RE: Bounces
At 06:03 PM 2/10/2005, Jason Bennett wrote:
> I agree wholeheartedly, so I've set all the amavisd rules to D_REJECT, but I still get the "Undeliverable:Undelivered Mail Returned to Sender" bounces. How do I turn these off?

If you're post-queue, you can't use D_REJECT. It's too late. You've got to use D_DISCARD or D_PASS.

Since the message has already been queued, D_REJECT and D_BOUNCE are going to result in the same thing. D_REJECT only works if you filter at delivery time. After all, if you've already accepted the message, you can't go back in time and reject it.
RE: Bounces
I agree wholeheartedly, so I've set all the amavisd rules to D_REJECT, but I still get the "Undeliverable:Undelivered Mail Returned to Sender" bounces. How do I turn these off?

Thanks a lot for the help!

J.

-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 10, 2005 3:52 PM
To: Jason Bennett; users@spamassassin.apache.org
Subject: Re: Bounces

At 05:33 PM 2/10/2005, Jason Bennett wrote:
>2. How can I reduce or even dump the bounces all together so my queue's
>aren't filling up with junk bounces with invalid destinations?

Just don't use bouncing as a spam action at all if you filter after queue. This is just a bad thing to do in general. Even if the destinations are 'valid' they are likely going to some poor shmuck who had his address forged. One thing you can always be sure of is that if a message is spam, the spammer is definitely never going to see the bounce.

I have a policy of outright blacklisting mailservers which send post-delivery bounces for spam filtering. I consider them nothing short of a malicious misconfiguration.

(pre-queue MTA rejections are OK, post-delivery bounces of invalid recipients are sub-optimal but a fact of life, sending a post-delivery spam notice is intentionally attacking innocent bystanders.)
Re: Bounces
At 05:33 PM 2/10/2005, Jason Bennett wrote:
> 2. How can I reduce or even dump the bounces all together so my queue's aren't filling up with junk bounces with invalid destinations?

Just don't use bouncing as a spam action at all if you filter after queue. This is just a bad thing to do in general. Even if the destinations are 'valid' they are likely going to some poor shmuck who had his address forged. One thing you can always be sure of is that if a message is spam, the spammer is definitely never going to see the bounce.

I have a policy of outright blacklisting mailservers which send post-delivery bounces for spam filtering. I consider them nothing short of a malicious misconfiguration.

(pre-queue MTA rejections are OK, post-delivery bounces of invalid recipients are sub-optimal but a fact of life, sending a post-delivery spam notice is intentionally attacking innocent bystanders.)
Re: Configuration Confusion
At 05:39 PM 2/10/2005, Scott Moss wrote:
> Ok this is kind of driving me nutty. I've changed every version of any local.cf file on my machine and SA is still sending with default rules. Is there any way to find out where the current installation is reading the config file from? I've searched all of the machine for any type of rogue local.cf files, even user_prefs isn't working in my home dir's .spamassassin folder. Any ideas?

    spamassassin --lint -D

Should tell you the default rules dir, site rules dir, and the user_prefs dir.
Re: Configuration Confusion
On Fri, Feb 11, 2005 at 08:39:09AM +1000, Scott Moss wrote:
> local.cf file on my machine and SA is still sending with default rules. Is
> there any way to find out where the current installation is reading the
> config file from ? I've searched all of the machine for any type of rogue

When in doubt, -D.

--
Randomly Generated Tagline:
"`Credit?' he said. `Aaaargggh...' These two words are usually coupled together in the Old Pink Dog Bar." - Ford in a spot of bother.
Re: best way to look for Bcc:d mail
At 05:27 PM 2/10/2005, Vicki Brown wrote:
> I want to bump the score if neither the To: nor the Cc: field contains my address. I'm guessing I want something like this:
>
>     header __NOT_TO_ME To !~ /[EMAIL PROTECTED]/
>     header __NOT_CC_ME Cc !~ /vlb~cfcl.com/
>     meta NOT_FOR_ME ( __NOT_TO_ME && __NOT_CC_ME )
>     score NOT_FOR_ME 10
>
> Or should I just try this?
>
>     header NOT_FOR_ME ToCc !~ /([EMAIL PROTECTED]/
>
> I can play with possibilities but I'd love a recommendation from someone who has working code!

I'll warn you to be very cautious about doing EITHER of the above...

In particular, mailing lists will generally hit on this rule. Including this message I'm writing right now. Also some legitimate newsletters, publications, etc will hit this rule.

Not to mention that I get plenty of mail sent by friends announcing they are moving and they bcc it to a large number of people (BCC in the interest of not spreading everyone's email address around to everyone else).

You might try the rule, but clearly 10 points is likely to cause you problems with real-world nonspam mail, some hand sent by people you know well.
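Added example (not part of the original thread): a Python model of the proposed NOT_FOR_ME logic, run over four constructed messages to show how a 10-point score treats list mail and a friend's Bcc'd announcement the same as Bcc'd spam. It compares parsed addresses instead of applying a regex to the header text; me@example.com, the sample messages, the points credited to other rules and the 5.0 threshold are all assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

MY_ADDRESS = "me@example.com"  # placeholder: the real address is redacted on the page
REQUIRED_SCORE = 5.0           # assumed spam threshold

# Constructed samples: name -> (raw message, points assumed from all other rules).
SAMPLES = {
    "direct": (
        "From: friend@example.net\n"
        "To: me@example.com\n"
        "Subject: lunch?\n\nSee you at noon.\n",
        0.3,
    ),
    "mailing_list": (
        "From: poster@example.net\n"
        "To: users@lists.example.org\n"
        "Subject: Re: Bounces\n\nList traffic.\n",
        0.3,
    ),
    "friend_bcc": (
        "From: friend@example.net\n"
        "To: friend@example.net\n"
        "Subject: We are moving\n\nNew address below.\n",
        0.3,
    ),
    "bcc_spam": (
        "From: sender@example.com\n"
        "To: Katydid <nobody@example.org>\n"
        "Subject: hello\n\nBuy now.\n",
        4.2,
    ),
}


def not_for_me(raw, my_address=MY_ADDRESS):
    """True when my_address appears in neither To: nor Cc: (the NOT_FOR_ME idea)."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    addresses = {addr.lower() for _name, addr in getaddresses(fields)}
    return my_address.lower() not in addresses


def classify(samples, rule_score):
    """Return name -> (rule_hit, total_score, is_spam) for a given rule score."""
    out = {}
    for name, (raw, other_points) in samples.items():
        hit = not_for_me(raw)
        total = other_points + (rule_score if hit else 0.0)
        out[name] = (hit, total, total >= REQUIRED_SCORE)
    return out


if __name__ == "__main__":
    for rule_score in (10.0, 1.0):
        print(f"rule score {rule_score}")
        for name, (hit, total, spam) in classify(SAMPLES, rule_score).items():
            print(f"  {name:13s} hit={hit!s:5s} total={total:4.1f} spam={spam}")
```

With the rule at 10 points every message that is not addressed directly is classified as spam; at 1 point the rule only tips the message that other rules already found suspicious.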
Configuration Confusion
Ok this is kind of driving me nutty. I've changed every version of any local.cf file on my machine and SA is still sending with default rules. Is there any way to find out where the current installation is reading the config file from? I've searched all of the machine for any type of rogue local.cf files, even user_prefs isn't working in my home dir's .spamassassin folder. Any ideas?

Regards
Scott

Note: using spamass-milter
Bounces
Sorry if this isn't the right place for this, but I'd thought I'd ask: I'm using postfix, spamassassin and amavisd-new. I'm using the filter after queue method to accept mail and process them afterward - of course, this can generate more bounces than the filter before queue method. Here are my questions: 1. I read that filter after queue is better for larger performing sites. Is this true? 2. How can I reduce or even dump the bounces all together so my queue's aren't filling up with junk bounces with invalid destinations? Any help is greatly appreciated. Cheers, J.
best way to look for Bcc:d mail
I want to set up a High-scoring rule for mail that looks like this :(

    Date: Thu, 10 Feb 2005 17:53:31 +0200
    From: Morris Price <[EMAIL PROTECTED]>
    Subject: Is your daughter a a sick person
    To: Katydid <[EMAIL PROTECTED]>

I'm not in the To: list (the To: is a nonexistent address but that's beside the point here). I'm not in the Cc: list (there are no Cc's). The From is not on my whitelist. Obviously my address is buried in the Bcc:s somewhere.

I want to bump the score if neither the To: nor the Cc: field contains my address. I'm guessing I want something like this:

    header __NOT_TO_ME To !~ /[EMAIL PROTECTED]/
    header __NOT_CC_ME Cc !~ /vlb~cfcl.com/
    meta NOT_FOR_ME ( __NOT_TO_ME && __NOT_CC_ME )
    score NOT_FOR_ME 10

Or should I just try this?

    header NOT_FOR_ME ToCc !~ /([EMAIL PROTECTED]/

I can play with possibilities but I'd love a recommendation from someone who has working code!

--
Vicki Brown
Journeyman Sourceror: Scripts & Philtres
Code, Doc, Process, QA
Perl, Unix, Mac OS X, WWW
SF Bay Area, CA
http://www.cfcl.com
http://cfcl.com/vlb
Re: bayesian filter training
At 05:06 PM 2/10/2005, Matias Lopez Bergero wrote:
> Just a question, It is worth to train the bayes filter with messages already detected and flagged as spam by spamassassin? That would do any good?

Yes. And even if they are already flagged as BAYES_99 it is still worthwhile.

The reason why is that bayes does not learn that a message is spam or not. Bayes learns that a given set of words and tokens were seen in spam. A given spam message might be scored as spam and might already score high on the bayes scale, but it can still contain valuable new words to learn from.

In particular the constant mutations of ways of spelling drug names provides a constant stream of fresh new spam indicators for bayes to learn about. Learning about these helps it identify future spam messages that might not otherwise look very spam-like, and offers you some protection from false negatives caused by spam mutations.

The only time it's not worthwhile is if the message was already learned as spam (ie: by the autolearner), but in that case SA will just ignore you. You're wasting some cpu time, but you won't damage or corrupt anything.
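Added example (not part of the original thread, and not SpamAssassin's code): a small token-based Bayes learner in Python that shows the two points made above: an already high-scoring spam still teaches new tokens, and re-learning a message that was already learned is ignored. It uses a simplified naive log-odds combination with smoothing rather than SpamAssassin's own combining, and every training message is constructed.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed training and test messages (assumptions, not from the thread).
SPAM = ["cheap viagra pills order now", "viagra discount order today"]
HAM = ["meeting agenda for monday attached", "lunch order for the team meeting"]
FLAGGED_SPAM = "cheap viagra v1agra c1alis pills order now"  # already scores high
MUTANT = "v1agra c1alis shipped discreetly"                  # only new spellings


class TokenBayes:
    def __init__(self):
        self.counts = {True: Counter(), False: Counter()}  # is_spam -> token counts
        self.nmsgs = {True: 0, False: 0}                   # is_spam -> messages learned
        self.seen = set()                                  # digests of learned messages

    @staticmethod
    def tokens(text):
        return set(re.findall(r"[a-z0-9]+", text.lower()))

    def learn(self, text, is_spam):
        """Learn the message's tokens; return False if it was already learned."""
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        if digest in self.seen:
            return False
        self.seen.add(digest)
        self.nmsgs[is_spam] += 1
        self.counts[is_spam].update(self.tokens(text))
        return True

    def token_prob(self, tok):
        """Smoothed probability that a message containing tok is spam."""
        n_spam = self.counts[True][tok]
        n_ham = self.counts[False][tok]
        n = n_spam + n_ham
        if n == 0:
            return 0.5  # unseen token carries no evidence either way
        spam_rate = n_spam / max(self.nmsgs[True], 1)
        ham_rate = n_ham / max(self.nmsgs[False], 1)
        raw = spam_rate / (spam_rate + ham_rate)
        return (0.5 + n * raw) / (1 + n)  # pull rare tokens toward 0.5

    def score(self, text):
        """Combine token probabilities as summed log-odds; returns 0..1."""
        logit = 0.0
        for tok in self.tokens(text):
            p = self.token_prob(tok)
            logit += math.log(p) - math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(-logit))


def demo():
    bayes = TokenBayes()
    for text in SPAM:
        bayes.learn(text, True)
    for text in HAM:
        bayes.learn(text, False)
    result = {
        "flagged_before": bayes.score(FLAGGED_SPAM),  # high before any extra training
        "mutant_before": bayes.score(MUTANT),         # no known tokens yet
    }
    result["first_learn"] = bayes.learn(FLAGGED_SPAM, True)
    result["mutant_after"] = bayes.score(MUTANT)      # new spellings now count
    result["relearn"] = bayes.learn(FLAGGED_SPAM, True)
    result["nspam"] = bayes.nmsgs[True]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```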
bayesian filter training
Hi Just a question, It is worth to train the bayes filter with messages already detected and flagged as spam by spamassassin? That would do any good? BR, Matías.
Re: Humor: "The Ultimate Spam Email"
Jonathan Nichols wrote:
> This oughta replace GTUBE!
>
> http://lowendmac.com/lite/05/0210.html

Heh. I spent an afternoon going through SA tests and very carefully assembling a spam that would trip as many tests as possible. I copied headers from a message that tripped all kinds of RBLs, I copied content from some particularly amusing spams, and I invented new content to hit as many rules as possible.

I tested it and it came up with a score over 80, and I hadn't gone over more than about 1/5 of the rules at most...

-kgd
--
Get your mouse off of there! You don't know where that email has been!
RE: Broken Ratware-Setup? May be useful for Rules?
>Hi!
>
>I attach a 'funny' Mail I got bounced from one of our
>Users, because it looks like 'broken/misconfigured Ratware'.
>Maybe somebody can update Rules for such things/structures?
>
>The most interesting point seems to be, that the
>Tool creates three 'Received-Headers' to fool
>'first-hop' IP/Domain checks.

Forwarded to the ninja minions! Spam sushi soon! They love this stuff!!

--Chris
Re: Humor: "The Ultimate Spam Email"
Mike Jackson wrote:
>> http://lowendmac.com/lite/05/0210.html
>
> I sent it to myself...
>
> X-Spam-Report:
> *  1.8 URG_BIZ BODY: Contains urgent matter
> *  0.7 SARE_MONEYTERMS BODY: Talks about money in some way.
> *  0.7 SARE_URGBIZ BODY: Contains urgent matter
> *  2.6 NA_DOLLARS BODY: Talks about a million North American dollars
> *  0.4 US_DOLLARS_3 BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
> * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
> *      [score: 0.0003]
> *  1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
> *      [URIs: walla.com]
> *  1.7 SARE_FRAUD_10 Matches 2 phrases commonly used in fraud spam
> *  1.7 SARE_FRAUD_1 Matches 2 phrases commonly used in fraud spam
> *  3.4 NIGERIAN_BODY1 Message body looks like a Nigerian spam message 1+
> *  1.7 SARE_FRAUD_X5 Matches 5+ phrases commonly used in fraud spam
> *  1.7 SARE_FRAUD_X6 Matches 6+ phrases commonly used in fraud spam
> *  1.2 MISSING_SUBJECT Missing Subject: header
> *  0.6 NIGERIAN_BODY2 Message body looks like a Nigerian spam message 2+
> *  1.7 SARE_FRAUD_X3 Matches 3+ phrases commonly used in fraud spam
> *  1.7 SARE_FRAUD_X4 Matches 4+ phrases commonly used in fraud spam
> *  1.7 SARE_FRAUD_6 Matches 2 phrases commonly used in fraud spam
> *  1.7 SARE_FRAUD_3 Matches 2 phrases commonly used in fraud spam
> *  1.7 SARE_FRAUD_5 Matches 2 phrases commonly used in fraud spam
> *  0.1 NIGERIAN_BODY3 Message body looks like a Nigerian spam message 3+
> *  1.7 SARE_FRAUD_2 Matches 2 phrases commonly used in fraud spam
> *  0.9 SARE_FRAUD_9 Matches 2 phrases commonly used in fraud spam
> *  -15 AWL AWL: From: address is in the auto white-list
>
> The AWL hit is because I sent it from my work address. The low Bayes score surprises me; my Bayes database should be loaded with crap like that.

I just tried saving the text to a file and running spamc on it. It didn't have any headers or anything but it still managed a score of 10.6 on my system without any add on rules... pretty good I think. My bayes hit with a BAYES_44.

-Jim
Re: Humor: "The Ultimate Spam Email"
> http://lowendmac.com/lite/05/0210.html

I sent it to myself...

X-Spam-Report:
*  1.8 URG_BIZ BODY: Contains urgent matter
*  0.7 SARE_MONEYTERMS BODY: Talks about money in some way.
*  0.7 SARE_URGBIZ BODY: Contains urgent matter
*  2.6 NA_DOLLARS BODY: Talks about a million North American dollars
*  0.4 US_DOLLARS_3 BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
*      [score: 0.0003]
*  1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
*      [URIs: walla.com]
*  1.7 SARE_FRAUD_10 Matches 2 phrases commonly used in fraud spam
*  1.7 SARE_FRAUD_1 Matches 2 phrases commonly used in fraud spam
*  3.4 NIGERIAN_BODY1 Message body looks like a Nigerian spam message 1+
*  1.7 SARE_FRAUD_X5 Matches 5+ phrases commonly used in fraud spam
*  1.7 SARE_FRAUD_X6 Matches 6+ phrases commonly used in fraud spam
*  1.2 MISSING_SUBJECT Missing Subject: header
*  0.6 NIGERIAN_BODY2 Message body looks like a Nigerian spam message 2+
*  1.7 SARE_FRAUD_X3 Matches 3+ phrases commonly used in fraud spam
*  1.7 SARE_FRAUD_X4 Matches 4+ phrases commonly used in fraud spam
*  1.7 SARE_FRAUD_6 Matches 2 phrases commonly used in fraud spam
*  1.7 SARE_FRAUD_3 Matches 2 phrases commonly used in fraud spam
*  1.7 SARE_FRAUD_5 Matches 2 phrases commonly used in fraud spam
*  0.1 NIGERIAN_BODY3 Message body looks like a Nigerian spam message 3+
*  1.7 SARE_FRAUD_2 Matches 2 phrases commonly used in fraud spam
*  0.9 SARE_FRAUD_9 Matches 2 phrases commonly used in fraud spam
*  -15 AWL AWL: From: address is in the auto white-list

The AWL hit is because I sent it from my work address. The low Bayes score surprises me; my Bayes database should be loaded with crap like that.
Re: _DOMAIN_ not being set?
On Thu, Feb 10, 2005 at 11:50:21AM -0800, Adam Harrison wrote:
> This forwards just fine and procmail reads the ~sw000100/.promailrc
> file and runs:
>
> :0fw
> | /usr/bin/spamc -f
>
> Spamc connects with spamd just fine, and it reads the MySQL
> preferences just fine. But somehow the full address is being dropped.
> The variables are being set as:
> _USERNAME_= 'sw000100'
> _TABLE_= userpref
> _MAILBOX_= 'sw000100
> '_DOMAIN_= NULL
>
> How can I get the full address (and the domain) set?
>

More often than not, ok probably all the time actually, to get a domain you're going to have to pass in a username via:

    spamc -u

Right now, spamc is guessing at the username and passing it in. So, adjust your procmailrc file to use -u [EMAIL PROTECTED] in the spamc call and _DOMAIN_ should become populated with soulbox.com.

Michael
valentine spam from my own provider?
Hi,

I just received the spam below. T-online.de, a spinoff of former state telekom, is one of the major providers in Germany for private internet access. The IP addresses in the header are valid, but there is no reverse DNS for the server mailing.t-online.de listed in the body of the mail, and a traceroute leads outside the country.

Now why would they use base64 to hide the real name, use a suspicious boundary, etc. Tech support claims that the mail is probably valid.

Wolfgang Hamann

Received: from fwdallmx.t-online.com [194.25.134.91]
    by localhost with POP3 (fetchmail-6.2.3)
    for [EMAIL PROTECTED] (single-drop); Thu, 10 Feb 2005 21:00:19 +0100 (CET)
Received: from mta.mailing.t-online.de ([62.221.20.20])
    by mailin05.sul.t-online.de with esmtp id 1CzIzu-0TeX050;
    Thu, 10 Feb 2005 19:25:02 +0100
X-MID: <[EMAIL PROTECTED]>
Date: Thu, 10 Feb 2005 17:09:02 + (GMT)
Message-Id: <[EMAIL PROTECTED]>
From: "=?iso-8859-1?B?VC1PbmxpbmUgSW5mb2JyaWVm?="<[EMAIL PROTECTED]>
Reply-To: T-Online Infobrief <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: =?iso-8859-1?B?SWhyIGFrdHVlbGxlciBJbmZvYnJpZWYgZvxyIGVpbmVuIHBlcmZla3RlbiBWYWxlbnRpbnN0YWc=?=
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="000"
X-TOI-SPAM: u;0;2005-02-10T19:38:44Z
X-TOI-MSGID: f1deacff-7ca9-4452-994b-ced9a6da69cd
X-Seen: false

--000
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Dear Mr. Hamann,

Valentine's Day is coming up again soon! And at T-Online, too, 14 February is of course all about love: with the big "Crystal Valentine" special and a big prize draw. Also look forward to the many other extras we have in store for you, from highlight rewards to valuable vouchers.

Here is our overview of topics:
- Valentine's special - prizes worth over 27,000 EUR to be won
- "Freunde werben Freude" - secure an exclusive highlight reward now
- "Catan Online Welt" - try it for 14 days now
- Skiing fun made to measure - 20 EUR voucher from T-Online and Tiscover
- "WISO Mein Geld T-Online Edition" - try it for 60 days now

** Valentine's special - prizes worth over 27,000 EUR to be won

Get ready now for romantic hours with T-Online's "Chrystal Valentine": the Valentine's quiz and the flower ABC reveal sweet secrets to you. In addition, fitting for the day of love, we show you how to write an irresistible love letter! And best of all: in our Valentine's prize draw, prizes with a total value of over 27,000 EUR are waiting for you. So what are you waiting for? Click through at:
http://mailing.t-online.de/cgi-bin2/DM/y/mOFa0EkyYa0F7T0YUk0Fp
Broken Ratware-Setup? May be useful for Rules?
Hi!

I attach a 'funny' Mail I got bounced from one of our Users, because it looks like 'broken/misconfigured Ratware'. Maybe somebody can update Rules for such things/structures?

The most interesting point seems to be, that the Tool creates three 'Received-Headers' to fool 'first-hop' IP/Domain checks.

Yours, Stucki

--
Christoph von Stuckrad      * * |nickname |<[EMAIL PROTECTED]>\
Freie Universitaet Berlin   |/_*|'stucki' |Tel(days):+49 30 838-75 459|
Fachbereich Mathematik, EDV |\ *|if online|Tel(else):+49 30 77 39 6600|
Arnimallee 2-6/14195 Berlin * * |on IRCnet|Fax(alle):+49 30 838-75454/

--- Begin Message ---
Message-ID: <[EMAIL PROTECTED]
--- End Message ---
Humor: "The Ultimate Spam Email"
This oughta replace GTUBE! http://lowendmac.com/lite/05/0210.html
Care and feeding instructions for SpamAssassin?
Hopefully this isn't a FAQ, I looked over the list on the website and while there is some useful info there I didn't see answers to all my questions (or maybe I just didn't realize they were answered as this is all new to me ;))

THE PROBLEM:
Recently the hit %age has dropped significantly (to about 50%, that's just a guess though). For example I've received several "valentine card" spams over the last couple of days and SA is still not marking it as spam :(

THE SETUP:
I recently upgraded our mail server to POSTFIX and added in SpamAssassin (3.0.2). In case it's important the spam level is set at 4, users are NOT allowed to set their own preferences, spamd is called through procmail (and the default spamc script) with the "-d" and "-u [see below]" options and the OS is Solaris9.

Everything w/ the install went great and it was picking up spam like a champ (maybe 1 out of 10 wouldn't be flagged properly). In order to facilitate people reporting improperly marked spam/ham I set up a couple of internal aliases they can forward email to and on those files (and the spam/ham I get which I save in separate mailboxes) I occasionally run:

    sa-learn --[spam|ham] --showdots --mbox

The one thing that has changed since the initial setup is the fact someone on the postfix list mentioned spamd shouldn't run as `nobody` (that's how it was originally configured). I created another user for it to run under (and it seems to be fine w/ that using the "-u" option mentioned earlier). I also chowned the "spool" files (journal, seen, etc) to that user. The config files and the test files (the #_* files in the "share" dir) are still owned by root.

THE QUESTIONS:
- Is the recent degrade in performance just a matter of the spammers changing their tactics and SA having to learn the new spam? As I said I've only been doing this about a month so I'm not sure if this is part of a normal cyclical thing.
- Should the sa-learn process report anything through syslog? I mean it's reporting successful results at the prompt but I didn't know if there was some place else to check to see if there might be warnings/errors "behind the scenes"?
- Is the sa-learn process the only/best way of doing the training?
- Is the forwarding of email to that address potentially causing a problem w/ the learning process? I mean for the email I set aside I know it is unmodified, but when users forward a spam to the email alias all the forwarding information is attached, is that potentially causing a problem? I did find something about forwarding mail and vanity domains in the FAQ but I'm not sure that is directly applicable to what I'm doing.
- I've found several good guides on initial installation and configuration but is there a decent "care and feeding" manual around for ongoing maint of SA? For example is there a command/process I can run through before and after using the sa-learn to get a feel for what changes were made?
- Just out of curiosity why is it not a good idea to run spamd as `nobody`?

I think that's it. I appreciate any/all help.

Thanks
_DOMAIN_ not being set?
I'm running SpamAssassin 3.0.2 with Perl 5.8.0 and MySQL 4.0.20. I run spamd in daemon mode, calling spamc from a user's .procmailrc to test. Eventually it will be in the system procmailrc.

I host a number of domains, and I would like to have domain preferences, but _DOMAIN_ is always set to NULL.

In the /etc/mail/virtualusertable I have my test account:

    [EMAIL PROTECTED][EMAIL PROTECTED]

This forwards just fine and procmail reads the ~sw000100/.promailrc file and runs:

    :0fw
    | /usr/bin/spamc -f

Spamc connects with spamd just fine, and it reads the MySQL preferences just fine. But somehow the full address is being dropped. The variables are being set as:

    _USERNAME_= 'sw000100'
    _TABLE_= userpref
    _MAILBOX_= 'sw000100
    '_DOMAIN_= NULL

How can I get the full address (and the domain) set?

Thanks,
-Adam

Adam Harrison - Information Technology
SightWorks
my phone: 503.221.2023
main line: 503.223.4184
fax: 503.243.1793
http://www.SightWorks.com
users@spamassassin.apache.org
Can you file a bug against this in bugzilla.spamassassin.org? Attach an example message too please. Thanks. -- Daniel Quinlan http://www.pathname.com/~quinlan/
Re: Spamassasin Market research
Chris, Wow, she emailed a lot of people individually (not me, though ;-). You can always forward stuff like this to the PMC at <[EMAIL PROTECTED]> since we might miss it on the higher-volume users list. Daniel -- Daniel Quinlan http://www.pathname.com/~quinlan/
question about bayes and awl.
Hi,

I'm relatively new using SA and I have a couple of doubts about the bayes db and the awl db.

I'm running a 3.0.2 site wide install, and I have seen that for each user there is a .spamassassin directory, storing Bayesian and awl databases apart from the user preferences file. The bayes and awl db are working only for the user who owns them, right?

What about the bayes data created with the sa-learn command? I've been training the spamassassin Bayesian filter since the installation of SA.

    0.000          0          3          0  non-token data: bayes db version
    0.000          0       1914          0  non-token data: nspam
    0.000          0       1957          0  non-token data: nham
    0.000          0     189514          0  non-token data: ntokens

The AWL looks like it's activated by default, could that cause some problems with the scoring and mark spam as ham and vice versa? And also could it set wrong scores into the AWL db?

My question is because there are still weird spam messages passing through without a spam like score, and I'm trying to stop them. Many of them I have passed many times through sa-learn.

Would it be more efficient to have a central db for bayes? Or is the distributed db much better?

Sorry if this was already asked.

BR,
Matías.
Re: Disabling automatic X-Spam-* header removal
On Thursday, 10 February 2005 at 17:26 you wrote:
> Did you do a clear_headers prior to adding X-Spam-2ndCheck?
>
> Note that clear_headers should not remove the existing ones in the message.
> It should, theoretically, clear your header *settings*.

Yes, I did this to get rid of spamassassin's (new) headers, but it seems there is a prior step which removes any X-Spam-* headers from the (filtered) email.

Meanwhile I investigated a bit and maybe I can get the wished behaviour by poking something around in amavisd-new (I've used spamassassin on the console for testing).

Regards,
Robert

PS: I've tried the command switch --remove-markup, but this removes any generated X-Spam-* headers from the result (as clear_headers without add_header does).
Re: MIME attachment not decoded from some servers
I have upgraded MIME::Tools to version 5.417 but that didn't fix it. Thanks though.

Stuart Johnston

Martin Hepworth wrote:
> Stuart
>
> there are known problems with the MIME::tools perl module which are fixed in version 5.417. If you have this and it's used by amavis-new it's best to make sure you are up to the latest version.
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
>
> Stuart Johnston wrote:
>> I am receiving multiple copies of this odd spam message at my domain. The spam is contained within a base64 mime attached html. When the message is originally received, the attachment is not decoded and I get a report like this:
>>
>> X-Spam-Status: Yes, hits=6.976 tagged_above=0 required=5 tests=BAYES_60,
>>  FORGED_YAHOO_RCVD, INVALID_DATE, RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK,
>>  RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL, UPPERCASE_25_50
>> X-Spam-Level: ++
>> X-Spam-Flag: YES
>> X-Spam-Report: Spam detection software, running on the system "gateway.ebby.com", has
>>  identified this incoming email as possible spam. The original message
>>  has been attached to this so you can view it (if it isn't spam) or label
>>  similar future email. If you have any questions, see
>>  the administrator of that system for details.
>>
>>  Content preview: See attachment message.html 0B0NSQ
>>  Content-Type: text/html; name="message.html"
>>  Content-transfer-encoding: base64
>>  Content-Disposition: attachment; filename="message.html"
>>  ULURFQ09SQVRJT046IG5vbmUgfSBBLmV5ZWJyb3c6bGluayB7IFRFWFQtREVDT1JBVE [...]
>>
>>  Content analysis details: (7.0 points, 5.0 required)
>>
>>  pts rule name              description
>>  --- ---------------------- --------------------------------------------
>>  0.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
>>  2.7 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
>>  0.4 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
>>                             [score: 0.6439]
>>  0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
>>                             [cf: 100]
>>  1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
>>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>>                             [221.39.219.20 listed in dnsbl.sorbs.net]
>>  0.1 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
>>                             [221.39.219.20 listed in combined.njabl.org]
>>  0.0 UPPERCASE_25_50        message body is 25-50% uppercase
>>
>> However, if I process it manually through spamassassin or copy-paste the text into a telneted smtp session, I get this:
>>
>> X-Spam-Status: Yes, hits=19.833 tag=0 tag2=5 kill=8 tests=DCC_CHECK,
>>  DNS_FROM_RFC_ABUSE, FORGED_RCVD_HELO, FORGED_YAHOO_RCVD, HTML_MESSAGE,
>>  HTML_TAG_EXIST_TBODY, INFO_TLD, MIME_MISSING_BOUNDARY, RCVD_IN_BL_SPAMCOP_NET,
>>  URIBL_AB_SURBL, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SBL, URIBL_SC_SURBL,
>>  URIBL_WS_SURBL
>> X-Spam-Level: +++
>> X-Spam-Report: Spam detection software, running
Re: DCC implementation questions
Matt Kettler wrote:
> At 09:50 AM 2/10/2005, Matias Lopez Bergero wrote:
>> Thanks for the info Matt. It would be better(faster/reliable) to use DCC apart from SA(dccm), or using SA with dccifd is a better choice?
>
> It's not going to be faster or more reliable. It's really a matter of what you want DCC to do.
>
> If you call DCC outside of SA, you're going to have to filter on its results independent of what SA thinks.
>
> If you call DCC from inside SA, its results are going to be mixed in with other SA rules. Sometimes SA will think a message is nonspam when DCC thinks it's spam, and vice versa.
>
> Personally, I tend to not trust DCC as a sole indicator of spam. But it is a very worthwhile tool to use in SA. But that's *my* opinion.

That's what I thought ;)

Thanks Matt!

BR,
Matías.
RE: Less spam blocked with 3.02 - AWL-related?
> 3) Stop using AWL. Seriously, I found it did more harm than
> good and got big too fast.

I don't have any problem with it, and it is doing its job quite well actually. BUT I do think that it will only work if you have a good working setup, in which there is a clear distinction in scores for both ham and spam. Otherwise, it may backfire. Without any extra rule-sets and or various net-lookups (SPF, SURBL, etc), I can't indeed imagine that it will work...

Also, the AWL-factor may need some tuning, in order to have a positive effect.

> --Chris

Kind Regards,
Sander Holthaus
Re: Disabling automatic X-Spam-* header removal
At 09:52 AM 2/10/2005, Robert Szerwinski wrote:
> I have the following problem: my mail comes in tagged with X-Spam-* headers and I want to make decisions inside *my* spamassassin based on those tags. How can I force spamassassin to leave the old headers untouched? (I have added a X-Spam-2ndCheck header to show decisions based on my local spamassassin.)
>
> In my opinion, this is not possible so far, is it? (Already read through the perl modules and wiki etc etc)

Did you do a clear_headers prior to adding X-Spam-2ndCheck?

Note that clear_headers should not remove the existing ones in the message. It should, theoretically, clear your header *settings*.
Re: DCC implementation questions
At 09:50 AM 2/10/2005, Matias Lopez Bergero wrote:
> Thanks for the info Matt. It would be better(faster/reliable) to use DCC apart from SA(dccm), or using SA with dccifd is a better choice?

It's not going to be faster or more reliable. It's really a matter of what you want DCC to do.

If you call DCC outside of SA, you're going to have to filter on its results independent of what SA thinks.

If you call DCC from inside SA, its results are going to be mixed in with other SA rules. Sometimes SA will think a message is nonspam when DCC thinks it's spam, and vice versa.

Personally, I tend to not trust DCC as a sole indicator of spam. But it is a very worthwhile tool to use in SA. But that's *my* opinion.
RE: Spamassasin Market research
>-----Original Message-----
>From: Janine Bonk [mailto:[EMAIL PROTECTED]
>Sent: Thursday, February 10, 2005 4:18 AM
>To: [EMAIL PROTECTED]
>Subject: Spamassasin
>
>
>Hello,
>
>we are doing a market research on the threat of spam and
>possible solutions. As
>the market of spam solutions is very complex, we want to give
>companies an overview.
>Therefore we contacted many companies worldwide.
>
>As SpamAssasin is one of the most successful and famous
>anti-spam solution we
>want to present this solution in our survey. My problem is
>that I do not know who I should contact. Could you help me? Do
>you know who can answer some questions about SpamAssasin.
>
>Regards,
>Janine Bonk
>
>
>ABSOLIT Dr. Schwarz Consulting
>Janine Bonk
>Melanchthonstr. 5
>68753 Waghäusel
>Germany
>Telefon: 0049 / 7254 95773-40
>Fax 0049 / 7254 95773-90
>www.absolit.de
>

Greetings Janine,

I could answer your questions. There is also a very active user list, which I have cc'd this email to. I'm sure we can get your questions answered. We like when people include SpamAssassin in their surveys.

Chris Santerre
System Admin and SARE/SURBL Ninja
http://www.rulesemporium.com
http://www.surbl.org
'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin
RE: Less spam blocked with 3.02 - AWL-related?
>-----Original Message-----
>From: Johann Spies [mailto:[EMAIL PROTECTED]
>Sent: Thursday, February 10, 2005 2:20 AM
>To: [EMAIL PROTECTED]
>Subject: Less spam blocked with 3.02 - AWL-related?
>
>
>I have upgraded spamassassin on three mail (2.63 -> 3.02 on two and
>2.64 -> 3.02 on the other) servers about two weeks ago.
>
>On the old system I have disabled AWL and Auto-learn because they
>corrupted my bayesian database on at least one occasion.
>
>I have decided to try out AWL with 3.02.
>
>At first I did not use any extra rules but installed the following
>after a week:
>
>70_sare_bayes_poison_nxm.cf
>70_sare_html2.cf
>99_sare_fraud_post25x.cf
>70_sare_html0.cf
>70_sare_html3.cf
>evilnumbers.cf
>70_sare_html1.cf
>70_sare_html_eng.cf
>
>I have experienced less false positives with the new one. Complaints
>came down from about 6 per week to maybe 1 in the last two weeks.
>
>But the feedback from users about spam received increased and the
>following statistics shows that something is not working as
>effectively as it was previously:
>
>Average spam blocked per minute for the last
>
>        Day    Week    Month   Year (Since April-June last year)
>mail1   5.94   6.21    7.67    8.20
>mail2   5.04   5.95    6.48    6.69
>mail3   4.95   4.67*   6.23    6.85
>
>* mail3 was down for a few hours during the week.
>
>The three servers started out with the same bayesian database and are
>trained with the same spam/ham on a nearly daily basis.
>
>
>I am suspecting AWL to be the culprit but I am not sure how to
>determine it other than switching it off for a period.
>
>Any commentary?

1) Nice rulesets ;)
2) Please tell me you are using net-tests. SURBL? (might want to increase those scores.)
3) Stop using AWL. Seriously, I found it did more harm than good and got big too fast.
4) Can you share the output from a --lint with us?

--Chris
RE: [OT] GPG Keysigning at Linux World
>> You need to be absolutely sure someone is who they say they are. I'd
>> probably be lynched if I signed someone's key without checking a
>> government issued ID. (Hence, why I have signed very few keys.)
>
>Lynched by who?

Being it's Duncan, either the greys or the men in black ;)

--Chris
(How do we know it was really Duncan who posted that message?)
Re: more ALL_TRUSTED issues?
Alan -

I ran into this same issue earlier - the IP address your message came from is incorrectly marked in the current version of Spamassassin as being a reserved IP address. It sounds like this issue has been fixed in future versions of Spamassassin, but meanwhile you can use the fix which Kris Degau kindly provided me - it's in the original thread:
http://marc.theaimsgroup.com/?l=spamassassin-users&m=110555682017732&w=2

Thanks again, Kris!

Sandy

- Original Message -
From: "alan premselaar" <[EMAIL PROTECTED]>
To: "SpamAssassin list"
Sent: Wednesday, February 09, 2005 9:51 PM
Subject: more ALL_TRUSTED issues?

> Today I got an email thru which hit ALL_TRUSTED. My mail server isn't
> NAT'd. I haven't specifically setup trusted_networks or
> internal_networks but this is the first I've had a problem with it.
>
> I'm running RH 9 with Sendmail 8.13.3, MIMEDefang 2.49, SpamAssassin 3.02.
>
> the Received headers look a little funky but I haven't really checked
> them against any RFCs. is this a problem with SA? or my setup?
>
> any help is appreciated.
>
> thanks,
>
> alan
>
> here are the unaltered headers of the email in question:
>
> Return-Path: <[EMAIL PROTECTED]>
> Received: from sndr199.beta-ca.mxsvrbsminc.net
>     (sndr199.beta-ca.mxsvrbsminc.net [72.5.1.199])
>     by mojo.12inch.com (8.13.3/8.13.0) with ESMTP id j1A1JvBx029323
>     for <[EMAIL PROTECTED]>; Thu, 10 Feb 2005 10:19:57 +0900
> Received: by sndr199.beta-ca.mxsvrbsminc.net id h1apo006574r; Wed, 9 Feb
>     2005 16:55:49 -0800 (envelope-from <[EMAIL PROTECTED]>)
> Received: from localhost by BSMgateway.
>     ()
>     with ESMTP id mid98433179.msg
>     for <[EMAIL PROTECTED]>; Wed, 9 Feb 2005 16:55:49 -0800
> Date: Wed, 9 Feb 2005 16:55:49 -0800
> From: "Little-Blue Pill." <[EMAIL PROTECTED]>
> To: "Online Consumer" <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Subject: Is this what your life is like alien?
> Message-ID: <[EMAIL PROTECTED]>
> X-envid: 98433179
> X-Mailer: MOM Agent (v.9.8.433179)
> X-CRC32ID: 38112EE1;AEF06669;D9F55A5F
> x-MOMID1: VFdZVl1FQlQJAQAHVFRYUlwA
> x-MOMID2: XF5dUFVHW14cCQcA
> x-MOMID3: XV1CVVdbRVgSAQYPWFpXUVpPICNjHQIGXVtaXVleQ10LBAQbWloA
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary="--98433179_abFeb1029"
> X-Spam-Scanner: SpamAssassin 3.02 (http://www.spamassassin.org/) on
>     mojo.12inch.com
> X-Spam-Score: 1.857 / 4.000: 26.857%
> X-Spam-Tests:
>     DCC_CHECK(2.169),BAYES_99(1.886),URIBL_SBL(0.996),HTML_IMAGE_RATIO_04(0.105),HTML_MESSAGE(0.001),ALL_TRUSTED(-3.300)
> X-SPF-Header: mojo.12inch.com: domain of
>     [EMAIL PROTECTED] designates 72.5.1.199 as permitted sender
> X-Scanned-By: MIMEDefang 2.49 on 64.7.201.48
>
Re: SA is changing attachments ?
At 09:19 AM 2/10/2005, kutt wrote:
>so how do i fix this bug ? (or "feature"?)
>
>btw: why was this added in first place ? most mail servers have a
>extension + virus filters ...
>
>OS: Debian
>Mailserver: postfix (sql), amavis, uvscan, spamassassin

Sounds like it's an amavis feature.. you might want to ask the amavis guys if they have a defang feature for spam.

SA doesn't mangle attachment names.. the only mangling that SA itself is capable of is modifying HTML segments to text/plain if you have report_safe set to 2.
Re: DCC implementation questions
Matt Kettler wrote:
> At 04:12 PM 2/9/2005, Matias Lopez Bergero wrote:
>> Is dccm a better implementation rather than dccproc for those who are
>> using Sendmail? And if this is yes, how do I need to configure SA to
>> work with dccm? I couldn't find anything about dccm and SA.
>
> You can't configure SA to use dccm, because dccm is a milter, and is
> intended to be called directly by sendmail, not by another milter such
> as milter-spamc.

Thanks for the info Matt.

Would it be better (faster/more reliable) to use DCC apart from SA (dccm), or is using SA with dccifd a better choice?

BR,
Matías
Disabling automatic X-Spam-* header removal
Hi list, I have the following problem: my mail comes in tagged with X-Spam-* headers and I want to make decisions inside *my* spamassassin based on those tags. How can I force spamassassin to leave the old headers untouched? (I have added a X-Spam-2ndCheck header to show decisions based on my local spamassassin.) In my opinion, this is not possible so far, is it? (Already read through the perl modules and wiki etc etc) Regards, Robert PS: I'm using version 2.64
Re: [OT] GPG Keysigning at Linux World
On Wed, Feb 09, 2005 at 10:47:12PM -0900, John Andersen wrote:
> Lynched by who?

I'm guessing the Debian people. When it comes to GPG signatures, they're ... extreme.

--
Randomly Generated Tagline:
"Why don't you just come move in with me?" -Bender
"Really? That would be great! You sure I won't be imposing?" -Fry
"Nah. I've always wanted a pet." -Bender
Re: SA is changing attachments ?
On Thu, Feb 10, 2005 at 03:19:26PM +0100, kutt wrote:
> to:
> DEFANGED-
>
> i didn't find any notes about that in the doc's or upgrade notes.
> even when i grep for it i cant find it.

Of course not, it's not SpamAssassin doing it.

> btw: why was this added in first place ? most mail servers have a
> extension + virus filters ...

It wasn't. :)

--
Randomly Generated Tagline:
"You guys are extremely inert today." - Prof. Brown
SA is changing attachments ?
hey all!

i upgraded my spamassassin recently to version: 3.0.2-1
well works like a charm so far. but i noticed that it changes the filenames of attached files.

to:
DEFANGED-

i didn't find any notes about that in the docs or upgrade notes. even when i grep for it i can't find it. but it's 100% spamassassin because when i disable it my mailserver receives the files correctly

so how do i fix this bug ? (or "feature"?)

btw: why was this added in first place ? most mail servers have a extension + virus filters ...

OS: Debian
Mailserver: postfix (sql), amavis, uvscan, spamassassin

thx in advance
RE: Less spam blocked with 3.02 - AWL-related?
> On Thu, Feb 10, 2005 at 11:48:18AM +0100, Sander Holthaus - > Orange XL wrote: > > Your (mail)logs might come in handy for this, if you write out > > SpamAssassin's basic output there. With a basic Perl-script > (you can > > do this in almost any other script-language of course) you can see > > most likely everything you need. Spam, ham and mail-scores, > > scan-times, tests that where hit (!), etc. With only a small bit of > > programming, you can calculate and see everything you need! > You should > > check wat AWL and BAYES -tests are doing, especially if > they hit on Spam. > > True. Maybe I was to lazy to think about that ;) > > I was looking at the logfile /var/log/mail.info which shows > which rules were used, but not with the individual values e.g. > > Feb 10 14:42:44 mail1 spamd[16031]: result: . -2 - > AWL,BAYES_20,DRUG_ED_CAPS,HTML_MESSAGE > scantime=0.1,size=3491,mid=<01E4C22DDCD5E94DAC1863202903F26809 [EMAIL PROTECTED]>, > bayes=0.0983660349113599,autolearn=disabled > > But in exim's rejectlogs the full spamreport appears. Well, I didn't get to it either until recently. I think there are not too many who automate analysis of spamassassin output. While it is quite handy. >From looking at the entry above, I think a few changes could be made to your setup. Indeed you appear to have a problem with AWL, it shouldn't hit on spam. But it think it is more likely to be related to the fact that messages which are spam aren't getting enough hitpoints to be seen as spam. Bayes_20 is also quite low (but not that unusual) for a spam-mail, not to mention that only two other rules hit on the message. Do you perform any networks-tests? (Pyzor, Razor, DCC, URIDNSBL) > > > When I upgraded, (2.64 > 3.02) I noticed only a small increase in > > scores for spam and decrease for ham from SpamAssassin. Not the big > > results I had hoped for, but I'll patiently wait for 3.1. 
Overall > > results are slightly better, and technically, there should > be a lower > > possiblility of ham being marked as spam (due to > SPF-checking, did you install that?). > > No, I did not install SPF-checking. I will have to read up about it. It is a nice addition, though not widely implemented (most major webmail-providers use SPF nowadays, but many medium- and small ISP's/webmail-providers don't). http://spf.pobox.com will tell you what it is. > > As to your setup. How up to date are those extra custom rules? > > A few days ago. That's good. No problem there. > > Any reason > > why your are using 70_sare_html2.cf and 70_sare_html3.cf but not > > 70_sare_header0, cf70_sare_header1.cf, 70_sare_genlsubj0.cf, > > 70_sare_genlsubj1.cf, etc, etc...? > > I did not know about them. Check out www.rulesemporium.com You will find all available rules, descriptions and hints how to use them. There are also links to none sare-rules, which can give excellent results too (e.g. chickenpox, weeds / weeds2 and mangeled to name just a few). > > There are more effective rules out there than just > sare_html or just > > sare rules! > > > I use most of the Sare-rules + some extra rules, and > results are very > > good (though watch your memory and scantimes!). Have yet to see a > > false positive with a treshold of 9, and only 1-2% of all > traffic scores between 5 and 9. > > I have tried now to download them with rule_du_jour and it > ends with an error: > > 70_sare_bayes_poison_nxm.cf was up to date [skipped > downloading of > http://www.rulesemporium.com/rules/70_sare_bayes_poison_nxm.cf ] ... > > No index found for ruleset named SARE_GENLSUBJ2. Check that > this ruleset is still valid. > > No index found for ruleset named SARE_GENLSUBJ2. Check that > this ruleset is still valid. > > No index found for ruleset named SARE_GENLSUBJ3. Check that > this ruleset is still valid. > > No index found for ruleset named SARE_GENLSUBJ_ARC. Check > that this ruleset is still valid. 
> > No index found for ruleset named SARE_GENLSUBJ_ENG. Check > that this ruleset is still valid. > > No index found for ruleset named SARE_GENLSUBJ. Check that > this ruleset is still valid. > No files updated; No restart required. > > > > > > Rules Du Jour Run Summary:RulesDuJour Run Summary on archive3: > > No index found for ruleset named SARE_GENLSUBJ2. Check that > this ruleset is still valid. > > No index found for ruleset named SARE_GENLSUBJ2. Check that > this ruleset is still valid. > > No index found for ruleset named SARE_GENLSUBJ3. Check that > this ruleset is still valid. > > No index found for ruleset named SARE_GENLSUBJ_ARC. Check > that this ruleset is still valid. > > No index found for ruleset named SARE_GENLSUBJ_ENG. Check > that this ruleset is still valid. > > No index found for ruleset named SARE_GENLSUBJ. Check that > this ruleset is still valid. I'm not usung rules_du_jour myself, but it may be that the nameing-convention or url of those rules has changed. You might want
qmail and spamassassin
I am using spamassassin version 2.64 on SuSE 8.2

I have a problem with qmail and spamassassin. In my logfile of qmail (/var/log/qmail/current) I get the following error:

@4000420b375904f72fd4 delivery 401: success: Argument_"\010802984^Q7^KB"_isn't_numeric_in_numeric_gt_(>)_at_/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm_line_1260.

An error occurs in the following file of spamassassin:

/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore

The error occurs at line 1260:

    my $newmagic = $self->{db_toks}->{$NEWEST_TOKEN_AGE_MAGIC_TOKEN};
    if (!defined ($newmagic) || $atime > $newmagic) {
      $self->{db_toks}->{$NEWEST_TOKEN_AGE_MAGIC_TOKEN} = $atime;
    }

I cannot use spamassassin version 3.0, because it does not work with SuSE 8.2 because of perl (SuSE 8.2 uses an older version of perl. It is not possible to upgrade to a newer version of perl)

--
Hans-Georg Glöckler
Universität Ulm
Fakultät für Informatik, Abteilung Neuroinformatik
D-89069 Ulm
Tel: 0731/502-4193 (08:30 - 12:00)
RE: Less spam blocked with 3.02 - AWL-related?
Your (mail)logs might come in handy for this, if you write out SpamAssassin's basic output there. With a basic Perl-script (you can do this in almost any other script-language of course) you can see most likely everything you need. Spam, ham and mail-scores, scan-times, tests that were hit (!), etc. With only a small bit of programming, you can calculate and see everything you need! You should check what AWL and BAYES -tests are doing, especially if they hit on Spam.

When I upgraded, (2.64 > 3.02) I noticed only a small increase in scores for spam and decrease for ham from SpamAssassin. Not the big results I had hoped for, but I'll patiently wait for 3.1. Overall results are slightly better, and technically, there should be a lower possibility of ham being marked as spam (due to SPF-checking, did you install that?).

As to your setup. How up to date are those extra custom rules? Any reason why you are using 70_sare_html2.cf and 70_sare_html3.cf but not 70_sare_header0.cf, 70_sare_header1.cf, 70_sare_genlsubj0.cf, 70_sare_genlsubj1.cf, etc, etc...? There are more effective rules out there than just sare_html or just sare rules!

I use most of the Sare-rules + some extra rules, and results are very good (though watch your memory and scantimes!). Have yet to see a false positive with a threshold of 9, and only 1-2% of all traffic scores between 5 and 9.

Kind Regards,
Sander Holthaus

> -Original Message-
> From: Johann Spies [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 10, 2005 8:20 AM
> To: [EMAIL PROTECTED]
> Subject: Less spam blocked with 3.02 - AWL-related?
>
> I have upgraded spamassassin on three mail (2.63 -> 3.02 on two and
> 2.64 -> 3.02 on the other) servers about two weeks ago.
>
> On the old system I have disabled AWL and Auto-learn because
> they corrupted my bayesian database on at least one occasion.
>
> I have decided to try out AWL with 3.02.
>
> At first I did not use any extra rules but installed the
> following after a week:
>
> 70_sare_bayes_poison_nxm.cf
> 70_sare_html2.cf
> 99_sare_fraud_post25x.cf
> 70_sare_html0.cf
> 70_sare_html3.cf
> evilnumbers.cf
> 70_sare_html1.cf
> 70_sare_html_eng.cf
>
> I have experienced less false positives with the new one.
> Complaints came down from about 6 per week to maybe 1 in the
> last two weeks.
>
> But the feedback from users about spam received increased and
> the following statistics shows that something is not working
> as effectively as it was previously:
>
> Average spam blocked per minute for the last
>
>          Day    Week    Month   Year (Since April-June last year)
> mail1    5.94   6.21    7.67    8.20
> mail2    5.04   5.95    6.48    6.69
> mail3    4.95   4.67*   6.23    6.85
>
> * mail3 was down for a few hours during the week.
>
> The three servers started out with the same bayesian database
> and are trained with the same spam/ham on a nearly daily basis.
>
>
> I am suspecting AWL to be the culprit but I am not sure how
> to determine it other than switching it off for a period.
>
> Any commentary?
>
> Regards
> Johann
> --
> Johann Spies Telefoon: 021-808 4036
> Informasietegnologie, Universiteit van Stellenbosch
>
> "I was glad when they said unto me, Let us go into the
> house of the LORD." Psalms 122:1
Re: MIME attachment not decoded from some servers
Stuart there are known problems with the MIME::tools perl module which are fixed in version 5.417. If you have this and it's used by amavis-new it's best to make sure you are up to the latest version. -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 Stuart Johnston wrote: I am receiving multiple copies of this odd spam message at my domain. The spam is contained within a base64 mime attached html. When the message is originally received, the attachment is not decoded and I get a report like this: X-Spam-Status: Yes, hits=6.976 tagged_above=0 required=5 tests=BAYES_60, FORGED_YAHOO_RCVD, INVALID_DATE, RAZOR2_CF_RANGE_51_100, RAZOR2_CHECK, RCVD_IN_NJABL_DUL, RCVD_IN_SORBS_DUL, UPPERCASE_25_50 X-Spam-Level: ++ X-Spam-Flag: YES X-Spam-Report: Spam detection software, running on the system "gateway.ebby.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. 
Content preview: See attachment message.html 0B0NSQ Content-Type: text/html; name="message.html" Content-transfer-encoding: base64 Content-Disposition: attachment; filename="message.html" [...]
Content analysis details: (7.0 points, 5.0 required) pts rule name description -- -- 0.2 INVALID_DATE Invalid Date: header (not RFC 2822) 2.7 FORGED_YAHOO_RCVD 'From' yahoo.com does not match 'Received' headers 0.4 BAYES_60 BODY: Bayesian spam probability is 60 to 80% [score: 0.6439] 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50% [cf: 100] 1.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [221.39.219.20 listed in dnsbl.sorbs.net] 0.1 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP [221.39.219.20 listed in combined.njabl.org] 0.0 UPPERCASE_25_50message body is 25-50% uppercase However, if I process it manually through spamassassin or copy-paste the text into a telneted smtp session, I get this: X-Spam-Status: Yes, hits=19.833 tag=0 tag2=5 kill=8 tests=DCC_CHECK, DNS_FROM_RFC_ABUSE, FORGED_RCVD_HELO, FORGED_YAHOO_RCVD, HTML_MESSAGE, HTML_TAG_EXIST_TBODY, INFO_TLD, MIME_MISSING_BOUNDARY, RCVD_IN_BL_SPAMCOP_NET, URIBL_AB_SURBL, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SBL, URIBL_SC_SURBL, URIBL_WS_SURBL X-Spam-Level: +++ X-Spam-Report: Spam detection software, running on the system "gateway.ebby.com", has identified this incoming email as possible spam. The original message has been attached
Re: Less spam blocked with 3.02 - AWL-related?
Johann Spies <[EMAIL PROTECTED]> writes:

> Average spam blocked per minute for the last
>
>          Day    Week    Month   Year (Since April-June last year)
> mail1    5.94   6.21    7.67    8.20
> mail2    5.04   5.95    6.48    6.69
> mail3    4.95   4.67*   6.23    6.85

This is not an especially meaningful statistic:

 - you don't know if spam blocked was spam
 - percentage blocked is more meaningful since spam flow varies
 - not to mention that spam changes

If you're not using network tests, turn them on. If you're using network tests, you might want to bump up the Bayes scores a bit if Bayes is hand-trained.

Daniel

--
Daniel Quinlan
http://www.pathname.com/~quinlan/
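Added example (not posted by anyone in this thread): the log analysis Sander Holthaus suggests elsewhere in the thread, combined with the percentage figure Daniel Quinlan asks for above, as a Python script over spamd "result:" lines. The sample lines are constructed, modelled on the single entry Johann quoted from /var/log/mail.info, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the spamd "result:" entry quoted in the thread.
# After "result:" comes "Y" (flagged as spam) or "." (not flagged), then the score.
# Message-ids are placeholders.
SAMPLE_LOG = """\
Feb 10 14:42:44 mail1 spamd[16031]: result: . -2 - AWL,BAYES_20,DRUG_ED_CAPS,HTML_MESSAGE scantime=0.1,size=3491,mid=<m1@example.invalid>,bayes=0.0983660349113599,autolearn=disabled
Feb 10 14:43:02 mail1 spamd[16031]: result: Y 12 - BAYES_99,HTML_MESSAGE,URIBL_SBL scantime=1.4,size=5120,mid=<m2@example.invalid>,bayes=0.9991,autolearn=disabled
Feb 10 14:43:10 mail1 spamd[16040]: result: . 0 - AWL,HTML_MESSAGE scantime=0.3,size=2048,mid=<m3@example.invalid>,bayes=0.5,autolearn=disabled
Feb 10 14:43:30 mail1 spamd[16040]: result: Y 7 - AWL,BAYES_99,DRUG_ED_CAPS scantime=0.9,size=4000,mid=<m4@example.invalid>,bayes=0.998,autolearn=disabled
Feb 10 14:43:31 mail1 spamd[16040]: result: . 0 - scantime=0.2,size=900,mid=<m5@example.invalid>,bayes=0.5,autolearn=disabled
Feb 10 14:43:32 mail1 spamd[16040]: connection from localhost [127.0.0.1] at port 40112
"""

RESULT_RE = re.compile(
    r"spamd\[\d+\]: result: (?P<flag>[Y.])\s+"
    r"(?P<score>-?\d+(?:\.\d+)?)\s+-\s*(?P<rest>.*)$"
)
BAYES_RE = re.compile(r"\bbayes=(\d+(?:\.\d+)?)")


def parse_result(line):
    """Return a dict for a spamd result line, or None for any other log line."""
    m = RESULT_RE.search(line)
    if m is None:
        return None
    # The test list is the first whitespace-separated token; the key=value
    # fields follow. When no test hit, the fields come first.
    first, _, tail = m.group("rest").partition(" ")
    if "=" in first:
        first, tail = "", m.group("rest")
    bayes = BAYES_RE.search(tail)
    return {
        "flagged": m.group("flag") == "Y",
        "score": float(m.group("score")),
        "tests": [t for t in first.split(",") if t],
        "bayes": float(bayes.group(1)) if bayes else None,
    }


def summarize(lines):
    """Count flagged/unflagged mail and tally which tests hit in each group."""
    total = flagged = 0
    hits = {"flagged": Counter(), "unflagged": Counter()}
    for line in lines:
        rec = parse_result(line)
        if rec is None:
            continue
        total += 1
        flagged += rec["flagged"]
        hits["flagged" if rec["flagged"] else "unflagged"].update(rec["tests"])
    return {
        "total": total,
        "flagged": flagged,
        # Share of scanned mail that was flagged. This is SpamAssassin's own
        # verdict, not ground truth, but unlike "spam per minute" it does not
        # move just because mail volume changed.
        "pct_flagged": 100.0 * flagged / total if total else 0.0,
        "hits": hits,
    }


def report(stats):
    """Render the summary as text, one line per test."""
    out = ["%d scanned, %d flagged (%.1f%%)"
           % (stats["total"], stats["flagged"], stats["pct_flagged"])]
    hits = stats["hits"]
    for test in sorted(set(hits["flagged"]) | set(hits["unflagged"])):
        out.append("%-16s flagged=%d unflagged=%d"
                   % (test, hits["flagged"][test], hits["unflagged"][test]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.splitlines())))
```

Run against each server's real log for the same period, the per-test columns show how often AWL and the BAYES_* tests appear on flagged versus unflagged mail.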
Re: [OT] GPG Keysigning at Linux World
On Wednesday 09 February 2005 04:26 pm, Duncan Findlay wrote:
> You need to be absolutely sure someone is who they say they are. I'd
> probably be lynched if I signed someone's key without checking a
> government issued ID. (Hence, why I have signed very few keys.)

Lynched by who?

--
_
John Andersen
Less spam blocked with 3.02 - AWL-related?
I have upgraded spamassassin on three mail (2.63 -> 3.02 on two and 2.64 -> 3.02 on the other) servers about two weeks ago.

On the old system I have disabled AWL and Auto-learn because they corrupted my bayesian database on at least one occasion.

I have decided to try out AWL with 3.02.

At first I did not use any extra rules but installed the following after a week:

70_sare_bayes_poison_nxm.cf
70_sare_html2.cf
99_sare_fraud_post25x.cf
70_sare_html0.cf
70_sare_html3.cf
evilnumbers.cf
70_sare_html1.cf
70_sare_html_eng.cf

I have experienced less false positives with the new one. Complaints came down from about 6 per week to maybe 1 in the last two weeks.

But the feedback from users about spam received increased and the following statistics shows that something is not working as effectively as it was previously:

Average spam blocked per minute for the last

         Day    Week    Month   Year (Since April-June last year)
mail1    5.94   6.21    7.67    8.20
mail2    5.04   5.95    6.48    6.69
mail3    4.95   4.67*   6.23    6.85

* mail3 was down for a few hours during the week.

The three servers started out with the same bayesian database and are trained with the same spam/ham on a nearly daily basis.

I am suspecting AWL to be the culprit but I am not sure how to determine it other than switching it off for a period.

Any commentary?

Regards
Johann
--
Johann Spies Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

"I was glad when they said unto me, Let us go into the house of the LORD." Psalms 122:1
RE: DCC implementation questions
At 08:12 PM 2/9/2005, Jason Bennett wrote:
>debug: config: read file /etc/mail/spamassassin/local.cf
>debug: DCCifd is not available: no r/w dccifd socket found.
>
>In that spamassassin config file I have (I tried without this entry and
>get same thing):
>
>dcc_dccifd_path /var/dcc
>
>In the /var/dcc I have:
>
>srw-rw-rw- 1 root root 0 Feb 9 18:01 dccifd

Try this instead:

dcc_dccifd_path /var/dcc/dccifd

It's rather unfortunate that the SA config option naming convention has no consistency whatsoever for the use of the word "path". Sometimes options named path are expecting a path with no filename (dcc_path), sometimes a path plus partial filename (bayes_path), and sometimes, a full path with filename.

dcc_dccifd_path actually expects a full path+filename, although the documentation fails to make this clear, and actually seems to reinforce the concept that this option is a directory.

Tsk. Tsk. Strike one for the manpage team, and strike one for the option naming convention team :)
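Added example (not part of Matt's reply and not SpamAssassin's own code): a Python check that tells the two dcc_dccifd_path settings above apart before spamassassin is restarted. It assumes, from the wording of the debug message, that the value must name a socket the scanning user can read and write; read_option and check_dccifd_path are names made up for this example, and the "last setting wins" behaviour is likewise an assumption.

```python
import os
import socket
import stat
import tempfile


def read_option(config_text, name):
    """Return the value of `name` in local.cf-style text, or None.

    Assumption of this example: '#' starts a comment and the last
    occurrence of an option is the one that counts.
    """
    value = None
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] == name:
            value = parts[1].strip()
    return value


def check_dccifd_path(path):
    """Classify what a dcc_dccifd_path value points at.

    Returns (status, hint). status is one of "ok", "socket-not-rw",
    "directory", "not-a-socket", "missing". For a directory that holds a
    socket named dccifd, hint is the full path that should have been set.
    """
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return ("missing", None)
    if stat.S_ISSOCK(mode):
        if os.access(path, os.R_OK | os.W_OK):
            return ("ok", None)
        return ("socket-not-rw", None)
    if stat.S_ISDIR(mode):
        # The mistake from the thread: the DCC home directory was given
        # instead of the socket inside it.
        candidate = os.path.join(path, "dccifd")
        try:
            if stat.S_ISSOCK(os.stat(candidate).st_mode):
                return ("directory", candidate)
        except OSError:
            pass
        return ("directory", None)
    return ("not-a-socket", None)


def demo():
    """Recreate the thread's layout in a temp dir and check both settings."""
    with tempfile.TemporaryDirectory() as dcc_home:
        sock_path = os.path.join(dcc_home, "dccifd")
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(sock_path)  # creates the socket file, as dccifd does
        try:
            wrong_cf = "# as first posted\ndcc_dccifd_path %s\n" % dcc_home
            fixed_cf = "dcc_dccifd_path %s\n" % sock_path
            wrong = check_dccifd_path(read_option(wrong_cf, "dcc_dccifd_path"))
            fixed = check_dccifd_path(read_option(fixed_cf, "dcc_dccifd_path"))
        finally:
            listener.close()
        return wrong, fixed, sock_path


if __name__ == "__main__":
    wrong, fixed, sock_path = demo()
    print("directory setting:", wrong)
    print("full socket path: ", fixed)
```

Run it as the user spamd scans as, since the read/write test depends on that user's permissions on the socket.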
Re: Problems with spamassassin suddenly forward all mails as SPAM
Tony Yat-Tung Cheung wrote:

| Hi,
|
| I have configured spamassassin to filter my mails and move the
| spams to a mail folder. It works fine for a while (e.g. several
| weeks) and then it would start forwarding all mails, include those
| marked as SPAM and not marked as SPAM, to the mail folder.
|
| Once, the problem arises, I found that deleting the following two
| files will solve the problem,
|
| ~/.spamassassin/bayes_seen ~/.spamassassin/bayes_token
|
| What is the possible problem? Any suggestion on how I can prevent
| this problem?
|
| I am using spamassassin 3.01 on Red Hat Linux 9.0.

Those two files you mentioned are the bayes database. Since you say deleting those two files (and my assumption is that you haven't changed anything else) causes the appropriate behaviour, I expect you may be mistraining your bayes database. This could be due to auto-learning (a feature built into spamassassin), or some external training script. Check the wiki for more information on bayes.
[Administrivia] EditMoin
https://moin.conectiva.com.br/EditMoin

That's the editmoin web page. This program allows you to edit Moin pages with your preferred editor. It means you can easily edit your pages, without the usual limitations of most web browsers' text areas.

--j.
more ALL_TRUSTED issues?
Today I got an email thru which hit ALL_TRUSTED. My mail server isn't NAT'd. I haven't specifically setup trusted_networks or internal_networks but this is the first I've had a problem with it.

I'm running RH 9 with Sendmail 8.13.3, MIMEDefang 2.49, SpamAssassin 3.02.

the Received headers look a little funky but I haven't really checked them against any RFCs. is this a problem with SA? or my setup?

any help is appreciated.

thanks,

alan

here are the unaltered headers of the email in question:

Return-Path: <[EMAIL PROTECTED]>
Received: from sndr199.beta-ca.mxsvrbsminc.net
    (sndr199.beta-ca.mxsvrbsminc.net [72.5.1.199])
    by mojo.12inch.com (8.13.3/8.13.0) with ESMTP id j1A1JvBx029323
    for <[EMAIL PROTECTED]>; Thu, 10 Feb 2005 10:19:57 +0900
Received: by sndr199.beta-ca.mxsvrbsminc.net id h1apo006574r; Wed, 9 Feb
    2005 16:55:49 -0800 (envelope-from <[EMAIL PROTECTED]>)
Received: from localhost by BSMgateway.
    ()
    with ESMTP id mid98433179.msg
    for <[EMAIL PROTECTED]>; Wed, 9 Feb 2005 16:55:49 -0800
Date: Wed, 9 Feb 2005 16:55:49 -0800
From: "Little-Blue Pill." <[EMAIL PROTECTED]>
To: "Online Consumer" <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
Subject: Is this what your life is like alien?
Message-ID: <[EMAIL PROTECTED]>
X-envid: 98433179
X-Mailer: MOM Agent (v.9.8.433179)
X-CRC32ID: 38112EE1;AEF06669;D9F55A5F
x-MOMID1: VFdZVl1FQlQJAQAHVFRYUlwA
x-MOMID2: XF5dUFVHW14cCQcA
x-MOMID3: XV1CVVdbRVgSAQYPWFpXUVpPICNjHQIGXVtaXVleQ10LBAQbWloA
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--98433179_abFeb1029"
X-Spam-Scanner: SpamAssassin 3.02 (http://www.spamassassin.org/) on
    mojo.12inch.com
X-Spam-Score: 1.857 / 4.000: 26.857%
X-Spam-Tests:
    DCC_CHECK(2.169),BAYES_99(1.886),URIBL_SBL(0.996),HTML_IMAGE_RATIO_04(0.105),HTML_MESSAGE(0.001),ALL_TRUSTED(-3.300)
X-SPF-Header: mojo.12inch.com: domain of
    [EMAIL PROTECTED] designates 72.5.1.199 as permitted sender
X-Scanned-By: MIMEDefang 2.49 on 64.7.201.48
Re: MIME attachment not decoded from some servers
Stuart Johnston <[EMAIL PROTECTED]> writes:

> Anyone have ideas here? Why would SA decode the same attachment
> sometimes, but not always. My server is running SA 3.0.2, Postfix 2.0
> and amavisd-new 2.1.2.
      ^

If you run SpamAssassin directly, then amavisd-new is not involved.

Daniel

--
Daniel Quinlan
http://www.pathname.com/~quinlan/
Re: Problems with spamassassin suddenly forward all mails as SPAM
As I'm sure others will point out, SA doesn't "move spams" to any folders, it just marks them up. You have some other filtering mechanism doing that, and that's where the problem is.

On Thu, 10 Feb 2005, Tony Yat-Tung Cheung wrote:

> Hi,
>
> I have configured spamassassin to filter my mails and move the spams to
> a mail folder. It works fine for a while (e.g. several weeks) and then
> it would start forwarding all mails, include those marked as SPAM and
> not marked as SPAM, to the mail folder.
>
> Once, the problem arises, I found that deleting the following two files
> will solve the problem,
>
> ~/.spamassassin/bayes_seen
> ~/.spamassassin/bayes_token
>
> What is the possible problem? Any suggestion on how I can prevent this
> problem?
>
> I am using spamassassin 3.01 on Red Hat Linux 9.0.
>
> Thank you.
>
> Tony Cheung
>
>

James Smallacombe
PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED]
http://3.am
Problems with spamassassin suddenly forward all mails as SPAM
Hi,

I have configured spamassassin to filter my mails and move the spams to a mail folder. It works fine for a while (e.g. several weeks) and then it would start forwarding all mails, include those marked as SPAM and not marked as SPAM, to the mail folder.

Once, the problem arises, I found that deleting the following two files will solve the problem,

~/.spamassassin/bayes_seen
~/.spamassassin/bayes_token

What is the possible problem? Any suggestion on how I can prevent this problem?

I am using spamassassin 3.01 on Red Hat Linux 9.0.

Thank you.

Tony Cheung
Re: [OT] GPG Keysigning at Linux World
On Wed, Feb 09, 2005 at 05:23:46PM -0500, Chris Santerre wrote:
> >From: Rod Begbie [mailto:[EMAIL PROTECTED]
> >If anyone's going to be at Boston Linux World next week, there's going
> >to be a GPG keysigning party on Tuesday evening. Details are at
> >http://www.biglumber.com/x/web?ev=68156. Add your key to the keyring
> >in advance, show up, and enjoy being a part of the Web of Trust.
> >
> >(And if any SA folks are going to be around and fancy going for a
> >pint, let me know!)
>
> Carp! I forgot it was next week. I'll have to see if I can make it.
>
> I never knew how geeky geeks could get, until I saw people checking licenses
> to exchange keys. :) I learned I have much more to learn until I truly
> become a jedi geek!

You need to be absolutely sure someone is who they say they are. I'd probably be lynched if I signed someone's key without checking a government issued ID. (Hence, why I have signed very few keys.)

--
Duncan Findlay
RE: DCC implementation questions
When I run spamassassin in debug, I get

debug: config: read file /etc/mail/spamassassin/local.cf
debug: DCCifd is not available: no r/w dccifd socket found.

In that spamassassin config file I have (I tried without this entry and get same thing):

dcc_dccifd_path /var/dcc

In the /var/dcc I have:

srw-rw-rw- 1 root root 0 Feb 9 18:01 dccifd

And in my process list I have:

root 7189 1 0 18:01 ? 00:00:00 ./dccifd

What am I doing wrong? Any help is greatly appreciated.

Jason

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 2:32 PM
To: Matias Lopez Bergero; users@spamassassin.apache.org
Subject: Re: DCC implementation questions

At 04:12 PM 2/9/2005, Matias Lopez Bergero wrote:
>It's dccm a better implementation rater than dccproc for those who are
>using Sendmail? And if this is yes, how do I need to configure SA to work
>with dccm? I couldn't find anything about dccm and SA.

You can't configure SA to use dccm, because dccm is a milter, and is intended to be called directly by sendmail, not by another milter such as milter-spamc.

However, SA does support two interfaces to dcc. If dccifd is running and the socket is available, SA will use that. This is the faster method, but it only gets used if dccifd is running. Otherwise, SA will spawn dccproc, slower.

There's no extra configuration to SA needed at all, SA automatically detects the presence of either tool and uses the fastest one. All you need to do is start dccifd and SA will find it.

If you want to check what method SA is using, run spamassassin --lint -D.