Re: Spammer Anti-SURBL tactic
> Loren, which ruleset are you referring to in this case?

Sorry, don't know. I would guess one of the html files though.

Hum, maybe I lied. I just went looking and didn't find it. I just resubmitted it to test. Maybe I skipped over it before.

Loren

Anyone have a rule to catch Mailer Daemon bounces to Forged Sender Address
I have been seeing hundreds of "Postmaster" messages a day that are bounced to bogus sender addresses in my domain. There has been a trickle of them coming in for a long time, but lately the volume has skyrocketed.

I am running Mimedefang 2.37 and Spamassassin 2.63 (ya I know I should upgrade but have been buried in more pressing issues).

I'd like to develop a rule that would weed out these bounces (perhaps by analyzing the "Received headers" to determine that the original message came from elsewhere), and was wondering if anyone had already done such a thing.

The real problem is that I receive the "Postmaster" messages, and feel that they should be reviewed, but with the volume so high they all tend to be ignored/deleted.

Thank you,
--
Larry G. Starr - Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347 FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor racing, all the rest are merely games! - Ernest Hemingway

Re: Spammed to death
On Tue, 22 Feb 2005, Nate wrote:

> Hello,
>
> I'm using spamassassin 2.64 on Debian Woody.
>
> My clients emails are getting clobbered by "Pharma" spam. The messages seem
> to be using different encoding on words like Viagra, Cialis and sa is not
> picking them up.
[snip..]
> Here is the typical email I get from these morons. Notice the missing
> letters "Vicodin", "Viagra", "Xanax", and "Cialis". In my email client
> Microsoft Outlook displays all the letters. However, if I copy and paste
> the message into a text editor the letters disappear.

Finally found one of these critters in my spamtraps. Actually the letters aren't missing, just shifted around. They're using HTML tables to take letters from different parts of the message and reposition them on the screen to align when viewed with a HTML table rendering capable client.

EG, in your example:

Vi in
cod

Take the 'cod' and slide it up, then you see the 'vicodin'. View the raw message source HTML to see how they do that. The SA anti-drug rulesets won't do much for that as the pieces are too broken up.

> How do I kill these messages? I've tried sa-learn spam on several messages,
> but they still keep coming through with almost no spam points. Please help
> I am so sick of this!
>

Here, I've found that Bayes+SURBL+DNSBL tests are the best tools to catch this kind of junk. If you see one arrive without any SURBL hits, feed it to spamcop, they should be listed in sc.surbl.org.

If you don't have SURBL added to your 2.64 kit, run, don't walk to:
http://sourceforge.net/projects/spamcopuri
Install SpamCopURI, you'll be amazed at what you suddenly start missing. ;)

> "From: Esaias Billings [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 21, 2005 11:04 PM
> To: Xzavier Rivera
> Subject: Re: Best Mediccations
>
>
>
> Hello, Welcome to the best ONLINE ST0RE.
>
> Vi in $178(90p.) a a $209(100p.) ana al
> cod Vi gr X x $299(90p.) Ci is $324(90p.)
>
[snip..]
>

--
Dave Funk University of Iowa
College of Engineering 319/335-5751 FAX: 319/384-0549
1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{

Re: SQL user preferences and Mimedefang
At 05:29 PM 2/22/2005, Arie Kachler wrote:
> Can SQL user preferences be accomplished with a milter like Mimedefang? I don't see the option in the SA documentation. The only way, apparently, to use SQL user prefs is with spamd, which is not used with Mimedefang or other milters. Is there a way around this?

Most milters use spamd, so this isn't an issue for "other milters".. it's mostly a mimedefang, mailscanner, and other perl based tool issue.

Mimedefang, or any other tool that uses SA direct perl API, can theoretically make use of SQL, but it requires code changes. The way the API is laid out, the choice about which config source to use is left up to the caller of the API.

If Mimedefang were to call load_scoreonly_sql() on the Mail::SpamAssassin object, then the SQL configuration would be used. Otherwise, it's not going to be used.

The fundamental crux is there are no config options that actually enable SQL. That's done with command-line parameters to spamd, which causes spamd to call the above load function. The config options only specify what to do with SQL once it's turned on.

SQL user preferences and Mimedefang
Hello,

Can SQL user preferences be accomplished with a milter like Mimedefang? I don't see the option in the SA documentation. The only way, apparently, to use SQL user prefs is with spamd, which is not used with Mimedefang or other milters. Is there a way around this?

Any help will be greatly appreciated.

Arie Kachler

RE: ENC: Wet 30 to 40 girls hrony and wants you
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>
> Joe Kletch wrote:
> >> header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k|c(?:|oc|co)k/i
> >>
> >> Unfortunately I don't understand regexp, any suggestions for
> >> fixing this? If I remove the lint test report is good.
> >>
> >
> > Through trial and error I found that removing the third '('
> > made lint happy. I hope I didn't change the intent of the rule:
> > This works:
> > header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k|c?:|oc|co)k/i
>
> You did change the intent of the rule
>
> I'm having trouble reconstructing the original intent, though...
> header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k)|c(?:|oc|co)k/i
> or
> header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k|c(?:|oc|co)k)/i

I think it is more likely to be this:

header __PORN_WORD12 Subject =~/d(?:ic|ci)k|c(?:oc|co)k/i

It will match manglings of either word. I don't see any value in the extra grouping around the whole pattern. Also, the other example you provided in your original email did not have them. I also took out the blank option in the second half of the pattern. I don't think you really want a match for just "ck".

I'm wondering about false matches. Without any word boundaries, this rule will produce some false matches. In particular, words like "cockatoo" and "dickson" will match this rule. This may be taken care of elsewhere in the ruleset, though.

Bowie

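The rule bodies proposed in this thread, compiled and run over a few subjects, as an added example that is not code from any poster. Python's `re` stands in for Perl's regex engine (the two agree on these constructs); the `bounded` variant with `\b` anchors and every Subject line are assumptions constructed for the comparison.

```python
import re

# Rule bodies quoted in the thread; "bounded" is an added variant (assumption).
CANDIDATES = {
    "as_posted": r"(?:d(?:ic|ci)k|c(?:|oc|co)k",    # unbalanced, what --lint rejected
    "joe_fix":   r"(?:d(?:ic|ci)k|c?:|oc|co)k",     # third '(' removed by trial and error
    "matthew_2": r"(?:d(?:ic|ci)k|c(?:|oc|co)k)",   # balanced, keeps the empty alternative
    "bowie":     r"d(?:ic|ci)k|c(?:oc|co)k",        # empty alternative dropped
    "bounded":   r"\b(?:d(?:ic|ci)k|c(?:oc|co)k)\b",  # assumption: word boundaries added
}

# Constructed Subject lines: two mangled spam subjects, then ordinary mail.
SUBJECTS = [
    "Fw: big dcik for you",
    "Re: ccok wanted",
    "Cockatoo rescue newsletter",
    "Invoice from Dickson Ltd",
    "Rock climbing at 5 o'clock",
    "Package tracking update",
    "Quarterly budget review",
]


def lint(pattern):
    """Return None if the pattern compiles, else the engine's error text."""
    try:
        re.compile(pattern, re.IGNORECASE)
    except re.error as exc:
        return str(exc)
    return None


def hits(pattern, subjects=SUBJECTS):
    """Subjects the rule would fire on (unanchored search, like a header rule)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [s for s in subjects if rx.search(s)]


def report():
    """Map each candidate to its lint error or to the subjects it matches."""
    out = {}
    for name, pattern in CANDIDATES.items():
        err = lint(pattern)
        out[name] = "lint error: " + err if err else hits(pattern)
    return out


if __name__ == "__main__":
    for name, result in report().items():
        print(name, "->", result)
```

The trial-and-error fix compiles but now matches any "ock" or "cok" followed by nothing else, so it fires on "Rock climbing" and misses the first mangled subject; the empty alternative makes the rule fire on any "ck".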
Re: -L switch on spamd
At 03:24 PM 2/22/2005, Terry Poperszky wrote:
> What exactly am I losing when I use the -L switch on spamd?

That disables two groups of tests:

1) Anything DNS based: RBLs, URIBLs, MX checks, SPF
2) Any other network add-ons you may have installed: razor, dcc, pyzor

-L switch on spamd
What exactly am I losing when I use the -L switch on spamd? Terry Poperszky
RE: ENC: Wet 30 to 40 girls hrony and wants you
Joe Kletch wrote:
>> header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k|c(?:|oc|co)k/i
>>
>> Unfortunately I don't understand regexp, any suggestions for fixing
>> this? If I remove the lint test report is good.
>>
>
> Through trial and error I found that removing the third '(' made lint
> happy. I hope I didn't change the intent of the rule:
> This works:
> header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k|c?:|oc|co)k/i

You did change the intent of the rule

I'm having trouble reconstructing the original intent, though...

header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k)|c(?:|oc|co)k/i
or
header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k|c(?:|oc|co)k)/i

spring to mind

Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"

Re: ENC: Wet 30 to 40 girls hrony and wants you
On Feb 22, 2005, at 1:49 PM, Joe Kletch wrote:

> Thanks Evan. I joined the lines and now spamassassin -D --lint is almost happy. I get this error:
>
> Failed to run header SpamAssassin tests, skipping some: Unmatched ( in regex; marked by <-- HERE in m/( <-- HERE ?:d(?:ic|ci)k|c(?:|oc|co)k/ at /usr/local/etc/mail/spamassassin/porn.cf, rule __PORN_WORD12, line 1.
>
> On this entry:
> header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k|c(?:|oc|co)k/i
>
> Unfortunately I don't understand regexp, any suggestions for fixing this? If I remove the lint test report is good.

Through trial and error I found that removing the third '(' made lint happy. I hope I didn't change the intent of the rule:

This works:
header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k|c?:|oc|co)k/i

Re: ENC: Wet 30 to 40 girls hrony and wants you
On Feb 22, 2005, at 1:38 PM, Evan Platt wrote:

> At 11:30 AM 2/22/2005, you wrote:
>> I'd like to try these rules as below--but suspect line breaks from the email may be a problem. Can you point me to a file to download or attach a text doc?
>>
>> Thanks and glad I finally joined this list. Been using SA for a couple years now and now have had to get serious about using it well.
>>
>> Joe Kletch
>
> Line breaks shouldn't be an issue - each rule needs to be on one line, so for example
>
> header __PORN_WORD06 Subject =~/f(?:
> ucke|ucek|ukce|ukec|ueck|uekc|cuek|cuke|ckue|ckeu|ceku|ceuk|kuce|
> kuec|kcue|kceu|kecu|keuc|euck|eukc|ecuk|ecku|ekcu|ekuc)d/i
>
> probably appears as 3 lines, but needs to be one.

Thanks Evan. I joined the lines and now spamassassin -D --lint is almost happy. I get this error:

Failed to run header SpamAssassin tests, skipping some: Unmatched ( in regex; marked by <-- HERE in m/( <-- HERE ?:d(?:ic|ci)k|c(?:|oc|co)k/ at /usr/local/etc/mail/spamassassin/porn.cf, rule __PORN_WORD12, line 1.

On this entry:
header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k|c(?:|oc|co)k/i

Unfortunately I don't understand regexp, any suggestions for fixing this? If I remove the lint test report is good.

Joe Kletch

RE: ENC: Wet 30 to 40 girls hrony and wants you
So what's so attractive about "Stupid girls bowling", anyway? Well, OK, I guess there's more than one way to unscramble "bolwing"... but why "stupid"?
Request for Assistance INSTALL UPGRADES to Exim and SA
Hello:

I've attempted to follow instructions here to upgrade my Exim 3.x and SA 2.6 installation to the current revs of each. So far no luck on the SA at all, and I have not had much success with Exim either.

What I'm looking for at this point is someone who would be willing to do the process for me or lead me through this as I need to get the upgrade done sooner than later as the spam is getting deep.

I cannot afford to pay much for assistance as the sites and e-mails I host are non-profit (ie I donate the server and my time from home) in the form of a church and the local humane society/shelter.

Is there anyone out there willing to take this on?

Thank you,
===[George R. Kasica]===
+1 262 677 0766
[EMAIL PROTECTED]
+1 206 374 6482 FAX
http://www.netwrx1.com/georgek
Jackson, WI USA
[EMAIL PROTECTED]
ICQ #12862186

Re: ENC: Wet 30 to 40 girls hrony and wants you
At 11:30 AM 2/22/2005, you wrote:
> I'd like to try these rules as below--but suspect line breaks from the email may be a problem. Can you point me to a file to download or attach a text doc?
>
> Thanks and glad I finally joined this list. Been using SA for a couple years now and now have had to get serious about using it well.
>
> Joe Kletch

Line breaks shouldn't be an issue - each rule needs to be on one line, so for example

header __PORN_WORD06 Subject =~/f(?:
ucke|ucek|ukce|ukec|ueck|uekc|cuek|cuke|ckue|ckeu|ceku|ceuk|kuce|
kuec|kcue|kceu|kecu|keuc|euck|eukc|ecuk|ecku|ekcu|ekuc)d/i

probably appears as 3 lines, but needs to be one.

Also, just a friendly suggestion, and not picking on you, but please trim irrelevant text from your reply. As an example, your reply had 5 levels deep of "from's". There's no reason to quote that far back in a thread:

Thanks and hope this helps! :)

Evan

>On Feb 21, 2005, at 8:09 AM, Gray, Richard wrote:
-Original Message-
From: Pierre Thomson [mailto:[EMAIL PROTECTED]
Sent: 21 February 2005 13:59
To: Gray, Richard
Cc: users@spamassassin.apache.org
Subject: RE: ENC: Wet 30 to 40 girls hrony and wants you
-Original Message-
From: Gray, Richard [mailto:[EMAIL PROTECTED]
Sent: Monday, February 21, 2005 8:28 AM
To: Jeff Chan; Daniel A. de Araujo
Cc: users@spamassassin.apache.org
Subject: RE: ENC: Wet 30 to 40 girls hrony and wants you
-Original Message-
From: Jeff Chan [mailto:[EMAIL PROTECTED]
Sent: 21 February 2005 13:02
To: Daniel A. de Araujo
Cc: users@spamassassin.apache.org
Subject: Re: ENC: Wet 30 to 40 girls hrony and wants you
-Mensagem original-
De: Sweetest S.
Transfusion [mailto:[EMAIL PROTECTED]
Enviada em: domingo, 20 de fevereiro de 2005 00:06
Para: Angelac
Assunto: Fw: Wet 30 to 40 girls hrony and wants you

Re: Newbie question - how to enable nework tests with spamd
At 02:30 PM 2/22/2005, Jim Willsher wrote:
> But SA doesn't seem to be checking the RBLs. I've looked at the page at
> http://wiki.apache.org/spamassassin/UsingNetworkTests
> But my /etc/rc.d/init.d/spamassassin file doesn't contain the -L or --local entries anywhere

Do you have Net::DNS installed?

try running spamassassin --lint -D and see what SA has to say about DNS availability.

SLOX upgrade to spamassassin 3
Hi, I have a Suse Linux Open Exchange 4.0 running SA version 2.64. Has anyone upgraded the SA on SLOX to version 3? Thx, Cip
Re: ENC: Wet 30 to 40 girls hrony and wants you
I'd like to try these rules as below--but suspect line breaks from the email may be a problem. Can you point me to a file to download or attach a text doc?

Thanks and glad I finally joined this list. Been using SA for a couple years now and now have had to get serious about using it well.

Joe Kletch

On Feb 21, 2005, at 8:09 AM, Gray, Richard wrote:

Try these on for size:

header __PORN_WORD01 Subject =~/n(?:ex|xe)t door/i
header __PORN_WORD02 Subject =~/puss(?:y|ies)/i
header __PORN_WORD04 Subject =~/(?:needs|for) m(?:one|oen|neo|noe|eno|eon)y/i
header __PORN_WORD05 Subject =~/h(?:orn|onr|nro|nor|ron|rno)y/i
header __PORN_WORD06 Subject =~/f(?: ucke|ucek|ukce|ukec|ueck|uekc|cuek|cuke|ckue|ckeu|ceku|ceuk|kuce| kuec|kcue|kceu|kecu|keuc|euck|eukc|ecuk|ecku|ekcu|ekuc)d/i
header PORN_WORD08 Subject =~/\bMILF\b/i
header PORN_WORD09 Subject =~/w(?:hor|hro|roh|rho|ohr|orh)e/i
header PORN_WORD20 Subject =~/w(?: hore|hoer|hroe|hreo|heor|hero|ohre|oher|orhe|oreh|oerh|oehr|rhoe| rhep|roeh|rohe|reho|reoh|ehro|ehor|eorh|eohr|erho|eroh)s/i
header PORN_WORD10 Subject =~/(?:hstoett|o(?: the|teh|het|hte|eht|eth)r|stpuid|stupid|disgusting|shy |married|brand new|dirty|average|amateur|amatuer|amtauer|real|beautiful|hot|sexy|sxey| n (?:ast|ats|tas|tsa|sta|sat)y|wet|cute).{1,3}(?:(?:step|grand)?[ \-_]?(?:mo|om)ms?|house[ \-_]?wi[fvr]es?|(?:cow)?girls?|moms?|w(?: om[ae]|o[ae]m|[ae]om|[ae]mo|m[a e]o|mo[ae])n|neigbhour|neighbour|neighbuor|(?:teen|tnee)(?: ager|agre|arg e)?s?|s(?:lu|ul)ts?|bitehcs|bitches)/i
header __PORN_WORD11 Subject =~/\bcum(?:shot)?\b/i
header __PORN_WORD12 Subject =~/(?:d(?:ic|ci)k|c(?:|oc|co)k/i
header __PORN_WORD13 Subject =~/fucking/i
header __PORN_WORD14 Subject =~/up[ \-_]c(?:los|lso|sol|slo|ols|osl)e/i
header __PORN_WORD15 Subject =~/snatch/i
header __PORN_WORD16 Subject =~/(?:pervert|peervrt|prevert|perevrt)/i

The hidden ones I tend to count the sum of and add a score based on how many they hit (1, 2, or 3). I don't think any have hit all 3 :)

Tune them and play with them all you need. Even better would be to feed back to me the changes you make :)

I haven't updated these for today (and I have new examples)

The domains listed in these messages frequently change, so we get a burst of them that make it past the SURBL every few days. (usually weekends, we've noticed a very clear peak in spam coming at the weekends)

R

-Original Message-
From: Pierre Thomson [mailto:[EMAIL PROTECTED]
Sent: 21 February 2005 13:59
To: Gray, Richard
Cc: users@spamassassin.apache.org
Subject: RE: ENC: Wet 30 to 40 girls hrony and wants you

I made a few custom rules looking for intentional misspellings of certain subject words. We use Bayes, so of course the misspellings are soon recognized that way too.

The rules I made are based on the observation that the first and last letters of these obfuscated words are left alone to make them understandable. So a 5-letter word will have 6 possible variations, of which 5 are misspellings. Since these misspellings are highly unlikely to occur in ham, you can score them pretty high. So for this word you could use:

header PT_SPELL1 Subject =~ /\bh(ron|onr|nro|nor|rno)y\b/i

Of course 6-letter and longer words have more possible misspellings, so you can't extend this method too far! Other misspelled subject words I see in today's quarantine include "pretty", "lovely", and "mother".

Good luck

Pierre Thomson
BIC

-Original Message-
From: Gray, Richard [mailto:[EMAIL PROTECTED]
Sent: Monday, February 21, 2005 8:28 AM
To: Jeff Chan; Daniel A. de Araujo
Cc: users@spamassassin.apache.org
Subject: RE: ENC: Wet 30 to 40 girls hrony and wants you

I have this same SPAM regularly occurring in our network, and frequently the domain has yet to be listed in the SURBL lists. I have yet to find another effective way of catching this other than writing a long list of rules to match the varying subject lines

-Original Message-
From: Jeff Chan [mailto:[EMAIL PROTECTED]
Sent: 21 February 2005 13:02
To: Daniel A. de Araujo
Cc: users@spamassassin.apache.org
Subject: Re: ENC: Wet 30 to 40 girls hrony and wants you

On Monday, February 21, 2005, 4:45:38 AM, Daniel Araujo wrote:

Hi, guys.

We are receiving a lot of these kinds of spams below. I couldn't discover a way to block them because there are a lot of types and combinations.

Is someone having the same problem? Any ideas to block it?

-Mensagem original-
De: Sweetest S. Transfusion [mailto:[EMAIL PROTECTED]
Enviada em: domingo, 20 de fevereiro de 2005 00:06
Para: Angelac
Assunto: Fw: Wet 30 to 40 girls hrony and wants you

Buenos tardes! Bandagi

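Pierre Thomson's method quoted above (first and last letters fixed, interior letters shuffled), written out as a rule generator; this is an added example, not code from any poster. It goes beyond the one word in his message: repeated interior letters are de-duplicated, a size guard reflects his point about longer words, and a hand-typed alternation can be audited against the full permutation set. The function names and the `max_variants` limit are assumptions.

```python
import re
from itertools import permutations


def interior_misspellings(word):
    """Distinct shuffles of the interior letters, correct spelling excluded."""
    word = word.lower()
    if not 4 <= len(word) <= 9:
        raise ValueError("word must have 2 to 7 interior letters")
    middle = word[1:-1]
    variants = {"".join(p) for p in permutations(middle)}  # set drops repeats
    variants.discard(middle)
    return sorted(variants)


def spell_rule(name, word, max_variants=119):
    """Build a SpamAssassin header rule in the style of PT_SPELL1."""
    middles = interior_misspellings(word)
    if not middles:
        raise ValueError("interior letters are identical, nothing to shuffle")
    if len(middles) > max_variants:
        raise ValueError("%d alternatives is too many for one rule" % len(middles))
    word = word.lower()
    # Non-capturing group; the posted rule used a capturing one, same matches.
    return "header %s Subject =~ /\\b%s(?:%s)%s\\b/i" % (
        name, re.escape(word[0]), "|".join(middles), re.escape(word[-1]))


def subject_matches(word, subject):
    """Apply the generated pattern to one Subject line."""
    word = word.lower()
    body = "|".join(interior_misspellings(word))
    rx = re.compile(r"\b%s(?:%s)%s\b" % (re.escape(word[0]), body,
                                         re.escape(word[-1])), re.IGNORECASE)
    return rx.search(subject) is not None


def audit_interiors(correct_middle, listed):
    """Compare a hand-typed alternation with every permutation.

    Returns (missing, unexpected) as sorted lists.
    """
    expected = {"".join(p) for p in permutations(correct_middle)}
    listed = set(listed)
    return sorted(expected - listed), sorted(listed - expected)


# Alternation copied from the PORN_WORD20 rule quoted above (correct
# spelling included there, so it is audited against all 24 permutations).
POSTED_W_S = ("hore|hoer|hroe|hreo|heor|hero|ohre|oher|orhe|oreh|oerh|oehr|"
              "rhoe|rhep|roeh|rohe|reho|reoh|ehro|ehor|eorh|eohr|erho|eroh"
              ).split("|")

if __name__ == "__main__":
    print(spell_rule("PT_SPELL1", "horny"))
    for w in ("pretty", "lovely", "mother"):
        print(w, len(interior_misspellings(w)), "misspellings")
    print("audit:", audit_interiors("hore", POSTED_W_S))
```

The audit reports one alternative in the posted 24-entry list that is not a permutation of the interior letters and one permutation that is absent, the kind of slip that hand-typing these lists invites.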
Newbie question - how to enable nework tests with spamd
Hi all,

SA 3.0.2 on CentOs 3.3, running Sendmail and procmail.

I'm getting lots of emails getting past SpamAssassin from senders who are on the various blacklists. I know this, because when I get similar messages on a webmail account with another ISP I see:

X-RBL-Warning: 218.64.141.207 is listed at cbl.abuseat.org - Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=218.64.141.207

But SA doesn't seem to be checking the RBLs. I've looked at the page at
http://wiki.apache.org/spamassassin/UsingNetworkTests
But my /etc/rc.d/init.d/spamassassin file doesn't contain the -L or --local entries anywhere.

What am I doing wrong?

Many thanks,
Jim

X-Spam headers not being added to *some* spam (amavisd-new, SA)
Howdy,

I'm having an issue which may be with SpamAssassin or may be with amavisd-new -- feel free to point me elsewhere if this isn't a SA problem.

I'm using:
FreeBSD 5-STABLE from 20050213
Relevant ports:
perl-5.8.6_2
amavisd-new-2.2.1_1,1
p5-Mail-SpamAssassin-3.0.2_1
postfix-2.1.5_1,1

Generally speaking, things are all working well, except that just this week some messages are identified as spam by amavisd-new but don't have X-Spam headers when they're finally delivered. I've turned on headers for mail with a score over -999, so all mail should have it. All mail does have the X-Virus-Scanned header.

Here's an example from a non-spam message:
=
maillog:
Feb 22 14:08:32 mailbox amavis[93565]: (93565-01-10) Passed CLEAN, [205.207.28.76] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, Hits: -5.899, 1587 ms
x-headers:
X-Virus-Scanned: by amavisd-new at mailbox.samurai.com
X-Spam-Status: No, hits=-5.899 tagged_above=-999 required=5 tests=ALL_TRUSTED, BAYES_00
X-Spam-Level:
=

Here's an example of a spam message which has proper headers:
=
maillog:
Feb 22 14:03:25 mailbox amavis[93565]: (93565-01) Passed SPAM, [64.236.24.28] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, Hits: 9.983, 1934 ms
x-headers:
X-Virus-Scanned: by amavisd-new at mailbox.samurai.com
X-Spam-Status: Yes, hits=9.983 tagged_above=-999 required=5 tests=BAYES_99, RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_DSBL, RCVD_IN_XBL
X-Spam-Level: *
X-Spam-Flag: YES
=

And here's an example of a spam message with no headers:
=
maillog:
Feb 22 13:50:04 mailbox amavis[40756]: (40756-02-8) Passed SPAM, [68.114.69.46] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, Hits: 27.676, 3858 ms
x-headers:
X-Virus-Scanned: by amavisd-new at mailbox.samurai.com
=

I did upgrade to perl 5.8.6_2 and SA 3.02_1 (FreeBSD port versions) in the past couple of days.

Any ideas where I should look to debug this? Any additional details you'd like me to post?

Thanks,
Bryan

Re: SA 3.01 eventually stops noticing DNSBLs
Kelson <[EMAIL PROTECTED]> wrote on 02/22/2005 11:30:46 AM:

> Jay Levitt wrote:
> > I have SA 3.01 running under mimedefang 2.43 with sendmail 8.13.1. At
> > some point, SA seems to stop doing lookups on the DNSBLs; spam gets
> > through that is listed in multiple BLs; if I check manually with
> > spamassassin -t, it detects the BL entry, even if I run it moments after
> > the spam was received.
> > I don't see anything obvious in the logs. What can I do to troubleshoot
> > this?
>
> Make sure MIMEDefang hasn't created a new /etc/mail/sa-mimedefang.cf on
> an upgrade.
>
> That happened to my server a while back -- We were just using
> /etc/mail/spamassassin/local.cf, and upgraded MD, and MD saw there was
> no sa-mimedefang.cf, so it created it with the defaults -- and the
> defaults disable DNSBLs.
>
> --
> Kelson Vibber
> SpeedGate Communications

Could this be the same problem as the discussion in the "Spammer Anti-SURBL tactic" thread?

Andy

Re: SA 3.01 eventually stops noticing DNSBLs
Jay Levitt wrote:
> I have SA 3.01 running under mimedefang 2.43 with sendmail 8.13.1. At some point, SA seems to stop doing lookups on the DNSBLs; spam gets through that is listed in multiple BLs; if I check manually with spamassassin -t, it detects the BL entry, even if I run it moments after the spam was received.
> I don't see anything obvious in the logs. What can I do to troubleshoot this?

Make sure MIMEDefang hasn't created a new /etc/mail/sa-mimedefang.cf on an upgrade.

That happened to my server a while back -- We were just using /etc/mail/spamassassin/local.cf, and upgraded MD, and MD saw there was no sa-mimedefang.cf, so it created it with the defaults -- and the defaults disable DNSBLs.

--
Kelson Vibber
SpeedGate Communications

Re: problem with razor
On Tue, Feb 22, 2005 at 02:27:27PM +0100, Milos Prudek wrote:
> I just installed spamassassin 3.0.2 and it works but always complains
> about razor2. Here's what it prints when I test spamassassin:

On Tue, Feb 22, 2005 at 05:47:04PM +0100, Milos Prudek wrote:
> > What version of razor2 do you have?
>
> perl-razor-agents 2.34

From the 3.x INSTALL doc:

To use Razor with SpamAssassin, you will need to be using v2.40 or higher. v2.61 or higher is recommended.

--
Randomly Generated Tagline:
"As a competitor, we might be better off if they shipped it." - Sun Microsystems's James Gosling on Windows NT 5.0

Re: Auto Whitelist
Yes it does exist I checked and I am running the command as root. Carinus
Re: problem with razor
> What version of razor2 do you have?

perl-razor-agents 2.34

SuSE 9.0

--
Milos Prudek
_
Most websites are confused chintzy gaudy conflicting tacky unpleasant... unusable. Learn how usable YOUR website is! http://www.spoxdesign.com

Re: Auto Whitelist
At 11:27 AM 2/22/2005, Carinus Carelse wrote:
> When I try to run the command I get the following error. Am I doing something wrong?
>
> bash-2.05# ./check_whitelist /var/spool/MailScanner/spamassassin/bayes/auto-whitelist
> Cannot open file /var/spool/MailScanner/spamassassin/bayes/auto-whitelist: No such file or directory

Does /var/spool/MailScanner/spamassassin/bayes/auto-whitelist exist?

The "No such file or directory" message would imply a nonexistent file or a typoed name.

Re: Spammed to death
At 10:58 AM 2/22/2005, Marc Perkel wrote:
> First I would recommend you upgrade to Spam Assassin 3.x - It's much better.

Good point Marc, that's a better solution in general. I do recommend that over my previous advice of just adding antidrug.cf.

However, if they are stuck on 2.64 due to perl versions or some such thing, adding antidrug.cf and Mail::SpamCopURI covers a lot of the problem cases for 2.64.

Disclaimer: I'm the author of antidrug.cf, bias for the tools I made is obvious (I forgot to add that to my first message)

Re: Spammed to death
At 10:34 AM 2/22/2005, Nate wrote:
> I'm using spamassassin 2.64 on Debian Woody.
>
> My clients emails are getting clobbered by "Pharma" spam. The messages seem to be using different encoding on words like Viagra, Cialis and sa is not picking them up.

Looks like a job for antidrug.cf:

http://mywebpages.comcast.net/mkettler/sa/antidrug.cf

(note: these rules are now built into SA 3.0 and higher, but I created them as an add-on before 3.0 came out and they work well with SA 2.64)

Just download the file (I recommend downloading, copy-paste is too prone to error) and put it in /etc/mail/spamassassin alongside your local.cf. SA automatically parses *.cf in that directory so you don't need to add any options to enable it.

Run spamassassin --lint to make sure SA understands the new files and restart spamd (if you use spamd)

Re: More Info: Spam suddenly getting through
Paul Crittenden wrote on Tue, 22 Feb 2005 10:12:52 -0600:

> I ran spamassassin --lint -D and am attaching the output.
> Does this help
>

No, looks fine. Run a *message* which you think should have been detected as spam thru sa -D and look at the outcome. (And please stay in thread instead of sending several new messages.)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

Re: Auto Whitelist
When I try to run the command I get the following error. Am I doing something wrong?

bash-2.05# ./check_whitelist /var/spool/MailScanner/spamassassin/bayes/auto-whitelist
Cannot open file /var/spool/MailScanner/spamassassin/bayes/auto-whitelist: No such file or directory

More Info: Spam suddenly getting through
Good morning,

I am running SA 3.0.2 and have been running SpamAssassin for about a year now. Things were working great until this weekend. For some reason over the weekend spam that had been getting caught is now getting through and not marked as spam. It doesn't seem to matter what the subject of the spam is. I made no changes to anything from Friday to Monday. I hoped that doing some more training yesterday would help but it hasn't seemed to. Any ideas and help would be appreciated.

I just thought that over the weekend I had a disk controller fail but it failed over to a backup. However, I wonder if my bayes DB got messed up somehow by this.

I ran spamassassin --lint -D and am attaching the output. Does this help and could I be correct?

Paul Crittenden
Computer System Manager
Simpson College
email: [EMAIL PROTECTED]
Phone: (515)961-1680

"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety." - Benjamin Franklin

RE: Spammed to death
Nate,

I'm sure there are some good SARE rules for this. Go to http://www.rulesemporium.com for some good custom made rules. I know there is antidrug.cf which contains many Pharm phrases.

Kris

-Original Message-
From: Nate [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 22, 2005 9:35 AM
To: users@spamassassin.apache.org
Subject: Spammed to death

Hello,

I'm using spamassassin 2.64 on Debian Woody.

My clients emails are getting clobbered by "Pharma" spam. The messages seem to be using different encoding on words like Viagra, Cialis and sa is not picking them up.

I've tried setting up header and body tests, but the bastards at "Pharma" keep changing the words spellings.

Here is the typical email I get from these morons. Notice the missing letters "Vicodin", "Viagra", "Xanax", and "Cialis". In my email client Microsoft Outlook displays all the letters. However, if I copy and paste the message into a text editor the letters disappear.

How do I kill these messages? I've tried sa-learn spam on several messages, but they still keep coming through with almost no spam points. Please help I am so sick of this!

Thanks,
Nate

"From: Esaias Billings [mailto:[EMAIL PROTECTED]
Sent: Monday, February 21, 2005 11:04 PM
To: Xzavier Rivera
Subject: Re: Best Mediccations

Hello, Welcome to the best ONLINE ST0RE.

Vi in $178(90p.) a a $209(100p.) ana al
cod Vi gr X x $299(90p.) Ci is $324(90p.)

With each purchase you get:
>Home delivery.
>Secure pay.
>Total confidentiality
>Reputable manufacturerrs.

Have a nice day!"

Re: Spammer Anti-SURBL tactic
--On Tuesday, February 22, 2005 9:23 AM -0500 Cris Fuhrman <[EMAIL PROTECTED]> wrote:

> I've a hunch that "null" links, strange parsing, etc. will be handled correctly by the DOM parser for HTML, but I've never done any tests for lack of time. Java API could be called under linux, but IE's? Just an idea...

I'm sure the spammers could figure out how to get around that method, too. But the trick is, their HTML still has to show up correctly to the user for the spam to work. In some cases the spam depends on the user to correct flaws in the link, such as asking for text to be pasted with the white space removed.

Where users are concerned, common sense isn't. Common, that is.

Re: Spammed to death
"Nate" <[EMAIL PROTECTED]> wrote on 02/22/2005 09:34:51 AM: > Hello, > > I'm using spamassassin 2.64 on Debian Woody. > > My clients emails are getting clobbered by "Pharma" spam. The messages seem > to be using different encoding on words like Viagra, Cialis and sa is not > picking them up. > > I've tried setting up header and body tests, but the bastards at "Pharma" > keep changing the words spellings. > [snip] Head on over to http://www.rulesemporium.com and pick up the anti-drug ruleset. You may also want to consider an upgrade to 3.0.2. Andy
RE: Auto learning
Hi,

required_hits 7
report_safe 0
rewrite_header Subject [SPAM]
bayes_auto_learn 1
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 0
dns_available yes

I think I may have just sussed this. I just found a bayes db in /home/root/.spamassassin, whereas I have been testing things logged in as root and was looking at /root/.spamassassin. It is being updated! I was running things as root, so it was picking up a different database.

So now I have

-rw--- 1 spamd spamd 1.3M Feb 22 15:51 auto-whitelist
-rw--- 1 spamd spamd 3.6K Feb 22 15:51 bayes_journal
-rw--- 1 spamd spamd 652K Feb 22 15:51 bayes_seen
-rw--- 1 spamd spamd 5.3M Feb 22 15:51 bayes_toks

in my /home/spamd/.spamassassin folder.

If I run sa-learn -D --sync --dbpath /home/spamd/.spamassassin I still see

debug: bayes: 25894 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 25894 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200
debug: bayes: 25894 untie-ing
debug: bayes: 25894 untie-ing db_toks
debug: bayes: 25894 untie-ing db_seen
debug: Score set 0 chosen.
debug: Initialising learner
debug: Syncing Bayes and expiring old tokens...
debug: lock: 25894 created /home/spamd/.spamassassin/bayes.lock.localhost.localdomain.25894
debug: lock: 25894 trying to get lock on /home/spamd/.spamassassin/bayes with 0 retries
debug: lock: 25894 link to /home/spamd/.spamassassin/bayes.lock: link ok
debug: bayes: 25894 tie-ing to DB file R/W /home/spamd/.spamassassin/bayes_toks
debug: bayes: 25894 tie-ing to DB file R/W /home/spamd/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: refresh: 25894 refresh /home/spamd/.spamassassin/bayes.lock
debug: refresh: 25894 refresh /home/spamd/.spamassassin/bayes.lock
synced Bayes databases from journal in 3 seconds: 1545 unique entries (1940 total entries)
debug: refresh: 25894 refresh /home/spamd/.spamassassin/bayes.lock
debug: refresh: 25894 refresh /home/spamd/.spamassassin/bayes.lock
debug: Syncing complete.
debug: bayes: 25894 untie-ing
debug: bayes: 25894 untie-ing db_toks
debug: bayes: 25894 untie-ing db_seen
debug: bayes: files locked, now unlocking lock
debug: unlock: 25894 unlink /home/spamd/.spamassassin/bayes.lock

I don't understand that even though I specified the db path, it still has /root/./spamassassin mentioned as well. Does it try to use both databases? It seems to see both databases. I am seeing some bayes scoring now as well.

If I am using sa-learn, can I just add the --dbpath /home/spamd/.spamassassin option and it should update the correct db?

Thanks for all the help!

> -Original Message-
> From: Richard Ozer [mailto:[EMAIL PROTECTED]
> Sent: 22 February 2005 15:19
> To: Paul J. Smith
> Cc: users@spamassassin.apache.org
> Subject: Re: Auto learning
>
> Can you post your local.cf?
>
> Paul J. Smith wrote:
> > Still nothing. I set the owner on the bayes dbs to 'spamd' which is the user the process is running under. I also set og+rw. Left overnight, no change. Only 2 hams, despite the autolearn having picked loads of hams out of the feed with 'autolearn=spam/ham'. I've just deleted the databases with 'sa-learn --clear' then a 'sa-learn --sync' and reset the permissions again to spamd. Still nothing is getting added though and I can't see any error messages, even in debug mode.
> >
> > The output from sa-learn --sync -D is
> >
> > [EMAIL PROTECTED] .spamassassin]# sa-learn -D --sync
> > debug: SpamAssassin version 3.0.2
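A small checker for the situation in the message above, where the debug output opens the Bayes files read-only in one directory and read-write in another. This is an added example, not SpamAssassin code or anything posted in the thread; the function name and the trimmed sample (lines copied from the output quoted above) are assumptions made for illustration.

```python
import re

# "tie-ing to DB file <mode> <dir>/bayes_toks|bayes_seen" as printed by sa-learn -D.
# "untie-ing" lines do not match because they lack "to DB file".
TIE = re.compile(
    r"bayes: (\d+) tie-ing to DB file (R/O|R/W) (\S+)/bayes_(?:toks|seen)"
)
# "only N spam(s) in Bayes DB < M": Bayes is skipped until the spam count reaches M.
TOO_FEW = re.compile(r"only (\d+) spam\(s\) in Bayes DB < (\d+)")


def audit_bayes_paths(debug_text, expected_dir):
    """Summarise which directories the Bayes DB was opened in, per mode.

    Works on the log whether it is one line per entry or run together,
    because it searches the whole text rather than splitting on newlines.
    """
    read_only, read_write = [], []
    for _pid, mode, directory in TIE.findall(debug_text):
        bucket = read_only if mode == "R/O" else read_write
        if directory not in bucket:
            bucket.append(directory)

    findings = []
    for directory in read_only:
        if directory != expected_dir:
            findings.append(
                f"read-only open used {directory}, expected {expected_dir}"
            )
    for directory in read_write:
        if directory != expected_dir:
            findings.append(
                f"read-write open used {directory}, expected {expected_dir}"
            )
    few = TOO_FEW.search(debug_text)
    if few and int(few.group(1)) < int(few.group(2)):
        findings.append(
            f"Bayes not used for scanning: {few.group(1)} spam learned, "
            f"{few.group(2)} required"
        )
    return {"read_only": read_only, "read_write": read_write, "findings": findings}


# Sample input: a subset of the debug lines quoted in the message above.
SAMPLE_DEBUG = """\
debug: bayes: 25894 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
debug: bayes: 25894 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200
debug: bayes: 25894 untie-ing db_toks
debug: Initialising learner
debug: bayes: 25894 tie-ing to DB file R/W /home/spamd/.spamassassin/bayes_toks
debug: bayes: 25894 tie-ing to DB file R/W /home/spamd/.spamassassin/bayes_seen
"""

if __name__ == "__main__":
    report = audit_bayes_paths(SAMPLE_DEBUG, "/home/spamd/.spamassassin")
    for line in report["findings"]:
        print(line)
```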
Re: Spammed to death
First I would recommend you upgrade to Spam Assassin 3.x - It's much better. Nate wrote: Hello, I'm using spamassassin 2.64 on Debian Woody. My clients emails are getting clobbered by "Pharma" spam. The messages seem to be using different encoding on words like Viagra, Cialis and sa is not picking them up. I've tried setting up header and body tests, but the bastards at "Pharma" keep changing the words spellings. Here is the typical email I get from these morons. Notice the missing letters "Vicodin", "Viagra", "Xanax", and "Cialis". In my email client Microsoft Outlook displays all the letters. However, if I copy and paste the message into a text editor the letters disappear. How do I kill these messages? I've tried sa-learn spam on several messages, but they still keep coming through with almost no spam points. Please help I am so sick of this! Thanks, Nate "From: Esaias Billings [mailto:[EMAIL PROTECTED]] Sent: Monday, February 21, 2005 11:04 PM To: Xzavier Rivera Subject: Re: Best Mediccations Hello, Welcome to the best ONLINE ST0RE. Vi in $178(90p.) a a $209(100p.) ana al cod Vi gr X x $299(90p.) Ci is $324(90p.) With each purchase you get: Home delivery. Secure pay. Total confidentiality Reputable manufacturerrs. Have a nice day!" -- Marc Perkel - [EMAIL PROTECTED] Spam Filter: http://www.junkemailfilter.com My Blog: http://marc.perkel.com My Religion: http://www.churchofreality.org ~ "If it's real - we believe in it!" ~
Spammed to death
Hello, I'm using spamassassin 2.64 on Debian Woody. My clients emails are getting clobbered by "Pharma" spam. The messages seem to be using different encoding on words like Viagra, Cialis and sa is not picking them up. I've tried setting up header and body tests, but the bastards at "Pharma" keep changing the words spellings. Here is the typical email I get from these morons. Notice the missing letters "Vicodin", "Viagra", "Xanax", and "Cialis". In my email client Microsoft Outlook displays all the letters. However, if I copy and paste the message into a text editor the letters disappear. How do I kill these messages? I've tried sa-learn spam on several messages, but they still keep coming through with almost no spam points. Please help I am so sick of this! Thanks, Nate "From: Esaias Billings [mailto:[EMAIL PROTECTED] Sent: Monday, February 21, 2005 11:04 PM To: Xzavier Rivera Subject: Re: Best Mediccations Hello, Welcome to the best ONLINE ST0RE. Vi in $178(90p.) a a $209(100p.) ana al cod Vi gr X x $299(90p.) Ci is $324(90p.) With each purchase you get: >Home delivery. >Secure pay. >Total confidentiality >Reputable manufacturerrs. Have a nice day!"
Re: Auto Whitelist
At 10:31 AM 2/22/2005, Carinus Carelse wrote:
> How can see what is in the Auto-Whitelist

In the tools sub-directory of the SA tarball is a tool called "check-whitelist". This will dump your AWL contents, although you'll need to manually tell it what AWL db to dump. It's also got a --clean option which you can run to have it clean out all the "once only" entries from an AWL db.

> how can I selectively delete from there is it possible.

spamassassin --remove-addr-from-whitelist
Auto Whitelist
Hi all, How can see what is in the Auto-Whitelist and how can I selectively delete from there is it possible. Carinus
Re: problem with razor
At 08:27 AM 2/22/2005, Milos Prudek wrote:
> i just installed spamassassin 3.0.2 and it works but always complains about razor2.

What version of razor2 do you have?

> Here's what it prints when I test spamassassin:
> razor2 check skipped: Illegal seek Insecure dependency in connect while running setuid at /usr/lib/perl5/5.8.1/i586-linux-thread-multi/IO/Socket.pm line 114, line 105.
>
> What does this mean? Is spamassassin unable to connect to spamd?

No, it means SA runs in taint mode, and your current version of razor doesn't seem to be taint-safe. In theory all razor versions higher than 2.40 should be taint-safe.
RE: Auto learning
Thanks. I am running 'sa-learn' as root. But you've given me an idea. Maybe it's looking in home\spamd for them when running under that user and in /root/./spamassassin when I'm running as root? I've just specified the path to bayes in local.cf, so we'll see if that makes any difference.

From: Andy Jezierski [mailto:[EMAIL PROTECTED]
Sent: 22 February 2005 15:19
To: users@spamassassin.apache.org
Subject: RE: Auto learning

"Paul J. Smith" <[EMAIL PROTECTED]> wrote on 02/22/2005 01:41:28 AM:
> Still nothing. I set the owner on the bayes dbs to 'spamd' which is the user the process is running under. I also set og+rw. Left overnight, no change. Only 2 hams, despite the autolearn having picked loads of hams out of the feed with 'autolearn=spam/ham'. I've just deleted the databases with 'sa-learn --clear' then a 'sa-learn --sync' and reset the permissions again to spamd. Still nothing is getting added though and I can't see any error messages, even in debug mode.
>
> The output from sa-learn --sync -D is
>
> [EMAIL PROTECTED] .spamassassin]# sa-learn -D --sync
[snip]
> debug: bayes: 25498 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
> debug: bayes: 25498 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
> debug: bayes: found bayes db version 3
> debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200
[snip]
> Can anyone see anything wrong with this?
>
> I'm starting spamd with "-d -c -m5 -H -i 0.0.0.0 -A 192.168.0.0/24 -s local5"
>
> Can't understand how I got 2 hams in there in the first place!
>
> Thanks.

Are you sure you're using the correct bayes files? In the debug above, it shows the bayes files in /root/.spamassassin yet you say that you're running sa under the spamd userid. On my system, my bayes files for the spamd userid are in /home/spamd/.spamassassin. May want to check that.

Andy
RE: Auto learning
"Paul J. Smith" <[EMAIL PROTECTED]> wrote on 02/22/2005 01:41:28 AM:
> Still nothing. I set the owner on the bayes dbs to 'spamd' which is the user the process is running under. I also set og+rw. Left overnight, no change. Only 2 hams, despite the autolearn having picked loads of hams out of the feed with 'autolearn=spam/ham'. I've just deleted the databases with 'sa-learn --clear' then a 'sa-learn --sync' and reset the permissions again to spamd. Still nothing is getting added though and I can't see any error messages, even in debug mode.
>
> The output from sa-learn --sync -D is
>
> [EMAIL PROTECTED] .spamassassin]# sa-learn -D --sync
[snip]
> debug: bayes: 25498 tie-ing to DB file R/O /root/.spamassassin/bayes_toks
> debug: bayes: 25498 tie-ing to DB file R/O /root/.spamassassin/bayes_seen
> debug: bayes: found bayes db version 3
> debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200
[snip]
> Can anyone see anything wrong with this?
>
> I'm starting spamd with "-d -c -m5 -H -i 0.0.0.0 -A 192.168.0.0/24 -s local5"
>
> Can't understand how I got 2 hams in there in the first place!
>
> Thanks.

Are you sure you're using the correct bayes files? In the debug above, it shows the bayes files in /root/.spamassassin yet you say that you're running sa under the spamd userid. On my system, my bayes files for the spamd userid are in /home/spamd/.spamassassin. May want to check that.

Andy
Re: Auto learning
Can you post your local.cf? Paul J. Smith wrote: Still nothing. I set the owner on the bayes dbs to 'spamd' which is the user the process is running under. I also set og+rw. Left overnight, no change. Only 2 hams, despite the autolearn having picked loads of hams out of the feed with 'autolearn=spam/ham'. I've just deleted the databases with 'sa-learn --clear' then a 'sa-learn --sync' and reset the permissions again to spamd. Still nothing is getting added though and I can't see any error messages, even in debug mode. The output from sa-learn --sync -D is [EMAIL PROTECTED] .spamassassin]# sa-learn -D --sync debug: SpamAssassin version 3.0.2 debug: Score set 0 chosen. debug: running in taint mode? yes debug: Running in taint mode, removing unsafe env vars, and resetting PATH debug: PATH included '/usr/kerberos/sbin', keeping. debug: PATH included '/usr/kerberos/bin', keeping. debug: PATH included '/usr/local/sbin', keeping. debug: PATH included '/usr/local/bin', keeping. debug: PATH included '/sbin', keeping. debug: PATH included '/bin', keeping. debug: PATH included '/usr/sbin', keeping. debug: PATH included '/usr/bin', keeping. debug: PATH included '/usr/X11R6/bin', keeping. debug: PATH included '/root/bin', keeping.
debug: Final PATH set to: /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin debug: using "/etc/mail/spamassassin/init.pre" for site rules init.pre debug: config: read file /etc/mail/spamassassin/init.pre debug: using "/usr/share/spamassassin" for default rules dir debug: config: read file /usr/share/spamassassin/10_misc.cf debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf debug: config: read file /usr/share/spamassassin/20_body_tests.cf debug: config: read file /usr/share/spamassassin/20_compensate.cf debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf debug: config: read file /usr/share/spamassassin/20_drugs.cf debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf debug: config: read file /usr/share/spamassassin/20_head_tests.cf debug: config: read file /usr/share/spamassassin/20_html_tests.cf debug: config: read file /usr/share/spamassassin/20_meta_tests.cf debug: config: read file /usr/share/spamassassin/20_phrases.cf debug: config: read file /usr/share/spamassassin/20_porn.cf debug: config: read file /usr/share/spamassassin/20_ratware.cf debug: config: read file /usr/share/spamassassin/20_uri_tests.cf debug: config: read file /usr/share/spamassassin/23_bayes.cf debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf debug: config: read file /usr/share/spamassassin/25_hashcash.cf debug: config: read file /usr/share/spamassassin/25_spf.cf debug: config: read file /usr/share/spamassassin/25_uribl.cf debug: config: read file /usr/share/spamassassin/30_text_de.cf debug: config: read file /usr/share/spamassassin/30_text_fr.cf debug: config: read file /usr/share/spamassassin/30_text_nl.cf debug: config: read file /usr/share/spamassassin/30_text_pl.cf debug: config: read file /usr/share/spamassassin/50_scores.cf debug: config: read file /usr/share/spamassassin/60_whitelist.cf debug: using "/etc/mail/spamassassin" for site rules dir 
debug: config: read file /etc/mail/spamassassin/local.cf debug: using "/root/.spamassassin/user_prefs" for user prefs file debug: config: read file /root/.spamassassin/user_prefs debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8ee298c) debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9831bb8) debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x97fdbac) debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8ee298c) implements 'parse_config' debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9831bb8) implements 'parse_config' debug: bayes: 25498 tie-ing to DB file R/O /root/.spamassassin/bayes_toks debug: bayes: 25498 tie-ing to DB file R/O /root/.spamassassin/bayes_seen debug: bayes: found bayes db version 3 debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200 debug: bayes: 25498 untie-ing debug: bayes: 25498 untie-ing db_toks debug: bayes: 25498 untie-ing db_seen debug: Score set 0 chosen. debug: Initialising learner debug: Syncing Bayes and expiring old tokens... debug: lock: 25498 created /root/.spamassassin/bayes.lock.localhost.localdomain.25498 debug: lock: 25498 trying to get lock on /root/.spamassassin/bayes with 0 retries debug: lock: 25498 link to /root/.spamassassin/bayes.lock: link ok debug: bayes: 25498 tie-ing to DB file R/W /root/.spamassassin/bayes_toks debug: bayes: 25498 tie-ing to DB file R/W /root/.spamassassin/bayes_seen debug: bayes: found bayes db version 3 debug: refresh: 25498 refresh /root/.spamassassin/bay
Spam suddenly getting through
Good morning, I am running SA 3.0.2 and have been running SpamAssassin for about a year now. Things were working great until this weekend. For some reason over the weekend spam that had been getting caught is now getting through and not marked as spam. It doesn't seem to matter what the subject of the spam is. I made no changes to anything from Friday to Monday. I hoped that doing some more training yesterday would help but it hasn't seemed to. Any ideas and help would be appreciated. Paul Crittenden Computer System Manager Simpson College email: [EMAIL PROTECTED] Phone: (515)961-1680 "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety." - Benjamin Franklin
Re: Spammer Anti-SURBL tactic
On Tue, 22 Feb 2005 04:35:51 -0600 (CST), David B Funk <[EMAIL PROTECTED]> wrote:
> I'm seeing a new spam variant that is clearly designed to get past SURBL. It is an HTML message that contains many (50~100) 'invisible' links; links that have no target text, just: http://garbage.sitename.tld";>
>
> The intention is clear, they want to fill up the 20 'slots' of the spamcop_uri_limit with their junk links so the real "payload" URL can slip past unchecked. That's playing a statistical game, there's a 1 in 20 chance of the "payload" getting picked by the randomizer but that means that 95% slip by.
>
> To add insult to injury, they're tossing in random "\r" (ASCII-CR) characters into the "payload" hostname to try to break spamassassin's URI parsing.

Because of all these games that are played to break the parser, I discussed an idea a while back on the SpamCop newsgroups that looked at using Java (or some other API, maybe with Internet Explorer) to render a spam's HTML into a virtual page and then scan its Document Objects (post HTML parsing) one at a time for links. It's similar to what a user would "see" in a browser.

I've a hunch that "null" links, strange parsing, etc. will be handled correctly by the DOM parser for HTML, but I've never done any tests for lack of time. Java API could be called under linux, but IE's?

Just an idea... I'm sure the spammers could figure out how to get around that method, too. But the trick is, their HTML still has to show up correctly to the user for the spam to work.
Re: Spammer Anti-SURBL tactic
David B Funk wrote:
> I'm seeing a new spam variant that is clearly designed to get past SURBL. It is an HTML message that contains many (50~100) 'invisible' links; links that have no target text, just: http://garbage.sitename.tld";>
>
> Is it time to create rules to penalize large numbers of 'invisible' links?

it would also be good to discard pointless links before querying surbl's, not sure how easy that is going to be to code though

-- Robert Brooks, Network Manager, Cable & Wireless UK <[EMAIL PROTECTED]> http://hyperlink-interactive.co.uk/ Tel: +44 (0)20 7339 8600 Fax: +44 (0)20 7339 8601 - Help Microsoft stamp out piracy. Give Linux to a friend today! -
Re: Spammer Anti-SURBL tactic
Loren Wilton wrote: We have a SARE rule to catch the first one, and I've just created a rule for the second one that will show up soon if it passes testing. Rules are your friend... Loren, which ruleset are you referring to in this case? Thank you / Martin
RE: Whitelisting IP's?
Johann Spies wrote: > On Fri, Feb 18, 2005 at 11:02:15AM -0500, Chris Santerre wrote: >> >> Absolutely! But without knowing how you are blocking, I can't say >> anymore. > > I am using exim4 with exiscan and refuse to accept mail identified as > spam. > > Regards > Johann So, don't run those IP's through the spam check. See !hosts= -- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 972-414-9812 E-Mail: ler@lerctr.org US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
problem with razor
Hi,

i just installed spamassassin 3.0.2 and it works but always complains about razor2.

Here's what it prints when I test spamassassin:

razor2 check skipped: Illegal seek Insecure dependency in connect while running setuid at /usr/lib/perl5/5.8.1/i586-linux-thread-multi/IO/Socket.pm line 114, line 105.

Line 114 in Socket.pm is "if (!connect($sock, $addr)) { " and here is the surrounding block:

my $blocking;
$blocking = $sock->blocking(0) if $timeout;
if (!connect($sock, $addr)) {
    if (defined $timeout && $!{EINPROGRESS}) {
        require IO::Select;

What does this mean? Is spamassassin unable to connect to spamd? I run "spamd -d" on localhost (mailserver), and it is running, and I can telnet to port 783 on localhost.

What should I check? Should I be running spamd as a non-root?

-- Milos Prudek
Re: Whitelisting IP's?
On Fri, Feb 18, 2005 at 11:02:15AM -0500, Chris Santerre wrote: > > Absolutely! But without knowing how you are blocking, I can't say anymore. I am using exim4 with exiscan and refuse to accept mail identified as spam. Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch "The LORD bless thee, and keep thee; The LORD make his face shine upon thee, and be gracious unto thee; The LORD lift up his countenance upon thee, and give thee peace." Numbers 6:24-26
Re: Spammer Anti-SURBL tactic
We have a SARE rule to catch the first one, and I've just created a rule for the second one that will show up soon if it passes testing. Rules are your friend... Loren
Spammer Anti-SURBL tactic
I'm seeing a new spam variant that is clearly designed to get past SURBL. It is an HTML message that contains many (50~100) 'invisible' links; links that have no target text, just: http://garbage.sitename.tld";>

The intention is clear, they want to fill up the 20 'slots' of the spamcop_uri_limit with their junk links so the real "payload" URL can slip past unchecked. That's playing a statistical game, there's a 1 in 20 chance of the "payload" getting picked by the randomizer but that means that 95% slip by.

To add insult to injury, they're tossing in random "\r" (ASCII-CR) characters into the "payload" hostname to try to break spamassassin's URI parsing.

Is it time to create rules to penalize large numbers of 'invisible' links?

The one thing that has me worried is that people may just start cranking up the spamcop_uri_limit value to do a brute-force response to this trash (or have a simple-minded client that doesn't have that kind of limit). This will add an ever-increasing load on the SURBL dns servers. I'm already seeing a steady-state average of 130 queries/second against my two servers (with spikes in the 150~175 range). The trend has been a steady increase (passed the 100 Q/S mark last fall).

--
Dave Funk University of Iowa
College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include Better is not better, 'standard' is better. B{
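A sketch of the pre-filtering discussed in this thread: strip stray control characters such as "\r" from link hostnames, count links that have no visible content, and spend the limited lookup slots on hosts from visible links first. This is an added example, not SpamAssassin or SpamCopURI code; the function names, the anchor markup used in the constructed sample, and the example.net / example.com hosts are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CR, LF, TAB, space and other control bytes that do not belong in a hostname.
CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


class LinkCollector(HTMLParser):
    """Record every <a href=...> together with whether it wraps visible content."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []     # [href, has_visible_content]
        self._open = None   # index into self.links of the anchor being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append([href, False])
                self._open = len(self.links) - 1
            else:
                self._open = None
        elif tag == "img" and self._open is not None:
            self.links[self._open][1] = True   # a linked image is clickable

    def handle_endtag(self, tag):
        if tag == "a":
            self._open = None

    def handle_data(self, data):
        # str.strip() also removes non-breaking spaces, so "&nbsp;" stays invisible.
        if self._open is not None and data.strip():
            self.links[self._open][1] = True


def host_of(href):
    """Return the lower-cased hostname with embedded control characters removed."""
    try:
        host = urlsplit(CONTROL_CHARS.sub("", href)).hostname
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    return host.rstrip(".") if host else None


def select_hosts(html, limit=20):
    """Return (hosts to look up, number of invisible links).

    Hosts from visible links come first. Invisible ones are only moved to the
    back, not dropped, so they are still checked when slots remain.
    """
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    visible, hidden = [], []
    for href, shown in parser.links:
        host = host_of(href)
        if host is None:
            continue
        if shown:
            if host in hidden:
                hidden.remove(host)
            if host not in visible:
                visible.append(host)
        elif host not in visible and host not in hidden:
            hidden.append(host)
    invisible_count = sum(1 for _href, shown in parser.links if not shown)
    return (visible + hidden)[:limit], invisible_count


# Constructed sample: 60 empty links followed by one visible link whose
# hostname carries an embedded carriage return.
SAMPLE_HTML = (
    "<html><body>"
    + "".join('<a href="http://junk%d.example.net/"></a>' % i for i in range(60))
    + '<p><a href="http://pay\rload.example.com/buy">Order here</a></p>'
    + "</body></html>"
)

if __name__ == "__main__":
    hosts, invisible = select_hosts(SAMPLE_HTML)
    print(invisible, "invisible links; first host checked:", hosts[0])
```

The invisible-link count is returned separately so it can feed a scoring rule of the kind asked about above, independent of the lookup ordering.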
Re: error in BayesStore.pm
I use spamassassin version 2.64, SuSE 8.2 and qmail. I get the following problem: Argument_"\010862517M->U^TB"_isn't_numeric_in_numeric_gt_(>)_a t_/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm_line_1260. The relevant Code of /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm is: my $newmagic = $self->{db_toks}->{$NEWEST_TOKEN_AGE_MAGIC_TOKEN}; if (!defined ($newmagic) || $atime > $newmagic) { $self->{db_toks}->{$NEWEST_TOKEN_AGE_MAGIC_TOKEN} = $atime; } Can somebody help me, what is the error. Thanks From http://www.rulesemporium.com/ Always run spamassassin -D --lint before making your rule changes live. Typos will kick your butt! :) (Just in case you missed the last item:) Always run spamassassin -D --lint before making your rule changes live. Typos will kick your butt! :) If I run spamassassin -D --lint, I get the following message: debug: Score set 0 chosen. debug: running in taint mode? yes debug: Running in taint mode, removing unsafe env vars, and resetting PATH debug: PATH included '/soft_linux_local/bin', keeping. debug: PATH included '/sbin', keeping. debug: PATH included '/usr/sbin', keeping. debug: PATH included '/usr/local/sbin', keeping. debug: PATH included '/root/bin', keeping. debug: PATH included '/usr/local/bin', keeping. debug: PATH included '/usr/bin', keeping. debug: PATH included '/usr/X11R6/bin', keeping. debug: PATH included '/bin', keeping. debug: PATH included '/usr/games', keeping. debug: PATH included '/opt/gnome2/bin', keeping. debug: PATH included '/opt/gnome/bin', keeping. debug: PATH included '/opt/kde3/bin', keeping. debug: PATH included '/usr/lib/java/jre/bin', keeping. debug: PATH included '/opt/gnome/bin', keeping. 
debug: Final PATH set to: /soft_linux_local/bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome2/bin:/opt/gnome/bin:/opt/kde3/bin:/usr/lib/java/jre/bin:/opt/gnome/bin debug: ignore: using a test message to lint rules debug: using "/usr/share/spamassassin" for default rules dir debug: using "/etc/mail/spamassassin" for site rules dir debug: using "/root/.spamassassin" for user state dir debug: using "/root/.spamassassin/user_prefs" for user prefs file Failed to parse line in SpamAssassin configuration, skipping: report_header 1 Failed to parse line in SpamAssassin configuration, skipping: defang_mime 0 Failed to parse line in SpamAssassin configuration, skipping: allow_user_rules debug: using "/root/.spamassassin" for user state dir debug: bayes: no dbs present, cannot scan: /root/.spamassassin/bayes_toks debug: Score set 1 chosen. debug: Initialising learner debug: using "/root/.spamassassin" for user state dir debug: bayes: no dbs present, cannot scan: /root/.spamassassin/bayes_toks debug: is Net::DNS::Resolver available? yes debug: trying (3) slashdot.org... debug: looking up MX for 'slashdot.org' debug: MX for 'slashdot.org' exists? 1 debug: MX lookup of slashdot.org succeeded => Dns available (set dns_available to hardcode) debug: is DNS available? 
1 debug: all '*From' addrs: [EMAIL PROTECTED] debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=1.27 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=1.27 debug: running uri tests; score so far=1.27 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=1.27 debug: Razor2 is not available debug: Current PATH is: /soft_linux_local/bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome2/bin:/opt/gnome/bin:/opt/kde3/bin:/usr/lib/java/jre/bin:/opt/gnome/bin debug: Pyzor is not available: pyzor not found debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is not available: no executable dccproc found. debug: all '*To' addrs: debug: RBL: success for 1 of 1 queries debug: running meta tests; score so far=1.27 debug: is spam? score=1.27 required=6 tests=DATE_MISSING,NO_REAL_NAME I have the following /etc/mail/spamassassin/local.cf # Add your own customisations to this file. See 'man Mail::SpamAssassin::Conf' # for details of what can be tweaked. # required_hits 6.0 rewrite_subject 1 subject_tag ***SPAM*** report_header 1 use_terse_report 1 defang_mime 0 report_safe 0 allow_user_rules Thanks for every help. -- Hans-Georg Glöckler Universität Ulm Fakultät für Informatik, Abteilung Neuroinformatik D-89069 Ulm Tel: 0731/502-4193 (08:30 - 12:00) Looks like the bayes DB is snarfed. restore from backup, or use a nice starter from www.fsl.com/suport I have the following questions: 1) What means: bayes DB is snarfed. 2) What have I to restore, when I want use it from backup. Where is bayes DB installed (which directory + file). 3) Can I use for SuSE 8.2 your Bayes Starter DB (Linux SA 2.64) -- Hans-Georg Glöckler Universität Ulm Fakultät für Informatik, Abteilung Neuroinformatik D-89069 U
Re: error in BayesStore.pm
Hans-Georg Gloeckler wrote: On Thursday, 17 February 2005 09:47, Hans-Georg Gloeckler wrote: I use spamassassin version 2.64, SuSE 8.2 and qmail. I get the following problem: Argument_"\010862517M->U^TB"_isn't_numeric_in_numeric_gt_(>)_a t_/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm_line_1260. The relevant Code of /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm is: my $newmagic = $self->{db_toks}->{$NEWEST_TOKEN_AGE_MAGIC_TOKEN}; if (!defined ($newmagic) || $atime > $newmagic) { $self->{db_toks}->{$NEWEST_TOKEN_AGE_MAGIC_TOKEN} = $atime; } Can somebody help me, what is the error. Thanks From http://www.rulesemporium.com/ Always run spamassassin -D --lint before making your rule changes live. Typos will kick your butt! :) (Just in case you missed the last item:) Always run spamassassin -D --lint before making your rule changes live. Typos will kick your butt! :) If I run spamassassin -D --lint, I get the following message: debug: Score set 0 chosen. debug: running in taint mode? yes debug: Running in taint mode, removing unsafe env vars, and resetting PATH debug: PATH included '/soft_linux_local/bin', keeping. debug: PATH included '/sbin', keeping. debug: PATH included '/usr/sbin', keeping. debug: PATH included '/usr/local/sbin', keeping. debug: PATH included '/root/bin', keeping. debug: PATH included '/usr/local/bin', keeping. debug: PATH included '/usr/bin', keeping. debug: PATH included '/usr/X11R6/bin', keeping. debug: PATH included '/bin', keeping. debug: PATH included '/usr/games', keeping. debug: PATH included '/opt/gnome2/bin', keeping. debug: PATH included '/opt/gnome/bin', keeping. debug: PATH included '/opt/kde3/bin', keeping. debug: PATH included '/usr/lib/java/jre/bin', keeping. debug: PATH included '/opt/gnome/bin', keeping.
debug: Final PATH set to: /soft_linux_local/bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome2/bin:/opt/gnome/bin:/opt/kde3/bin:/usr/lib/java/jre/bin:/opt/gnome/bin debug: ignore: using a test message to lint rules debug: using "/usr/share/spamassassin" for default rules dir debug: using "/etc/mail/spamassassin" for site rules dir debug: using "/root/.spamassassin" for user state dir debug: using "/root/.spamassassin/user_prefs" for user prefs file Failed to parse line in SpamAssassin configuration, skipping: report_header 1 Failed to parse line in SpamAssassin configuration, skipping: defang_mime 0 Failed to parse line in SpamAssassin configuration, skipping: allow_user_rules debug: using "/root/.spamassassin" for user state dir debug: bayes: no dbs present, cannot scan: /root/.spamassassin/bayes_toks debug: Score set 1 chosen. debug: Initialising learner debug: using "/root/.spamassassin" for user state dir debug: bayes: no dbs present, cannot scan: /root/.spamassassin/bayes_toks debug: is Net::DNS::Resolver available? yes debug: trying (3) slashdot.org... debug: looking up MX for 'slashdot.org' debug: MX for 'slashdot.org' exists? 1 debug: MX lookup of slashdot.org succeeded => Dns available (set dns_available to hardcode) debug: is DNS available? 
1 debug: all '*From' addrs: [EMAIL PROTECTED] debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=1.27 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=1.27 debug: running uri tests; score so far=1.27 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=1.27 debug: Razor2 is not available debug: Current PATH is: /soft_linux_local/bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome2/bin:/opt/gnome/bin:/opt/kde3/bin:/usr/lib/java/jre/bin:/opt/gnome/bin debug: Pyzor is not available: pyzor not found debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is not available: no executable dccproc found. debug: all '*To' addrs: debug: RBL: success for 1 of 1 queries debug: running meta tests; score so far=1.27 debug: is spam? score=1.27 required=6 tests=DATE_MISSING,NO_REAL_NAME I have the following /etc/mail/spamassassin/local.cf # Add your own customisations to this file. See 'man Mail::SpamAssassin::Conf' # for details of what can be tweaked. # required_hits 6.0 rewrite_subject 1 subject_tag ***SPAM*** report_header 1 use_terse_report 1 defang_mime 0 report_safe 0 allow_user_rules Thanks for every help. -- Hans-Georg Glöckler Universität Ulm Fakultät für Informatik, Abteilung Neuroinformatik D-89069 Ulm Tel: 0731/502-4193 (08:30 - 12:00) Looks like the bayes DB is snarfed. restore from backup, or use a nice starter from www.fsl.com/suport -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300
Re: error in BayesStore.pm
On Thursday, 17 February 2005 09:47, Hans-Georg Gloeckler wrote: I use spamassassin version 2.64, SuSE 8.2 and qmail. I get the following problem: Argument_"\010862517M->U^TB"_isn't_numeric_in_numeric_gt_(>)_a t_/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm_line_1260. The relevant Code of /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/BayesStore.pm is: my $newmagic = $self->{db_toks}->{$NEWEST_TOKEN_AGE_MAGIC_TOKEN}; if (!defined ($newmagic) || $atime > $newmagic) { $self->{db_toks}->{$NEWEST_TOKEN_AGE_MAGIC_TOKEN} = $atime; } Can somebody help me? What is the error? Thanks From http://www.rulesemporium.com/ Always run spamassassin -D --lint before making your rule changes live. Typos will kick your butt! :) (Just in case you missed the last item:) Always run spamassassin -D --lint before making your rule changes live. Typos will kick your butt! :) If I run spamassassin -D --lint, I get the following message: debug: Score set 0 chosen. debug: running in taint mode? yes debug: Running in taint mode, removing unsafe env vars, and resetting PATH debug: PATH included '/soft_linux_local/bin', keeping. debug: PATH included '/sbin', keeping. debug: PATH included '/usr/sbin', keeping. debug: PATH included '/usr/local/sbin', keeping. debug: PATH included '/root/bin', keeping. debug: PATH included '/usr/local/bin', keeping. debug: PATH included '/usr/bin', keeping. debug: PATH included '/usr/X11R6/bin', keeping. debug: PATH included '/bin', keeping. debug: PATH included '/usr/games', keeping. debug: PATH included '/opt/gnome2/bin', keeping. debug: PATH included '/opt/gnome/bin', keeping. debug: PATH included '/opt/kde3/bin', keeping. debug: PATH included '/usr/lib/java/jre/bin', keeping. debug: PATH included '/opt/gnome/bin', keeping. 
debug: Final PATH set to: /soft_linux_local/bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome2/bin:/opt/gnome/bin:/opt/kde3/bin:/usr/lib/java/jre/bin:/opt/gnome/bin debug: ignore: using a test message to lint rules debug: using "/usr/share/spamassassin" for default rules dir debug: using "/etc/mail/spamassassin" for site rules dir debug: using "/root/.spamassassin" for user state dir debug: using "/root/.spamassassin/user_prefs" for user prefs file Failed to parse line in SpamAssassin configuration, skipping: report_header 1 Failed to parse line in SpamAssassin configuration, skipping: defang_mime 0 Failed to parse line in SpamAssassin configuration, skipping: allow_user_rules debug: using "/root/.spamassassin" for user state dir debug: bayes: no dbs present, cannot scan: /root/.spamassassin/bayes_toks debug: Score set 1 chosen. debug: Initialising learner debug: using "/root/.spamassassin" for user state dir debug: bayes: no dbs present, cannot scan: /root/.spamassassin/bayes_toks debug: is Net::DNS::Resolver available? yes debug: trying (3) slashdot.org... debug: looking up MX for 'slashdot.org' debug: MX for 'slashdot.org' exists? 1 debug: MX lookup of slashdot.org succeeded => Dns available (set dns_available to hardcode) debug: is DNS available? 
1 debug: all '*From' addrs: [EMAIL PROTECTED] debug: running header regexp tests; score so far=0 debug: running body-text per-line regexp tests; score so far=1.27 debug: Razor2 is not available debug: running raw-body-text per-line regexp tests; score so far=1.27 debug: running uri tests; score so far=1.27 debug: uri tests: Done uriRE debug: running full-text regexp tests; score so far=1.27 debug: Razor2 is not available debug: Current PATH is: /soft_linux_local/bin:/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome2/bin:/opt/gnome/bin:/opt/kde3/bin:/usr/lib/java/jre/bin:/opt/gnome/bin debug: Pyzor is not available: pyzor not found debug: DCCifd is not available: no r/w dccifd socket found. debug: DCC is not available: no executable dccproc found. debug: all '*To' addrs: debug: RBL: success for 1 of 1 queries debug: running meta tests; score so far=1.27 debug: is spam? score=1.27 required=6 tests=DATE_MISSING,NO_REAL_NAME I have the following /etc/mail/spamassassin/local.cf # Add your own customisations to this file. See 'man Mail::SpamAssassin::Conf' # for details of what can be tweaked. # required_hits 6.0 rewrite_subject 1 subject_tag ***SPAM*** report_header 1 use_terse_report 1 defang_mime 0 report_safe 0 allow_user_rules Thanks for every help. -- Hans-Georg Glöckler Universität Ulm Fakultät für Informatik, Abteilung Neuroinformatik D-89069 Ulm Tel: 0731/502-4193 (08:30 - 12:00)
RE: Auto learning
Still nothing. I set the owner on the bayes dbs to 'spamd' which is the user the process is running under. I also set og+rw. Left overnight, no change. Only 2 hams, despite the autolearn having picked loads of hams out of the feed with 'autolearn=spam/ham'. I've just deleted the databases with 'sa-learn --clear' then a 'sa-learn --sync' and reset the permissions again to spamd. Still nothing is getting added though and I can't see any error messages, even in debug mode. The output from sa-learn --sync -D is [EMAIL PROTECTED] .spamassassin]# sa-learn -D --sync debug: SpamAssassin version 3.0.2 debug: Score set 0 chosen. debug: running in taint mode? yes debug: Running in taint mode, removing unsafe env vars, and resetting PATH debug: PATH included '/usr/kerberos/sbin', keeping. debug: PATH included '/usr/kerberos/bin', keeping. debug: PATH included '/usr/local/sbin', keeping. debug: PATH included '/usr/local/bin', keeping. debug: PATH included '/sbin', keeping. debug: PATH included '/bin', keeping. debug: PATH included '/usr/sbin', keeping. debug: PATH included '/usr/bin', keeping. debug: PATH included '/usr/X11R6/bin', keeping. debug: PATH included '/root/bin', keeping. 
debug: Final PATH set to: /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin debug: using "/etc/mail/spamassassin/init.pre" for site rules init.pre debug: config: read file /etc/mail/spamassassin/init.pre debug: using "/usr/share/spamassassin" for default rules dir debug: config: read file /usr/share/spamassassin/10_misc.cf debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf debug: config: read file /usr/share/spamassassin/20_body_tests.cf debug: config: read file /usr/share/spamassassin/20_compensate.cf debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf debug: config: read file /usr/share/spamassassin/20_drugs.cf debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf debug: config: read file /usr/share/spamassassin/20_head_tests.cf debug: config: read file /usr/share/spamassassin/20_html_tests.cf debug: config: read file /usr/share/spamassassin/20_meta_tests.cf debug: config: read file /usr/share/spamassassin/20_phrases.cf debug: config: read file /usr/share/spamassassin/20_porn.cf debug: config: read file /usr/share/spamassassin/20_ratware.cf debug: config: read file /usr/share/spamassassin/20_uri_tests.cf debug: config: read file /usr/share/spamassassin/23_bayes.cf debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf debug: config: read file /usr/share/spamassassin/25_hashcash.cf debug: config: read file /usr/share/spamassassin/25_spf.cf debug: config: read file /usr/share/spamassassin/25_uribl.cf debug: config: read file /usr/share/spamassassin/30_text_de.cf debug: config: read file /usr/share/spamassassin/30_text_fr.cf debug: config: read file /usr/share/spamassassin/30_text_nl.cf debug: config: read file /usr/share/spamassassin/30_text_pl.cf debug: config: read file /usr/share/spamassassin/50_scores.cf debug: config: read file /usr/share/spamassassin/60_whitelist.cf debug: using "/etc/mail/spamassassin" for site rules dir 
debug: config: read file /etc/mail/spamassassin/local.cf debug: using "/root/.spamassassin/user_prefs" for user prefs file debug: config: read file /root/.spamassassin/user_prefs debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8ee298c) debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9831bb8) debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x97fdbac) debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8ee298c) implements 'parse_config' debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x9831bb8) implements 'parse_config' debug: bayes: 25498 tie-ing to DB file R/O /root/.spamassassin/bayes_toks debug: bayes: 25498 tie-ing to DB file R/O /root/.spamassassin/bayes_seen debug: bayes: found bayes db version 3 debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200 debug: bayes: 25498 untie-ing debug: bayes: 25498 untie-ing db_toks debug: bayes: 25498 untie-ing db_seen debug: Score set 0 chosen. debug: Initialising learner debug: Syncing Bayes and expiring old tokens... debug: lock: 25498 created /root/.spamassassin/bayes.lock.localhost.localdomain.25498 debug: lock: 25498 trying to get lock on /root/.spamassassin/bayes with 0 retries debug: lock: 25498 link to /root/.spamassassin/bayes.lock: link ok debug: bayes: 25498 tie-ing to DB file R/W /root/.spamassassin/bayes_toks debug: bayes: 25498 tie-ing to DB file R/W /root/.spamassassin/bayes_seen debug: bayes: found bayes db version 3 debug: refresh: 25498 refresh /root/.spamassassin/bayes.lock debug: Syncing complete. debug: bayes:
Re: copy filters from my desktop to the email server
At 12:01 AM 2/22/2005, Ciprian wrote:
> Now, I would like to copy the filters from my desktop to the email server so all users can benefit from them. How can I do this?

0) As a prestep, run sa-learn --dump magic and roughly note the spam and ham counts.

1) Find your home directory, find the .spamassassin directory there, and copy the bayes_* files to your server:

    scp ~/.spamassassin/bayes_* myserver:

2) To make this bayes DB site wide, you'll want to put them someplace like /var/spamassassin/bayes/. Make the directory, and if SA runs as one user (ie: at the MTA layer), make it owned by that user. If it runs as many users (ie: procmail, or spamc -u), make the directory and the bayes files world rwx.

3) Edit /etc/mail/spamassassin/local.cf and add:

    #yes, I do mean two bayes here, the second is part of the filename
    bayes_path /var/spamassassin/bayes/bayes

   If using multiple users you need file mode too:

    bayes_file_mode 777

4) Run spamassassin --lint. It should run without any output.

5) Run sa-learn --dump magic and make sure it matches the output from your desktop in step 0.

6) Restart spamd (if you use it) and you should be good to go.

If you have trouble, run spamassassin --lint -D and see if the debug gives you any hints.
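The count check from steps 0 and 5 of the reply above, as an added example that is not part of the original thread: it parses two saved sa-learn --dump magic outputs, compares nspam, nham and ntokens, and lists any bayes_* files that are world-writable, which under the mode-777 setup any local account can modify. The function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample dumps below are constructed.

# Print one "non-token data" value (e.g. nspam) from `sa-learn --dump magic`
# output read on stdin; exit 1 if the field is absent.
magic_field() {
    awk -v want="$1" '
        $5 == "non-token" && $6 == "data:" {
            name = $7
            for (i = 8; i <= NF; i++) name = name " " $i
            if (name == want) { print $3; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# Compare the counters from step 0 (desktop) and step 5 (server).
# Returns 0 on a match, 1 on a mismatch, 2 if a counter is missing.
compare_magic() {
    rc=0
    for f in nspam nham ntokens; do
        a=$(printf '%s\n' "$1" | magic_field "$f") || { echo "no $f in desktop dump"; return 2; }
        b=$(printf '%s\n' "$2" | magic_field "$f") || { echo "no $f in server dump"; return 2; }
        [ "$a" = "$b" ] || { echo "$f differs: desktop=$a server=$b"; rc=1; }
    done
    return "$rc"
}

# List files under the Bayes directory that any local account can write to.
world_writable() {
    find "$1" -type f -name 'bayes_*' -perm -0002
}

# Constructed sample output, in the column layout sa-learn prints.
DESKTOP_DUMP='0.000          0          3          0  non-token data: bayes db version
0.000          0       1843          0  non-token data: nspam
0.000          0       2210          0  non-token data: nham
0.000          0     118734          0  non-token data: ntokens'
SERVER_DUMP=$DESKTOP_DUMP

if compare_magic "$DESKTOP_DUMP" "$SERVER_DUMP"; then
    echo "counts match"
fi
```

In practice the two arguments would be the saved output of sa-learn --dump magic from each machine, and world_writable would be pointed at the directory named in bayes_path.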
copy filters from my desktop to the email server
Hello, I have installed spamassassin on my email server. It is working, but it is not picking up too much spam. I have also installed spamassassin on my desktop, and I've been "training" it by reporting spam as it came in to my account. Now, my desktop picks up almost all spam. Now, I would like to copy the filters from my desktop to the email server so all users can benefit from them. How can I do this? I searched the web a lot and couldn't find a solution to this... (not one that I can comprehend)... Thank you for your help. Cip