Re: spamd children run as root (again)

2005-04-26 Thread Robert Blayzor
Brandon Kuczenski wrote:
> I've seen this question posted a couple times in the mailing list
> archives (from October 2004) but no resolution.  The question again:
> 
> I'm running SpamAssassin 3.0.2 on FreeBSD 4.10 in spamc/spamd format
> with the '-u spamd' flag.  Problem is, all the child processes are
> running as root:


This has been a problem since 3.0.0 and I even submitted a patch in the
PR...  Dunno why this PR is being ignored by the devs...

http://bugzilla.spamassassin.org/show_bug.cgi?id=3897


-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5  0E93 8D02 9D0B CB1A A7B0

"Pinky, you've left the lens cap of your mind on again."
 - The Brain


bogusmx.rfc-ignorant.org

2005-04-26 Thread wolfgang
I noticed that DNS_FROM_RFC_BOGUSMX appears not to be working with SA 3.0.2 on 
our postfix boxes that relay the mails to the final inbox servers - probably 
because the envelope sender is not listed in any header yet.

(How) can I
- configure postfix to list the envelope sender in a header or
- apply the check to the address in the From: header?

regards,

wolfgang


Re: spamd children run as root (again)

2005-04-26 Thread Rick Macdougall

Justin Mason wrote:
It's specifically a problem with perl on *BSD platforms -- there's
a bug open about it, but it's stalled because we don't have any
developers with BSD machines ;)
at least on some platforms (MacOS X) it appears perl's setuid
support substantially does not work.
--j.
Brandon Kuczenski writes:
I've seen this question posted a couple times in the mailing list archives 
(from October 2004) but no resolution.  The question again:

I'm running SpamAssassin 3.0.2 on FreeBSD 4.10 in spamc/spamd format with 
the '-u spamd' flag.  Problem is, all the child processes are running as 
root:

$ ps aux | grep spam
root  333  0.0 10.1 27636 25932  ??  I11Apr05   1:03.83 spamd child 
(perl)
root  332  0.0 10.5 29020 27032  ??  I11Apr05   1:07.96 spamd child 
(perl)
root  331  0.0  9.7 26544 24852  ??  I11Apr05   0:52.68 spamd child 
(perl)
root  330  0.0  9.9 27152 25524  ??  I11Apr05   1:04.40 spamd child 
(perl)
root  329  0.0  9.8 26864 25116  ??  I11Apr05   0:58.08 spamd child 
(perl)
spamd 294  0.0  7.1 22392 18220  ??  Is   11Apr05   0:01.61 
/usr/local/bin/spamd -d -c -u spamd -H /home/spamd -r /var/run/spamd.pid (perl)
$
Hi,
If needed I can setup a dev machine running FreeBSD (or what ever BSD 
flavor the devs might like) and give them total access to it.

If that would help.
Regards,
Rick


Re: Low detection rate

2005-04-26 Thread Matt Kettler
Stewart, John wrote:

>>Use the test point, this should hit one of the SURBL lists, 
>>but I forget
>>if it shows up as WS or SC:
>
>For this it only hits SPAMCOP_URI_RBL. Is this normal? (it sounds like it's
>supposed to trigger more, I thought)
>
No, it's only supposed to hit one. At the time of posting I couldn't
remember if it hit WS or SC, but it's SC.

Regardless, SC, WS, AB, JP and OB are all the same DNS query, so if you
can get an answer for one, you can get an answer for any of the above.
(They're all returned at the same time by using a bitmasked answer when
querying multi.surbl.org)
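
The bitmasked answer described above, decoded in an added example that is not part of the original message. The bit values are the ones used by the stock SURBL rules of the SpamAssassin 3.0 era and are an assumption here (the thread does not state them, and PH is a list the message does not mention); the function names are hypothetical and the sample answers are constructed.

```shell
#!/bin/sh
# Added example: build a multi.surbl.org query name and decode its answer.

# Name to look up for a domain found in a message body.
surbl_query_name() {
  printf '%s.multi.surbl.org\n' "$1"
}

# Decode the A record returned for that name. The last octet is a bitmask,
# so a single query answers for every list at once.
# Bit values: SpamAssassin 3.0-era assignments (assumption, not from the thread).
# Prints the matching list names; returns 2 if the answer is not 127.0.0.N.
surbl_decode() {
  answer=$1
  case $answer in
    127.0.0.*) mask=${answer#127.0.0.} ;;
    *) return 2 ;;
  esac
  case $mask in
    ''|*[!0-9]*|0?*) return 2 ;;     # empty, non-numeric or leading zero
  esac
  [ "$mask" -le 255 ] || return 2
  lists=
  for pair in 2:SC 4:WS 8:PH 16:OB 32:AB 64:JP; do
    bit=${pair%%:*}
    name=${pair#*:}
    if [ $(( $mask & $bit )) -ne 0 ]; then
      lists="$lists${lists:+ }$name"
    fi
  done
  printf '%s\n' "$lists"
}

# Constructed answers: one list set, then two lists set in the same reply.
surbl_decode 127.0.0.2
surbl_decode 127.0.0.6
```

An answer outside 127.0.0.0/24, or no answer at all, points at the resolver or the query path rather than at the list data.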



Re: spamd children run as root (again)

2005-04-26 Thread Justin Mason
It's specifically a problem with perl on *BSD platforms -- there's
a bug open about it, but it's stalled because we don't have any
developers with BSD machines ;)

at least on some platforms (MacOS X) it appears perl's setuid
support substantially does not work.

--j.

Brandon Kuczenski writes:
> I've seen this question posted a couple times in the mailing list archives 
> (from October 2004) but no resolution.  The question again:
> 
> I'm running SpamAssassin 3.0.2 on FreeBSD 4.10 in spamc/spamd format with 
> the '-u spamd' flag.  Problem is, all the child processes are running as 
> root:
> 
> $ ps aux | grep spam
> root  333  0.0 10.1 27636 25932  ??  I11Apr05   1:03.83 spamd child 
> (perl)
> root  332  0.0 10.5 29020 27032  ??  I11Apr05   1:07.96 spamd child 
> (perl)
> root  331  0.0  9.7 26544 24852  ??  I11Apr05   0:52.68 spamd child 
> (perl)
> root  330  0.0  9.9 27152 25524  ??  I11Apr05   1:04.40 spamd child 
> (perl)
> root  329  0.0  9.8 26864 25116  ??  I11Apr05   0:58.08 spamd child 
> (perl)
> spamd 294  0.0  7.1 22392 18220  ??  Is   11Apr05   0:01.61 
> /usr/local/bin/spamd -d -c -u spamd -H /home/spamd -r /var/run/spamd.pid 
> (perl)
> $
> 
> Is this intended or is it a bug?  The two threads I've seen that pertain 
> to it (both dating from Oct04) are left unresolved:
> http://thread.gmane.org/gmane.mail.spam.spamassassin.general/57900
> http://thread.gmane.org/gmane.mail.spam.spamassassin.general/58087
> 
> The practical consequence of this (aside from the unorthodoxy -- undesired 
> processes owned by root) is that the permissions of my 
> ~user/.spamassassin/bayes_journal file get changed to root:spamd 0660. 
> I wanted them to be spamd:user 0660, so that the user can run 
> sa-learn without asking for root's help.  Is that not the 'right way' to 
> do things?
> 
> Has there been a resolution to this question?  If not, .. doesn't 
> everybody have this problem?  Or is it not a problem?  If not, why not?
> 
> -Brandon



Re: spamd children run as root (again)

2005-04-26 Thread Rick Macdougall

Brandon Kuczenski wrote:
I've seen this question posted a couple times in the mailing list 
archives (from October 2004) but no resolution.  The question again:

I'm running SpamAssassin 3.0.2 on FreeBSD 4.10 in spamc/spamd format 
with the '-u spamd' flag.  Problem is, all the child processes are 
running as root:

$ ps aux | grep spam
root  333  0.0 10.1 27636 25932  ??  I11Apr05   1:03.83 spamd 
child (perl)
root  332  0.0 10.5 29020 27032  ??  I11Apr05   1:07.96 spamd 
child (perl)
root  331  0.0  9.7 26544 24852  ??  I11Apr05   0:52.68 spamd 
child (perl)
root  330  0.0  9.9 27152 25524  ??  I11Apr05   1:04.40 spamd 
child (perl)
root  329  0.0  9.8 26864 25116  ??  I11Apr05   0:58.08 spamd 
child (perl)
spamd 294  0.0  7.1 22392 18220  ??  Is   11Apr05   0:01.61 
/usr/local/bin/spamd -d -c -u spamd -H /home/spamd -r /var/run/spamd.pid 
(perl)
$

Is this intended or is it a bug?  The two threads I've seen that pertain 
to it (both dating from Oct04) are left unresolved:
http://thread.gmane.org/gmane.mail.spam.spamassassin.general/57900
http://thread.gmane.org/gmane.mail.spam.spamassassin.general/58087

The practical consequence of this (aside from the unorthodoxy -- 
undesired processes owned by root) is that the permissions of my 
~user/.spamassassin/bayes_journal file get changed to root:spamd 0660. I 
wanted them to be spamd:user 0660, so that the user can run sa-learn 
without asking for root's help.  Is that not the 'right way' to do things?

Has there been a resolution to this question?  If not, .. doesn't 
everybody have this problem?  Or is it not a problem?  If not, why not?
Hi,
Yes, to the best of my knowledge it is a problem but the devs haven't 
seemed to acknowledge it.  I think it's related to another SA bug 
having to do with per user rules only working the first time the child 
is loaded, of course I could be wrong.

It doesn't affect me now that I've switched to a global bayes in MySQL 
and user prefs in MySQL but a hack might be to set the bayes_mode 0777 
in the local.cf file so that at least you'll always have read/write 
access to the files.

HTH,
Regards,
Rick
PS. No offense meant to the devs, I know their time is limited and they 
are working on a great many things.




spamd children run as root (again)

2005-04-26 Thread Brandon Kuczenski
I've seen this question posted a couple times in the mailing list archives 
(from October 2004) but no resolution.  The question again:

I'm running SpamAssassin 3.0.2 on FreeBSD 4.10 in spamc/spamd format with 
the '-u spamd' flag.  Problem is, all the child processes are running as 
root:

$ ps aux | grep spam
root  333  0.0 10.1 27636 25932  ??  I11Apr05   1:03.83 spamd child 
(perl)
root  332  0.0 10.5 29020 27032  ??  I11Apr05   1:07.96 spamd child 
(perl)
root  331  0.0  9.7 26544 24852  ??  I11Apr05   0:52.68 spamd child 
(perl)
root  330  0.0  9.9 27152 25524  ??  I11Apr05   1:04.40 spamd child 
(perl)
root  329  0.0  9.8 26864 25116  ??  I11Apr05   0:58.08 spamd child 
(perl)
spamd 294  0.0  7.1 22392 18220  ??  Is   11Apr05   0:01.61 
/usr/local/bin/spamd -d -c -u spamd -H /home/spamd -r /var/run/spamd.pid (perl)
$
Is this intended or is it a bug?  The two threads I've seen that pertain 
to it (both dating from Oct04) are left unresolved:
http://thread.gmane.org/gmane.mail.spam.spamassassin.general/57900
http://thread.gmane.org/gmane.mail.spam.spamassassin.general/58087

The practical consequence of this (aside from the unorthodoxy -- undesired 
processes owned by root) is that the permissions of my 
~user/.spamassassin/bayes_journal file get changed to root:spamd 0660. 
I wanted them to be spamd:user 0660, so that the user can run 
sa-learn without asking for root's help.  Is that not the 'right way' to 
do things?

Has there been a resolution to this question?  If not, .. doesn't 
everybody have this problem?  Or is it not a problem?  If not, why not?

-Brandon
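
A check for the condition reported in this post, added here as an example; it is not part of the original message or of SpamAssassin. It reads `USER PID COMMAND` lines, as produced by `ps -axo user,pid,command` (which avoids the fused STAT/STARTED columns seen in the `ps aux` listing above), and reports spamd processes that are not owned by the account given with `-u`. The function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: report spamd processes that are not owned by the account
# requested with "-u". Input: "USER PID COMMAND..." lines on stdin.

# Constructed sample modelled on the listing in the post.
sample_ps() {
cat <<'EOF'
USER   PID COMMAND
root   333 spamd child (perl)
root   332 spamd child (perl)
spamd  294 /usr/local/bin/spamd -d -c -u spamd -H /home/spamd -r /var/run/spamd.pid (perl)
root   410 /usr/sbin/sshd
EOF
}

# Prints "PID USER" for each offending process.
# Exit status: 0 = every spamd process runs as the -u account,
#              1 = at least one does not,
#              2 = no "-u" was found, so there is nothing to compare with.
spamd_wrong_owner() {
  awk '
    NR == 1 && $1 == "USER" { next }          # skip the ps header
    $3 !~ /(^|\/)spamd$/    { next }          # keep only spamd and its children
    {
      n++; user[n] = $1; pid[n] = $2
      # the parent command line carries the requested account
      for (i = 4; i < NF; i++) if ($i == "-u") want = $(i + 1)
    }
    END {
      if (want == "") exit 2
      for (k = 1; k <= n; k++)
        if (user[k] != want) { print pid[k], user[k]; bad = 1 }
      exit (bad ? 1 : 0)
    }'
}

# Demo run on the constructed sample. On a live host:
#   ps -axo user,pid,command | spamd_wrong_owner
sample_ps | spamd_wrong_owner || echo "spamd processes not running as the -u account (or no -u found)"
```

Run from cron or a monitoring probe, a non-zero status gives an alert when the privilege drop silently fails after an upgrade of perl or spamd.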


RE: Low detection rate

2005-04-26 Thread Stewart, John

> Use the test point, this should hit one of the SURBL lists, 
> but I forget
> if it shows up as WS or SC:
> 
> http://surbl-org-permanent-test-point.com/

For this it only hits SPAMCOP_URI_RBL. Is this normal? (it sounds like it's
supposed to trigger more, I thought)

thanks!

johnS


Re: Low detection rate

2005-04-26 Thread Matt Kettler
Paul Fielding wrote:

>Matt Kettler  evi-inc.com> writes:
>
>>Also, make sure your Net::DNS is sufficiently up-to-date so that the
>>URIBL tests (SURBL, etc) can run. Look to make sure you've got some spam
>>hitting URIBL_SC_SURBL, URIBL_WS_SURBL, etc.
>
>Any suggestions on testing that the ability of URIBL tests to run?  Looking at 
>my own spam hits, it appears none are getting hit by URIBL tests anymore and 
>I'd like to figure out what made them stop, or if they have indeed stopped
>
>regards,
>
>Paul
>
Use the test point, this should hit one of the SURBL lists, but I forget
if it shows up as WS or SC:

http://surbl-org-permanent-test-point.com/


Re: Low detection rate

2005-04-26 Thread Paul Fielding
Matt Kettler  evi-inc.com> writes:

> Also, make sure your Net::DNS is sufficiently up-to-date so that the
> URIBL tests (SURBL, etc) can run. Look to make sure you've got some spam
> hitting URIBL_SC_SURBL, URIBL_WS_SURBL, etc.


Any suggestions on testing that the ability of URIBL tests to run?  Looking at 
my own spam hits, it appears none are getting hit by URIBL tests anymore and 
I'd like to figure out what made them stop, or if they have indeed stopped

regards,

Paul




RE: SA config recommendations to block these spammers?

2005-04-26 Thread martin smith
M>-Original Message-
M>From: Chris Santerre [mailto:[EMAIL PROTECTED] 
M>Sent: 26 April 2005 21:26
M>To: 'martin smith'; Spamassassin
M>Subject: RE: SA config recommendations to block these spammers?
M>
M>
M>Martin, could we get permission to put this in a SARE file? 
M>Full credit to you obviously!
M>
M>--Chris 
M>

Yes by all means use it Chris, nice to make a contribution.

Martin



RE: SA config recommendations to block these spammers?

2005-04-26 Thread Chris Santerre

>I did write a rule to catch these since a lot of spammers are 
>still using
>this trick :-
>
>uri __SpoofPort_URL /(?:\:|\...:)/
>
>uri __OkPort_URL /(?:\:[0-9]|\...:[0-9])/
>
>meta MS_Spoof_Port_URL ((__SpoofPort_URL - __OkPort_URL) > 0)
>
>score MS_Spoof_Port_URL 9
>
>describe MS_Spoof_Port_URL Exploits SURBL bug in 3.0* URL with 
>trailing :
>
>Worth having even with the patch, not had a FP on it yet.
>
>Martin

Martin, could we get permission to put this in a SARE file? Full credit to
you obviously!

--Chris 


RE: Blacklists entries not getting blocked

2005-04-26 Thread Antonio DeLaCruz
Attached is my debug info when running spamassassin -D --lint.
I was logged on as the user so that just to make sure it picked up the correct
user_prefs.
Thanks,
Antonio DeLaCruz
Quoting "Pettit, Paul" <[EMAIL PROTECTED]>:
Antonio DeLaCruz [mailto:[EMAIL PROTECTED] wrote:

Here is my user_prefs file:

# SpamAssassin config file for version 3.0

[snip]

whitelist_from address.com

Is this a typo or what is actually in the user_pref file? Seems odd and may
be related if it isn't a typo.
 Start of Manual Blacklist 
#
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]

Here is my .procmailrc file:

:0fw: spamassassin.lock
| /usr/bin/spamassassin -p /home//.spamassassin/user_prefs

Here is my .forward file:

"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #"

The entries in my blacklist_from are not getting blocked.
I'm not sure what
I've done wrong.  I installed postfix (version 2.2.2) from
source.  I have also
installed Spamassassin using cpan (version 3.0.2).  Any help
on this would be
appreciated.

Thanks,

Can you send a cut&paste of the headers from an email that you feel should
have been caught but got through? All the above looks about right but the
key would be if SA is even checking the email.
Did you run 'sendmail -D --lint -p /home//.spamassassin/user_prefs'
(if not logged in as the user) to check your settings? What was the output?
Paul Pettit
CTO and IS Manager
Consistent Computer Bargains Inc.
I've heard it said that the proof of lunacy is when you repeat the same
steps expecting different results.  I say it's proof that you're a Microsoft
user. - comment by deshi777 on experts-exchange.com


This message was sent using IMP, the Internet Messaging Program.
debug: SpamAssassin version 3.0.2
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/usr/X11R6/bin', keeping.
debug: PATH included '/usr/games', keeping.
debug: PATH included '/usr/local/pgsql/lib', keeping.
debug: PATH included '/opt/www/htdig/bin', keeping.
debug: PATH included '/usr/lib/java/bin', keeping.
debug: PATH included '/usr/lib/java/jre/bin', which doesn't exist, dropping.
debug: PATH included '/opt/kde/bin', keeping.
debug: PATH included '/usr/lib/qt/bin', keeping.
debug: PATH included '/usr/share/texmf/bin', keeping.
debug: PATH included '.', which is not absolute, dropping.
debug: Final PATH set to: 
/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/usr/games:/usr/local/pgsql/lib:/opt/www/htdig/bin:/usr/lib/java/bin:/opt/kde/bin:/usr/lib/qt/bin:/usr/share/texmf/bin
debug: diag: module installed: DBI, version 1.48
debug: diag: module installed: DB_File, version 1.811
debug: diag: module installed: Digest::SHA1, version 2.10
debug: diag: module installed: IO::Socket::UNIX, version 1.21
debug: diag: module installed: MIME::Base64, version 2.12
debug: diag: module installed: Net::DNS, version 0.49
debug: diag: module not installed: Net::LDAP ('require' failed)
debug: diag: module installed: Razor2::Client::Agent, version 2.67
debug: diag: module installed: Storable, version 2.13
debug: diag: module installed: URI, version 1.35
debug: ignore: using a test message to lint rules
debug: using "/usr/share/spamassassin" for default rules dir
debug: config: read file /usr/share/spamassassin/10_misc.cf
debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/share/spamassassin/20_compensate.cf
debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/share/spamassassin/20_drugs.cf
debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/share/spamassassin/20_phrases.cf
debug: config: read file /usr/share/spamassassin/20_porn.cf
debug: config: read file /usr/share/spamassassin/20_ratware.cf
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/23_bayes.cf
debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/share/spamassassin/25_spf.cf
debug: config: read file /usr/share/spamassassin

Re: MSExec plugin?

2005-04-26 Thread Theo Van Dinter
On Tue, Apr 26, 2005 at 03:36:46PM -0400, Michael W Cocke wrote:
> I'm in the middle of rebuilding my mail server from scratch, and I
> just came across a reference to an SA plugin that doesn't seem to be
> available anymore - MSExec.  More out of curiosity than anything
> else, what happened to it/the author?

MSExec never existed for 3.0, it was only ever included in the 3.1 development
tree.  At last check it got renamed AntiVirus:

http://svn.apache.org/repos/asf/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/AntiVirus.pm

I don't believe there's anything 3.1 specific in there, but YMMV. :)

-- 
Randomly Generated Tagline:
"I tried once and it beat me like I was a piñata on Cinco de Mayo."
 - Theo talking about installing Debian Linux




RE: Blacklists entries not getting blocked

2005-04-26 Thread Antonio DeLaCruz
the whitelist line actually reads:
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
I removed the actual entries to protect the innocent.
I don't have that e-mail anymore, but I'm sure that I will get another one and
will copy and paste the headers.
Thanks,
Antonio DeLaCruz
Quoting "Pettit, Paul" <[EMAIL PROTECTED]>:
Antonio DeLaCruz [mailto:[EMAIL PROTECTED] wrote:

Here is my user_prefs file:

# SpamAssassin config file for version 3.0

[snip]

whitelist_from address.com

Is this a typo or what is actually in the user_pref file? Seems odd and may
be related if it isn't a typo.
 Start of Manual Blacklist 
#
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]

Here is my .procmailrc file:

:0fw: spamassassin.lock
| /usr/bin/spamassassin -p /home//.spamassassin/user_prefs

Here is my .forward file:

"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #"

The entries in my blacklist_from are not getting blocked.
I'm not sure what
I've done wrong.  I installed postfix (version 2.2.2) from
source.  I have also
installed Spamassassin using cpan (version 3.0.2).  Any help
on this would be
appreciated.

Thanks,

Can you send a cut&paste of the headers from an email that you feel should
have been caught but got through? All the above looks about right but the
key would be if SA is even checking the email.
Did you run 'sendmail -D --lint -p /home//.spamassassin/user_prefs'
(if not logged in as the user) to check your settings? What was the output?
Paul Pettit
CTO and IS Manager
Consistent Computer Bargains Inc.
I've heard it said that the proof of lunacy is when you repeat the same
steps expecting different results.  I say it's proof that you're a Microsoft
user. - comment by deshi777 on experts-exchange.com




MSExec plugin?

2005-04-26 Thread Michael W Cocke
I'm in the middle of rebuilding my mail server from scratch, and I
just came across a reference to an SA plugin that doesn't seem to be
available anymore - MSExec.  More out of curiosity than anything
else, what happened to it/the author?

Mike-

--
Mornings:  Evolution in action.  Only the grumpy will survive.
--

Please note - Due to the intense volume of spam, we have installed site-wide 
spam
 filters at catherders.com.  If email from you bounces, try non-HTML, 
non-encoded, 
non-attachments.


Re: Blacklists entries not getting blocked

2005-04-26 Thread Antonio DeLaCruz
so I need to switch it to something like this?
blacklist_from [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] ...
Thanks,
Antonio DeLaCruz
Quoting Jim Maul <[EMAIL PROTECTED]>:
Martin Hepworth wrote:
Antoni
blacklist (and others like trusted networks) need to have all values 
on one line, not multiple declarations AFAIK
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Antonio DeLaCruz wrote:
Here is my user_prefs file:
# SpamAssassin config file for version 3.0
# How many hits before a message is considered spam.
required_score   3.5
# Whether to change the subject of suspected spam
rewrite_header subject *SPAM*
# Text to prepend to subject if rewrite_subject is used
subject_tag *SPAM*
# Encapsulate spam in an attachment
report_safe 1
# Use terse version of the spam report
use_terse_report 0
# Enable the Bayes system
use_bayes   1
# Enable Bayes auto-learning
auto_learn  1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2  1
use_dcc 1
use_pyzor   1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english spanish
ok_languages en es
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales  en
# Set up trusted and internal networks
# These networks are hosts that are considered to not be potentially
# operated by spammers, open relays, or open proxies
trusted_networks 127.
trusted_networks 192.168/16
internal_networks   127.
internal_networks   192.168/16
whitelist_from address.com
 Start of Manual Blacklist 
#
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
Here is my .procmailrc file:
:0fw: spamassassin.lock
| /usr/bin/spamassassin -p /home//.spamassassin/user_prefs
Here is my .forward file:
"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #"

The entries in my blacklist_from are not getting blocked.  I'm not 
sure what
I've done wrong.  I installed postfix (version 2.2.2) from source.  
I have also
installed Spamassassin using cpan (version 3.0.2).  Any help on 
this would be
appreciated.

Thanks,
Antonio DeLaCruz

Also note that some of the things you have are invalid, like 
"auto_learn".  I assume you used the web based conf generation tool 
that is linked to on the spamassassin site?  I'd run spamassassin 
--lint on a message and fix all the errors first.

-Jim




Re: More on PerMsgStatus.pm problem

2005-04-26 Thread Matt Kettler
jdow wrote:

>I tend to get spamd errors on some messages that may be related to the
>spam markup. The messages get as far as this bug report and processing
>terminates with no spam markup at all.
>===8<---
> error: Insecure dependency in eval while running setuid at
>/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2091._
>No such file or directory, continuing
>===8<---
>

I'd be looking closely at all your "full" type rules. The offending line
is the execution of a regex for a "full" rule.

Clearly a normal rule should not be referencing any files, so it's
probably a typo in a rule which causes a regex to attempt to access a file.



RE: Blacklists entries not getting blocked

2005-04-26 Thread Pettit, Paul
> Antonio DeLaCruz [mailto:[EMAIL PROTECTED] wrote:
> 
> Here is my user_prefs file:
> 
> # SpamAssassin config file for version 3.0
> 
[snip]
> 
> whitelist_from address.com
> 

Is this a typo or what is actually in the user_pref file? Seems odd and may
be related if it isn't a typo.

>  Start of Manual Blacklist 
> #
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> blacklist_from [EMAIL PROTECTED]
> 
> 
> Here is my .procmailrc file:
> 
> :0fw: spamassassin.lock
> | /usr/bin/spamassassin -p /home//.spamassassin/user_prefs
> 
> Here is my .forward file:
> 
> "|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #"
> 
> 
> 
> The entries in my blacklist_from are not getting blocked.  
> I'm not sure what
> I've done wrong.  I installed postfix (version 2.2.2) from 
> source.  I have also
> installed Spamassassin using cpan (version 3.0.2).  Any help 
> on this would be
> appreciated.
> 
> Thanks,
> 

Can you send a cut&paste of the headers from an email that you feel should
have been caught but got through? All the above looks about right but the
key would be if SA is even checking the email.

Did you run 'sendmail -D --lint -p /home//.spamassassin/user_prefs'
(if not logged in as the user) to check your settings? What was the output?

Paul Pettit
CTO and IS Manager
Consistent Computer Bargains Inc.

I've heard it said that the proof of lunacy is when you repeat the same
steps expecting different results.  I say it's proof that you're a Microsoft
user. - comment by deshi777 on experts-exchange.com



Re: Blacklists entries not getting blocked

2005-04-26 Thread Daryl C. W. O'Shea
Matt Kettler wrote:
trusted_networks does need to be on one line, but black/whitelist
commands don't.
trusted_networks (and internal_networks) can actually be on multiple 
lines too... it uses the same config code as the black/whitelist options.

Daryl


Re: Blacklists entries not getting blocked

2005-04-26 Thread Matt Kettler
Antonio DeLaCruz wrote:

>Here is my user_prefs file:
>
>  
>
First, delete the following lines. They are syntax errors.


>subject_tag *SPAM*
>
>use_terse_report 0
>
Next, run spamassassin --lint and fix any other things it complains
about. the --lint should just run and exit with no output if things are
correctly configured.

Lastly,  you have this statement:

>whitelist_from address.com
>  
>

Lastly, If that doesn't fix your problem can you post the headers of an
example message that didn't hit your blacklist? Be sure to include the
From:, Return-Path, Resent-* and Received: headers.




Re: Blacklists entries not getting blocked

2005-04-26 Thread Matt Kettler
Martin Hepworth wrote:

> Antoni
>
> blacklist (and others like trusted networks) need to have all values
> on one line, not multiple declarations AFAIK


Martin, blacklist_from, like whitelist_from, does NOT require all values
to be on one line. Take a look at WS's old sa-blacklist.cf for an example.

http://www.stearns.org/sa-blacklist/sa-blacklist.current
-or-
ftp://ftp.bascom.com/pub/wstearns/sa-blacklist/sa-blacklist.current



trusted_networks does need to be on one line, but black/whitelist
commands don't.


Re: Need help interpretting score

2005-04-26 Thread Matt Kettler
Joe Kletch wrote:

>
> Thinking I should check the auto white-list I looked for the tools on
> my FreeBSD 5.3 box running SA 3.02 and no tools exist. Nothing in the
> ports tree--so I loaded the RPM port and then set to load the RPM
> Package, however it complained about a bunch of missing dependencies
> and I got cold feet.
>
> Anyone know the status of porting spamassassin-tools-3.0.0-1.i386 to
> FreeBSD 5.3?
>
> I really do not want to get too far into the RPM install on this
> production machine.
>
>
Really the tools don't require much in the way of installation beyond
having the same version of SpamAssassin installed correctly.

You should be able to safely grab the scriptfiles out of the tools
subdirectory of a SA 3.0.2 tarball and they should work with your ported
version of SA.

There's no real magic to them, they're just very simple perl scripts
that invoke the SA perl APIs. As long as the SA APIs are installed so
your version of perl can find them, check_whitelist, etc should just run.



Re: Blacklists entries not getting blocked

2005-04-26 Thread Jim Maul
Martin Hepworth wrote:
Antoni
blacklist (and others like trusted networks) need to have all values on 
one line, not multiple declarations AFAIK
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Antonio DeLaCruz wrote:
Here is my user_prefs file:
# SpamAssassin config file for version 3.0
# How many hits before a message is considered spam.
required_score   3.5
# Whether to change the subject of suspected spam
rewrite_header subject *SPAM*
# Text to prepend to subject if rewrite_subject is used
subject_tag *SPAM*
# Encapsulate spam in an attachment
report_safe 1
# Use terse version of the spam report
use_terse_report 0
# Enable the Bayes system
use_bayes   1
# Enable Bayes auto-learning
auto_learn  1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2  1
use_dcc 1
use_pyzor   1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english spanish
ok_languages en es
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales  en
# Set up trusted and internal networks
# These networks are hosts that are considered to not be potentially
# operated by spammers, open relays, or open proxies
trusted_networks 127.
trusted_networks 192.168/16
internal_networks   127.
internal_networks   192.168/16
whitelist_from address.com
 Start of Manual Blacklist 
#
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
Here is my .procmailrc file:
:0fw: spamassassin.lock
| /usr/bin/spamassassin -p /home//.spamassassin/user_prefs
Here is my .forward file:
"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #"

The entries in my blacklist_from are not getting blocked.  I'm not 
sure what
I've done wrong.  I installed postfix (version 2.2.2) from source.  I 
have also
installed Spamassassin using cpan (version 3.0.2).  Any help on this 
would be
appreciated.

Thanks,
Antonio DeLaCruz

Also note that some of the things you have are invalid, like 
"auto_learn".  I assume you used the web based conf generation tool that 
is linked to on the spamassassin site?  I'd run spamassassin --lint on a 
message and fix all the errors first.

-Jim


Re: Blacklists entries not getting blocked

2005-04-26 Thread Martin Hepworth
Antoni
blacklist (and others like trusted networks) need to have all values on 
one line, not multiple declarations AFAIK
--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

Antonio DeLaCruz wrote:
Here is my user_prefs file:
# SpamAssassin config file for version 3.0
# How many hits before a message is considered spam.
required_score   3.5
# Whether to change the subject of suspected spam
rewrite_header subject *SPAM*
# Text to prepend to subject if rewrite_subject is used
subject_tag *SPAM*
# Encapsulate spam in an attachment
report_safe 1
# Use terse version of the spam report
use_terse_report 0
# Enable the Bayes system
use_bayes   1
# Enable Bayes auto-learning
auto_learn  1
# Enable or disable network checks
skip_rbl_checks 0
use_razor2  1
use_dcc 1
use_pyzor   1
# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english spanish
ok_languages en es
# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales  en
# Set up trusted and internal networks
# These networks are hosts that are considered to not be potentially
# operated by spammers, open relays, or open proxies
trusted_networks 127.
trusted_networks 192.168/16
internal_networks   127.
internal_networks   192.168/16
whitelist_from address.com
 Start of Manual Blacklist 
#
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
Here is my .procmailrc file:
:0fw: spamassassin.lock
| /usr/bin/spamassassin -p /home//.spamassassin/user_prefs
Here is my .forward file:
"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #"

The entries in my blacklist_from are not getting blocked.  I'm not sure what
I've done wrong.  I installed postfix (version 2.2.2) from source.  I have also
installed Spamassassin using cpan (version 3.0.2).  Any help on this would be
appreciated.
Thanks,
Antonio DeLaCruz





Re: Need help interpretting score

2005-04-26 Thread Andy Jezierski

Joe Kletch <[EMAIL PROTECTED]> wrote on 04/26/2005 10:31:43 AM:

[snip]

> 
> On another server or two I have disabled the auto white-list. Is this
> acceptable practice? Now that I am into this I recall seeing this issue
> before and thus decided to disable it. Comments on this practice?
> 
> Joe Kletch
> 

I've never used AWL on my system and it works just fine without it.
YMMV

Andy

Re: Need help interpretting score

2005-04-26 Thread Joe Kletch
On Apr 26, 2005, at 10:46 AM, Matt Kettler wrote:
Joe Kletch wrote:
On Apr 26, 2005, at 10:13 AM, Matt Kettler wrote:

Off color Jokes are rampant in this organization from the CEO down.
I'm sure the auto-learn dbs are quite confused. I'll probably raise
the threshold and keep requesting header of FPs.
Really, off-color jokes shouldn't be hitting more than 3.0, certainly
not high enough to average 7.4. It's actually pretty hard to make a
nonspam message score high unless you use GTUBE.
Most of the porn rules are 1.5 and less. Even having a subject line
declaring the email to be sexually explicit will get you at most 2.9 
points.

I'd check for the sender in question doing something like forwarding 
all
their email to another account using a client-side script that makes it
look like they sent the message. This would re-send all their spam and
rack them up quite an AWL score.


Thinking I should check the auto white-list I looked for the tools on 
my FreeBSD 5.3 box running SA 3.02 and no tools exist. Nothing in the 
ports tree--so I loaded the RPM port and then set to load the RPM 
Package, however it complained about a bunch of missing dependencies 
and I got cold feet.

Anyone know the status of porting spamassassin-tools-3.0.0-1.i386 to 
FreeBSD 5.3?

I really do not want to get too far into the RPM install on this 
production machine.

Thanks!
Joe Kletch


Blacklists entries not getting blocked

2005-04-26 Thread Antonio DeLaCruz
Here is my user_prefs file:

# SpamAssassin config file for version 3.0

# How many hits before a message is considered spam.
required_score   3.5

# Whether to change the subject of suspected spam
rewrite_header subject *SPAM*

# Text to prepend to subject if rewrite_subject is used
subject_tag *SPAM*

# Encapsulate spam in an attachment
report_safe 1

# Use terse version of the spam report
use_terse_report 0

# Enable the Bayes system
use_bayes   1

# Enable Bayes auto-learning
auto_learn  1

# Enable or disable network checks
skip_rbl_checks 0
use_razor2  1
use_dcc 1
use_pyzor   1

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
# - english spanish
ok_languages en es

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales  en

# Set up trusted and internal networks
# These networks are hosts that are considered to not be potentially
# operated by spammers, open relays, or open proxies
trusted_networks 127.
trusted_networks 192.168/16
internal_networks   127.
internal_networks   192.168/16

whitelist_from address.com

 Start of Manual Blacklist 
#
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]
blacklist_from [EMAIL PROTECTED]


Here is my .procmailrc file:

:0fw: spamassassin.lock
| /usr/bin/spamassassin -p /home//.spamassassin/user_prefs

Here is my .forward file:

"|IFS=' ' && exec /usr/bin/procmail -f- || exit 75 #"



The entries in my blacklist_from are not getting blocked.  I'm not sure what
I've done wrong.  I installed postfix (version 2.2.2) from source.  I have also
installed Spamassassin using cpan (version 3.0.2).  Any help on this would be
appreciated.

Thanks,

Antonio DeLaCruz








Re: SA config recommendations to block these spammers?

2005-04-26 Thread Robert Brooks
Daryl C. W. O'Shea wrote:
Robert Brooks wrote:
the url has a : but no port so it doesn't get checked properly by the
URIDNSBL code, think there's a bugzilla to fix this, but I can't locate
it at the moment.

bug 4191... it's fixed in 3.0.3.
that's the one.  I applied the patch and have just rechecked.  Odd 
though the url still isn't hitting any SURBLs yet:

$ host coolestrxever.com.multi.surbl.org
coolestrxever.com.multi.surbl.org has address 127.0.0.80
Will try a bit more debugging shortly, not convinced it's parsing the 
message correctly.

Rob
--
Robert Brooks,   Network Manager,  Cable & Wireless UK
<[EMAIL PROTECTED]> http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7339 8600  Fax: +44 (0)20 7339 8601
-  Help Microsoft stamp out piracy.  Give Linux to a friend today!   -


Re: Need help interpretting score

2005-04-26 Thread Matt Kettler
Joe Kletch wrote:

>
> On Apr 26, 2005, at 10:13 AM, Matt Kettler wrote:
>
>>
>
> Off color Jokes are rampant in this organization from the CEO down.
> I'm sure the auto-learn dbs are quite confused. I'll probably raise
> the threshold and keep requesting header of FPs.

Really, off-color jokes shouldn't be hitting more than 3.0, certainly
not high enough to average 7.4. It's actually pretty hard to make a
nonspam message score high unless you use GTUBE.

Most of the porn rules are 1.5 and less. Even having a subject line
declaring the email to be sexually explicit will get you at most 2.9 points.

I'd check for the sender in question doing something like forwarding all
their email to another account using a client-side script that makes it
look like they sent the message. This would re-send all their spam and
rack them up quite an AWL score.




RE: SA config recommendations to block these spammers?

2005-04-26 Thread martin smith
 
M>-Original Message-
M>From: ROY,RHETT G [mailto:[EMAIL PROTECTED] 
M>Sent: 26 April 2005 14:51
M>To: users@spamassassin.apache.org
M>Subject: SA config recommendations to block these spammers?
M>
M>I have two spammers that consistently get messages through to 
M>my inbox.
M>Based on the attached, can you make any recommendations for 
M>improvements to my configuration that will help give these 
M>messages a higher score? I'm calling SA (spamd, 3.0.2) as a 
M>content filter from Postfix.
M>
M>Thanks,
M>
M>Rhett Roy
M>
M>debug: Net::DNS version: 0.23

Your Net::DNS is way too old to work with 3.0*, it needs upgrading for RBL
and SURBL lookups to work and like Daryl says one of the spam's had a
trailing : after the URL which makes SURBL lookups fail unless the patch is
applied.
I did write a rule to catch these since a lot of spammers are still using
this trick :-

uri __SpoofPort_URL /(?:\:|\...:)/

uri __OkPort_URL /(?:\:[0-9]|\...:[0-9])/

meta MS_Spoof_Port_URL ((__SpoofPort_URL - __OkPort_URL) > 0)

score MS_Spoof_Port_URL 9

describe MS_Spoof_Port_URL Exploits SURBL bug in 3.0* URL with trailing :

Worth having even with the patch, not had a FP on it yet.

Martin
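
A check for the trailing-colon pattern discussed in this thread, as an added example that is not part of the original post and not SpamAssassin's own code: it pulls http(s) URLs out of a message body, splits off the authority, and flags a colon with no port so the bare host can still be handed to a URI blocklist lookup. The sample body, the `.test` hostnames and all function names are constructed for illustration; the `multi.surbl.org` zone is the one queried elsewhere in the thread.

```python
import re

# Matches http(s) URLs up to the first whitespace, quote or angle bracket.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def split_authority(url):
    """Return (host, port_text); port_text is None when no colon follows the host."""
    rest = url.split("://", 1)[1]
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    authority = authority.rsplit("@", 1)[-1]          # drop any userinfo
    if authority.startswith("["):                     # IPv6 literal, e.g. [::1]:80
        end = authority.find("]")
        if end == -1:
            return authority.lower(), None
        host, tail = authority[:end + 1], authority[end + 1:]
        return host.lower(), (tail[1:] if tail.startswith(":") else None)
    host, sep, port = authority.rpartition(":")
    if not sep:
        return authority.lower(), None
    return host.lower(), port


def classify_port(port):
    """Name the port form: the 'empty-port' case is the one from this thread."""
    if port is None:
        return "no-port"
    if port == "":
        return "empty-port"
    if port.isascii() and port.isdigit() and 0 < int(port) <= 65535:
        return "numeric-port"
    return "malformed-port"


def scan(text):
    """Return (url, host, kind) for every URL found in the text."""
    results = []
    for url in URL_RE.findall(text):
        host, port = split_authority(url)
        results.append((url, host, classify_port(port)))
    return results


def hosts_for_lookup(text):
    """Hosts to check against a URI blocklist, whatever follows the colon."""
    seen = []
    for _, host, _ in scan(text):
        if host and host not in seen:
            seen.append(host)
    return seen


def suspicious_hosts(text):
    """Hosts whose URL carried an empty or malformed port."""
    return [h for _, h, kind in scan(text)
            if kind in ("empty-port", "malformed-port")]


def surbl_query_name(host, zone="multi.surbl.org"):
    """Build the DNS name to query; assumes host is already the registered domain."""
    return f"{host}.{zone}"


# Constructed sample body (not taken from the thread's attachments).
SAMPLE_BODY = '''
<a href="http://pills.example.test:">Todays Specials!</a>
<a href="http://intranet.example.test:8080/app">status page</a>
<a href="https://www.example.test/index.html">home</a>
<a href="http://odd.example.test:80x/">odd</a>
'''

if __name__ == "__main__":
    for url, host, kind in scan(SAMPLE_BODY):
        print(f"{kind:15} {host:25} {url}")
    for host in suspicious_hosts(SAMPLE_BODY):
        print("flag:", host, "->", surbl_query_name(host))
```

The host is extracted the same way for every port form, so a lookup is never skipped just because the port text is empty or malformed.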



Re: SA config recommendations to block these spammers?

2005-04-26 Thread Loren Wilton
> URIDNSBL code, think there's a bugzilla to fix this, but I can't locate
> it at the moment.

There is; should be in 3.0.3 when it comes out, I believe.

Loren



Re: SA config recommendations to block these spammers?

2005-04-26 Thread List Mail User
The first domain, coolestrxever. com, is part of the group of
taiwantelco/taiwanmedialtd pill pushers, using a new (and false) Beverley
Hills address (the earliest ones actually used the zipcode "90210" and the
address was spoken in an episode of the show).

The second domain, magnanimityfd. com, is a porn domain probably
run by Alexey Panov (also false registration - real address, but the telephone
number is a third party's house in Boston).

Paul Shupak
[EMAIL PROTECTED]


Re: SA config recommendations to block these spammers?

2005-04-26 Thread Daryl C. W. O'Shea
Robert Brooks wrote:
ROY,RHETT G wrote:
I have two spammers that consistently get messages through to my inbox.
Based on the attached, can you make any recommendations for 
improvements to
my configuration that will help give these messages a higher score? I'm
calling SA (spamd, 3.0.2) as a content filter from Postfix.

http://coolestMUNGEDrxever.com:";>

the url has a : but no port so it doesn't get checked properly by the
URIDNSBL code, think there's a bugzilla to fix this, but I can't locate
it at the moment.
bug 4191... it's fixed in 3.0.3.
Daryl


Re: Need help interpretting score

2005-04-26 Thread Joe Kletch
On Apr 26, 2005, at 10:08 AM, Matt Yackley wrote:
Joe Kletch said:
Reference header text below "3.7 AWL AWL: From: address is in the auto
white-list" why is something in the auto whitelist scoring positive?
Shouldn't this be adding negative points?
Thanks,
Joe Kletch
*  3.7 AWL AWL: From: address is in the auto white-list
Hi Joe,
Check out http://wiki.apache.org/spamassassin/AwlWrongWay

On another server or two I have disabled the auto white-list. Is this 
acceptable practice? Now that I am into this I recall seeing this issue 
before and thus decided to disable it. Comments on this practice?

Joe Kletch


Re: SA config recommendations to block these spammers?

2005-04-26 Thread Robert Brooks
ROY,RHETT G wrote:
I have two spammers that consistently get messages through to my inbox.
Based on the attached, can you make any recommendations for improvements to
my configuration that will help give these messages a higher score? I'm
calling SA (spamd, 3.0.2) as a content filter from Postfix.

http://coolestMUNGEDrxever.com:";>
the url has a : but no port so it doesn't get checked properly by the
URIDNSBL code, think there's a bugzilla to fix this, but I can't locate
it at the moment.
--
Robert Brooks,   Network Manager,  Cable & Wireless UK
<[EMAIL PROTECTED]> http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7339 8600  Fax: +44 (0)20 7339 8601
-  Help Microsoft stamp out piracy.  Give Linux to a friend today!   -


Re: Need help interpretting score

2005-04-26 Thread Joe Kletch
On Apr 26, 2005, at 10:13 AM, Matt Kettler wrote:
Joe Kletch wrote:
Reference header text below "3.7 AWL AWL: From: address is in the auto
white-list" why is something in the auto whitelist scoring positive?
Shouldn't this be adding negative points?
First, despite its name the AWL's behavior is NOT limited to being a
whitelist.
It's a score averager, and has both white and black behaviors. It's
called AWL because the more accurate "ASABPPWBWB" (Automatic Score
Averager Based on Past Performance With Blacklist and Whitelist
Behaviors) is rather awkward.
In this case, the AWL saw that the average score of email from this
sender in the past was approximately 7.4. It saw that this message was
going to score 0, and it split the difference between the past scores,
and the current scores.
If the message is in fact not spam, then you should look at why email
from this sender scored high enough in the past to earn an average of 
7.4.

If it is spam, well, the AWL just caught something for you based on 
past
performance of the spammer.

Also, unless you have a FP or FN, don't expect the direction of the
AWL's score assignment to be indicative of whether the AWL thinks the
message is spam or not. It's quite common for the AWL to add a small
positive score to nonspam with a very large negative score. It's also
common for it to subtract a few points from spam with very high 
positive
scores.

http://wiki.apache.org/spamassassin/AwlWrongWay

Off color Jokes are rampant in this organization from the CEO down. I'm 
sure the auto-learn dbs are quite confused. I'll probably raise the 
threshold and keep requesting header of FPs.

Joe Kletch


Re: Need help interpretting score

2005-04-26 Thread Joe Kletch
On Apr 26, 2005, at 10:08 AM, Matt Yackley wrote:
*  3.7 AWL AWL: From: address is in the auto white-list
Hi Joe,
Check out http://wiki.apache.org/spamassassin/AwlWrongWay

Thanks--that makes sense. Fighting false positives for a high-strung 
sales organization is quite a challenge these days.

Joe Kletch


Re: Need help interpretting score

2005-04-26 Thread Matt Kettler
Matt Yackley wrote:

>J
>
>
>--matt "gonna see if I can post this faster than Matt K."
>
>  
>
Damnit!! You beat me to a post in my favorite topic :)



Re: Need help interpretting score

2005-04-26 Thread Matt Kettler
Joe Kletch wrote:

> Reference header text below "3.7 AWL AWL: From: address is in the auto
> white-list" why is something in the auto whitelist scoring positive?
> Shouldn't this be adding negative points?
>
First, despite its name the AWL's behavior is NOT limited to being a
whitelist.

It's a score averager, and has both white and black behaviors. It's
called AWL because the more accurate "ASABPPWBWB" (Automatic Score
Averager Based on Past Performance With Blacklist and Whitelist
Behaviors) is rather awkward.

In this case, the AWL saw that the average score of email from this
sender in the past was approximately 7.4. It saw that this message was
going to score 0, and it split the difference between the past scores,
and the current scores.

If the message is in fact not spam, then you should look at why email
from this sender scored high enough in the past to earn an average of 7.4.

If it is spam, well, the AWL just caught something for you based on past
performance of the spammer.

Also, unless you have a FP or FN, don't expect the direction of the
AWL's score assignment to be indicative of whether the AWL thinks the
message is spam or not. It's quite common for the AWL to add a small
positive score to nonspam with a very large negative score. It's also
common for it to subtract a few points from spam with very high positive
scores.


http://wiki.apache.org/spamassassin/AwlWrongWay
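
The averaging described above, as an added example that is not part of the original thread and not SpamAssassin's own code: a small Python model in which the AWL adjustment is (sender's past mean minus the current score) times a factor. The factor of 0.5 (SpamAssassin's default `auto_whitelist_factor`), keying on the From address alone, and the sample sender histories are assumptions of this sketch; only the 7.4 average and the score of 0 come from the thread.

```python
from dataclasses import dataclass

# Assumption: SpamAssassin's default auto_whitelist_factor.
AWL_FACTOR = 0.5


@dataclass
class SenderHistory:
    count: int = 0        # messages seen from this sender
    total: float = 0.0    # sum of their pre-AWL scores

    @property
    def mean(self):
        return self.total / self.count if self.count else None


class ScoreAverager:
    """Toy model of the AWL: pulls each score toward the sender's past mean."""

    def __init__(self, factor=AWL_FACTOR):
        self.factor = factor
        self.history = {}   # keyed on From address only (a simplification)

    def seed(self, sender, count, total):
        """Load a constructed history for a sender."""
        self.history[sender] = SenderHistory(count=count, total=total)

    def adjust(self, sender, score):
        """Return (awl_delta, final_score) and record the pre-AWL score."""
        entry = self.history.setdefault(sender, SenderHistory())
        mean = entry.mean
        # No history yet: nothing to average against, so no adjustment.
        delta = 0.0 if mean is None else (mean - score) * self.factor
        entry.count += 1
        entry.total += score
        return delta, score + delta


def thread_case():
    """Past mean of about 7.4, current message scores 0 before the AWL."""
    awl = ScoreAverager()
    awl.seed("sender@example.test", count=5, total=37.0)   # constructed: mean 7.4
    return awl.adjust("sender@example.test", 0.0)


def ham_case():
    """Strongly negative nonspam still receives a positive AWL delta."""
    awl = ScoreAverager()
    awl.seed("colleague@example.test", count=10, total=-50.0)  # constructed: mean -5
    return awl.adjust("colleague@example.test", -20.0)


def spam_case():
    """Very high-scoring spam has a few points subtracted by the AWL."""
    awl = ScoreAverager()
    awl.seed("bulk@example.test", count=4, total=40.0)         # constructed: mean 10
    return awl.adjust("bulk@example.test", 30.0)


if __name__ == "__main__":
    for name, case in (("thread", thread_case), ("ham", ham_case), ("spam", spam_case)):
        delta, final = case()
        print(f"{name:7} AWL delta {delta:+.1f}  final score {final:+.1f}")
```

The sign of the delta only says which side of the sender's average the current message fell on, which is why a positive AWL line can appear on mail that is still scored as nonspam.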




Re: Need help interpretting score

2005-04-26 Thread Matt Yackley
Joe Kletch said:
> Reference header text below "3.7 AWL AWL: From: address is in the auto
> white-list" why is something in the auto whitelist scoring positive?
> Shouldn't this be adding negative points?
>
> Thanks,
>
> Joe Kletch
*  3.7 AWL AWL: From: address is in the auto white-list

Hi Joe,

Check out http://wiki.apache.org/spamassassin/AwlWrongWay


Cheers,

--matt "gonna see if I can post this faster than Matt K."


Re: Can you indentify this ESMTP Service Received header?

2005-04-26 Thread Daryl C. W. O'Shea
Alex Broens wrote:
99% sure it's Critical Path's Messaging Server (http://www.cp.net)
Looks like it to me.  Thanks Alex!
Daryl


Need help interpretting score

2005-04-26 Thread Joe Kletch
Reference header text below "3.7 AWL AWL: From: address is in the auto white-list" why is something in the auto whitelist scoring positive?  Shouldn't this be adding negative points?

Thanks,

Joe Kletch
---
X-AOL-IP: 205.188.162.5
X-Spam-Prev-Subject: Breakfast menu card
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on 
mail.burtonmayer.com
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.7 required=3.5 tests=AWL,BAYES_50,
MSGID_FROM_MTA_HEADER,NO_REAL_NAME,SPF_HELO_PASS autolearn=no 
version=3.0.2
X-Spam-Report: 
*  0.0 NO_REAL_NAME From: does not include a real name
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*  [score: 0.5064]
*  0.1 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
*  3.7 AWL AWL: From: address is in the auto white-list

Re: Can you indentify this ESMTP Service Received header?

2005-04-26 Thread Alex Broens
Daryl C. W. O'Shea wrote:
Can anyone identify the mail service that generates these authenticated 
(login) headers?

Received: from rousalka.dyndns.org (81.64.155.54) by mx.laposte.net 
(7.0.028) (authenticated as user.name) id 413489B100C9C1FD for 
[EMAIL PROTECTED]; Tue, 28 Sep 2004 21:43:43 +0200

mx.laposte.net helos as:
220 mx.laposte.net ESMTP Service (7.0.028) ready
99% sure it's Critical Path's Messaging Server (http://www.cp.net)
h2h
Alex


Re: Can you indentify this ESMTP Service Received header?

2005-04-26 Thread Andy Jezierski

Niek <[EMAIL PROTECTED]> wrote on 04/26/2005 03:17:05 AM:

> On 4/26/2005 9:23 AM +0200, Daryl C. W. O'Shea wrote:
> > Can anyone identify the mail service that generates these authenticated
> > (login) headers?
> > 
> > Received: from rousalka.dyndns.org (81.64.155.54) by mx.laposte.net
> > (7.0.028) (authenticated as user.name) id 413489B100C9C1FD for
> > [EMAIL PROTECTED]; Tue, 28 Sep 2004 21:43:43 +0200
> > 
> > mx.laposte.net helos as:
> > 
> > 220 mx.laposte.net ESMTP Service (7.0.028) ready
> > 
> > Thanks,
> > 
> > Daryl
> 
> I'm guessing some version of Lotus Domino.
> 
> Niek

Domino 7 isn't out yet, so unless they're running the beta  Plus Domino
usually identifies itself in the header along with a date & time, so unless
they have changed the header...

Example:

220 xx.stepan.com ESMTP Service (Lotus Domino Release 6.0.3) ready at Tue, 26 Apr 2005 09:17:09 -0500

Re: SA config recommendations to block these spammers?

2005-04-26 Thread Eugene Kurmanin
Hello, RHETT.

Did you install Mail::SPF::Query correctly?
Do you use Postfix sender verification realtime callback?
I recommend increasing RCVD_IN_BL_SPAMCOP_NET to 4 or something...
Legitimate sources usually don't fall into this list.

You wrote on 26 April 2005, 17:51:15:

> I have two spammers that consistently get messages through to my inbox.
> Based on the attached, can you make any recommendations for improvements to
> my configuration that will help give these messages a higher score? I'm
> calling SA (spamd, 3.0.2) as a content filter from Postfix.

> Thanks,

> Rhett Roy




-- 
Kind regards,
Eugene Kurmanin



SA config recommendations to block these spammers?

2005-04-26 Thread ROY,RHETT G
I have two spammers that consistently get messages through to my inbox.
Based on the attached, can you make any recommendations for improvements to
my configuration that will help give these messages a higher score? I'm
calling SA (spamd, 3.0.2) as a content filter from Postfix.

Thanks,

Rhett Roy

Microsoft Mail Internet Headers Version 2.0
Received:  from rh1.hospital.womans.com (spamfilter.hospital.womans.com 
[10.1.100.7]) by exch-srv1.Womans.com with SMTP (Microsoft Exchange Internet 
Mail Service Version 5.5.2657.72) id FS7ZTYGL; Tue, 26 Apr 2005 01:16:39 -0500
Received:  by rh1.hospital.womans.com (Postfix, from userid 501) id 19BF97F4C0; 
Tue, 26 Apr 2005 03:28:07 -0400 (EDT)
Received:  from mail.bulgaria.com (i60-34-36-43.s02.a006.ap.plala.or.jp 
[60.34.36.43]) by rh1.hospital.womans.com (Postfix) with ESMTP id 98FD97F4A9; 
Tue, 26 Apr 2005 03:27:42 -0400 (EDT)
MIME-Version: 1.0
Content-Type: application/ms-tnef;
name="winmail.dat"
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
Content-Transfer-Encoding: binary
x-spam-checker-version: SpamAssassin 3.0.2 (2004-11-16) on  
rh1.hospital.womans.com
x-spam-level: *
x-spam-status: No, score=1.4 required=5.0 tests=BAYES_00=-2.599, 
DCC_CHECK=2.169,DIGEST_MULTIPLE=0.098,HTML_50_60=0.087, 
HTML_MESSAGE=0.001,MIME_QP_LONG_LINE=0.039, 
RAZOR2_CF_RANGE_51_100=0.056,RAZOR2_CHECK=1.511 autolearn=no  version=3.0.2
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
Subject: Please note that our prices have never been this low
Date: Tue, 26 Apr 2005 02:19:53 -0500
Message-ID: <[EMAIL PROTECTED]>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: <[EMAIL PROTECTED]>
Thread-Topic: Please note that our prices have never been this low
Thread-Index: AcVKJ4IdHl4/6p5cT/aFK3tHkVqVjw==
From: "SimplyRX" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>









Overnight Shipping and Low Prices!
http://coolestrxever.com:";>cid:[EMAIL PROTECTED]" align=baseline border=0>
Todays Specials!

That's the message from a group of published and 
award-winning novelists in an open letter to influential television talk-show 
host Oprah Winfrey, begging her to resume picking new novels for members of her 
popular book club. 

"There's a widely-held belief that the landscape of 
literary fiction is now a gloomy place," Word of Mouth, a loose alliance of 
women's authors, wrote. It said fiction sales began to plummet when the The 
Oprah Winfrey Book Club went off the air in 2002 and stopped featuring 
contemporary authors. 

"Book Club members stopped buying new fiction, and 
this changed the face of American publishing," said the letter, which was 
signed 
by 158 authors. 

Among those signing the letter were Pulitzer Prize 
winner Jhumpa Lahiri and Amy Tan, author of "The Joy Luck Club." Several male 
authors also signed. 

The letter expressed thanks for Winfrey's 
contribution to book sales and asked her to "consider focusing, once again, on 
contemporary writers in your book club." 
Getting people to read is about the most important 
contribution that anyone can make to American society," Sharp told Reuters. 
"It's a stunning achievement to get 500,00O people to go to bookstores. 


Oprah's Book Club began as a segment on Winfrey's 
talk show in 1996. An Oprah's Book Club logo on a novel's cover helped many of 
her picks garner sales of more than 1 million copies. 

The club became embroiled in controversy in 2001 
when 
Jonathan Franzen publicly objected to the selection of his novel, "The 
Corrections," and said he feared it might affect his reputation in literary 
circles. He later said he regretted voicing his reservations. 

Winfrey suspended the club in April 2002, saying she 
would only make occasional recommendations because, "It has become harder and 
harder to find books on a monthly basis that I feel absolutely compelled to 
share." 

Relaunched in June 2003, the club now picks classics 
such as John Steinbeck's "East of Eden" and Leo Tolstoy's "Anna Karenina" 
rather 
than new books. 
Microsoft Mail Internet Headers Version 2.0
Received:  from rh1.hospital.womans.com (spamfilter.hospital.womans.com 
[10.1.100.7]) by exch-srv1.Womans.com with SMTP (Microsoft Exchange Internet 
Mail Service Version 5.5.2657.72) id FS7ZTZJ7; Tue, 26 Apr 2005 06:41:15 -0500
Received:  by rh1.hospital.womans.com (Postfix, from userid 501) id 4124C7F4B1; 
Tue, 26 Apr 2005 08:52:44 -0400 (EDT)
Received:  from hafad071097.uclm.es (hafad071097.uclm.es [161.67.91.44]) by 
rh1.hospital.womans.com (Postfix) with ESMTP id 97E247F4C0 for <[EMAIL 
PROTECTED]>; Tue, 26 Apr 2005 08:52:39 -0400 (EDT)
Received:  from kegel.com (vroo.pair.com [209.68.1.136]) by hafad071097.uclm.es 
with esmtp id C735CD8EB4 for <[EMAIL PROTECTED]>; Tue, 26 Apr 2005 04:40:51 
-0700
MIME-Version: 1.0
Content-Type: application/ms-tnef;
name="winmail.dat"
Content-Transfer-Encoding: binary
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
x-s

Re: Rule of thumb for max children?

2005-04-26 Thread Eugene Kurmanin
Hello, Mike.

Do you limit the maximum size of messages to be scanned?
To reduce the receipt of 100% spam messages, use the Exim sender
verification; then, if you use exiscan and it can, reject messages from
zombie computers with a bogus HELO, like HELO 123.123.123.123 or HELO
123-123-123.virtua.com.br... Delaying the SMTP greeting is also very useful.

You wrote on 25 April 2005, 14:58:00:

> Hi there,

> I'm running SA 3.0.2 via spamc/spamd on an Exim mail server, but I'm
> finding I quickly run out of memory and the machine collapses into a
> burning heap as soon as it touches swap.  

> Is there a rule of thumb of how many SA daemons to prefork to the amount
> of RAM?  The boxes currently have 2G and I'm having to restart
> spamassassin every hour -- and they're still running out just before it
> hits the hour in some cases.  The daemons are really chewing through the
> RAM:

> root     28020  0.0  1.4  36148  30408 ?  Ss  11:32  0:01 /usr/sbin/spamd --create-prefs --max-children 15 --helper-home-dir --socketpath=/tmp/spamd -d --pidfile=/var/run/spamd.pid
> root     28021  5.6  1.9  56724  40776 ?  S   11:32  1:18 spamd child
> Debian-  28022  6.5  6.8 156404 142448 ?  S   11:32  1:30 spamd child
> Debian-  28023  7.0  6.8 156112 141248 ?  S   11:32  1:37 spamd child
> root     28024  9.5  7.0 157928 145628 ?  S   11:32  2:11 spamd child
> root     28025  8.9  6.9 154064 143532 ?  S   11:32  2:03 spamd child
> root     28026  7.4  6.8 152392 141392 ?  S   11:32  1:43 spamd child
> root     28027  8.5  6.9 155744 142780 ?  S   11:32  1:57 spamd child
> root     28028  6.4  6.7 154576 140532 ?  S   11:32  1:29 spamd child
> Debian-  28029  8.7  6.9 158684 144576 ?  S   11:32  2:00 spamd child
> Debian-  28030  8.5  6.8 154096 141724 ?  S   11:32  1:57 spamd child
> root     28031  5.5  1.9  55348  40048 ?  S   11:32  1:17 spamd child
> root     28032  7.9  6.9 156164 143112 ?  S   11:32  1:49 spamd child
> root     28033  9.6  6.9 155404 143244 ?  S   11:32  2:13 spamd child
> root     28034  7.6  6.9 156244 143224 ?  S   11:32  1:45 spamd child
> root     28035  9.0  6.8 154256 142284 ?  S   11:32  2:05 spamd child

> The machines are dual xeon 2.4G with 2G of RAM and dual U320 SCSI drives
> in software RAID1.  I could feasibly bump the boxes up to 4G, but it
> will get expensive!

> Any suggestions would be appreciated!

> Cheers
> Mike




-- 
Kind regards,
Eugene Kurmanin



Re: Can you indentify this ESMTP Service Received header?

2005-04-26 Thread Niek
On 4/26/2005 9:23 AM +0200, Daryl C. W. O'Shea wrote:
Can anyone identify the mail service that generates these authenticated 
(login) headers?

Received: from rousalka.dyndns.org (81.64.155.54) by mx.laposte.net 
(7.0.028) (authenticated as user.name) id 413489B100C9C1FD for 
[EMAIL PROTECTED]; Tue, 28 Sep 2004 21:43:43 +0200

mx.laposte.net helos as:
220 mx.laposte.net ESMTP Service (7.0.028) ready
Thanks,
Daryl
I'm guessing some version of Lotus Domino.
Niek


Re: Bayes Problems

2005-04-26 Thread crisppy fernandes
On 4/14/05, J Thomas Hancock <[EMAIL PROTECTED]> wrote:
> I am having one heck of a time getting Bayes working with SpamAssassin.
> 
> I am using postfix 2.2.2 and SA 3.00.2.  Postfix is being ran as the user
> postfix.  SA is being ran as postdrop.
> 
> The following is the output from the syslog.
> 
> spamd[22065]: debug: plugin:
> Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa8b6820) implements
> 'parse_config'
> spamd[22065]: debug: bayes: 22065 tie-ing to DB file R/O
> /home/postdrop/.spamassassin_toks
> spamd[22065]: debug: bayes: 22065 tie-ing to DB file R/O
> /home/postdrop/.spamassassin_seen
> spamd[22065]: debug: bayes: found bayes db version 3
> spamd[22065]: debug: bayes: Not available for scanning, only 35 ham(s) in
> Bayes DB < 200
> spamd[22065]: debug: bayes: 22065 untie-ing
> spamd[22065]: debug: bayes: 22065 untie-ing db_toks
> spamd[22065]: debug: bayes: 22065 untie-ing db_seen
> spamd[22065]: debug: Score set 1 chosen.
> spamd[22065]: debug:  MIME PARSER START 
> spamd[22065]: debug: main message type: text/plain
> spamd[22065]: debug: parsing normal part
> spamd[22065]: debug: added part, type: text/plain
> spamd[22065]: debug:  MIME PARSER END 
> spamd[22065]: debug: using "/tmp/spamd-22065-init/.spamassassin" for user
> state dir
> spamd[22065]: debug: bayes: no dbs present, cannot tie DB R/O:
> /tmp/spamd-22065-init/.spamassassin/bayes_toks
> spamd[22065]: debug: metadata: X-Spam-Relays-Trusted:
> 
> Unfortunately I have tinkered with this too much so I really can not list
> what I have or have not tried.
> 
> Any input would be appreciated.
> 
> Thank you,
> Tom
> 

Don't worry.
This is spam behaviour change.
To make your spam database work quickly, you can pick up a Bayes
starter database from the site link below.

 http://www.fsl.com/support/

But it is always suggested that spam data base which is basically
based on bayesian logic should learn from its own.

Also command for making spamassassin learn any file or mail as spam or
ham mail, you can use this command

sa-learn --spam file/mail_box_path
sa-learn --ham file/mail_box_path


-- 
Crisppy Fernandes


Can you indentify this ESMTP Service Received header?

2005-04-26 Thread Daryl C. W. O'Shea
Can anyone identify the mail service that generates these authenticated 
(login) headers?

Received: from rousalka.dyndns.org (81.64.155.54) by mx.laposte.net 
(7.0.028) (authenticated as user.name) id 413489B100C9C1FD for 
[EMAIL PROTECTED]; Tue, 28 Sep 2004 21:43:43 +0200

mx.laposte.net helos as:
220 mx.laposte.net ESMTP Service (7.0.028) ready
Thanks,
Daryl


Re: [OT] Funny watch spam

2005-04-26 Thread Robert Menschel
Hello Robert,

Monday, April 25, 2005, 8:47:28 AM, you wrote:

 >> Subject: rawlex repliccas esp. for you ashtray

RB> are they being rude about me, or just suggesting where I should put the
RB> repliccas ;-)

RB> on a more serious note we need something like (?:o|aw) in the rolex rules.

I hadn't seen these, since every one received in the past month (all
11) has scored 20+. No false negatives at all with that pattern.

Still, easy enough to do ... will be in the next update of
70_sare_specific.cf

I'll also test "repliccas" and variations for the new obfu rule set.

Bob Menschel





Re: Can I convert my autowhitelist to MySQL?

2005-04-26 Thread Michael Parker
On Tue, Apr 26, 2005 at 12:22:35AM -0400, Steven W. Orr wrote:
> I'm looking into converting to using SQL and I saw the conversion of the 
> bayes data but nothing for the autowhitelist. Anyone?

tools/convert_awl_dbm_to_sql

Michael




More on PerMsgStatus.pm problem

2005-04-26 Thread jdow
I tend to get spamd errors on some messages that may be related to the
spam markup. The messages get as far as this bug report and processing
terminates with no spam markup at all.
===8<---
 error: Insecure dependency in eval while running setuid at
/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2091._
No such file or directory, continuing
===8<---

Alas, there is no indication of WHAT file or directory is needed here.
Sometimes the bug repeats with "spamc 

Can I convert my autowhitelist to MySQL?

2005-04-26 Thread Steven W. Orr
I'm looking into converting to using SQL and I saw the conversion of the 
bayes data but nothing for the autowhitelist. Anyone?

TIA
--
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net


Re: Does anyone have a rule to get rid of these types of messages

2005-04-26 Thread Matt Kettler
Dan Simmons wrote:


SURBL, and Razor 2 truly tore this message up on my system. All based on
a URI being present.


(score=9.931, required 5, BAYES_01 -1.52, HTML_70_80 0.10,
HTML_FONTCOLOR_BLUE 0.10, HTML_FONTCOLOR_UNKNOWN 0.10,
HTML_FONTCOLOR_UNSAFE 0.10, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 2.10,
RAZOR2_CF_RANGE_51_100 0.20, RAZOR2_CHECK 1.05, SPAMCOP_URI_RBL 3.00,
WS_URI_RBL 2.10)

So it hit all of the following:
Razor2 (e8 based URI check)
spamcop URI
WS URI
JP URI
OB URI
  

It's also one of the latest "HTML table obfuscation" spams, for which you
might want to try this rule from the thread "Tables obscuring words"
circa 4/8/2005 on this list:

This variant posted by Jesse Houwing from SARE:

rawbody TABLEOBFU
/]|"[^"]*"|'[^']*')*>(<([^>]|"[^"]*"|'[^']*')*>)*[a-z]{1,2}(<([^>]|"[^"]*"|'[^']*')*>)*<\/td([^>]|"[^"]*"|'[^']*')*>/i

score TABLEOBFU 2

I don't have this rule on my system, so regard the above as untested.

Also see the thread "Extra Sare Rules for meds?" circa 4/6/2005 on this list



Re: [SPAM-TAG] Does anyone have a rule to get rid of these types of messages

2005-04-26 Thread Jeff Chan
SURBLs will catch these because of:

> href="http://ukbyfzovkfmz.net&saaplurfngdush5utq4x%2Erancejknfl%2Ecom/";>C8lick
> her9e for our pi1ll of the day s5pecial!

  http://www.surbl.org/

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
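
The href quoted above hides its dots as %2E, the kind of hostname escaping behind the HTTP_ESCAPED_HOST hit in the report earlier in this thread. The following is an added example, not SpamAssassin or SURBL code: the function names are hypothetical, and taking the last two labels as the base domain is a simplifying assumption (it ignores two-level country-code TLDs).

```python
import re
from urllib.parse import unquote

# The href quoted in this thread, used as sample input.
SAMPLE_HREF = "http://ukbyfzovkfmz.net&saaplurfngdush5utq4x%2Erancejknfl%2Ecom/"

_AUTHORITY = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#]*)", re.I)
_ESCAPE = re.compile(r"%[0-9a-f]{2}", re.I)
_LABEL_RUN = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def authority(url):
    """Return the raw authority part (between '://' and the first '/', '?' or '#')."""
    m = _AUTHORITY.match(url)
    return m.group(1) if m else ""


def has_escaped_host(url):
    """True when the authority part carries a %XX escape, which a normal link never needs."""
    return _ESCAPE.search(authority(url)) is not None


def candidate_domains(url):
    """Decode the authority and list the base domains worth a URI blocklist lookup.

    Every run of dot-separated labels is considered, because characters such
    as '&' can glue a decoy name onto the name that is really being advertised.
    """
    raw = authority(url).rsplit("@", 1)[-1]      # drop any userinfo
    decoded = unquote(raw).lower()               # %2E -> '.'
    decoded = re.sub(r":\d+$", "", decoded)      # drop a trailing port
    found = []
    for run in _LABEL_RUN.findall(decoded):
        labels = [label for label in run.split(".") if label.strip("-")]
        if len(labels) < 2:
            continue
        base = ".".join(labels[-2:])             # assumption: two-label base domain
        if base not in found:
            found.append(base)
    return found


if __name__ == "__main__":
    print(has_escaped_host(SAMPLE_HREF), candidate_domains(SAMPLE_HREF))
```
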



Does anyone have a rule to get rid of these types of messages

2005-04-26 Thread Dan Simmons
  
Sa p To 95 OF Reta il Pri ces With ED-D ve U % F rugs!

VI RA, CI S, LE RA, UL AM , SO AG ALI VIT TR MA

$1. $1. $1. $1. $1. 15 77 11 27 88

To Spe : Via 30x100m ls on ly $59. day cial gra g pil 95
 
 
http://ukbyfzovkfmz.net&saaplurfngdush5utq4x%2Erancejknfl%2Ecom/";>C8lick
her9e for our pi1ll of the day s5pecial!

strong, and Alan began to
suffer in proportion.  From Prestonpans herepeat his words; you
have not forgotten yourself, I hope?her newspaper in her hand, and
said, out of breath, My goodness