Re: Re: Sudden spam volume decrease?

2005-01-14 Thread Nigel Frankcom
I do wonder if spam fell off at about 12.30 GMT - about the time BT
binned a few adsl's in error... of course

http://news.bbc.co.uk/1/hi/business/4175805.stm




On Fri, 14 Jan 2005 12:47:34 -0800, "jdow" <[EMAIL PROTECTED]> wrote:

>From: "John Wilcock" <[EMAIL PROTECTED]>
>
>> Menno van Bennekom wrote:
>> > Spam is about normal here, but the number of viruses caught is one tenth
>> > of the normal amount the last days. I double-checked amavisd/clamav but
>> > everything is working normal, it must be the silence before the storm..
>>
>> I've seen a slight decrease in spam (down about 10%) since Xmas but,
>> like you, hardly any viruses for the last few days. First the number of
>> Sober.J's tailed off at the weekend, and now there's just the occasional
>> solitary Bagle or Netsky.
>>
>> Is this a coincidence, or should we be battening down the hatches...?
>>
>> John.
>
>Hm, this was a one day drop from 250 to 300 spams per day down to only
>140 or so. I was astonished. Today looks like it might be back up to
>"normal", sigh.
>
>{^_^}



Re: Spam getting through

2005-01-14 Thread Joe Zitnik
Thank you JD, that is the direction most everyone has been pointing me
in.

>>> "jdow" <[EMAIL PROTECTED]> 01/14/05 3:50 PM >>>
From: "Joe Zitnik" <[EMAIL PROTECTED]>

> Keith,
> Why would you need to be psychic?
> 
> 1.  My e-mail shows the NAME of my rule - MY_CAPABLE
> 2.  My e-mail shows the MY_CAPABLE rule worked, adding 11 points to the
> score
> 3.  My e-mail shows my threshold is 4 points, and the e-mail scored
> 14.
> 4.  I stated this was from an e-mail that made it through.
> 
> I was not asking for rule debugging, since the rule obviously worked
> and works on other e-mail, as it shows in the scoring of the e-mail when
> fed through manually.  What I was looking for was possible reasons
> e-mail that was over my threshold might be making it through.  I hope
> that clarifies.

Joe, if it was properly marked as spam and got through that means some
filter OUTSIDE of SpamAssassin is screwing up. Look there.
{^_^}




Re: Verizon hosting spammers :)

2005-01-14 Thread Alex Broens
Chris Santerre wrote:
> Brief header I'm not too interested in. 
>
> HTML code showing verizon site. Should we block all mysite pages? /sniker/
>
> http://mysite.verizon.net/resoxfmz/1.htm";>http://pws.prserv.net/maxlife/EBA.jpg"; width="620"
> height="393">
> http://mysite.verizon.net/resoxfmz/ServiceBasic.htm";>Legal
> http://mysite.verizon.net/resoxfmz/1.htm";>Privacy 
> http://mysite.verizon.net/resoxfmz/ServiceBasic.htm";>Preferences >> >> Will they give the child a good religious upbringing?
> That's our religion, isn't it? How ya doin'?

yep. and if you mail "abuse" from europe they won't accept the message. :-)
blocked locally :-) didn't want to risk Jeff's beating.
Alex



Re: maintaining the 2.6 branch

2005-01-14 Thread Thomas Schulz
> Martin Hepworth wrote:
> 
> > Another reason
> [snip]
> > I shall be sticking to 2.64 for the forsee-able future as 3.02 gives me
> > no advantage and quite a high likelihood of more spam dropping through
> > the system!

Well, some rules do have reduced scores, but there have been rules added
that bring the total score back up.  For anyone running a stock 2.64,
3.02 will catch more spam.  We went from catching 70% of the spam to
catching 95% with the upgrade to 3.02.

> Not specific to Martin's reply, but thanks to all the responses regarding
> continued use of SA2.64.  I'd like to be able to offer to take on 2.64
> maintenance (with the help of others), but I would simply be biting over
> too much.  For the moment anyway.


Given that everyone sticking with 2.64 says that it is working fine,  it
would seem that no maintenance is necessary.
 

> One thing that occurred to me just now - some of the problems we've
> discussed, like the FORGED_MUA_OUTLOOK, are purely to do with the
> rulesets/-definitions.  Has any thought been given to producing separate
> "packages" for SA code and SA rules?  For 2.6 or 3.0?  Along the lines of
> what ClamAV does perhaps.
> 
> 
> /Per Jessen, Zürich
> 

Tom Schulz
Applied Dynamics Intl.
[EMAIL PROTECTED]


Verizon hosting spammers :)

2005-01-14 Thread Chris Santerre
Brief header I'm not too interested in. 

Received: from mail.printosh.hu (241.75-228-195.hosting.adatpark.hu
[195.228.75.241])
by moglobal.com (8.12.5/8.12.5) with ESMTP id j0E5Lj1E012550
for <[EMAIL PROTECTED]>; Fri, 14 Jan 2005 00:21:47 -0500
Received: from [195.228.75.61] (HELO 195.228.75.41)
  by mail.printosh.hu (CommuniGate Pro SMTP 4.1.8)
  with SMTP id 152241; Fri, 14 Jan 2005 06:20:51 +0100
Message-ID: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
From: "Low-Cost Term Life" <[EMAIL PROTECTED]>

HTML code showing verizon site. Should we block all mysite pages? /sniker/

http://mysite.verizon.net/resoxfmz/1.htm";>http://pws.prserv.net/maxlife/EBA.jpg"; width="620"
height="393">
http://mysite.verizon.net/resoxfmz/ServiceBasic.htm";>Legal
http://mysite.verizon.net/resoxfmz/1.htm";>Privacy 
http://mysite.verizon.net/resoxfmz/ServiceBasic.htm";>Preferences >> >> Will they give the child a good religious upbringing?
That's our religion, isn't it? How ya doin'?


Chris Santerre 
System Admin and SARE/SURBL Ninja
http://www.rulesemporium.com
http://www.surbl.org
'It is not the strongest of the species that survives,
not the most intelligent, but the one most responsive to change.'
Charles Darwin 


Re: Spam getting through

2005-01-14 Thread jdow
From: "Joe Zitnik" <[EMAIL PROTECTED]>

> Keith,
> Why would you need to be psychic?
> 
> 1.  My e-mail shows the NAME of my rule - MY_CAPABLE
> 2.  My e-mail shows the MY_CAPABLE rule worked, adding 11 points to the
> score
> 3.  My e-mail shows my threshold is 4 points, and the e-mail scored
> 14.
> 4.  I stated this was from an e-mail that made it through.
> 
> I was not asking for rule debugging, since the rule obviously worked
> and works on other e-mail, as it shows in the scoring of the e-mail when
> fed through manually.  What I was looking for was possible reasons
> e-mail that was over my threshold might be making it through.  I hope
> that clarifies.

Joe, if it was properly marked as spam and got through that means some
filter OUTSIDE of SpamAssassin is screwing up. Look there.
{^_^}



Re: Sudden spam volume decrease?

2005-01-14 Thread jdow
From: "John Wilcock" <[EMAIL PROTECTED]>

> Menno van Bennekom wrote:
> > Spam is about normal here, but the number of viruses caught is one tenth
> > of the normal amount the last days. I double-checked amavisd/clamav but
> > everything is working normal, it must be the silence before the storm..
>
> I've seen a slight decrease in spam (down about 10%) since Xmas but,
> like you, hardly any viruses for the last few days. First the number of
> Sober.J's tailed off at the weekend, and now there's just the occasional
> solitary Bagle or Netsky.
>
> Is this a coincidence, or should we be battening down the hatches...?
>
> John.

Hm, this was a one day drop from 250 to 300 spams per day down to only
140 or so. I was astonished. Today looks like it might be back up to
"normal", sigh.

{^_^}




Re: Begginer Spam getting through

2005-01-14 Thread Thomas Arend

On Friday, 14 January 2005 18:52, [EMAIL PROTECTED] wrote:
> Hello,
>
> I have two mailservers one running amavis +  spamassasin 2.x and the other
> running spamassasin 3 as a filter from maildrop. The maildrop+ spamassim
> 3.x let more spam get through then spamassasin 3.x, i believe it is some

^-- do you mean 2.x??
> configuration but I always used spamassasin in default options. So I have
> no idea where to start looking. Some directions would be very nice.

What about Bayes and Network rules.

Could you be more precise with the version numbers?

Thomas

>
>
> Angelo
>
[..]

-- 
icq:133073900
http://www.t-arend.de


Re: Sudden spam volume decrease?

2005-01-14 Thread Bart Schaefer
On Fri, 14 Jan 2005 10:36:25 -0800, Bart Schaefer
<[EMAIL PROTECTED]> wrote:
> > Menno van Bennekom wrote:

Sorry, that was mis-attributed.  I meant to trim that line.


Re: Sudden spam volume decrease?

2005-01-14 Thread Bart Schaefer
> Menno van Bennekom wrote:
> 
> like you, hardly any viruses for the last few days. First the number of
> Sober.J's tailed off at the weekend, and now there's just the occasional
> solitary Bagle or Netsky.
> 
> Is this a coincidence, or should we be battening down the hatches...?

Microsoft released a security update last week that includes a program
to (pardon the pun) wash your Windows clean of certain viruses.  I
don't have the reference handy, but I read the notice in the Windows
Update details when updating one of the PCs at the office.


Re: Spam getting through

2005-01-14 Thread Joe Zitnik
Thomas,
We use a program called Guinevere, that works with Novell GroupWise
systems to filter the e-mail after it has passed through SA.  All of the
suggestions I have received seem to point to the fact that this may be
where the error lies.  I appreciate all the suggestions by the group.

>>> Thomas Arend <[EMAIL PROTECTED]> 01/14 11:00 AM >>>

On Friday, 14 January 2005 13:04, Loren Wilton wrote:
> Well, it obviously was scored correctly, and showed at least some headers
> indicating this.  So SA must be doing its job.
>
> Since SA isn't in charge of deciding what to DO with the mail once it is
> scored, the problem must lie in some other part of your system.
>
> The only possibility I can think of offhand (and I don't have your
> original posting left to check) might be that the original mail didn't have
> a Subject, in which case 3.0.1 and 3.0 would not have done subject markup.
> So if you were filtering on subject, then it would probably have made it
> through.

His original message had a subject:
Subject: ***Spam*** i just cheated on my boyfriend

and a

X-Spam-Prev-Subject: i just cheated on my boyfriend

never noticed this on my spam but I include the message in an appendix not in
the text.


All messages are passed back. So to redirect mails to other destinations than
the original recipient is a task of the Mail-transport and not a task of
SpamAssassin.

So what we need to know is the rule to filter mails after spam-checking.


Thomas
 
> Loren

-- 
icq:133073900
http://www.t-arend.de


Re: Spam getting through

2005-01-14 Thread Joe Zitnik
Keith,
I think you may have seen too many Oliver Stone movies, or perhaps
gotten too wrapped up in the X-Files.  Are you somehow involved in the
paranormal?  All this talk of secretiveness and psychics might be better
suited to the alt.psycho.babble newsgroup.  The "entire process" that I
was speaking about not posting to the group is how I filter through my
archives to remove spam e-mails and other filtered e-mails from my
overall archives to only have the mail that made it through to the
users.  That part has nothing to do with spamassassin, and therefore
does not belong here. There was nothing secretive about it. I've
received several helpful suggestions from other members of the group,
with none of the sarcasm or paranoia associated with yours, who
obviously had no problems understanding the question I was asking.

>>> Keith Whyte <[EMAIL PROTECTED]> 01/14 11:47 AM >>>
Joe Zitnik wrote:

>Keith,
>Why would you need to be psychic?
>  
>
>
Sorry, my way of saying that I didn't think you gave us enough 
information with your request for help.

Did you post the mail that you passed through spam assassin manually, or
the one that made it through?
Did you try passing the mail manually through SA as the user your MTA 
filtering runs as?
At what point in your system is the decision made to discard or deliver
mail into the users mailbox?

>I won't go through my entire
>process, 
>
I fear the problem lies in the configuration you are being secretive about.

k.





False positive in 70_sare_header0

2005-01-14 Thread Christoph Moench-Tegeder
Hi,

in 70_sare_header0.cf rule SARE_RECV_SPAM_DOMN0a, mediaways.net
is listed as an "apparent spammer domain".
Telefonica Germany uses mediaways.net for their dial-ups
(they are a large ISP in Germany, specialized in
business customers and carrier services).

Regards,
Christoph

-- 
Spare Space


RE: Spam getting through

2005-01-14 Thread Gary Funck

The usual suggestions that come up at this point, are:

1) If you're using spamc/spamd, don't forget to restart spamd so
   that it will reload your new rule.

2) If you're running SA directly from a milter, or some such, make
   sure that SA is started up in a way that it will find the new rule.
   You might want to add some debugging info. to your mail log. You'll
   also need to tell your milter to reload SA, if it caches SA instances.

3) If you're making the decision that a particular e-mail is spam,
   at delivery time, via a mail filter like procmail, make sure that
   the script works properly.  Add some logging info. to debug it.




Re: empty body

2005-01-14 Thread Stuart Johnston
__MIME_ATTACHMENT, I believe, requires a new feature not in 3.0.2 so you 
won't be able to simply drop in this rule.  The problem is that without 
that rule, you'll match messages with an attachment but no other body text.

One option is to combine the empty message rule with a no To rule which 
should give you a pretty low FP rate.  This is what the SARE rules do: 
http://www.rulesemporium.com/rules/70_sare_html.cf - search for 
SARE_HTML_NO_BODY.  (Why are they under html?)

Stuart Johnston

Ingo Reinhart wrote:
> Hi!
> Ok, the idea is great but doesn't work for me.
>
> # __MIME_ATTACHMENT defined in 20_html_tests.cf
> body __NONEMPTY_BODY  /\S/
> meta EMPTY_MESSAGE  !__MIME_ATTACHMENT && !__NONEMPTY_BODY
> describe EMPTY_MESSAGE  Message appears to be empty with no Subject: text
> score EMPTY_MESSAGE 2
>
> Any hints?
> Ingo
>
> ----- Original Message -----
> From: "Matt Kettler" <[EMAIL PROTECTED]>
> To: "Ingo Reinhart" <[EMAIL PROTECTED]>; 
> Sent: Thursday, January 13, 2005 6:30 PM
> Subject: Re: empty body
>
> At 06:27 AM 1/13/2005, Ingo Reinhart wrote:
> > Hello!
> > How can I test for an empty Mailbody?
> > Any existing rule?
> > Best Regards,
> > Ingo
>
> Grab the latest SVN image from the downloads page and look at 
> EMPTY_MESSAGE.






Re: Matching Envelope Recipient

2005-01-14 Thread John Beck
Keith> Would you also have any insight on my other question, which is "Can
Keith> I access the Envelope Recipients in SA, called from Mimedefang"?

Sorry, I have only limited experience with milter (assuming you're even
using that), and almost none with mimedefang.  Good luck!

-- John


Re: Matching Envelope Recipient

2005-01-14 Thread Keith Whyte
John Beck wrote:
> * u: the SMTP envelope recipient(s), but (and this is the key to your
> question) if there is more than one recipient, this macro is unset to
> protect the privacy of all recipients (e.g., so if the sender blind
> copied anyone, that the others would not be able to determine this)
> (unset in your example)


Wow John, thanks for your super detailed reply.
Now I remember reading that years ago.
Would you also have any insight on my other question, which is "Can I 
access the Envelope Recipients in SA, called from Mimedefang"?

I'm trying to set up some really specific rules for mail addresses to 
the majordomo list control address, as I'm being plagued by MJD bouncing 
messages with bad command. Of course these bounces just bounce.. 
and I'm not happy having my system bouncing spam.
Thing is, much mail is coming in without Majordomo in the To: or Cc:, 
but specified as RCPT TO:
maybe the only answer is mimedefang's stream_by_recipient()

Thanks!,
Keith.


Begginer Spam getting through

2005-01-14 Thread cron
Hello,
I have two mailservers, one running amavis + SpamAssassin 2.x and the other 
running SpamAssassin 3 as a filter from maildrop. The maildrop + SpamAssassin 3.x 
lets more spam get through than SpamAssassin 3.x. I believe it is some 
configuration, but I always used SpamAssassin with default options. So I have no 
idea where to start looking. Some directions would be very nice.

Angelo
----- Original Message -----
From: "Keith Whyte" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 14, 2005 1:47 PM
Subject: Re: Spam getting through


Joe Zitnik wrote:
> Keith,
> Why would you need to be psychic?

Sorry, my way of saying that I didn't think you gave us enough information 
with your request for help.

Did you post the mail that you passed through spam assassin manually, or 
the one that made it through?
Did you try passing the mail manually through SA as the user your MTA 
filtering runs as?
At what point in your system is the decision made to discard or deliver 
mail into the users mailbox?

> I won't go through my entire
> process,

I fear the problem lies in the configuration you are being secretive 
about.

k.





Re: THANKS - Re: AWL problem??

2005-01-14 Thread Chris Thielen
Hi Chris,
Chris Thielen wrote:
John Fleming wrote:
Bayes in the current version will not autolearn against itself (will
not auto-learn as ham something it thought was spam, or v.v.) -- it
might be a good enhancement to also have bayes look at AWL if active,
and if AWL disagrees with the auto-learn judgment, then do not
auto-learn.
Looking at http://bugzilla.spamassassin.org/show_bug.cgi?id=3418,

Thanks Bob and Matt and others for the education.  SA never ceases to 
amaze me with its intelligence.  I should've mentioned that I'm 
using v2.64, patiently awaiting 3+ to enter Debian testing (Sarge).  
- John

I wouldn't hold my breath.  Since sarge is in release mode, you will 
probably have better luck finding a backport.  I should also mention 
that I'm using sarge and am still on 2.60-2!

Open slot "mouth".  Insert tab "foot".
Look what came across the wire today:
[EMAIL PROTECTED]:~$ apt-cache policy spamassassin
spamassassin:
 Installed: 1:2.60-2
 Candidate: 1:2.60-2
 Version Table:
*** 1:2.60-2 0
   100 /var/lib/dpkg/status
3.0.2-1 0
   900 http://http.us.debian.org sarge/main Packages
   600 http://http.us.debian.org unstable/main Packages
Thanks Duncan?





Re: Spam getting through

2005-01-14 Thread Keith Whyte
Joe Zitnik wrote:
> Keith,
> Why would you need to be psychic?

Sorry, my way of saying that I didn't think you gave us enough 
information with your request for help.

Did you post the mail that you passed through spam assassin manually, or 
the one that made it through?
Did you try passing the mail manually through SA as the user your MTA 
filtering runs as?
At what point in your system is the decision made to discard or deliver 
mail into the users mailbox?

> I won't go through my entire
> process, 

I fear the problem lies in the configuration you are being secretive about.
k.



Re: Spam getting through

2005-01-14 Thread Jeff Chan
Please note that if you upgraded from 3.0.0 to 3.0.1 or 3.0.2,
the uridnsbl rules changed from type "header" to type "body".
If the rules are not similarly updated, they will not trigger.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Spam getting through

2005-01-14 Thread Thomas Arend

On Friday, 14 January 2005 13:04, Loren Wilton wrote:
> Well, it obviously was scored correctly, and showed at least some headers
> indicating this.  So SA must be doing its job.
>
> Since SA isn't in charge of deciding what to DO with the mail once it is
> scored, the problem must lie in some other part of your system.
>
> The only possibility I can think of offhand (and I don't have your
> original posting left to check) might be that the original mail didn't have
> a Subject, in which case 3.0.1 and 3.0 would not have done subject markup. 
> So if you were filtering on subject, then it would probably have made it
> through.

His original message had a subject:
Subject: ***Spam*** i just cheated on my boyfriend

and a 

X-Spam-Prev-Subject: i just cheated on my boyfriend

never noticed this on my spam but I include the message in an appendix not in 
the text.


All messages are passed back. So to redirect mails to other destinations than 
the original recipient is a task of the Mail-transport and not a task of 
SpamAssassin. 

So what we need to know is the rule to filter mails after spam-checking.


Thomas
 
> Loren

-- 
icq:133073900
http://www.t-arend.de


Re: Matching Envelope Recipient

2005-01-14 Thread John Beck
Keith> Below are headers from spam I received.  Why is the envelope recipient
Keith> not in the received header??? i changed the To: user's email to xx
Keith> for privacy, but this mail also arrived into a mailbox which was not
Keith> the mailbox in the To: header.

Keith> Received: from ghettofabulous.ca ([222.64.180.23])
Keith>  by tricks.tbmc.ie (8.12.11/8.12.11) with SMTP id j0E00kJZ024303;
Keith>  Fri, 14 Jan 2005 00:00:49 GMT

Short answer: because there was more than one local recipient.

Long answer: the default Received header for sendmail 8.12.11 is thus:

Received: $?sfrom $s $.$?_($?s$|from $.$_)
$.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)
$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}
(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})$.$?u
for $u; $|;
$.$b

Since neither SMTP AUTH nor TLS are in play here, let's simplify that:

Received: $?sfrom $s $.$?_($?s$|from $.$_)
$.by $j ($v/$Z)$?r with $r$. id $i
$?u
for $u; $|;
$.$b

Now, the $?x ... $| ... $. syntax is sendmail.cf's baroque way of saying
if macro x is set then ... else ... endif, and likewise $?x ... $. means
if macro x is set then ... endif, and the macros in play here are:

* s: the name the SMTP client claimed in its HELO/EHLO greeting: in your
 above example, this is "ghettofabulous.ca"
* _: the actual IP address of the SMTP client (inside square brackets),
 and, if it reversed-mapped to anything, the name it reverse-mapped
 to ("[222.64.180.23]" in your example)
* j: the fully qualified host name of the SMTP server ("tricks.tbmc.ie")
* v: the sendmail binary version ("8.12.11")
* Z: the sendmail.cf version ("8.12.11")
* r: the protocol used, usually "SMTP" or "ESMTP" ("SMTP")
* i: the queue ID ("j0E00kJZ024303")
* u: the SMTP envelope recipient(s), but (and this is the key to your
 question) if there is more than one recipient, this macro is unset to
 protect the privacy of all recipients (e.g., so if the sender blind
 copied anyone, that the others would not be able to determine this)
 (unset in your example)
* b: the current date & time in RFC 2822 format
 ("Fri, 14 Jan 2005 00:00:49 GMT")

HTH,
-- John
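
The conditional syntax John describes, as an added example that is not part of the original message: a small Python expander for `$x`, `${name}`, `$?x ... $| ... $.` applied to the template quoted above with the macro values from Keith's header. The function names and the `example.test` recipients are constructed for illustration; treating an empty value as "unset" and clearing `u` for more than one recipient model the behaviour as the message describes it.

```python
import re

# Default sendmail 8.12.11 Received: template as quoted in the message above
# (the mail-wrapped "(version=... verify=...)" line is rejoined).
TEMPLATE = "\n".join([
    "Received: $?sfrom $s $.$?_($?s$|from $.$_)",
    "$.$?{auth_type}(authenticated$?{auth_ssf} bits=${auth_ssf}$.)",
    "$.by $j ($v/$Z)$?r with $r$. id $i$?{tls_version}",
    "(version=${tls_version} cipher=${cipher} bits=${cipher_bits} verify=${verify})$.$?u",
    "for $u; $|;",
    "$.$b",
])

# Macro values taken from the Received: header Keith posted.
KEITH_MACROS = {
    "s": "ghettofabulous.ca",
    "_": "[222.64.180.23]",
    "j": "tricks.tbmc.ie",
    "v": "8.12.11",
    "Z": "8.12.11",
    "r": "SMTP",
    "i": "j0E00kJZ024303",
    "b": "Fri, 14 Jan 2005 00:00:49 GMT",
}

# Groups: 1/2 = "$?{name}" / "$?x", 3 = "$|", 4 = "$.", 5/6 = "${name}" / "$x"
TOKEN = re.compile(r"\$(?:\?(?:\{(\w+)\}|(.))|(\|)|(\.)|\{(\w+)\}|(.))", re.S)


def expand(template, macros):
    """Expand macros and (possibly nested) $?x ... $| ... $. conditionals."""
    out = []
    stack = []  # one [macro_is_set, inside_else_branch] frame per open $?x

    def emitting():
        # A frame emits its "then" part when the macro is set and its
        # "else" part when it is not; every enclosing frame must agree.
        return all(is_set != in_else for is_set, in_else in stack)

    pos = 0
    for m in TOKEN.finditer(template):
        if emitting():
            out.append(template[pos:m.start()])
        pos = m.end()
        if_long, if_short, is_else, is_end, long_name, short_name = m.groups()
        if if_long or if_short:
            # Assumption: a missing or empty value counts as "unset".
            stack.append([bool(macros.get(if_long or if_short)), False])
        elif is_else or is_end:
            if not stack:
                raise ValueError("$| or $. without a matching $?")
            if is_else:
                stack[-1][1] = True
            else:
                stack.pop()
        elif emitting():
            out.append(macros.get(long_name or short_name, ""))
    if stack:
        raise ValueError("unterminated $? conditional")
    out.append(template[pos:])
    return "".join(out)


def received_header(base_macros, recipients):
    """Render the header; $u is only set for exactly one envelope recipient."""
    macros = dict(base_macros)
    if len(recipients) == 1:
        macros["u"] = recipients[0]
    # Collapse the continuation-line whitespace for easy comparison.
    return " ".join(expand(TEMPLATE, macros).split())


if __name__ == "__main__":
    # Constructed recipients; two of them reproduces Keith's header (no "for").
    print(received_header(KEITH_MACROS, ["<a@example.test>", "<b@example.test>"]))
    print(received_header(KEITH_MACROS, ["<a@example.test>"]))
```
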


Re: empty body

2005-01-14 Thread Ingo Reinhart
Hi!
Ok, the idea is great but doesn't work for me.

# __MIME_ATTACHMENT defined in 20_html_tests.cf
body __NONEMPTY_BODY  /\S/
meta EMPTY_MESSAGE  !__MIME_ATTACHMENT && !__NONEMPTY_BODY
describe EMPTY_MESSAGE  Message appears to be empty with no Subject: text
score EMPTY_MESSAGE 2

Any hints?
Ingo

----- Original Message -----
From: "Matt Kettler" <[EMAIL PROTECTED]>
To: "Ingo Reinhart" <[EMAIL PROTECTED]>; 
Sent: Thursday, January 13, 2005 6:30 PM
Subject: Re: empty body


At 06:27 AM 1/13/2005, Ingo Reinhart wrote:
> Hello!
> How can I test for an empty Mailbody?
> Any existing rule?
> Best Regards,
> Ingo

Grab the latest SVN image from the downloads page and look at 
EMPTY_MESSAGE.





Re: Spam getting through

2005-01-14 Thread Joe Zitnik
Thank you.  I thought I remembered earlier posts where people listed
problems like "some e-mail were not being checked" or "every other
e-mail was being skipped", and I was wondering if I might be
experiencing some of that.

>>> "Loren Wilton" <[EMAIL PROTECTED]> 01/14 7:04 AM >>>
Well, it obviously was scored correctly, and showed at least some headers
indicating this.  So SA must be doing its job.

Since SA isn't in charge of deciding what to DO with the mail once it is
scored, the problem must lie in some other part of your system.

The only possibility I can think of offhand (and I don't have your original
posting left to check) might be that the original mail didn't have a
Subject, in which case 3.0.1 and 3.0 would not have done subject markup.  So
if you were filtering on subject, then it would probably have made it
through.

Loren



Re: Spam getting through

2005-01-14 Thread Loren Wilton
Well, it obviously was scored correctly, and showed at least some headers
indicating this.  So SA must be doing its job.

Since SA isn't in charge of deciding what to DO with the mail once it is
scored, the problem must lie in some other part of your system.

The only possibility I can think of offhand (and I don't have your original
posting left to check) might be that the original mail didn't have a
Subject, in which case 3.0.1 and 3.0 would not have done subject markup.  So
if you were filtering on subject, then it would probably have made it
through.

Loren
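
The failure mode Loren describes, as an added example that is not part of the thread: a delivery-stage filter that keys on the rewritten Subject misses scored spam that carries no subject markup, while one that reads `X-Spam-Status` does not. The sample messages and function names are constructed; the `***Spam***` tag, the `MY_CAPABLE` rule and the 4-point threshold follow the thread, and the parser accepts both the 3.x `score=` and the 2.6x `hits=` form of the header.

```python
import email
import re

# Constructed sample messages as they might look after SpamAssassin scored them.
SAMPLES = {
    "tagged": (
        "Subject: ***Spam*** constructed subject\n"
        "X-Spam-Flag: YES\n"
        "X-Spam-Status: Yes, score=14.0 required=4.0 tests=MY_CAPABLE\n"
        "\nbody\n"
    ),
    # No Subject header at all: per the message above, 3.0/3.0.1 add no markup.
    "no_subject": (
        "From: sender@example.test\n"
        "X-Spam-Flag: YES\n"
        "X-Spam-Status: Yes, score=14.0 required=4.0\n"
        "\ttests=MY_CAPABLE\n"
        "\nbody\n"
    ),
    # 2.6x header format, subject rewriting not enabled.
    "old_format": (
        "Subject: constructed subject\n"
        "X-Spam-Status: Yes, hits=14.0 required=4.0 tests=MY_CAPABLE\n"
        "\nbody\n"
    ),
    "ham": (
        "Subject: constructed subject\n"
        "X-Spam-Status: No, score=0.3 required=4.0 tests=none\n"
        "\nbody\n"
    ),
    # Never passed through SpamAssassin: no X-Spam-* headers.
    "unscanned": "Subject: constructed subject\n\nbody\n",
}

STATUS_RE = re.compile(
    r"^\s*(yes|no)\s*,\s*(?:score|hits)=(-?\d+(?:\.\d+)?)"
    r"\s+required=(-?\d+(?:\.\d+)?)",
    re.IGNORECASE,
)


def verdict_from_subject(msg, tag="***Spam***"):
    """What a Subject-based delivery rule sees: True only if the tag is present."""
    return (msg.get("Subject") or "").lstrip().startswith(tag)


def verdict_from_status(msg):
    """True/False from X-Spam-Status; None if the header is absent or unparsable."""
    raw = msg.get("X-Spam-Status")
    if raw is None:
        return None
    m = STATUS_RE.match(str(raw))
    if not m:
        return None
    flagged = m.group(1).lower() == "yes"
    score, required = float(m.group(2)), float(m.group(3))
    return flagged or score >= required


def audit(samples):
    """Map sample name -> (subject verdict, status verdict)."""
    result = {}
    for name, text in samples.items():
        msg = email.message_from_string(text)
        result[name] = (verdict_from_subject(msg), verdict_from_status(msg))
    return result


def slipped_past_subject_filter(samples):
    """Scored as spam, yet a Subject-tag rule would deliver them."""
    return sorted(n for n, (subj, status) in audit(samples).items()
                  if status and not subj)


def never_scanned(samples):
    """Messages that reached the delivery stage without being scored."""
    return sorted(n for n, (_, status) in audit(samples).items() if status is None)


if __name__ == "__main__":
    for name, verdicts in audit(SAMPLES).items():
        print(f"{name:12} subject={verdicts[0]!s:5} status={verdicts[1]}")
    print("missed by subject rule:", slipped_past_subject_filter(SAMPLES))
    print("never scanned:", never_scanned(SAMPLES))
```
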



Re: Spam getting through

2005-01-14 Thread Joe Zitnik
Keith,
Why would you need to be psychic?

1.  My e-mail shows the NAME of my rule - MY_CAPABLE
2.  My e-mail shows the MY_CAPABLE rule worked, adding 11 points to the
score
3.  My e-mail shows my threshold is 4 points, and the e-mail scored
14.
4.  I stated this was from an e-mail that made it through.

I was not asking for rule debugging, since the rule obviously worked
and works on other e-mail, as it shows in the scoring of the e-mail when
fed through manually.  What I was looking for was possible reasons
e-mail that was over my threshold might be making it through.  I hope
that clarifies.

>>> Keith Whyte <[EMAIL PROTECTED]> 01/14 2:56 AM >>>
Joe Zitnik wrote:

>some of these e-mails are
>getting caught by my rule and some aren't.  When I run the ones that are
>getting past through spamassassin manually, they hit my rule as well and
>are above my spam threshold.  So why do they make it past?
>  
>
Joe, how can you possibly ask that question without also sending your 
rule and an example of a mail that got past your rule
we are not psychic!!

Keith.



Re: empty body

2005-01-14 Thread Ingo Reinhart
Hello!

> Grab the latest SVN image from the downloads page and look at 
> EMPTY_MESSAGE.

Thanks, but ...
I can't  open http://cvs.apache.org/snapshots/spamassassin .
Is there another location available?
Best Regards,
Ingo

----- Original Message -----
From: "Matt Kettler" <[EMAIL PROTECTED]>
To: "Ingo Reinhart" <[EMAIL PROTECTED]>; 
Sent: Thursday, January 13, 2005 6:30 PM
Subject: Re: empty body


At 06:27 AM 1/13/2005, Ingo Reinhart wrote:
> Hello!
> How can I test for an empty Mailbody?
> Any existing rule?
> Best Regards,
> Ingo

Grab the latest SVN image from the downloads page and look at 
EMPTY_MESSAGE.





Re: Spam getting through

2005-01-14 Thread Joe Zitnik
Thomas,
That was a mail that made it through.  I won't go through my entire
process, but I archive every mail that comes in to our system, and when
I'm done, I have every e-mail that made it through to the user's desk. 
I have specific rules set up and was wondering why mail that I knew
should have been caught, was making it past.  I took one of these mails,
the one I sent in my letter to the group, fed it through SA manually,
and it confirmed my suspicions.  That was the point.  Why is it making
it past if it is obviously marked as spam?

>>> Thomas Arend <[EMAIL PROTECTED]> 01/13 3:21 PM >>>

On Thursday, 13 January 2005 12:47, Joe Zitnik wrote:
> We've been having a group of the same type of e-mails making it through
> spamassassin.  These are the e-mails that have the "get a capable html
> e-mailer" line in them.  I have yet to see any legitimate e-mail with
> that line, so I made a custom rule to score 11 points for that slogan.
> I have also fed hundreds of different e-mails with that line in to my
> bayes database,  and yet I'm still seeing a lot of e-mails with that
> line making it through, so I fed one of the e-mails through manually and
> the relevant output is below.  The MY_CAPABLE rule is the custom rule
> for these types of e-mail, it is adding the points, but a great many of
> these are still making it through.  I know I saw other posts where
> people were saying spam was making it past or only every other e-mail
> was being checked, and I'm wondering why e-mails like these are slipping
> past.

I used my magic eye to find your rule. No joy.

The example you presented seems to be correctly marked as spam.

A message which passes your SA would be helpful. Also the rule.

Regards

Thomas
 
[..]

-- 
icq:133073900
http://www.t-arend.de


Re: bayes?!

2005-01-14 Thread kalin mintchev
would it help if build new dbs?
and use those to check if the debug will see the toks?
would that affect the sa learning process somehow?


>
>> sa-learn --dbpath /var/spamdb/bayes --dump magic
>
> i get this:
>
> 0.000  0  3  0  non-token data: bayes db version
> 0.000  0   2852  0  non-token data: nspam
> 0.000  0   2515  0  non-token data: nham
> 0.000  0 116330  0  non-token data: ntokens
> 0.000  0 1104894403  0  non-token data: oldest atime
> 0.000  0 1105570140  0  non-token data: newest atime
> 0.000  0  0  0  non-token data: last journal sync atime
> 0.000  0 1105571295  0  non-token data: last expiry atime
> 0.000  0 581418  0  non-token data: last expire atime delta
> 0.000  0  46098  0  non-token data: last expire reduction count
>
>> what are the file sizes?  are the files writable/readable by the
>> appropriate users?
>
> -rw-r-   1 root  vchkpw   688128 Jan 12 18:08 bayes_seen
> -rw-r-   1 root  vchkpw  2146304 Jan 12 18:08 bayes_toks
>
>
>> debug: URIDNSBL: domain "svbrseprs.com" listed (URIBL_SBL):
>> "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL9959";
>> debug: URIDNSBL: query for svbrseprs.com took 3 seconds to look up
>> (sbl.spamhaus.org.:2.208.178.207)
>> debug: URIDNSBL: domain "svbrseprs.com" listed (URIBL_SBL):
>> "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL21893";
>> debug: URIDNSBL: domain "svbrseprs.com" listed (URIBL_SBL):
>> "http://www.spamhaus.org/SBL/sbl.lasso?query=SBL13495";
>> debug: URIDNSBL: query for svbrseprs.com took 3 seconds to look up
>> (sbl.spamhaus.org.:2.199.36.69)
>
> none of that in the debug...
>
> i tried a few other undetected spam messages. same result. all of them
> have uris in them like:
> http://xgnuk.arms2nemesis.com/?TTlsSwFFf0pW6GC
> http://uyg.rxpharmagroup.com/track.asp?c=gi&cg=gi
> or have attachments
>
>
> thanks...
>
>>
>>
>>
>
>
> --
>
>


-- 




Re: Sudden spam volume decrease?

2005-01-14 Thread John Wilcock
Menno van Bennekom wrote:
> Spam is about normal here, but the number of viruses caught is one tenth
> of the normal amount the last days. I double-checked amavisd/clamav but
> everything is working normal, it must be the silence before the storm..

I've seen a slight decrease in spam (down about 10%) since Xmas but, 
like you, hardly any viruses for the last few days. First the number of 
Sober.J's tailed off at the weekend, and now there's just the occasional 
solitary Bagle or Netsky.

Is this a coincidence, or should we be battening down the hatches...?

John.
--
-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr


Re: Sudden spam volume decrease?

2005-01-14 Thread Menno van Bennekom
> In spite of a batch of really badly malformed mails from telepac.pt
> I note that my spam volume for the last 22 hours is little more than
> half normal. What happened? Can we make it happen more often?
> {O.O}   Joanne, properly astonished.
Spam is about normal here, but the number of viruses caught is one tenth
of the normal amount the last days. I double-checked amavisd/clamav but
everything is working normally, it must be the silence before the storm..

Menno, a little worried at first.



Re: Sudden spam volume decrease?

2005-01-14 Thread Martin Hepworth
Joanne
slightly up on pre-Christmas levels for me. Was running around 2,000 per 
work day now back to 2,500 yesterday which is just over the Pre Jan 
levels of around 2,400 per day.

I also note a large increase in phishing emails and the malware traffic 
is back up to normal after an extended Christmas break.

(NB this is only for valid email addresses as I 550 reject non-existent
addresses at the gateway).

Looks like the bad email guys took a long holiday break!
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

jdow wrote:
> In spite of a batch of really badly malformed mails from telepac.pt
> I note that my spam volume for the last 22 hours is little more than
> half normal. What happened? Can we make it happen more often?
> {O.O}   Joanne, properly astonished.


Sudden spam volume decrease?

2005-01-14 Thread jdow
In spite of a batch of really badly malformed mails from telepac.pt
I note that my spam volume for the last 22 hours is little more than
half normal. What happened? Can we make it happen more often?

{O.O}   Joanne, properly astonished.



Re: Spam getting through

2005-01-14 Thread jdow
Of course, that's not universally true, Keith. Someone is flooding the
Internet with email messages so bogus fetchmail spits up on it. I had to
telnet into the Earthlink server and manually delete the message.
8<
list
+OK
1 475
.
retr 1
+OK 475 octets
Status:  U
Return-Path: <[EMAIL PROTECTED]>
Received: from adslsapo-b4-9-210.telepac.pt ([81.193.9.210])
by mx-a065b05.pas.sa.earthlink.net (EarthLink SMTP Server) with SMTP
id 1cPnx42wr3NZFpL0
Fri, 14 Jan 2005 01:14:07 -0800 (PST)
Received: from [EMAIL PROTECTED] ([81.193.9.210]) by
iq1[1
From: <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Date: Fri, 14 Jan 2005 01:14:07 -0800 (PST)

.
8<
That is the ENTIRE extent of what was on the Earthlink server.

Oy! A new DOS attack

{^_^}

----- Original Message -----
From: "Keith Whyte" <[EMAIL PROTECTED]>


> Joe Zitnik wrote:
>
> >some of these e-mails are
> >getting caught by my rule and some aren't.  When I run the ones that are
> >getting past through spamassassin manually, they hit my rule as well and
> >are above my spam threshold.  So why do they make it past?
> >
> >
> Joe, how can you possibly ask that question without also sending your
> rule and an example of a mail that got past your rule
> we are not psychic!!
>
> Keith.




Re: Spam getting through

2005-01-14 Thread Daniel Quinlan
Joe Zitnik:

>> We've been having a group of the same type of e-mails making it through
>> spamassassin.  These are the e-mails that have the "get a capable html
>> e-mailer" line in them. [...]

Thomas Arend <[EMAIL PROTECTED]> writes:

> I used my magic eye to find your rule. No joy. [...]

I wrote a wider rule a week or two ago now in the development tree.  I
try to read users occasionally to find new rule ideas, but it's hard for
me to keep up... folks, feel free to submit new rules like this one --
which is a great rule, good catch.

--- start of cut text --
body __RUDE_HTML_1  /Get a capable html e-mailer/i
body __RUDE_HTML_2  /not support the display of HTML. Please view this message in a different/i
body __RUDE_HTML_3  /This message contains an HTML formatted message but your email client does/i
body __RUDE_HTML_4  /Your mailer do not support HTML messages. Switch to a better mailer/i
meta RUDE_HTML  __RUDE_HTML_1 || __RUDE_HTML_2 || __RUDE_HTML_3 || __RUDE_HTML_4
describe RUDE_HTML  Spammer message says you need an HTML mailer
--- end 

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/
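
Added example, not part of the post above and not SpamAssassin's own code: a small Python harness that parses the posted rule lines, rejects a line that mail wrapping has cut in two, and evaluates the body and meta rules against constructed sample bodies. Python's re stands in for Perl regexes, collapsing whitespace is a simplification of how body rules see text, and parse_rules, eval_meta, evaluate and CONSTRUCTED_SAMPLES are hypothetical names introduced here.

```python
import re
# Rule text from the post above, with each rule on a single line.
RULES = r"""
body __RUDE_HTML_1  /Get a capable html e-mailer/i
body __RUDE_HTML_2  /not support the display of HTML. Please view this message in a different/i
body __RUDE_HTML_3  /This message contains an HTML formatted message but your email client does/i
body __RUDE_HTML_4  /Your mailer do not support HTML messages. Switch to a better mailer/i
meta RUDE_HTML  __RUDE_HTML_1 || __RUDE_HTML_2 || __RUDE_HTML_3 || __RUDE_HTML_4
describe RUDE_HTML  Spammer message says you need an HTML mailer
"""

BODY_RE = re.compile(r"^body\s+(\w+)\s+/(.*)/(i?)$")
META_RE = re.compile(r"^meta\s+(\w+)\s+(.+)$")

def parse_rules(text):
    """Return (body_rules, meta_rules); reject any line that is not a whole rule."""
    bodies, metas = {}, {}
    for n, line in enumerate(text.strip().splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(("#", "describe ")):
            continue
        if m := BODY_RE.match(line):
            bodies[m[1]] = re.compile(m[2], re.I if m[3] else 0)
        elif m := META_RE.match(line):
            metas[m[1]] = m[2]
        else:  # e.g. a pattern cut in two by mail line wrapping
            raise ValueError(f"line {n} is not a complete rule: {line!r}")
    return bodies, metas

def eval_meta(expr, hits):  # subset: names joined by && and ||, optional leading '!'
    def term(t):
        return not hits[t[1:].strip()] if t.startswith("!") else hits[t]
    return any(all(term(t.strip()) for t in c.split("&&")) for c in expr.split("||"))

def evaluate(text, body):
    """Sorted names of the rules that hit on one message body."""
    bodies, metas = parse_rules(text)
    flat = " ".join(body.split())  # simplification: collapse line breaks first
    hits = {name: bool(rx.search(flat)) for name, rx in bodies.items()}
    for name, expr in metas.items():
        hits[name] = eval_meta(expr, hits)
    return sorted(name for name, hit in hits.items() if hit)

CONSTRUCTED_SAMPLES = {  # made-up bodies, not taken from real mail
    "wrapped": "Your mailer do not support HTML messages.\nSwitch to a better mailer.",
    "upper": "GET A CAPABLE HTML E-MAILER",
    "ham": "Please find the HTML report attached.",
}
print({k: evaluate(RULES, v) for k, v in CONSTRUCTED_SAMPLES.items()})
```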


Re: Matching Envelope Recipient

2005-01-14 Thread Keith Whyte
Maybe somebody could explain this to me (if I'm not too off-topic k)
Below are headers from spam I received.
Why is the envelope recipient not in the received header???
I changed the To: user's email to xx for privacy, but this mail also
arrived into a mailbox which was not the mailbox in the To: header.


From - Thu Jan 13 23:07:56 2005
Return-Path: <[EMAIL PROTECTED]>
Received: from ghettofabulous.ca ([222.64.180.23])
    by tricks.tbmc.ie (8.12.11/8.12.11) with SMTP id j0E00kJZ024303;
    Fri, 14 Jan 2005 00:00:49 GMT
Message-ID: <[EMAIL PROTECTED]>
Date: Thu, 13 Jan 2005 14:22:53 -1000
From: "foster mayfield" <[EMAIL PROTECTED]>
User-Agent: mPOP Web-Mail 2.19
MIME-Version: 1.0
To: "julio cozart" <[EMAIL PROTECTED]>
Subject: Energize your life



Matching Envelope Recipient

2005-01-14 Thread Keith Whyte
Could somebody clarify:
When Spamassassin is called from mimedefang, is it possible to match the 
Envelope Recipient, as in the one presented to THIS MTA, or is it only 
possible to match on the Received: headers (which may contain other 
recipients)?

Thanks,
I can't find an answer to this in any online docs
Keith.


Re: Spam getting through

2005-01-14 Thread Keith Whyte
Joe Zitnik wrote:
> some of these e-mails are
> getting caught by my rule and some aren't.  When I run the ones that are
> getting past through spamassassin manually, they hit my rule as well and
> are above my spam threshold.  So why do they make it past?

Joe, how can you possibly ask that question without also sending your
rule and an example of a mail that got past your rule
we are not psychic!!

Keith.


Re: empty body

2005-01-14 Thread Loren Wilton
> >How can I test for an empty Mailbody?
>
> Grab the latest SVN image from the downloads page and look at EMPTY_MESSAGE.

Or grab some of the SARE rules, which also have a test for this.

Loren



Re: SA List Subject/From Indicators

2005-01-14 Thread Loren Wilton
> > > Another possible solution would be to have the list server add "SA: "
> > > to the beginning of each subject line (when not already there).
> > >
> > > Any thoughts? Suggestions?
> > >
> Also, this got hashed out on this list about 6 months ago.  You can read the
> gory details in the archives.

In short, it's religion we've got.

While a lot of people would like a subject tag, an equal or larger amount
hate the idea.  Either the list software in use is incapable of offering
this as a per-user option, or the camp that hates the idea decided that it
would be evil to allow such an option (I haven't been able to determine
which of those is the case).

In any case, ain't gonna happen.

Loren



Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules

2005-01-14 Thread Loren Wilton
> I have searched around rulesemporium without much success trying to find
> these LOCAL_OBFU_* rules.  I don't suppose you could tell me the
> filename that they occur in could you? (I assume they will be in
> /etc/mail/Spamassassin or wherever your local.cf file is for your
> install).

Sorry for the latish reply, I've been occupied.

It turns out they are in 99_OBFU_drugs.cf.  The file is dated May of last
year, but that is probably when we downloaded it.  The file may have been
far older somewhere on the web.

Doing a little googling, I find at least one version still out on the net,
dated as last updated in March of last year.  It was indeed created with
Chris's obfu rule generator.  At one point it was on the SARE rules page,
but is no longer.  I'm not quite sure why it disappeared, but would guess
the assumption was it was subsumed into antidrug.  Or perhaps it hit too
much ham.

I didn't determine who was the original author of this; but probably someone
remembers, or some more googling would turn it up.

Loren



Re: upgrading methods

2005-01-14 Thread Phil Barnett
On Thursday 13 January 2005 07:19 pm, [EMAIL PROTECTED] wrote:
> Phil Barnett wrote:

> I'm feeling puckish today so I'll say it.
>
> Or even symlink /usr/sbin to /usr/bin (shock, horror) :-)

Gasp, You've gone too far, now... ;-)

-- 

Top ten reasons to procrastinate.
1. 


RE: upgrading methods

2005-01-14 Thread Matthew.van.Eerde
Phil Barnett wrote:
> On Thursday 13 January 2005 03:44 pm, Thomas Arend wrote:
> 
>> Because SuSE stores spamd in /usr/sbin/spamd and the tarball stores
>> it in /usr/bin/spamd the SA does not run.
> 
> You could have put a symlink in /usr/bin
> 
> ln -s /usr/sbin/spamd /usr/bin/spamd

I'm feeling puckish today so I'll say it.

Or even symlink /usr/sbin to /usr/bin (shock, horror) :-)

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"


Re: upgrading methods

2005-01-14 Thread Phil Barnett
On Thursday 13 January 2005 03:44 pm, Thomas Arend wrote:

> Because SuSE stores spamd in /usr/sbin/spamd and the tarball stores it
> in /usr/bin/spamd the SA does not run.

You could have put a symlink in /usr/bin

ln -s /usr/sbin/spamd /usr/bin/spamd

-- 

Top ten reasons to procrastinate.
1.