RE: mail not being scanned fully????
At 06:13 AM 3/1/2005, Gray, Richard wrote:
> It's very useful for checking syntax, and pointing out exactly what parts
> of the message have triggered on a particular rule.
>
> Failing that the next step should be to test your installation using
>
>     spamassassin --test-mode < sample.txt
>
> Where sample.txt is a text transcript of your message. This will test SA's
> rule matching on the exact mailbox.

Actually, before you get as far as using --test mode.. make sure you run lint to look for typos in your config.. this is a VERY common problem:

This command:

    spamassassin --lint

Should run and exit quietly with no output.. if it complains, you need to fix your config files..
RE: ASCII-Art like spam?!
At 11:19 AM 3/1/2005, Gray, Richard wrote:
> Hrm, I missed the original message completely! Guess that means I have some
> rules somewhere that catches them :)

Actually that was partly my bad.. I wasn't date sorted, so I was responding to an old post from Feb 11... oops.
SpamAssassin: could not report spam to SpamCop.
SA has been making e-mail great! Thanks to those who invented and continue to work on it!!!

I'm using SA 3.02 on Red Hat Linux release 7.3 with Perl v5.6.1 built for i686-linux

When I do the following command, I get this error message:

    % cat spam.mbox | spamassassin -r --mbox -D
    SpamCop -> report to vmx2.spamcop.net failed: Net::SMTP error
    SpamCop -> report to vmx1.spamcop.net failed: Net::SMTP error
    debug: SpamAssassin: could not report spam to SpamCop.

I ran it with -D for debug hoping to find more details.

I do know that Razor is available. These two messages I expected, "DCC is not available: no executable dccproc found." and "Pyzor is not available: pyzor not found" because they are not installed.

Does DCC or Pyzor have anything to do with the SpamCop errors? If I have Razor installed and running, should I also install DCC and Pyzor?

As for SpamCop, is this another application to work with SA like Razor?

Thanks in advance,
David Roth
rothmail - at - comcast.net
Re: FPs on MSGID_FROM_MTA_ID
On Tue, 1 Mar 2005, Stuart Johnston wrote:

> Eric A. Hall wrote:
> > It appears to be doing the right thing. The message originated off-net,
> > but the Message-ID was added locally, which is pretty good spam-sign.
> > Frankly I wish it worked here, because I've had to create my own rule to
> > hit the same thing.
> >
> > You can set the score for MSGID_FROM_MTA_ID to zero in a local .cf file if
> > you want to disable the rule check.
>
> Right, it is just that I get the impression that a lot of legitimate
> mail servers may be sending mail without proper Message-ID's, causing
> FPs. So, I wondered if anyone else had seen this as well.

I have a functionally equivalent rule that I created back in SA-2.5 days. I had given it a hefty score (1.5) as it seemed a good spam-sign, but subsequently toned it down as I found some mail-list packages don't add Message-IDs to their output. I still have the rule, just with a low score (0.3).

--
Dave Funk
University of Iowa College of Engineering
319/335-5751 FAX: 319/384-0549
1256 Seamans Center
Sys_admin/Postmaster/cell_admin
Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
RE: I don't think the URIDNSBL is working on spams yet
>I just upgraded my DNS and URI, URIDNSBL appears to be working correctly
>now. I'm getting all of the benefits of 3.0.2!
>
>The URIDNSBL is pure genius, thanks to all who help create and support the
>SA product.

Glad you got it fixed. Believe me, the conference call that started URIDNSBL was my favorite conference call so far :) I'm guessing only a conference call from the lottery commission and the Ferrari dealership would top it.

--Chris (Jeff and Bill's affiliate)
Re: another request for RECEIVED[x] array
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi Eric --

actually, there is such a thing in SpamAssassin 3.0.x ;) e.g.:

    header HELO_DYNAMIC_HCC X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\S*\d+[^\d\s]+\d+\S*\.(?:docsis|cable|dsl|adsl|dhcp|cpe)\./i

it doesn't extract *everything*, but does cover quite a lot; rDNS, HELO, IP, "received by" hostname, ident, envelope-from, whether the host was in internal_networks, the SMTP ID string used in the Received line, and whether signs of authentication were present.

You can see it in -D output:

    debug: metadata: X-Spam-Relays-Trusted:
    debug: metadata: X-Spam-Relays-Untrusted:
      [ ip=199.172.62.20 rdns=europe.std.com helo=europe.std.com by=mail.netnoteinc.com ident= envfrom= intl=0 id=392E1114061 auth= ]
      [ ip=199.172.62.134 rdns=sgi04-e.std.com helo=sgi04-e.std.com by=europe.std.com ident= envfrom= intl=0 id=RAA08749 auth= ]
      [ ip=199.172.62.5 rdns=world-f.std.com helo=world.std.com by=sgi04-e.std.com ident= envfrom= intl=0 id=RAA8278330 auth= ]
      [ ip=199.172.62.134 rdns=sgi04-e.std.com helo=sgi04-e.std.com by=europe.std.com ident= envfrom= intl=0 id=RAA07541 auth= ]
      [ ip=199.172.62.5 rdns=world-f.std.com helo=world.std.com by=sgi04-e.std.com ident= envfrom= intl=0 id=RAA8416421 auth= ]
      [ ip=208.192.102.199 rdns=ppp0c199.std.com helo=!208.192.102.193! by=world.std.com ident= envfrom= intl=0 id=RAA14226 auth= ]

or change your config to use the _RELAYSTRUSTED_ and _RELAYSUNTRUSTED_ tag items in a header, to get them in rewritten mails, e.g.

    add_header all Relays-Trusted _RELAYSTRUSTED_
    add_header all Relays-Untrusted _RELAYSUNTRUSTED_

- --j.

Eric A. Hall writes:
> I'm revisiting some rulesets that I'm wanting to write, but am struggling
> again with the lack of Received header parsing. The rules I want to have
> available to me are:
>
> 1) Check for a reverse-DNS match
>
> 2) Check for HELO (versus EHLO)
>
> 3) Check for TLS
>
> In order to do this, I really need an array of Received header meta-data
> (might also benefit from separate arrays of trusted vs untrusted Received
> headers but that's not needed right now).
>
> Array entries should go from top to bottom with RCVD_HDR[0] (or whatever)
> being the top-most header. Each array entry should have elements for
> hostname, HELO/EHLO, recipient, and the other elements described in
> RFC2821 for Received headers, as well as a full-text representation of the
> header (unwrapped into a single line).
>
> I'm aware that the syntax and structure of Received headers vary
> dramatically across implementations (and even across installations of a
> specific implementation), and that this can become pretty difficult, but
> this is really needed in order to do protocol-level validity tests from
> within SA.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFCJKhtMJF5cimLx9ARAiDIAJ4+Tme3MNzQjhpWdFcDw853YbP1LgCgokhu
xvhgg4PI96wvOOgwb6cBUUI=
=ZQza
-END PGP SIGNATURE-
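
The relay metadata shown in the -D output above can be split into the per-hop array Eric asks for, with index 0 as the top-most relay. This is an added example, not code from SpamAssassin or from the posters: the function names are hypothetical, the sample string is copied from three of the relays quoted above, and reading the `!` around a HELO value as an IP-literal marker is an assumption drawn from that sample. It uses only the fields listed in the message, so it covers the rDNS and HELO checks but not TLS.

```python
import re

# Three of the six relays from the -D output quoted in the message above.
SAMPLE = (
    "[ ip=199.172.62.20 rdns=europe.std.com helo=europe.std.com "
    "by=mail.netnoteinc.com ident= envfrom= intl=0 id=392E1114061 auth= ] "
    "[ ip=199.172.62.5 rdns=world-f.std.com helo=world.std.com "
    "by=sgi04-e.std.com ident= envfrom= intl=0 id=RAA8278330 auth= ] "
    "[ ip=208.192.102.199 rdns=ppp0c199.std.com helo=!208.192.102.193! "
    "by=world.std.com ident= envfrom= intl=0 id=RAA14226 auth= ]"
)

GROUP_RE = re.compile(r"\[\s*([^\[\]]*?)\s*\]")   # one "[ ... ]" relay entry
PAIR_RE = re.compile(r"(\w+)=(\S*)")               # key=value, value may be empty
# Assumption: a HELO that is a bare or "!"/"[]"-wrapped dotted quad is an IP literal.
IP_LITERAL_RE = re.compile(r"^[!\[]?\d{1,3}(?:\.\d{1,3}){3}[!\]]?$")


def parse_relays(meta):
    """Return one dict per relay, top-most (most recent) relay first."""
    relays = []
    for group in GROUP_RE.finditer(meta):
        fields = dict(PAIR_RE.findall(group.group(1)))
        if "ip" in fields:          # skip anything that is not a relay entry
            relays.append(fields)
    return relays


def relay_findings(relay):
    """Flag the rDNS/HELO conditions a rule writer would want to score on."""
    findings = []
    rdns = relay.get("rdns", "").lower()
    helo = relay.get("helo", "").lower()
    if not rdns:
        findings.append("no-rdns")
    if IP_LITERAL_RE.match(helo):
        findings.append("helo-ip-literal")
        if helo.strip("![]") != relay.get("ip"):
            findings.append("helo-ip-mismatch")
    elif rdns and helo != rdns:
        findings.append("helo-rdns-mismatch")
    if relay.get("auth"):
        findings.append("authenticated")
    return findings


def audit(meta):
    """List (index, connecting ip, findings) for every relay in the metadata."""
    return [(i, r["ip"], relay_findings(r))
            for i, r in enumerate(parse_relays(meta))]


if __name__ == "__main__":
    for index, ip, findings in audit(SAMPLE):
        print(index, ip, ", ".join(findings) or "clean")
```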
Re: FPs on MSGID_FROM_MTA_ID
On 3/1/2005 11:53 AM, Stuart Johnston wrote:

> it is just that I get the impression that a lot of legitimate
> mail servers may be sending mail without proper Message-ID's, causing
> FPs. So, I wondered if anyone else had seen this as well.

This is really two separate questions.

As to "legitimate" use, ftp://ftp.rfc-editor.org/in-notes/rfc2821.txt is not exactly crystalline, but it is pretty strong about encouraging originating mail servers adding the header:

| The following changes to a message being processed MAY be applied
| when necessary by an originating SMTP server, or one used as the
| target of SMTP as an initial posting protocol:
|
| - Addition of a message-id field when none appears
|
| - Addition of a date, time or time zone when none appears
|
| - Correction of addresses to proper FQDN format
|
| The less information the server has about the client, the less likely
| these changes are to be correct and the more caution and conservatism
| should be applied when considering whether or not to perform fixes
| and how. These changes MUST NOT be applied by an SMTP server that
| provides an intermediate relay function.

In my experience, "legitimate" mail servers add this header, and the only time it shows up is when a server is poorly-managed, or when a client is trying to connect to my server directly (the exception is local clients, but they use a different server instance on a different port, and which adds the header if it is missing).

Whether or not these indicators are "false positives" is therefore pretty much a local consideration. If you get a lot of mail from poorly-run servers and direct connections, then yes it would be a false positive.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: FPs on MSGID_FROM_MTA_ID
Eric A. Hall wrote:
> On 3/1/2005 11:21 AM, Stuart Johnston wrote:
>
>> I am seeing a lot of false positives on MSGID_FROM_MTA_ID. Anyone else
>> seeing similar results? Suggestions? (SA 3.0.2)
>>
>> Here is a sample header:
>>
>> Return-Path: <[EMAIL PROTECTED]>
>> Received: from [10.2.100.6] (HELO gateway.ebby.com)
>>   by ebby.com (CommuniGate Pro SMTP 4.1.6)
>>   with ESMTP id 10388631 for [EMAIL PROTECTED]; Tue, 01 Mar 2005
>> From: "Neil Erbe" <[EMAIL PROTECTED]>
>> Message-Id: <[EMAIL PROTECTED]>
>
> It appears to be doing the right thing. The message originated off-net,
> but the Message-ID was added locally, which is pretty good spam-sign.
> Frankly I wish it worked here, because I've had to create my own rule to
> hit the same thing.
>
> You can set the score for MSGID_FROM_MTA_ID to zero in a local .cf file if
> you want to disable the rule check.

Right, it is just that I get the impression that a lot of legitimate mail servers may be sending mail without proper Message-ID's, causing FPs. So, I wondered if anyone else had seen this as well.

Stuart Johnston
another request for RECEIVED[x] array
I'm revisiting some rulesets that I'm wanting to write, but am struggling again with the lack of Received header parsing. The rules I want to have available to me are:

1) Check for a reverse-DNS match

2) Check for HELO (versus EHLO)

3) Check for TLS

In order to do this, I really need an array of Received header meta-data (might also benefit from separate arrays of trusted vs untrusted Received headers but that's not needed right now).

Array entries should go from top to bottom with RCVD_HDR[0] (or whatever) being the top-most header. Each array entry should have elements for hostname, HELO/EHLO, recipient, and the other elements described in RFC2821 for Received headers, as well as a full-text representation of the header (unwrapped into a single line).

I'm aware that the syntax and structure of Received headers vary dramatically across implementations (and even across installations of a specific implementation), and that this can become pretty difficult, but this is really needed in order to do protocol-level validity tests from within SA.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Re: FPs on MSGID_FROM_MTA_ID
On 3/1/2005 11:21 AM, Stuart Johnston wrote:

> I am seeing a lot of false positives on MSGID_FROM_MTA_ID. Anyone else
> seeing similar results? Suggestions? (SA 3.0.2)
>
> Here is a sample header:
>
> Return-Path: <[EMAIL PROTECTED]>
> Received: from [10.2.100.6] (HELO gateway.ebby.com)
>   by ebby.com (CommuniGate Pro SMTP 4.1.6)
>   with ESMTP id 10388631 for [EMAIL PROTECTED]; Tue, 01 Mar 2005
> From: "Neil Erbe" <[EMAIL PROTECTED]>
> Message-Id: <[EMAIL PROTECTED]>

It appears to be doing the right thing. The message originated off-net, but the Message-ID was added locally, which is pretty good spam-sign. Frankly I wish it worked here, because I've had to create my own rule to hit the same thing.

You can set the score for MSGID_FROM_MTA_ID to zero in a local .cf file if you want to disable the rule check.

--
Eric A. Hall http://www.ehsco.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
FPs on MSGID_FROM_MTA_ID
I am seeing a lot of false positives on MSGID_FROM_MTA_ID. Anyone else seeing similar results? Suggestions? (SA 3.0.2)

Here is a sample header:

Return-Path: <[EMAIL PROTECTED]>
Received: from [10.2.100.6] (HELO gateway.ebby.com)
    by ebby.com (CommuniGate Pro SMTP 4.1.6)
    with ESMTP id 10388631 for [EMAIL PROTECTED]; Tue, 01 Mar 2005 08:48:59 -0600
Received: from localhost (localhost.localdomain [127.0.0.1])
    by gateway.ebby.com (Postfix) with ESMTP id 537C114E502
    for <[EMAIL PROTECTED]>; Tue, 1 Mar 2005 08:45:57 -0600 (CST)
Received: from gateway.ebby.com ([127.0.0.1])
    by localhost (gateway.ebby.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 23327-50 for <[EMAIL PROTECTED]>;
    Tue, 1 Mar 2005 08:45:54 -0600 (CST)
Received: from rwcrmhc11.comcast.net (rwcrmhc14.comcast.net [216.148.227.89])
    by gateway.ebby.com (Postfix) with ESMTP id D12CD14E548
    for <[EMAIL PROTECTED]>; Tue, 1 Mar 2005 08:45:53 -0600 (CST)
Received: from ndesk (c-24-0-185-193.client.comcast.net[24.0.185.193])
    by comcast.net (rwcrmhc14) with SMTP
    id <20050301144937014003562re>; Tue, 1 Mar 2005 14:49:38 +
Reply-To: <[EMAIL PROTECTED]>
From: "Neil Erbe" <[EMAIL PROTECTED]>
To: "Neil Erbe" <[EMAIL PROTECTED]>
Subject: Corrective Surgery
Date: Tue, 1 Mar 2005 08:49:33 -0600
MIME-Version: 1.0
Content-Type: multipart/related;
    boundary="=_NextPart_000_0031_01C51E3B.978B7510"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
Thread-Index: AcUeZA3634eANkDuTd+7Rt1Pnih3YwACa2Vw
Message-Id: <[EMAIL PROTECTED]>
X-Virus-Scanned: by amavisd-new at gateway.ebby.com
X-Spam-Status: No, hits=4.342 tagged_above=0 required=5 tests=BAYES_05,
    DNS_FROM_RFC_POST, HTML_80_90, HTML_IMAGE_RATIO_04, HTML_MESSAGE,
    HTML_TAG_EXIST_TBODY, MSGID_FROM_MTA_ID, SARE_ADULT2
X-Spam-Level:
RE: ASCII-Art like spam?!
Hrm, I missed the original message completely! Guess that means I have some rules somewhere that catches them :)

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: 01 March 2005 16:17
To: Nick Bright; users@spamassassin.apache.org
Subject: Re: ASCII-Art like spam?!

At 11:04 AM 3/1/2005, Nick Bright wrote:
>Attached are two spams I got in the last two days, jebsu! ASCII ART
>SPAM!

See the thread "I wonder how Google would deal with this one :-)" from a couple days ago..

Best efforts against it seem to be tripwire.cf and SURBL.

---
This email from dns has been validated by dnsMSS Managed Email Security and is free from all known viruses.

For further information contact [EMAIL PROTECTED]
Re: Help needed with rewrite_header and Spamassassin 3.0.2 on Linux
thank you! thank you! thank you!

it works - oh thank you! :-))

-prash.

On Mon, 28 Feb 2005 21:27:41 -0800, Tom Q. Citizen <[EMAIL PROTECTED]> wrote:
> Tom Q. Citizen wrote:
>
> > Theo Van Dinter wrote:
> >
> >> On Mon, Feb 28, 2005 at 08:22:01PM -0800, Tom Q. Citizen wrote:
> >>
> >>> Thanks, I had tried that earlier with no luck. Are there any
> >>> guidelines on what kinds of characters are allowed in the rewrite
> >>> string? I did notice I had embedded spaces between the parens and
> >>> asterisks which I've removed to see if that will make any difference.
> >>>
> >>
> >> You said you're using qmail-scanner, which IIRC does its own rewrites.
> >>
> >
> > You sir, ROCK! I found this on the Qmail-Scanner site in the FAQ:
> >
> > http://qmail-scanner.sourceforge.net/FAQ.php#cs
> >
> > "*I want "fast_spamassassin" for performance - but I want the Subject:
> > header tagged as "SPAM" too!* Boy - you don't want much do you! :-)
> > Anyway - you can. Simply change the "--scanner" option to
> > "fast_spamassassin=STRING" and "STRING" ("SPAM:" is a good value) will
> > be prepended to the Subject line of every message marked as Spam. If
> > you want all that cool extra detail from SA (e.g. the reasons for a
> > particular score), then there is no option but to use
> > "verbose_spamassassin""
> >
> > I'll see if this helps! Thanks!
> >
> > Peace...
> >
> > Tom
>
> Ok, that did it! I now get subject tagging when spam is detected! I
> don't get the SA scores but I do get the desired subject modification,
> which is good enough for me. :)
>
> Thanks!
>
> Peace...
>
> Tom
>
Re: ASCII-Art like spam?!
At 11:04 AM 3/1/2005, Nick Bright wrote:
> Attached are two spams I got in the last two days, jebsu! ASCII ART SPAM!

See the thread "I wonder how Google would deal with this one :-)" from a couple days ago..

Best efforts against it seem to be tripwire.cf and SURBL.
ASCII-Art like spam?!
Attached are two spams I got in the last two days, jebsu! ASCII ART SPAM!

--
- Nick Bright
Terraworld, Inc
888-332-1616 x315
http://home.terraworld.net

>From [EMAIL PROTECTED] Tue Mar 1 08:42:20 2005
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 76235 invoked by uid 0); 1 Mar 2005 08:42:20 -
Received: from unknown (HELO mail.saturnfans.com) (219.136.154.69)
    by mail.terraworld.net with SMTP; 1 Mar 2005 08:42:17 -
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 01 Mar 2005 03:37:08 +0800
Reply-To: "dustin devore" <[EMAIL PROTECTED]>
From: "dustin devore" <[EMAIL PROTECTED]>
User-Agent: eGroups Message Poster
MIME-Version: 1.0
To: "Ralph Linkous" <[EMAIL PROTECTED]>
Subject: Priced to basic giddy
X-Anti-Virus: Scanned for viruses by mail.terraworld.net
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on sanford
X-Spam-Level: *
X-Spam-Status: No, hits=1.6 required=5.0 tests=DATE_IN_PAST_12_24,
    HTML_MESSAGE,MIME_HTML_ONLY autolearn=no version=2.64
Content-Type: text/html; charset=us-ascii
X-Evolution-Source: imap://[EMAIL PROTECTED]/
Content-Transfer-Encoding: 8bit

http://pure.com.amputategood.com/?Swftfvgvmc/kx";>more info
RE: PING ninjas - rule download broken
>> Since about 18.00 yesterday, there seems to be a problem with retrieving
>> rules from http://www.rulesemporium.com/rules/.cf. When I
>> retrieve any rule, I get the following HTML on the front, which causes
>> SA lint to fail. I have tried several rulesets and several different
>> hosts and still get the failure, only the IP address reported in the
>> fopen changes.
>>
>> Sorry about posting here with it, but the only contact on the site is
>> [EMAIL PROTECTED], which bounces.
>>
>> Nick Leverton
>>
>
>This issue has been corrected, downloads should be working fine again.
>
>Thanks for the heads up!

This is what happens when Ninjas get into the rice wine! Sooner or later either there is a server problem or someone gets a katana in the eye. :)

--Chris
Re: PING ninjas - rule download broken
Nick Leverton said:
> Since about 18.00 yesterday, there seems to be a problem with retrieving
> rules from http://www.rulesemporium.com/rules/.cf. When I
> retrieve any rule, I get the following HTML on the front, which causes
> SA lint to fail. I have tried several rulesets and several different
> hosts and still get the failure, only the IP address reported in the
> fopen changes.
>
> Sorry about posting here with it, but the only contact on the site is
> [EMAIL PROTECTED], which bounces.
>
> Nick Leverton
>

This issue has been corrected, downloads should be working fine again.

Thanks for the heads up!

--matt
RE: mail not being scanned fully????
Rather than just pushing messages through the system, I would recommend testing your regexps using the following program (http://regex.osherove.com/)

It's very useful for checking syntax, and pointing out exactly what parts of the message have triggered on a particular rule.

Failing that the next step should be to test your installation using

    spamassassin --test-mode < sample.txt

Where sample.txt is a text transcript of your message. This will test SA's rule matching on the exact mailbox.

If after trying these things you still haven't identified the problem, you might be using sa-exim, or exiscan, or one of those other MTA plugins that only passes a portion of the message to SA. These are usually set reasonably high, but it's possible that you have set the setting to the point where the test text has been cut off.

I hope this helps,

R

-Original Message-
From: R McGlue [mailto:[EMAIL PROTECTED]
Sent: 01 March 2005 09:18
To: [EMAIL PROTECTED]
Subject: mail not being scanned fully

hi, upgrading spamd servers and running a few tests on 3.0.2

I sent an email with "fuck" in both the body and again separately in the subject... but even though there is a rule for it (LIVE_PORN) and I know the bayes+net score was zero so I manually set it to 5 (local.cf) but even then it isn't being flagged at all.

Tried sending from on and offsite (to myself)... any ideas why it isn't flagging? I thought that the strings would be flagged on a literal match, I've checked the regex and it should match f*ck.

ronan

# grep 42242F51.1080801 /var/log/syslog
Mar 1 09:01:10 server.ac.uk spamd[25914]: checking message <[EMAIL PROTECTED]> for nobody:60001.
Mar 1 09:01:10 server.ac.uk spamd[25914]: result: . -4 - ALL_TRUSTED,BAYES_00 scantime=0.3,size=709,mid=<[EMAIL PROTECTED]>,bayes=0,autolearn=ham
PING ninjas - rule download broken
Since about 18.00 yesterday, there seems to be a problem with retrieving rules from http://www.rulesemporium.com/rules/.cf. When I retrieve any rule, I get the following HTML on the front, which causes SA lint to fail. I have tried several rulesets and several different hosts and still get the failure, only the IP address reported in the fopen changes.

Sorry about posting here with it, but the only contact on the site is [EMAIL PROTECTED], which bounces.

Nick Leverton

Warning: fopen("/var/vhosts/rulesemporium.com/html/ratelimit/217/217.155.219.14.lck", "w") - Permission denied in /var/vhosts/rulesemporium.com/html/ratelimit.php on line 212

Warning: Cannot add header information - headers already sent by (output started at /var/vhosts/rulesemporium.com/html/ratelimit.php:212) in /var/vhosts/rulesemporium.com/html/ratelimit.php on line 291

Warning: Cannot add header information - headers already sent by (output started at /var/vhosts/rulesemporium.com/html/ratelimit.php:212) in /var/vhosts/rulesemporium.com/html/ratelimit.php on line 292

# SARE HTML Ruleset for SpamAssassin - ruleset 0
mail not being scanned fully????
hi, upgrading spamd servers and running a few tests on 3.0.2

I sent an email with "fuck" in both the body and again separately in the subject... but even though there is a rule for it (LIVE_PORN) and I know the bayes+net score was zero so I manually set it to 5 (local.cf) but even then it isn't being flagged at all.

Tried sending from on and offsite (to myself)... any ideas why it isn't flagging? I thought that the strings would be flagged on a literal match, I've checked the regex and it should match f*ck.

ronan

# grep 42242F51.1080801 /var/log/syslog
Mar 1 09:01:10 server.ac.uk spamd[25914]: checking message <[EMAIL PROTECTED]> for nobody:60001.
Mar 1 09:01:10 server.ac.uk spamd[25914]: result: . -4 - ALL_TRUSTED,BAYES_00 scantime=0.3,size=709,mid=<[EMAIL PROTECTED]>,bayes=0,autolearn=ham
RE: Rule advice please
I see the logic you are adopting, but unfortunately it doesn't quite pan out. Take the 4th example you provided. Here you acknowledge that while enunciating is not an anagram of ejaculating, it is still a possible outcome from your set.

Mathematically the problem faced is this:

Writing the anagrams out specifically for a 5 letter set gives:

    5*4*3*2*1 = 120 variations

Working out all the variations using the strategy you list below is

    5*5*5*5*5 = 3125 variations.

While most of these 3125 variations are likely not to be words, you need to check them all, not only in English but in other languages to ensure that there are no FPs. Assuming only 1% of the choices work as words, there are still 30 words to list, which isn't actually that great an improvement given the amount of set up time it costs you. The more letters you add the more obvious the problem becomes.

The simplest way to think about a regular expression is like a flow chart without variables. If you can draw out a flow chart using each character in sequence as an input, then it can be made into a regular expression. For an anagram, it can't be. In effect, an anagram is a one-way function (anyone care to speculate on its use as a crypto one way function?).

For more info on Finite state machines see http://en.wikipedia.org/wiki/Finite_state_machine

I'll refrain from discussing this any further on the list because I don't want to point out anything of further use to spammers, so if anyone wants to talk about this more, mail me privately, and we can hit reply all (if I know who you are :) )

R

-Original Message-
From: Mike Grau [mailto:[EMAIL PROTECTED]
Sent: 28 February 2005 17:55
To: users@spamassassin.apache.org
Subject: Re: Rule advice please

>
>
>subject =~ /\b(?!cartoon|croatan|carroon)c[arto]{5}n\b/i
>subject =~ /\b(?!downloadable)d[ownladb]{10}e\b/i
>subject =~ /\b(?!dripping)d[ripn]{6}g\b/i
>subject =~ /\b(?!ejaculating|enunciating)e[jacultin]{9}g\b/i
>
> You can't use rules like this. The pattern "can" matches your
> first example. Similarly "drrg" matches the third line.
>

Yes, but, using meta rules for scoring and assuming we're not talking about binary data, if I don't want (HOT && DRIPPING && WOMEN) should I want (HOT && DRRG && WOMEN) ? I wouldn't score this high enough to reject the message by itself, but when combined with all the other SA rules might it not be an indicator worthy of some scoring?

-- Mike

---
This email from dns has been validated by dnsMSS Managed Email Security and is free from all known viruses.

For further information contact [EMAIL PROTECTED]
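
Richard's counting argument can be checked directly against two of the rules quoted in this message: enumerate every string the character class can produce, then count how many the rule accepts and how many are real rearrangements of the target word. This is an added example, not code from the thread or from SpamAssassin; the helper names are hypothetical and the candidate strings are generated, not taken from real mail.

```python
import re
from collections import Counter
from itertools import product

# Two Subject rules quoted in the thread, written as Python regexes.
CARTOON_RULE = re.compile(r"\b(?!cartoon|croatan|carroon)c[arto]{5}n\b", re.I)
DRIPPING_RULE = re.compile(r"\b(?!dripping)d[ripn]{6}g\b", re.I)


def is_scramble(word, target):
    """Exact test a regex cannot express: first and last letter kept,
    inner letters are a rearrangement (same multiset) of the target's."""
    w, t = word.lower(), target.lower()
    return (
        len(w) == len(t)
        and w != t
        and w[0] == t[0]
        and w[-1] == t[-1]
        and Counter(w[1:-1]) == Counter(t[1:-1])
    )


def compare(rule, target):
    """Return (candidates, accepted_by_rule, true_scrambles).

    Candidates are all strings that keep target's first and last letter
    and fill the middle positions from the set of target's inner letters,
    which is exactly the space the character class describes.
    """
    inner = target[1:-1]
    alphabet = sorted(set(inner))
    candidates = accepted = scrambles = 0
    for middle in product(alphabet, repeat=len(inner)):
        word = target[0] + "".join(middle) + target[-1]
        candidates += 1
        if rule.search(word):
            accepted += 1
            if is_scramble(word, target):
                scrambles += 1
    return candidates, accepted, scrambles


if __name__ == "__main__":
    for rule, target in ((CARTOON_RULE, "cartoon"), (DRIPPING_RULE, "dripping")):
        total, accepted, scrambles = compare(rule, target)
        print(f"{target}: {total} candidates, rule accepts {accepted}, "
              f"{scrambles} are real scrambles")
```

The gap between the accepted count and the scramble count is the false-positive surface that the negative lookahead has to enumerate word by word.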
RE: I don't think the URIDNSBL is working on spams yet
I just upgraded my DNS and URI, URIDNSBL appears to be working correctly now. I'm getting all of the benefits of 3.0.2!

The URIDNSBL is pure genius, thanks to all who help create and support the SA product.

-Original Message-
From: Jeff Chan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 01, 2005 2:58 AM
To: Greg Allen
Cc: Matt Kettler; users@spamassassin.apache.org
Subject: Re: I don't think the URIDNSBL is working on spams yet

On Monday, February 28, 2005, 11:44:33 PM, Greg Allen wrote:
> OK, just did that. Sent from Yahoo email into my system, no luck. If
> URIDNSBL is reliant on DNS, maybe I should re-install DNS to a newer
> version?

Your Net::DNS version is too old:

> debug: Net::DNS version: 0.34

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: I don't think the URIDNSBL is working on spams yet
On Monday, February 28, 2005, 11:44:33 PM, Greg Allen wrote:
> OK, just did that. Sent from Yahoo email into my system, no luck. If
> URIDNSBL is reliant on DNS, maybe I should re-install DNS to a newer
> version?

Your Net::DNS version is too old:

> debug: Net::DNS version: 0.34

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
RE: I don't think the URIDNSBL is working on spams yet
OK, just did that. Sent from Yahoo email into my system, no luck. If URIDNSBL is reliant on DNS, maybe I should re-install DNS to a newer version?

Received: from mx10.antispamservers.com ([63.135.66.110])
    by mail.copylite.com with Microsoft SMTPSVC(6.0.3790.211);
    Tue, 1 Mar 2005 02:41:47 -0500
Received: by mx10.antispamservers.com (Postfix, from userid 500)
    id 6A77B23FED; Tue, 1 Mar 2005 02:38:08 -0500 (EST)
Received: from web60302.mail.yahoo.com (web60302.mail.yahoo.com [216.109.118.113])
    by mx10.antispamservers.com (Postfix) with SMTP id 89B9B23FEC
    for <[EMAIL PROTECTED]>; Tue, 1 Mar 2005 02:38:00 -0500 (EST)
Received: (qmail 15992 invoked by uid 60001); 1 Mar 2005 07:37:48 -
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
    b=RnHmvFvXbpZ6dr8BbcfEDQedxWxGhoPauv6G9/Ych5VvgrPysQrvZNmghieO1N6pGy/Z58K2
    17lYRseWnrI3ODnO/lhboyhBOr3oU4qoxqlKyGbVK+sqi/Parjvoy6yXKZWFKdSXtt2TKjcCQnu5
    7T+1j9SjtegPOwZbLWYXL+o= ;
Message-ID: <[EMAIL PROTECTED]>
Received: from [63.135.66.106] by web60302.mail.yahoo.com via HTTP;
    Mon, 28 Feb 2005 23:37:47 PST
Date: Mon, 28 Feb 2005 23:37:47 -0800 (PST)
From: Greg Allen <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: test
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1741638910-1109662667=:15898"
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on mx10.antispamservers.com
X-Spam-Level:
X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,HTML_MESSAGE,
    NORMAL_HTTP_TO_IP autolearn=ham version=3.0.2
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 01 Mar 2005 07:41:47.0789 (UTC) FILETIME=[1FA2D3D0:01C51E32]

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 01, 2005 2:25 AM
To: [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: Re: I don't think the URIDNSBL is working on spams yet

At 01:47 AM 3/1/2005, Greg Allen wrote:
>Just did upgrade from SA 2.63 to SA 3.0.2, everything looks good, but I
>don't see any evidence that URIDNSBL is doing anything to spam emails so
>far.
>
>Here is the output. Is it broke?

That looks fine, however, in order to test URIDNSBL's it might be worth having a URI in the message

Try the SURBL test point, which should match:

http://www.surbl-org-permanent-test-point.com/
Re: I don't think the URIDNSBL is working on spams yet
At 01:47 AM 3/1/2005, Greg Allen wrote:
> Just did upgrade from SA 2.63 to SA 3.0.2, everything looks good, but I
> don't see any evidence that URIDNSBL is doing anything to spam emails so far.
>
> Here is the output. Is it broke?

That looks fine, however, in order to test URIDNSBL's it might be worth having a URI in the message

Try the SURBL test point, which should match:

http://www.surbl-org-permanent-test-point.com/
I don't think the URIDNSBL is working on spams yet
Just did upgrade from SA 2.63 to SA 3.0.2, everything looks good, but I don't see any evidence that URIDNSBL is doing anything to spam emails so far.

Here is the output. Is it broke?

Thanks for any help.

[EMAIL PROTECTED] filter]$ spamassassin -D < test.txt
debug: SpamAssassin version 3.0.2
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/usr/local/sbin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/sbin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/X11R6/bin', keeping.
debug: PATH included '/root/bin', which doesn't exist, dropping.
debug: Final PATH set to: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
debug: using "/etc/mail/spamassassin/init.pre" for site rules init.pre
debug: config: read file /etc/mail/spamassassin/init.pre
debug: using "/usr/share/spamassassin" for default rules dir
debug: config: read file /usr/share/spamassassin/10_misc.cf
debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/share/spamassassin/20_compensate.cf
debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/share/spamassassin/20_drugs.cf
debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/share/spamassassin/20_phrases.cf
debug: config: read file /usr/share/spamassassin/20_porn.cf
debug: config: read file /usr/share/spamassassin/20_ratware.cf
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/23_bayes.cf
debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/share/spamassassin/25_spf.cf
debug: config: read file /usr/share/spamassassin/25_uribl.cf
debug: config: read file /usr/share/spamassassin/30_text_de.cf
debug: config: read file /usr/share/spamassassin/30_text_fr.cf
debug: config: read file /usr/share/spamassassin/30_text_nl.cf
debug: config: read file /usr/share/spamassassin/30_text_pl.cf
debug: config: read file /usr/share/spamassassin/50_scores.cf
debug: config: read file /usr/share/spamassassin/60_whitelist.cf
debug: using "/etc/mail/spamassassin" for site rules dir
debug: config: read file /etc/mail/spamassassin/local.cf
debug: using "/var/spool/filter/.spamassassin" for user state dir
debug: using "/var/spool/filter/.spamassassin/user_prefs" for user prefs file
debug: config: read file /var/spool/filter/.spamassassin/user_prefs
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84cd5f8)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8de16a8)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8dc0514)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84cd5f8) implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8de16a8) implements 'parse_config'
debug: using "/var/spool/filter/.spamassassin" for user state dir
debug: bayes: 11045 tie-ing to DB file R/O /var/spool/filter/.spamassassin/bayes_toks
debug: bayes: 11045 tie-ing to DB file R/O /var/spool/filter/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: using "/var/spool/filter/.spamassassin" for user state dir
debug: Score
set 3 chosen. debug: metadata: X-Spam-Relays-Trusted: debug: metadata: X-Spam-Relays-Untrusted: debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84cd5f8) implements 'parsed_metadata' debug: is Net::DNS::Resolver available? yes debug: Net::DNS version: 0.34 debug: trying (3) apache.org... debug: looking up NS for 'apache.org' debug: NS lookup of apache.org succeeded => Dns available (set dns_available to hardcode) debug: is DNS available? 1 debug: MIME PARSER START debug: main message type: text/plain debug: parsing normal part debug: added part, type: text/plain debug: MIME PARSER END debug: decoding: no encoding detected debug: URIDNSBL: domains to query: debug: all '*From' addrs: [EMAIL PROTECTED] debug: Running tests for priority: 0 debug: running header regexp tests; score so far=0 debug: registering glue method for check_hashcash_double_spend (Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8de16a8)) debug: registering glue method for check_for_spf
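A way to read the debug output in the post above, as an added example that is not part of the thread or of SpamAssassin: it checks whether URIDNSBL registered, whether DNS was reported available, and whether any domains were listed after "domains to query:". The function name, the log excerpt selection and the example.com variant are assumptions; reading an empty list as "nothing to look up for this test message" is an interpretation of the log, not something stated in the thread.

```python
import re

# Excerpt copied from the debug output in the post above.
LOG_FROM_POST = """\
debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84cd5f8)
debug: is DNS available? 1
debug: MIME PARSER END
debug: URIDNSBL: domains to query:
debug: Running tests for priority: 0
"""

# Constructed variant: the same run with one domain listed for lookup.
LOG_WITH_URI = LOG_FROM_POST.replace("domains to query:",
                                     "domains to query: example.com")


def uridnsbl_status(debug_text):
    """Summarise URIDNSBL activity in `spamassassin -D` output (3.0.2 wording)."""
    registered, dns, domains = False, None, None
    for line in debug_text.splitlines():
        line = line.strip()
        if line.startswith("debug: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL="):
            registered = True
        m = re.match(r"debug: is DNS available\? (\d)$", line)
        if m:
            dns = m.group(1) == "1"
        m = re.match(r"debug: URIDNSBL: domains to query:(.*)$", line)
        if m:
            domains = m.group(1).split()   # empty list when nothing follows the colon
    if not registered:
        verdict = "plugin not registered"
    elif dns is False:
        verdict = "DNS reported unavailable"
    elif domains is None:
        verdict = "no 'domains to query' line in this output"
    elif not domains:
        verdict = "plugin active, but no domains were listed for this message"
    else:
        verdict = "plugin active, %d domain(s) listed for lookup" % len(domains)
    return {"registered": registered, "dns": dns,
            "domains": domains, "verdict": verdict}


if __name__ == "__main__":
    print(uridnsbl_status(LOG_FROM_POST)["verdict"])
    print(uridnsbl_status(LOG_WITH_URI)["verdict"])
```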
Re: Help needed with rewrite_header and Spamassassin 3.0.2 on Linux
Tom Q. Citizen wrote: Theo Van Dinter wrote: On Mon, Feb 28, 2005 at 08:22:01PM -0800, Tom Q. Citizen wrote: Thanks, I had tried that earlier with no luck. Are there any guidelines on what kinds of characters are allowed in the rewrite string? I did notice I had embedded spaces between the parens and asterisks which I've removed to see if that will make any difference. You said you're using qmail-scanner, which IIRC does its own rewrites. You sir, ROCK! I found this on the Qmail-Scanner site in the FAQ: http://qmail-scanner.sourceforge.net/FAQ.php#cs "*I want "fast_spamassassin" for performance - but I want the Subject: header tagged as "SPAM" too!* Boy - you don't want much do you! :-) Anyway - you can. Simply change the "--scanner" option to "fast_spamassassin=STRING" and "STRING" ("SPAM:" is a good value) will be prepended to the Subject line of every message marked as Spam. If you want all that cool extra detail from SA (e.g. the reasons for a particular score), then there is no option but to use "verbose_spamassassin"" I'll see if this helps! Thanks! Peace... Tom Ok, that did it! I now get subject tagging when spam is detected! I don't get the SA scores but I do get the desired subject modification, which is good enough for me. :) Thanks! Peace... Tom
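A header check for the situation resolved above, as an added example that is not part of the thread, qmail-scanner or SpamAssassin: it reads the qmail-scanner trace in the Received header and reports when a message was flagged but its Subject carries no tag. The names audit, sample and QS_TRACE are assumptions, the sample messages are constructed with placeholder addresses, and reading "SA:1(18.0/5.0)" as flag(score/required) is inferred from the X-Spam-Status lines quoted beside it in this thread.

```python
import re
from email import message_from_string

# Trace field as it appears in the Received headers quoted in this thread,
# e.g. "SA:1(18.0/5.0)". Reading it as flag(score/required) is an inference
# from the X-Spam-Status line printed next to it in both quoted samples.
QS_TRACE = re.compile(r"SA:([01])\((-?\d+(?:\.\d+)?)/(\d+(?:\.\d+)?)\)")

def audit(raw, tag):
    """Say who flagged the message and whether Subject carries `tag`."""
    msg = message_from_string(raw)
    out = {"scanner": None, "flagged": False, "score": None, "required": None}
    for received in msg.get_all("Received", []):
        text = " ".join(received.split())          # unfold continuation lines
        m = QS_TRACE.search(text)
        if m and "qmail-scanner" in text:
            out.update(scanner="qmail-scanner", flagged=m.group(1) == "1",
                       score=float(m.group(2)), required=float(m.group(3)))
            break
    if out["scanner"] is None:                     # no wrapper trace: use X-Spam-Status
        status = msg.get("X-Spam-Status", "")
        out["flagged"] = status.strip().lower().startswith("yes")
    out["subject_tagged"] = msg.get("Subject", "").lstrip().startswith(tag)
    if not out["flagged"]:
        out["finding"] = "not flagged"
    elif out["subject_tagged"]:
        out["finding"] = "flagged and tagged"
    elif out["scanner"]:
        out["finding"] = "flagged by qmail-scanner, Subject untagged: tagging is the wrapper's job here"
    else:
        out["finding"] = "flagged, Subject untagged: check rewrite_header in local.cf"
    return out

def sample(flag, score, required, subject, wrapped=True):
    """Build a constructed test message (addresses and IPs are placeholders)."""
    verdict = "Yes" if flag else "No"
    trace = ""
    if wrapped:
        trace = ("Received: from 192.0.2.10 by mx (envelope-from <sender@example.com>, uid 505)\n"
                 " with qmail-scanner-1.25 (clamdscan: 0.83/730. spamassassin: 3.0.2.\n"
                 " Clear:RC:0(192.0.2.10):SA:%d(%.1f/%.1f):.\n"
                 " Processed in 9.959364 secs); 01 Mar 2005 02:32:23 -0000\n"
                 % (flag, score, required))
    return (trace +
            "X-Spam-Status: %s, hits=%.1f required=%.1f\n" % (verdict, score, required) +
            "Subject: %s\nFrom: sender@example.com\nTo: user@example.net\n\nbody\n" % subject)

if __name__ == "__main__":
    for s in (sample(1, 18.0, 5.0, "Jokes of the day"),
              sample(1, 18.0, 5.0, "SPAM: Jokes of the day"),
              sample(1, 18.0, 5.0, "Jokes of the day", wrapped=False)):
        print(audit(s, "SPAM:")["finding"])
```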
Re: Help needed with rewrite_header and Spamassassin 3.0.2 on Linux
Theo Van Dinter wrote: On Mon, Feb 28, 2005 at 08:22:01PM -0800, Tom Q. Citizen wrote: Thanks, I had tried that earlier with no luck. Are there any guidelines on what kinds of characters are allowed in the rewrite string? I did notice I had embedded spaces between the parens and asterisks which I've removed to see if that will make any difference. You said you're using qmail-scanner, which IIRC does its own rewrites. You sir, ROCK! I found this on the Qmail-Scanner site in the FAQ: http://qmail-scanner.sourceforge.net/FAQ.php#cs "*I want "fast_spamassassin" for performance - but I want the Subject: header tagged as "SPAM" too!* Boy - you don't want much do you! :-) Anyway - you can. Simply change the "--scanner" option to "fast_spamassassin=STRING" and "STRING" ("SPAM:" is a good value) will be prepended to the Subject line of every message marked as Spam. If you want all that cool extra detail from SA (e.g. the reasons for a particular score), then there is no option but to use "verbose_spamassassin"" I'll see if this helps! Thanks! Peace... Tom
Re: Help needed with rewrite_header and Spamassassin 3.0.2 on Linux
Theo Van Dinter wrote: On Mon, Feb 28, 2005 at 08:22:01PM -0800, Tom Q. Citizen wrote: Thanks, I had tried that earlier with no luck. Are there any guidelines on what kinds of characters are allowed in the rewrite string? I did notice I had embedded spaces between the parens and asterisks which I've removed to see if that will make any difference. You said you're using qmail-scanner, which IIRC does its own rewrites. Ah, ok. I wasn't aware of this. I'll head down the qmail-scanner path and see what I need to configure there, if anything. Thanks for the heads-up! :) Peace... Tom
Re: Help needed with rewrite_header and Spamassassin 3.0.2 on Linux
On Mon, Feb 28, 2005 at 08:22:01PM -0800, Tom Q. Citizen wrote:
> Thanks, I had tried that earlier with no luck. Are there any guidelines
> on what kinds of characters are allowed in the rewrite string? I did
> notice I had embedded spaces between the parens and asterisks which I've
> removed to see if that will make any difference.

You said you're using qmail-scanner, which IIRC does its own rewrites.

--
Randomly Generated Tagline:
"Who would have thought hell would really exist? And that it would be in New Jersey?" -Leela
"Actually..." - Fry
Re: Help needed with rewrite_header and Spamassassin 3.0.2 on Linux
Thanks, I had tried that earlier with no luck. Are there any guidelines on what kinds of characters are allowed in the rewrite string? I did notice I had embedded spaces between the parens and asterisks which I've removed to see if that will make any difference. Thanks again for your help. :) Peace... Tom Greg Allen wrote: Sorry, Get rid of the : rewrite_header Subject *** SPAM(_SCORE_) ***: becomes rewrite_header Subject *** SPAM(_SCORE_) *** -Original Message- From: Tom Q. Citizen [mailto:[EMAIL PROTECTED] Sent: Monday, February 28, 2005 10:53 PM To: users@spamassassin.apache.org Subject: Help needed with rewrite_header and Spamassassin 3.0.2 on Linux Hi! Ok, I'm running Spamassassin 3.0.2 on a RedHat 9 based Linux box w/ perl 5.8.2 (multi-threaded), netqmail 1.05, and vpopmail 5.4.9. I've got qmail-scanner 1.25 installed and clamav .083. All seems to be working well except for rewrite_header doesn't seem to be working. Here is my /etc/mail/spamassassin/local.cf file: --START-- # This is the right place to customize your installation of SpamAssassin. # # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be # tweaked. # ### # rewrite_header Subject *** SPAM(_SCORE_) ***: required_score 5.00 # report_safe 1 # trusted_networks 212.17.35. lock_method flock ---END I do NOT have any other Spamassassin configuration files in users' home directories or anything like that. I do NOT have Razor or Pyzor installed. I installed Spamassassin via CPAN and the installation went flawlessly. I've read through the mailing list and various other docs which talk about using rewrite_header Subject instead of rewrite_subject. Spamassassin IS detecting spam and setting the mail headers correctly but just not the subject line. 
Here is a sample of spam I'm getting: --START--- Return-Path: <[EMAIL PROTECTED]> Delivered-To: [EMAIL PROTECTED] Received: (qmail 27843 invoked by uid 525); 1 Mar 2005 02:32:23 - Received: from 222.47.62.222 by mama (envelope-from <[EMAIL PROTECTED]>, uid 505) with qmail-scanner-1.25 (clamdscan: 0.83/730. spamassassin: 3.0.2. Clear:RC:0(222.47.62.222):SA:1(18.0/5.0):. Processed in 9.959364 secs); 01 Mar 2005 02:32:23 - X-Spam-Status: Yes, hits=18.0 required=5.0 X-Spam-Level: ++ Received: from unknown (HELO mail.signcastle.com) (222.47.62.222) by redbricksmedia.com with SMTP; 1 Mar 2005 02:32:13 - Date: Tue, 01 Mar 2005 03:17:18 + Subject: SEXUALLY-EXPLICIT: I have a BIG BIG button there user From: Big Surprise <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] X-Sender: [EMAIL PROTECTED] X-Mailer: Message-Id: <[EMAIL PROTECTED]> MIME-version: 1.0 Content-type: multipart/alternative; boundary="remdzlithkwbkxvn" This is a multipart message in MIME format. --remdzlithkwbkxvn Content-type: text/plain; charset=us-ascii http://www.drillclub.com/gen_ads/gen_mail.php?grid=24&ape=gt4724 Jokes of the day END I've changed the recipient's e-mail address "to protect the innocent". :) I have NO clue as to why the subject isn't being updated with my spam indicator and I have NO clue where to start troubleshooting this. I've seen messages posted to the list recently that DO have the subject rewritten and Spamassassin 3.0.1 was being used so I believe that it does work (or at least used to in a Spamassassin 3.0.x release). Any ideas on why I'm having this problem? What is the best way to troubleshoot this? Thanks in advance for your time and assistance. Peace... Tom
RE: Help needed with rewrite_header and Spamassassin 3.0.2 on Linux
Here you go... http://wiki.apache.org/spamassassin/SubjectRewrite -Original Message- From: Tom Q. Citizen [mailto:[EMAIL PROTECTED] Sent: Monday, February 28, 2005 10:53 PM To: users@spamassassin.apache.org Subject: Help needed with rewrite_header and Spamassassin 3.0.2 on Linux Hi! Ok, I'm running Spamassassin 3.0.2 on a RedHat 9 based Linux box w/ perl 5.8.2 (multi-threaded), netqmail 1.05, and vpopmail 5.4.9. I've got qmail-scanner 1.25 installed and clamav .083. All seems to be working well except for rewrite_header doesn't seem to be working. Here is my /etc/mail/spamassassin/local.cf file:
Help needed with rewrite_header and Spamassassin 3.0.2 on Linux
Hi! Ok, I'm running Spamassassin 3.0.2 on a RedHat 9 based Linux box w/ perl 5.8.2 (multi-threaded), netqmail 1.05, and vpopmail 5.4.9. I've got qmail-scanner 1.25 installed and clamav .083. All seems to be working well except for rewrite_header doesn't seem to be working. Here is my /etc/mail/spamassassin/local.cf file: --START-- # This is the right place to customize your installation of SpamAssassin. # # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be # tweaked. # ### # rewrite_header Subject *** SPAM(_SCORE_) ***: required_score 5.00 # report_safe 1 # trusted_networks 212.17.35. lock_method flock ---END I do NOT have any other Spamassassin configuration files in users' home directories or anything like that. I do NOT have Razor or Pyzor installed. I installed Spamassassin via CPAN and the installation went flawlessly. I've read through the mailing list and various other docs which talk about using rewrite_header Subject instead of rewrite_subject. Spamassassin IS detecting spam and setting the mail headers correctly but just not the subject line. Here is a sample of spam I'm getting: --START--- Return-Path: <[EMAIL PROTECTED]> Delivered-To: [EMAIL PROTECTED] Received: (qmail 27843 invoked by uid 525); 1 Mar 2005 02:32:23 - Received: from 222.47.62.222 by mama (envelope-from <[EMAIL PROTECTED]>, uid 505) with qmail-scanner-1.25 (clamdscan: 0.83/730. spamassassin: 3.0.2. Clear:RC:0(222.47.62.222):SA:1(18.0/5.0):. 
Processed in 9.959364 secs); 01 Mar 2005 02:32:23 - X-Spam-Status: Yes, hits=18.0 required=5.0 X-Spam-Level: ++ Received: from unknown (HELO mail.signcastle.com) (222.47.62.222) by redbricksmedia.com with SMTP; 1 Mar 2005 02:32:13 - Date: Tue, 01 Mar 2005 03:17:18 + Subject: SEXUALLY-EXPLICIT: I have a BIG BIG button there user From: Big Surprise <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Return-Path: [EMAIL PROTECTED] X-Sender: [EMAIL PROTECTED] X-Mailer: Message-Id: <[EMAIL PROTECTED]> MIME-version: 1.0 Content-type: multipart/alternative; boundary="remdzlithkwbkxvn" This is a multipart message in MIME format. --remdzlithkwbkxvn Content-type: text/plain; charset=us-ascii http://www.drillclub.com/gen_ads/gen_mail.php?grid=24&ape=gt4724 Jokes of the day END I've changed the recipient's e-mail address "to protect the innocent". :) I have NO clue as to why the subject isn't being updated with my spam indicator and I have NO clue where to start troubleshooting this. I've seen messages posted to the list recently that DO have the subject rewritten and Spamassassin 3.0.1 was being used so I believe that it does work (or at least used to in a Spamassassin 3.0.x release). Any ideas on why I'm having this problem? What is the best way to troubleshoot this? Thanks in advance for your time and assistance. Peace... Tom
Re[2]: Porn E-Mail
Hello Shawn, Monday, February 28, 2005, 6:00:27 AM, you wrote: SRB> If you are running the 70_SARE_HTML1.CF file, increase the value SRB> of SARE_HTML_A_HIDE in your local.cf... this spammer always hits SRB> this rule. I've been doing this for several months now, with no SRB> false positives. I've set mine to 3 points (5 required). But be warned, the reason this rule is in HTML1 instead of HTML0 is that it /does/ hit ham -- 17 ham across 3 SARE corpora (at least one ham in each corpus). Bob Menschel
RE: Porn E-Mail
Not really, as it was marked as spam to begin with. It only scored 9.1 because of AWL...

* -20 AWL AWL: From: address is in the auto white-list

Are you trying to skew my bayes or something :).

Gary

> -Original Message-
> From: Matt [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 28, 2005 5:23 AM
> To: [EMAIL PROTECTED]
> Subject: [Suspected SPAM] Porn E-Mail
>
> Has anyone noticed lately a higher than normal amount of porn spam
> getting through? I've seen a lot of it that seems to be hitting the
> customer base as of late.. marked only by the SURBL... but those that
> aren't SURBLed yet.. get through with a score of like 2.3
>
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 8629 invoked by uid 509); 26 Feb 2005 15:18:08 -
> Received: from 220.104.187.146 by smtp4-ha.chilitech.net (envelope-from
> <[EMAIL PROTECTED]>, uid 503) with qmail-scanner-1.23
> (spamassassin: 2.64.
> Clear:RC:0(220.104.187.146):SA:0(2.1/4.5):.
> Processed in 5.891302 secs); 26 Feb 2005 15:18:08 -
> X-Spam-Status: No, hits=2.1 required=4.5
> X-Spam-Level: ++
> Received: from p7146-ipad04yosida.nagano.ocn.ne.jp ([220.104.187.146])
> (envelope-sender <[EMAIL PROTECTED]>)
> by 0 (qmail-ldap-1.03) with SMTP
> for <[EMAIL PROTECTED]>; 26 Feb 2005 15:18:02 -
> Received: from frxsgmnq.area.trieste.it (mail2.area.trieste.it
> [151.11.128.151])
> by p7146-ipad04yosida.nagano.ocn.ne.jp with esmtp
> id 98CA9A8736 for <[EMAIL PROTECTED]>; Sat, 26 Feb 2005 07:17:59
> -0800
> Message-ID: <[EMAIL PROTECTED]>
> From: "Lithest T. Helper" <[EMAIL PROTECTED]>
> To: Adelewilcox <[EMAIL PROTECTED]>
> Subject: Excuse me... :)
> Date: Sat, 26 Feb 2005 07:17:59 -0800
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="=_NextPart_000_0011_582242D6.106C5F2A"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1437
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
> X-RAV-Antivirus: This e-mail has been scanned for viruses on host:
> p7146-ipad04yosida.nagano.ocn.ne.jp
>