Re: about SPF

2005-04-12 Thread Daryl C. W. O'Shea
martin smith wrote:
M>
M>Could you please forward a few complete messages that 
M>incorrectly get an SPF fail with the patch applied.
M>
M>The patch has no effect on SPF_HELO tests.
M>
M>
M>Daryl
M>
Looks like I have to put mail.apache.org as a trusted server for this list
to pass the spf test, the email direct from you passed but the one via the
list failed:-
Direct:
Return-Path: <[EMAIL PROTECTED]>
Received: from mta10-winn.mailhost.ntl.com (smtpout18.mailhost.ntl.com
[212.250.162.18])
by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id
j3C78AP5020927
for <[EMAIL PROTECTED]>; Tue, 12 Apr 2005 08:08:10 +0100
Via list:
Return-Path: <[EMAIL PROTECTED]>
Received: from mta09-winn.mailhost.ntl.com (smtpout17.mailhost.ntl.com
[212.250.162.17])
by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id
j3C78Wvx020936
for <[EMAIL PROTECTED]>; Tue, 12 Apr 2005 08:08:33 +0100
Martin, the mail didn't go through the same server.  Is it possible that 
you've omitted 212.250.162.17 from your list of trusted_networks?  This 
would cause an SPF failure.

When I set my trusted_networks to 212.250.162.0/24 and run these 
messages through, they both get SPF_PASS.

This is under 3.1, but 3.0 shouldn't be any different.
Daryl


Re: I like this one.... Particularly the BS from Yahoo.....

2005-04-12 Thread Matt Kettler
Nigel Frankcom wrote:

>Point accepted, but - why do they market it as such?
>
>Nigel
>
I don't see them (yahoo) marketing it as an anti-spam solution. They
market it as a tool to solve problems that anti-spam efforts face
(spoofing).

http://antispam.yahoo.com/domainkeys/

Of course, the fact that they associate themselves at all with anti-spam
efforts causes a lot of trade rags to call it an "anti-spam solution",
but what else do you expect from trade rags? They throw up headlines
that over-state the facts all the time.

http://news.zdnet.com/2100-3513_22-5164279.html

Headline: Yahoo, Sendmail to test antispam system

From the story quoting a Yahoo VP: "In working with Sendmail, and other
industry leaders, we are able to develop a powerful authentication
solution to solve the spoofing problem and lay the foundation for future
antispam advances,"

Gotta love how the headline doesn't match the story..

 But "Yahoo, sendmail to test authentication system with hopes of aiding
future antispam efforts" won't attract as many readers.

Don't believe the headlines, they're nearly always lying about the real
facts to grab your attention.




Rules to identify simplified and traditional chinese character sets

2005-04-12 Thread Johnson, Robert F
I have a requirement for a rule that will identify emails using either
traditional or simplified Chinese character sets. 

 I was able to create a rule that finds these codes in the Internet
headers but I have noticed that some emails have the char set identified
in the mime header and not the Internet header.  

This code fragment illustrates how I do this for Internet headers:

header   CHINESE_WL_1 Content-Type =~ /gb2312/i
describe CHINESE_WL_1 White list Simplified Chinese

Does anyone know how to create a rule to detect these codes in a mime
header?




Re: Razor and ~500k mail/day

2005-04-12 Thread Kelson
Johan Segernäs wrote:
I'd like to use razor-check as well on my servers, is it possible to have a
server on one of my own boxes or am I forced to use public servers? Haven't
found any docs around this.
Vipul made a post a few months ago about the idea of setting up a Razor 
caching plugin for SpamAssassin.  It sounds like what you'd need, and 
while there haven't been any follow-ups on the mailing list, it's 
possible they may be working on it.  Or they may not have gotten enough 
response.

http://thread.gmane.org/gmane.mail.spam.razor.user/3581
"As regards to Razor2, here's the idea: We can develop a plug-in
to SpamAssassin that keeps an up-to-date hot set of
Razor2/SpamNet signatures on the local machine, has support for
all signature schemes and can identify upto 90% of spam before
it goes through the rest of SA checks. The local Razor2 cache
would be extremely fast (able to process 10s if not 100s of
messages/second), and the cache would be less than 20 Mb in
size. In effect, it will increase both accuracy and throughput
of a SpamAssassin spam filtration setup.
"If enough people are interested, we would provide this as a
commercial service at a nominal cost. If you are interested,
please send me email at  with your thoughts
on the design and pricing."  (His email address is in the archived copy.)
--
Kelson Vibber
SpeedGate Communications 


Re: Re: I like this one.... Particularly the BS from Yahoo.....

2005-04-12 Thread Nigel Frankcom
Point accepted, but - why do they market it as such?

Nigel

On Tue, 12 Apr 2005 17:45:01 -0400, Matt Kettler
<[EMAIL PROTECTED]> wrote:

>Nigel Frankcom wrote:
>
>>Admittedly not much,
>>
>>My biggest issue was yahoo sporting anti spam options in a spam mail.
>>  
>>
>
>My biggest issue would be the assumption that domainkeys is an anti-spam
>option. It's not. Period. No matter what some people at slashdot might
>think, it is NOT an anti-spam technique.
>
>Domainkeys, like SPF, is an anti forgery technology. Nothing more.
>
>Anyone who tells you otherwise is overstating its benefits or does not
>understand the technology.
>
>While anti-forgery techniques are slightly helpful to the anti-spam
>community in tracking down the actual source of a message, they do not
>in any way prevent someone from sending spam that is not forged.
>
>Really all this buys you is discouraging forgery by making it easy to
>detect. This has the side effect that when spam isn't forged, it's
>easier to get the originating accounts terminated.
>
>
>That's all it offers in terms of anti-spam efforts. It's not really
>much, but it's a lot better than looking at the RDNS names in the
>Received: headers to try to "verify" what domain a mail really came from.
>
>
>
>
>



Re: I like this one.... Particularly the BS from Yahoo.....

2005-04-12 Thread Matt Kettler
Nigel Frankcom wrote:

>Admittedly not much,
>
>My biggest issue was yahoo sporting anti spam options in a spam mail.
>  
>

My biggest issue would be the assumption that domainkeys is an anti-spam
option. It's not. Period. No matter what some people at slashdot might
think, it is NOT an anti-spam technique.

Domainkeys, like SPF, is an anti forgery technology. Nothing more.

Anyone who tells you otherwise is overstating its benefits or does not
understand the technology.

While anti-forgery techniques are slightly helpful to the anti-spam
community in tracking down the actual source of a message, they do not
in any way prevent someone from sending spam that is not forged.

Really all this buys you is discouraging forgery by making it easy to
detect. This has the side effect that when spam isn't forged, it's
easier to get the originating accounts terminated.


That's all it offers in terms of anti-spam efforts. It's not really
much, but it's a lot better than looking at the RDNS names in the
Received: headers to try to "verify" what domain a mail really came from.


(Sorry for the soap box, but this particular misconception is particularly 
common, and one that needs to be eliminated from further propagation.)




Re: SpamAssassin Suddenly Not Catching Spam

2005-04-12 Thread Jake Colman
> "MK" == Matt Kettler <[EMAIL PROTECTED]> writes:

   MK> Yes, that's exactly what he wants you to look at. You can match up all
   MK> those test names with scores by grepping in 50_scores.cf. Since you have
   MK> bayes and network checks in use, it will be using the last score in each
   MK> line.

   MK> For example:
   MK> $ grep RAZOR2_CHECK 50_scores.cf
   MK> score RAZOR2_CHECK 0 0.150 0 1.511

   MK> This tells you that of the 4.7 total points, 1.511 came from this test.

   MK> You also are using some SARE rules, those won't show up in 50_scores.cf,
   MK> they'll be in /etc/mail/spamassassin/*.cf, but the same tactic applies.

   MK> I can tell you from experience that none of the above rules have a
   MK> significant negative score. (SPF_HELO_PASS is negative, but it's -0.001
   MK> points)

   MK> The one thing that sticks out to me is that it hit BAYES_50.. this
   MK> suggests that while you have bayes enabled, it's not trained to
   MK> recognize this kind of spam.

   MK> BAYES_50 specifically means that SA's bayes result is undecided for this
   MK> message, and believes there's a 50/50 chance of the email being spam or
   MK> nonspam. Had this message scored on the spam side of the BAYES_ rankings,
   MK> it would have also had a higher total score, and probably have been
   MK> tagged as spam.

Thanks, Matt, for the explanation.

Maybe my bayes database (or mechanism) is screwed up.  I am not using a mysql
database for bayes and I think I'm using an individual bayes database per
person.  

1) How can I verify that it is finding my bayes database?  Maybe that's the
   problem?

2) How can I share a global bayes database so that all users share the same
   database?  This is a home network and mail server we all have the same
   idea as to what's spam.  I want one person (myself) to do the spam
   training and have everyone benefit.

By the way, I use spamc/spamd and a global procmailrc to do my filtering.

Thanks!

...Jake

-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com



Re: Re: I like this one.... Particularly the BS from Yahoo.....

2005-04-12 Thread Nigel Frankcom
Admittedly not much,

My biggest issue was yahoo sporting anti spam options in a spam mail.

I probably shoulda thought a tad more about the post and a tad less
about my beer :-D

It struck me as amusing and a solid example of how the best plans can
bite one in the ass :-D

Apols if any annoyance caused :-D

Nigel


On Tue, 12 Apr 2005 16:53:50 -0400, Matt Kettler
<[EMAIL PROTECTED]> wrote:

>Nigel Frankcom wrote:
>
>>Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
>>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>>s=s1024; d=yahoo.com;
>>b=FU1UmmgKvRlCBEUg1CKomcMMxShgfcM6WKgaJSOKD9D0tUHOxKzy603V5zIMC3MtpLdfh9CN/aRG7HzHYI2nIPlWHYJyO8PxAAl3qroxRQY3KDINcs+qaZSygSnd/nXp+5Yk1fezlUnFxDtEdUcy5YEQ676bu/ksh4+xL8UWivM=
>>;
>>
>>
>>Hmmm - that worked well then.
>>
>>Anyone else getting these or have I just annoyed someone? :-D
>>
>>Admittedly, annoying Yahoo may not necessarily be a bad thing
>>
>>Nigel
>>
>
>*snip*
>
>Erm... what's the point here.. I'm not following
>
>Looks to me like someone with a real yahoo account is spamming you with
>419 scams from it. The host that delivered the mail to you reverses
>as w2.rc.vip.dcn.yahoo.com
>
>What's yahoo, or anyone else, being annoyed have to do with it?



Re: I like this one.... Particularly the BS from Yahoo.....

2005-04-12 Thread Matt Kettler
Nigel Frankcom wrote:

>Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>s=s1024; d=yahoo.com;
>b=FU1UmmgKvRlCBEUg1CKomcMMxShgfcM6WKgaJSOKD9D0tUHOxKzy603V5zIMC3MtpLdfh9CN/aRG7HzHYI2nIPlWHYJyO8PxAAl3qroxRQY3KDINcs+qaZSygSnd/nXp+5Yk1fezlUnFxDtEdUcy5YEQ676bu/ksh4+xL8UWivM=
>;
>
>
>Hmmm - that worked well then.
>
>Anyone else getting these or have I just annoyed someone? :-D
>
>Admittedly, annoying Yahoo may not necessarily be a bad thing
>
>Nigel
>

*snip*

Erm... what's the point here.. I'm not following

Looks to me like someone with a real yahoo account is spamming you with
419 scams from it. The host that delivered the mail to you reverses
as w2.rc.vip.dcn.yahoo.com

What's yahoo, or anyone else, being annoyed have to do with it?


Re: SpamAssassin Suddenly Not Catching Spam

2005-04-12 Thread Matt Kettler
Jake Colman wrote:

>Forgive my ignorance...
>
>I assume that "negatively-scored" means that it is less likely to be spam,
>correct?
>
>Here is an example of a message that should have been flagged:
>
>X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,HTML_10_20,
>HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
>SARE_RECV_IP_218071,SPF_HELO_PASS,TW_GK,URIBL_SBL autolearn=no version=3.0.2
>
>How do I read this and what do I do with this?  I assume this is what you
>were asking me to look at, right?
>
>  
>
Yes, that's exactly what he wants you to look at. You can match up all
those test names with scores by grepping in 50_scores.cf. Since you have
bayes and network checks in use, it will be using the last score in each
line.

For example:
$ grep RAZOR2_CHECK 50_scores.cf
score RAZOR2_CHECK 0 0.150 0 1.511

This tells you that of the 4.7 total points, 1.511 came from this test.

You also are using some SARE rules, those won't show up in 50_scores.cf,
they'll be in /etc/mail/spamassassin/*.cf, but the same tactic applies.

I can tell you from experience that none of the above rules have a
significant negative score. (SPF_HELO_PASS is negative, but it's -0.001
points)

The one thing that sticks out to me is that it hit BAYES_50.. this
suggests that while you have bayes enabled, it's not trained to
recognize this kind of spam.

BAYES_50 specifically means that SA's bayes result is undecided for this
message, and believes there's a 50/50 chance of the email being spam or
nonspam. Had this message scored on the spam side of the BAYES_ rankings,
it would have also had a higher total score, and probably have been
tagged as spam.
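
The lookup described above, as an added example in Python (not code from this thread or from SpamAssassin): it parses the X-Spam-Status header quoted in the thread, picks the score column for the active scoreset, and lists the tests whose scores have to be looked up in other .cf files. The SPF_HELO_PASS line is constructed from the -0.001 value mentioned above, and all function names are illustrative.

```python
import re

# Score lines in .cf syntax. RAZOR2_CHECK is the line quoted in the thread;
# SPF_HELO_PASS is constructed from the -0.001 value mentioned there.
# The other tests are left out on purpose so they show up as "missing".
SAMPLE_SCORES_CF = """\
score RAZOR2_CHECK 0 0.150 0 1.511
score SPF_HELO_PASS -0.001   # constructed single-value line
"""

# The header from the thread, with its folded continuation lines.
SAMPLE_STATUS = (
    "X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,HTML_10_20,\n"
    "\tHTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,\n"
    "\tSARE_RECV_IP_218071,SPF_HELO_PASS,TW_GK,URIBL_SBL autolearn=no version=3.0.2"
)


def scoreset_index(bayes, network):
    """Column of a four-value score line:
    0 = no bayes/no net, 1 = net only, 2 = bayes only, 3 = bayes + net."""
    return (2 if bayes else 0) + (1 if network else 0)


def parse_scores(cf_text):
    """Return {rule: [s0, s1, s2, s3]} from 'score' lines.
    A line with a single value applies that value to all four scoresets."""
    scores = {}
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) < 3 or parts[0] != "score":
            continue
        try:
            values = [float(v) for v in parts[2:]]
        except ValueError:
            continue                            # not a numeric score line
        if len(values) == 1:
            values = values * 4
        if len(values) == 4:
            scores[parts[1]] = values
    return scores


def parse_status(header):
    """Return (score, required, [tests]) from an X-Spam-Status header."""
    flat = re.sub(r",\s*\n\s*", ",", header)    # unfold inside the tests list
    flat = re.sub(r"\s*\n\s*", " ", flat)       # unfold anywhere else
    m = re.search(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=(\S*)", flat)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    tests = [t for t in m.group(3).split(",") if t and t != "none"]
    return float(m.group(1)), float(m.group(2)), tests


def explain(header, cf_text, bayes=True, network=True):
    """Match each test that hit against the score file and report what is known."""
    total, required, tests = parse_status(header)
    scores = parse_scores(cf_text)
    col = scoreset_index(bayes, network)
    return {
        "total": total,
        "required": required,
        "shortfall": round(required - total, 3),           # points short of tagging
        "known": {t: scores[t][col] for t in tests if t in scores},
        "missing": [t for t in tests if t not in scores],  # look in other .cf files
    }


if __name__ == "__main__":
    report = explain(SAMPLE_STATUS, SAMPLE_SCORES_CF)
    for name, value in report["known"].items():
        print(f"{value:7.3f}  {name}")
    print("not in this file:", ", ".join(report["missing"]))
    print("short of the threshold by", report["shortfall"])
```
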






I like this one.... Particularly the BS from Yahoo.....

2005-04-12 Thread Nigel Frankcom

Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
b=FU1UmmgKvRlCBEUg1CKomcMMxShgfcM6WKgaJSOKD9D0tUHOxKzy603V5zIMC3MtpLdfh9CN/aRG7HzHYI2nIPlWHYJyO8PxAAl3qroxRQY3KDINcs+qaZSygSnd/nXp+5Yk1fezlUnFxDtEdUcy5YEQ676bu/ksh4+xL8UWivM=
;


Hmmm - that worked well then.

Anyone else getting these or have I just annoyed someone? :-D

Admittedly, annoying Yahoo may not necessarily be a bad thing

Nigel


>Received: by mtspro.co.uk (MTSPro MTSAgent 1.60) ; Tue, 12 Apr 2005 13:24:42 
>+0100
>for <[EMAIL PROTECTED]>
>Received: from yahoo.com (216.109.112.135, Peer IP=[216.155.196.189]) by 
>mtspro.co.uk (MTSPro MTSSmtp 1.61); Tue, 12 Apr 2005 13:24:26 +0100
>for <[EMAIL PROTECTED]>
>Received: (qmail 65470 invoked by uid 60001); 12 Apr 2005 12:24:10 -
>Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>  s=s1024; d=yahoo.com;
>  
> b=FU1UmmgKvRlCBEUg1CKomcMMxShgfcM6WKgaJSOKD9D0tUHOxKzy603V5zIMC3MtpLdfh9CN/aRG7HzHYI2nIPlWHYJyO8PxAAl3qroxRQY3KDINcs+qaZSygSnd/nXp+5Yk1fezlUnFxDtEdUcy5YEQ676bu/ksh4+xL8UWivM=
>   ;
>Message-ID: <[EMAIL PROTECTED]>
>Received: from [80.248.64.59] by web61210.mail.yahoo.com via HTTP; Tue, 12 Apr 
>2005 05:24:10 PDT
>Date: Tue, 12 Apr 2005 05:24:10 -0700 (PDT)
>From: collins oforma <[EMAIL PROTECTED]>
>Subject: REGUEST FOR YOUR URGENT CORPERATION;
>To: [EMAIL PROTECTED]
>MIME-Version: 1.0
>Content-Type: multipart/alternative; boundary="0-2060016952-1113308650=:64127"
>X-Envelope-Sender: <[EMAIL PROTECTED]>
>X-Envelope-Receiver: <[EMAIL PROTECTED]>
>X-Spam-RBLReport:  [127.0.0.4]
>["Blocked - see 
> http://www.spamcop.net/bl.shtml?80.248.64.59";]
>[216.109.112.135, 66.94.234.13]
>X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on snakepit.blah
>X-Spam-Level: *
>X-Spam-Status: No, score=1.2 required=6.0 tests=BAYES_40,HTML_30_40,
>   HTML_MESSAGE,RCVD_FAKE_HELO_DOTCOM,RCVD_IN_BL_SPAMCOP_NET,
>   SUBJ_ALL_CAPS,UPPERCASE_75_100 autolearn=no version=3.0.2
>X-Spam-Report: 
>   *  0.4 RCVD_FAKE_HELO_DOTCOM Received contains a faked HELO hostname
>   *  0.7 SUBJ_ALL_CAPS Subject is all capitals
>   *  0.0 HTML_30_40 BODY: Message is 30% to 40% HTML
>   * -1.1 BAYES_40 BODY: Bayesian spam probability is 20 to 40%
>   *  [score: 0.2193]
>   *  0.0 HTML_MESSAGE BODY: HTML included in message
>   *  1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in 
> bl.spamcop.net
>   *  [Blocked - see ]
>   *  0.0 UPPERCASE_75_100 message body is 75-100% uppercase
>
>REGUEST FOR YOUR URGENT CORPERATION;
>
>I AM MR UCHIE OFORMA, MANAGER CREDIT AND ACCOUNTS DEPARTMENT OF AFRICAN 
>DEVELOPMENT BANK PLC.(ADB). I AM FORTY-FOUR 44 YEARS OLD. 
>
>I GOT YOUR CONTACT ON THE NET DURING MY GUEST FOR A
>RELIABLE AND REPUTABLE PERSON TO HANDLE A VERY
>CONFIDENTIAL BUSINESS, WHICH INVOLVES THE PATICIPATION OF A GOOD FORIEGNER.
>
>SIR, A BRITISH BUSINESS WOMAN BY NAME MISS CECILIA TRICIA SHANTYLA, A DRUG 
>BARON, WHO DEPOSITED TWO METTALIC TRUNK BOXES WORTHS (#. $.10, MILLIONS) WITH 
>OUR BANK FOR A LONG TIME, AND I WERE RELIABLY INFORMED THAT MISS CECILIA 
>TRICIA SHANTYLA HAS DIED SINCE 6TH OF JUNE 2000, AS A RESULT OF (HIV/AIDS). 
>WHILE HER NEXT OF KIN HAS NOT CALLED OR SHOWED UP TILL DATE,EVEN HER FAMILY 
>MEMBER OR RELATION, THE NATURE AND CONFIDENCIALITY OF THIS DEAL, IT IS ONLY MY 
>COLEAGUES IN THE FOREIGN EXCHANGE DEPARTMENT, I AM HERE TO MAKE SURE THAT YOU 
>KNOW ABOUT THIS SECRET. 
>
>NOW HER CONCERNMENT THAT WAS DEPOSITED IN MY BANK IS WHAT WE WSNT TO TRANSFER 
>INTO A FOREIGN ACCOUNT SINCE THE BENEFICIARY WAS A FORIEGNER AND NOW IS LATE, 
>AND NONE OF HER FAMILY MEMBERS OR RELATIONS HAD SHOW UP FOR OVER FOUR YEARS 
>TILL DATE.
>
>MY COLEAGUES AND I DON’T HAVE A FOREIGN ACCOUNT, THIS IS IMPOSSIBLE FOR US TO 
>ACQUIRE THIS MONEY BY OURSELVES, THIS IS WHY WE ARE CONNECTING YOU INTO THIS 
>BUSINESS SO AS TO USE YOUR FOREIGN ACCOUNT, BECAUSE WE HAVE PERFECTED ALL THE 
>NECESSARY ARRENGMENTS BEFORE YOUR CONTACT.
>
>IF YOU AGREE TO ASSIST US, WE WOULD AGREE TO SHARE
>THIS MONEY WITH YOU IN THE MUTUAL UNDERSTANDING OF“YOU KEEP 20%” WHILE “ME AND 
>MY COLEAGUES KEEP 70%”AND 10% WILL BE KEEP-ASSIDE TO COMPERCENT FOR EXPENSES 
>DURING THE TRANFER FEES:
>
>AS I AM ALMOST DUE FOR RETIREMENT: THEREAFTER I WILL
>VISIT YOUR COUNTRY FOR MUTUAL SHARING, YOU MUST
>HOWEVER NOTE, THAT THIS DEAL IS SUBJECT OF SECRET,
>TRUSTWORTHINESS, AND FASTER COMMUNICATIONS.
>
>YOURS FAITHFULLY
>
>MR  UCHIE OFORMA
>
>
>-
>Yahoo! Messenger
>Show us what our next emoticon should look like. Join the fun.
>
>-
>Do you Yahoo!?
>Better first dates. More second dates. Yahoo! Personals 
>

RE: OT: Do spammers have a sense of humor?

2005-04-12 Thread Kurt Buff
Heh.

I'm a She-Hulk fan myself. Talk about your powerful woman icon!

> -Original Message-
> From: Chris Santerre [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 12, 2005 07:27
> To: Kurt Buff; users@spamassassin.apache.org
> Subject: RE: OT: Do spammers have a sense of humor?
> 
> 
> Well thanks for ruining another childhood fantasy of mine! I suppose next
> you will tell me that wonderwoman is Swedish for "House maid"? Well I still
> don't care, she can lasso me up! 
> 
> --Chris
> 
> >-Original Message-
> >From: Kurt Buff [mailto:[EMAIL PROTECTED]
> >Sent: Monday, April 11, 2005 8:12 PM
> >To: 'Matthew Lenz'; users@spamassassin.apache.org
> >Subject: RE: OT: Do spammers have a sense of humor?
> >
> >
> >Most people reading this list are probably not aware that batman has a
> >slightly different meaning to some people in current/former British
> >colonies. A batman was someone who acted something like a personal servant
> >to British military staff, mostly officers, I believe. 
> >
> >He wasn't the caped denizen of the night known from DC comics, for many
> >people - he was the fellow who shined shoes, picked up and dropped off
> >laundry, did some shopping, things like that.
> >
> >I'm guessing that that's where this name may have come from.
> >
> >Kurt 
> >
> >> -Original Message-
> >> From: Matthew Lenz [mailto:[EMAIL PROTECTED]
> >> Sent: Monday, April 11, 2005 16:58
> >> To: users@spamassassin.apache.org
> >> Subject: Re: OT: Do spammers have a sense of humor?
> >> 
> >> 
> >> I got a phishing scam email from one 'Batman Cole' .. batman? 
> >> ... goood 
> >> lord. hehe
> >> 
> >> - Original Message - 
> >> From: "David B Funk" <[EMAIL PROTECTED]>
> >> To: 
> >> Sent: Monday, April 11, 2005 6:23 PM
> >> Subject: Re: OT: Do spammers have a sense of humor?
> >> 
> >> 
> >> > On Sat, 9 Apr 2005, List Mail User wrote:
> >> >
> >> >> Obviously, you've never noticed contact emails at 
> >> iamaspammer. com:)
> >> >>
> >> >> Paul Shupak
> >> >> [EMAIL PROTECTED]
> >> >>
> >> >> P.S. "Manila Industries, Inc." of Thailand provides many 
> >> domains for spam
> >> >> support services.
> >> >
> >> > Yes, almost as good a trick as what OnlineNIC.com has pulled.
> >> > Check out the registration for "pykb. com"
> >> >
> >> > They've managed to relocate the whole Henan province to 
> Australia.
> >> > Must make it tough for the Chinese postal delivery people:
> >> > "OK, what continent is Henan on this week?" ;)
> >> >
> >> > -- 
> >> > Dave Funk  University of Iowa
> >> > College of Engineering
> >> > 319/335-5751   FAX: 319/384-0549   1256 Seamans Center
> >> > Sys_admin/Postmaster/cell_adminIowa City, IA 
> 52242-1527
> >> > #include 
> >> > Better is not better, 'standard' is better. B{
> >> > 
> >> 
> >
> >
> >  
> >
> 


  



RE: Arithmetic score for replaced O's and I's?

2005-04-12 Thread Chris Santerre


>-Original Message-
>From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, April 12, 2005 3:14 PM
>To: SA Users List
>Subject: Re: Arithmetic score for replaced O's and I's?
>
>
>On Tue, Apr 12, 2005 at 03:10:19PM -0400, Jim Maul wrote:
>> Sort of.  You wanted to count them,  while it sounds as if 
>this poster 
>> just wants to detect them.  There is a big difference there.
>
>BTW: detecting them accurately is actually pretty difficult depending
>on what kind of mails you get.
>
>FYI: 3.1 is going to have semi-generic obfuscation support that will
>look for certain words being obfuscated (you can trivially add your
>own words as new rules...)  There's 2 versions right now that are being
>merged down into 1 for the release. :)

---
|Theo   ||  is   ||talking|
---
---
|about  || tables||  in   |
---
---
|emails ||   ||   |
---

--Chris (Still eating Easter Candy!)


Re: SpamAssassin Suddenly Not Catching Spam

2005-04-12 Thread Jake Colman

Forgive my ignorance...

I assume that "negatively-scored" means that it is less likely to be spam,
correct?

Here is an example of a message that should have been flagged:

X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,HTML_10_20,
HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
SARE_RECV_IP_218071,SPF_HELO_PASS,TW_GK,URIBL_SBL autolearn=no version=3.0.2

How do I read this and what do I do with this?  I assume this is what you
were asking me to look at, right?

...Jake

> "KP" == Kevin Peuhkurinen <[EMAIL PROTECTED]> writes:

   KP> You can begin by looking at the headers of false negatives and see
   KP> what rules they are hitting.  Are they hitting any negatively-scored
   KP> rules?

   KP> Jake Colman wrote:

   >> I upgraded from SA 2.x to 3.x a few weeks ago.  I also installed the Rules Du
   >> Jour script for maintaining SARE files.  After doing all this the amount of
   >> spam caught by SA increased dramatically.  All was well.
   >> 
   >> A few days ago I suddenly started having spam get through just like the bad
   >> days prior to my upgrade.  Is there some way for me to figure out why SA is
   >> not doing its thing for me?
   >> 
   >> 
   >> 

-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com



Secondary relay rule (was: Do spammers have a sense of humor?)

2005-04-12 Thread Pierre Thomson
Paul, Fred and others who might wonder:

Since SA is only running on my primary relay, and the secondary is located on 
an internal network (though physically distant), I simply look for mail that 
includes the internal IP of the secondary in the last "hop".

header FROM_M2   Received =~ /192\.168\.6\.15.{1,20}by mail1\.mydomain\.com/
describe FROM_M2 relayed by mail2.mydomain.com
score FROM_M2    1.0

"mail1.mydomain.com" is the primary relay running SA, and "192.168.6.15" is the 
IP of the secondary.  Make these match what you see in your headers and the 
rule should work.

As far as "when the primary is up", that is not entirely accurate.  This rule 
is always in effect.  Of course, if the primary really went down it would need 
manual intervention, including setting this rule's score to zero until all mail 
stored and forwarded by the secondary is processed.  I have only done this once 
in a couple years of operation; our primary is running a very stable OS distro 
and we are on a redundant fiber loop.  Besides, 1 point won't cause an FP 
disaster in our scoring scenario.

I suppose I could write a script that checks for loss of connectivity on the 
primary and adjusts the score accordingly.  But I haven't felt the need.

Regards,
Pierre



-Original Message-
From: Pettit, Paul [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 12, 2005 2:28 PM
To: users@spamassassin.apache.org
Subject: RE: OT: Do spammers have a sense of humor?


> Pierre Thomson wrote: 
> 
> Fortunately SA (2.64) 
> saw through it and nailed this using Bayes, DCC, and a custom 
> rule that penalizes mail coming through the secondary relay 
> when the primary is up.
> 

Would you be willing to post that custom rule? I get a number of those kind
of spams and haven't been able to figure out how to tag them correctly. I
use 2.64 as well so compatibility is not an issue. :)



Re: Arithmetic score for replaced O's and I's?

2005-04-12 Thread Matt Thoene
On Tuesday, April 12, 2005 @ 12:14:02 PM [-0700], Theo Van Dinter wrote:

> On Tue, Apr 12, 2005 at 03:10:19PM -0400, Jim Maul wrote:
>> Sort of.  You wanted to count them,  while it sounds as if this poster
>> just wants to detect them.  There is a big difference there.

> BTW: detecting them accurately is actually pretty difficult depending
> on what kind of mails you get.

> FYI: 3.1 is going to have semi-generic obfuscation support that will
> look for certain words being obfuscated (you can trivially add your
> own words as new rules...)  There's 2 versions right now that are being
> merged down into 1 for the release. :)

Great! Thanks.

> Randomly Generated Tagline:
> Futurama is brought to you by Thompson's Teeth, the
> only teeth strong enough to eat other teeth.

And the above sent a diet coke through my nose. Classic.

-- 
Matt   



Re: Arithmetic score for replaced O's and I's?

2005-04-12 Thread Theo Van Dinter
On Tue, Apr 12, 2005 at 03:10:19PM -0400, Jim Maul wrote:
> Sort of.  You wanted to count them,  while it sounds as if this poster 
> just wants to detect them.  There is a big difference there.

BTW: detecting them accurately is actually pretty difficult depending
on what kind of mails you get.

FYI: 3.1 is going to have semi-generic obfuscation support that will
look for certain words being obfuscated (you can trivially add your
own words as new rules...)  There's 2 versions right now that are being
merged down into 1 for the release. :)

-- 
Randomly Generated Tagline:
Futurama is brought to you by Thompson's Teeth, the 
 only teeth strong enough to eat other teeth.




Re: Arithmetic score for replaced O's and I's?

2005-04-12 Thread Jim Maul
Chris Conn wrote:

Matt Thoene wrote:
Does anyone have a good custom arithmetic score for spam that has a
whole bunch of o's and l's replaced with zeros and "|"? Example of
part of an l replacement spam body below...
Yap International, Inc.(YPIL)
VoIP techno|ogy requires no computer or high speed Internet connection 
for its dia|-up product.
Current Price: $ 0.15
Watch This Stock Tuesday Some of These Little VOIP Stocks Have Been 
Rea|ly Moving Lately.

Hello,
I believe I asked for this a few days ago and was told that I would need 
to write a plugin to do this =)


Sort of.  You wanted to count them,  while it sounds as if this poster 
just wants to detect them.  There is a big difference there.

-Jim


Re: random rudeness!

2005-04-12 Thread List Mail User
>...
>
>okay, this all makes sense.  Thanks.
>
>I see manlove .com has been listed already.  Do rfc-ignorant take action 
>on the bogus whois information with the registrar or is that another step?
>
>Regards,
>
>Rob
>
Yes, I nominated it this morning, and it was accepted a few minutes
later.  Filing with the registrar for ".com"'s means filling out the form
at wdprs.internic.net and is completely separate.  RFCI is just an organization
like SURBL or Spamhaus, with no ability to "enforce" anything themselves.  The
second posting caused me to look at it (and now a few more people too).  Also,
everybody reading this should use SpamCop, if nothing else so that these sites
make the SURBL [sc] list also.

Paul Shupak
[EMAIL PROTECTED]

P.S. You could use some of the rules in Bugzilla #4104 to get the benefit of
rfci listings (though a better set of scores should be calculated).  Also,
finishing and submitting the code for Bugzilla #4106 would have caught the
already listed name servers (given 4104 is added also).


Re: Arithmetic score for replaced O's and I's?

2005-04-12 Thread Matt Thoene
On Tuesday, April 12, 2005 @ 11:42:37 AM [-0700], Chris Conn wrote:

> Hello,

> I believe I asked for this a few days ago and was told that I would need
> to write a plugin to do this =)

Hmmm...shouldn't have to. I know the basic layout of what it should
look like, I just suck at regex. It should be similar to below...

body CHECK_1  (SOME REGEX I DON'T KNOW1)
body CHECK_2  (SOME REGEX I DON'T KNOW2)
body CHECK_3  (SOME REGEX I DON'T KNOW3)
meta LOCAL_MULTIPLE_TESTS (( CHECK_1 + CHECK_2 + CHECK_3) > 3)
score LOCAL_MULTIPLE_TESTS 10

Am I close?

-- 
Matt   
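
The counting idea from this thread, as an added example in Python rather than SpamAssassin rule syntax (it is not code from any poster or from SpamAssassin): it counts every word with "|" standing in for "l" or "0" for "o" and compares the total with a threshold. The spam text is the body quoted in the thread; the table, the zero-substitution sample, the threshold of 3 and all names are constructed for illustration.

```python
import re

# Body text quoted in the thread.
SAMPLE_SPAM = """\
Yap International, Inc.(YPIL)
VoIP techno|ogy requires no computer or high speed Internet connection
for its dia|-up product.
Current Price: $ 0.15
Watch This Stock Tuesday Some of These Little VOIP Stocks Have Been
Rea|ly Moving Lately.
"""

# Constructed: an ASCII table in a legitimate mail, where pipes are cell borders.
SAMPLE_TABLE = """\
|Theo   ||  is   ||talking|
|about  || tables||  in   |
"""

# A pipe only counts when it sits inside a word: letters before it and a
# letter or hyphen after it ("dia|-up"). Cell borders next to spaces, line
# ends or other pipes do not match.
PIPE_FOR_L = re.compile(r"\b[A-Za-z]+\|[A-Za-z-]+")

# A zero only counts when it has letters on both sides ("St0ck"), so prices
# such as "0.15" are ignored.
ZERO_FOR_O = re.compile(r"\b[A-Za-z]+0[A-Za-z]+\b")


def obfuscation_hits(text):
    """Return the matching words, grouped by substitution type."""
    return {
        "pipe_for_l": PIPE_FOR_L.findall(text),
        "zero_for_o": ZERO_FOR_O.findall(text),
    }


def obfuscation_count(text):
    """Total number of obfuscated-looking words (a count, not a yes/no per rule)."""
    return sum(len(words) for words in obfuscation_hits(text).values())


def looks_obfuscated(text, threshold=3):
    """Detection decision: enough hits to rule out a stray pipe or zero.
    Compact pipe-separated data ("id|name|mail") still produces a hit,
    which is why a single match is not treated as spam."""
    return obfuscation_count(text) >= threshold


def restore(word):
    """Undo the substitution so the hit can be reviewed as plain text."""
    return word.replace("|", "l").replace("0", "o")


if __name__ == "__main__":
    for kind, words in obfuscation_hits(SAMPLE_SPAM).items():
        for w in words:
            print(f"{kind}: {w} -> {restore(w)}")
    print("spam sample flagged:", looks_obfuscated(SAMPLE_SPAM))
    print("table sample flagged:", looks_obfuscated(SAMPLE_TABLE))
```
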



Re: SpamAssassin Suddenly Not Catching Spam

2005-04-12 Thread Kevin Peuhkurinen
You can begin by looking at the headers of false negatives and see what 
rules they are hitting.   Are they hitting any negatively-scored rules?  

Jake Colman wrote:
I upgraded from SA 2.x to 3.x a few weeks ago.  I also installed the Rules Du
Jour script for maintaining SARE files.  After doing all this the amount of
spam caught by SA increased dramatically.  All was well.
A few days ago I suddenly started having spam get through just like the bad
days prior to my upgrade.  Is there some way for me to figure out why SA is
not doing its thing for me?
 



Re: spamcheck.py ... what happened to it?

2005-04-12 Thread Justin Mason

Marc G. Fournier writes:
> it used to be in contrib, but 3.x doesn't appear to have it anymore ... 
> has it moved?  just trashed altogether?  is there a better way of doing 
> lmtp-level scanning between postfix and cyrus-imapd?

I'm not *sure* but I think we may have had to remove it from the distro
and move it to a non-ASF download location [1], due to the lack of a CLA.

  [1]: http://old.spamassassin.org/released/contrib/spamcheck.py

yep, that was it: http://bugzilla.spamassassin.org/show_bug.cgi?id=2698
notes that a CLA was never received.

- --j.



SpamAssassin Suddenly Not Catching Spam

2005-04-12 Thread Jake Colman

I upgraded from SA 2.x to 3.x a few weeks ago.  I also installed the Rules Du
Jour script for maintaining SARE files.  After doing all this the amount of
spam caught by SA increased dramatically.  All was well.

A few days ago I suddenly started having spam get through just like the bad
days prior to my upgrade.  Is there some way for me to figure out why SA is
not doing its thing for me?

-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com



spamcheck.py ... what happened to it?

2005-04-12 Thread Marc G. Fournier
it used to be in contrib, but 3.x doesn't appear to have it anymore ... 
has it moved?  just trashed altogether?  is there a better way of doing 
lmtp-level scanning between postfix and cyrus-imapd?

thanks ...

Marc G. Fournier   Hub.Org Networking Services (http://www.hub.org)
Email: [EMAIL PROTECTED]   Yahoo!: yscrappy  ICQ: 7615664


Re: Arithmetic score for replaced O's and I's?

2005-04-12 Thread Chris Conn

Matt Thoene wrote:
> Does anyone have a good custom arithmetic score for spam that has a
> whole bunch of o's and l's replaced with zeros and "|"? Example of
> part of an l replacement spam body below...
>
> Yap International, Inc.(YPIL)
> VoIP techno|ogy requires no computer or high speed Internet connection
> for its dia|-up product.
> Current Price: $ 0.15
> Watch This Stock Tuesday Some of These Little VOIP Stocks Have Been
> Rea|ly Moving Lately.

Hello,
I believe I asked for this a few days ago and was told that I would need 
to write a plugin to do this =)

Chris


Arithmetic score for replaced O's and I's?

2005-04-12 Thread Matt Thoene
Does anyone have a good custom arithmetic score for spam that has a
whole bunch of o's and l's replaced with zeros and "|"? Example of
part of an l replacement spam body below...

Yap International, Inc.(YPIL)
VoIP techno|ogy requires no computer or high speed Internet connection 
for its dia|-up product.
Current Price: $ 0.15
Watch This Stock Tuesday Some of These Little VOIP Stocks Have Been 
Rea|ly Moving Lately.

-- 
Regards,
 Matt 



RE: OT: Do spammers have a sense of humor?

2005-04-12 Thread Pettit, Paul
> Pierre Thomson wrote: 
> 
> Fortunately SA (2.64) 
> saw through it and nailed this using Bayes, DCC, and a custom 
> rule that penalizes mail coming through the secondary relay 
> when the primary is up.
> 

Would you be willing to post that custom rule? I get a number of those kind
of spams and haven't been able to figure out how to tag them correctly. I
use 2.64 as well so compatibility is not an issue. :)

Paul Pettit
CTO and IS Manager
Consistent Computer Bargains Inc.

I've heard it said that the proof of lunacy is when you repeat the same
steps expecting different results.  I say it's proof that you're a Microsoft
user. - comment by deshi777 on experts-exchange.com



Re: Removing SA headers

2005-04-12 Thread Matt Kettler
Mike Jackson wrote:

>
> As written, the rule would try to lock the spamassassin program, which
> might cause weird issues, and since it doesn't include the 'c' option
> it would simply throw away the message after removing the headers.
>
Thanks for the catch Mike. It's the details of what :0: vs :0 vs :0fc:
vs :0fw: do that I always forget about procmail. However, since I don't
even use procmail that's not very surprising :)


SQL install with mSQL driver

2005-04-12 Thread Gary W. Smith

Hello, 

I’m using 3.0.x on RHEL 3 right now in our production environment and was looking at setting up a new test environment.  We use MySQL for the common bayes DB which is working well for us in production.

Today I tried installing the same packages for Perl that I did for our production installs which require DBD::mSQL.  When I do an install of this package it fails miserably.  Googling around it appears that this package is, or is being, deprecated or unsupported.  

Is there an alternate package that I should be using?  Some of the articles I have read recommend that we use DBD::mysql instead of DBD::mSQL.  Does anyone know if this will work in place of the other package?

Gary Wayne Smith




Re: Removing SA headers

2005-04-12 Thread Mike Jackson
> Something like this inserted after your main call to SA:
> :0:
> * ^X-Spam-Status: No
> | spamassassin -d

Change the first line from:
:0:
to:
:0fc

As written, the rule would try to lock the spamassassin program, which might 
cause weird issues, and since it doesn't include the 'c' option it would 
simply throw away the message after removing the headers.



Re: Removing SA headers

2005-04-12 Thread Matt Kettler
.rp wrote:

>SA 2.64
>sendmail 8.13
>procmail
>
>SA is being called in the system wide procmail and not as a milter. 
>I would like to strip the SA X- headers for those emails that are not 
>considered spam. Is formail the only way to do this?
>
>  
>

No, you can use a procmail rule to funnel the non-spam messages into
spamassassin -d, which will remove the markup.

Take a look around at some of the procmail rules for funneling spam into
/dev/null and change it to funnel nonspam into spamassassin -d.

Something like this inserted after your main call to SA:
:0:
* ^X-Spam-Status: No
| spamassassin -d


WARNING: I'm not a procmail user, so I'm not sure that's 100% correct,
but it's the general idea





Re: Removing SA headers

2005-04-12 Thread Andy Jezierski

".rp" <[EMAIL PROTECTED]> wrote
on 04/12/2005 12:28:29 PM:

> SA 2.64
> sendmail 8.13
> procmail
>
> SA is being called in the system wide procmail and not as a milter.
> I would like to strip the SA X- headers for those emails that are not
> considered spam. Is formail the only way to do this?
>

Perhaps the following added to your local.cf

       remove_header { spam | ham | all } header_name
           Headers can be removed from the specified type of messages (spam,
           ham, or "all" to remove from either).  All headers begin with
           "X-Spam-" (so "header_name" will be appended to "X-Spam-").

           See also "clear_headers" for removing all the headers at once.

           Note that X-Spam-Checker-Version is not removable because the
           version information is needed by mail administrators and
           developers to debug problems.  Without at least one header, it
           might not even be possible to determine that SpamAssassin is
           running.

Andy

Removing SA headers

2005-04-12 Thread .rp
SA 2.64
sendmail 8.13
procmail

SA is being called in the system wide procmail and not as a milter. 
I would like to strip the SA X- headers for those emails that are not 
considered spam. Is formail the only way to do this?



How to filter chinese and japanese characters

2005-04-12 Thread bruno . delladucata




Hello All

I must configure a centralized SA to deliver mails world wide through Lotus
Notes.

Has someone knowledge how to configure SA for different languages /
character sets
and also custom filter rules?

I know only two entries in SA
ok_languages    en de ja cn
ok_locales      en de ja cn

But what if my users in japan wont build their own filter rules?

regards
Bruno



Re: SpamAssassin and Horde

2005-04-12 Thread Matt Kettler
Angelo Ayres Camargo wrote:

> Hello,
>  
> Mail sent from horde imp are being tagged as spam, this was discussed
> here before, searching the archives I found no solution. Anyone have
> any idea of how make mail from Horde/Imp not be tagged as spam?
>  
> Angelo

Angelo,

First, I assume you mean the thread with subject: Confused about
HELO_DYNAMIC_*

At the end of that thread we concluded it had nothing to do with IMP
whatsoever. Instead, it was a NATed mailserver triggering the broken
trust path problem.

If your inbound MX mailserver is NATed such that its IP is in a reserved
range (ie: 10.*, 192.168.*, 172.16.*, etc) you MUST declare
trusted_networks manually.

If you don't, ALL mail originating at dialup accounts that appear in the
Received: headers will be heavily penalized. That includes mail sent via
IMP by dialup users, but is not IMP specific. Mail sent by a dialup user
through even their own ISP's sendmail server will be subject to the same
problems.


See the wiki for details:

http://wiki.apache.org/spamassassin/TrustPath
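
The trust-path walk described above, as an added sketch that is not SpamAssassin's own code: it reads the Received chain newest-first and returns the first connecting address outside trusted_networks, which is the relay that dial-up and SPF tests then end up judging. The function names are hypothetical and the model is a simplification; the first sample is constructed, the second uses relay addresses quoted in the "about SPF" messages on this page.

```python
import ipaddress
import re

# Connecting address as recorded in square brackets by the receiving host.
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(received):
    """Return the peer IP from the 'from' clause of one Received header."""
    from_clause = re.split(r"\sby\s", received, maxsplit=1)[0]
    match = _BRACKETED_IP.search(from_clause)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # e.g. an octet above 255
        return None


def first_untrusted_relay(received_headers, trusted_networks):
    """Walk Received headers newest-first; return the first peer address
    that is outside trusted_networks, or None if every hop is trusted.

    Assumption (simplified model): a header is believed only because the
    host that wrote it was trusted, so the walk stops at the first
    outsider. Headers without a bracketed IP are skipped.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    for header in received_headers:
        ip = connecting_ip(header)
        if ip is None:
            continue
        if not any(ip in net for net in nets):
            return str(ip)
    return None


# Constructed sample: a dial-up user sending through the ISP's mail server.
DIALUP_VIA_ISP = [
    "from smarthost.isp.example (smarthost.isp.example [198.51.100.10])"
    " by mx.corp.example (10.1.1.2) with ESMTP; Tue, 12 Apr 2005 08:08:10 +0100",
    "from pc77.dialup.isp.example (pc77.dialup.isp.example [203.0.113.77])"
    " by smarthost.isp.example with ESMTP; Tue, 12 Apr 2005 08:08:05 +0100",
]

# Relay hops abbreviated from the list-delivered message in the "about SPF"
# thread on this page (hostnames and addresses as quoted there).
VIA_LIST = [
    "from mta09-winn.mailhost.ntl.com (smtpout17.mailhost.ntl.com [212.250.162.17])"
    " by marti.mine.nu with ESMTP",
    "from aamta01-winn.mailhost.ntl.com ([212.250.162.8])"
    " by mta09-winn.mailhost.ntl.com with ESMTP",
    "from mail.apache.org ([209.237.227.199])"
    " by aamta01-winn.mailhost.ntl.com with SMTP",
]

if __name__ == "__main__":
    own_hosts = ["127.0.0.0/8", "10.1.1.0/24"]
    # Correct boundary: the ISP's server is the relay that gets judged.
    print(first_untrusted_relay(DIALUP_VIA_ISP, own_hosts))
    # Trust extended one hop too far: the dial-up address is judged instead.
    print(first_untrusted_relay(DIALUP_VIA_ISP, own_hosts + ["198.51.100.10/32"]))
    # Only one of the ISP's outbound servers trusted: the walk stops at the
    # ISP's other server rather than at the list host.
    print(first_untrusted_relay(VIA_LIST, ["212.250.162.18/32"]))
    # Whole ISP range trusted: the walk reaches the list server.
    print(first_untrusted_relay(VIA_LIST, ["212.250.162.0/24"]))
```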



RE: about SPF

2005-04-12 Thread martin smith
M>
M>Could you please forward a few complete messages that 
M>incorrectly get an SPF fail with the patch applied.
M>
M>The patch has no effect on SPF_HELO tests.
M>
M>
M>Daryl
M>
Looks like I have to put mail.apache.org as a trusted server for this list
to pass the spf test, the email direct from you passed but the one via the
list failed:-

Return-Path: <[EMAIL PROTECTED]>
Received: from mta10-winn.mailhost.ntl.com (smtpout18.mailhost.ntl.com
[212.250.162.18])
by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id
j3C78AP5020927
for <[EMAIL PROTECTED]>; Tue, 12 Apr 2005 08:08:10 +0100
X-Envelope-From: [EMAIL PROTECTED]
Received: from aamta07-winn.mailhost.ntl.com ([212.250.162.8])
  by mta10-winn.mailhost.ntl.com with ESMTP
  id
<[EMAIL PROTECTED]
ntl.com>
  for <[EMAIL PROTECTED]>; Tue, 12 Apr 2005 08:08:10 +0100
Received: from smtp.film-tech.net ([66.98.221.156])
  by aamta07-winn.mailhost.ntl.com with ESMTP
  id
<[EMAIL PROTECTED]>
  for <[EMAIL PROTECTED]>; Tue, 12 Apr 2005 08:08:06 +0100
Received: from d141-175-19.home.cgocable.net (d141-175-19.home.cgocable.net
[24.141.175.19])
(authenticated user [EMAIL PROTECTED])
by smtp.film-tech.net (smtp.film-tech.net [66.98.221.156])
(Cipher TLSv1:RC4-MD5:128) (MDaemon.PRO.v6.8.5.R)
with ESMTP id 12-md5000258.tmp
for <[EMAIL PROTECTED]>; Tue, 12 Apr 2005 02:08:00 -0500
Received: from [192.168.123.141] (athlon.hamilton.dostech.net
[192.168.123.141] (may be forged))
(authenticated bits=0)
by d141-175-19.home.cgocable.net (8.12.8/8.12.8) with ESMTP id
j3C77tM4024697
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Tue, 12 Apr 2005 03:07:57 -0400
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 12 Apr 2005 03:08:04 -0400
From: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]>
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: martin smith <[EMAIL PROTECTED]>
CC: Spamassassin 
Subject: Re: about SPF
References:

In-Reply-To:

Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: [EMAIL PROTECTED]
X-MDRemoteIP: 24.141.175.19
X-Return-Path: [EMAIL PROTECTED]
X-MDaemon-Deliver-To: [EMAIL PROTECTED]
X-Virus-Scanned: by AMaViS - amavis-milter (http://www.amavis.org/)
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on marti.mine.nu
X-Spam-Level: 
X-Spam-Status: No, score=-5.9 required=5.0 tests=AWL,BAYES_00,SPF_PASS 
autolearn=ham
X-UIDL: SXH"!KW_!!>8n"!L=U!!

Return-Path: <[EMAIL PROTECTED]>
Received: from mta09-winn.mailhost.ntl.com (smtpout17.mailhost.ntl.com
[212.250.162.17])
by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id
j3C78Wvx020936
for <[EMAIL PROTECTED]>; Tue, 12 Apr 2005 08:08:33 +0100
X-Envelope-From:
[EMAIL PROTECTED]
Received: from aamta01-winn.mailhost.ntl.com ([212.250.162.8])
  by mta09-winn.mailhost.ntl.com with ESMTP
  id
<[EMAIL PROTECTED]
tl.com>
  for [EMAIL PROTECTED]>; Tue, 12 Apr 2005 08:08:33 +0100
Received: from mail.apache.org ([209.237.227.199])
  by aamta01-winn.mailhost.ntl.com with SMTP
  id
<[EMAIL PROTECTED]>
  for <[EMAIL PROTECTED]>; Tue, 12 Apr 2005 08:08:33 +0100
Received: (qmail 54938 invoked by uid 500); 12 Apr 2005 07:08:10 -
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
list-help: 
list-unsubscribe: 
List-Post: 
List-Id: 
Delivered-To: mailing list users@spamassassin.apache.org
Received: (qmail 54925 invoked by uid 99); 12 Apr 2005 07:08:10 -
X-ASF-Spam-Status: No, hits=-0.0 required=10.0
tests=SPF_PASS
Received-SPF: pass (hermes.apache.org: domain of [EMAIL PROTECTED]
designates 66.98.221.156 as permitted sender)
Received: from smtp.film-tech.net (HELO smtp.film-tech.net) (66.98.221.156)
  by apache.org (qpsmtpd/0.28) with ESMTP; Tue, 12 Apr 2005 00:08:06 -0700
Received: from d141-175-19.home.cgocable.net (d141-175-19.home.cgocable.net
[24.141.175.19])
(authenticated user [EMAIL PROTECTED])
by smtp.film-tech.net (smtp.film-tech.net [66.98.221.156])
(Cipher TLSv1:RC4-MD5:128) (MDaemon.PRO.v6.8.5.R)
with ESMTP id 12-md5000258.tmp
for ; Tue, 12 Apr 2005 02:08:00 -0500
Received: from [192.168.123.141] (athlon.hamilton.dostech.net
[192.168.123.141] (may be forged))
(authenticated bits=0)
by d141-175-19.home.cgocable.net (8.12.8/8.12.8) with ESMTP id
j3C77tM4024697
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Tue, 12 Apr 2005 03:07:57 -0400
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 12 Apr 2005 03:08:04 -0400
From: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]>
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
X-Accept-Language: en-us, en
MIME-Version: 

SpamAssassin and Horde

2005-04-12 Thread Angelo Ayres Camargo



Hello, 
 
Mail sent from horde imp are being tagged as spam, 
this was discussed here before, searching the archives I found no solution. 
Anyone have any idea of how make mail from Horde/Imp not be tagged as 
spam?
 
Angelo


Re: random rudeness!

2005-04-12 Thread Robert Brooks
List Mail User wrote:
> Start with your favorite version of "whois" (I like jwhois, because
> you seldom need to enter the registry).  Then learn the rules about what is
> required.  Lookup all the contacts' email domains - if you *really* want to
> get them check the email validity with telnet to the server.  Check all the
> domains with either nslookup or dig, paying particular attention to any 'MX'
> records - look them up separately checking for invalid addresses (i.e.
> 127.0.0.1 or MX's of address literals).  Keep going until things run in a
> circle (i.e. you stop finding new domains).  Check all the addresses with
> your favorite set of online maps (usually Yahoo! for North America, Mapquest
> for the rest of the world, but some places require more work).  Check the postal
> codes at the country's own postal authority if you can (usually the first or
> second line from Google with "Country_Name postal code") or from a few other
> sites (escapeartist is good as is statoids).  File everything you find wrong
> with rfc-ignorant and for international TLDs (e.g. ".com", ".net", ".org",
> ".biz", ".info", etc) file at wdprs.internic.net.  For other TLDs, you have
> to do whatever the specific grantor requires (but for ".us" - send email to
> the registrar and a "Cc:" [EMAIL PROTECTED]);  For Canada, use cira.ca, etc.
>
> With a little practice, it takes 1-3 minutes for most bogus domains.
> (Count on 15 minutes to an hour, until you get the hang of it).
>
> Ad nauseam (automated checking of the contacts' emails and the abuse@,
> postmaster@ and DSN addresses are good too).
>
> And also, if any of the emails you find is an MSN, Hotmail or in other
> MS domain or of an Outblaze customer (together, that's about 15% of all email
> accounts in the world) - send off an email with the copy of the spam - the
> account will be canceled - then tomorrow, the domain has become invalid.
>
> Start by reading the documents at www.arin.net, www.internic.net, and
> rfc-ignorant.org.
>
> Also, remember, many spam friendly registrars won't do anything until
> forced to by the overriding authority - good cases take 15-20 days for the
> domain to die, bad ones can take 3-4 months;  But you can blacklist them in
> almost no time.
>
> Good luck and have fun hunting (nobody spams my domains and gets off
> clean!),
>
> Paul Shupak
> [EMAIL PROTECTED]
>
> P.S. The "real" finds are the rare invalid netblock or ASN, but that can wait
> until you learn to check domains.

okay, this all makes sense.  Thanks.
I see manlove .com has been listed already.  Do rfc-ignorant take action 
on the bogus whois information with the registrar or is that another step?

Regards,
Rob
--
Robert Brooks,   Network Manager,  Cable & Wireless UK
<[EMAIL PROTECTED]> http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7339 8600  Fax: +44 (0)20 7339 8601
-  Help Microsoft stamp out piracy.  Give Linux to a friend today!   -


Re: random rudeness!

2005-04-12 Thread List Mail User
>...
>
>List Mail User wrote:
>>  Did either of you try listing himlove. com (invalid telephone/fax),
>> or notice that the contacts' email is from a non-existent domain,
>> heroutside. com.  Or that the name servers in carr821. com also have
>> an invalid address.  Or that the contact domain from the DNS servers,
>> narod. ru have an invalid registration.  Or that the name server domain
>> for narod. ru of yandex. ru also has an invalid registration ...
>> 
>>  I gave up after about 8.
>> 
>>  You have to realize when some idiot has just invited you to get rid
>> of a half dozen or so spam and spam support domains.
>
>a short howto to the list would be good ;-)
>
>-- 
>Robert Brooks,   Network Manager,  Cable & Wireless UK
><[EMAIL PROTECTED]> http://hyperlink-interactive.co.uk/
>Tel: +44 (0)20 7339 8600  Fax: +44 (0)20 7339 8601
>-  Help Microsoft stamp out piracy.  Give Linux to a friend today!   -
>

Start with your favorite version of "whois" (I like jwhois, because
you seldom need to enter the registry).  Then learn the rules about what is
required.  Lookup all the contacts' email domains - if you *really* want to
get them check the email validity with telnet to the server.  Check all the
domains with either nslookup or dig, paying particular attention to any 'MX'
records - look them up separately checking for invalid addresses (i.e.
127.0.0.1 or MX's of address literals).  Keep going until things run in a
circle (i.e. you stop finding new domains).  Check all the addresses with
your favorite set of online maps (usually Yahoo! for North America, Mapquest
for the rest of the world, but some places require more work).  Check the postal
codes at the country's own postal authority if you can (usually the first or
second line from Google with "Country_Name postal code") or from a few other
sites (escapeartist is good as is statoids).  File everything you find wrong
with rfc-ignorant and for international TLDs (e.g. ".com", ".net", ".org",
".biz", ".info", etc) file at wdprs.internic.net.  For other TLDs, you have
to do whatever the specific grantor requires (but for ".us" - send email to
the registrar and a "Cc:" [EMAIL PROTECTED]);  For Canada, use cira.ca, etc.

With a little practice, it takes 1-3 minutes for most bogus domains.
(Count on 15 minutes to an hour, until you get the hang of it).

Ad nauseam (automated checking of the contacts' emails and the abuse@,
postmaster@ and DSN addresses are good too).

And also, if any of the emails you find is an MSN, Hotmail or in other
MS domain or of an Outblaze customer (together, that's about 15% of all email
accounts in the world) - send off an email with the copy of the spam - the
account will be canceled - then tomorrow, the domain has become invalid.

Start by reading the documents at www.arin.net, www.internic.net, and
rfc-ignorant.org.

Also, remember, many spam friendly registrars won't do anything until
forced to by the overriding authority - good cases take 15-20 days for the
domain to die, bad ones can take 3-4 months;  But you can blacklist them in
almost no time.

Good luck and have fun hunting (nobody spams my domains and gets off
clean!),

Paul Shupak
[EMAIL PROTECTED]

P.S. The "real" finds are the rare invalid netblock or ASN, but that can wait
until you learn to check domains.
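
The MX step of the procedure above (an MX pointing at 127.0.0.1 or at an address literal), as an added example that is not part of the original post. It goes slightly further by also flagging private ranges and MX targets with no A record; the function names, domain names and DNS answers are constructed, and the lookups are supplied as text so the check runs offline.

```python
import ipaddress

# Ranges that can never be a working public mail exchanger.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]


def parse_mx(dig_output):
    """Parse `dig +short MX <domain>` text into sorted (preference, target)."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def bogus_mx(dig_output, a_records):
    """Return (target, reason) for every MX record that cannot be valid.

    a_records maps each MX hostname to the addresses a separate A lookup
    returned for it (hypothetical input format for this example).
    """
    findings = []
    for _pref, target in parse_mx(dig_output):
        try:
            ipaddress.ip_address(target)
        except ValueError:
            pass  # a hostname, as an MX target must be
        else:
            findings.append((target, "MX target is an address literal"))
            continue
        addresses = a_records.get(target, [])
        if not addresses:
            findings.append((target, "MX target has no A record"))
        for addr in addresses:
            ip = ipaddress.ip_address(addr)
            if any(ip in net for net in NON_ROUTABLE):
                findings.append((target, "MX target resolves to " + addr))
    return findings


# Constructed lookup results for a made-up domain.
SAMPLE_MX = """\
20 127.0.0.1.
10 mail.bogus-shop.example.
30 mx2.bogus-shop.example.
40 gone.bogus-shop.example.
"""
SAMPLE_A = {
    "mail.bogus-shop.example": ["127.0.0.1"],
    "mx2.bogus-shop.example": ["198.51.100.25"],
}

if __name__ == "__main__":
    for target, reason in bogus_mx(SAMPLE_MX, SAMPLE_A):
        print(target, "-", reason)
```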


RE: OT: Do spammers have a sense of humor?

2005-04-12 Thread Andy Jezierski

HOLY British Military Servant Batman!

Be careful Robin, this might be spam.
 To the bat-computer!


Sorry, couldn't resist!   :-D


Kurt Buff <[EMAIL PROTECTED]> wrote on 04/11/2005 07:11:41 PM:

> Most people reading this list are probably not aware that batman has a
> slightly different meaning to some people in current/former British
> colonies. A batman was someone who acted something like a personal servant
> to British military staff, mostly officers, I believe.
>
> He wasn't the caped denizen of the night known from DC comics, for many
> people - he was the fellow who shined shoes, picked up and dropped off
> laundry, did some shopping, things like that.
>
> I'm guessing that that's where this name may have come from.
>
> Kurt
>
> > -Original Message-
> > From: Matthew Lenz [mailto:[EMAIL PROTECTED]
> > Sent: Monday, April 11, 2005 16:58
> > To: users@spamassassin.apache.org
> > Subject: Re: OT: Do spammers have a sense of humor?
> >
> >
> > I got a phishing scam email from one 'Batman Cole' .. batman?
> > ... goood
> > lord. hehe
> >
> > - Original Message -
> > From: "David B Funk" <[EMAIL PROTECTED]>
> > To:
> > Sent: Monday, April 11, 2005 6:23 PM
> > Subject: Re: OT: Do spammers have a sense of humor?
> >
> >
> > > On Sat, 9 Apr 2005, List Mail User wrote:
> > >
> > >> Obviously, you've never noticed contact emails at
> > iamaspammer. com:)
> > >>
> > >> Paul Shupak
> > >> [EMAIL PROTECTED]
> > >>
> > >> P.S. "Manila Industries, Inc." of Thailand provides many
> > domains for spam
> > >> support services.
> > >
> > > Yes, almost as good a trick as what OnlineNIC.com has pulled.
> > > Check out the registration for "pykb. com"
> > >
> > > They've managed to relocate the whole Henan province to Australia.
> > > Must make it tough for the Chinese postal delivery people:
> > > "OK, what continent is Henan on this week?" ;)
> > >
> > > --
> > > Dave Funk                              University of Iowa
> > >                                        College of Engineering
> > > 319/335-5751   FAX: 319/384-0549       1256 Seamans Center
> > > Sys_admin/Postmaster/cell_admin        Iowa City, IA 52242-1527
> > > #include
> > > Better is not better, 'standard' is better. B{


RE: OT: Do spammers have a sense of humor?

2005-04-12 Thread Gray, Richard
These spams are a personal favorite of mine, because they carry with
them the slim chance that they are in fact perfectly legitimate
messages. Imagine my girlfriend saw that I had received this, I would
have to try and explain myself without pointing out forged headers etc!

R 

> -Original Message-
> From: Pierre Thomson [mailto:[EMAIL PROTECTED] 
> Sent: 12 April 2005 15:13
> To: users@spamassassin.apache.org
> Subject: RE: OT: Do spammers have a sense of humor?
> 
> Just fished this one out of the spambox:
> 
> >Your exclusive night has been confirmed with Erika. 
> >
> >Time: ASAP
> >Location: Either Home within 1.2 miles of you
> >Attire: Dress casual
> >Expectation(s): To get right to it.
> >Quote from Janice: "I've got a nice house open to you! I'm 
> alone these next few weeks and I hope we can make it full of 
> action & excitement. I'm sure once you see my picture you 
> will be on your way over. Can't wait!"
> >
> >Confirmation: It is up to you to hold your time with 
> Patricia. Please confirm within the site to validate your visit.
> 
> Wow, I'm confused.  Is it Erika, Janice or Patricia?  Come 
> on, spammers, get your act together!  Fortunately SA (2.64) 
> saw through it and nailed this using Bayes, DCC, and a custom 
> rule that penalizes mail coming through the secondary relay 
> when the primary is up.
> 
> pt
> 








RE: OT: Do spammers have a sense of humor?

2005-04-12 Thread Chris Santerre
Well thanks for ruining another childhood fantasy of mine! I suppose next
you will tell me that wonderwoman is Swedish for "House maid"? Well I still
don't care, she can lasso me up! 

--Chris

>-Original Message-
>From: Kurt Buff [mailto:[EMAIL PROTECTED]
>Sent: Monday, April 11, 2005 8:12 PM
>To: 'Matthew Lenz'; users@spamassassin.apache.org
>Subject: RE: OT: Do spammers have a sense of humor?
>
>
>Most people reading this list are probably not aware that batman has a
>slightly different meaning to some people in current/former British
>colonies. A batman was someone who acted something like a 
>personal servant
>to British military staff, mostly officers, I believe. 
>
>He wasn't the caped denizen of the night known from DC comics, for many
>people - he was the fellow who shined shoes, picked up and dropped off
>laundry, did some shopping, things like that.
>
>I'm guessing that that's where this name may have come from.
>
>Kurt 
>
>> -Original Message-
>> From: Matthew Lenz [mailto:[EMAIL PROTECTED]
>> Sent: Monday, April 11, 2005 16:58
>> To: users@spamassassin.apache.org
>> Subject: Re: OT: Do spammers have a sense of humor?
>> 
>> 
>> I got a phishing scam email from one 'Batman Cole' .. batman? 
>> ... goood 
>> lord. hehe
>> 
>> - Original Message - 
>> From: "David B Funk" <[EMAIL PROTECTED]>
>> To: 
>> Sent: Monday, April 11, 2005 6:23 PM
>> Subject: Re: OT: Do spammers have a sense of humor?
>> 
>> 
>> > On Sat, 9 Apr 2005, List Mail User wrote:
>> >
>> >> Obviously, you've never noticed contact emails at 
>> iamaspammer. com:)
>> >>
>> >> Paul Shupak
>> >> [EMAIL PROTECTED]
>> >>
>> >> P.S. "Manila Industries, Inc." of Thailand provides many 
>> domains for spam
>> >> support services.
>> >
>> > Yes, almost as good a trick as what OnlineNIC.com has pulled.
>> > Check out the registration for "pykb. com"
>> >
>> > They've managed to relocate the whole Henan province to Australia.
>> > Must make it tough for the Chinese postal delivery people:
>> > "OK, what continent is Henan on this week?" ;)
>> >
>> > -- 
>> > Dave Funk                              University of Iowa
>> >                                        College of Engineering
>> > 319/335-5751   FAX: 319/384-0549       1256 Seamans Center
>> > Sys_admin/Postmaster/cell_admin        Iowa City, IA 52242-1527
>> > #include 
>> > Better is not better, 'standard' is better. B{
>> > 
>> 
>
>
>  
>


Re: random rudeness!

2005-04-12 Thread Robert Brooks
List Mail User wrote:
> Did either of you try listing himlove. com (invalid telephone/fax),
> or notice that the contacts' email is from a non-existent domain,
> heroutside. com.  Or that the name servers in carr821. com also have
> an invalid address.  Or that the contact domain from the DNS servers,
> narod. ru have an invalid registration.  Or that the name server domain
> for narod. ru of yandex. ru also has an invalid registration ...
>
> I gave up after about 8.
>
> You have to realize when some idiot has just invited you to get rid
> of a half dozen or so spam and spam support domains.

a short howto to the list would be good ;-)

--
Robert Brooks,   Network Manager,  Cable & Wireless UK
<[EMAIL PROTECTED]> http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7339 8600  Fax: +44 (0)20 7339 8601
-  Help Microsoft stamp out piracy.  Give Linux to a friend today!   -


to sync or not to sync, that is the question - so confused

2005-04-12 Thread Peter Marshall
Hey,
I got this book (slightly outdated) called Spamassassin (by O'Reilly). 
Anyway, it says if you are going to sa-learn a bunch of directories in 
Maildir format you should do the following:

sa-learn --no-rebuild --spam mail/spam
sa-learn --no-rebuild ...blah.
sa-learn --no-rebuild --ham ...blah blah
sa-learn --rebuild

So I give that a go, and it gives messages to use sync and no-sync.
So I try again with those.  No errors this time, however, even after I 
get rid of all my mail (test account of course), in all directories, it 
still gives this output (which is different every time I run it ... here 
is the output after each time.  I ran it 3 times)

-first time
[EMAIL PROTECTED] Maildir]$ /etc/bayes.sh
Learned from 2 message(s) (2 message(s) examined).
Learned from 0 message(s) (3 message(s) examined).
Learned from 0 message(s) (3 message(s) examined).
Learned from 3 message(s) (3 message(s) examined).
synced Bayes databases from journal in 0 seconds: 20 unique entries (20 
total entries)
Nothing to move in MissedSpam - cur
Nothing to move in NotSpam - cur

--Second time
[EMAIL PROTECTED] Maildir]$ /etc/bayes.sh
Learned from 0 message(s) (2 message(s) examined).
Learned from 3 message(s) (3 message(s) examined).
Learned from 3 message(s) (3 message(s) examined).
Learned from 0 message(s) (3 message(s) examined).
synced Bayes databases from journal in 0 seconds: 24 unique entries (24 
total entries)
Nothing to move in MissedSpam - cur
Nothing to move in NotSpam - cur

---Third Time
[EMAIL PROTECTED] Maildir]$ /etc/bayes.sh
Learned from 2 message(s) (2 message(s) examined).
Learned from 0 message(s) (3 message(s) examined).
Learned from 0 message(s) (3 message(s) examined).
Learned from 3 message(s) (3 message(s) examined).
synced Bayes databases from journal in 0 seconds: 20 unique entries (20 
total entries)
Nothing to move in MissedSpam - cur
Nothing to move in NotSpam - cur

Note:  There is 1 message in the Inbox, and none anywhere else.
If I leave out the --no-sync options ... it gives no output .. (I 
assume this means nothing got learned.)  Here is my script.

Do I need to sync ?  I am going to be running this for every user on the 
box (as that user of course) in a cron job.

---The Script
#!/bin/sh
# Inbox
/usr/bin/sa-learn --no-sync --ham --dir ~/Maildir
# Spam Box
/usr/bin/sa-learn --no-sync --spam --dir ~/Maildir/.Spam
# Missed Spam
/usr/bin/sa-learn --no-sync --spam --dir ~/Maildir/.Spam.MissedSpam
# Not Spam
/usr/bin/sa-learn --sync --ham --dir ~/Maildir/.Spam.NotSpam
## Clean up spam Directories.
if [ "`\ls ~/Maildir/.Spam.MissedSpam/cur |wc -l`" -ne "0" ]; then
  mv ~/Maildir/.Spam.MissedSpam/cur/* ~/Maildir/.Spam
else
  echo "Nothing to move in MissedSpam - cur"
fi
if [ "`\ls ~/Maildir/.Spam.NotSpam/cur |wc -l`" -ne "0" ]; then
  mv ~/Maildir/.Spam.NotSpam/cur/* ~/Maildir/cur
else
  echo "Nothing to move in NotSpam - cur"
fi
---
Thank you for any help


RE: OT: Do spammers have a sense of humor?

2005-04-12 Thread Pierre Thomson
Just fished this one out of the spambox:

>Your exclusive night has been confirmed with Erika. 
>
>Time: ASAP
>Location: Either Home within 1.2 miles of you
>Attire: Dress casual
>Expectation(s): To get right to it.
>Quote from Janice: "I've got a nice house open to you! I'm alone these next 
>few weeks and I hope we can make it full of action & excitement. I'm sure once 
>you see my picture you will be on your way over. Can't wait!"
>
>Confirmation: It is up to you to hold your time with Patricia. Please confirm 
>within the site to validate your visit.

Wow, I'm confused.  Is it Erika, Janice or Patricia?  Come on, spammers, get 
your act together!  Fortunately SA (2.64) saw through it and nailed this using 
Bayes, DCC, and a custom rule that penalizes mail coming through the secondary 
relay when the primary is up.

pt


Re: random rudeness!

2005-04-12 Thread List Mail User
>...
>Robert Brooks wrote:
>> bizarre!
>>
>>  > Subject: intimate encounter
>>  >
>>  > Heyyy it's me %ASSHOLE... %OUT
>>  >
>>  > %PROFILE...%PART4
>>  >
>>  > http://himMUNGEDlove.com/d/8.php
>>
>
>I got the same damn thing ;)
>
>Subject: me out
>From: "Mrs.Sherman" <[EMAIL PROTECTED]>
>Date: Mon, 11 Apr 2005 23:08:01 -0300
>
>Heyz, it's me %ASSHOLE... %OUT
>
>%PROFILE...%PART4
>
>http://himMUNGEDlove.com/d/8.php
>
>-Jim
>
Did either of you try listing himlove. com (invalid telephone/fax),
or notice that the contacts' email is from a non-existent domain,
heroutside. com.  Or that the name servers in carr821. com also have
an invalid address.  Or that the contact domain from the DNS servers,
narod. ru have an invalid registration.  Or that the name server domain
for narod. ru of yandex. ru also has an invalid registration ...

I gave up after about 8.

You have to realize when some idiot has just invited you to get rid
of a half dozen or so spam and spam support domains.

Paul Shupak
[EMAIL PROTECTED]


RE: random rudeness!

2005-04-12 Thread Pierre Thomson
I recently got two in quick succession, one with variable names and one filled 
with random data, as in:

>Heyyy it's me Jennifer... my husband is out of town for two months... etc etc

At least we can match %ASSHOLE... that's not likely to appear in ham!  :)

Pierre




-Original Message-
From: Jim Maul [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 12, 2005 9:52 AM
To: users@spamassassin.apache.org
Subject: Re: random rudeness!


Robert Brooks wrote:
> bizarre!
> 
>  > Subject: intimate encounter
>  >
>  > Heyyy it's me %ASSHOLE... %OUT
>  >
>  > %PROFILE...%PART4
>  >
>  > http://himMUNGEDlove.com/d/8.php
> 

I got the same damn thing ;)

Subject: me out
From: "Mrs.Sherman" <[EMAIL PROTECTED]>
Date: Mon, 11 Apr 2005 23:08:01 -0300

Heyz, it's me %ASSHOLE... %OUT

%PROFILE...%PART4

http://himMUNGEDlove.com/d/8.php

-Jim


SARE rules for 3.0.2 users?

2005-04-12 Thread ROY,RHETT G



To those using 3.0.2 and the newer features (URI blacklists etc), what SARE
rules do you find supplement your spam catching?

Thanks,

Rhett Roy


Re: random rudeness!

2005-04-12 Thread Jim Maul
Robert Brooks wrote:
> bizarre!
>
>  > Subject: intimate encounter
>  >
>  > Heyyy it's me %ASSHOLE... %OUT
>  >
>  > %PROFILE...%PART4
>  >
>  > http://himMUNGEDlove.com/d/8.php
>

I got the same damn thing ;)

Subject: me out
From: "Mrs.Sherman" <[EMAIL PROTECTED]>
Date: Mon, 11 Apr 2005 23:08:01 -0300

Heyz, it's me %ASSHOLE... %OUT

%PROFILE...%PART4

http://himMUNGEDlove.com/d/8.php

-Jim


RE: Gateways, analyze first, insert into bayes later ?

2005-04-12 Thread Herold Heiko
> From: Matt Yackley [mailto:[EMAIL PROTECTED]
> Are you using a sitewide bayes DB?  This may affect your 

I will at first, I need to start as soon as possible, this means I'm
postponing the issue of finding out how to have on my mail gateway box
virtual users associated with the real smtp addresses I'll have to extract
from exchange (that at least I already know how to do easily, directory
export on exchange 5.5, ex2k+ from active directory).
For now everything will go into the "amavis" user bayes I suppose.

> I use a public folders for message submission, users can see 
> the folders, create

I suppose a public folder in order not to need access to individual
mailboxes with IMAP? That's another problem I've postponed: 90% of
our mail sits in public folders anyway, where a combination of ACLs, cdo
agents and custom forms simulates group mailboxes, by extending that
structure I can easily have a "Spam" folder in any group "mailbox" (PF
group). This means I'll have to pull more than one folder with IMAP (not a
big thing) but at least users won't need to change behaviour if later I
should go the "individual user bayes" route (with any real and any fake
"group mailbox PFs" will have one individual bayes).

> Are you thinking of having the users "push" the messages to the 
> relay server or pulling
> the message out of Exchange from the relay server?

Pull with Imap I think (another possibility would be extract with CDO/MAPI
and push, but that has the drawback of more encoding work).
At least until migration to ex2k*
In the meantime I found:
"Messages sent by an Internet user are not converted. Instead they are
retrieved by the IMAP4 client in the format the message was composed in."
(which is good)

> > If it is, I was thinking, Spamassassin did already analyse all those
> > (inbound) messages the first time when delivered.

snip

> This is something that I have talked about with the dev at 
> work.. perhaps use amavis
> or postfix (in my case) to save a copy of all messages, then 
> write something to pull
> the msg ID out of submitted messages and then pull the 
> "original" out of the "raw
> message store" on the relay server.  If MS can't fix my IMAP 
> header issue, then we
> may look at trying to write something.

I'd try to strip big binary attachments before storing, should probably save
lot of space.
Still I'd prefer going the analyse first, insert into bayes later route,
since it needs to store only bayes data, not whole emails (potentially huge
db). But that has the counterpart of needing a spamassassin patch.
For me it is a moot point for now anyway, not enough time, I'll try the imap
route first, think about a better solution later.

> Cheers,
> matt

Thanks to you!
Heiko

-- 
-- PREVINET S.p.A. www.previnet.it
-- Heiko Herold [EMAIL PROTECTED] [EMAIL PROTECTED]
-- +39-041-5907073 ph
-- +39-041-5907472 fax


Re: Unattended spamassassing installation

2005-04-12 Thread JamesDR
Oliver Schulze L. wrote:
> Hi,
> I'm new in SpamAssassin, and I just installed it.
> I'm running SA with Razor2 and Mimedefang. All is working fine.
> I wonder how unattended I can leave the installation in order for SA to
> continue detecting spam.
> Should I run some scripts every few days in order to keep the
> "definitions" up to date? Or does the Bayesian filter just keep learning
> and learning?
> Many thanks
> Oliver

Well, SA is always attended, by way of the headers. So, if you have a 
low volume of spam/ham you could probably leave it alone. There are 
scripts to update the rules, check the wiki for these.  Autolearn is ok, 
but this requires some watching to make sure your bayes isn't being 
corrupted by false learning.

My setup at work has a low volume of spam/ham and I only attend to it 
every other week on Friday to make sure everything is still working. I 
check the logs, make sure the db is still working (mysql) properly etc 
etc.  This goes along with the normal check of the other components of 
the system. I can see, with every mail, if sa is still working via the 
headers. If they stop appearing in the mails; I know then that something 
is not working properly.

My 2c
--
Thanks,
JamesDR




Help installing version 3.0.2

2005-04-12 Thread Matthias
Hello,
my attempts at installing SpamAssassin 3.0.2 for personal use have
failed.
Here is a log.

[avalyn] diba:~ <88> uname -a
Linux diba 2.4.26-1um #3 Thu Jun 3 22:56:55 UTC 2004 i686 unknown
(Debian)

[avalyn] diba:~/Mail-SpamAssassin-3.0.2 <92> perl Makefile.PL 
PREFIX=$HOME
What email address or URL should be used in the suspected-spam report
text for users who want more information on your filter installation?
(In particular, ISPs should change this to a local Postmaster contact)
default text: [the administrator of that system] [EMAIL PROTECTED]

Check network rules during 'make test' (test scripts may fail due to
network problems)? (y/n) [n] n

Warning: prerequisite Digest::SHA1 failed to load: Can't locate 
Digest/SHA1.pm in @INC (@INC contains: /usr/local/lib/perl/5.6.1 
/usr/local/share/perl/5.6.1 /usr/lib/perl5 /usr/share/perl5 
/usr/lib/perl/5.6.1 /usr/share/perl/5.6.1 /usr/local/lib/site_perl .) at 
(eval 11) line 3,  line 2.
Writing Makefile for Mail::SpamAssassin
Makefile written by ExtUtils::MakeMaker 5.45
[avalyn] diba:~/Mail-SpamAssassin-3.0.2 <93> 

[avalyn] diba:~/Mail-SpamAssassin-3.0.2 <93> make
cp spamd/spamd blib/script/spamd
/usr/bin/perl -I/usr/lib/perl/5.6.1 -I/usr/share/perl/5.6.1 
-MExtUtils::MakeMaker -e "MY->fixin(shift)" blib/script/spamd
cp sa-learn blib/script/sa-learn
/usr/bin/perl -I/usr/lib/perl/5.6.1 -I/usr/share/perl/5.6.1 
-MExtUtils::MakeMaker -e "MY->fixin(shift)" blib/script/sa-learn
/usr/bin/perl spamc/configure.pl --prefix="/home/avalyn/local" 
--sysconfdir="/home/avalyn/local/etc/mail/spamassassin" 
--datadir="/home/avalyn/local/share/spamassassin" --enable-ssl="no"
cd spamc
/usr/bin/perl version.h.pl
version.h.pl: creating version.h
spamc/configure.pl: version.h.pl: Failed to get the version from 
Mail::SpamAssassin.
Please use the --with-version= switch to specify it manually.

The error was:
version.h.pl: version.h.pl: version.h.pl: version.h.pl: version.h.pl: 
version.h.pl: version.h.pl: Can't locate Digest/SHA1.pm in @INC (@INC 
contains: ../lib /usr/local/lib/perl/5.6.1 /usr/local/share/perl/5.6.1 
/usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.6.1 
/usr/share/perl/5.6.1 /usr/local/lib/site_perl .) at 
../lib/Mail/SpamAssassin/EvalTests.pm line 33.
BEGIN failed--compilation aborted at 
../lib/Mail/SpamAssassin/EvalTests.pm line 33.
Compilation failed in require at 
../lib/Mail/SpamAssassin/PerMsgStatus.pm line 56.
BEGIN failed--compilation aborted at 
../lib/Mail/SpamAssassin/PerMsgStatus.pm line 56.
Compilation failed in require at ../lib/Mail/SpamAssassin.pm line 74.
BEGIN failed--compilation aborted at ../lib/Mail/SpamAssassin.pm line 
74.
Compilation failed in require at version.h.pl line 27.
make: *** [spamc/Makefile] Error 2
[avalyn] diba:~/Mail-SpamAssassin-3.0.2 <94> 

The source file tarball comes from the URL
http://spamassassin.apache.org/downloads.cgi

What can I do to solve this compilation error?

Thanks 
Matthias



Re: translation project (French)

2005-04-12 Thread Daniel Quinlan
John Wilcock <[EMAIL PROTECTED]> writes:

> The Wiki method seems like an excellent idea, and I'd be happy to help 
> with the French translations as time permits.

Cool.
 
> One suggestion to make the process even quicker and easier - would it be 
> possible to adapt your script to include the old translations as 
> comments (where a rule of the same name existed previously, of course)? 

Done.  I just made it make them all comments and you can edit at will.
The last one is generally the best (old is always after the new
translation if both exist).

> Better still, use the old translations directly if the English 
> description hasn't changed... (but still show the English in the file so 
> that wiki volunteers can check and possibly improve the translation).

Way too much work.  The first request was enough work.  :-)

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/


random rudeness!

2005-04-12 Thread Robert Brooks
bizarre!
> Subject: intimate encounter
>
> Heyyy it's me %ASSHOLE... %OUT
>
> %PROFILE...%PART4
>
> http://himMUNGEDlove.com/d/8.php
--
Robert Brooks,   Network Manager,  Cable & Wireless UK
<[EMAIL PROTECTED]> http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7339 8600  Fax: +44 (0)20 7339 8601
-  Help Microsoft stamp out piracy.  Give Linux to a friend today!   -


Re: translation project (French)

2005-04-12 Thread John Wilcock
Daniel Quinlan wrote:
> Okay, I'm starting an experiment to see if Wiki-based editing can start
> with some really bad machine-generated translations and get to the point
> where they are usable relatively quickly.  Anyone who reads and writes
> both French and English well can help.

The Wiki method seems like an excellent idea, and I'd be happy to help 
with the French translations as time permits.

> The old translations (last updated in 2003) are here:
>   http://spamassassin.apache.org/full/3.0.x/dist/rules/30_text_fr.cf

One suggestion to make the process even quicker and easier - would it be 
possible to adapt your script to include the old translations as 
comments (where a rule of the same name existed previously, of course)? 
Better still, use the old translations directly if the English 
description hasn't changed... (but still show the English in the file so 
that wiki volunteers can check and possibly improve the translation).

John.
--
-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr


Re: about SPF

2005-04-12 Thread Daryl C. W. O'Shea
martin smith wrote:
> M>I had the same problem.   It turns out that if the email is being
> M>relayed through trusted or internal hosts, SA will skip the
> M>SPF checks on the belief that it cannot trust that one of
> M>those hosts hasn't
> M>changed the envelope headers.   I ended up opening an enhancement
> M>request to allow an option to get SA to run the SPF checks if
> M>the admin
> M>is sure that the envelope headers are not being altered.   This will
> M>appear in 3.1, but there is a patch you can get if you want it
> M>earlier.   See http://bugzilla.spamassassin.org/show_bug.cgi?id=4140
> M>
>
> I applied the patch last night, now every email from this list comes up with
> SPF_FAIL, some also come up with SPF_HELO_PASS, will remove the patch when I
> get back from work, since it doesn't seem to be working correctly.
> Martin

Could you please forward a few complete messages that incorrectly get an 
SPF fail with the patch applied.

The patch has no effect on SPF_HELO tests.

Daryl


RE: about SPF

2005-04-12 Thread martin smith
M>I had the same problem.   It turns out that if the email is being 
M>relayed through trusted or internal hosts, SA will skip the 
M>SPF checks on the belief that it cannot trust that one of 
M>those hosts hasn't 
M>changed the envelope headers.   I ended up opening an enhancement 
M>request to allow an option to get SA to run the SPF checks if 
M>the admin 
M>is sure that the envelope headers are not being altered.   This will 
M>appear in 3.1, but there is a patch you can get if you want it 
M>earlier.   See http://bugzilla.spamassassin.org/show_bug.cgi?id=4140
M>

I applied the patch last night, now every email from this list comes up with
SPF_FAIL, some also come up with SPF_HELO_PASS, will remove the patch when I
get back from work, since it doesn't seem to be working correctly.

Martin



Unattended spamassassing installation

2005-04-12 Thread Oliver Schulze L.
Hi,
I'm new in SpamAssassin, and I just installed it.
I'm running SA with Razor2 and Mimedefang. All is working fine.
I wonder how unattended I can leave the installation in order for SA to
continue detecting spam.
Should I run some scripts every few days in order to keep the
"definitions" up to date? Or does the Bayesian filter just keep learning
and learning?
Many thanks
Oliver
--
Oliver Schulze L.
<[EMAIL PROTECTED]>


translation project (French)

2005-04-12 Thread Daniel Quinlan
Okay, I'm starting an experiment to see if Wiki-based editing can start
with some really bad machine-generated translations and get to the point
where they are usable relatively quickly.  Anyone who reads and writes
both French and English well can help.

Here it is:

  http://wiki.apache.org/spamassassin/TranslateFrench

To help:

  - create an account on the Wiki
  - begin editing (make sure you save every 10 minutes so your lock
is maintained)
  - don't edit if someone else is currently working and has a lock
since you'll lose your changes

The old translations (last updated in 2003) are here:

  http://spamassassin.apache.org/full/3.0.x/dist/rules/30_text_fr.cf

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/


Re: Gateways, analyze first, insert into bayes later ?

2005-04-12 Thread Matt Yackley
Hi Herold,

Are you using a sitewide bayes DB?  This may affect your choice of solutions,
I'm running sitewide, so my method may not work if you are using separate DBs
for all your users

Herold Heiko said:
> Newbie Alert - New to Spamassassin. Pondering enhancement to my current
> basic setup, which is a filter gateway in front of MS exchange.
> Filter gw is amavisd-new + dual-sendmail-setup + clamav+spamassassin 3.02.
>
> I'm looking how to feed back sorted spam/ham info into the spamassassin
> bayes database, skimming through the list archives I basically found people
> talking about some different possibilities I basically was thinking about,
> too:
>
> - feed msgs back the spam/ham with a "forward".

If you have to go with a "forward" option it would be best to "forward as
attachment" which would preserve the headers, but then creates an issue of
"unwrapping" the attached message, I've seen this mentioned many times, but
have never seen a script to do this :(

>
> - Have users sort Spam (and wrongly marked Ham) in different folder, attach
> with CDO or OLE automation of outlook. Users are happy, but the whole
> message would need reconstruction based on original headers, body and
> attachments, losing valuable information.

I use public folders for message submission, users can see the folders, create
messages in them, but can't view or change the contents.  At first we had the
users drag and drop messages into these folders, but navigation is a bit of a
pain.  Instead I worked/talked with a dev here at work and he wrote a small
plugin for Outlook that adds a "Learn as spam" and "Learn as Ham" button to the
main toolbar in Outlook.  The spam button "moves" a message to spam folder and
the "ham" button copies the message.  It's quick and easy for the users and has
been working well for us, now I just need time to document it a bit and release
it for others to use.
Now on to the other issues... :)

> - Have users sort Spam and Ham in different folder, extract with IMAP. Users
> are happy, headers should be fine, but still I think the original encoding
> used for body and attachments are lost, what we feed back to sa-learn is a
> freshly reencoded (by exchange) mail.

Are you thinking of having the users "push" the messages to the relay server or
pulling the message out of Exchange from the relay server?

Extracting messages from public folders via IMAP is somewhat broken in Ex 2000 &
2003, not sure about 5.5.  It tends to drop all headers except for received,
date, subject and inserts some of its own.  This isn't good, but my bayes still
works pretty darn well.  (I have a ticket open with MS about this)

> Anybody with more knowledge of the working of Spamassassin can tell me if
> the loss of the original encoding of body and attachments is a VERY BAD
> THING ?

I don't believe that bayes will process attachments in 3.x and above, the
encoding may change somewhat, but hopefully the majority of messages will be ok.
So I would say it's a bad or a not so good thing, but not a very bad
thing...overall

> If it is, I was thinking, Spamassassin did already analyse all those
> (inbound) messages the first time when delivered.
snip
>
> So we could save that information (for some time... say a couple of weeks,
> depends on size and so on) using the message-id as a key.
> Later then instead of sa-learn -spam  that info (extract the msg-id from the headers, retrieve analyze data from
> db) and feed it back.

This is something that I have talked about with the dev at work.. perhaps use
amavis or postfix (in my case) to save a copy of all messages, then write
something to pull the msg ID out of submitted messages and then pull the
"original" out of the "raw message store" on the relay server.  If MS can't fix
my IMAP header issue, then we may look at trying to write something.

> Anybody with better knowledge of the internal workings of SpamAssassin could
> tell me
> - if this is even necessary / useful ? After all I AM a newbie in this area,
> maybe there is some other easy way I didn't spot yet, OR the loss of the
> original encoding is not so important

I'll have to let someone else who knows more answer that one.


> Thanks
>
> Heiko Herold

If you want to go the public folder route, be sure to check out Nick Burch's
power-imap-sa-learn script. http://tirian.magd.ox.ac.uk/~nick/code/

Cheers,
matt
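
The raw-message-store lookup discussed above, as an added example that is not code from the thread. It assumes the submitted copy still carries its Message-ID header; the store path and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: find the original of a user-submitted message in a raw
# message store kept on the relay, keyed by Message-ID.
# STORE and the function names are hypothetical.
STORE=${STORE:-/var/spool/sa-raw-store}

# Print the Message-ID (with angle brackets) of a message file.
# Only the header block is read; folded header lines are unfolded.
msgid_of() {
    awk '
        /^\r?$/  { exit }                          # blank line: end of headers
        /^[ \t]/ { if (hdr) val = val $0; next }   # folded continuation line
        hdr      { exit }                          # Message-ID header complete
        tolower($0) ~ /^message-id:/ { hdr = 1; val = $0 }
        END { if (match(val, /<[^<>]+>/)) print substr(val, RSTART, RLENGTH) }
    ' "$1"
}

# The Message-ID is chosen by the sender, so it is never used as a file
# name directly; the store key is its SHA-256 digest.
store_key() {
    printf '%s' "$1" | sha256sum | cut -d ' ' -f 1
}

# Called on the relay for every message at delivery time.
store_message() {
    id=$(msgid_of "$1")
    [ -n "$id" ] || return 1
    cp -- "$1" "$STORE/$(store_key "$id")"
}

# Print the path of the stored original for a submitted copy, or fail.
find_original() {
    id=$(msgid_of "$1")
    [ -n "$id" ] || return 1
    path=$STORE/$(store_key "$id")
    [ -f "$path" ] && printf '%s\n' "$path"
}

# Learn from the stored original when there is one, otherwise from the
# submitted copy. $1 is --spam or --ham, $2 the submitted message.
learn_submitted() {
    if orig=$(find_original "$2"); then
        sa-learn "$1" "$orig"
    else
        sa-learn "$1" "$2"
    fi
}

# Drop stored originals after two weeks.
expire_store() {
    find "$STORE" -type f -mtime +14 -exec rm -f {} +
}
```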




Re: sa-learn causes fatal thrashing

2005-04-12 Thread Tristan Miller
Greetings.

On Monday 11 April 2005 13:38, Niek wrote:
> On 4/11/2005 9:31 AM +0100, Tristan Miller wrote:
> > I have 256 MB of RAM plus 243 MB of swap space.  Unfortunately,
> > upgrading RAM will not be a cheap fix as I am using a laptop with no
> > user-serviceable parts.
> >
> > Regards,
> > Tristan
>
> You could start spamd with only 1 child, to save some RAM.

I already do this.  But sa-learn doesn't depend on spamd anyway, does it?

Regards,
Tristan

-- 
   _
  _V.-o  Tristan Miller [en,(fr,de,ia)]  ><  Space is limited
 / |`-'  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  <>  In a haiku, so it's hard
(7_\\http://www.nothingisreal.com/   ><  To finish what you




RE: report_safe doesn't seem to work since FC3 upgrade

2005-04-12 Thread Chris Harvey
Anyone else seeing similar behavior!? I cannot find out what is wrong.

If I edit my sensitivity (require_hits) it's reflected in my logs, yet none
of these settings appear to be working:

report_safe 1
rewrite_header Subject **NEW_SPAM(_SCORE_)**

If I put the old settings back of:

rewrite_subject 1
subject_tag [SPAM]

I see it complain in the maillog file when I start up spamassassin.

Removing the report_safe option entirely also doesn't seem to make it work
even though it's the default.

Versions I'm using are:

Kernel 2.6.10-1.770_FC3
sendmail-8.13.1-2.i386.rpm
sendmail-cf-8.13.1-2.i386.rpm
spamassassin-3.0.2-0.fc3.i386.rpm
spamassassin-tools-2.60-1.i386.rpm
spamass-milter-0.3.0-1.1.fc3.rf.i386.rpm

Is really no-one else seeing this? I can't believe I'm the only person
seeing this?

Headers are being stuck into the messages just fine by the milter as is shown
in the log below, but subject isn't being written and neither are the
messages being encapsulated.

HELP!!?!!!


> > I upgraded to FC3 this last weekend and I just noticed today that the
> mail
> > in my junk folder are not encapsulated/wrapped like they were before.
> >
> > I checked my config file and have:
> >
> > required_hits 4.5
> > rewrite_header Subject **SPAM(_SCORE_)**
> > report_safe 1
> > use_bayes 1
> >
> > So it seems ok, but it's definitely seeing spam, milter-tagging it and
> > then
> > filing it without wrapping it anymore.
> >
> > Anyone having the same issue?
> 
> Actually I just noticed something else. Even though the messages are being
> put in my junkmail folder and maillogs show that the messages are being
> identified and tagged as spam, none of the messages from the upgrade have
> either the changed subject line or are encapsulated.
> 
> I've run --lint and can't see any obvious errors. Here's a quick slice of
> the maillog showing it should be tagging the messages:
> 
> Apr  9 04:05:27  sendmail[23122]: j3985KIc023122: Milter add: header:
> X-Spam-Flag: YES
> Apr  9 04:05:27  sendmail[23122]: j3985KIc023122: Milter add: header:
> X-Spam-Status: Yes, score=9.9 required=4.5
> tests=BAYES_99,HTML_90_100,\n\tHTML_MESSAGE,MIME_HTML_ONLY,MIME_HTML_ONLY_
> MU
> LTI,MPART_ALT_DIFF,\n\tURIBL_SBL,URIBL_SC_SURBL autolearn=no version=3.0.2
> Apr  9 04:05:27  sendmail[23122]: j3985KIc023122: Milter add: header:
> X-Spam-Level: *
> Apr  9 04:05:27  sendmail[23122]: j3985KIc023122: Milter add: header:
> X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on 
> 
> Interestingly I noticed that as part of the Fedora Core 3 (FC3) upgrade I
> got a new milter. I'm wondering if that's causing the issue.



Re[2]: BAYES...sitewide or per-user or not at all?

2005-04-12 Thread Robert Menschel
Hello Gerald,

Saturday, April 9, 2005, 5:10:02 PM, you wrote:

GVLI> I'm looking at what scores I'll be able to let my users modify directly.
GVLI> If they can drop the bayes scores some for individual users it might not
GVLI> be so bad. I'm trying really hard not to ostracize any specific groups of
GVLI> people though. Our userbase leans MUCH more heavily to the
GVLI> "non-porn-hound" type (families and businesses) so that's what has me
GVLI> concerned about site-wide or domain-wide bayes.

Is there a generic ISP or email system whose userbase leans much more
to the adult than to the general audience?  My email host's customer
base includes several of the former, but they're drowned out by the
more common type of customer, and they don't have problems with
system-wide bayes.

GVLI> sa-learn -- anyone have a way to stat() all the SPAM folders and run
GVLI> sa-learn only on those that have new messages added by customers? I could
GVLI> find them using 'find' by searching on the mod date but I'd have to have
GVLI> some way for sa-learn to know the username to run as.

The method I've used is to
a) see if the missed-spam folder or not-spam folder have any contents.
If not, skip to the next user.
b) Move the contents out of that folder to work folder.
c) learn from the work folder.
d) skip to the next user.

That way there's no old messages to worry about.

Make sure the users know to "copy" mails to the not-spam folder rather
than move them, if they want to keep the originals.

Bob Menschel
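
Steps a) to d) above written out as a shell script. This is an added example, not part of the original post; the directory layout, the folder names and the use of sudo to run sa-learn as the mailbox owner are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: steps a) to d) as a cron job.
# Assumed (hypothetical) layout: $MAIL_ROOT/<account>/missed-spam and
# $MAIL_ROOT/<account>/not-spam, one file per message.
MAIL_ROOT=${MAIL_ROOT:-/var/spool/sa-feedback}

# Run sa-learn as the mailbox owner so that user's own Bayes DB is updated.
learn_as_user() {    # args: account, --spam|--ham, directory
    sudo -H -u "$1" sa-learn "$2" "$3"
}
LEARN=${LEARN:-learn_as_user}    # replaceable, e.g. by a stub when testing

# Returns 0 if a batch was learned, 1 if the folder was skipped, 2 on error.
learn_folder() {     # args: account, folder name, --spam|--ham
    src=$MAIL_ROOT/$1/$2
    work=$MAIL_ROOT/$1/.learn-work.$2.$$
    # Users control these folders: never follow a symlink planted in place of one.
    [ -d "$src" ] && [ ! -L "$src" ] || return 1
    # a) no messages in the folder: skip it
    [ -n "$(find "$src" -maxdepth 1 -type f -print | head -n 1)" ] || return 1
    # b) move the contents to a work folder; mail dropped in after this
    #    point stays in the source folder for the next run
    mkdir "$work" || return 2
    find "$src" -maxdepth 1 -type f -exec mv {} "$work"/ \;
    # c) learn from the work folder; on failure the batch is kept for inspection
    "$LEARN" "$1" "$3" "$work" >&2 || return 2
    rm -rf "$work"
}

# d) go through every user; prints the number of batches learned.
learn_all() {
    learned=0
    for dir in "$MAIL_ROOT"/*/; do
        [ -d "$dir" ] || continue
        user=$(basename "$dir")
        # Only plain account names are ever handed to sudo.
        case $user in *[!A-Za-z0-9._-]*|-*|.*) continue ;; esac
        learn_folder "$user" missed-spam --spam && learned=$((learned + 1))
        learn_folder "$user" not-spam --ham && learned=$((learned + 1))
    done
    echo "$learned"
}

if [ "${1:-}" = "--run" ]; then learn_all; fi
```

The work folder is created by the account running the script, so its permissions must let the mailbox owner read the moved messages.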





RE: OT: Do spammers have a sense of humor?

2005-04-12 Thread Kurt Buff
Most people reading this list are probably not aware that batman has a
slightly different meaning to some people in current/former British
colonies. A batman was someone who acted something like a personal servant
to British military staff, mostly officers, I believe. 

He wasn't the caped denizen of the night known from DC comics, for many
people - he was the fellow who shined shoes, picked up and dropped off
laundry, did some shopping, things like that.

I'm guessing that that's where this name may have come from.

Kurt 

> -Original Message-
> From: Matthew Lenz [mailto:[EMAIL PROTECTED]
> Sent: Monday, April 11, 2005 16:58
> To: users@spamassassin.apache.org
> Subject: Re: OT: Do spammers have a sense of humor?
> 
> 
> I got a phishing scam email from one 'Batman Cole' .. batman? ... goood
> lord. hehe
> 
> - Original Message - 
> From: "David B Funk" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, April 11, 2005 6:23 PM
> Subject: Re: OT: Do spammers have a sense of humor?
> 
> 
> > On Sat, 9 Apr 2005, List Mail User wrote:
> >
> >> Obviously, you've never noticed contact emails at iamaspammer. com:)
> >>
> >> Paul Shupak
> >> [EMAIL PROTECTED]
> >>
> >> P.S. "Manila Industries, Inc." of Thailand provides many domains for spam
> >> support services.
> >
> > Yes, almost as good a trick as what OnlineNIC.com has pulled.
> > Check out the registration for "pykb. com"
> >
> > They've managed to relocate the whole Henan province to Australia.
> > Must make it tough for the Chinese postal delivery people:
> > "OK, what continent is Henan on this week?" ;)
> >
> > -- 
> > Dave Funk  University of Iowa
> > College of Engineering
> > 319/335-5751   FAX: 319/384-0549   1256 Seamans Center
> > Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
> > #include 
> > Better is not better, 'standard' is better. B{
> > 
>