Re: SA + PostFix + Virtual final question for a while

2005-05-14 Thread hamann . w


>> I don't expect I'll get a reply quick enough to help. It's been strongly
>> suggested that I switch our mail server over to ANYTHING other than what we
>> have before the weekend is out.
>> 
>> I've been bouncing around the web and digging through documentation trying to
>> figure out how to do SA + virus scanning in a virtual domain SQL environment
>> with per-user prefs working.

Hi,

now that it is certainly too late :(
I am running qmail in a setup where incoming mail is just checked for viruses
(qmail-scanner) and then delivered to a cyrus mailstore. The shell script
called for delivery invokes SA and knows about the recipient, so it can pick
up user preferences from a sql database.
I had to develop a solution for the "user name != system account" problem,
but the latest cyrus release supports virtual hosting, and the mail accounts
will be named [EMAIL PROTECTED]

It is also up to the shell script to handle express delivery (/dev/null) or
similar things.

As an observation: the majority of users does NOT use the imap access, only
the pop3.
I once tried to convince an outlook user to switch but his reaction was "it
looks all different; cannot I have it the same way as before?"

Wolfgang Hamann





Re: Bombarded by German political spam

2005-05-14 Thread Loren Wilton
> anybody else seeing this?

I got one of them, and fortunately only one.  Bayes did a good job of
catching it.

Loren



Bombarded by German political spam

2005-05-14 Thread David B Funk
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages I
haven't found any easily identified parts to create rules for.

anybody else seeing this?

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin   Iowa City, IA 52242-1527
Better is not better, 'standard' is better. B{


Re: Evading URI checks

2005-05-14 Thread Loren Wilton
> > Go Here to Order Online: RxRealness.com
>
> > How would one go about adding checks for the omission of http:// ?
>
> It's something the SA developers have already considered, but it
> may be too resource intensive to check for every possible domain
> that doesn't have a URI method.  Does this give spammers a way to
> advertise their domains without detection?  Sure it does, but it
> also means they can't use clickable links, which may decrease
> their response rates.

It's also not all that useful, at least in that particular spammer's case.
I got one of those somewhat after the OP mentioned his.  Mine scored 19.2
without any network checks.

Loren



Re: {SPAM} Drug SPAM problem..any fixes?

2005-05-14 Thread Jeff Chan
On Saturday, May 14, 2005, 10:43:08 AM, martin smith wrote:
M>>From: Matt Kettler [mailto:[EMAIL PROTECTED]

M>>Most of that is URI blacklists from surbl (supported by SA 
M>>3.x by default), as well as uribl.com (not supported in 
M>>default config but I added it by hand)
M>>

> Trouble is with the SURBL is that you can receive a lot of these spams
> before they get listed, they also seem to change domain name twice a day or
> more to keep ahead of the listing, that's why I wanted something to block
> them if they don't hit any black lists.

We're working on reducing the latency of SURBLs.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Evading URI checks

2005-05-14 Thread Jeff Chan
On Saturday, May 14, 2005, 6:21:24 PM, Niek wrote:
> Today I got some spams which evaded URI checks like this:

> Go Here to Order Online: RxRealness.com

> How would one go about adding checks for the omission of http:// ?

> Only things that hit were: bayes, base64 raw and drugs_erctile by the way.

> Niek

It's something the SA developers have already considered, but it
may be too resource intensive to check for every possible domain
that doesn't have a URI method.  Does this give spammers a way to
advertise their domains without detection?  Sure it does, but it
also means they can't use clickable links, which may decrease
their response rates.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: more spam with SpamAssassin version 3.0.2

2005-05-14 Thread wolfgang
In an older episode (Saturday 14 May 2005 18:41), Matt Kettler wrote:
> wolfgang wrote:
> > In an older episode (Saturday 14 May 2005 17:53), Matt Kettler wrote:
> > 
> >>3.0.3 fixes some scoring issues in 3.0.2 and a few important
> >>bugs that 3.0.2 suffers from in terms of accuracy (mostly URI parsing for 
> >>URIBLs). 
> > 
> > 
> > after installing debian's SA 3.0.3 yesterday, I noticed that it lacks the
> > patches mentioned on
> > http://bugzilla.spamassassin.org/show_bug.cgi?id=4111
> > http://bugzilla.spamassassin.org/show_bug.cgi?id=4298

> Thanks for the heads up on that one wolfgang.

my pleasure.

> 
> Distro ports are such a mixed blessing.
agreed, but the sources from
http://apache.easy-webs.de/spamassassin/source/Mail-SpamAssassin-3.0.3.tar.bz2
lack those patches too - so that is not debian specific.

regards,

wolfgang


Evading URI checks

2005-05-14 Thread Niek
Today I got some spams which evaded URI checks like this:
Go Here to Order Online: RxRealness.com
How would one go about adding checks for the omission of http:// ?
Only things that hit were: bayes, base64 raw and drugs_erctile by the way.
Niek


Re: Drug SPAM problem..any fixes?

2005-05-14 Thread Rob Skedgell
On Sunday 15 May 2005 00:02, List Mail User wrote:
> >...
> >On Saturday 14 May 2005 18:30, List Mail User wrote:
> >[...]
> >
> >>Just to keep up; aeroseddicc. com is another multitrade group
> >> domain. Note the contact email of "[EMAIL PROTECTED] com" - same as
> >> for the domain multitrade-corp. com, and the telephone/fax numbers
> >> match those of the domain sheenier. net.  And, of course the name
> >> servers' domain of aicstrungcb. biz is multitrade also.  Oh, yes,
> >> they also seem to have control of mail333. com.
> >>
> >>With enough pressure, they will run out of registrars, or be
> >> forced to use the Chinese ones.
> >
> >Just to add to that, mail333.com addresses are used in the
> > registration of quite a lot of spamvertized domains - see
> > >mail333.com&start=0&scoring=d&>
> >
> >mail333.com itself is in whois.rfc-ignorant.org, as are most (all?)
> > of the related domains, and I'm getting promising results using
> > that blacklist as a URIbl:
s/most/many/ then

[...]
>   Take a look at who made the submissions at rfci (try a lookup
> on the IP address).  Not all the related domains are there - though
> a dozen or so new ones went in today.  Also look at Bugzilla #4104
> (though I have changed/evolved the rules which I currently use since
> that submission to lower the scores for the individual rules, and use
> meta-rules to add points back for multiple rule hits.).

I wondered who that IP address was [yours presumably]... It's a pleasant 
surprise to see that someone has beaten me to it when a spamvertized 
domain with demonstrably fake whois data comes to my attention. BTW, do 
you have a good (English language) web resource for Russian addresses 
and postcodes (like those for aicstrungcb.biz), as the one linked to by 
 is in Russian?

I haven't added any of the other mail RHSbls as URIBL rules, although 
many of them are in Exim ACLs. Looking at the scores you assigned for 
other RFCI zones, I think I may have made the right choice using whois 
for experimentation.

-- 
Rob Skedgell <[EMAIL PROTECTED]>




Amusement value

2005-05-14 Thread Loren Wilton
Gee, I wonder what the subject could be?  Following is an actual spam header
I just got:

Return-Path: <[EMAIL PROTECTED]>
Status:  U
Received: from smtp.earthlink.net [209.86.93.211]
 by localhost with POP3 (fetchmail-6.2.5)
Received: from m6.stockmacro.com ([66.250.17.88])
 by tanager.mail.pas.earthlink.net (EarthLink SMTP Server) with ESMTP id
1dx62wuG3NZFmQ0
Received: from localhost (localhost.localdomain [127.0.0.1])
 by m6.stockmacro.com (Postfix) with SMTP id 7AD823EE65161
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Cadenced: divulge braided pontific midas kickoff daughterly unprotected
porcelain lovejoy resolve derive floored malayize antibacterial designers
allow beaverton
Content-Type: multipart/alternative;
boundary="=_3f35d615795e6eb759ba2e4fb2d6f144"
MIME-Version: 1.0
X-M-a8e4: 1090:bHdpbHRvbkBlYXJ0aGxpbmsubmV0:wwztwulguvmq
Subject: Looking for Quality Christian Singles?
From: "Where Christians Meet" <[EMAIL PROTECTED]>
Subject: Meet serious Christian Singles, just like you
From: "Christian Dating" <[EMAIL PROTECTED]>
Subject: Looking for Quality Christian Singles?
From: "Christian Dating" <[EMAIL PROTECTED]>
Subject: Meet serious Christian Singles, just like you
From: "Christian Dating" <[EMAIL PROTECTED]>
Subject: Looking for Quality Christian Singles?
From: "Where Christians Meet" <[EMAIL PROTECTED]>
Subject: Looking for Quality Christian Singles?
From: "Where Christians Meet" <[EMAIL PROTECTED]>
Subject: Single? Meet other Christians
From: "Where Christians Meet" <[EMAIL PROTECTED]>
Subject: Single? Meet other Christians
From: "Where Christians Meet" <[EMAIL PROTECTED]>
Subject: Single? Meet other Christians
From: "Where Christians Meet" <[EMAIL PROTECTED]>
Subject: Meet serious Christian Singles, just like you
From: "Where Christians Meet" <[EMAIL PROTECTED]>
Subject: Single? Meet other Christians
From: "Where Christians Meet" <[EMAIL PROTECTED]>
Subject: Single? Meet other Christians
From: "Christian Dating" <[EMAIL PROTECTED]>
Subject: Meet serious Christian Singles, just like you
From: "Christian Dating" <[EMAIL PROTECTED]>
Subject: Single? Meet other Christians
From: "Where Christians Meet" <[EMAIL PROTECTED]>
Subject: Looking for Quality Christian Singles?
From: "Where Christians Meet" <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Date: Sat, 14 May 2005 17:20:22 -0700 (PDT)
X-ELNK-AV: 0




Re: Drug SPAM problem..any fixes?

2005-05-14 Thread List Mail User
>...
>
>On Saturday 14 May 2005 18:30, List Mail User wrote:
>[...]
>>
>>  Just to keep up; aeroseddicc. com is another multitrade group
>> domain. Note the contact email of "[EMAIL PROTECTED] com" - same as
>> for the domain multitrade-corp. com, and the telephone/fax numbers
>> match those of the domain sheenier. net.  And, of course the name
>> servers' domain of aicstrungcb. biz is multitrade also.  Oh, yes,
>> they also seem to have control of mail333. com.
>>
>>  With enough pressure, they will run out of registrars, or be forced
>> to use the Chinese ones.
>
>Just to add to that, mail333.com addresses are used in the registration
>of quite a lot of spamvertized domains - see
>.com&start=0&scoring=d&>
>
>mail333.com itself is in whois.rfc-ignorant.org, as are most (all?) of
>the related domains, and I'm getting promising results using that
>blacklist as a URIbl:
>
># whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
>urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A   5
>body URIBL_RFCI_WHOIS  eval:check_uridnsbl('URIBL_RFCI_WHOIS')
>describe URIBL_RFCI_WHOIS  Contains an URL listed in RFCI whois
>tflags URIBL_RFCI_WHOIS  net
>score URIBL_RFCI_WHOIS 2.0
>uridnsbl_skip_domain   ac.uk
>
>-- 
>Rob Skedgell <[EMAIL PROTECTED]>
>

Take a look at who made the submissions at rfci (try a lookup
on the IP address).  Not all the related domains are there - though
a dozen or so new ones went in today.  Also look at Bugzilla #4104
(though I have changed/evolved the rules which I currently use since
that submission to lower the scores for the individual rules, and use
meta-rules to add points back for multiple rule hits).

Paul Shupak
[EMAIL PROTECTED]


Re: {SPAM} Drug SPAM problem..any fixes?

2005-05-14 Thread Loren Wilton
Let me just suggest that there are all kinds of catchable keys in the spam
you posted.  I don't really want to post rules for these, since as soon as
rules get posted here the keys disappear from the spams.

Loren



Re: Drug SPAM problem..any fixes?

2005-05-14 Thread Rob Skedgell
On Saturday 14 May 2005 18:30, List Mail User wrote:
[...]
>
>   Just to keep up; aeroseddicc. com is another multitrade group
> domain. Note the contact email of "[EMAIL PROTECTED] com" - same as
> for the domain multitrade-corp. com, and the telephone/fax numbers
> match those of the domain sheenier. net.  And, of course the name
> servers' domain of aicstrungcb. biz is multitrade also.  Oh, yes,
> they also seem to have control of mail333. com.
>
>   With enough pressure, they will run out of registrars, or be forced
> to use the Chinese ones.

Just to add to that, mail333.com addresses are used in the registration 
of quite a lot of spamvertized domains - see 


mail333.com itself is in whois.rfc-ignorant.org, as are most (all?) of 
the related domains, and I'm getting promising results using that 
blacklist as a URIbl:

# whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A   5
body URIBL_RFCI_WHOIS  eval:check_uridnsbl('URIBL_RFCI_WHOIS')
describe URIBL_RFCI_WHOIS  Contains an URL listed in RFCI whois
tflags URIBL_RFCI_WHOIS  net
score URIBL_RFCI_WHOIS 2.0
uridnsbl_skip_domain   ac.uk

-- 
Rob Skedgell <[EMAIL PROTECTED]>




Re: {SPAM} Drug SPAM problem..any fixes?

2005-05-14 Thread Matt Kettler
martin smith wrote:

> Trouble is with the SURBL is that you can receive a lot of these spams
> before they get listed, they also seem to change domain name twice a day or
> more to keep ahead of the listing, that's why I wanted something to block
> them if they don't hit any black lists.
> 
> Martin
> 

True, which is part of why I use some greylisting.. it helps the blacklist hit
rates.


I really don't know of any good static rule that works consistently for these
that won't just nail every email with embedded images.

One thing you might look at is this part:

8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a7s3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5m

Note that after the first 3 numbers, it's an alternating sequence of random
lower-case letters and numbers. The repeating part is 140 characters long, or 70
repeats..

You could probably pick out 50 or so of these with low FP rate:

body L_STRANGE_ID   /(?:\d[a-z]){50}/
score L_STRANGE_ID  0.1


Another tool to try here, which has the same drawbacks as surbl, is razor.

Razor can pick up on the hash of the embedded image, text, or URI so this way
you're forcing them to change three things: domains, images and body text.
(Razor hashes each mime part and each URI separately, so spam can be identified
by any one of these, not just the combined whole of the message.)

While not perfect, at least this gets you 3 shots at the message based on 
content.


Re: SQL Question -- FIX

2005-05-14 Thread Michael Parker
On Fri, May 13, 2005 at 06:53:28PM -0700, Steven Manross wrote:
> ***This now works (with minor mods to the SA distro files [SQL.pm] and
> the creation of an additional MS SQL User defined function)
> 
> I've mocked up an MS SQL Version of RPAD that could be easily introduced
> into the readme code that creates the bayes tables, and sets the
> version. (please correct the SQL for RPAD if I've incorrectly defined
> part of it). 
> 
> spamassassin -D output.txt
> 
> ...showed bayes activity and marked spam/ham accordingly.
> 
> The only problem now being is that when you call MS SQL RPAD, you need
> to do so, like so:
> 
> dbo.RPAD('this',5,' ')

If it was straight SQL (ie select token, spam_count, ham_count etc)
what would the token portion have to look like for MS SQL?

Something like:

select substring(token,1,len(token)) + replicate(' ',5-len(token)),
ham_count, spam_count etc etc

?

If so, it would simply be a matter (in 3.1 at least) of creating a
MSSQL.pm module that inherits from SQL.pm and overrides
_token_select_string.  Of course, you can still do that with the RPAD
function and make the call:
select dbo.RPAD(token,5,' '), spam_count, ham_count etc etc

Seems like a reasonable thing to do, and in the future we might find
some other MS SQL specific things we want to override to make things
faster.

FYI, to answer your question about why not just use varchar, we found
that creating variable length rows really slowed down the SQL, so best
to keep things a constant length, things move much faster that way.

Michael




RE: {SPAM} Drug SPAM problem..any fixes?

2005-05-14 Thread martin smith
M>-Original Message-
M>From: Matt Kettler [mailto:[EMAIL PROTECTED] 
M>Sent: 14 May 2005 18:37
M>To: Dan Simmons
M>Cc: users@spamassassin.apache.org
M>Subject: Re: {SPAM} Drug SPAM problem..any fixes?
M>
M>Dan Simmons wrote:
M>> Hi All,
M>> 
M>> I am having an issue with the following DRUG related spam.  Does 
M>> anyone have any rules to catch this?
M>> 
M>> Environment: SA 3.0.2 with network tests and the following 
M>SARE rule sets:
M>
M>> X-SA-SysThreshold: 6.0
M>> 0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 
M>1600-2000 bytes of words
M>> 0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
M>> 0.0 HTML_MESSAGE BODY: HTML included in message
M>> 
M>
M>For your message I got the following (SA 2.64 with Mail::SpamCopURI)
M>
M>SpamAssassin (score=7.908, required 5,AB_URI_RBL 
M>1.00, BAYES_00 -4.90,
M>BLACK_URI_RBL 2.00,   HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
M>INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 
M>2.10, SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)
M>
M>Most of that is URI blacklists from surbl (supported by SA 
M>3.x by default), as well as uribl.com (not supported in 
M>default config but I added it by hand)
M>

Trouble is with the SURBL is that you can receive a lot of these spams
before they get listed, they also seem to change domain name twice a day or
more to keep ahead of the listing, that's why I wanted something to block
them if they don't hit any black lists.

Martin



Re: {SPAM} Drug SPAM problem..any fixes?

2005-05-14 Thread Matt Kettler
Dan Simmons wrote:
> Hi All,
> 
> I am having an issue with the following DRUG related spam.  Does
> anyone have any rules to catch this?
> 
> Environment: SA 3.0.2 with network tests and the following SARE rule sets:

> X-SA-SysThreshold: 6.0
>   0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
>   0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
>   0.0 HTML_MESSAGE BODY: HTML included in message
> 

For your message I got the following (SA 2.64 with Mail::SpamCopURI)

SpamAssassin (score=7.908, required 5,  AB_URI_RBL 1.00, BAYES_00 -4.90,
BLACK_URI_RBL 2.00, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 2.10,
SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)

Most of that is URI blacklists from surbl (supported by SA 3.x by default), as
well as uribl.com (not supported in default config but I added it by hand)

I'd check to see if your URIBL's are working. SA 3.x supports them by default,
but you need a relatively recent Net::DNS for them to work.

Also, if you're using a ported package for your OS distribution instead of the
official SA packages, make sure you've got an init.pre file in your
configuration. If you don't, the URIBL plugin won't load.


RE: Drug SPAM problem..any fixes?

2005-05-14 Thread martin smith
M>-Original Message-
M>From: Dan Simmons [mailto:[EMAIL PROTECTED] 
M>Sent: 14 May 2005 18:13
M>To: users@spamassassin.apache.org
M>Subject: Drug SPAM problem..any fixes?
M>
M>Hi All,
M>
M>I am having an issue with the following DRUG related spam.  Does
M>anyone have any rules to catch this?
M>--=_Part_26268598_14758651.1312519906417
M>Content-Type: image/gif;
M> name="Frccf.GIF"
M>Content-Transfer-Encoding: base64
M>Content-ID: 
M>

You could probably write a rule to catch it using a signature from the gif,
here's an example of one I have done for some viagra/cialis spam that uses a
gif

full __MS_Drug_Gif /\bR0lGODlh/
full __MS__Gif /\bimage\/gif\b/i
meta MS_Drug_Gif __MS_Drug_Gif && __MS__Gif
score MS_Drug_Gif 5
describe MS_Drug_Gif Gif Used to Advertise Meds

R0lGODlh is the beginning of the gif when viewed raw

Martin
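Both rules in this thread that key on message content (Martin's MS_Drug_Gif meta rule above and Matt's L_STRANGE_ID rule from his reply earlier in the digest) can be tried outside SpamAssassin with the following added example. It is not code from the thread or from SpamAssassin: it implements only a small subset of the rule language (body/full regex rules, meta rules joined with && and ||, score lines) and runs it over a constructed multipart message. The message, its boundary and file name are assumptions; the base64 signature R0lGODlh falls out of encoding the six bytes "GIF89a", which the code builds rather than pasting.

```python
import base64
import email
import re
from email import policy

# Rules as posted in the thread (Martin's GIF meta rule, Matt's ID rule).
RULES = r"""
full __MS_Drug_Gif /\bR0lGODlh/
full __MS__Gif /\bimage\/gif\b/i
meta MS_Drug_Gif __MS_Drug_Gif && __MS__Gif
score MS_Drug_Gif 5
describe MS_Drug_Gif Gif Used to Advertise Meds
body L_STRANGE_ID /(?:\d[a-z]){50}/
score L_STRANGE_ID 0.1
"""

RULE_RE = re.compile(r"^(body|full)\s+(\S+)\s+/(.*)/([a-z]*)$")
META_RE = re.compile(r"^meta\s+(\S+)\s+(.+)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?[\d.]+)$")


def parse_rules(text):
    """Return (regex_rules, meta_rules, scores); describe lines are ignored."""
    regex_rules, meta_rules, scores = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := RULE_RE.match(line):
            kind, name, pattern, flags = m.groups()
            regex_rules[name] = (kind, re.compile(pattern, re.I if "i" in flags else 0))
        elif m := META_RE.match(line):
            meta_rules[m.group(1)] = m.group(2)
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
    return regex_rules, meta_rules, scores


def body_text(raw):
    """Decoded text/* parts: roughly what a 'body' rule sees, unlike 'full'."""
    msg = email.message_from_string(raw, policy=policy.default)
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")


def eval_meta(expr, hits):
    """Evaluate an 'A && !B || C' style meta expression (no parentheses)."""
    def term(t):
        t = t.strip()
        negate = t.startswith("!")
        return hits.get(t.lstrip("!").strip(), False) != negate
    return any(all(term(t) for t in clause.split("&&")) for clause in expr.split("||"))


def evaluate(raw, rules_text=RULES):
    """Return ({rule: hit}, total score) for one raw message; __ rules score 0."""
    regex_rules, meta_rules, scores = parse_rules(rules_text)
    body = body_text(raw)
    hits = {name: bool(rx.search(raw if kind == "full" else body))
            for name, (kind, rx) in regex_rules.items()}
    for name, expr in meta_rules.items():
        hits[name] = eval_meta(expr, hits)
    total = sum(scores.get(n, 1.0) for n, h in hits.items() if h and not n.startswith("__"))
    return hits, round(total, 2)


def alternating_pairs(text):
    """Longest run of digit+lowercase-letter pairs, the shape Matt's rule keys on."""
    runs = re.findall(r"(?:\d[a-z])+", text)
    return max((len(r) // 2 for r in runs), default=0)


def build_sample(image_bytes, token):
    """Constructed multipart/related message; not a message from the thread."""
    return (
        'Content-Type: multipart/related; boundary="part-boundary"\n'
        "MIME-Version: 1.0\n\n"
        "--part-boundary\n"
        "Content-Type: text/html; charset=us-ascii\n\n"
        f"<p>cuts whistles out of the trees</p>\npeoples{token}\n"
        "--part-boundary\n"
        'Content-Type: image/gif; name="Frccf.GIF"\n'
        "Content-Transfer-Encoding: base64\n\n"
        f"{base64.b64encode(image_bytes).decode()}\n"
        "--part-boundary--\n"
    )


# The token Matt isolated from the spam body, verbatim from his message.
TOKEN = ("8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a7s3z7"
         "k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5m")
GIF_HEADER = b"GIF89a" + bytes(12)            # base64 of 'GIF89a' starts 'R0lGODlh'
JPEG_HEADER = b"\xff\xd8\xff\xe0" + bytes(12)  # a JPEG mislabelled image/gif: no hit

if __name__ == "__main__":
    print(evaluate(build_sample(GIF_HEADER, TOKEN)))
    print(evaluate(build_sample(JPEG_HEADER, "hello world")))
```

The second run shows why Martin's rule is a meta: the mislabelled JPEG still trips __MS__Gif on the Content-Type header, but without the R0lGODlh signature MS_Drug_Gif stays off and nothing scores.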



Re: Drug SPAM problem..any fixes?

2005-05-14 Thread List Mail User
>...
>
>Hi All,
>
>I am having an issue with the following DRUG related spam.  Does
>anyone have any rules to catch this?
>
>Environment: SA 3.0.2 with network tests and the following SARE rule sets:
>70_sare_adult.cf
>70_sare_bayes_poison_nxm.cf
>70_sare_evilnum0.cf
>70_sare_genlsubj0.cf
>70_sare_genlsubj1.cf
>70_sare_genlsubj_eng.cf
>70_sare_header0.cf
>70_sare_header1.cf
>70_sare_header_eng.cf
>70_sare_html0.cf
>70_sare_html1.cf
>70_sare_html_eng.cf
>70_sare_oem.cf
>70_sare_random.cf
>70_sare_specific.cf
>70_sare_spoof.cf
>70_sare_unsub.cf
>70_sare_uri0.cf
>70_sare_uri1.cf
>70_sare_uri_eng.cf
>72_sare_bml_post25x.cf
>72_sare_redirect_post3.0.0.cf
>99_FVGT_Tripwire.cf
>99_sare_fraud_post25x.cf
>backhair.cf
>bigevil.cf
>chickenpox.cf
>weeds2.cf
>
>Thanks in advance!
>
>DN
>
>Received: from [216.249.40.20] (HELO mx2..xxx)
>  by xxx.x.xxx
>  with ESMTP id 8426770; Sat, 14 May 2005 13:19:47 -0300
>Received: from [85.65.64.105] ([85.65.64.105]:52747 "HELO
>   85-65-64-105.barak-online.net") by mx2.x.xxx with SMTP
>   id S69776AbVENQTr (ORCPT  + 12 others);
>   Sat, 14 May 2005 13:19:47 -0300
>X-MID: <[EMAIL PROTECTED]>
>Date:  Sat, 14 May 2005 12:18:01 -0500
>Message-Id: <[EMAIL PROTECTED]>
>From:  Gregory Hicks <[EMAIL PROTECTED]>
>To:[EMAIL PROTECTED]
>Subject: Re: dehorn ADVATE
>MIME-Version: 1.0
>Content-Type: multipart/related;
>   boundary="=_Part_26268598_14758651.1312519906417"
>X-DK-Sender: [EMAIL PROTECTED]
>X-DK-Policy: Inbound, CheckSpam=Yes
>X-DK-AttBlock: No attachments have reject extensions
>X-DK-WList: No sender or recipients white-listed
>X-SA-Version: 3.0.2 (2004-11-16) on mx2.northrock.bm
>X-SA-Score:0.9
>X-SA-SysThreshold: 6.0
>   0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
>   0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
>   0.0 HTML_MESSAGE BODY: HTML included in message
>
>This is a multi-part message in MIME format.
>
>--=_Part_26268598_14758651.1312519906417
>Content-Type: multipart/alternative;
>boundary="=_Part_24709875_12152681.2407573909984"
>
>
>--=_Part_24709875_12152681.2407573909984
>Content-Type: text/plain;
>charset=us-ascii
>Content-Transfer-Encoding: 7bit
>
>--=_Part_24709875_12152681.2407573909984
>Content-Type: text/html;
> charset=us-ascii
>Content-Transfer-Encoding: 7Bit
>
>--=_Part_24709875_12152681.2407573909984--
>
>--=_Part_26268598_14758651.1312519906417
>Content-Type: image/gif;
> name="Frccf.GIF"
>Content-Transfer-Encoding: base64
>Content-ID: 
>
>--=_Part_26268598_14758651.1312519906417--
>
>
>
>SIZE=2>
>href="http://ziawahewpqs.net&pewubl0oep4l18elkzv6%2Eaeroseddicc%2Ecom/";>
>SRC="cid:lrvnmnh_ywroot_rvdee"; border="0" ALT="">
>
>
>in a sudden nearness of relation, as the daughter of my blood foe,
>andto make a cut at me in
>passing; for this reason it was soon takenand me; and that Miss
>Clarissa would have hardly less satisfactionSIZE=2>
>cuts whistles out of the trees and dances ecstatically to his
>ownWhat can have put such a
>person in your head? inquired my mother.voice failed, and I
>covered my face with my hand, and broke intoSIZE=2>
>way, Do cats eat bats?  Do cats eat bats? and sometimes, DoSIZE=1>Terrace; Mrs. Micawber, the
>children, the Orfling, and myself; andaffection; I ask pardon of
>that lady, in my heart.
>allow himself off the bench to be waylaid by some tender
>kinswomanI do not know that ever
>I heard him speak so straight to
>peoples8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a7s3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5mSIZE=1>
>
>
>
>
>

Just to keep up; aeroseddicc. com is another multitrade group domain.
Note the contact email of "[EMAIL PROTECTED] com" - same as for the domain
multitrade-corp. com, and the telephone/fax numbers match those of the
domain sheenier. net.  And, of course the name servers' domain of
aicstrungcb. biz is multitrade also.  Oh, yes, they also seem to have
control of mail333. com.

With enough pressure, they will run out of registrars, or be forced
to use the Chinese ones.

Paul Shupak
[EMAIL PROTECTED]


Drug SPAM problem..any fixes?

2005-05-14 Thread Dan Simmons
Hi All,

I am having an issue with the following DRUG related spam.  Does
anyone have any rules to catch this?

Environment: SA 3.0.2 with network tests and the following SARE rule sets:
70_sare_adult.cf
70_sare_bayes_poison_nxm.cf
70_sare_evilnum0.cf
70_sare_genlsubj0.cf
70_sare_genlsubj1.cf
70_sare_genlsubj_eng.cf
70_sare_header0.cf
70_sare_header1.cf
70_sare_header_eng.cf
70_sare_html0.cf
70_sare_html1.cf
70_sare_html_eng.cf
70_sare_oem.cf
70_sare_random.cf
70_sare_specific.cf
70_sare_spoof.cf
70_sare_unsub.cf
70_sare_uri0.cf
70_sare_uri1.cf
70_sare_uri_eng.cf
72_sare_bml_post25x.cf
72_sare_redirect_post3.0.0.cf
99_FVGT_Tripwire.cf
99_sare_fraud_post25x.cf
backhair.cf
bigevil.cf
chickenpox.cf
weeds2.cf

Thanks in advance!

DN

Received: from [216.249.40.20] (HELO mx2..xxx)
  by xxx.x.xxx
  with ESMTP id 8426770; Sat, 14 May 2005 13:19:47 -0300
Received: from [85.65.64.105] ([85.65.64.105]:52747 "HELO
85-65-64-105.barak-online.net") by mx2.x.xxx with SMTP
id S69776AbVENQTr (ORCPT  + 12 others);
Sat, 14 May 2005 13:19:47 -0300
X-MID:  <[EMAIL PROTECTED]>
Date:   Sat, 14 May 2005 12:18:01 -0500
Message-Id: <[EMAIL PROTECTED]>
From:   Gregory Hicks <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: dehorn ADVATE
MIME-Version: 1.0
Content-Type: multipart/related;
   boundary="=_Part_26268598_14758651.1312519906417"
X-DK-Sender: [EMAIL PROTECTED]
X-DK-Policy: Inbound, CheckSpam=Yes
X-DK-AttBlock:  No attachments have reject extensions
X-DK-WList: No sender or recipients white-listed
X-SA-Version: 3.0.2 (2004-11-16) on mx2.northrock.bm
X-SA-Score: 0.9
X-SA-SysThreshold: 6.0
0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
0.0 HTML_MESSAGE BODY: HTML included in message

This is a multi-part message in MIME format.

--=_Part_26268598_14758651.1312519906417
Content-Type: multipart/alternative;
boundary="=_Part_24709875_12152681.2407573909984"


--=_Part_24709875_12152681.2407573909984
Content-Type: text/plain;
charset=us-ascii
Content-Transfer-Encoding: 7bit

--=_Part_24709875_12152681.2407573909984
Content-Type: text/html;
 charset=us-ascii
Content-Transfer-Encoding: 7Bit

--=_Part_24709875_12152681.2407573909984--

--=_Part_26268598_14758651.1312519906417
Content-Type: image/gif;
 name="Frccf.GIF"
Content-Transfer-Encoding: base64
Content-ID: 

--=_Part_26268598_14758651.1312519906417--




http://ziawahewpqs.net&pewubl0oep4l18elkzv6%2Eaeroseddicc%2Ecom/";>
cid:lrvnmnh_ywroot_rvdee"; border="0" ALT="">


in a sudden nearness of relation, as the daughter of my blood foe,
andto make a cut at me in
passing; for this reason it was soon takenand me; and that Miss
Clarissa would have hardly less satisfaction
cuts whistles out of the trees and dances ecstatically to his
ownWhat can have put such a
person in your head? inquired my mother.voice failed, and I
covered my face with my hand, and broke into
way, Do cats eat bats?  Do cats eat bats? and sometimes, DoTerrace; Mrs. Micawber, the
children, the Orfling, and myself; andaffection; I ask pardon of
that lady, in my heart.
allow himself off the bench to be waylaid by some tender
kinswomanI do not know that ever
I heard him speak so straight to
peoples8l4d7o2r6u7d8h4j4q6v8w5o8f6k5g6r5v3g9a2j9d2f2s9a9k5c4m3z8q1b4w2t8y9k1a7s3z7k8h3n3q1c6t3c2v5q2i8h4f5o1f9u7t2t8k5o6v6v3i5a8l7t4d1z5t9r2t8i7m7c5m





Re: Bayes Database RW Lock

2005-05-14 Thread Paul R. Ganci
Matt Kettler wrote:

> > bayes_auto_expire 0
>
> With this setting you've got a cronjob running sa-learn --force-expire. Right?

Yes.

> If not, fix that.
>
> > -rw-rw-rw-  1 prganci  users  165988 May 14 10:05 bayes_journal
> > -rw-------  1 pangione users      34 May 14 10:00 bayes.lock
>
> That's a little troubling.. are you having problems with spamd instances
> crashing?

Not to my knowledge, but I will look into it.

> Also note the lock should NEVER be anything but -rw-------. EVER.

Yes, good point.
--
Paul ([EMAIL PROTECTED])


Re: IP whitelist?

2005-05-14 Thread List Mail User
>...
>
>If an incomming email is from a IP listed in IP whitelist, we don't
>need to check it at all.
>The whitelist I mentioned here is a large-scale one. Say Microsoft and
>Yahoo's IPs should be added to IP whitelist since we suppose they
>won't send spams.
>Currently I am maintaining a RBL list, and hopefully the IP whitelist
>will help to reduce false positive.
>
>On 5/13/05, Matt Kettler <[EMAIL PROTECTED]> wrote:
>> Ryan L. Sun wrote:
>> >...
>> > -Ryan
>> >
>> 
>>...
>>
>
>

I assume you are using these as just examples;  Microsoft is very
good, and I haven't seen any spam ever from microsoft.com, and none in over
a year from any MSN/Hotmail servers, but Yahoo still has problems (they have
greatly decreased the flow, but some spam still misses their internal filter
mechanism).  Better still is the gmail you are using yourself - While they
are very commonly used for a maildrop (as is Yahoo!), they seem to never
originate spam.

I think whitelisting all of these companies' domains is safe, but
their IPs can still be abused (well maybe not microsoft.com, unless the
person expects to leave or get fired *and* have legal action brought against
himself, by MS themselves).

Paul Shupak
[EMAIL PROTECTED]


Re: more spam with SpamAssassin version 3.0.2

2005-05-14 Thread Matt Kettler
wolfgang wrote:
> In an older episode (Saturday 14 May 2005 17:53), Matt Kettler wrote:
> 
>>3.0.3 fixes some scoring issues in 3.0.2 and a few important
>>bugs that 3.0.2 suffers from in terms of accuracy (mostly URI parsing for 
>>URIBLs). 
> 
> 
> after installing debian's SA 3.0.3 yesterday, I noticed that it lacks the 
> patches mentioned on

Thanks for the heads up on that one wolfgang.

Distro ports are such a mixed blessing. They're really good in that they
maintain consistency with the default OS paths for things, keep the package
dependency trees sane, etc. But they're also a bit evil because package
maintainers, being merely human, inevitably screw up sometimes.

Things like missing init.pre, putting the default.cf files in
/etc/mail/spamassassin instead of /usr/share, mixing up files from different
versions, are all mistakes that have been seen in different ports on this list.

It's a good thing you keep an eye on your distro packages. That really helps
mitigate the drawbacks of ports while taking advantage of their benefits.


Re: Bayes Database RW Lock

2005-05-14 Thread Matt Kettler
Paul R. Ganci wrote:
> I am at my wits end regarding this issue. I am getting very frequent:
> 
> May 14 09:58:05 citlatepetl spamd[5125]: Cannot open bayes databases
> /home/spam-filter/etc/mail/spamassassin/bayes_* R/W: lock failed: File
> exists
> 
This is very common, and is not a problem UNLESS your autolearner never kicks
in. (ie: autolearning always fails)

Basically all it means is two SA processes tried to update the bayes DB at the
same time. If two messages come in at the same time and both get autolearned,
the second one will fail to lock the bayes DB and generate the above message.

Now, if a SA instance crashes and leaves a lockfile laying about, this can be a
problem. From then on, all SA learning will fail until the lock gets removed.


> bayes_auto_expire 0 

With this setting you've got a cronjob running sa-learn --force-expire. Right?
If not, fix that.

> -rw-rw-rw-    1 prganci  users      165988 May 14 10:05 bayes_journal
> -rw-------    1 pangione users          34 May 14 10:00 bayes.lock

That's a little troubling.. are you having problems with spamd instances
crashing? The lock is at least 5 minutes old here.. that's a long time unless an
expiry is being run.

However, I'd not worry too much yet, but I would check on it. If the lockfile
gets to be really old (1hr) then I'd worry.

> Please note that I always start off with bayes.lock with -rw-rw-rw- so it is 
> spamd/spamc which is changing the owner/protection on the lock file.  The 
> /etc/procmailrc file looks like: 

Please note you shouldn't start off with a bayes.lock at all. That file should
only ever be created by spamassassin, and should only exist while bayes
manipulation is in progress.

Also note the lock should NEVER be anything but -rw-------. EVER.

If it's -rw-rw-rw- the whole purpose of the file is defeated.



Re: more spam with SpamAssassin version 3.0.2

2005-05-14 Thread wolfgang
In an older episode (Saturday 14 May 2005 17:53), Matt Kettler wrote:
> 3.0.3 fixes some scoring issues in 3.0.2 and a few important
> bugs that 3.0.2 suffers from in terms of accuracy (mostly URI parsing for 
> URIBLs). 

after installing debian's SA 3.0.3 yesterday, I noticed that it lacks the 
patches mentioned on

http://bugzilla.spamassassin.org/show_bug.cgi?id=4111
http://bugzilla.spamassassin.org/show_bug.cgi?id=4298

also, I suggest to add

urirhssub URIBL_JP_SURBL  multi.surbl.org.A   64
body  URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe  URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
tflagsURIBL_JP_SURBL  net
score URIBL_JP_SURBL3.0

and

urirhssub   URIBL_BLACK  multi.uribl.com.A   2
bodyURIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describeURIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags  URIBL_BLACK  net
score   URIBL_BLACK  1.0

to you config.

regards,

wolfgang
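
The two urirhssub lines above work by ANDing a numeric mask against the DNS answer, since multi.surbl.org and multi.uribl.com pack membership in several sub-lists into the last octet of one 127.0.0.x A record. The following is an added example (not SpamAssassin's code and not wolfgang's) that decodes such answers offline; it assumes the mask applies to the last octet, uses a crude two-label domain reduction instead of SpamAssassin's real suffix table, and the DNS answers in FAKE_DNS are constructed for the example.

```python
"""Decode urirhssub bitmask answers offline (added example, not SpamAssassin code).

Assumption: for a urirhssub rule with a numeric mask, the mask is ANDed against
the last octet of the 127.0.0.x answer, which is how multi.surbl.org and
multi.uribl.com encode membership in several sub-lists in one A record.
"""
import re
import ipaddress

# The two urirhssub rules from the post: rule -> (zone, rrtype, mask, score)
URIRHSSUB_RULES = {
    "URIBL_JP_SURBL": ("multi.surbl.org", "A", 64, 3.0),
    "URIBL_BLACK":    ("multi.uribl.com", "A", 2, 1.0),
}

# Constructed DNS answers (not real lookups), keyed by the name that would be queried.
FAKE_DNS = {
    "listed.example.multi.surbl.org": ["127.0.0.126"],  # bits 2..64 set: on every sub-list incl. JP
    "listed.example.multi.uribl.com": ["127.0.0.2"],    # bit 2: URIBL black
    "phish.example.multi.surbl.org":  ["127.0.0.8"],    # bit 8 only: not in JP, so no URIBL_JP_SURBL hit
}

_HOST_RE = re.compile(r"https?://([^/:\s]+)", re.I)


def registrable_domain(host):
    """Crude two-label reduction (assumption: good enough here; SA uses a real suffix table)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup(name, dns=FAKE_DNS):
    """Stand-in for a DNS A lookup against the constructed answer table."""
    return dns.get(name, [])


def rules_hit_for_domain(domain, dns=FAKE_DNS, rules=URIRHSSUB_RULES):
    """Return the urirhssub rules whose mask matches the answer for <domain>.<zone>."""
    hits = []
    for rule, (zone, rrtype, mask, _score) in rules.items():
        if rrtype != "A":
            continue
        for ip in lookup(f"{domain}.{zone}", dns):
            last_octet = int(ipaddress.IPv4Address(ip)) & 0xFF
            if last_octet & mask:       # bitmask test on the last octet
                hits.append(rule)
                break
    return sorted(hits)


def score_message(body, dns=FAKE_DNS, rules=URIRHSSUB_RULES):
    """Extract URLs from a body, look up each domain, return (rules hit, summed score)."""
    hits = set()
    for host in _HOST_RE.findall(body):
        hits.update(rules_hit_for_domain(registrable_domain(host), dns, rules))
    total = sum(rules[r][3] for r in hits)
    return sorted(hits), total


if __name__ == "__main__":
    print(score_message("Buy now at http://www.listed.example/offer and http://phish.example/x"))
```

With the answers above, a body linking to www.listed.example hits both rules for 4.0 points, while phish.example (bit 8 only) hits neither, which is exactly the sub-list selection the mask on each urirhssub line performs.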


Bayes Database RW Lock

2005-05-14 Thread Paul R. Ganci
I am at my wits end regarding this issue. I am getting very frequent:
May 14 09:58:05 citlatepetl spamd[5125]: Cannot open bayes databases 
/home/spam-filter/etc/mail/spamassassin/bayes_* R/W: lock failed: File 
exists

messages. From what I have googled I have done just about everything I 
could find regarding this issue. As I have a site wide Bayes database I 
have the following lines in my /etc/mail/spamassassin/local.cf:

bayes_auto_expire 0
bayes_learn_to_journal 1
bayes_file_mode 0777
I have limited the number of spamd instances via:
   daemon /home/spam-filter/bin/spamd -d -c -m 5 
--max-conn-per-child=10 -p 783 -H /home/spam-filter/razor --user-config 
--virtual-config-dir=/home/sites/%d/users/%u

The host server is RaQ550 with 2GB SDRAM so memory shouldn't be an 
issue.  The directory protections for the database are:

[root etc]# ls -alt /home/spam-filter/etc/mail
total 4
drwxrwxrwx    2 root     root         4096 May 14 10:04 spamassassin
The file protections are:
-rw-rw-rw-    1 prganci  users      165988 May 14 10:05 bayes_journal
-rw-------    1 pangione users          34 May 14 10:00 bayes.lock
-rw-rw-rw-    1 hubbard  users      136548 May 14 09:58 bayes_journal.old
-rw-rw-rw-    1 root     root      5279744 May 14 09:38 bayes_toks
-rw-rw-rw-    1 root     root      5226496 May  9 20:23 bayes_seen
Please note that I always start off with bayes.lock with -rw-rw-rw- so 
it is spamd/spamc which is changing the owner/protection on the lock 
file.  The /etc/procmailrc file looks like:

DROPPRIVS=yes
SHELL=/bin/sh
#LOGFILE=/var/log/procmail.log
#VERBOSE=on
TIMEOUT=60
:0fw:
* < 20
|/home/spam-filter/bin/spamc -p 783 -u $1 -t 120
#
# Drop high scoring spam into bit bucket.
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*
/home/sites/magnoliaroad.net/users/definitespam/mail/saved-messages
# Work around procmail bug: any output on stderr will cause the "F" in "From"
# to be dropped.  This will re-add it.
# NOTE: This is probably NOT needed in recent versions of procmail
:0
* ^^rom[ ]
{
 LOG="*** Dropped F off From_ header! Fixing up. "

 :0 fhw
 | sed -e '1s/^/F/'
}
Does anybody have any idea how I cure this problem? About the only thing 
I haven't attempted is moving from a global Bayes db to a local user 
Bayes db.

Thank you for any suggestions you might have.
--
Paul ([EMAIL PROTECTED])
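
Matt's reply above gives the two things worth checking on a bayes.lock: it should be owner-only (-rw-------), and it should not be old, because a lock left behind by a crashed spamd blocks all learning until it is removed. The script below is an added example (not SpamAssassin's own code and not Paul's) that performs exactly those checks; it assumes a one-hour staleness threshold and the 0600 expected mode, and its demo() builds a constructed world-writable, two-hour-old lock in a temporary directory rather than touching a real Bayes directory.

```python
"""Sanity-check a SpamAssassin bayes.lock file (added example, not SA's own code).

Assumptions (not stated on the list): the lock path is passed in explicitly,
a lock older than one hour is treated as stale, and the expected mode is 0600.
"""
import os
import stat
import tempfile
import time
from pathlib import Path

STALE_AFTER_SECONDS = 3600     # "if the lockfile gets to be really old (1hr) then I'd worry"
EXPECTED_MODE = 0o600          # the lock should never be anything but -rw-------


def classify_lock(mode, age_seconds, stale_after=STALE_AFTER_SECONDS):
    """Pure check on a lock's permission bits and age; returns a list of findings.

    An empty list means the lock looks like a normal, in-progress Bayes update.
    """
    findings = []
    perm = stat.S_IMODE(mode)
    if perm != EXPECTED_MODE:
        findings.append("mode %04o, expected %04o" % (perm, EXPECTED_MODE))
    if age_seconds > stale_after:
        findings.append("lock is %d s old, probably left behind by a crashed process" % age_seconds)
    return findings


def check_bayes_lock(bayes_dir, now=None):
    """Stat <bayes_dir>/bayes.lock and classify it. A missing lock yields no findings."""
    lock = Path(bayes_dir) / "bayes.lock"
    if not lock.exists():
        return []                      # normal: no Bayes update in progress
    st = lock.stat()
    now = time.time() if now is None else now
    return classify_lock(st.st_mode, now - st.st_mtime)


def demo():
    """Construct a world-writable, two-hour-old bayes.lock in a temp dir and check it."""
    with tempfile.TemporaryDirectory() as d:
        lock = Path(d) / "bayes.lock"
        lock.write_text("constructed lock contents\n")   # constructed, not SA's real lock format
        os.chmod(lock, 0o666)                            # the -rw-rw-rw- mistake from the post
        old = time.time() - 2 * 3600
        os.utime(lock, (old, old))                       # make it two hours old
        return check_bayes_lock(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run from cron against the real Bayes directory, check_bayes_lock() returning a non-empty list is the signal to look for crashed spamd children before reaching for rm; the pure classify_lock() is separated out so the policy can be tested without a filesystem.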


Re: more spam with SpamAssassin version 3.0.2

2005-05-14 Thread Matt Kettler
Valery V. Bobrov wrote:
> Hello!
> 
> I upgraded to SpamAssassin version 3.0.2 from 2.64 and I noticed the amount
> of  spam messages has been  increased!
> 
> 
> What sort of problem?
> 
> Yours faithfully,
> Valery
> 

Others have given a lot of good things to check for. However, one more thing to
check for.

Check to see if any of your spam is matching the rule named ALL_TRUSTED. If it
is, you must manually declare a trusted_networks because the auto-detection
algorithm is getting confused.

See:
http://wiki.apache.org/spamassassin/TrustPath

(Note: The trust path problem exists in SA 2.6x as well, it's just less
noticeable. Usually in 2.6x the only side effect is FPs on dialup RBLs like
SORBS_DUL.)


Also, I'd consider grabbing the bayes rule scores from SA 3.0.3, or just upgrade
to 3.0.3 outright. 3.0.3 fixes some scoring issues in 3.0.2 and a few important
bugs that 3.0.2 suffers from in terms of accuracy (mostly URI parsing for 
URIBLs).

If you're reluctant to go to 3.0.3, the adjusted scores from 3.0.3's
50_scores.cf are as follows:

 score BAYES_60 0 0 3.515 1.0
 score BAYES_80 0 0 3.608 2.0
 score BAYES_95 0 0 3.514 3.0
 score BAYES_99 0 0 4.070 3.5
 score SPF_FAIL 0 0.001 0 0.875

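The four numbers on each score line above are not arbitrary: SpamAssassin documents them as score sets 0 to 3 (Bayes off/network off, Bayes off/network on, Bayes on/network off, Bayes on/network on), and a line with a single number applies to all four sets. As an added example (not SpamAssassin's code and not Matt's), the parser below reads the quoted 3.0.3 lines plus one constructed single-score line, EXAMPLE_SINGLE, and picks the column that a given installation would actually use, which is what decides whether "grabbing the bayes rule scores" changes anything for you.

```python
"""Pick the right column of a four-score 'score' line (added example, not SA code).

SpamAssassin's documented rule: with four scores the columns are score set 0
(Bayes off, network off), 1 (Bayes off, network on), 2 (Bayes on, network off)
and 3 (Bayes on, network on). A single score applies to all four sets.
"""
import re

# The 3.0.3 adjustments quoted in the post, plus one constructed single-score line.
SCORE_TEXT = """
 score BAYES_60 0 0 3.515 1.0
 score BAYES_80 0 0 3.608 2.0
 score BAYES_95 0 0 3.514 3.0
 score BAYES_99 0 0 4.070 3.5
 score SPF_FAIL 0 0.001 0 0.875
 score EXAMPLE_SINGLE 2.5
"""

_SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*$")


def parse_scores(text):
    """Return {rule: [set0, set1, set2, set3]} from 'score RULE ...' lines."""
    scores = {}
    for line in text.splitlines():
        m = _SCORE_RE.match(line)
        if not m:
            continue                    # blank line, comment or some other directive
        rule, rest = m.group(1), m.group(2)
        values = [float(v) for v in rest.split()]
        if len(values) == 1:
            values = values * 4         # one score: same value in every score set
        if len(values) != 4:
            raise ValueError(f"{rule}: expected 1 or 4 scores, got {len(values)}")
        scores[rule] = values           # later lines override earlier ones, like local.cf over 50_scores.cf
    return scores


def score_set(bayes_enabled, network_enabled):
    """Map the installation's capabilities to SpamAssassin's score-set index 0..3."""
    return (2 if bayes_enabled else 0) + (1 if network_enabled else 0)


def effective_score(scores, rule, bayes_enabled, network_enabled):
    return scores[rule][score_set(bayes_enabled, network_enabled)]


def total_score(scores, hit_rules, bayes_enabled, network_enabled):
    """Sum the effective scores of the rules that hit, rounded the way SA reports them."""
    return round(sum(effective_score(scores, r, bayes_enabled, network_enabled)
                     for r in hit_rules), 3)


if __name__ == "__main__":
    s = parse_scores(SCORE_TEXT)
    for bayes, net in [(False, False), (False, True), (True, False), (True, True)]:
        print(bayes, net, total_score(s, ["BAYES_99", "SPF_FAIL"], bayes, net))
```

The point the table makes explicit: a site running Bayes without network tests (set 2) sees BAYES_99 at 4.070, while one with both enabled (set 3) sees only 3.5, so the same message scores differently depending on which features are on, and a missing Net::DNS silently moves you to a lower-scoring column.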


Re: more spam with SpamAssassin version 3.0.2

2005-05-14 Thread Valery V.Bobrov
Thank you for your help
I mean:
> - more undetected spam messages?
>
> do you mean that 3.0.2 detects fewer spam messages than 2.6.4?
Yes
And what should I do with this version?
> if you want help with a spamassassin problem, i think you need to be more
> precise ...
Yes, right you are.
Best regards,
Valery

> regards,
> wolfgang



pyzor_options

2005-05-14 Thread Christoph Petersen
Hi,

I'm trying to get the following command to work:
pyzor_options --homedir=/var/qmail/vpopmail/.spamassassin in local.cf.

But every time I run spamassassin --lint -D I get the following error:

config: SpamAssassin failed to parse line,
--homedir=/var/qmail/vpopmail/.spamassassin" is not valid for
"pyzor_options", skipping: pyzor_options
--homedir=/var/qmail/vpopmail/.spamassassin

What could I do to fix this problem?

Greets
Christoph




Re: more spam with SpamAssassin version 3.0.2

2005-05-14 Thread wolfgang
In an older episode (Saturday 14 May 2005 14:35), Valery V. Bobrov wrote:

> I upgraded to SpamAssassin version 3.0.2 from 2.64 and I noticed the amount
> of  spam messages has been  increased!

do you mean there are
- more detected spam messages?
- more undetected spam messages?
- more of both?

do you mean that 3.0.2 detects fewer spam messages than 2.6.4?

if you want help with a spamassassin problem, i think you need to be more 
precise ...

regards,

wolfgang


Re: more spam with SpamAssassin version 3.0.2

2005-05-14 Thread nigel
I don't think 3.0.2 is worse, just that there's more spam around
lately. If I take my own stats, SA is catching a slightly higher
percentage of spam in the last month to 6 weeks. The RBLs I use
frontline are catching more too.

From January 05 to March 05 spam accounted for around 60% of all email
in. Between March and now that has risen to a shade over 65%.

I do notice some stuff gets through SA, but I figure spammers can play
with SA as easily as the rest of us, and consequently can find ways to
get round it. Fortunately, not many seem that determined.

HTH

Nigel

On Sat, 14 May 2005 16:35:37 +0400, "Valery V. Bobrov" <[EMAIL PROTECTED]>
wrote:

>Hello!
>
>I upgraded to SpamAssassin version 3.0.2 from 2.64 and I noticed the amount
>of  spam messages has been  increased!
>
>
>What sort of problem?
>
>Yours faithfully,
>Valery
>



RE: more spam with SpamAssassin version 3.0.2

2005-05-14 Thread martin smith
M>-Original Message-
M>From: Valery V. Bobrov [mailto:[EMAIL PROTECTED] 
M>Sent: 14 May 2005 13:36
M>To: users@spamassassin.apache.org
M>Subject: more spam with SpamAssassin version 3.0.2
M>
M>Hello!
M>
M>I upgraded to SpamAssassin version 3.0.2 from 2.64 and I 
M>noticed the amount of  spam messages has been  increased!
M>
M>
M>What sort of problem?
M>
M>Yours faithfully,
M>Valery

Look at the INSTALL file to find the system requirements such as perl,
Net::DNS and other module versions, then do a spamassassin --lint -D; it
will tell you more details about what is failing. Chances are it's not doing
network tests because of Net::DNS, which will lower the spam score
significantly.

Martin



more spam with SpamAssassin version 3.0.2

2005-05-14 Thread Valery V. Bobrov
Hello!

I upgraded to SpamAssassin version 3.0.2 from 2.64 and I noticed the amount
of spam messages has increased!


What sort of problem?

Yours faithfully,
Valery