Re: Plugins Can't be Enabled by Users
Michael Parker wrote:
> On Fri, Dec 17, 2004 at 05:00:14PM -0600, Stuart Johnston wrote:
> > Yes, quite. I double checked just to be sure and I notice that the
> > 'debug: plugin' line comes after the user_prefs is loaded even if it is
> > loaded by init.pre. Nevertheless, if I remove the loadplugin line
> > from init.pre and keep it in user_prefs, the plugin is still loaded. If
> > I remove it from both, it does not load.
>
> Please open a bug in Bugzilla (http://bugzilla.spamassassin.org/) for this.

http://bugzilla.spamassassin.org/show_bug.cgi?id=4041
Re: spamassassin error messages
Has anyone seen this type of error message? Known bug that is fixed? Am running on SuSE 9.1, SA v2.64-3.2.

> Use of uninitialized value in length at /usr/lib/perl5/vendor_perl/5.8.3/Mail/SpamAssassin/Bayes.pm line 457.
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/vendor_perl/5.8.3/Mail/SpamAssassin/Bayes.pm line 460.
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/vendor_perl/5.8.3/Mail/SpamAssassin/Bayes.pm line 461.
Use of uninitialized value in length at /usr/lib/perl5/vendor_perl/5.8.3/Mail/SpamAssassin/Bayes.pm line 457.
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/vendor_perl/5.8.3/Mail/SpamAssassin/Bayes.pm line 460.
Use of uninitialized value in concatenation (.) or string at /usr/lib/perl5/vendor_perl/5.8.3/Mail/SpamAssassin/Bayes.pm line 461.
Learned from 102 message(s) (118 message(s) examined).

Thanks,
-linda
Re: Plugins Can't be Enabled by Users
On Fri, Dec 17, 2004 at 05:00:14PM -0600, Stuart Johnston wrote:
>
> Yes, quite. I double checked just to be sure and I notice that the
> 'debug: plugin' line comes after the user_prefs is loaded even if it is
> loaded by init.pre. Nevertheless, if I remove the loadplugin line
> from init.pre and keep it in user_prefs, the plugin is still loaded. If
> I remove it from both, it does not load.
>

Please open a bug in Bugzilla (http://bugzilla.spamassassin.org/) for this.

Thanks
Michael
Re: Plugins Can't be Enabled by Users
Michael Parker wrote:
> On Fri, Dec 17, 2004 at 04:41:01PM -0600, Stuart Johnston wrote:
> > I certainly don't disagree with the security problems with allowing
> > users to load plugins. The problem is that in fact, user_conf CAN load
> > a plugin and does quite certainly execute its code, despite what the
> > documentation says. It just doesn't do any good because the default
> > rules will not be loaded. Of course, that wouldn't matter to an attacker.
> >
> > If spamassassin had given me a warning from the loadplugin line in my
> > user_conf instead of:
> >
> > debug: config: read file /home/stuart/.spamassassin/user_prefs
> > debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
> > debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa14a0d8)
> >
> > Then it would have been quite obvious what the problem was.
>
> Are you sure it isn't just in your init.pre file?

Yes, quite. I double checked just to be sure and I notice that the 'debug: plugin' line comes after the user_prefs is loaded even if it is loaded by init.pre. Nevertheless, if I remove the loadplugin line from init.pre and keep it in user_prefs, the plugin is still loaded. If I remove it from both, it does not load.

And I just tried from a different computer with the same results.

Stuart Johnston
Re: Equifax/NCR partnership in spam???
Having worked for an Equifax subsidiary many years ago, let me assure you that Equifax is a real company. In fact, they are one of the credit reporting bureaus, and have been for a long time.

But this mail looks pretty suspicious. The website looks a little sketchy as well, having no front pages. Wouldn't surprise me if it's a phishing scam.

Maybe I'm out of the loop, but what makes you say that Equifax is a spam company?

--
You are in a maze of twisty passages, all alike. Again.
http://www.hacksaw.org -- http://www.privatecircus.com -- KB1FVD
Re: Plugins Can't be Enabled by Users
On Fri, Dec 17, 2004 at 04:41:01PM -0600, Stuart Johnston wrote:
>
> I certainly don't disagree with the security problems with allowing
> users to load plugins. The problem is that in fact, user_conf CAN load
> a plugin and does quite certainly execute its code, despite what the
> documentation says. It just doesn't do any good because the default
> rules will not be loaded. Of course, that wouldn't matter to an attacker.
>
> If spamassassin had given me a warning from the loadplugin line in my
> user_conf instead of:
>
> debug: config: read file /home/stuart/.spamassassin/user_prefs
> debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
> debug: plugin: registered
> Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa14a0d8)
>
> Then it would have been quite obvious what the problem was.
>

Are you sure it isn't just in your init.pre file?

Michael
Re: Plugins Can't be Enabled by Users
Matt Kettler wrote:
> At 05:04 PM 12/17/2004, Stuart Johnston wrote:
> > I have been having a difficult time getting URIDNSBL to work and I
> > finally figured out why. I was trying to do the loadplugin in a
> > user_prefs file in order to test out a new configuration. The problem is
> > that the builtin plugins can not be enabled from user_prefs because the
> > default rules (25_uribl.cf, etc) will be run earlier and contain ifplugin
> > conditionals. When the plugin is loaded by user_prefs it will be too late
> > and the rules will never get loaded.
> >
> > I can see equal arguments for this being considered a feature or a bug so
> > I mention it mostly in case it helps someone else avoid the frustration
> > that it caused me.
>
> personally, consider it a very severe, server security compromising bug if
> user_prefs COULD load a plugin
>
> Remember.. plugins are perl code loaded into SA. They can do anything a perl
> program can, should they care to
>
> And the loadplugin command can load *any* perl code anywhere on the system
> if you specify a path...
>
> This particular behavior is pretty well documented in the manpage for
> Mail::SpamAssassin::Conf.. loadplugin is listed in the "Administrator
> Settings" section.. With the following header:
>
>     ADMINISTRATOR SETTINGS
>     These settings differ from the ones above, in that they are considered
>     'more privileged' -- even more than the ones in the PRIVILEGED SETTINGS
>     section. No matter what allow_user_rules is set to, these can never be
>     set from a user's user_prefs file.
>
> In general everything in that section could be abused by a user to gain
> privileges as some other user, or facilitate DoS attacks on SA. Hence, why
> they aren't allowed in user_prefs.. ever.

I certainly don't disagree with the security problems with allowing users to load plugins. The problem is that in fact, user_conf CAN load a plugin and does quite certainly execute its code, despite what the documentation says. It just doesn't do any good because the default rules will not be loaded. Of course, that wouldn't matter to an attacker.

If spamassassin had given me a warning from the loadplugin line in my user_conf instead of:

debug: config: read file /home/stuart/.spamassassin/user_prefs
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa14a0d8)

Then it would have been quite obvious what the problem was.

Stuart Johnston
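Added example, not part of the thread and not SpamAssassin code: because the debug output prints the 'plugin: loading' lines after user_prefs is read no matter which file asked for the plugin, this Python script audits the configuration files themselves for active loadplugin directives in user_prefs. All file contents, the second user and the Local::Example module are constructed samples.

```python
import re
from typing import NamedTuple, Optional

# "loadplugin ModuleName [/path/to/module.pm]": module name, optional file path.
LOADPLUGIN = re.compile(r"^\s*loadplugin\s+(\S+)(?:\s+(\S+))?\s*$")
# Everything from an unescaped '#' to end of line is a comment.
COMMENT = re.compile(r"(?<!\\)#.*")


class Finding(NamedTuple):
    source: str           # user_prefs file the directive was found in
    lineno: int
    module: str
    path: Optional[str]   # explicit .pm path, if one was given
    severity: str


def loadplugin_lines(text):
    """Yield (lineno, module, path) for every active loadplugin directive."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        match = LOADPLUGIN.match(COMMENT.sub("", raw))
        if match:
            yield lineno, match.group(1), match.group(2)


def audit(site_configs, user_prefs):
    """Report loadplugin directives that appear in per-user files.

    site_configs / user_prefs map a file name to that file's text.
    Severity:
      explicit-path        names a Perl file to load from disk
      user-only            module is not loaded by any site config file
      also-in-site-config  module is loaded by the administrator anyway
    """
    site_modules = {
        module
        for text in site_configs.values()
        for _, module, _ in loadplugin_lines(text)
    }
    findings = []
    for source, text in sorted(user_prefs.items()):
        for lineno, module, path in loadplugin_lines(text):
            if path is not None:
                severity = "explicit-path"
            elif module not in site_modules:
                severity = "user-only"
            else:
                severity = "also-in-site-config"
            findings.append(Finding(source, lineno, module, path, severity))
    return findings


# Constructed sample input: URIDNSBL is commented out in init.pre, as in the
# test described in the thread, and still present in one user's user_prefs.
SITE_CONFIGS = {
    "/etc/mail/spamassassin/init.pre": (
        "loadplugin Mail::SpamAssassin::Plugin::SPF\n"
        "# loadplugin Mail::SpamAssassin::Plugin::URIDNSBL\n"
    ),
}
USER_PREFS = {
    "/home/stuart/.spamassassin/user_prefs": (
        "required_score 5\n"
        "loadplugin Mail::SpamAssassin::Plugin::URIDNSBL\n"
    ),
    "/home/user2/.spamassassin/user_prefs": (
        "loadplugin Mail::SpamAssassin::Plugin::SPF\n"
        "  loadplugin Local::Example /home/user2/example.pm  # constructed\n"
    ),
}

if __name__ == "__main__":
    for finding in audit(SITE_CONFIGS, USER_PREFS):
        print(f"{finding.severity:20} {finding.source}:{finding.lineno} "
              f"{finding.module} {finding.path or ''}")
```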
Re: Bayes still not working
On Fri, Dec 17, 2004 at 03:08:24PM -0500, shane mullins wrote:
[...]
> debug: bayes: 23576 tie-ing to DB file R/O
> /var/amavisd/.spamassassin/bayes_toks
> debug: bayes: 23576 tie-ing to DB file R/O
> /var/amavisd/.spamassassin/bayes_seen
> debug: bayes: found bayes db version 3
> debug: Score set 3 chosen.
[...]

Ok, Bayes DB is available.

[...]
> debug: bayes corpus size: nspam = 11217, nham = 3106
> debug: tokenize: header tokens for *F = "U*ignore
> D*compiling.spamassassin.taint.org D*spamassassin.taint.org D*taint.org
> D*org"
> debug: tokenize: header tokens for *m = " 1103315695 lint_rules "
> debug: tokenize: header tokens for *RT = " "
> debug: tokenize: header tokens for *RU = " "
> debug: bayes token 'H*Ad:D*org' => 0.0105036777313484
> debug: bayes token 'somewhat' => 0.0315481378182374
> debug: bayes token 'H*F:D*org' => 0.132108368706952
> debug: bayes token 'message' => 0.144404929302356
> debug: bayes: score = 0.00188593021767242
> debug: bayes: 23576 untie-ing
> debug: bayes: 23576 untie-ing db_toks
> debug: bayes: 23576 untie-ing db_seen
[...]

Ok, Bayes only finds 4 tokens in common between message and header. Based on that, the message gets a 0.00188 probability.

[...]
> debug: tests=BAYES_00,MISSING_HEADERS,MISSING_SUBJECT,NO_REAL_NAME
> debug:
> subtests=__HAS_MSGID,__MSGID_OK_DIGITS,__MSGID_OK_HOST,__SANE_MSGID,__UN
> USABLE_MSGID
[...]

Message registers a BAYES_00 hit.

> Everything looks like a go, except I get no Bayes output. Any ideas?

?? What kind of Bayes output are you expecting? The debug output shows it's working fine.

--
Randomly Generated Tagline:
Anyway, please don't anyone take offense at my free associations. Even if they're true.
 -- Larry Wall, 8th State of the Onion
Re: Plugins Can't be Enabled by Users
At 05:04 PM 12/17/2004, Stuart Johnston wrote:
> I have been having a difficult time getting URIDNSBL to work and I
> finally figured out why. I was trying to do the loadplugin in a
> user_prefs file in order to test out a new configuration. The problem is
> that the builtin plugins can not be enabled from user_prefs because the
> default rules (25_uribl.cf, etc) will be run earlier and contain ifplugin
> conditionals. When the plugin is loaded by user_prefs it will be too late
> and the rules will never get loaded.
>
> I can see equal arguments for this being considered a feature or a bug so
> I mention it mostly in case it helps someone else avoid the frustration
> that it caused me.

personally, consider it a very severe, server security compromising bug if user_prefs COULD load a plugin

Remember.. plugins are perl code loaded into SA. They can do anything a perl program can, should they care to

And the loadplugin command can load *any* perl code anywhere on the system if you specify a path...

This particular behavior is pretty well documented in the manpage for Mail::SpamAssassin::Conf.. loadplugin is listed in the "Administrator Settings" section.. With the following header:

    ADMINISTRATOR SETTINGS
    These settings differ from the ones above, in that they are considered
    'more privileged' -- even more than the ones in the PRIVILEGED SETTINGS
    section. No matter what allow_user_rules is set to, these can never be
    set from a user's user_prefs file.

In general everything in that section could be abused by a user to gain privileges as some other user, or facilitate DoS attacks on SA. Hence, why they aren't allowed in user_prefs.. ever.
Bayes still not working
I am still not getting any Bayes entries in my maillog. We are running: OpenBSD 3.5, SA 3.0.2, amavisd-new, dcc and razor. With the following info provided, does anyone have any ideas? I could provide more details if needed.

Here is my local.cf references to Bayes:

use_bayes 1
bayes_auto_learn 1
bayes_path /var/amavisd/.spamassassin/bayes

When I run spamassassin -D --lint here is the output:

# spamassassin -D --lint
debug: SpamAssassin version 3.0.2
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/sbin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: Final PATH set to: /sbin:/usr/sbin:/bin:/usr/bin
debug: diag: module not installed: DBI ('require' failed)
debug: diag: module installed: DB_File, version 1.807
debug: diag: module installed: Digest::SHA1, version 2.10
debug: diag: module installed: IO::Socket::UNIX, version 1.21
debug: diag: module installed: MIME::Base64, version 3.05
debug: diag: module installed: Net::DNS, version 0.48
debug: diag: module not installed: Net::LDAP ('require' failed)
debug: diag: module installed: Razor2::Client::Agent, version 2.61
debug: diag: module installed: Storable, version 2.08
debug: diag: module installed: URI, version 1.34
debug: ignore: using a test message to lint rules
debug: using "/etc/mail/spamassassin/init.pre" for site rules init.pre
debug: config: read file /etc/mail/spamassassin/init.pre
debug: using "/usr/local/share/spamassassin" for default rules dir
debug: config: read file /usr/local/share/spamassassin/10_misc.cf
debug: config: read file /usr/local/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/local/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/local/share/spamassassin/20_compensate.cf
debug: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/local/share/spamassassin/20_drugs.cf
debug: config: read file /usr/local/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/local/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/local/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/local/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/local/share/spamassassin/20_phrases.cf
debug: config: read file /usr/local/share/spamassassin/20_porn.cf
debug: config: read file /usr/local/share/spamassassin/20_ratware.cf
debug: config: read file /usr/local/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/local/share/spamassassin/23_bayes.cf
debug: config: read file /usr/local/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/local/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/local/share/spamassassin/25_spf.cf
debug: config: read file /usr/local/share/spamassassin/25_uribl.cf
debug: config: read file /usr/local/share/spamassassin/30_text_de.cf
debug: config: read file /usr/local/share/spamassassin/30_text_fr.cf
debug: config: read file /usr/local/share/spamassassin/30_text_nl.cf
debug: config: read file /usr/local/share/spamassassin/30_text_pl.cf
debug: config: read file /usr/local/share/spamassassin/50_scores.cf
debug: config: read file /usr/local/share/spamassassin/60_whitelist.cf
debug: using "/etc/mail/spamassassin" for site rules dir
debug: config: read file /etc/mail/spamassassin/local.cf
debug: using "/root/.spamassassin" for user state dir
debug: using "/root/.spamassassin/user_prefs" for user prefs file
debug: config: read file /root/.spamassassin/user_prefs
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x3c3ee924)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x3cba8bc0)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x3cb88308)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x3c3ee924) implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x3cba8bc0) implements 'parse_config'
debug: bayes: 23576 tie-ing to DB file R/O /var/amavisd/.spamassassin/bayes_toks
debug: bayes: 23576 tie-ing to DB file R/O /var/amavisd/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: Score set 3 chosen.
debug: MIME PARSER START
debug: main message type: text/plain
debug: parsing normal part
debug: added part, type: text/plain
debug: MIME PARSER END
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x3c3ee924) implements 'parsed_metadata'
debug: dns_available set to yes in config file, skipping test
debug: decoding: no encoding detected
debug: UR
Re: MIT Spam conference
On Fri, Dec 17, 2004 at 04:39:49PM -0500, Chris Santerre wrote:
> Is anyone else planning on attending?

Already registered. :)

--
Randomly Generated Tagline:
How do you make Windows faster? Throw it harder.
Plugins Can't be Enabled by Users
I have been having a difficult time getting URIDNSBL to work and I finally figured out why. I was trying to do the loadplugin in a user_prefs file in order to test out a new configuration. The problem is that the builtin plugins can not be enabled from user_prefs because the default rules (25_uribl.cf, etc) will be run earlier and contain ifplugin conditionals. When the plugin is loaded by user_prefs it will be too late and the rules will never get loaded. I can see equal arguments for this being considered a feature or a bug so I mention it mostly in case it helps someone else avoid the frustration that it caused me. Stuart Johnston
spamd and blacklist issue
We are running SA under spamd (Version 3). My mail logs indicate a server is being blocked by dnsbl.sorbs.net but when I check their database it is not listed. I added their domain name under whitelists in local.cf and restarted spamd but it doesn't seem to help. Does anyone have suggestions? I submitted a ticket to sorbs regarding this but who knows when that will be answered.

Gracias.
Colin
Re: MIT Spam conference
Chris Santerre wrote:
> > -Original Message-
> > From: William Stearns [mailto:[EMAIL PROTECTED]
> > Sent: Friday, December 17, 2004 3:53 PM
> > To: ML-spamassassin-talk; ml-surbl-discuss
> > Cc: William Stearns
> > Subject: MIT Spam conference
> >
> > Good day, all,
> > I'll be attending the MIT spam conference this year, Jan 21st, 9-5.
> > Details at http://www.spamconference.org/ . The registration is free,
> > but they suggest an early registration before the conference fills up.
> > I'd love a chance to meet other people working on spamassassin and
> > surbl. Is anyone else planning on attending?
> > Cheers,
> > - Bill
>
> All registered. Unless we get some meltdown here, or my car feezes on the
> way like last year, I'll be there! However, being a ninja, you won't see
> me! :)
>
> J/K, my goal is to get my eyeball as close to the webcast camera. Just so
> when I come home I can DL the movie and say "There is my eyeball"
>
> Do we get to bring air horns?

haha feeze? http://www.hyperdictionary.com/dictionary/feeze ;)

Hey lemme know when you're getting close to the camera, i wanna check it out too!

-Jim
RE: Equifax/NCR partnership in spam???
>
>Also, this mail was sent via PowerMTA, which appears to be a tool of
>choice for spammers. I've created a rule for this, should this be a
>standard rule?

Could be a fish. But I wanted to comment on the PowerMTA. It is a legit mailer HOWEVER it is often used by spammers. I also have a local rule to add a few points for this mailer. However SARE tested and found that it wasn't worth the FP rate. So I would not make it a standard rule. But people should consider writing a local rule for it, and salt the score to taste.

--Chris
RE: MIT Spam conference
>-Original Message-
>From: William Stearns [mailto:[EMAIL PROTECTED]
>Sent: Friday, December 17, 2004 3:53 PM
>To: ML-spamassassin-talk; ml-surbl-discuss
>Cc: William Stearns
>Subject: MIT Spam conference
>
>
>Good day, all,
> I'll be attending the MIT spam conference this year, Jan 21st,
>9-5. Details at http://www.spamconference.org/ . The registration is
>free, but they suggest an early registration before the
>conference fills
>up.
> I'd love a chance to meet other people working on
>spamassassin and
>surbl. Is anyone else planning on attending?
> Cheers,
> - Bill

All registered. Unless we get some meltdown here, or my car feezes on the way like last year, I'll be there! However, being a ninja, you won't see me! :)

J/K, my goal is to get my eyeball as close to the webcast camera. Just so when I come home I can DL the movie and say "There is my eyeball"

Do we get to bring air horns?

Chris Santerre
System Admin and SARE/SURBL Ninja
http://www.rulesemporium.com
http://www.surbl.org
'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.'
Charles Darwin
RE: Equifax/NCR partnership in spam???
Looks like the first attempts at some phishing. The domain name and everything look like NCR BUT the DNS servers are NCRWEBHOST.COM with what looks like a bogus email address for admin contract.

Gary

-Original Message-
From: Michael Barnes [mailto:[EMAIL PROTECTED]
Sent: Friday, December 17, 2004 12:27 PM
To: SpamAssassin Users
Subject: Equifax/NCR partnership in spam???

All,

Does anyone have an opinion of the mail below? To me it looks like deceptive marketing practice where the people at equifaxmktg.com are trying to validate emails or something. The scary thing is that equifaxmktg.com appears to be a division of NCR.

I guess it's common knowledge that Equifax is pretty much a spam company in disguise a credit company. But I was under the assumption that NCR was a real company.

Any opinions on this?

Also, this mail was sent via PowerMTA, which appears to be a tool of choice for spammers. I've created a rule for this, should this be a standard rule?

Mike

- Forwarded message from Equifax <[EMAIL PROTECTED]> -

>From [EMAIL PROTECTED] Fri Dec 17 13:02:51 2004
Return-Path: <[EMAIL PROTECTED]>
Received: from a.machine.here (a.machine.here [xxx.xxx.x.xx])
    by another.machine.here (8.11.7p1+Sun/8.10.2) with ESMTP id iBHI2pH13385
    for <[EMAIL PROTECTED]>; Fri, 17 Dec 2004 13:02:51 -0500 (EST)
Received: from ncr2249.ncr2249 (mail244.ncrecommerce.com [153.69.128.244])
    by a.machine.here (8.12.8/8.12.8) with ESMTP id iBHI2lfA027614
    for <[EMAIL PROTECTED]>; Fri, 17 Dec 2004 13:02:47 -0500
Received: by ncr2249.ncr2249 (PowerMTA(TM) v3.0r7) id hocfje0721cv;
    Fri, 17 Dec 2004 13:02:23 -0500 (envelope-from +<[EMAIL PROTECTED]>)
X-BPS1: 12303
X-BPS2: 1
Reply-To: "Equifax" <[EMAIL PROTECTED]>
From: "Equifax" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: *SPAM* (score=16.2/10.0) Equifax Holiday Fun
Date: Fri, 17 Dec 2004 13:02:22 -0500
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_NextPart_000_F87B3_01C4E438.A5E2C420"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Windows 2000
Thread-Index: AcTkYo62jLoTmpSWTqaVFYSBB7UXaw==
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Spam-Prev-Subject: Equifax Holiday Fun
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on mymachine
X-Spam-Report:
    * 1.0 NO_SPACE_IN_FRM No space in from between quotes
    * 0.2 EXTRA_SUBJ_SPACES Subject with extra spaces in it (2)
    * 0.0 HTML_WEB_BUGS BODY: Image tag intended to identify you
    * 0.1 HTML_80_90 BODY: Message is 80% to 90% HTML
    * 0.1 HTML_IMAGE_RATIO_06 BODY: HTML has a low ratio of text to
    * image area
    * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    * [score: 0.5039]
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 0.3 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
    * 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    * [153.69.128.244 listed in sbl-xbl.spamhaus.org]
    * 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
    * blocklist
    * [URIs: equifaxmktg.com]
    * 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL
    * blocklist
    * [URIs: ncrpmreports.com equifaxmktg.com]
    * 0.7 FRM_NOT_TWO_WORDS From does not have 2 words in it
    * 5.9 SCORE_CORRECTION Correction for multiple positive test
    * scores
X-Spam-Status: Yes, score=16.2 required=10.0 tests=BAYES_50,DCC_CHECK,
    EXTRA_SUBJ_SPACES,FRM_NOT_TWO_WORDS,HTML_80_90,HTML_IMAGE_RATIO_06,
    HTML_MESSAGE,HTML_WEB_BUGS,NO_SPACE_IN_FRM,RCVD_IN_XBL,
    SCORE_CORRECTION,URIBL_OB_SURBL,URIBL_WS_SURBL autolearn=no version=3.0.1
X-Spam-Level:
Status: RO
Content-Length: 6137
Lines: 126

Happy Holidays! Thank You!

You're an important Equifax customer. We appreciate you and want to pass on some holiday fun to you. Take a look at our holiday card for some holiday cheer.

http://equifaxmktg.com/equifax/redirect.asp?lid=1051267&o=1&eid=OneOfMyL [EMAIL PROTECTED]

If you have any questions, please call us at 1-800-829-3616, 8:00AM - 3:00AM (EST), 7 days a week. You may e-mail us anytime at [EMAIL PROTECTED] Or you can write us: Equifax Consumer Services, Inc. PO Box 105496, Atlanta, GA 30348.

Click below to unsubscribe from future mailings.

http://equifaxmktg.com/equifax/redirect.asp?lid=1051268&o=1&eid=OneOfMyL [EMAIL PROTECTED]&DATI=evLVYy4d%2Bx27Uxndjx8MHAxPIV5xvK%2x0

- End forwarded message -

--
/-\
| Michael Barnes <[EMAIL PROTECTED]> |
| UNIX Systems Administrator |
| College of William and Mary |
| Phone: (757) 879-3930 |
\-/
Re: Equifax/NCR partnership in spam???
Justin Mason wrote:
> Michael Barnes writes:
> > All,
> >
> > Does anyone have an opinion of the mail below? To me it looks like
> > deceptive marketing practice where the people at equifaxmktg.com are
> > trying to validate emails or something. The scary thing is that
> > equifaxmktg.com appears to be a division of NCR.
> >
> > I guess it's common knowledge that Equifax is pretty much a spam company
> > in disguise a credit company. But I was under the assumption that NCR
> > was a real company.
> >
> > Any opinions on this?
>
> I think Equifax used to do e-pending; not sure if they still do. I
> haven't heard anything bad about them in a while.
>
> > Also, this mail was sent via PowerMTA, which appears to be a tool of
> > choice for spammers. I've created a rule for this, should this be a
> > standard rule?
>
> PowerMTA is actually a generic MTA app for MacOS, if I recall correctly.
> we *had* a rule and removed it due to a high false positive rate.

http://www.port25.com/products/prod_index.html

Looks pretty legit to me.

-Jim
Re: Equifax/NCR partnership in spam???
Michael Barnes writes:
> All,
>
> Does anyone have an opinion of the mail below? To me it looks like
> deceptive marketing practice where the people at equifaxmktg.com are
> trying to validate emails or something. The scary thing is that
> equifaxmktg.com appears to be a division of NCR.
>
> I guess it's common knowledge that Equifax is pretty much a spam company
> in disguise a credit company. But I was under the assumption that NCR
> was a real company.
>
> Any opinions on this?

I think Equifax used to do e-pending; not sure if they still do. I haven't heard anything bad about them in a while.

> Also, this mail was sent via PowerMTA, which appears to be a tool of
> choice for spammers. I've created a rule for this, should this be a
> standard rule?

PowerMTA is actually a generic MTA app for MacOS, if I recall correctly. we *had* a rule and removed it due to a high false positive rate.

--j.
MIT Spam conference
Good day, all,

I'll be attending the MIT spam conference this year, Jan 21st, 9-5. Details at http://www.spamconference.org/ . The registration is free, but they suggest an early registration before the conference fills up.

I'd love a chance to meet other people working on spamassassin and surbl. Is anyone else planning on attending?

Cheers,
- Bill

---
"God grant me the senility to accept the things I cannot change, The frustration to try to change things I cannot affect, and the wisdom to tell the difference." (Courtesy of Mike Ricketts <[EMAIL PROTECTED]>)
--
William Stearns ([EMAIL PROTECTED]). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--
RE: Equifax/NCR partnership in spam???
> -Original Message-
> From: Michael Barnes [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 17, 2004 2:27 PM
> To: SpamAssassin Users
> Subject: Equifax/NCR partnership in spam???
>
>
> All,
>
> Does anyone have an opinion of the mail below? To me it
> looks like deceptive marketing practice where the people at
> equifaxmktg.com are trying to validate emails or something.
> The scary thing is that equifaxmktg.com appears to be a
> division of NCR.
>
> I guess it's common knowledge that Equifax is pretty much a
> spam company in disguise a credit company. But I was under
> the assumption that NCR was a real company.
>
> Any opinions on this?
>

Well, NCR eCommerce is a legit division of NCR (http://www.ncrecommerce.com/ncrecommerce/default.htm). I guess this is one of those "one person's spam is another's ham" situations. If it were a message sent to me, I would consider it spam because I am not a subscriber to Equifax's service(s). I always thought Equifax was one of the credit reporting agencies. They're involved in more than that?

You could always go through the unsubscribe link and unsubscribe but also do whatever is necessary for your SA install to mark any further messages from them as SPAM.

Just my $0.02. HTH.

Joe K.
Re: more spam gets through since SA 3.x
Hi Jon,

> you should upgrade Net::DNS. it won't hurt anything and it will make
> your RBL checks work. on my system, i ran some statistics, and the SURBL
> checks are responsible for catching 90% of the spam.

okay, I will try to do so!

Florian
Equifax/NCR partnership in spam???
All,

Does anyone have an opinion of the mail below? To me it looks like deceptive marketing practice where the people at equifaxmktg.com are trying to validate emails or something. The scary thing is that equifaxmktg.com appears to be a division of NCR.

I guess it's common knowledge that Equifax is pretty much a spam company in disguise a credit company. But I was under the assumption that NCR was a real company.

Any opinions on this?

Also, this mail was sent via PowerMTA, which appears to be a tool of choice for spammers. I've created a rule for this, should this be a standard rule?

Mike

- Forwarded message from Equifax <[EMAIL PROTECTED]> -

>From [EMAIL PROTECTED] Fri Dec 17 13:02:51 2004
Return-Path: <[EMAIL PROTECTED]>
Received: from a.machine.here (a.machine.here [xxx.xxx.x.xx])
    by another.machine.here (8.11.7p1+Sun/8.10.2) with ESMTP id iBHI2pH13385
    for <[EMAIL PROTECTED]>; Fri, 17 Dec 2004 13:02:51 -0500 (EST)
Received: from ncr2249.ncr2249 (mail244.ncrecommerce.com [153.69.128.244])
    by a.machine.here (8.12.8/8.12.8) with ESMTP id iBHI2lfA027614
    for <[EMAIL PROTECTED]>; Fri, 17 Dec 2004 13:02:47 -0500
Received: by ncr2249.ncr2249 (PowerMTA(TM) v3.0r7) id hocfje0721cv;
    Fri, 17 Dec 2004 13:02:23 -0500 (envelope-from +<[EMAIL PROTECTED]>)
X-BPS1: 12303
X-BPS2: 1
Reply-To: "Equifax" <[EMAIL PROTECTED]>
From: "Equifax" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: *SPAM* (score=16.2/10.0) Equifax Holiday Fun
Date: Fri, 17 Dec 2004 13:02:22 -0500
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_NextPart_000_F87B3_01C4E438.A5E2C420"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Windows 2000
Thread-Index: AcTkYo62jLoTmpSWTqaVFYSBB7UXaw==
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Spam-Prev-Subject: Equifax Holiday Fun
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on mymachine
X-Spam-Report:
    * 1.0 NO_SPACE_IN_FRM No space in from between quotes
    * 0.2 EXTRA_SUBJ_SPACES Subject with extra spaces in it (2)
    * 0.0 HTML_WEB_BUGS BODY: Image tag intended to identify you
    * 0.1 HTML_80_90 BODY: Message is 80% to 90% HTML
    * 0.1 HTML_IMAGE_RATIO_06 BODY: HTML has a low ratio of text to
    * image area
    * 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    * [score: 0.5039]
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 0.3 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
    * 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    * [153.69.128.244 listed in sbl-xbl.spamhaus.org]
    * 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
    * blocklist
    * [URIs: equifaxmktg.com]
    * 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL
    * blocklist
    * [URIs: ncrpmreports.com equifaxmktg.com]
    * 0.7 FRM_NOT_TWO_WORDS From does not have 2 words in it
    * 5.9 SCORE_CORRECTION Correction for multiple positive test
    * scores
X-Spam-Status: Yes, score=16.2 required=10.0 tests=BAYES_50,DCC_CHECK,
    EXTRA_SUBJ_SPACES,FRM_NOT_TWO_WORDS,HTML_80_90,HTML_IMAGE_RATIO_06,
    HTML_MESSAGE,HTML_WEB_BUGS,NO_SPACE_IN_FRM,RCVD_IN_XBL,
    SCORE_CORRECTION,URIBL_OB_SURBL,URIBL_WS_SURBL autolearn=no version=3.0.1
X-Spam-Level:
Status: RO
Content-Length: 6137
Lines: 126

Happy Holidays! Thank You!

You're an important Equifax customer. We appreciate you and want to pass on some holiday fun to you. Take a look at our holiday card for some holiday cheer.

http://equifaxmktg.com/equifax/redirect.asp?lid=1051267&o=1&[EMAIL PROTECTED]

If you have any questions, please call us at 1-800-829-3616, 8:00AM - 3:00AM (EST), 7 days a week. You may e-mail us anytime at [EMAIL PROTECTED] Or you can write us: Equifax Consumer Services, Inc. PO Box 105496, Atlanta, GA 30348.

Click below to unsubscribe from future mailings.

http://equifaxmktg.com/equifax/redirect.asp?lid=1051268&o=1&[EMAIL PROTECTED]&DATI=evLVYy4d%2Bx27Uxndjx8MHAxPIV5xvK%2x0

- End forwarded message -

--
/-\
| Michael Barnes <[EMAIL PROTECTED]> |
| UNIX Systems Administrator |
| College of William and Mary |
| Phone: (757) 879-3930 |
\-/
not to be outdone! Funny pic!
http://www.fattonyracing.com/neoimages/funny/noninjascopy.jpg We need a place for our pimp ninja rides! --Chris
Filtering unknown Charset
Is there any way of filtering out unknown charsets as in the examples below:

A936ADD5A146DE8ECF3
Content-Type: text/plain; charset="iso-61FC-B"
Content-Transfer-Encoding: quoted-printable

Content-Type: text/plain; charset="iso-8FCB-F"
Content-Transfer-Encoding: quoted-printable

Lately we have been receiving spam with randomly generated iso-? sets.

Thanks
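One way to detect such labels outside SpamAssassin, as an added example that is not part of the original post: it flags every MIME part whose charset label has no registered codec. Python's codec registry stands in for the list of known charsets (an assumption), and the sample message, its addresses and its boundary are constructed around the two labels quoted above.

```python
import codecs
from email import message_from_string

# Constructed sample: two parts carry the charset labels quoted in the post,
# the third carries a real charset for comparison.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="iso-61FC-B"
Content-Transfer-Encoding: quoted-printable

hello
--b1
Content-Type: text/plain; charset="iso-8FCB-F"
Content-Transfer-Encoding: quoted-printable

hello
--b1
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

hello
--b1--
"""


def unknown_charsets(raw_message):
    """Return the charset labels (lowercased) that no codec is registered for."""
    msg = message_from_string(raw_message)
    unknown = []
    for part in msg.walk():
        label = part.get_content_charset()  # None when the part declares none
        if label is None:
            continue
        try:
            # Assumption: "known charset" means "Python ships a codec for it".
            codecs.lookup(label)
        except LookupError:
            unknown.append(label)
    return unknown


if __name__ == "__main__":
    print(unknown_charsets(SAMPLE))
```

A codec registry is narrower than the IANA charset list, so a site using this check would want to log hits for a while before scoring on them.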
Re: SPAM word in subject isnt removed
Zé said:
> I use kmail 1.7.2 (kde-3.3.2) and the spam rule puts in the subject the
> word SPAM and if I click to HAM this same email, it does not do anything and
> doesn't remove the word SPAM of the good email that was considered spam.

That's probably a question better asked on a kmail list if no one here can help.

> Any help to remove the word SPAM in subject and why a good email is
> considered spam?

Would help to post the headers and the SpamAssassin score / rules hit on the message so someone could determine why it was marked as Spam. Otherwise people are only guessing.
rule based on mime version header
Hello,

I've noticed an interesting ratware pattern in the Mime-Version field that uses "produced by" and then a combination of two random words and a random version number. Here are a few examples:

MIME-Version: 1.0 (produced by nightgownbunyan 8.2)
MIME-Version: 1.0 (produced by lamellartramway 0.6)
MIME-Version: 1.0 (produced by contradictoryforest 9.8)
MIME-Version: 1.0 (produced by stanfordprotrusion 0.4)

The "produced by" mime version google hits seem to be the spam tool above, and:

MIME-Version: 1.0 (produced by Synapse)
MIME-Version: 1.0 (produced by MetaSend Vx.x)
Mime-Version: 1.0 (Produced by PhpWiki 1.3.x
Mime-Version: 1.0 (Produced by Tiki)
MIME-Version: 1.0 (produced by IP*Works! www.dev-soft.com)
MIME-Version: 1.0 (Produced by HUB e-mail engine)

After removing these valid types, only the spam sigs seem to remain: (google search) http://makeashorterlink.com/?G10A12D0A

These programs do not use the same versioning style as the spam tool. I don't have a ham/spam corpus to test against but I've run the rule below for 24 hours and gotten 140 matches with no FP. More than half of the messages matched on RATWARE_RCVD_AT; all of them matched on MIME_BOUND_DD_DIGITS.

header MIME_VER_RATTY Mime-Version =~ /^1\.0 \(produced by [a-z]{1,20} [0-9]\.[0-9]\)$/
describe MIME_VER_RATTY Ratware sig found in mime type
score MIME_VER_RATTY 0.0001

The hits occurred on approx 1% of messages passed through the SA server.

Risks: There may possibly be a 'produced by' sig I haven't seen through google searches, or someone may create a matching sig on valid software in the future.

I think that when checked in conjunction with MIME_BOUND_DD_DIGITS, this could create a higher confidence ratware rule. However, I'm concerned about making checks that identify things already caught by other methods -- it seems redundant & bloaty.

Thoughts?

--eric
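The rule above can be checked offline against the header lines quoted in the post. The following is an added example, not part of the original message: it applies the rule's regex unchanged, while the `build_message` helper, the addresses and the `mailer 1.2` value (a stand-in for the "valid software with a matching sig" risk) are constructed for illustration.

```python
import re
from email import message_from_string

# Pattern copied unchanged from the MIME_VER_RATTY rule in the post.
MIME_VER_RATTY = re.compile(r"^1\.0 \(produced by [a-z]{1,20} [0-9]\.[0-9]\)$")

# Header lines the post quotes as ratware.
RATWARE = [
    "MIME-Version: 1.0 (produced by nightgownbunyan 8.2)",
    "MIME-Version: 1.0 (produced by lamellartramway 0.6)",
    "MIME-Version: 1.0 (produced by contradictoryforest 9.8)",
    "MIME-Version: 1.0 (produced by stanfordprotrusion 0.4)",
]

# Header lines the post quotes as legitimate software (copied as posted).
LEGIT = [
    "MIME-Version: 1.0 (produced by Synapse)",
    "MIME-Version: 1.0 (produced by MetaSend Vx.x)",
    "Mime-Version: 1.0 (Produced by PhpWiki 1.3.x",
    "Mime-Version: 1.0 (Produced by Tiki)",
    "MIME-Version: 1.0 (produced by IP*Works! www.dev-soft.com)",
    "MIME-Version: 1.0 (Produced by HUB e-mail engine)",
]

# Constructed value: hypothetical legitimate software that uses a lowercase
# name and a one-digit.one-digit version, the risk named in the post.
HYPOTHETICAL_LEGIT = "MIME-Version: 1.0 (produced by mailer 1.2)"


def build_message(mime_version_line):
    """Wrap one header line in a minimal constructed message."""
    return (
        "From: sender@example.com\n"
        "To: rcpt@example.com\n"
        "Subject: constructed sample\n"
        f"{mime_version_line}\n"
        "\n"
        "body\n"
    )


def rule_hits(raw_message):
    """True when the message's Mime-Version value matches the rule's regex."""
    msg = message_from_string(raw_message)
    value = msg.get("Mime-Version")  # the email module ignores header-name case
    if value is None:
        return False
    return MIME_VER_RATTY.search(value.strip()) is not None


def evaluate():
    """Count hits per sample set and test the constructed false-positive case."""
    return {
        "ratware_hits": sum(rule_hits(build_message(h)) for h in RATWARE),
        "legit_hits": sum(rule_hits(build_message(h)) for h in LEGIT),
        "hypothetical_legit_hit": rule_hits(build_message(HYPOTHETICAL_LEGIT)),
    }


if __name__ == "__main__":
    print(evaluate())
```

The constructed `mailer 1.2` hit is the case for keeping the score low or requiring a second indicator, as the post proposes.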
Re: more spam gets through since SA 3.x
Florian Effenberger wrote: Hi Rakesh, Well i cannot help much in your problem apart from saying what Jeff had said earlier, that you need to upgrade some of your Perl modules. the problem is that I run on a Debian 3.0 system that has older Perl modules. :-) you should upgrade Net::DNS. it won't hurt anything and it will make your RBL checks work. on my system, i ran some statistics, and the SURBL checks are responsible for catching 90% of the spam. perl -MCPAN -e 'install Net::DNS'
Re: more spam gets through since SA 3.x
Hi, This is a known issue, see bug 4007. Thanks for pointing on that! Translators wanted, if you can help bring translated descriptions down below the 50 character mark please feel free to open a bug and attach the translations. Unfortunately, absolutely no time. :-( Otherwise I'd do it. Florian
Re: more spam gets through since SA 3.x
Hi Bowie,

> As far as I know, the module lookup is a function of the Perl install. In
> order to keep your current stuff along with the new stuff, you would need a
> second install of Perl. Why do you want to keep the old modules? I can
> understand not wanting to upgrade Perl itself, but unless you've got
> something that relies on Net::DNS that you are worried about breaking, I'd
> say just upgrade them.

I don't want to interfere with Debian's packages. In amavisd-new, I installed the packages manually with

perl Makefile.PL LIB=/usr/local/share/amavisd-new PREFIX=/usr/local/share/amavisd-new

I modified the amavisd-new binary with

use lib qw(/usr/local/share/amavisd-new);

and it works.

Florian
SPAM word in subject isnt removed
I use kmail 1.7.2 (kde-3.3.2) and the spam rule puts in the subject the word SPAM and if I click to HAM this same email, it does not do anything and doesn't remove the word SPAM of the good email that was considered spam. Any help to remove the word SPAM in subject and why a good email is considered spam? cheers, Zé
Re: more spam gets through since SA 3.x
On Fri, Dec 17, 2004 at 04:24:11PM +0100, Florian Effenberger wrote:
> Hi Martin,
>
> >I guess the thing to do is move the de stuff out of the directory and
> >run the --lint again... if it passes without the 50 characters error
> >then that's the issue.
>
> thanks, that worked! The file is the culprit for the lint error message.
> Have filed a bug report (#4040, closed #4038).
>

This is a known issue, see bug 4007. It is not fatal, and just a warning during --lint.

Translators wanted, if you can help bring translated descriptions down below the 50 character mark please feel free to open a bug and attach the translations.

Michael
Re: more spam gets through since SA 3.x
Florian I guess the thing to do is move the de stuff out of the directory and run the --lint againif it passes without the 50 characters error then that's the issue. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Florian Effenberger wrote: Hi Martin, how did you install SA - source, CPAN, or apt? Source. pick one with a rule in it that SA complains about in the "spamassassin -D --lint". They are 'text' files so you can grep the rule names. warning: description for PORN_URL_SEX is over 50 chars # grep -r "PORN_URL_SEX" /usr/local/share/spamassassin/* /usr/local/share/spamassassin/20_porn.cf:uri PORN_URL_SEX /^https?:\/\/[\w\.-]*(? /usr/local/share/spamassassin/20_porn.cf:describe PORN_URL_SEX URL uses words/phrases which indicate porn (sex) /usr/local/share/spamassassin/30_text_de.cf:lang de describe PORN_URL_SEX Worte/Phrasen in URL weisen auf Pornographie hin (sex) /usr/local/share/spamassassin/50_scores.cf:score PORN_URL_SEX 1.865 1.427 1.817 0.011 20_porn.cf: # SpamAssassin rules file: porn tests # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # Note: body tests are run with long lines, so be sure to limit the # size of searches; use /.{0,30}/ instead of /.*/ to avoid huge # search times. # # <@LICENSE> # Copyright 2004 Apache Software Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. 
# # ### require_version 3.02 30_text_de.cf: # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # <@LICENSE> # Copyright 2004 Apache Software Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ### # character set used in the following texts (no need for iso-8859-15) lang de report_charset iso-8859-1 50_scores.cf: # SpamAssassin score file # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # <@LICENSE> # Copyright 2004 Apache Software Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ### # Default scores. Note that if a test is named in the files, but a score is # not assigned here, the default score will be set to 1. 
# The following block of scores were generated using the mass-checking # scripts, and a perceptron to determine the optimum scores which # resulted in minimum false positives or negatives. The scores are # weighted to produce roughly 1 false positive in 2500 non-spam messages # using the default threshold of 5.0. # Start of generated scores. Looks good, hm? Maybe the warning means 30_text_de.cf, which most of you don't use because you have English locales? but you'll get no rbl style tests.. Okay, that's a good point. Florian ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the
RE: more spam gets through since SA 3.x
From: Florian Effenberger [mailto:[EMAIL PROTECTED]
>
> > Network tests like RBL, SURBL, etc. probably won't work unless
> > you upgrade your Net::DNS to something more recent.
>
> Okay, will try to do that. Anyone knows how I can tell SA to look
> Perl modules up in one additional directory? I don't want to erase
> the Debian package, but instead install the recent version in a
> separate directory and tell SA to use it.

As far as I know, the module lookup is a function of the Perl install. In order to keep your current stuff along with the new stuff, you would need a second install of Perl. Why do you want to keep the old modules? I can understand not wanting to upgrade Perl itself, but unless you've got something that relies on Net::DNS that you are worried about breaking, I'd say just upgrade them.

$ perl -MCPAN -e shell
cpan> install Net::DNS

That will download and install the current version for you. You will be walked through some configuration of the CPAN module if you haven't used it before.

Bowie
Re: F.P. with SARE rule
At 10:18 AM 12/17/2004 -0500, Shawn R. Beairsto wrote: I just got a F.P. using one of the SARE rulesets, looks like the SARE_SUB_PENIS_OB rule might need some tweaking. Seems like it fired from the word pennies: Yep.. it's crap like that that makes me staunchly refuse to use .? as a gapping character.. It's really odd that this rule has an antidrug obfu style section AND a .? section.. I'd suggest splitting them up. This way the exemption words like pennies pencils, etc can all be handled only for the .? based rule.. the antidrug style obfu rule uses [\W_]? as a gap, and won't suffer from FPs on words like that, but it also won't catch anything obfuscated with extra-letter stuffing..
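The difference between the two gap styles described above, as an added example that is not part of the original post or of the SARE ruleset: the patterns are simplified stand-ins (the real SARE_SUB_PENIS_OB regex is not shown on this page), the exemption handling is one possible way to do the suggested split, and every subject except "Pennies From Heaven" is constructed.

```python
import re


def gapped(word, gap):
    """Build a regex for `word` with an optional `gap` between each letter."""
    return re.compile(gap.join(re.escape(ch) for ch in word), re.IGNORECASE)


# ".?" lets any single character, letters included, sit between the letters.
ANY_CHAR_RULE = gapped("penis", ".?")
# "[\W_]?" only lets punctuation, whitespace or underscore sit between them.
NONWORD_RULE = gapped("penis", r"[\W_]?")

# Exemption words named in the post; applied to the ".?" rule only.
EXEMPT = re.compile(r"\b(?:pennies|pencils)\b", re.IGNORECASE)


def raw_hits(subject):
    """(any-char gap hit, non-word gap hit) with no exemptions applied."""
    return (
        ANY_CHAR_RULE.search(subject) is not None,
        NONWORD_RULE.search(subject) is not None,
    )


def fired(subject):
    """Names of the rules that fire once the two styles are split up.

    The non-word-gap rule runs on the subject as-is. The any-char-gap rule
    runs after the exempt words are blanked out, so the exemption list never
    has to be maintained for the rule that cannot hit those words anyway.
    """
    rules = []
    if NONWORD_RULE.search(subject):
        rules.append("nonword_gap")
    if ANY_CHAR_RULE.search(EXEMPT.sub(" ", subject)):
        rules.append("any_char_gap")
    return rules


if __name__ == "__main__":
    for subject in ("Pennies From Heaven", "Sharpen your pencils",
                    "p_e_n_i_s", "pexnis"):
        print(f"{subject!r}: raw={raw_hits(subject)} split={fired(subject)}")
```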
Re: more spam gets through since SA 3.x
Hi Martin,

> I guess the thing to do is move the de stuff out of the directory and
> run the --lint again... if it passes without the 50 characters error
> then that's the issue.

thanks, that worked! The file is the culprit for the lint error message. Have filed a bug report (#4040, closed #4038).

Now -D --lint does not bring up any more error message. So I have to check why some spam gets through, and that brings me back to the ALL_TRUSTED rule... any ideas? Where can I adjust this?

Thanks!
Florian
Re: more spam gets through since SA 3.x
Hi Martin, how did you install SA - source, CPAN, or apt? Source. pick one with a rule in it that SA complains about in the "spamassassin -D --lint". They are 'text' files so you can grep the rule names. warning: description for PORN_URL_SEX is over 50 chars # grep -r "PORN_URL_SEX" /usr/local/share/spamassassin/* /usr/local/share/spamassassin/20_porn.cf:uri PORN_URL_SEX /^https?:\/\/[\w\.-]*(? /usr/local/share/spamassassin/20_porn.cf:describe PORN_URL_SEX URL uses words/phrases which indicate porn (sex) /usr/local/share/spamassassin/30_text_de.cf:lang de describe PORN_URL_SEX Worte/Phrasen in URL weisen auf Pornographie hin (sex) /usr/local/share/spamassassin/50_scores.cf:score PORN_URL_SEX 1.865 1.427 1.817 0.011 20_porn.cf: # SpamAssassin rules file: porn tests # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # Note: body tests are run with long lines, so be sure to limit the # size of searches; use /.{0,30}/ instead of /.*/ to avoid huge # search times. # # <@LICENSE> # Copyright 2004 Apache Software Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ### require_version 3.02 30_text_de.cf: # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. 
# # <@LICENSE> # Copyright 2004 Apache Software Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ### # character set used in the following texts (no need for iso-8859-15) lang de report_charset iso-8859-1 50_scores.cf: # SpamAssassin score file # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # <@LICENSE> # Copyright 2004 Apache Software Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ### # Default scores. Note that if a test is named in the files, but a score is # not assigned here, the default score will be set to 1. # The following block of scores were generated using the mass-checking # scripts, and a perceptron to determine the optimum scores which # resulted in minimum false positives or negatives. 
The scores are # weighted to produce roughly 1 false positive in 2500 non-spam messages # using the default threshold of 5.0. # Start of generated scores. Looks good, hm? Maybe the warning means 30_text_de.cf, which most of you don't use because you have English locales? but you'll get no rbl style tests.. Okay, that's a good point. Florian
F.P. with SARE rule
Good morning everyone,

I just got a F.P. using one of the SARE rulesets, looks like the SARE_SUB_PENIS_OB rule might need some tweaking. Seems like it fired from the word pennies:

Content preview: Pennies From Heaven The Daily Reckoning [...]

Content analysis details: (7.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.3 SARE_SUB_PENIS_OB      subject has obfuscated spammer topic
 1.9 LOW_INTEREST           BODY: Lower Interest Rates
 1.5 MORTGAGE_BEST          BODY: Information on mortgages
 1.2 BANG_MORE              BODY: Talks about more with an exclamation!
 0.0 HTML_MESSAGE           BODY: HTML included in message

--
Shawn Beairsto
Network Administrator
Data Kinetics Ltd.
http://www.dkl.com
OT found this and thought of y'all
http://scoot.net/gallery/bbs/1823137550.jpg -- Michael H. Collins Admiral, Penguinista Navy http://linuxlink.com /"\ASCII Ribbon Campaign \ / No HTML/RTF in email x No Word docs in email / \ Respect for open standards Take your laptop and yell out: "Can a brother get a ip address?"
Re: more spam gets through since SA 3.x
Florian yes I think it's the de locale stuff that's causing the problems. I can't believe no-ones come across this before -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Florian Effenberger wrote: Hi Martin, how did you install SA - source, CPAN, or apt? Source. pick one with a rule in it that SA complains about in the "spamassassin -D --lint". They are 'text' files so you can grep the rule names. warning: description for PORN_URL_SEX is over 50 chars # grep -r "PORN_URL_SEX" /usr/local/share/spamassassin/* /usr/local/share/spamassassin/20_porn.cf:uri PORN_URL_SEX /^https?:\/\/[\w\.-]*(? /usr/local/share/spamassassin/20_porn.cf:describe PORN_URL_SEX URL uses words/phrases which indicate porn (sex) /usr/local/share/spamassassin/30_text_de.cf:lang de describe PORN_URL_SEX Worte/Phrasen in URL weisen auf Pornographie hin (sex) /usr/local/share/spamassassin/50_scores.cf:score PORN_URL_SEX 1.865 1.427 1.817 0.011 20_porn.cf: # SpamAssassin rules file: porn tests # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # Note: body tests are run with long lines, so be sure to limit the # size of searches; use /.{0,30}/ instead of /.*/ to avoid huge # search times. # # <@LICENSE> # Copyright 2004 Apache Software Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. 
# # ### require_version 3.02 30_text_de.cf: # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # <@LICENSE> # Copyright 2004 Apache Software Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ### # character set used in the following texts (no need for iso-8859-15) lang de report_charset iso-8859-1 50_scores.cf: # SpamAssassin score file # # Please don't modify this file as your changes will be overwritten with # the next update. Use /etc/mail/spamassassin/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # <@LICENSE> # Copyright 2004 Apache Software Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ### # Default scores. Note that if a test is named in the files, but a score is # not assigned here, the default score will be set to 1. 
# The following block of scores were generated using the mass-checking # scripts, and a perceptron to determine the optimum scores which # resulted in minimum false positives or negatives. The scores are # weighted to produce roughly 1 false positive in 2500 non-spam messages # using the default threshold of 5.0. # Start of generated scores. Looks good, hm? Maybe the warning means 30_text_de.cf, which most of you don't use because you have English locales? but you'll get no rbl style tests.. Okay, that's a good point. Florian
Re: more spam gets through since SA 3.x
Hi Shane,

> To check bayes do spamassassin -D --lint and look for bayes info. Also,
> check your logs for BAYES entries.

debug: config: read file /usr/local/share/spamassassin/23_bayes.cf
debug: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks

I guess that means, no Bayes running. :-)

> I noticed a lot of spam that was getting through had invoked the all_trusted
> rule. Which, gives a -3.000 to the final score. I disabled this rule, for now
> at least.

Where do I set the networks that are in all_trusted? How do I disable this rule?

Thanks
Florian
Re: more spam gets through since SA 3.x
Florian Effenberger wrote: Hi Martin, what about the SA, CPAN or apt? how did you install SA - source, CPAN, or apt? sorry, I don't understand the question? Default files look OK.anything in the comments at the top of the rule files (the .cf files in /usr/local/share/spamassassin) Which files to check? pick one with a rule in it that SA complains about in the "spamassassin -D --lint". They are 'text' files so you can grep the rule names. also your network tests won't work till Net::DNS is at version 0.48... I still get RAZOR2_CHECK in my headers :) but you'll get no rbl style tests.. I presume you've stopped amavis-new/spamd etc before you've done all this?? Sure. Florian -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: more spam gets through since SA 3.x
Florian Effenberger wrote: Hi Rakesh, Well i cannot help much in your problem apart from saying what Jeff had said earlier, that you need to upgrade some of your Perl modules. the problem is that I run on a Debian 3.0 system that has older Perl modules. :-) But I couldn't help my curiosity as to why you have disabled Bayes. I know you might be having a good reason for doing that, I was just curious in knowing it. I want to check out how it works in some time, and then I'll activate it. I just disabled it because I did not have the time to look at it. :-) Florian Oh wow thts gr8 :-)
Re: more spam gets through since SA 3.x
Florian Florian Effenberger wrote: Hi Martin, ok - update Net::DNS to 0.48 (latest) and the URI checking will start to kick in...this helps a lot.. Okay, will try to do that. Anyone knows how I can tell SA to look Perl modules up in one additional directory? I don't want to erase the Debian package, but instead install the recent version in a separate directory and tell SA to use it. no idea, not a perl dude. I'd check the update went OK as a lot of these rules are defaults so they should be fine. they should be in /usr/local/share/spamassassin I have sent in my listing of /usr/local/share/spamassassin a message earlier. Does it look okay? Can't find it in my email system, and gmane's search doesn't want to work right now... can you repost.. oh and www.spamassassin.org doesn't work, but www.spamassassin.apache.org does.. Now all is back online again :) Florian -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
Re: more spam gets through since SA 3.x
Florian how did you install - apt or cpan??? Wonders if the apt package is confused... -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Florian Effenberger wrote: Hi, Well is it possible that the above warnings are coming because the cf files in /usr/share/spamassassin are that of the old 2.6X version and not that of 3.x. I have tested this by deleting the folder's contents and re-installing SA - same problem. Maybe it's because of too old Perl modules that this error message occurs? Thanks Florian
Re: more spam gets through since SA 3.x
Florian what about the SA, CPAN or apt? Default files look OK.anything in the comments at the top of the rule files (the .cf files in /usr/local/share/spamassassin) also your network tests won't work till Net::DNS is at version 0.48... I presume you've stopped amavis-new/spamd etc before you've done all this?? -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Florian Effenberger wrote: Hi Martin, how did you install - apt or cpan??? Wonders if the apt package is confused... I have installed all Perl modules from APT. Net-Server and libnet are manually installed into /usr/local/share/amavisd-new, because I needed them for amavisd-new. Florian
Re: more spam gets through since SA 3.x
To check bayes do spamassassin -D --lint and look for bayes info. Also, check your logs for BAYES entries.

I noticed a lot of spam that was getting through had invoked the all_trusted rule. Which, gives a -3.000 to the final score. I disabled this rule, for now at least.

Hope this helps,
Shane

- Original Message -
From: "Florian Effenberger" <[EMAIL PROTECTED]>
To: "Shane Mullins" <[EMAIL PROTECTED]>
Cc:
Sent: Friday, December 17, 2004 7:05 AM
Subject: Re: more spam gets through since SA 3.x

> Hi Shane,
>
> > I had a similar prob. Check to make sure Bayes is working. Also, check
> > the all trusted rule.
>
> How can I check that? GTUBE?
>
> Thanks
> Florian
Re: more spam gets through since SA 3.x
Hi, Your install files ;) Yup. :) And the active rulesets. Exactly. Could be. Some perl modules like Net::DNS are known to give issues, when using a older version. So you could do a checkup on that also. I have filed a bug report, ID 4038. Thanks Florian
Re: more spam gets through since SA 3.x
Hi! Locate .cf will show them i guess ;) /root/Mail-SpamAssassin-3.0.2/masses/mass-check.cf /root/Mail-SpamAssassin-3.0.2/rules/30_text_pl.cf /root/Mail-SpamAssassin-3.0.2/rules/20_fake_helo_tests.cf Your install files ;) /usr/local/share/spamassassin/20_body_tests.cf /usr/local/share/spamassassin/20_compensate.cf /usr/local/share/spamassassin/20_dnsbl_tests.cf /usr/local/share/spamassassin/20_drugs.cf /usr/local/share/spamassassin/20_fake_helo_tests.cf /usr/local/share/spamassassin/20_head_tests.cf /usr/local/share/spamassassin/20_html_tests.cf /usr/local/share/spamassassin/20_meta_tests.cf And the active rulesets. Looks good, hm? What do you think about the following theory: Some Perl modules don't work with SA 3.x as they are too old. Thus, some tests (particularly those with the warning in debug output) don't work. Thus, spam gets through. D'accord? Could be. Some perl modules like Net::DNS are known to give issues, when using a older version. So you could do a checkup on that also. Bye, Raymond.
Re: more spam gets through since SA 3.x
Hi Martin, what about the SA, CPAN or apt? sorry, I don't understand the question? Default files look OK.anything in the comments at the top of the rule files (the .cf files in /usr/local/share/spamassassin) Which files to check? also your network tests won't work till Net::DNS is at version 0.48... I still get RAZOR2_CHECK in my headers :) I presume you've stopped amavis-new/spamd etc before you've done all this?? Sure. Florian
Re: more spam gets through since SA 3.x
Hi Loren, Hi Raymond,

> Locate .cf will show them I guess ;)

Relevant occurrences:

/root/libnet-1.19/libnet.cfg
/root/libnet-1.19/blib/lib/Net/libnet.cfg
/root/Mail-SpamAssassin-3.0.2/masses/mass-check.cf
/root/Mail-SpamAssassin-3.0.2/rules/30_text_pl.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_fake_helo_tests.cf
/root/Mail-SpamAssassin-3.0.2/rules/regression_tests.cf
/root/Mail-SpamAssassin-3.0.2/rules/23_bayes.cf
/root/Mail-SpamAssassin-3.0.2/rules/10_misc.cf
/root/Mail-SpamAssassin-3.0.2/rules/30_text_nl.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_meta_tests.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_body_tests.cf
/root/Mail-SpamAssassin-3.0.2/rules/50_scores.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_dnsbl_tests.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_uri_tests.cf
/root/Mail-SpamAssassin-3.0.2/rules/local.cf
/root/Mail-SpamAssassin-3.0.2/rules/30_text_de.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_compensate.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_html_tests.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_ratware.cf
/root/Mail-SpamAssassin-3.0.2/rules/60_whitelist.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_drugs.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_porn.cf
/root/Mail-SpamAssassin-3.0.2/rules/25_hashcash.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_phrases.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_head_tests.cf
/root/Mail-SpamAssassin-3.0.2/rules/25_uribl.cf
/root/Mail-SpamAssassin-3.0.2/rules/30_text_fr.cf
/root/Mail-SpamAssassin-3.0.2/rules/25_body_tests_es.cf
/root/Mail-SpamAssassin-3.0.2/rules/20_anti_ratware.cf
/root/Mail-SpamAssassin-3.0.2/rules/25_spf.cf
/usr/local/share/spamassassin/10_misc.cf
/usr/local/share/spamassassin/20_anti_ratware.cf
/usr/local/share/spamassassin/20_body_tests.cf
/usr/local/share/spamassassin/20_compensate.cf
/usr/local/share/spamassassin/20_dnsbl_tests.cf
/usr/local/share/spamassassin/20_drugs.cf
/usr/local/share/spamassassin/20_fake_helo_tests.cf
/usr/local/share/spamassassin/20_head_tests.cf
/usr/local/share/spamassassin/20_html_tests.cf
/usr/local/share/spamassassin/20_meta_tests.cf
/usr/local/share/spamassassin/20_phrases.cf
/usr/local/share/spamassassin/20_porn.cf
/usr/local/share/spamassassin/20_ratware.cf
/usr/local/share/spamassassin/20_uri_tests.cf
/usr/local/share/spamassassin/23_bayes.cf
/usr/local/share/spamassassin/25_body_tests_es.cf
/usr/local/share/spamassassin/25_hashcash.cf
/usr/local/share/spamassassin/25_spf.cf
/usr/local/share/spamassassin/25_uribl.cf
/usr/local/share/spamassassin/30_text_de.cf
/usr/local/share/spamassassin/30_text_fr.cf
/usr/local/share/spamassassin/30_text_nl.cf
/usr/local/share/spamassassin/30_text_pl.cf
/usr/local/share/spamassassin/50_scores.cf
/usr/local/share/spamassassin/60_whitelist.cf
/usr/local/share/amavisd-new/Net/libnet.cfg
/etc/mail/spamassassin/local.cf

Looks good, hm?

What do you think about the following theory: Some Perl modules don't work with SA 3.x as they are too old. Thus, some tests (particularly those with the warning in debug output) don't work. Thus, spam gets through. D'accord?

Thanks
Florian
Re: more spam gets through since SA 3.x
Hi Shane,

> I had a similar prob. Check to make sure Bayes is working. Also, check the all trusted rule.

How can I check that? GTUBE?

Thanks
Florian
Re: more spam gets through since SA 3.x
Hi!

>> somewhere that is pointing to the 2.6 install, and SA is finding the rules there, rather than in the new directory where you installed.
>
> What "locate" string could I use to locate SA rules?

Locate .cf will show them I guess ;)

Bye,
Raymond.
Re: more spam gets through since SA 3.x
Hi Loren,

> I don't think so, but perhaps possible. I think more likely you have a path somewhere that is pointing to the 2.6 install, and SA is finding the rules there, rather than in the new directory where you installed.

What "locate" string could I use to locate SA rules?

Thanks
Florian
Re: more spam gets through since SA 3.x
Hi Martin,

> how did you install - apt or cpan??? Wonders if the apt package is confused...

I have installed all Perl modules from APT. Net-Server and libnet are manually installed into /usr/local/share/amavisd-new, because I needed them for amavisd-new.

Florian
Re: more spam gets through since SA 3.x
Hi Loren,

> From a quick scan of that, it looks like you have a somewhat messed up install. You shouldn't be getting those over-length warnings on the standard rules for 3.0. This makes me believe that somehow it is maybe finding your 2.6x rules, which will give this sort of error.

I did an updatedb and then a locate spamassassin which leads to:

/root/.spamassassin
/root/.spamassassin/user_prefs
/root/Mail-SpamAssassin-3.0.2/spamassassin.raw
/root/Mail-SpamAssassin-3.0.2/spamassassin.spec
/root/Mail-SpamAssassin-3.0.2/blib/man1/spamassassin.1p
/root/Mail-SpamAssassin-3.0.2/blib/script/spamassassin
/root/Mail-SpamAssassin-3.0.2/spamassassin
/usr/local/share/spamassassin
/usr/local/share/spamassassin/10_misc.cf
/usr/local/share/spamassassin/20_anti_ratware.cf
/usr/local/share/spamassassin/20_body_tests.cf
/usr/local/share/spamassassin/20_compensate.cf
/usr/local/share/spamassassin/20_dnsbl_tests.cf
/usr/local/share/spamassassin/20_drugs.cf
/usr/local/share/spamassassin/20_fake_helo_tests.cf
/usr/local/share/spamassassin/20_head_tests.cf
/usr/local/share/spamassassin/20_html_tests.cf
/usr/local/share/spamassassin/20_meta_tests.cf
/usr/local/share/spamassassin/20_phrases.cf
/usr/local/share/spamassassin/20_porn.cf
/usr/local/share/spamassassin/20_ratware.cf
/usr/local/share/spamassassin/20_uri_tests.cf
/usr/local/share/spamassassin/23_bayes.cf
/usr/local/share/spamassassin/25_body_tests_es.cf
/usr/local/share/spamassassin/25_hashcash.cf
/usr/local/share/spamassassin/25_spf.cf
/usr/local/share/spamassassin/25_uribl.cf
/usr/local/share/spamassassin/30_text_de.cf
/usr/local/share/spamassassin/30_text_fr.cf
/usr/local/share/spamassassin/30_text_nl.cf
/usr/local/share/spamassassin/30_text_pl.cf
/usr/local/share/spamassassin/50_scores.cf
/usr/local/share/spamassassin/60_whitelist.cf
/usr/local/share/spamassassin/user_prefs.template
/usr/local/share/spamassassin/triplets.txt
/usr/local/share/spamassassin/languages
/usr/local/bin/spamassassin
/usr/local/man/man1/spamassassin.1p
/etc/init.d/spamassassin
/etc/default/spamassassin
/etc/rc0.d/K20spamassassin
/etc/rc1.d/K20spamassassin
/etc/rc2.d/S20spamassassin
/etc/rc3.d/S20spamassassin
/etc/rc4.d/S20spamassassin
/etc/rc5.d/S20spamassassin
/etc/rc6.d/K20spamassassin
/etc/mail/spamassassin
/etc/mail/spamassassin/local.cf
/etc/mail/spamassassin/init.pre
/var/amavis/.spamassassin
/var/amavis/.spamassassin/bayes_toks
/var/amavis/.spamassassin/bayes_seen
/var/amavis/.spamassassin/bayes_journal
/var/amavis/.spamassassin/bayes.mutex

Looks good, doesn't it?

> Did you replace the 2.6x install, or do a new install in parallel? If in parallel, there must be some paths here and there in scripts or the like that need to be cleaned up to point to the new install. If you installed over the 2.6x stuff, maybe you need to throw it away and do a clean install of 3.0 to get rid of the older rules.

I just did a cleanup and re-installed 3.0.2, but the problem persists. :-( What "locate" string could I use to locate SA rules?

> Also, it notes down at the bottom that you need to get a newer version of Net::DNS from Cpan. You will need this to enable the network tests. There are a few notes about network tests failing for lack of a socket. While I don't know for sure, this could be related to Net::DNS.

Network tests seem to work, as I have RAZOR2 scores in my msgs.

Florian
Re: more spam gets through since SA 3.x
Hi Martin,

> Can't find it in my email system, and Gmane's search doesn't want to work right now... can you repost..

of course!

insgesamt 576
-rw-r--r-- 1 root staff 6018 17. Dez 11:21 10_misc.cf
-rw-r--r-- 1 root staff 1605 17. Dez 11:21 20_anti_ratware.cf
-rw-r--r-- 1 root staff 8198 17. Dez 11:21 20_body_tests.cf
-rw-r--r-- 1 root staff 1613 17. Dez 11:21 20_compensate.cf
-rw-r--r-- 1 root staff 12083 17. Dez 11:21 20_dnsbl_tests.cf
-rw-r--r-- 1 root staff 15700 17. Dez 11:21 20_drugs.cf
-rw-r--r-- 1 root staff 11268 17. Dez 11:21 20_fake_helo_tests.cf
-rw-r--r-- 1 root staff 27711 17. Dez 11:21 20_head_tests.cf
-rw-r--r-- 1 root staff 15487 17. Dez 11:21 20_html_tests.cf
-rw-r--r-- 1 root staff 10939 17. Dez 11:21 20_meta_tests.cf
-rw-r--r-- 1 root staff 22099 17. Dez 11:21 20_phrases.cf
-rw-r--r-- 1 root staff 4966 17. Dez 11:21 20_porn.cf
-rw-r--r-- 1 root staff 14139 17. Dez 11:21 20_ratware.cf
-rw-r--r-- 1 root staff 5032 17. Dez 11:21 20_uri_tests.cf
-rw-r--r-- 1 root staff 2334 17. Dez 11:21 23_bayes.cf
-rw-r--r-- 1 root staff 9117 17. Dez 11:21 25_body_tests_es.cf
-rw-r--r-- 1 root staff 2738 17. Dez 11:21 25_hashcash.cf
-rw-r--r-- 1 root staff 2304 17. Dez 11:21 25_spf.cf
-rw-r--r-- 1 root staff 4703 17. Dez 11:21 25_uribl.cf
-rw-r--r-- 1 root staff 52293 17. Dez 11:21 30_text_de.cf
-rw-r--r-- 1 root staff 40682 17. Dez 11:21 30_text_fr.cf
-rw-r--r-- 1 root staff 57934 17. Dez 11:21 30_text_nl.cf
-rw-r--r-- 1 root staff 34803 17. Dez 11:21 30_text_pl.cf
-rw-r--r-- 1 root staff 29378 17. Dez 11:21 50_scores.cf
-rw-r--r-- 1 root staff 6887 17. Dez 11:21 60_whitelist.cf
-rw-r--r-- 1 root staff 101479 17. Dez 11:21 languages
-rw-r--r-- 1 root staff 18944 17. Dez 11:21 triplets.txt
-rw-r--r-- 1 root staff 1557 17. Dez 11:21 user_prefs.template

Florian
Re: more spam gets through since SA 3.x
I had a similar prob. Check to make sure Bayes is working. Also, check the all trusted rule.

Shane

- Original Message -
From: "Florian Effenberger" <[EMAIL PROTECTED]>
To:
Sent: Friday, December 17, 2004 3:44 AM
Subject: more spam gets through since SA 3.x

> Hello fellow SA users,
>
> maybe it is a pure coincidence that I receive more spam, but I have the feeling that more spam gets through since SA 3.x.
>
> When I look at the untagged spam, it often has only a rating of 1.6 or 3.0, although it looks clearly like spam. In SA 2.x, I had a threshold of 7, now I've lowered it to 6, but there is still more spam getting through now.
>
> Has anything changed I might have overlooked? I run SA through amavisd-new.
>
> Thanks
> Florian
Learning from forwarded messages
Hello all,

I'm stuck with the problem that incorrectly tagged mail to a dedicated "spam" and "non-spam" mailbox now comes from the user, seeing as Outlook strips out pretty much every useful header.

I went through the archives and came upon a script (included below) posted by Ryan Moore. Ryan, care to explain how you use it? I tried running the script with the spam mail as input, but it doesn't seem to do anything.

Has anybody found an elegant solution for this problem? The clients are Outlook, and I've seen many an Outlook break badly if you try to add an IMAP account to it, so I'm not keen on trying that (even though IMAP is the best solution - proven in our office where we use kmail/evolution).

Thanks

http://h0b0.net/salearn.txt

#!/bin/bash
# Reads the forwarded mail on stdin. Give the attached original a fixed
# file name so that ripmime writes it out as spamtmporig.eml.
sed -e'/^Content-Type: message\/rfc822;/N;s/\n *name="\([^"]*\)"/\n name="spamtmporig.eml"/' > /tmp/spamtmp.eml
cd /tmp
mkdir -p spamtmp
rm -f /tmp/spamtmp/*
cd spamtmp
mv ../spamtmp.eml .
# Unpack the MIME parts into the current directory.
cat spamtmp.eml | /usr/local/bin/ripmime -i - -d .
# Feed the original message, headers included, to sa-learn.
cat spamtmporig.eml | /usr/bin/sa-learn --spam

--
Kind regards
Hans du Plooy
Newington Consulting Services
hansdp at newingtoncs dot co dot za
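The job the script in the post above does, as an added Python example that is not part of the original post or of Ryan Moore's script: it pulls the message/rfc822 attachment out of a forwarded mail in memory and pipes it to sa-learn, so no fixed file names under /tmp are involved. The sample message is constructed, the sa-learn path is the one from the post, and the function names are assumptions of this example.

```python
"""Feed the original of a forwarded-as-attachment mail to sa-learn."""
import email
import subprocess
import sys

SA_LEARN = "/usr/bin/sa-learn"  # path taken from the script in the post


def _attached(part):
    """Yield messages attached as message/rfc822, outermost only."""
    if part.get_content_type() == "message/rfc822":
        payload = part.get_payload()
        if isinstance(payload, list) and payload:
            yield payload[0]
        return  # never descend into the original itself
    if part.is_multipart():
        for sub in part.get_payload():
            yield from _attached(sub)


def extract_forwarded(raw):
    """Return each attached original as bytes, with its own headers.

    An inline forward has no message/rfc822 part, so the result is an
    empty list and nothing is learned from the forwarder's headers.
    """
    outer = email.message_from_bytes(raw)
    return [msg.as_bytes() for msg in _attached(outer)]


def learn(originals, kind="spam"):
    """Pipe each original to sa-learn --spam or sa-learn --ham."""
    if kind not in ("spam", "ham"):
        raise ValueError("kind must be 'spam' or 'ham'")
    for msg in originals:
        subprocess.run([SA_LEARN, "--" + kind], input=msg, check=True)


# Constructed sample: a user forwards a missed spam as an attachment.
SAMPLE = b"""\
From: user@example.org
To: spam@example.org
Subject: FW: please learn this
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

This one got through.

--BOUND
Content-Type: message/rfc822;
 name="Cheap pills.eml"
Content-Disposition: attachment

Received: from mail.sender.invalid (mail.sender.invalid [192.0.2.25])
 by mx.example.org; Fri, 17 Dec 2004 09:10:19 +0000
From: seller@sender.invalid
To: user@example.org
Subject: Cheap pills
Message-ID: <constructed-1@sender.invalid>

Buy now.

--BOUND--
"""

if __name__ == "__main__":
    # Usage: script.py [spam|ham] < forwarded-mail
    found = extract_forwarded(sys.stdin.buffer.read())
    if not found:
        sys.exit("no message/rfc822 attachment found; nothing learned")
    learn(found, sys.argv[1] if len(sys.argv) > 1 else "spam")
```

Run as a pipe target for the dedicated mailbox, it refuses to learn when the user forwarded inline instead of as an attachment, because in that case the original headers are already gone.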
Re: more spam gets through since SA 3.x
> I have tested this by deleting the folders contents and re-installing SA
> - same problem.
>
> Maybe it's because of too old Perl modules that this error message occurs?

I don't think so, but perhaps possible. I think more likely you have a path somewhere that is pointing to the 2.6 install, and SA is finding the rules there, rather than in the new directory where you installed.

Loren
Re: more spam gets through since SA 3.x
Hi Jeff,

> This means you're using old pre-3.X rules.

Hm... where are they located? I never modified the rules and installed 3.0.2 just some minutes ago. /usr/local/share/spamassassin lists

-rw-r--r-- 1 root root 6018 17. Dez 09:24 10_misc.cf
-rw-r--r-- 1 root root 1605 17. Dez 09:24 20_anti_ratware.cf
-rw-r--r-- 1 root root 8198 17. Dez 09:24 20_body_tests.cf
-rw-r--r-- 1 root root 1613 17. Dez 09:24 20_compensate.cf
-rw-r--r-- 1 root root 12083 17. Dez 09:24 20_dnsbl_tests.cf
-rw-r--r-- 1 root root 15700 17. Dez 09:24 20_drugs.cf
-rw-r--r-- 1 root root 11268 17. Dez 09:24 20_fake_helo_tests.cf
-rw-r--r-- 1 root root 27711 17. Dez 09:24 20_head_tests.cf
-rw-r--r-- 1 root root 15487 17. Dez 09:24 20_html_tests.cf
-rw-r--r-- 1 root root 10939 17. Dez 09:24 20_meta_tests.cf
-rw-r--r-- 1 root root 22099 17. Dez 09:24 20_phrases.cf
-rw-r--r-- 1 root root 4966 17. Dez 09:24 20_porn.cf
-rw-r--r-- 1 root root 14139 17. Dez 09:24 20_ratware.cf
-rw-r--r-- 1 root root 5032 17. Dez 09:24 20_uri_tests.cf
-rw-r--r-- 1 root root 2334 17. Dez 09:24 23_bayes.cf
-rw-r--r-- 1 root root 9117 17. Dez 09:24 25_body_tests_es.cf
-rw-r--r-- 1 root root 2738 17. Dez 09:24 25_hashcash.cf
-rw-r--r-- 1 root root 2304 17. Dez 09:24 25_spf.cf
-rw-r--r-- 1 root root 4703 17. Dez 09:24 25_uribl.cf
-rw-r--r-- 1 root root 52293 17. Dez 09:24 30_text_de.cf
-rw-r--r-- 1 root root 40682 17. Dez 09:24 30_text_fr.cf
-rw-r--r-- 1 root root 57934 17. Dez 09:24 30_text_nl.cf
-rw-r--r-- 1 root root 34803 17. Dez 09:24 30_text_pl.cf
-rw-r--r-- 1 root root 29378 17. Dez 09:24 50_scores.cf
-rw-r--r-- 1 root root 6887 17. Dez 09:24 60_whitelist.cf
-rw-r--r-- 1 root root 101479 17. Dez 09:24 languages
-rw-r--r-- 1 root root 18944 17. Dez 09:24 triplets.txt
-rw-r--r-- 1 root root 1557 17. Dez 09:24 user_prefs.template

> Network tests like RBL, SURBL, etc. probably won't work unless you upgrade your Net::DNS to something more recent.

Okay, will try to do that. Does anyone know how I can tell SA to look Perl modules up in one additional directory? I don't want to erase the Debian package, but instead install the recent version in a separate directory and tell SA to use it.

Thanks
Florian
Re: more spam gets through since SA 3.x
Hi Rakesh,

> Well I cannot help much in your problem apart from saying what Jeff had said earlier, that you need to upgrade some of your Perl modules.

the problem is that I run on a Debian 3.0 system that has older Perl modules. :-)

> But I couldn't help my curiosity as to why you have disabled Bayes. I know you might be having a good reason for doing that, I was just curious in knowing it.

I want to check out how it works in some time, and then I'll activate it. I just disabled it because I did not have the time to look at it. :-)

Florian
Re: more spam gets through since SA 3.x
Hi,

> Well is it possible that the above warnings are coming because the cf files in /usr/share/spamassassin are that of the old 2.6X version and not that of 3.x.

I have tested this by deleting the folders contents and re-installing SA - same problem.

Maybe it's because of too old Perl modules that this error message occurs?

Thanks
Florian
Re: more spam gets through since SA 3.x
Hi Loren,

> Are you running bayes and getting a lot of bayes_99 hits? If so, the score for bayes-99 is a lot lower in 3.0. This has caused problems for some people.

I don't run Bayes. Did not run it with 2.64 as well, and it worked fine without.

> Have you run lint to make sure that all of your rule files are good? Things changed since 2.6x, and SA is pickier about what is valid and not. So it may be tossing out a whole lot of your local rules if you have some syntax errors.

Have attached the lint output in an earlier mail, but I never had any local rules, in fact, I left the SA install alone and did not change much.

Thanks
Florian
Re: more spam gets through since SA 3.x
Florian Effenberger wrote:

> warning: description for TO_ADDRESS_EQ_REAL is over 50 chars
> warning: description for PRIORITY_NO_NAME is over 50 chars
> warning: description for HTML_MIME_NO_HTML_TAG is over 50 chars
> warning: description for MSGID_FROM_MTA_HEADER is over 50 chars
> warning: description for __RCVD_IN_SBL_XBL is over 50 chars
> warning: description for EXCUSE_REMOVE is over 50 chars
> warning: description for T_DNS_FROM_SECURITYSAGE is over 50 chars
> warning: description exists for non-existent rule T_DNS_FROM_SECURITYSAGE

Well is it possible that the above warnings are coming because the cf files in /usr/share/spamassassin are that of the old 2.6X version and not that of 3.x.

> Net::DNS version is 0.23, but need 0.34dnsavailable-1 at /usr/local/share/perl/5.6.1/Mail/SpamAssassin/Dns.pm line 1230.
> debug: DCCifd is not available: no r/w dccifd socket found.
> debug: DCC is not available: no executable dccproc found.
> debug: Pyzor is not available: pyzor not found
> lint: 188 issues detected. please rerun with debug enabled for more information.
>
> Thanks
> Florian

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
--
Success is not a destination that you ever reach. Success is the quality of your journey
--
Netcore's New Website http://www.netcore.co.in
--
Re: more spam gets through since SA 3.x
Hi Wolfgang,

> there have been numerous threads about ALL_TRUSTED networks - have a look at the details whether it appears there too

unfortunately, the SA site seems to be down at the moment, so I could not look it up. Could you please point me to the right page?

Do you mean that some of the Spam I might be getting is from within a trusted network and thus gets not marked as Spam?

Thanks
Florian
Re: more spam gets through since SA 3.x
Hi Martin,

> what extra rules have you in /etc/mail/spamassassin.

This directory contains two files: init.pre and local.cf

init.pre contains (I have not changed this file):

===
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# This file will be loaded before *all other* configuration files, including
# the system configuration. As such, it's a good place to set things that
# will affect how those files are parsed, like which plugins are loaded
# etc.
#
###

# RelayCountry - add metadata for Bayes learning, marking the countries
# a message was relayed through
#
# loadplugin Mail::SpamAssassin::Plugin::RelayCountry

# URIDNSBL - look up URLs found in the message against several DNS
# blocklists.
#
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

# Hashcash - perform hashcash verification.
#
loadplugin Mail::SpamAssassin::Plugin::Hashcash

# SPF - perform SPF verification.
#
loadplugin Mail::SpamAssassin::Plugin::SPF
===

local.cf contains:

===
report_safe 0
use_auto_whitelist 0
lock_method flock
===

> Do you use bayes and did you --sync the database...

Bayes is disabled, as it was in 2.64 (that had good results).

> have you enabled the URI scanning? I find this helps a lot...

Where can I enable it? Is this a new feature since 3.0?

> Also does spamassassin -D --lint show any problems..

Lines that seem to have trouble are:

debug: diag: module not installed: DBI ('require' failed)
debug: diag: module not installed: Net::LDAP ('require' failed)
warning: description for PORN_URL_SEX is over 50 chars
warning: description for HTML_NONELEMENT_70_80 is over 50 chars
warning: description for X_MSMAIL_PRIORITY_HIGH is over 50 chars
warning: description for RCVD_IN_SORBS_ZOMBIE is over 50 chars
warning: description for FORGED_THEBAT_HTML is over 50 chars
warning: description for WE_HONOR_ALL is over 50 chars
warning: description exists for non-existent rule T_RCVD_IN_IADB_LIST
warning: description for FROM_STARTS_WITH_NUMS is over 50 chars
warning: description for ALL_TRUSTED is over 50 chars
warning: description for FORGED_GW05_RCVD is over 50 chars
warning: description for HDR_ORDER_TRIMRS is over 50 chars
warning: description for INVALID_TZ_GMT is over 50 chars
warning: description for HASHCASH_2SPEND is over 50 chars
warning: description for HTML_EVENT_UNSAFE is over 50 chars
warning: description for INVALID_TZ_EST is over 50 chars
warning: description for RATWARE_HASH_2 is over 50 chars
warning: description for MAILTO_SUBJ_REMOVE is over 50 chars
warning: description for NO_DNS_FOR_FROM is over 50 chars
warning: description for FORGED_AOL_RCVD is over 50 chars
warning: description for SPF_SOFTFAIL is over 50 chars
warning: description for RCVD_IN_SORBS_DUL is over 50 chars
warning: description for MARKETING_PARTNERS is over 50 chars
warning: description for URIBL_SBL is over 50 chars
warning: description for ROUND_THE_WORLD is over 50 chars
warning: description for EXCUSE_10 is over 50 chars
warning: description for MSGID_SPAM_ALPHA_NUM is over 50 chars
warning: description for EXCUSE_19 is over 50 chars
warning: description for RCVD_IN_SBL is over 50 chars
warning: description for PORN_URL_MISC is over 50 chars
warning: description for MAILTO_TO_SPAM_ADDR is over 50 chars
warning: description for X_ORIG_IP_NOT_IPV4 is over 50 chars
warning: description for FORGED_YAHOO_RCVD is over 50 chars
warning: description for FORGED_EUDORAMAIL_RCVD is over 50 chars
warning: description for FORGED_RCVD_HELO is over 50 chars
warning: description for HTML_FONT_FACE_CAPS is over 50 chars
warning: description exists for non-existent rule T_RCVD_IN_IADB_LIST_T
warning: description for X_AUTH_WARN_FAKED is over 50 chars
warning: description for FORGED_HOTMAIL_RCVD2 is over 50 chars
warning: description for RCVD_IN_NJABL_MULTI is over 50 chars
warning: description for BILL_1618 is over 50 chars
warning: description for MSGID_SPAM_ZEROES is over 50 chars
warning: description for RCVD_IN_MAPS_NML is over 50 chars
warning: description for DATE_IN_PAST_48_96 is over 50 chars
warning: description for RCVD_IN_MAPS_RBL is over 50 chars
warning: description for HTML_SHOUTING3 is over 50 chars
warning: description for HTML_SHOUTING4 is over 50 chars
warning: description for HTML_SHOUTING5 is over 50 chars
warning: description for HTML_SHOUTING6 is over 50 chars
warning: description for HTML_SHOUTING7 is over 50 chars
warning: description for SB_NEW_BULK is over 50 chars
warning: description for FROM_NUM_AT_WEBMAIL is over 50 chars
warning: description for FROM_HAS_MIXED_NUMS3 is over 50 chars
warning: description for HTML_NONELEMENT_20_30 is over 50 chars
warning: description for DATE_IN_FUTURE_48_96 is over 50 chars
warning: description for NOT_ADVISOR is over 50 chars
warning: description for HOT_NASTY is over 50 chars
warning: description for RCVD_IN_BSP_OTHER is over 50 c
Re: more spam gets through since SA 3.x
Florian Effenberger wrote:

> Hi Loren,
>
>> Are you running bayes and getting a lot of bayes_99 hits? If so, the score for bayes-99 is a lot lower in 3.0. This has caused problems for some people.
>
> I don't run Bayes. Did not run it with 2.64 as well, and it worked fine without.

Well I cannot help much in your problem apart from saying what Jeff had said earlier, that you need to upgrade some of your Perl modules.

But I couldn't help my curiosity as to why you have disabled Bayes. I know you might be having a good reason for doing that, I was just curious in knowing it.

--
Regards,
Rakesh B. Pal
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
--
Success is not a destination that you ever reach. Success is the quality of your journey
--
Netcore's New Website http://www.netcore.co.in
--
Re: more spam gets through since SA 3.x
Are you running bayes and getting a lot of bayes_99 hits? If so, the score for bayes-99 is a lot lower in 3.0. This has caused problems for some people.

Alternately, do you *think* you are running bayes, but maybe it isn't working? The database format changed and you need to upgrade it forward for bayes to work. spamassassin -D will tell you if it is working and trained.

Have you run lint to make sure that all of your rule files are good? Things changed since 2.6x, and SA is pickier about what is valid and not. So it may be tossing out a whole lot of your local rules if you have some syntax errors.

Loren
Re: some messages just arent scanned
Hi...

--On Thursday, December 16, 2004 4:05 PM + Ronan McGlue <[EMAIL PROTECTED]> wrote:

> Hi
>
> I have a situation where some of the time some messages get through without being scanned at all, and some other get through but without specific headers...
>
> eg
> X-Spam-Score-Int: 174
> X-Spam-Report: Start SpamAssassin results ...
>
> but not
> X-Spam-Score: + (17.4)
> or whatever it should be...
>
> What I do know is that I quite frequently get the following in my exim logs
>
> 2004-12-16 12:02:12 1CeuKY-0007IQ-9E spam acl condition: spamd connection to 127.0.0.1, port 783 failed: Connection timed out
>
> does this indicate that I do not have enough spamd processes spawned or that I don't have enough conns-per-child etc... or what?
>
> any help please?

I was seeing the same. Increasing the number of spamd processes (-m) fixed it for me.

Cheers,
Richard Hopkins,
Information Services, Computer Centre,
University of Bristol, Bristol, BS8 1UD, UK
Tel +44 117 928 7859 Fax +44 117 929 1576
Re: more spam gets through since SA 3.x
On Friday, December 17, 2004, 1:44:28 AM, Florian Effenberger wrote:
[...]
> warning: description for __RCVD_IN_SBL_XBL is over 50 chars
> warning: description for EXCUSE_REMOVE is over 50 chars
> warning: description for T_DNS_FROM_SECURITYSAGE is over 50 chars

This means you're using old pre-3.X rules.

> Net::DNS version is 0.23, but need 0.34dnsavailable-1 at

Network tests like RBL, SURBL, etc. probably won't work unless you upgrade your Net::DNS to something more recent.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: more spam gets through since SA 3.x
Hi Florian,

there have been numerous threads about ALL_TRUSTED networks - have a look at the details whether it appears there too

Wolfgang

>> Hello fellow SA users,
>>
>> maybe it is a pure coincidence that I receive more spam, but I have the
>> feeling that more spam gets through since SA 3.x.
>>
>> When I look at the untagged spam, it often has only a rating of 1.6 or
>> 3.0, although it looks clearly like spam. In SA 2.x, I had a threshold
>> of 7, now I've lowered it to 6, but there is still more spam getting
>> through now.
>>
>> Has anything changed I might have overlooked? I run SA through amavisd-new.
>>
>> Thanks
>> Florian
>>
Re: more spam gets through since SA 3.x
Florian

what extra rules have you in /etc/mail/spamassassin.

Do you use bayes and did you --sync the database...

have you enabled the URI scanning? I find this helps a lot...

Also does spamassassin -D --lint show any problems..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Florian Effenberger wrote:

> Hello fellow SA users,
>
> maybe it is a pure coincidence that I receive more spam, but I have the feeling that more spam gets through since SA 3.x.
>
> When I look at the untagged spam, it often has only a rating of 1.6 or 3.0, although it looks clearly like spam. In SA 2.x, I had a threshold of 7, now I've lowered it to 6, but there is still more spam getting through now.
>
> Has anything changed I might have overlooked? I run SA through amavisd-new.
>
> Thanks
> Florian

**
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**
Insecure dependency still
Hi,

I've just upgraded to 3.0.2 to see if this would ease my problem, but I'm still getting the same errors as I was with 3.0

I'm running spamd on a Fedora Core 2 machine with perl 5.8.3, connecting remotely from a Solaris server running exim. Some mails get scanned fine, some get the following errors:

Dec 17 09:10:19 spambox spamd[23372]: logmsg: error: Insecure dependency in eval while running with -T switch at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/PerMsgStatus.pm line 1685, line 136._ , continuing
Dec 17 09:10:19 spambox spamd[23372]: error: Insecure dependency in eval while running with -T switch at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/PerMsgStatus.pm line 1685, line 136._ , continuing

spamc then gives up and passes the mail back to exim, which delivers the mail to the local mailbox unscanned.

I know I've brought this up before, as did someone else, but has anyone got any ideas? I've got no issues with my personal desktop (fedora 1 with exim) scanning my own domain's mail running 3.0.1, and if I revert to the Solaris mail server scanning the mail itself (using 2.63... I know, I should be using 2.64), it's fine as well.

TIA,
Owen

--
Via Net.Works UK Ltd
Local Touch Global Reach
Owen McShane
Systems Administrator
http://www.vianetworks.co.uk
Tel +44 (0)1925 48
more spam gets through since SA 3.x
Hello fellow SA users, maybe it is a pure coincidence that I receive more spam, but I have the feeling that more spam gets through since SA 3.x. When I look at the untagged spam, it often has only a rating of 1.6 or 3.0, although it looks clearly like spam. In SA 2.x, I had a threshold of 7, now I've lowered it to 6, but there is still more spam getting through now. Has anything changed I might have overlooked? I run SA through amavisd-new. Thanks Florian
Re: cannot write and parse errors
On Thu, 16 Dec 2004, Richard Ozer wrote:

> It looks like your port had a 2.x local.cf file

Thanks very much to all who responded. The port in question is 3.0.1 on FreeBSD 5.2.1. I had CVSUP'd the system before installing SA, so I'm reasonably sure what I got was current.

Note for the FBSD ports maintainers, if you're on this list: Maybe it's not so good to include 2.x configs with 3.x distros

thanks again
dn