Re: SA + PostFix + Virtual final question for a while
> I don't expect I'll get a reply quick enough to help. It's been strongly suggested that I switch our mail server over to ANYTHING other than what we have before the weekend is out. I've been bouncing around the web and digging through documentation trying to figure out how to do SA + virus scanning in a virtual domain SQL environment with per-user prefs working.

Hi, now that it is certainly too late :(

I am running qmail in a setup where incoming mail is just checked for viruses (qmail-scanner) and then delivered to a cyrus mailstore. The shell script called for delivery invokes SA and knows about the recipient, so it can pick up user preferences from a SQL database. I had to develop a solution for the user name != system account problem, but the latest cyrus release supports virtual hosting, and the mail accounts will be named [EMAIL PROTECTED]. It is also up to the shell script to handle express delivery (/dev/null) or similar things.

As an observation: the majority of users do NOT use the imap access, only pop3. I once tried to convince an outlook user to switch, but his reaction was: it looks all different; can't I have it the same way as before?

Wolfgang Hamann
Re: Re: Evading URI checks
Hi!

> Go Here to Order Online: RxRealness.com
>
> How would one go about adding checks for the omission of http:// ? Only things that hit were: bayes, base64 raw and drugs_erctile, by the way.
>
> May be too resource intensive to check for every possible domain that doesn't have a URI method. Does this give spammers a way to advertise their domains without detection? Sure it does, but it also means they can't use clickable links, which may decrease their response rates.

X-Prolocation-MailScanner-SpamCheck: spam, SpamAssassin (score=11.019, required 5, BAYES_00 -2.60, URIBL_AB_SURBL 0.42, URIBL_JP_SURBL 4.26, URIBL_OB_SURBL 3.21, URIBL_SBL 4.26, URIBL_WS_SURBL 1.46)

Uhm, running the latest CVS version of SA, and it does tackle them.

Bye, Raymond.
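The question above is how a filter can pick up a domain that is written without any URI scheme (here "RxRealness.com") so that it can still be fed to a URI blocklist. The following is an added example, not code from the original thread or from SpamAssassin: it scans a body for dotted tokens, keeps only those whose last label is in a small suffix list (which is what keeps the scan cheap, rather than treating every dotted token as a candidate), reduces them to the registered domain, and checks them against a constructed stand-in for a URIBL. The sample body, the suffix set and the blocklist are all constructed for the example; a real check would be a DNS lookup against the list.

```python
import re

# Constructed sample body (not from the original message): a domain named
# without any URI scheme, one http:// link, an e-mail address and a version
# number, so the extractor has both hits and near-misses to deal with.
SAMPLE_BODY = """Hi!
Go Here to Order Online: RxRealness.com
See also http://www.example.org/page and mail me at someone@example.net.
Version 2.0.1 is out; this.is.not a domain.
"""

# Small constructed set of public suffixes. A real filter carries a much longer
# list; the point is that a closed suffix set keeps the scan cheap, where
# treating every dotted token as a possible domain would not be.
KNOWN_TLDS = {"com", "net", "org", "de", "nl", "biz", "info"}

# Constructed stand-in for a URI blocklist (SURBL/URIBL style), keyed by the
# registered domain.  A real check would be a DNS lookup against the list.
CONSTRUCTED_URIBL = {"rxrealness.com"}

# Dotted host-like token.  The look-behind refuses a match that continues a
# word, a dotted name, or the local part of an e-mail address ('@'); the
# look-ahead refuses one that continues into more name characters.
HOST_RE = re.compile(r"(?<![\w.@-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def extract_domains(body):
    """Return the registered domains (lowercased) named in body, whether or not
    they were written with a scheme such as http://."""
    found = set()
    for match in HOST_RE.finditer(body):
        labels = match.group(1).lower().split(".")
        if labels[-1] not in KNOWN_TLDS:
            continue          # "this.is.not": not a real suffix, skip it
        found.add(".".join(labels[-2:]))
    return found


def check_uribl(domains, blocklist=CONSTRUCTED_URIBL):
    """Return, sorted, the extracted domains that appear on the blocklist."""
    return sorted(d for d in domains if d in blocklist)


if __name__ == "__main__":
    domains = extract_domains(SAMPLE_BODY)
    print("domains found:", sorted(domains))
    print("listed:", check_uribl(domains))
```

On the constructed body this finds `rxrealness.com` and `example.org`, skips the e-mail address domain and the version number, and reports only `rxrealness.com` as listed. The trade-off the post mentions is visible in `KNOWN_TLDS`: the longer the suffix list, the more schemeless mentions are caught, and the more tokens have to be looked up.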
Re: Bombarded by German political spam
Hi!

> Tonight our site is being bombarded by German political spam or Joe-jobbed bounce fall-out. So far it appears to all be coming from trojaned PCs. Other than the specific URLs in the messages haven't found any easily identified parts to create rules for. Anybody else seeing this?

Actually it was to be expected. Remember the same German political spams one year ago? The European voting is coming up, so I guess they do it again now.

Anyone has a full list of subjects yet, time to do some SA magic... ;)

Bye, Raymond.
Re: Bombarded by German political spam
> Anyone has a full list of subjects yet, time to do some SA magic... ;)

I only have one, and you might be better off looking for the urls than the subject:

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass

Lese selbst: http://www.npd.de/npd_info/deutschland/2005/d0405-13.html
Neue Dokumente: http://www.rp-online.de/public/article/nachrichten/politik/deutschland/87647
Botschafter in Kiew beschwerte sich noch 2004: http://www.rp-online.de/public/article/nachrichten/politik/deutschland/85735
Traumziel Deutschland: http://www.berlinonline.de/berliner-zeitung/archiv/.bin/dump.fcgi/2004/1221/politik/0009/index.html
Kanzler erleichtert Visaverfahren für Golfstaaten: http://www.spiegel.de/spiegel/vorab/0,1518,349262,00.html
Ohne Deutsch nach Deutschland: http://www.aufenthaltstitel.de/zuwg/0618.html
Vorbildliche Aktion: http://www.npd.de/npd_info/deutschland/2004/d1204-24.html
Re: Bombarded by German political spam
> > Anyone has a full list of subjects yet, time to do some SA magic... ;)
>
> I only have one, and you might be better off looking for the urls than the subject:
>
> Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
>
> Lese selbst: http://www.npd.de/npd_info/deutschland/2005/d0405-13.html

npd.de is a Nazi political party

> Kanzler erleichtert Visaverfahren für Golfstaaten: http://www.spiegel.de/spiegel/vorab/0,1518,349262,00.html

spiegel.de is a reputable news magazine

It would be quite unfair to block mails because of a spiegel reference

Wolfgang Hamann
Re: Bombarded by German political spam
> I only have one, and you might be better off looking for the urls than the subject:

Ok, now I have two. Both from the same machine as it happens, although this time it claims it is an AOL mail server. Last time it was something else. Yeah, right.

Subject: Paranoider Deutschenmoerder kommt in Psychiatrie

Lese selbst: http://brandenburg.rz.fhtw-berlin.de/poetschke.html
Re: Bombarded by German political spam
In an older episode (Sunday 15 May 2005 10:47), Raymond Dijkxhoorn wrote:
> Anyone has a full list of subjects yet, time to do some SA magic... ;)

I have quite a few, here is the subjects list:

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: Tuerkei in die EU
Subject: Verbrechen der deutschen Frau

regards, wolfgang
Re: Bombarded by German political spam
In an older episode (Sunday 15 May 2005 11:55), wolfgang wrote: oops, this one: Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA is not part of them ;) regards, wolfgang
RE: Bombarded by German political spam
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 15 May 2005 10:46
> To: users@spamassassin.apache.org
> Cc: Loren Wilton
> Subject: Re: Bombarded by German political spam
>
> npd.de is Nazi political party
>
> Kanzler erleichtert Visaverfahren für Golfstaaten:
> http://www.spiegel.de/spiegel/vorab/0,1518,349262,00.html
>
> spiegel.de is reputable news magazine
>
> It would be quite unfair to block mails because of a spiegel reference
>
> Wolfgang Hamann

Well, that depends on whether you normally get mails with german websites referenced in the emails. Mine's just a personal email server, so I have put in a rule to catch deutchland in the URL; if they carry on I may just put one in for .de. Only 2 made it past spamassassin, but all were under the 15 score I need to /dev/null them.
RE: Amusement value
What an interesting spam! Which suggests a novel test: search for more than one 'From' or 'Subject' header in an email. But how can I do this in SA? I know how to search the contents of the From or Subject headers which SA makes available to me. But is it possible to write regexps to search the entire header section of an email? A sort of headers-as_string method?

Martin

From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Sun 15/05/2005 00:41
To: SpamAssassin Mailing List
Subject: Amusement value

Gee, I wonder what the subject could be? Following is an actual spam header I just got:

Return-Path: [EMAIL PROTECTED]
Status: U
Received: from smtp.earthlink.net [209.86.93.211] by localhost with POP3 (fetchmail-6.2.5)
Received: from m6.stockmacro.com ([66.250.17.88]) by tanager.mail.pas.earthlink.net (EarthLink SMTP Server) with ESMTP id 1dx62wuG3NZFmQ0
Received: from localhost (localhost.localdomain [127.0.0.1]) by m6.stockmacro.com (Postfix) with SMTP id 7AD823EE65161
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Cadenced: divulge braided pontific midas kickoff daughterly unprotected porcelain lovejoy resolve derive floored malayize antibacterial designers allow beaverton
Content-Type: multipart/alternative; boundary==_3f35d615795e6eb759ba2e4fb2d6f144
MIME-Version: 1.0
X-M-a8e4: 1090:bHdpbHRvbkBlYXJ0aGxpbmsubmV0:wwztwulguvmq
Subject: Looking for Quality Christian Singles?
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Meet serious Christian Singles, just like you
From: Christian Dating [EMAIL PROTECTED]
Subject: Looking for Quality Christian Singles?
From: Christian Dating [EMAIL PROTECTED]
Subject: Meet serious Christian Singles, just like you
From: Christian Dating [EMAIL PROTECTED]
Subject: Looking for Quality Christian Singles?
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Looking for Quality Christian Singles?
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Meet serious Christian Singles, just like you
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Christian Dating [EMAIL PROTECTED]
Subject: Meet serious Christian Singles, just like you
From: Christian Dating [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Looking for Quality Christian Singles?
From: Where Christians Meet [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Date: Sat, 14 May 2005 17:20:22 -0700 (PDT)
X-ELNK-AV: 0

__
This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email
__
Re: Bombarded by German political spam
On 5/15/05, David B Funk [EMAIL PROTECTED] wrote:
> Tonight our site is being bombarded by German political spam or Joe-jobbed bounce fall-out. So far it appears to all be coming from trojaned PCs. Other than the specific URLs in the messages havn't found any easily identified parts to create rules for. anybody else seeing this?

Yes, we have already received six messages.

Subjects:
Gegen das Vergessen
Graeberschaendung auf bundesdeutsche Anordnung
Multi-Kulturell = Multi-Kriminell
The Whore Lived Like a German
Verbrechen der deutschen Frau
Volk wird nur zum zahlen gebraucht!

URLs inside:
http://www.die-kommenden.net/dk/zeitgeschichte/graeberschaendung.htm
http://www.npd.de/npd_info/meldungen/2005/m0105-19.html
http://service.spiegel.de/cache/international/0,1518,344374,00.html
http://www.jn-bw.de/texte/zeitgeschichte/verbrechen_der_frau.htm
http://www.my-rocknord.de/viewtopic.php?t=1018sid=3ce6385b1dee88cb02447f566a2da68d

Regards, Roman
Re: Bombarded by German political spam
Hi!

> > Anyone has a full list of subjects yet, time to do some SA magic... ;)
>
> I have quite a few, here is the subjects list:
>
> Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
> Subject: Auf Streife durch den Berliner Wedding
> Subject: Auslaender bevorzugt
> Subject: Auslaenderpolitik
> Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
> Subject: Deutsche werden kuenftig beim Arzt abgezockt
> Subject: Du wirst zum Sklaven gemacht!!!
> Subject: Graeberschaendung auf bundesdeutsche Anordnung
> Subject: Hier sind wir Lehrer die einzigen Auslaender
> Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
> Subject: Tuerkei in die EU
> Subject: Verbrechen der deutschen Frau

Two more:

Subject: Vorbildliche Aktion
Subject: 60 Jahre Befreiung: Wer feiert mit?

anyone care to make a small ruleset to score them up?

Bye, Raymond.
Re: Bombarded by German political spam
In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
> Hi!
>
> > > Anyone has a full list of subjects yet, time to do some SA magic... ;)
> >
> > I have quite a few, here is the subjects list:
> >
> > Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
> > Subject: Auf Streife durch den Berliner Wedding
> > Subject: Auslaender bevorzugt
> > Subject: Auslaenderpolitik
> > Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
> > Subject: Deutsche werden kuenftig beim Arzt abgezockt
> > Subject: Du wirst zum Sklaven gemacht!!!
> > Subject: Graeberschaendung auf bundesdeutsche Anordnung
> > Subject: Hier sind wir Lehrer die einzigen Auslaender
> > Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
> > Subject: Tuerkei in die EU
> > Subject: Verbrechen der deutschen Frau
>
> Two more:
>
> Subject: Vorbildliche Aktion
> Subject: 60 Jahre Befreiung: Wer feiert mit?

one more:

Subject: Augen auf

I noticed that the WS URIBL does by now recognize various of the URIs in those mails, and a rule like

# whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A 5
body URIBL_RFCI_WHOIS eval:check_uridnsbl('URIBL_RFCI_WHOIS')
describe URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
tflags URIBL_RFCI_WHOIS net

also works well here:

1.0 URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
    [URIs: pro-koeln-online.de jungefreiheit.de]
    [g-d-f.de bewaeltigen.de kopfmord.de]
    [buergerbewegungen.de wk-institut.de]
    [das-gibts-doch-nicht.de un-nachrichten.de]
    [rocknord.de]

regards, wolfgang
Re: Bombarded by German political spam
Hi!

> I have quite a few, here is the subjects list:
>
> Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
> Subject: Auf Streife durch den Berliner Wedding
> Subject: Auslaender bevorzugt
> Subject: Auslaenderpolitik

cut

This is the complete list so far:

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: Tuerkei in die EU
Subject: Verbrechen der deutschen Frau
Subject: Vorbildliche Aktion
Subject: 60 Jahre Befreiung: Wer feiert mit?
Subject: Multi-Kulturell = Multi-Kriminell
Subject: Turkish Tabloid Enrages Germany with Nazi Comparisons
Subject: Blutige Selbstjustiz
Subject: Dresden 1945
Subject: Du wirst ausspioniert !
Subject: Armenian Genocide Plagues Ankara 90 Years On
Subject: Augen auf
Subject: Trotz Stellenabbau
Subject: Volk wird nur zum zahlen gebraucht!
Subject: Transparenz ist das Mindeste
Subject: The Whore Lived Like a German
Subject: Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
Subject: Schily ueber Deutschland
Subject: Deutsche Buerger trauen sich nicht ...
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: S.O.S. Kiez! Polizei schlaegt Alarm

Bye, Raymond
Re: Bombarded by German political spam
wolfgang wrote:
> In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
> > Hi!
> >
> > > > Anyone has a full list of subjects yet, time to do some SA magic... ;)
> > >
> > > I have quite a few, here is the subjects list:
> > >
> > > Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
> > > Subject: Auf Streife durch den Berliner Wedding
> > > Subject: Auslaender bevorzugt
> > > Subject: Auslaenderpolitik
> > > Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
> > > Subject: Deutsche werden kuenftig beim Arzt abgezockt
> > > Subject: Du wirst zum Sklaven gemacht!!!
> > > Subject: Graeberschaendung auf bundesdeutsche Anordnung
> > > Subject: Hier sind wir Lehrer die einzigen Auslaender
> > > Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
> > > Subject: Tuerkei in die EU
> > > Subject: Verbrechen der deutschen Frau
> >
> > Two more:
> >
> > Subject: Vorbildliche Aktion
> > Subject: 60 Jahre Befreiung: Wer feiert mit?
>
> one more:
>
> Subject: Augen auf
>
> I noticed that the WS URIBL does by now recognize various of the URIs in those mails, and a rule like
>
> # whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
> urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A 5
> body URIBL_RFCI_WHOIS eval:check_uridnsbl('URIBL_RFCI_WHOIS')
> describe URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
> tflags URIBL_RFCI_WHOIS net
>
> also works well here:
>
> 1.0 URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
>     [URIs: pro-koeln-online.de jungefreiheit.de]
>     [g-d-f.de bewaeltigen.de kopfmord.de]
>     [buergerbewegungen.de wk-institut.de]
>     [das-gibts-doch-nicht.de un-nachrichten.de]
>     [rocknord.de]

And may cause LOTS of false positives as well:

Sun 2005-05-15 13:42:18: * 1.0 URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
Sun 2005-05-15 13:42:18: *      [URIs: spiegel.de npd.de taz.de]
FP: spiegel.de taz.de

Sun 2005-05-15 13:42:44: * 1.0 URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
Sun 2005-05-15 13:42:44: *      [URIs: libasoli.de zdf.de]
FP: zdf.de

h2h Alex
Re: Bombarded by German political spam
Raymond Dijkxhoorn wrote: [...] This is the complete list so far: [...] Subject: Multi-Kulturell = Multi-Kriminell -- CU, Patrick.
Re: Bombarded by German political spam
In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
> Hi!
>
> > > Anyone has a full list of subjects yet, time to do some SA magic... ;)
> >
> > I have quite a few, here is the subjects list:
> >
> > Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
> > Subject: Auf Streife durch den Berliner Wedding
> > Subject: Auslaender bevorzugt
> > Subject: Auslaenderpolitik
> > Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
> > Subject: Deutsche werden kuenftig beim Arzt abgezockt
> > Subject: Du wirst zum Sklaven gemacht!!!
> > Subject: Graeberschaendung auf bundesdeutsche Anordnung
> > Subject: Hier sind wir Lehrer die einzigen Auslaender
> > Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
> > Subject: Tuerkei in die EU
> > Subject: Verbrechen der deutschen Frau
>
> Two more:
>
> Subject: Vorbildliche Aktion
> Subject: 60 Jahre Befreiung: Wer feiert mit?
>
> anyone care to make a small ruleset to score them up?

someone posted one at http://www.file-upload.net/15.05.05/5_x4st.cf

it uses a score of 8 and /i - anyway, it might save you some effort ;)

cheers, wolfgang
Re: Bombarded by German political spam
Hi!

> > Subject: Vorbildliche Aktion
> > Subject: 60 Jahre Befreiung: Wer feiert mit?
> >
> > anyone care to make a small ruleset to score them up?
>
> someone posted one at http://www.file-upload.net/15.05.05/5_x4st.cf
>
> it uses a score of 8 and /i - anyway, it might save you some effort ;)

Just finished my ruleset also... grin. The one there has 27, so it's missing 5. I also don't understand why it used the meta tags in that one... It's combining nothing in fact... strange.

Bye, Raymond.
Re: Bombarded by German political spam
Hi!

> > it uses a score of 8 and /i - anyway, it might save you some effort ;)
>
> Just finished my ruleset also... grin. The one there has 27, so it's missing 5. I also don't understand why it used the meta tags in that one... It's combining nothing in fact... strange.

I put mine online also: http://mailscanner.prolocation.net/german.cf

It's nothing fancy, but it works. Have had it online for like 15 minutes now:

[EMAIL PROTECTED] hosts]# grep GSPAM vmx*/current | wc -l
1797

Almost 1800 hits.

Have fun, Raymond.
RE: {SPAM} Drug SPAM problem..any fixes?
-Original Message-
From: martin smith [mailto:[EMAIL PROTECTED]
Sent: Saturday, May 14, 2005 12:43 PM
To: Spamassassin
Subject: RE: {SPAM} Drug SPAM problem..any fixes?

> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: 14 May 2005 18:37
> To: Dan Simmons
> Cc: users@spamassassin.apache.org
> Subject: Re: {SPAM} Drug SPAM problem..any fixes?
>
> Dan Simmons wrote:
> > Hi All,
> >
> > I am having an issue with the following DRUG related spam. Does anyone have any rules to catch this?
> >
> > Environment: SA 3.0.2 with network tests and the following SARE rule sets:
> > snip
> > X-SA-SysThreshold: 6.0
> > 0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 1600-2000 bytes of words
> > 0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
> > 0.0 HTML_MESSAGE BODY: HTML included in message
>
> For your message I got the following (SA 2.64 with Mail::SpamCopURI)
>
> SpamAssassin (score=7.908, required 5, AB_URI_RBL 1.00, BAYES_00 -4.90, BLACK_URI_RBL 2.00, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51, INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 2.10, SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)
>
> Most of that is URI blacklists from surbl (supported by SA 3.x by default), as well as uribl.com (not supported in default config but I added it by hand)

Trouble is with the SURBL is that you can receive a lot of these spams before they get listed; they also seem to change domain name twice a day or more to keep ahead of the listing. That's why I wanted something to block them if they don't hit any black lists.

URIBL.com is currently testing some ideas to get them listed before they are even used. Needs more time to test. Kinda tricky to nail down ;)

--Chris
Re: Amusement value
In an older episode (Sunday 15 May 2005 12:24), Martin Lee wrote:
> I know how to search the contents of the From or Subject headers which SA makes available to me. But is it possible to write regexps to search the entire header section of an email ? A sort of headers-as_string method ?

http://wiki.apache.org/spamassassin/WritingRules mentions

header LOCAL_DEMONSTRATION_ALL ALL =~

cheers, wolfgang
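The test Martin asked for, more than one From: or Subject: field in a single header block, is exactly the kind of condition a regex over the whole header section (the `ALL` pseudo-header mentioned above) can express. The following is an added example in Python, not code from the thread or from SpamAssassin: it isolates the header section of a raw message the way `ALL` does, counts each field name while ignoring folded continuation lines and the body, and reports the watched fields that occur more than once. The sample message is constructed after the spam header quoted in the thread, with placeholder addresses.

```python
import re

# Constructed sample modelled on the spam header quoted in the thread (not the
# original message): several Subject: and From: lines in one header block,
# one folded header, and a body that must not be scanned.
SAMPLE_MESSAGE = """Return-Path: <sender@example.net>
Received: from m6.example.net ([192.0.2.10])
\tby mail.example.org with ESMTP id ABC123
Subject: Looking for Quality Singles?
From: Where People Meet <sender@example.net>
Subject: Meet serious Singles, just like you
From: Dating <sender@example.net>
Subject: Single?
 Meet other people
From: Where People Meet <sender@example.net>
Date: Sat, 14 May 2005 17:20:22 -0700 (PDT)
MIME-Version: 1.0

Subject: this line is body text, not a header, and must not be counted.
"""

# A header field starts at the beginning of a line with a field name and a
# colon; folded continuation lines begin with whitespace and so do not match.
FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):", re.M)


def header_block(raw_message):
    """Everything before the first blank line: the header section of an
    RFC 2822 message, the same region SpamAssassin exposes as ALL."""
    head, _sep, _body = raw_message.partition("\n\n")
    return head


def count_header_fields(raw_message):
    """Map each field name (lowercased) to how often it occurs in the header block."""
    counts = {}
    for name in FIELD_RE.findall(header_block(raw_message)):
        key = name.lower()
        counts[key] = counts.get(key, 0) + 1
    return counts


def duplicated_fields(raw_message, watch=("from", "subject")):
    """Return the watched fields that occur more than once, with their counts.
    A message like the one quoted above yields both 'from' and 'subject'."""
    counts = count_header_fields(raw_message)
    return {name: counts[name] for name in watch if counts.get(name, 0) > 1}


if __name__ == "__main__":
    print(count_header_fields(SAMPLE_MESSAGE))
    print("duplicated:", duplicated_fields(SAMPLE_MESSAGE))
```

The two details worth carrying into any rule over `ALL` are visible here: a line that begins with whitespace is a continuation of the previous field, not a new one, and the scan has to stop at the first blank line, since "Subject:" at the start of a body line is just text.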
Re: Bombarded by German political spam
On 5/15/05, Raymond Dijkxhoorn [EMAIL PROTECTED] wrote: http://mailscanner.prolocation.net/german.cf You've got a bit of duplication in there (rules 02 and 22 are the same, as are 04 and 26).
Re: Bombarded by German political spam
Hi! http://mailscanner.prolocation.net/german.cf You've got a bit of duplication in there (rules 02 and 22 are the same, as are 04 and 26). I'll clean them, thanks! v0.2 there in a few :) Bye, Raymond.
Strange SA report maths.
Hi all,

Using SA 3.0.3 on FreeBSD, I noticed the following interesting maths in the report from a message received a moment ago:

--quote--
Content analysis details: (4.1 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 NO_REAL_NAME           From: does not include a real name
 0.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 0.1 HTML_COMMENT_SAVED_URL BODY: HTML message is a saved web page
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
--quote--

(Full headers below.)

Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?

Kind Regards,
Craig.

--original headers--
Return-Path: [EMAIL PROTECTED]
Received: from mta126.mail.ukl.yahoo.com (mta126.mail.ukl.yahoo.com [217.12.11.75]) by craig.dnsalias.com (8.12.10/8.12.10) with SMTP id j4FFYBIW010078 for [EMAIL PROTECTED]; Sun, 15 May 2005 16:34:14 +0100 (BST) (envelope-from [EMAIL PROTECTED])
X-Yahoo-Forwarded: from [EMAIL PROTECTED] to [EMAIL PROTECTED]
X-Rocket-Track: 0: 100 ; IPCR=n-w0,n100,g0 ; IP=212.43.206.16 ; SERVER=217.12.12.165
Authentication-Results: mta126.mail.ukl.yahoo.com from=freesurf.fr; domainkeys=neutral (no sig)
X-Originating-IP: [212.43.206.16]
Received: from 212.43.206.16 (EHLO fidel.freesurf.fr) (212.43.206.16) by mta126.mail.ukl.yahoo.com with SMTP; Sun, 15 May 2005 15:33:43 +
Received: from acps-77b8dgiwqw (du-204-236.nat.dialup.freesurf.fr [212.43.204.236]) by fidel.freesurf.fr (Postfix) with SMTP id 326832A7CBA; Sun, 15 May 2005 17:33:36 +0200 (CEST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: **SPAM (4.1)** International Cd e-mail adress
Date: Sun, 15 may 2005 16:49:36 +0200
Importance: normal
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_42876BF9.E8A0075B
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Status: Yes, score=4.1 required=4.0 tests=BAYES_99,HTML_COMMENT_SAVED_URL,HTML_FONT_BIG,HTML_MESSAGE,INVALID_DATE,MIME_QP_LONG_LINE,NO_REAL_NAME autolearn=no version=3.0.3
X-Spam-Report:
 * 0.0 NO_REAL_NAME From: does not include a real name
 * 0.2 INVALID_DATE Invalid Date: header (not RFC 2822)
 * 0.1 HTML_COMMENT_SAVED_URL BODY: HTML message is a saved web page
 * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *      [score: 1.]
 * 0.0 HTML_MESSAGE BODY: HTML included in message
 * 0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
 * 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on mail.vega
X-Virus-Scanned: ClamAV devel-20050513/879/Sun May 15 14:43:45 2005 on vega-mail.vega
X-Virus-Status: Clean

This is a multi-part message in MIME format.
Re: Bombarded by German political spam
David B Funk wrote:
> Tonight our site is being bombarded by German political spam or Joe-jobbed bounce fall-out. So far it appears to all be coming from trojaned PCs. Other than the specific URLs in the messages havn't found any easily identified parts to create rules for. anybody else seeing this?

Lots and lots. Around 10AM CDT, it seems that the various RBL and URI rules are starting to kick in, but some is still leaking through with low scores. I received about 500 on the webmaster account. Now we know what sober was all about.

-- Steve
Re: Strange SA report maths.
Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ? Rounding. See the wiki. Loren
Re: Strange SA report maths.
Loren Wilton wrote:
> > Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?
>
> Rounding. See the wiki.

Can you be more specific? A search of wiki.apache.org/spamassassin shows 2 pages containing "rounding":

StatusRounding - orphaned.
RoundingIssues - this is not the issue I'm talking about, and in any case was fixed in 3.0.

Yours in confusion,
Craig.
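Loren's one-word answer is the whole explanation: each line of the report prints a rule's score rounded to one decimal, while the total is computed from the unrounded scores and only that sum is rounded, so the printed lines need not add up to the printed total. The following is an added illustration, not code from the thread or from SpamAssassin, and the per-rule values in it are constructed, not the real scores of those rules: they are chosen so that the printed lines read exactly as in Craig's report (0.0, 0.2, 0.1, 3.5, 0.0, 0.1, 0.0) while the unrounded sum is 4.11, which displays as 4.1 and clears the 4.0 threshold even though the printed lines only add up to 3.9.

```python
REQUIRED = 4.0

# Constructed per-rule scores carrying more precision than a report prints.
# These are NOT SpamAssassin's real scores for these rules; they were chosen
# so that the one-decimal report lines read exactly as in the message quoted
# above while the unrounded total comes to 4.11.
FULL_PRECISION_SCORES = {
    "NO_REAL_NAME": 0.03,
    "INVALID_DATE": 0.23,
    "HTML_COMMENT_SAVED_URL": 0.13,
    "BAYES_99": 3.53,
    "HTML_MESSAGE": 0.03,
    "HTML_FONT_BIG": 0.13,
    "MIME_QP_LONG_LINE": 0.03,
}


def report_lines(scores):
    """Per-rule lines as the report prints them: each score rounded to one decimal."""
    return [(rule, round(score, 1)) for rule, score in scores.items()]


def reported_total(scores):
    """The total the filter compares with the threshold: unrounded scores
    summed first, and only that sum rounded for display."""
    return round(sum(scores.values()), 1)


def sum_of_printed_lines(scores):
    """What a reader gets by adding the printed one-decimal lines."""
    return round(sum(score for _, score in report_lines(scores)), 1)


def is_spam(scores, required=REQUIRED):
    """The verdict uses the unrounded sum, so it can exceed the threshold even
    when the printed lines do not add up to it."""
    return sum(scores.values()) >= required


if __name__ == "__main__":
    for rule, score in report_lines(FULL_PRECISION_SCORES):
        print(f"{score:4.1f} {rule}")
    print("printed lines add up to:", sum_of_printed_lines(FULL_PRECISION_SCORES))
    print("total the filter used:  ", reported_total(FULL_PRECISION_SCORES))
    print("flagged:", is_spam(FULL_PRECISION_SCORES))
```

The practical consequence for anyone reading reports is that the printed per-rule figures are a guide, not an audit trail; the `X-Spam-Status` score is the number the threshold was applied to.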
Re: Bombarded by German political spam
On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
> I received about 500 on the webmaster account. Now we know what sober was all about.

I see *no* connection to any Virus or Trojan!

I got about 200 of them into a few accounts and seemingly I'm receiving more every few minutes. BUT I do *not* think it is more than 'Propaganda'! It mostly is just one URL of a genuine Article of a german Newspaper (only the 'collection' of Articles and tendency of subject making it 'political'). No attachments seem to be sent and our Mail-filter would have 'eaten' anyway all the current Sober-Viruses/Variants. (I'm pretty sure about that, I'm its admin)

Stucki (postmaster at math/inf/mi.fu-berlin.de)

--
Christoph von Stuckrad       * *  |nickname |[EMAIL PROTECTED]          \
Freie Universitaet Berlin    |/_*|'stucki' |Tel(days):+49 30 838-75 459|
Mathematik Informatik EDV    |\ *|if online|Tel(else):+49 30 77 39 6600|
Arnimallee 2-6/14195 Berlin  * * |on IRCnet|Fax(alle):+49 30 838-75454/
Re: Bombarded by German political spam
On 5/15/2005 6:19 PM +0200, Chr. von Stuckrad wrote:
> > Now we know what sober was all about.
>
> I see *no* connection to any Virus or Trojan!

Oh, there is a connection. Just like last year's sober.g and a German extremist spamrun. This spamrun was caused by sober.q, which was downloaded by sober.p.

Niek
Re: Bombarded by German political spam
I think the connection is that the infected machines are sending out this political spam and not that they are sending the actual virus.

Adam

"Chr. von Stuckrad" [EMAIL PROTECTED] 05/15/2005 12:19:39

> On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
> > I received about 500 on the webmaster account. Now we know what "sober" was all about.
>
> I see *no* connection to any Virus or Trojan!
>
> I got about 200 of them into a few accounts and seemingly I'm receiving more every few minutes. BUT I do *not* think it is more than 'Propaganda'! It mostly is just one URL of a genuine Article of a german Newspaper (only the 'collection' of Articles and tendency of subject making it 'political'). No attachments seem to be sent and our Mail-filter would have 'eaten' anyway all the current Sober-Viruses/Variants. (I'm pretty sure about that, I'm its admin)
>
> Stucki (postmaster at math/inf/mi.fu-berlin.de)
>
> --
> Christoph von Stuckrad       * *  |nickname |[EMAIL PROTECTED]          \
> Freie Universitaet Berlin    |/_*|'stucki' |Tel(days):+49 30 838-75 459|
> Mathematik Informatik EDV    |\ *|if online|Tel(else):+49 30 77 39 6600|
> Arnimallee 2-6/14195 Berlin  * * |on IRCnet|Fax(alle):+49 30 838-75454/
Re: Bombarded by German political spam
On 5/15/2005 6:19 PM +0200, Chr. von Stuckrad wrote:
> > Now we know what sober was all about.
>
> I see *no* connection to any Virus or Trojan!

Also see:

http://isc.sans.org/
http://www.viruslist.com/en/weblog

Niek
Re: Bombarded by German political spam
On Sun, 15 May 2005 18:19:39 +0200 Chr. von Stuckrad wrote:
> On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
> > I received about 500 on the webmaster account. Now we know what sober was all about.
>
> I see *no* connection to any Virus or Trojan!
[SNIP...]
> No attachments seem to be sent and our Mail-filter would have 'eaten' anyway all the current Sober-Viruses/Variants. (I'm pretty sure about that, I'm its admin)

He didn't mean the messages CONTAIN a virus/trojan. Over the last 2 weeks a new sober worm variant was released and infected tens of thousands of clueless Windows user machines. The current wave of political spam is being sent out through those infected machines.

<DREAMING>
It would be really nice if all the ISPs of the world would get together and create a comprehensive database of all residential IP address pools maintained in dnsbl fashion. Something the owner of an IP block could add to or remove from (with encrypted pass protection) *easily* when IPs are reassigned. Blocking direct, unauthenticated, SMTP transactions from addresses on that list would stop 90% of virus transmission and a large chunk of spam as well.
</DREAMING>

Gerald
Re: Bombarded by German political spam
...
> wolfgang wrote:
> > In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
> > > Hi!
> > >
> > > > > Anyone has a full list of subjects yet, time to do some SA magic... ;)
> > > >
> > > > I have quite a few, here is the subjects list:
> > > >
> > > > Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
> > > > Subject: Auf Streife durch den Berliner Wedding
> > > > Subject: Auslaender bevorzugt
> > > > Subject: Auslaenderpolitik
> > > > Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
> > > > Subject: Deutsche werden kuenftig beim Arzt abgezockt
> > > > Subject: Du wirst zum Sklaven gemacht!!!
> > > > Subject: Graeberschaendung auf bundesdeutsche Anordnung
> > > > Subject: Hier sind wir Lehrer die einzigen Auslaender
> > > > Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
> > > > Subject: Tuerkei in die EU
> > > > Subject: Verbrechen der deutschen Frau
> > >
> > > Two more:
> > >
> > > Subject: Vorbildliche Aktion
> > > Subject: 60 Jahre Befreiung: Wer feiert mit?
> >
> > one more:
> >
> > Subject: Augen auf
> >
> > I noticed that the WS URIBL does by now recognize various of the URIs in those mails, and a rule like
> >
> > # whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
> > urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A 5
> > body URIBL_RFCI_WHOIS eval:check_uridnsbl('URIBL_RFCI_WHOIS')
> > describe URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
> > tflags URIBL_RFCI_WHOIS net
> >
> > also works well here:
> >
> > 1.0 URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
> >     [URIs: pro-koeln-online.de jungefreiheit.de]
> >     [g-d-f.de bewaeltigen.de kopfmord.de]
> >     [buergerbewegungen.de wk-institut.de]
> >     [das-gibts-doch-nicht.de un-nachrichten.de]
> >     [rocknord.de]
>
> And may cause LOTS of false positives as well:
>
> Sun 2005-05-15 13:42:18: * 1.0 URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
> Sun 2005-05-15 13:42:18: *      [URIs: spiegel.de npd.de taz.de]
> FP: spiegel.de taz.de
>
> Sun 2005-05-15 13:42:44: * 1.0 URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
> Sun 2005-05-15 13:42:44: *      [URIs: libasoli.de zdf.de]
> FP: zdf.de
>
> h2h Alex

Basically, this rule is incorrectly written.

Unlike SURBLs or URIBL, RFCI does not use bit masks, but multiple full addresses - so trying to use a bitmask (5 in this case) will also match the hits for 127.0.0.7, which is the code for RFC non-compliant TLDs, of which .de is one. Put simply, the rule above will match all .de domains, which probably is not desired. Using a rule like

urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A 127.0.0.5

will probably give results closer to what is desired (i.e. matches SLDs with invalid whois).

So, yes, the OP's rule *will* give far too many FPs, but when written correctly, it will/should still filter out many/most of the Nazi party sites.

Paul Shupak
[EMAIL PROTECTED]

P.S. .de is interesting in that the Whois server does contain and will return the desired data, but the method of access is (AFAIK) only documented in the rfci entry for .de's TLD invalidity (i.e. a bunch of undocumented flags which can be passed using telnet). Most 127.0.0.7 entries are for TLDs which are RFC non-compliant, and a different code is used just so you can prevent marking every .de domain (last week someone else mentioned .co.uk, but that Whois server got fixed and removed from listing quite a while ago). As another example, the OP's version of the rule will block all .pl domains also, probably not good either (and a bunch of other TLDs), but most American individual users won't notice the problems unless they happen to regularly communicate with people in foreign countries (.se is one that would hurt me - though .de is probably the most significant - many third world country codes also have 127.0.0.7 codes for the TLDs, ex. .tv).
Re: Bombarded by German political spam
In an older episode (Sunday 15 May 2005 18:51), List Mail User wrote:
>>   # whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
>>   urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A 5
>>   body      URIBL_RFCI_WHOIS eval:check_uridnsbl('URIBL_RFCI_WHOIS')
>>   describe  URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
>>   tflags    URIBL_RFCI_WHOIS net
>
> Basically, this rule is incorrectly written. Unlike SURBLs or URIBL, RFCI does not use bit masks, but multiple full addresses - so trying to use a bitmask (5 in this case) will also match the hits for 127.0.0.7 which is the code for RFC non-compliant TLDs, of which .de is one. Put simply the rule above will match all .de domains, which probably is not desired.
>
> Using a rule like
>
>   urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A 127.0.0.5
>
> will probably give results closer to what is desired (i.e. matches SLDs with invalid whois).
>
> So, yes the OP's rule *will* give far too many FPs, but when written correctly, it will/should still filter out many/most of the Nazi party sites.

thanks for pointing that out, Paul!
i got that rule from this list, from a reply to a message of yours :)
so it goes ...

regards, wolfgang

In an older episode (Saturday 14 May 2005 20:20), Rob Skedgell wrote:
> Subject: Re: Drug SPAM problem..any fixes?
>
> On Saturday 14 May 2005 18:30, List Mail User wrote:
>> [...]
>> Just to keep up; aeroseddicc. com is another multitrade group domain. Note the contact email of [EMAIL PROTECTED] com - same as for the domain multitrade-corp. com, and the telephone/fax numbers match those of the domain sheenier. net. And, of course the name servers' domain of aicstrungcb. biz is multitrade also. Oh, yes, they also seem to have control of mail333. com. With enough pressure, they will run out of registrars, or be forced to use the Chinese ones.
>
> Just to add to that, mail333.com addresses are used in the registration of quite a lot of spamvertized domains - see http://groups.google.co.uk/groups?q=group:news.admin.net-abuse.*+mail333.com&start=0&scoring=d; mail333.com itself is in whois.rfc-ignorant.org, as are most (all?) of the related domains, and I'm getting promising results using that blacklist as a URIbl:
>
>   # whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
>   urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A 5
>   body      URIBL_RFCI_WHOIS eval:check_uridnsbl('URIBL_RFCI_WHOIS')
>   describe  URIBL_RFCI_WHOIS Contains an URL listed in RFCI whois
>   tflags    URIBL_RFCI_WHOIS net
>   score     URIBL_RFCI_WHOIS 2.0
Re: Strange SA report maths.
On Sun, 15 May 2005, Craig McLean wrote:
> Loren Wilton wrote:
> |Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?
> |
> | Rounding. See the wiki.
>
> Can you be more specific? A search of wiki.apache.org/spamassassin shows 2 pages containing rounding:
> StatusRounding - orphaned.
> RoundingIssues - this is not the issue I'm talking about, and in any case was fixed in 3.0.

I don't know what the wiki says, but here's my guess. The scores applied are actually three digits after the decimal. In the header report they are rounded off. Suppose the exact scores in the example you gave are 3.544 + 0.231 + 0.142 + 0.145. These add up to 4.062, which rounds to 4.1.

-- 
Theodore (Ted) Heise [EMAIL PROTECTED] Bloomington, IN, USA
SpamAssassin BAYES_99 problem
I have a problem with a few of my users that have spanish usernames (this is the only difference I can think of). In any case, here's the problem:

Sending a mail to [EMAIL PROTECTED] generates a score of 0.1 and thus no problems. The performed tests are the following:

  0.0 HTML_MESSAGE BODY: HTML included in message
  0.1 HTML_50_60 BODY: Message is 50% to 60% HTML

When sending the same, same message to [EMAIL PROTECTED], I get this:

  0.0 HTML_MESSAGE BODY: HTML included in message
  9.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.]
  0.1 HTML_50_60 BODY: Message is 50% to 60% HTML

What gives? What triggers the bayesian system to assign 99% spam probability to the same message but to a different username?

Any clue is appreciated!
Re: Bombarded by German political spam
>> Tonight our site is being bombarded by German political spam or Joe-jobbed bounce fall-out. So far it appears to all be coming from trojaned PCs. Other than the specific URLs in the messages haven't found any easily identified parts to create rules for. anybody else seeing this?
>
> Lots and lots. Around 10AM CDT, it seems that the various RBL and URI rules are starting to kick in, but some is still leaking through as with low scores.

Comment from a german user: the mails are promoting political opinions commonly attributed to the NPD, a legal political party (why it is legal remains partly at the discretion of supreme court judges).

None of the subjects they use would be expected in personal email communication - it is all newspaper headlines and smells like that, so filtering on the subject lines should be safe.

Some of the uris found point at quite reputable sources that are not related to the spam at all, others basically just send out the same message as the spam all the time. It is like an ad campaign quoting an article in Time magazine because it could be interpreted as supporting their ideas - would you want the paper to be blacklisted? If some sites on the list happen to have invalid registrations, then it is probably their fault.

Wolfgang Hamann
Re: Strange SA report maths.
Theodore Heise wrote:
| On Sun, 15 May 2005, Craig McLean wrote:
|
| |Loren Wilton wrote:
| ||Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?
| ||
| || Rounding. See the wiki.
| |
| |Can you be more specific? A search of wiki.apache.org/spamassassin shows
| |2 pages containing rounding:
| |StatusRounding - orphaned.
| |RoundingIssues - this is not the issue I'm talking about, and in any
| |case was fixed in 3.0.
|
| I don't know what the wiki says, but here's my guess. The scores applied
| are actually three digits after the decimal. In the header report
| they are rounded off. Suppose the exact scores in the example you
| gave are 3.544 + 0.231 + 0.142 + 0.145. These add up to 4.062,
| which rounds to 4.1.

Yeah, that could well be it. I'll look at the scores in the .cf files and see what gives..

Thanks!
Craig.
Don't see BAYES in headers
I'm using SpamAssassin 3.0.3 with amavisd and mysql. I've learned it for 900 ham messages and 1000 spam messages this way for each user:

  /usr/local/bin/sa-learn -u [EMAIL PROTECTED] --ham /home/cyrus/spool/domain/domain.ru/user/igor/NoSpam
  /usr/local/bin/sa-learn -u [EMAIL PROTECTED] --spam /home/cyrus/spool/domain/domain.ru/user/igor/IsSpam

The problem is that SpamAssassin doesn't use BAYES tests when checking messages, i.e. I don't see BAYES_XX in the tests section of the message headers. Here is my config:

  use_dcc 0
  use_pyzor 0
  use_razor2 0
  skip_rbl_checks 1
  use_bayes 1
  use_bayes_rules 1
  bayes_path /usr/local/spamassassin/bayes
  report_safe 0
  dns_available no
  bayes_store_module Mail::SpamAssassin::BayesStore::SQL
  bayes_sql_dsn DBI:mysql:spamdb:localhost
  bayes_sql_username postfix
  bayes_sql_password
  user_scores_dsn DBI:mysql:spamdb:localhost
  user_scores_sql_usernamedb postfix
  user_scores_sql_passworddb
  bayes_auto_learn 0
  bayes_ignore_header X-Virus-Scanned
  bayes_ignore_header X-Amavis-Alert
  bayes_ignore_header X-Sieve

Maybe I forgot something?
Re: SpamAssassin BAYES_99 problem
George Breahna wrote:
> I have a problem with a few of my users that have spanish usernames (this is the only difference I can think of). In any case, here's the problem:
>
> Sending a mail to [EMAIL PROTECTED] generates a score of 0.1 and thus no problems. The performed tests are the following:
>
>   0.0 HTML_MESSAGE BODY: HTML included in message
>   0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
>
> When sending the same, same message to [EMAIL PROTECTED], I get this:
>
>   0.0 HTML_MESSAGE BODY: HTML included in message
>   9.0 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.]
>   0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
>
> What gives? What triggers the bayesian system to assign 99% spam probability to the same message but to a different username?
>
> Any clue is appreciated!

Without seeing the entire message, I'd assume that a Jose sent you spam, that was learned as such. Learn these ham messages as such, and it should help some. YMMV

-- 
Thanks,
JamesDR
Re: Bombarded by German political spam
Gerald V. Livingston II wrote:
> On Sun, 15 May 2005 18:19:39 +0200 Chr. von Stuckrad wrote:
>> On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
>>> I received about 500 on the webmaster account. Now we know what sober was all about.
>>
>> I see *no* connection to any Virus or Trojan!
>> [SNIP...]
>> No attachments seem to be sent and our Mail-filter would have 'eaten' anyway all the current Sober-Viruses/Variants. (I'm pretty sure about that, I'm its admin)
>
> He didn't mean the messages CONTAIN a virus/trojan. Over the last 2 weeks a new sober worm variant was released and infected tens of thousands of clueless Windows user machines. The current wave of political spam is being sent out through those infected machines.
>
> DREAMING
> It would be really nice if all the ISPs of the world would get together and create a comprehensive database of all residential IP address pools maintained in dnsbl fashion. Something the owner of an IP block could add to or remove from (with encrypted pass protection) *easily* when IP's are reassigned. Blocking direct, unauthenticated, SMTP transactions from addresses on that list would stop 90% of virus transmission and a large chunk of spam as well.
> /DREAMING
>
> Gerald

Many already do... I know mine does, along with the local cable co. (I'm on dsl)

-- 
Thanks,
JamesDR
Re: Strange SA report maths.
Craig McLean wrote:
| Theodore Heise wrote:
| | On Sun, 15 May 2005, Craig McLean wrote:
| |
| | |Loren Wilton wrote:
| | ||Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?
| | ||
| | || Rounding. See the wiki.
| | |
| | |Can you be more specific? A search of wiki.apache.org/spamassassin shows
| | |2 pages containing rounding:
| | |StatusRounding - orphaned.
| | |RoundingIssues - this is not the issue I'm talking about, and in any
| | |case was fixed in 3.0.
| |
| | I don't know what the wiki says, but here's my guess. The scores applied
| | are actually three digits after the decimal. In the header report
| | they are rounded off. Suppose the exact scores in the example you
| | gave are 3.544 + 0.231 + 0.142 + 0.145. These add up to 4.062,
| | which rounds to 4.1.

Spot on. Have a cigar!

The scores on the doors (using set 4):

  NO_REAL_NAME            0.007
  INVALID_DATE            0.236
  HTML_COMMENT_SAVED_URL  0.146
  BAYES_99                3.5
  HTML_MESSAGE            0.001
  HTML_FONT_BIG           0.142
  MIME_QP_LONG_LINE       0.039

The scores for each rule, when added together, are 4.071. Hence a total score of 4.1 (rounded) even though the individual rules when rounded before addition only score 3.9.

Perhaps it would be useful to add this little quirk to the wiki? On the RoundingIssues page?

Thanks again for all the help!
Craig.
Bayes problems and German Spam
Hi All,

After going from 2.64 to 3.0.3 I thought Bayes was working much better - previously certain classes of spam were being consistently reported as ham, scoring BAYES_00 no matter what I did, or how much manual training I did. (Autolearning enabled)

After upgrading to 3.0.3 and clearing the Bayes database everything seemed fine for a week or so, now it's back to its old habits :(

Particularly frustrating is the complete inability of sa-learn to correct the thinking of Bayes - all the recent flood of German spams are scoring BAYES_00, and DESPITE the fact that I have manually learnt well over two dozen of these as spam (which includes all the variations of them I've seen so far) new copies of identical spams STILL score BAYES_00. WHY?

If the autolearn system can't be overridden with some manual learning, it makes it more or less useless :(

A few other spams that were previously getting BAYES_99 are now down to BAYES_00 for no apparent reason. It's highly unlikely that they were autolearnt as ham, as they hit several other tests too.

It seems that Bayes is still exploitable... :(

Any suggestions?

Regards,
Simon
Problem with ALL_TRUSTED
Hi,

I've been having problems with a specific spammer lately. He's sending me about 300 mails a day and they're all passing right through my filtering. Part of the problem is this:

  * -2.8 ALL_TRUSTED Did not pass through any untrusted hosts

SpamAssassin thinks the mail comes directly from my host's mailserver, but it's overlooking a Received header. I think it's because of the X-Virus-Scan header in between. However I have no control over that particular header. Is the order of headers an RFC violation in some way, or is this a SA problem?

A full example email is attached.

  Return-path: [EMAIL PROTECTED]
  Envelope-to: [EMAIL PROTECTED]
  Delivery-date: Sun, 15 May 2005 23:10:18 +0200
  Received: from localhost ([127.0.0.1] ident=root)
          by hellfire.egelantier.subbot.net with esmtp (Exim 4.50)
          id 1DXQNO-0005rW-55
          for [EMAIL PROTECTED]; Sun, 15 May 2005 23:10:18 +0200
  Delivered-To: [EMAIL PROTECTED]
  Received: from 63.209.158.6 [63.209.158.6]
          by localhost with POP3 (fetchmail-6.2.5)
          for [EMAIL PROTECTED] (single-drop); Sun, 15 May 2005 23:10:18 +0200 (CEST)
  Received: (qmail 5490 invoked by uid 399); 15 May 2005 21:06:00 -
  X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses); Sun, 15 May 2005 17:06:00 -0400
  Received: from unknown (HELO pkaffe.de) (71.34.15.142)
          by mail.myhsphere.biz with SMTP; 15 May 2005 21:06:01 -
  From: [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Date: Sun, 15 May 2005 21:04:24 GMT
  Subject: Vorbildliche Aktion
  Importance: Normal
  X-Priority: 3 (Normal)
  X-MSMail-Priority: Normal
  MIME-Version: 1.0
  Message-ID: [EMAIL PROTECTED]
  Content-Transfer-Encoding: 7bit
  Content-Type: text/plain; charset=us-ascii
  X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on hellfire.egelantier.subbot.net
  X-Spam-Level: *
  X-Spam-Status: No, score=1.3 required=5.0 tests=ALL_TRUSTED,AWL,
          MISSING_MIMEOLE,NO_DNS_FOR_FROM,NO_REAL_NAME,PRIORITY_NO_NAME,
          RAZOR2_CF_RANGE_51_100 autolearn=disabled version=3.0.2
  X-Spam-Report:
          *  0.2 NO_REAL_NAME From: does not include a real name
          * -2.8 ALL_TRUSTED Did not pass through any untrusted hosts
          *  1.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
          *      [cf: 100]
          *  1.1 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
          *  0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
          *  1.2 PRIORITY_NO_NAME Message has priority, but no X-Mailer/User-Agent
          *  0.1 AWL AWL: From: address is in the auto white-list
  Status:

  Lese selbst: http://www.npd.de/npd_info/deutschland/2004/d1204-24.html
Re: Bombarded by German political spam
> ...
>>> Tonight our site is being bombarded by German political spam or Joe-jobbed bounce fall-out. So far it appears to all be coming from trojaned PCs. Other than the specific URLs in the messages haven't found any easily identified parts to create rules for. anybody else seeing this?
>>
>> Lots and lots. Around 10AM CDT, it seems that the various RBL and URI rules are starting to kick in, but some is still leaking through as with low scores.
>
> Comment from a german user: the mails are promoting political opinions commonly attributed to the NPD, a legal political party (why it is legal remains partly at the discretion of supreme court judges).
>
> None of the subjects they use would be expected in personal email communication - it is all newspaper headlines and smells like that, so filtering on the subject lines should be safe.
>
> Some of the uris found point at quite reputable sources that are not related to the spam at all, others basically just send out the same message as the spam all the time. It is like an ad campaign quoting an article in Time magazine because it could be interpreted as supporting their ideas - would you want the paper to be blacklisted? If some sites on the list happen to have invalid registrations, then it is probably their fault.
>
> Wolfgang Hamann

Wolfgang,

What you say makes too much sense to be ignored. Since I am playing catch-up with my email, this may have already been addressed; But, I can not speak for anyone else, yet I would guess that many folks (particularly JeffC of SURBL and ChrisS of URIBL) would be extremely grateful if you could prepare a preliminary whitelist for them, just to avoid the exact case you have mentioned - Legitimate news sources/agencies/publishers getting listed because they are cited by a third party's spam.

It would probably be best for you to just post to the list whatever you feel is appropriate - possibly some of the interested parties might wish to contact you directly or have you contact them (I said, I speak for no one else). If you feel most comfortable, if needed you can send it to me and I'll take it onto myself to pass it to a variety of organizations (though that would likely be the slowest method).

Also, regarding invalid registrations, they are a pretty good indicator, but do FP a lot (look at Lycos. com - and that one's my fault; I usually avoid innocents - but I had had a bad day, and one of their employees really pissed me off). Also, the issue regarding invalid registrations is that they are trivial to fix, only spammers and very large companies ignore them (and the Lycos issue is one that wdprs will not accept, but rfci will).

Paul Shupak
[EMAIL PROTECTED]

P.S. Anyone out there who uses Network Solutions needs to be careful about invalid telephone numbers and fax numbers - Network Solutions' own computer system often glitches and has at least on two occasions (during updates to the software/database) assigned invalid numbers to all customers who did not have listed ones. Fax numbers are always optional, but should not be invalid, and a telephone number for the registrant is optional - At one update NetSol gave everyone 123 123 1234, in the other case (and the common glitch) is for them to assign 999 999 (check their web page instead of the Whois server, and they have bad data for about a third of all customers). So it is not always the fault of the registrant (but as far as I know, unless they use NetSol, it is).
Re: Bayes problems and German Spam
At 09:53 16/05/2005, Jo wrote:
> Simon Byrnand wrote:
>> Hi All,
>>
>> After going from 2.64 to 3.0.3 I thought Bayes was working much better - previously certain classes of spam were being consistently reported as ham, scoring BAYES_00 no matter what I did, or how much manual training I did. (Autolearning enabled)
>>
>> After upgrading to 3.0.3 and clearing the Bayes database everything seemed fine for a week or so, now it's back to its old habits :(
>>
>> Particularly frustrating is the complete inability of sa-learn to correct the thinking of Bayes - all the recent flood of German spams are scoring BAYES_00, and DESPITE the fact that I have manually learnt well over two dozen of these as spam (which includes all the variations of them I've seen so far) new copies of identical spams STILL score BAYES_00. WHY?
>>
>> If the autolearn system can't be overridden with some manual learning, it makes it more or less useless :(
>>
>> A few other spams that were previously getting BAYES_99 are now down to BAYES_00 for no apparent reason. It's highly unlikely that they were autolearnt as ham, as they hit several other tests too.
>>
>> It seems that Bayes is still exploitable... :(
>>
>> Any suggestions?
>>
>> Regards,
>> Simon
>
> Clear your bayes database and start all over again. Switch off auto-learning and rely purely on manual learning in a feedback loop. Grab a mail box of known ham and another folder of known spam. Preferably use a thousand of each.

Hmm, not very practical when the system has several thousand users/mailboxes. There is no way I would be able to keep current with manual learning just based on my own personal mailbox... (and I can hardly go poking around in other people's mailboxes to gather ham/spam to learn)

> If you ever switch on autolearning again. Set the threshold at -0.2 for ham and 10 or 15 for spam.

Are there even any negative scores in 3.0.3? I thought negative scores were pretty much eliminated in recent versions, so with -0.2 it would never learn any ham.

> Enable network tests, razor2, pyzor and dcc work wonders on the site I administer.

Already have all network tests enabled, always have done.

Regards,
Simon
Re: Bombarded by German political spam
In an older episode (Monday 16 May 2005 00:17), List Mail User wrote:
> JeffC of SURBL and ChrisS of URIBL) would be extremely grateful if you could prepare a preliminary whitelist for them, just to avoid the exact case you have mentioned - Legitimate news sources/agencies/publishers getting listed because they are cited by a third parties spam.

i started listing such publishers today:

  uridnsbl_skip_domain *.berlinonline.de
  uridnsbl_skip_domain berlinonline.de
  uridnsbl_skip_domain *.heise.de
  uridnsbl_skip_domain heise.de
  uridnsbl_skip_domain *.spiegel.de
  uridnsbl_skip_domain spiegel.de
  uridnsbl_skip_domain *.taz.de
  uridnsbl_skip_domain taz.de
  uridnsbl_skip_domain *.zdf.de
  uridnsbl_skip_domain zdf.de

regards, wolfgang (the lower case one :)
Re: Bombarded by German political spam
Wolfgang,

On a related note; Having just seen the first such email at my site (it wasn't delivered), I'm assuming the npd. de is the actual political party itself? If so, their paperwork is squeaky clean, even the name servers' domains are clean; The best I could do was find that most of the contacts for the name servers refuse postmaster@ and abuse@ - and somebody else filed that for npd. de themselves yesterday - In fact within 20 minutes, the only invalid registration was for one of the domains used for email contact, by the name servers' domain for npd. de (i.e. twice removed).

It seems they run a bunch of domains which feed to a small number of mail servers, but play mostly by all the rules. Largely you go in circles, only occasionally breaking out to some large commercial provider (who do seem to have offices which are often in the same buildings or just a few addresses away from the contacts for npd. de). You do come up with quite a few unusual domain names, but I didn't find any problems with the paperwork (ex. pureserver. info, straightedv. de, factsoft. de and a few others - the names even smell political).

Thanks in advance,

Paul Shupak
[EMAIL PROTECTED]
Re: Strange SA report maths.
On Sun, 15 May 2005, Craig McLean wrote:
> The scores on the doors (using set 4):
>
>   NO_REAL_NAME            0.007
>   INVALID_DATE            0.236
>   HTML_COMMENT_SAVED_URL  0.146
>   BAYES_99                3.5
>   HTML_MESSAGE            0.001
>   HTML_FONT_BIG           0.142
>   MIME_QP_LONG_LINE       0.039
>
> The scores for each rule, when added together, are 4.071. Hence a total score of 4.1 (rounded) even though the individual rules when rounded before addition only score 3.9.
>
> Perhaps it would be useful to add this little quirk to the wiki? On the RoundingIssues page?

I added this.

-- 
Theodore (Ted) Heise [EMAIL PROTECTED] Bloomington, IN, USA
[SARE] Whitelist.cf
Just a quick note that SARE's whitelist.cf has been updated. Documentation and download link at http://www.rulesemporium.com/rules.htm#whitelist Bob Menschel
Re: Bombarded by German political spam
On Sunday, May 15, 2005, 4:04:09 PM, wolfgang wolfgang wrote:
> In an older episode (Monday 16 May 2005 00:17), List Mail User wrote:
>> JeffC of SURBL and ChrisS of URIBL) would be extremely grateful if you could prepare a preliminary whitelist for them, just to avoid the exact case you have mentioned - Legitimate news sources/agencies/publishers getting listed because they are cited by a third parties spam.
>
> i started listing such publishers today:
>
>   uridnsbl_skip_domain *.berlinonline.de
>   uridnsbl_skip_domain berlinonline.de
>   uridnsbl_skip_domain *.heise.de
>   uridnsbl_skip_domain heise.de
>   uridnsbl_skip_domain *.spiegel.de
>   uridnsbl_skip_domain spiegel.de
>   uridnsbl_skip_domain *.taz.de
>   uridnsbl_skip_domain taz.de
>   uridnsbl_skip_domain *.zdf.de
>   uridnsbl_skip_domain zdf.de
>
> regards, wolfgang (the lower case one :)

Ja, we've already whitelisted those and others to prevent them from getting added to SURBLs. If you run across any others that are blacklisted in SURBLs, then please send them to: whitelist at surbl dot org and we will whitelist them.

Here are some others we've whitelisted:

  stern.de
  rp-online.de
  fhtw-berlin.de
  berlin1.de
  bz.berlin1.de
  bz-berlin.de
  gofeminin.de
  taz.de
  berlinonline.de
  zdf.de
  [...]

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Using 1st server Spamassassin score as starting value for 2nd server.
I run the Email servers for a small, rural mountain WISP and have a situation where all Email 1st comes into a scrubber server (RaQ 550) and once it passes an initial set of virus/spam tests is sent on to a 2nd server (also a RaQ 550) where the actual user accounts reside.

On the first server Spam/Virii are stopped in 3 steps:

  1.) Custom blocklists
  2.) Greylister
  3.) MailScanner/Spamassassin 3.0.3 - Network checks/General rules.

These stop spam with as little work as possible and as soon as possible. Anything flagged with a high score at this point is quarantined just in case, but not sent to the user. Messages with scores lower than the high score threshold are sent on to the 2nd server.

On the 2nd server only MailScanner (virus checks bypassed since they were done already)/Spamassassin 3.02 (Spamd/Spamc) are run. Since Spamc runs as the Email recipient I can use each user's custom settings and bayes databases to do a final check on spam so that they may do what they want with such messages. These tests tend to be more expensive than those done on the 1st server and vary from user to user, but nonetheless I don't want to repeat the tests from the 1st server.

Can I set up a header with the spam score from the 1st server and then set up the 2nd server's spamassassin to use that header as the initial score for any subsequent tests? My idea is to turn off as many body checks on the 1st server and to wait until the last possible moment without duplicating 1st server tests before doing the bayes stuff on the 2nd server. The final Spam score would be the accumulated sum from both servers.

It wasn't clear from the documentation or google searches that I could do this. It seemed that I could create a header and then give a score based upon its presence. But it wasn't obvious to me that I could actually read the header's value and set the initial spam score from the value.

Any hints are graciously accepted and greatly appreciated.

-- 
Paul ([EMAIL PROTECTED])
Re: Problem with ALL_TRUSTED
>   * -2.8 ALL_TRUSTED Did not pass through any untrusted hosts
>
> SpamAssassin thinks the mail comes directly from my host's mailserver, but it's overlooking a Received header. I think it's because of the X-Virus-Scan header in between. However I have no control over that particular header.

Yea, that appears to be doing it. From the setup you have, it looked like the remote host was actually your mail gateway, so SA trusted it.

You need to set the trusted hosts correctly for your installation. I'm not conversant with how to do that, but there has been much mention of it on the list in the last month or so, and I'm sure there are some wiki pages. The actual manual pages for SA describe the necessary config lines pretty well.

Loren
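As an added illustration of Loren's point (not code from the thread or from SpamAssassin), this Python walk over the Received: headers quoted above shows that ALL_TRUSTED depends on which relay IPs fall inside trusted_networks, not on the X-Virus-Scan header sitting between them. The header text is reconstructed from the quoted message, both trusted_networks values are assumptions, and the walk is a simplification of SpamAssassin's trust-path logic.

```python
"""Model of the trusted_networks walk behind ALL_TRUSTED.

Added example, not code from the thread or from SpamAssassin. Received:
headers are read top-down (most recent hop first). While the relaying IP
lies inside trusted_networks the hop is trusted; the first hop outside it
is the trust boundary and every later hop is untrusted. ALL_TRUSTED
corresponds to 'no untrusted hop at all'. Real SpamAssassin parses far
more Received formats and infers trust when trusted_networks is unset;
this is the simplified version.
"""
import ipaddress
import re

# Reconstructed from the message quoted in the thread (addresses as
# quoted, recipient redacted as in the archive, qmail timezone assumed -0000).
SAMPLE_HEADERS = """\
Received: from localhost ([127.0.0.1] ident=root) by hellfire.egelantier.subbot.net with esmtp (Exim 4.50) id 1DXQNO-0005rW-55 for [EMAIL PROTECTED]; Sun, 15 May 2005 23:10:18 +0200
Received: from 63.209.158.6 [63.209.158.6] by localhost with POP3 (fetchmail-6.2.5) for [EMAIL PROTECTED] (single-drop); Sun, 15 May 2005 23:10:18 +0200 (CEST)
Received: (qmail 5490 invoked by uid 399); 15 May 2005 21:06:00 -0000
X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses); Sun, 15 May 2005 17:06:00 -0400
Received: from unknown (HELO pkaffe.de) (71.34.15.142) by mail.myhsphere.biz with SMTP; 15 May 2005 21:06:01 -0000
"""

# Assumed trusted_networks for this setup: the local box plus the
# provider's POP3 server that fetchmail pulls from.
CORRECT_TRUST = ["127.0.0.0/8", "63.209.158.6"]
# Hypothetical over-broad setting, kept only to reproduce the ALL_TRUSTED hit.
TOO_BROAD_TRUST = ["0.0.0.0/0"]

# First dotted quad after 'from': the address of the relaying host.
IP_RE = re.compile(r"\bfrom\s+.*?(\d{1,3}(?:\.\d{1,3}){3})")


def received_ips(headers):
    """Relaying IP of each Received: header, top-down.

    Hops without a 'from <ip>' part (local hand-offs such as
    '(qmail ... invoked by uid ...)') carry no relay address and are
    skipped; non-Received headers such as X-Virus-Scan are ignored.
    """
    ips = []
    for line in headers.splitlines():
        if not line.startswith("Received:"):
            continue
        m = IP_RE.search(line)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def split_trust_path(headers, trusted_networks):
    """Return (trusted_hops, untrusted_hops) as lists of IP strings."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    trusted, untrusted = [], []
    for ip in received_ips(headers):
        if not untrusted and any(ip in net for net in nets):
            trusted.append(str(ip))       # still inside the trusted path
        else:
            untrusted.append(str(ip))     # boundary crossed: this and all later hops
    return trusted, untrusted


def all_trusted(headers, trusted_networks):
    """True when no hop is untrusted, i.e. when ALL_TRUSTED would fire."""
    return not split_trust_path(headers, trusted_networks)[1]


if __name__ == "__main__":
    for label, nets in (("correct", CORRECT_TRUST), ("too broad", TOO_BROAD_TRUST)):
        t, u = split_trust_path(SAMPLE_HEADERS, nets)
        print(f"{label:9s} trusted={t} untrusted={u} "
              f"ALL_TRUSTED={all_trusted(SAMPLE_HEADERS, nets)}")
```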
Re: Bombarded by German political spam
Chr. von Stuckrad wrote:
> On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
>> I received about 500 on the webmaster account. Now we know what sober was all about.
>
> I see *no* connection to any Virus or Trojan!
>
> I got about 200 of them into a few accounts and seemingly I'm receiving more every few minutes. BUT I do *not* think it is more than 'Propaganda'! It mostly is just one URL of a genuine Article of a german Newspaper (only the 'collection' of Articles and tendency of subject making it 'political'). No attachments seem to be sent and our Mail-filter would have 'eaten' anyway all the current Sober-Viruses/Variants. (I'm pretty sure about that, I'm its admin)
>
> Stucki (postmaster at math/inf/mi.fu-berlin.de)

Look at your AV logs of those sending sober.p and look at the connections sending the german political spam. You will start to see a connection. In fact I'm going through my logs right now finding the hosts which sent sober.p and starting to block those because they so far seem to be the main ones sending the political spam.
Re: Using 1st server Spamassassin score as starting value for 2nd server.
> It wasn't clear from the documentation or google searches that I could do this. It seemed that I could create a header and then give a score based upon its presence. But it wasn't obvious to me that I could actually read the header's value and set the initial spam score from the value.
>
> Any hints are graciously accepted and greatly appreciated.

You can't, so far as I know, do exactly what you want. However, you may be able to come close.

SA uses text pattern matching for rules, rather than any concept of arithmetic numbers. You can make multiple rules with various scores and use them to look at the score lines in the header, at least if you are on 3.0 or later. (In 2.6x these lines will be stripped before you can look at them). I think you will have to use 'full' rules to look at this data (or write a plugin, which might be the better idea) since it will probably be removed from 'header' rule data before you can look at it.

I would suggest a simple collection of rules that look at the number of stars in the report line, and score each one at 1 point. This will give you the score rounded to the nearest point, which might be good enough.

You could actually make a whole series of rules (it would take 40 rules) to look at the actual score value and provide a decimal result. For instance, grabbing part of the summary line from your message, I see

  X-Spam-Status: No, hits=-94.4

(This is on 2.64, check the format for 3.0 in case it changed.)

Now I could write a bunch of rules like

  full  SA_SCORE_100     /^X-Spam-Status:.{0,20}hits=1\d\d/s
  score SA_SCORE_100     100

  full  SA_SCORE_10      /^X-Spam-Status:.{0,20}hits=\d*1\d[^\d]/s
  score SA_SCORE_10      10
  full  SA_SCORE_20      /^X-Spam-Status:.{0,20}hits=\d*2\d[^\d]/s
  score SA_SCORE_20      20
  full  SA_SCORE_30      /^X-Spam-Status:.{0,20}hits=\d*3\d[^\d]/s
  score SA_SCORE_30      30
  full  SA_SCORE_40      /^X-Spam-Status:.{0,20}hits=\d*4\d[^\d]/s
  score SA_SCORE_40      40

  full  SA_SCORE_1       /^X-Spam-Status:.{0,20}hits=\d*1[^\d]/s
  score SA_SCORE_1       1
  full  SA_SCORE_2       /^X-Spam-Status:.{0,20}hits=\d*2[^\d]/s
  score SA_SCORE_2       2
  full  SA_SCORE_3       /^X-Spam-Status:.{0,20}hits=\d*3[^\d]/s
  score SA_SCORE_3       3
  full  SA_SCORE_4       /^X-Spam-Status:.{0,20}hits=\d*4[^\d]/s
  score SA_SCORE_4       4

  full  SA_SCORE_point1  /^X-Spam-Status:.{0,20}hits=\d*\.1/s
  score SA_SCORE_point1  0.1
  full  SA_SCORE_point2  /^X-Spam-Status:.{0,20}hits=\d*\.2/s
  score SA_SCORE_point2  0.2
  full  SA_SCORE_point3  /^X-Spam-Status:.{0,20}hits=\d*\.3/s
  score SA_SCORE_point3  0.3
  full  SA_SCORE_point4  /^X-Spam-Status:.{0,20}hits=\d*\.4/s
  score SA_SCORE_point4  0.4

Obviously you need 0-9 in each case. That will handle positive scores and ignore negative scores. (If you can't have 3 digit scores, you can simplify the regex in the first case above to something like =1\d/s on the end). If you want to deal with negative scores also, you will need a bunch more rules to deal with them.

Oh heck. I started the ruleset above, I just finished the thing. File attached. Note these rules are UNTESTED, and may not work as expected. They may not even lint for that matter. But they might be useful if they do work.

Loren

scorerules.cf
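Added Python check (not Loren's scorerules.cf) that applies the same digit-by-digit decomposition to a few constructed X-Spam-Status lines, so the rule scores can be verified to add back up to the original value before the patterns are turned into SpamAssassin rules. It generalises the posted rules to the digits 1-9 in every position and also accepts the 3.0 `score=` keyword; both widenings are mine.

```python
"""Text-only reconstruction of a numeric X-Spam-Status score.

Added example, not Loren's scorerules.cf. SpamAssassin rules match text,
so a score can only be 'read' as a set of digit patterns, each worth a
fixed amount, whose contributions are summed: hundreds, tens, units and
tenths. The regex bodies below are the posted ones, generalised (my
change) to the digits 1-9 in every position and to both the 2.6x 'hits='
and the 3.0 'score=' keyword. Negative scores match nothing, exactly as
in the posted rules, and therefore come out as 0.
"""
import re

PREFIX = r"^X-Spam-Status:.{0,20}(?:hits|score)="


def build_rules():
    """(compiled pattern, score) pairs, one per digit and position."""
    rules = []
    for d in range(1, 10):
        # hundreds: the value starts with D followed by two more digits
        rules.append((re.compile(PREFIX + rf"{d}\d\d", re.S), 100 * d))
        # tens: D followed by exactly one more digit before a non-digit
        rules.append((re.compile(PREFIX + rf"\d*{d}\d[^\d]", re.S), 10 * d))
        # units: D directly before a non-digit ('.' or ' ')
        rules.append((re.compile(PREFIX + rf"\d*{d}[^\d]", re.S), d))
        # tenths: D directly after the decimal point
        rules.append((re.compile(PREFIX + rf"\d*\.{d}", re.S), d / 10))
    return rules


RULES = build_rules()


def score_from_status(header_line):
    """Sum the contributions of every matching pattern, as SA adds rule scores."""
    total = sum(score for pattern, score in RULES if pattern.search(header_line))
    return round(total, 1)


def numeric_score(header_line):
    """Read the value arithmetically, to cross-check the pattern approach."""
    m = re.search(r"(?:hits|score)=(-?\d+(?:\.\d+)?)", header_line)
    return float(m.group(1)) if m else None


# Constructed header lines in the 2.6x ('hits=') and 3.0 ('score=') formats.
SAMPLES = [
    "X-Spam-Status: No, hits=-94.4 required=5.0 tests=ALL_TRUSTED",
    "X-Spam-Status: Yes, hits=12.3 required=5.0 tests=BAYES_99",
    "X-Spam-Status: No, score=1.3 required=5.0 tests=ALL_TRUSTED,AWL",
    "X-Spam-Status: Yes, hits=121.7 required=5.0 tests=GTUBE",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{numeric_score(line):7.1f} -> patterns give "
              f"{score_from_status(line):6.1f}   {line}")
```

The negative-score line is the one Loren mentions: every pattern needs a digit or a dot right after the keyword, so `hits=-94.4` contributes nothing and the second-stage score starts from 0.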
Help mp3 attachment
I run a very simple Postfix - Procmail - SpamAssassin - ClamAV setup that has been working great, but tonight I see something I don't understand. Look at the 2 examples below please. Both messages got virus-scanned. However, the message that includes an mp3 audio attachment appears not to have been spam-scanned at all, whereas a totally plain message does. Can anyone explain this? What attachment property would cause the message not to pass to spamd at all? Thanks - John

Plain message with 500K mp3 attachment:

X-Virus-Status: No
X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with ClamAV 0.85/879/Sun May 15 08:43:45 2005 signatures 31.879
Status:
X-Antivirus: AVG for E-mail 7.0.308 [266.11.10]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0050_01C5599C.1DDB9FF0

Plain message without attachment:

X-Virus-Status: No
X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with ClamAV 0.85/879/Sun May 15 08:43:45 2005 signatures 31.879
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on Luke.wa9als.com
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.0.2
Status:
X-Antivirus: AVG for E-mail 7.0.308 [266.11.10]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; format=flowed; charset=iso-8859-1; reply-type=original

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.11.10 - Release Date: 5/13/2005
Re: Help mp3 attachment
On Sun, 2005-05-15 at 22:34 -0500, John Fleming wrote:
I run a very simple Postfix - Procmail - SpamAssassin - ClamAV setup that has been working great, but tonight I see something I don't understand.

I suspect that your procmail recipe doesn't scan files over a certain size. What does your .procmailrc file look like?

Thomas
Re: Help mp3 attachment
Hi, there is a default max size (250kb) to scan ... spammers usually don't send messages with big attachments.

Wolfgang Hamann

I run a very simple Postfix - Procmail - SpamAssassin - ClamAV setup that has been working great, but tonight I see something I don't understand. Look at the 2 examples below please. Both messages got virus-scanned. However, the message that includes an mp3 audio attachment appears not to have been spam-scanned at all, whereas a totally plain message does. Can anyone explain this? What attachment property would cause the message not to pass to spamd at all? Thanks - John

Plain message with 500K mp3 attachment:

X-Virus-Status: No
X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with ClamAV 0.85/879/Sun May 15 08:43:45 2005 signatures 31.879
Status:
X-Antivirus: AVG for E-mail 7.0.308 [266.11.10]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary==_NextPart_000_0050_01C5599C.1DDB9FF0

Plain message without attachment:

X-Virus-Status: No
X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with ClamAV 0.85/879/Sun May 15 08:43:45 2005 signatures 31.879
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on Luke.wa9als.com
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.0.2
Status:
X-Antivirus: AVG for E-mail 7.0.308 [266.11.10]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; format=flowed; charset=iso-8859-1; reply-type=original

--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.11.10 - Release Date: 5/13/2005
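The thread's two explanations (a size cutoff in the procmail recipe, or the scanner's default maximum size) point at the same audit a defender wants: which messages carried a virus-scanner verdict but never a spam verdict, and does size account for it? The script below is an added example, not anything from the thread. The header lines are taken from John's post; the bodies, the third message and the exact byte value used for "250kb" are constructed assumptions.

```python
from email import message_from_string

# Added example, not from the thread: find messages that were virus-scanned but
# never spam-scanned, and say whether the 250 kB cutoff Wolfgang mentions would
# explain it.  Headers come from John's post; bodies, the third message and the
# exact byte value of the limit are constructed assumptions.
SIZE_LIMIT = 250 * 1024  # assumed: "250kb" read as 250 KiB


def classify(raw):
    """Summarise one raw RFC 822 message for the audit."""
    msg = message_from_string(raw)
    size = len(raw.encode("latin-1"))
    return {
        "subject": msg.get("Subject", "(none)"),
        "size": size,
        "virus_scanned": "X-Virus-Status" in msg,   # header lookups are case-insensitive
        "spam_scanned": "X-Spam-Status" in msg,
        "oversize": size > SIZE_LIMIT,
    }


def audit(raw_messages):
    """Return the suspicious ones: virus-scanned, no spam verdict, with a reason."""
    findings = []
    for info in map(classify, raw_messages):
        if info["virus_scanned"] and not info["spam_scanned"]:
            info["reason"] = ("over size limit, skipped by design" if info["oversize"]
                              else "under size limit: check the procmail recipe")
            findings.append(info)
    return findings


# Headers shared by both of John's examples.
COMMON = ("X-Virus-Status: No\n"
          "X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 "
          "with ClamAV 0.85/879/Sun May 15 08:43:45 2005 signatures 31.879\n"
          "X-Antivirus: AVG for E-mail 7.0.308 [266.11.10]\n"
          "Mime-Version: 1.0\n")

# Constructed ~576 KB base64 filler standing in for the 500K mp3 attachment.
MP3_MSG = (COMMON + "Subject: with mp3\n"
           'Content-Type: multipart/mixed; boundary="constructed-boundary"\n\n'
           "--constructed-boundary\nContent-Type: text/plain\n\nsee attached\n"
           "--constructed-boundary\nContent-Type: audio/mpeg\n"
           "Content-Transfer-Encoding: base64\n\n"
           + ("QUJDRA==\n" * 64000)
           + "--constructed-boundary--\n")

PLAIN_MSG = (COMMON + "Subject: plain\n"
             "X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on Luke.wa9als.com\n"
             "X-Spam-Level: \n"
             "X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.0.2\n"
             "Content-Type: text/plain; format=flowed; charset=iso-8859-1\n\nhello\n")

# Constructed: small, virus-scanned, yet no spam verdict, so size cannot explain it.
SMALL_UNSCANNED = COMMON + "Subject: small but unscanned\nContent-Type: text/plain\n\nhi\n"

if __name__ == "__main__":
    for f in audit([MP3_MSG, PLAIN_MSG, SMALL_UNSCANNED]):
        print(f"{f['subject']!r}: {f['size']} bytes, {f['reason']}")
```

Pointing `audit()` at a Maildir or an mbox split into messages turns the one-off observation in this thread into a recurring check: oversize misses are the accepted cost of the limit, while small unscanned messages mean the delivery recipe is skipping spamc for some other reason.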
Re: Bombarded by German political spam
Raymond Dijkxhoorn wrote:
This is the complete list so far:

I am helping to manage a mailing list with mailman and the interface there is pretty restrictive and there is no spam filtering such as SA under it, so no SURBL either. Slightly off topic for the SA list. But I found in the interface [subscription rules], [spam filters], [spam filter rule], then paste these into the spam filter rule with a discard action. The list I have collected is slightly different than yours.

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: 60 Jahre Befreiung: Wer feiert mit?
Subject: Armenian Genocide Plagues Ankara 90 Years On
Subject: Auf Streife durch den Berliner Wedding
Subject: Augen auf
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: Blutige Selbstjustiz
Subject: Deutsche Buerger trauen sich nicht ...
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Dresden 1945
Subject: Dresden Bombing Is To Be Regretted Enormously
Subject: Du wirst ausspioniert !
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Gegen das Vergessen
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Ihre Anfrage an Amazon.de
Subject: Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
Subject: Multi-Kulturell = Multi-Kriminell
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: S.O.S. Kiez! Polizei schlaegt Alarm
Subject: Schily ueber Deutschland
Subject: The Whore Lived Like a German
Subject: Transparenz ist das Mindeste
Subject: Trotz Stellenabbau
Subject: Tuerkei in die EU
Subject: Turkish Tabloid Enrages Germany with Nazi Comparisons
Subject: Verbrechen der deutschen Frau
Subject: Volk wird nur zum zahlen gebraucht!
Subject: Vorbildliche Aktion

Bob

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: Tuerkei in die EU
Subject: Verbrechen der deutschen Frau
Subject: Vorbildliche Aktion
Subject: 60 Jahre Befreiung: Wer feiert mit?
Subject: Multi-Kulturell = Multi-Kriminell
Subject: Turkish Tabloid Enrages Germany with Nazi Comparisons
Subject: Blutige Selbstjustiz
Subject: Dresden 1945
Subject: Du wirst ausspioniert !
Subject: Armenian Genocide Plagues Ankara 90 Years On
Subject: Augen auf
Subject: Trotz Stellenabbau
Subject: Volk wird nur zum zahlen gebraucht!
Subject: Transparenz ist das Mindeste
Subject: The Whore Lived Like a German
Subject: Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
Subject: Schily ueber Deutschland
Subject: Deutsche Buerger trauen sich nicht ...
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: S.O.S. Kiez! Polizei schlaegt Alarm
Re: SpamAssassin BAYES_99 problem
JamesDR wrote:
George Breahna wrote:
I have a problem with a few of my users that have spanish usernames (this is the only difference I can think of).

Without seeing the entire message, I'd assume that a Jose sent you spam, that was learned as such. Learn these ham messages as such, and it should help some.

You can get some information from spamassassin by using the -tD options. Pipe the message into sa and then look at the bayes tokens.

| spamassassin -tD 2>&1 | $PAGER +/bayes

Bob
Re: Using 1st server Spamassassin score as starting value for 2nd server.
Loren Wilton wrote:
Any hints are graciously accepted and greatly appreciated.

You can't, so far as I know, do exactly what you want. However, you may be able to come close.

[snip]

Oh heck. I started the ruleset above, I just finished the thing. File attached. Note these rules are UNTESTED, and may not work as expected. They may not even lint for that matter. But they might be useful if they do work.

Gees I wanted some ideas but didn't expect anyone to do it for me! :) As I said I would graciously accept and greatly appreciate some hints. Thanks so much for getting me going on this ... it was way beyond my expectations. I will try these out as time allows and if I find problems I will repost them.

From the information given in your post I see I was not thinking in the spamassassin way. I am new to the rule writing part so I learned something. Your idea will do pretty much exactly what I want just not in the arithmetic way I was thinking.

Again thanks so much Loren!

-- Paul ([EMAIL PROTECTED])
Re: Problem with ALL_TRUSTED
Marcel Veldhuizen wrote:
* -2.8 ALL_TRUSTED Did not pass through any untrusted hosts
SpamAssassin thinks the mail comes directly from my host's mailserver, but it's overlooking a Received header. I think it's because of the X-Virus-Scan header in between. However I have no control over that particular header. Is the order of headers an RFC violation in some way, or is this a SA problem? A full example email is attached.

Thanks for posting the headers. It makes it much easier to see what is going on.

Try setting the trusted_networks to include your mail gateway and your mail scanner using localhost.

trusted_networks 127.0.0.1
trusted_networks 63.209.158.6

That will include the scanner address in the path.

Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Sun, 15 May 2005 23:10:18 +0200
Received: from localhost ([127.0.0.1] ident=root) by hellfire.egelantier.subbot.net with esmtp (Exim 4.50) id 1DXQNO-0005rW-55 for [EMAIL PROTECTED]; Sun, 15 May 2005 23:10:18 +0200

Your scanner address of 127.0.0.1.

Delivered-To: [EMAIL PROTECTED]
Received: from 63.209.158.6 [63.209.158.6] by localhost with POP3 (fetchmail-6.2.5) for [EMAIL PROTECTED] (single-drop); Sun, 15 May 2005 23:10:18 +0200 (CEST)

Your mail gateway address of 63.209.158.6. At least I assume this is your gateway because it was the next address after the scanner. But it confused me that there were no addresses after this.

Bob
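Whether ALL_TRUSTED fires comes down to walking the Received: chain from the newest hop downward and stopping at the first relay that is not inside trusted_networks, which is why the result swings on both the trust list and on every Received line actually being parsed. The code below is an added example and not SA's own implementation: it unfolds the two Received headers Marcel posted, extracts the relay addresses (handling both the Exim and the fetchmail POP3 line shapes), and runs the walk against the two trust lists discussed above. The parser, the IPv4-only regex, and the choice to treat an unparseable hop as untrusted are this example's assumptions.

```python
import ipaddress
import re

# Added example, not SA's code: walk the Received: chain top-down and stop at
# the first relay outside trusted_networks, which is the question ALL_TRUSTED
# answers.  The two Received lines are the ones Marcel posted; the parser and
# the policy for unparseable lines are this example's assumptions.

# "from host ([ip] ...)" as Exim writes it, and "from ip [ip] by ... POP3" as
# fetchmail writes it.  IPv4 only, which is all the posted headers contain.
RECEIVED_IP = re.compile(r"^from\s+\S+\s*\(?[^\[\n]*\[(\d{1,3}(?:\.\d{1,3}){3})\]",
                         re.IGNORECASE)


def unfold(raw_headers):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    out = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def received_relays(raw_headers):
    """Relay IPs from each Received: header, newest first; None where the line
    could not be parsed, so the caller sees the gap instead of a shorter chain."""
    relays = []
    for h in unfold(raw_headers):
        if h.lower().startswith("received:"):
            m = RECEIVED_IP.search(h[len("received:"):].strip())
            relays.append(m.group(1) if m else None)
    return relays


def trusted_walk(relays, trusted_networks):
    """Return (trusted_prefix, all_trusted).  The walk stops at the first relay
    that is not inside a trusted network; an unparseable hop is treated as
    untrusted here (a conservative assumption of this example)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    trusted = []
    for ip in relays:
        if ip is None or not any(ipaddress.ip_address(ip) in n for n in nets):
            return trusted, False
        trusted.append(ip)
    return trusted, True


# Marcel's two Received: headers, folded as a mail client would store them.
HEADERS = (
    "Received: from localhost ([127.0.0.1] ident=root)\n"
    "\tby hellfire.egelantier.subbot.net with esmtp (Exim 4.50)\n"
    "\tid 1DXQNO-0005rW-55 for [EMAIL PROTECTED]; Sun, 15 May 2005 23:10:18 +0200\n"
    "Delivered-To: [EMAIL PROTECTED]\n"
    "Received: from 63.209.158.6 [63.209.158.6]\n"
    "\tby localhost with POP3 (fetchmail-6.2.5)\n"
    "\tfor [EMAIL PROTECTED] (single-drop); Sun, 15 May 2005 23:10:18 +0200 (CEST)\n"
)

if __name__ == "__main__":
    relays = received_relays(HEADERS)
    print("relays:", relays)
    print("scanner only trusted:", trusted_walk(relays, ["127.0.0.1"]))
    print("scanner + gateway trusted:",
          trusted_walk(relays, ["127.0.0.1", "63.209.158.6"]))
```

With only 127.0.0.1 trusted the walk stops at the fetchmail hop and ALL_TRUSTED would not fire; with both addresses trusted every parsed relay is trusted and it would. The `None` entries are the part worth watching in a real deployment: a Received line the parser does not recognise is exactly how a trust decision ends up being made on a shorter chain than the one the message actually travelled.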