Re: SA + PostFix + Virtual final question for a while

2005-05-15 Thread hamann . w


 I don't expect I'll get a reply quick enough to help. It's been strongly
 suggested that I switch our mail server over to ANYTHING other than what we
 have before the weekend is out.
 
 I've been bouncing around the web and digging through documentation trying to
 figure out how to do SA + virus scanning in a virtual domain SQL environment
 with per-user prefs working.

Hi,

now that it is certainly too late :(
I am running qmail in a setup where incoming mail is just checked for viruses
(qmail-scanner) and then delivered to a cyrus mailstore. The shell script called
for delivery invokes SA and knows about the recipient, so it can pick up user
preferences from a sql database.
I had to develop a solution for the user name != system account problem, but the
latest cyrus release supports virtual hosting, and the mail accounts will be named
[EMAIL PROTECTED]

It is also up to the shell script to handle express delivery (/dev/null) or
similar things.

As an observation: the majority of users do NOT use the imap access, only the
pop3.
I once tried to convince an outlook user to switch but his reaction was: it
looks all different; cannot I have it the same way as before?

Wolfgang Hamann





Re: Re: Evading URI checks

2005-05-15 Thread Raymond Dijkxhoorn
Hi!
Go Here to Order Online: RxRealness.com

How would one go about adding checks for the omission of http:// ?

Only things that hit were: bayes, base64 raw and drugs_erctile by the way.

may be too resource intensive to check for every possible domain
that doesn't have a URI method.  Does this give spammers a way to
advertise their domains without detection?  Sure it does, but it
also means they can't use clickable links, which may decrease
their response rates.
X-Prolocation-MailScanner-SpamCheck: spam, SpamAssassin (score=11.019,
required 5, BAYES_00 -2.60, URIBL_AB_SURBL 0.42, URIBL_JP_SURBL 4.26,
URIBL_OB_SURBL 3.21, URIBL_SBL 4.26, URIBL_WS_SURBL 1.46)
Uhm, running the latest CVS version on SA, and it does tackle them.
Bye,
Raymond.


Re: Bombarded by German political spam

2005-05-15 Thread Raymond Dijkxhoorn
Hi!
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.
anybody else seeing this?
Actually it was to be expected. Remember the same German political spams 
one year ago? The European voting is coming up so I guess they do it 
again now.

Anyone has a full list of subjects yet, time to do some SA magic... ;)
Bye,
Raymond.


Re: Bombarded by German political spam

2005-05-15 Thread Loren Wilton
 Anyone has a full list of subjects yet, time to do some SA magic... ;)

I only have one, and you might be better off looking for the urls than the
subject:

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass

Lese selbst:
http://www.npd.de/npd_info/deutschland/2005/d0405-13.html

Neue Dokumente:
http://www.rp-online.de/public/article/nachrichten/politik/deutschland/87647

Botschafter in Kiew beschwerte sich noch 2004:
http://www.rp-online.de/public/article/nachrichten/politik/deutschland/85735

Traumziel Deutschland:
http://www.berlinonline.de/berliner-zeitung/archiv/.bin/dump.fcgi/2004/1221/politik/0009/index.html

Kanzler erleichtert Visaverfahren für Golfstaaten:
http://www.spiegel.de/spiegel/vorab/0,1518,349262,00.html

Ohne Deutsch nach Deutschland:
http://www.aufenthaltstitel.de/zuwg/0618.html

Vorbildliche Aktion:
http://www.npd.de/npd_info/deutschland/2004/d1204-24.html





Re: Bombarded by German political spam

2005-05-15 Thread hamann . w
  Anyone has a full list of subjects yet, time to do some SA magic... ;)
 
 I only have one, and you might be better off looking for the urls than the
 subject:
 
 Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
 
 Lese selbst:
 http://www.npd.de/npd_info/deutschland/2005/d0405-13.html
 
npd.de is a Nazi political party


 Kanzler erleichtert Visaverfahren für Golfstaaten:
 http://www.spiegel.de/spiegel/vorab/0,1518,349262,00.html
 
spiegel.de is a reputable news magazine

It would be quite unfair to block mails because of a spiegel reference

Wolfgang Hamann




Re: Bombarded by German political spam

2005-05-15 Thread Loren Wilton
 I only have one, and you might be better off looking for the urls than the
 subject:

Ok, now I have two.  Both from the same machine as it happens, although this
time it claims it is an AOL mail server.  Last time it was something else.
Yea, right.

Subject: Paranoider Deutschenmoerder kommt in Psychiatrie

Lese selbst:
http://brandenburg.rz.fhtw-berlin.de/poetschke.html



Re: Bombarded by German political spam

2005-05-15 Thread wolfgang
In an older episode (Sunday 15 May 2005 10:47), Raymond Dijkxhoorn wrote:

 Anyone has a full list of subjects yet, time to do some SA magic... ;)

I have quite a few, here is the subjects list:

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: Tuerkei in die EU
Subject: Verbrechen der deutschen Frau

regards,

wolfgang



Re: Bombarded by German political spam

2005-05-15 Thread wolfgang
In an older episode (Sunday 15 May 2005 11:55), wolfgang wrote:

oops, this one:

 Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA

is not part of them ;)

regards,

wolfgang



RE: Bombarded by German political spam

2005-05-15 Thread martin smith
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: 15 May 2005 10:46
 To: users@spamassassin.apache.org
 Cc: Loren Wilton
 Subject: Re: Bombarded by German political spam
 
 npd.de is a Nazi political party
 
 
  Kanzler erleichtert Visaverfahren für Golfstaaten:
  http://www.spiegel.de/spiegel/vorab/0,1518,349262,00.html
  
 spiegel.de is a reputable news magazine
 
 It would be quite unfair to block mails because of a spiegel reference
 
 Wolfgang Hamann
 

Well that depends on whether you normally get mails with German websites
referenced in the emails. Mine's just a personal email server, so I have put in a
rule to catch deutschland in the URL; if they carry on I may just put in one for
.de. Only 2 made it past spamassassin, but all were under the 15 score I need
to /dev/null them.



RE: Amusement value

2005-05-15 Thread Martin Lee
What an interesting spam !
Which suggests a novel test, search for more than one 'From' or 'Subject' 
header in an email. But how can I do this in SA ?
 
I know how to search the contents of  the From or Subject headers which SA 
makes available to me. But is it possible to write regexps to search the entire 
header section of an email ? A sort of headers-as_string method ?
 
Martin



From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Sun 15/05/2005 00:41
To: SpamAssassin Mailing List
Subject: Amusement value



Gee, I wonder what the subject could be?  Following is an actual spam header
I just got:

Return-Path: [EMAIL PROTECTED]
Status:  U
Received: from smtp.earthlink.net [209.86.93.211]
 by localhost with POP3 (fetchmail-6.2.5)
Received: from m6.stockmacro.com ([66.250.17.88])
 by tanager.mail.pas.earthlink.net (EarthLink SMTP Server) with ESMTP id
1dx62wuG3NZFmQ0
Received: from localhost (localhost.localdomain [127.0.0.1])
 by m6.stockmacro.com (Postfix) with SMTP id 7AD823EE65161
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-Cadenced: divulge braided pontific midas kickoff daughterly unprotected
porcelain lovejoy resolve derive floored malayize antibacterial designers
allow beaverton
Content-Type: multipart/alternative;
boundary==_3f35d615795e6eb759ba2e4fb2d6f144
MIME-Version: 1.0
X-M-a8e4: 1090:bHdpbHRvbkBlYXJ0aGxpbmsubmV0:wwztwulguvmq
Subject: Looking for Quality Christian Singles?
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Meet serious Christian Singles, just like you
From: Christian Dating [EMAIL PROTECTED]
Subject: Looking for Quality Christian Singles?
From: Christian Dating [EMAIL PROTECTED]
Subject: Meet serious Christian Singles, just like you
From: Christian Dating [EMAIL PROTECTED]
Subject: Looking for Quality Christian Singles?
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Looking for Quality Christian Singles?
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Meet serious Christian Singles, just like you
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Christian Dating [EMAIL PROTECTED]
Subject: Meet serious Christian Singles, just like you
From: Christian Dating [EMAIL PROTECTED]
Subject: Single? Meet other Christians
From: Where Christians Meet [EMAIL PROTECTED]
Subject: Looking for Quality Christian Singles?
From: Where Christians Meet [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Date: Sat, 14 May 2005 17:20:22 -0700 (PDT)
X-ELNK-AV: 0



__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
__





Re: Bombarded by German political spam

2005-05-15 Thread Roman Serbski
On 5/15/05, David B Funk [EMAIL PROTECTED] wrote:
 Tonight our site is being bombarded by German political spam or
 Joe-jobbed bounce fall-out. So far it appears to all be coming
 from trojaned PCs. Other than the specific URLs in the messages
 haven't found any easily identified parts to create rules for.
 
 anybody else seeing this?

Yes, we have already received six messages.

Subjects:

Gegen das Vergessen
Graeberschaendung auf bundesdeutsche Anordnung
Multi-Kulturell = Multi-Kriminell
The Whore Lived Like a German
Verbrechen der deutschen Frau
Volk wird nur zum zahlen gebraucht!

URLs inside:

http://www.die-kommenden.net/dk/zeitgeschichte/graeberschaendung.htm
http://www.npd.de/npd_info/meldungen/2005/m0105-19.html
http://service.spiegel.de/cache/international/0,1518,344374,00.html
http://www.jn-bw.de/texte/zeitgeschichte/verbrechen_der_frau.htm
http://www.my-rocknord.de/viewtopic.php?t=1018sid=3ce6385b1dee88cb02447f566a2da68d

Regards,
Roman


Re: Bombarded by German political spam

2005-05-15 Thread Raymond Dijkxhoorn
Hi!
Anyone has a full list of subjects yet, time to do some SA magic... ;)

I have quite a few, here is the subjects list:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: Tuerkei in die EU
Subject: Verbrechen der deutschen Frau
Two more:
Subject: Vorbildliche Aktion
Subject: 60 Jahre Befreiung: Wer feiert mit?
anyone care to make a small ruleset to score them up?
Bye,
Raymond.


Re: Bombarded by German political spam

2005-05-15 Thread wolfgang
In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
 Hi!
 
  Anyone has a full list of subjects yet, time to do some SA magic... ;)
 
  I have quite a few, here is the subjects list:
 
  Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
  Subject: Auf Streife durch den Berliner Wedding
  Subject: Auslaender bevorzugt
  Subject: Auslaenderpolitik
  Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
  Subject: Deutsche werden kuenftig beim Arzt abgezockt
  Subject: Du wirst zum Sklaven gemacht!!!
  Subject: Graeberschaendung auf bundesdeutsche Anordnung
  Subject: Hier sind wir Lehrer die einzigen Auslaender
  Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
  Subject: Tuerkei in die EU
  Subject: Verbrechen der deutschen Frau
 
 Two more:
 
 Subject: Vorbildliche Aktion
 Subject: 60 Jahre Befreiung: Wer feiert mit?

one more:
Subject: Augen auf

I noticed that the WS URIBL does by now recognize various of the URIs in those 
mails, and a rule like
# whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
urirhssub URIBL_RFCI_WHOIS  whois.rfc-ignorant.org. A   5
body URIBL_RFCI_WHOIS   eval:check_uridnsbl('URIBL_RFCI_WHOIS')
describe URIBL_RFCI_WHOIS   URL listed at rfc-ignorant.org (whois)
tflags URIBL_RFCI_WHOIS net
also works well here:

 1.0 URIBL_RFCI_WHOIS   URL listed at rfc-ignorant.org (whois)
[URIs: pro-koeln-online.de jungefreiheit.de]
[g-d-f.de bewaeltigen.de kopfmord.de]
[buergerbewegungen.de wk-institut.de]
[das-gibts-doch-nicht.de un-nachrichten.de]
[rocknord.de]

regards,

wolfgang


Re: Bombarded by German political spam

2005-05-15 Thread Raymond Dijkxhoorn
Hi!
I have quite a few, here is the subjects list:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
cut
This is the complete list so far:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: Tuerkei in die EU
Subject: Verbrechen der deutschen Frau
Subject: Vorbildliche Aktion
Subject: 60 Jahre Befreiung: Wer feiert mit?
Subject: Multi-Kulturell = Multi-Kriminell
Subject: Turkish Tabloid Enrages Germany with Nazi Comparisons
Subject: Blutige Selbstjustiz
Subject: Dresden 1945
Subject: Du wirst ausspioniert !
Subject: Armenian Genocide Plagues Ankara 90 Years On
Subject: Augen auf
Subject: Trotz Stellenabbau
Subject: Volk wird nur zum zahlen gebraucht!
Subject: Transparenz ist das Mindeste
Subject: The Whore Lived Like a German
Subject: Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
Subject: Schily ueber Deutschland
Subject: Deutsche Buerger trauen sich nicht ...
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: S.O.S. Kiez! Polizei schlaegt Alarm
Bye,
Raymond


Re: Bombarded by German political spam

2005-05-15 Thread Alex Broens
wolfgang wrote:
In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
Hi!

Anyone has a full list of subjects yet, time to do some SA magic... ;)

I have quite a few, here is the subjects list:
Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: Tuerkei in die EU
Subject: Verbrechen der deutschen Frau
Two more:
Subject: Vorbildliche Aktion
Subject: 60 Jahre Befreiung: Wer feiert mit?

one more:
Subject: Augen auf
I noticed that the WS URIBL does by now recognize various of the URIs in those 
mails, and a rule like
# whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
urirhssub URIBL_RFCI_WHOIS  whois.rfc-ignorant.org. A   5
body URIBL_RFCI_WHOIS   eval:check_uridnsbl('URIBL_RFCI_WHOIS')
describe URIBL_RFCI_WHOIS   URL listed at rfc-ignorant.org (whois)
tflags URIBL_RFCI_WHOIS net
also works well here:

 1.0 URIBL_RFCI_WHOIS   URL listed at rfc-ignorant.org (whois)
[URIs: pro-koeln-online.de jungefreiheit.de]
[g-d-f.de bewaeltigen.de kopfmord.de]
[buergerbewegungen.de wk-institut.de]
[das-gibts-doch-nicht.de un-nachrichten.de]
[rocknord.de]
And may cause LOTS of false positives as well
Sun 2005-05-15 13:42:18: *  1.0 URIBL_RFCI_WHOIS URL listed at 
rfc-ignorant.org (whois)
Sun 2005-05-15 13:42:18: *  [URIs: spiegel.de npd.de taz.de]

FP: spiegel.de  taz.de
Sun 2005-05-15 13:42:44: *  1.0 URIBL_RFCI_WHOIS URL listed at 
rfc-ignorant.org (whois)
Sun 2005-05-15 13:42:44: *  [URIs: libasoli.de zdf.de]

FP: zdf.de
h2h
Alex




Re: Bombarded by German political spam

2005-05-15 Thread Patrick von der Hagen
Raymond Dijkxhoorn wrote:
[...]
 This is the complete list so far:
[...]
Subject: Multi-Kulturell = Multi-Kriminell
--
CU,
   Patrick.


Re: Bombarded by German political spam

2005-05-15 Thread wolfgang
In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
 Hi!
 
  Anyone has a full list of subjects yet, time to do some SA magic... ;)
 
  I have quite a few, here is the subjects list:
 
  Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
  Subject: Auf Streife durch den Berliner Wedding
  Subject: Auslaender bevorzugt
  Subject: Auslaenderpolitik
  Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
  Subject: Deutsche werden kuenftig beim Arzt abgezockt
  Subject: Du wirst zum Sklaven gemacht!!!
  Subject: Graeberschaendung auf bundesdeutsche Anordnung
  Subject: Hier sind wir Lehrer die einzigen Auslaender
  Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
  Subject: Tuerkei in die EU
  Subject: Verbrechen der deutschen Frau
 
 Two more:
 
 Subject: Vorbildliche Aktion
 Subject: 60 Jahre Befreiung: Wer feiert mit?
 
 anyone care to make a small ruleset to score them up?

someone posted one at
http://www.file-upload.net/15.05.05/5_x4st.cf

it uses a score of 8 and /i - anyway, it might save you some effort ;)

cheers,

wolfgang


Re: Bombarded by German political spam

2005-05-15 Thread Raymond Dijkxhoorn
Hi!
Subject: Vorbildliche Aktion
Subject: 60 Jahre Befreiung: Wer feiert mit?
anyone care to make a small ruleset to score them up?
someone posted one at
http://www.file-upload.net/15.05.05/5_x4st.cf
it uses a score of 8 and /i - anyway, it might save you some effort ;)
Just finished my ruleset also... grin. The one there has 27 so it's missing 
5. I also don't understand why it used the meta tags in that one... It's 
combining nothing in fact... strange.

Bye,
Raymond.


Re: Bombarded by German political spam

2005-05-15 Thread Raymond Dijkxhoorn
Hi!
it uses a score of 8 and /i - anyway, it might save you some effort ;)

Just finished my ruleset also... grin. The one there has 27 so it's missing 5. 
I also don't understand why it used the meta tags in that one... It's 
combining nothing in fact... strange.
I put my one online also:
http://mailscanner.prolocation.net/german.cf
Its nothing fancy, but it works.
Have it online for like 15 minutes now:
[EMAIL PROTECTED] hosts]# grep GSPAM vmx*/current | wc -l
   1797
Almost 1800 hits.
Have fun,
Raymond.


RE: {SPAM} Drug SPAM problem..any fixes?

2005-05-15 Thread Chris Santerre


 -Original Message-
 From: martin smith [mailto:[EMAIL PROTECTED]
 Sent: Saturday, May 14, 2005 12:43 PM
 To: Spamassassin
 Subject: RE: {SPAM} Drug SPAM problem..any fixes?
 
 
  -Original Message-
  From: Matt Kettler [mailto:[EMAIL PROTECTED] 
  Sent: 14 May 2005 18:37
  To: Dan Simmons
  Cc: users@spamassassin.apache.org
  Subject: Re: {SPAM} Drug SPAM problem..any fixes?
 
  Dan Simmons wrote:
   Hi All,
   
   I am having an issue with the following DRUG related spam.  Does 
   anyone have any rules to catch this?
   
   Environment: SA 3.0.2 with network tests and the following 
   SARE rule sets:
  snip
   X-SA-SysThreshold: 6.0
     0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with 
   1600-2000 bytes of words
     0.1 HTML_40_50 BODY: Message is 40% to 50% HTML
     0.0 HTML_MESSAGE BODY: HTML included in message
   
 
  For your message I got the following (SA 2.64 with Mail::SpamCopURI)
 
  SpamAssassin (score=7.908, required 5,  AB_URI_RBL 1.00, BAYES_00 -4.90,
  BLACK_URI_RBL 2.00, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51,
  INFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL 2.10,
  SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10)
 
  Most of that is URI blacklists from surbl (supported by SA 3.x by
  default), as well as uribl.com (not supported in default config but I
  added it by hand)
 
 Trouble with the SURBL is that you can receive a lot of these spams
 before they get listed; they also seem to change domain name twice a day or
 more to keep ahead of the listing. That's why I wanted something to block
 them if they don't hit any black lists.

URIBL.com is currently testing some ideas to get them listed before they are
even used. Needs more time to test. Kind of tricky to nail down ;)

--Chris 


Re: Amusement value

2005-05-15 Thread wolfgang
In an older episode (Sunday 15 May 2005 12:24), Martin Lee wrote:

 I know how to search the contents of  the From or Subject headers which SA 
 makes available to me. But is it possible to write regexps to search the 
 entire header section of an email ? A sort of headers-as_string method ?  

http://wiki.apache.org/spamassassin/WritingRules
mentions
header LOCAL_DEMONSTRATION_ALL  ALL =~

cheers,

wolfgang
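The check Martin asked about, as an added example that is not from the thread or from SpamAssassin itself: count Subject/From occurrences over the whole unfolded header block, and express the same test as one multi-line regex of the kind that would go in a rule on the ALL pseudo-header. The sample header block is an abridged, constructed copy of the one Loren quoted (placeholder addresses), and the rule form in the comment is an assumption, not a tested SA rule.

```python
import re
from collections import Counter

# Constructed sample, abridged from the multi-Subject/From spam header quoted
# earlier in the thread; the addresses are placeholders, not the original ones.
DUPLICATED_HEADERS = (
    "Return-Path: <sender@example.invalid>\n"
    "Received: from localhost (localhost.localdomain [127.0.0.1])\n"
    "\tby m6.stockmacro.com (Postfix) with SMTP id 7AD823EE65161\n"
    "Content-Type: multipart/alternative;\n"
    "\tboundary==_3f35d615795e6eb759ba2e4fb2d6f144\n"
    "MIME-Version: 1.0\n"
    "Subject: Looking for Quality Christian Singles?\n"
    "From: Where Christians Meet <sender@example.invalid>\n"
    "Subject: Meet serious Christian Singles, just like you\n"
    "From: Christian Dating <sender@example.invalid>\n"
    "Subject: Single? Meet other Christians\n"
    "From: Where Christians Meet <sender@example.invalid>\n"
    "Message-Id: <msg-1@example.invalid>\n"
    "Date: Sat, 14 May 2005 17:20:22 -0700 (PDT)\n"
)

# Constructed ordinary header block with one Subject and one From. The folded
# Subject continuation line must not be mistaken for a second Subject header.
NORMAL_HEADERS = (
    "Return-Path: <alice@example.invalid>\n"
    "From: Alice <alice@example.invalid>\n"
    "To: Bob <bob@example.invalid>\n"
    "Subject: Re: Amusement value,\n"
    "\tcontinued on a folded line\n"
    "Date: Sun, 15 May 2005 00:41:00 +0100\n"
)


def unfold(raw_headers: str) -> str:
    """Join RFC 2822 folded continuation lines (newline + whitespace) onto the
    header line they belong to, so that every line starts with a header name."""
    return re.sub(r"\r?\n[ \t]+", " ", raw_headers)


def header_counts(raw_headers: str) -> Counter:
    """Count how often each header name occurs in the unfolded header block;
    names are compared case-insensitively, as mail headers are."""
    counts: Counter = Counter()
    for line in unfold(raw_headers).splitlines():
        name, sep, _ = line.partition(":")
        if sep and name and " " not in name:
            counts[name.strip().lower()] += 1
    return counts


def repeated_headers(raw_headers: str, names=("subject", "from")) -> dict:
    """Return {name: count} for the watched headers that appear more than once."""
    counts = header_counts(raw_headers)
    return {n: counts[n] for n in names if counts[n] > 1}


# The same test as one multi-line regex over the whole header block, which is the
# shape a rule on the ALL pseudo-header takes. Assumed (untested) rule form:
#   header LOCAL_DUP_SUBJECT  ALL =~ /^Subject:.*\n(?:.*\n)*?Subject:/m
DUP_SUBJECT_RE = re.compile(r"^Subject:.*\n(?:.*\n)*?Subject:", re.MULTILINE)


def dup_subject_rule_hits(raw_headers: str) -> bool:
    """Emulate the ALL-header regex rule; unfold first so a continuation line
    can never start a spurious 'Subject:' match."""
    return DUP_SUBJECT_RE.search(unfold(raw_headers)) is not None
```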


Re: Bombarded by German political spam

2005-05-15 Thread Bart Schaefer
On 5/15/05, Raymond Dijkxhoorn [EMAIL PROTECTED] wrote:
 
 http://mailscanner.prolocation.net/german.cf

You've got a bit of duplication in there (rules 02 and 22 are the
same, as are 04 and 26).


Re: Bombarded by German political spam

2005-05-15 Thread Raymond Dijkxhoorn
Hi!
http://mailscanner.prolocation.net/german.cf

You've got a bit of duplication in there (rules 02 and 22 are the
same, as are 04 and 26).
I'll clean them, thanks! v0.2 there in a few :)
Bye,
Raymond.



Strange SA report maths.

2005-05-15 Thread Craig McLean
Hi all,
Using SA 3.0.3 on FreeBSD, I noticed the following interesting maths in
the report from a message received a moment ago:
-quote-
Content analysis details:   (4.1 points, 4.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 NO_REAL_NAME           From: does not include a real name
 0.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
 0.1 HTML_COMMENT_SAVED_URL BODY: HTML message is a saved web page
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 HTML_FONT_BIG          BODY: HTML tag for a big font size
 0.0 MIME_QP_LONG_LINE      RAW: Quoted-printable line longer than 76 chars
-quote-
(Full headers below.)
Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?
Kind Regards,
Craig.
-original headers-
Return-Path: [EMAIL PROTECTED]
Received: from mta126.mail.ukl.yahoo.com (mta126.mail.ukl.yahoo.com
[217.12.11.75])
by craig.dnsalias.com (8.12.10/8.12.10) with SMTP id j4FFYBIW010078
for [EMAIL PROTECTED]; Sun, 15 May 2005 16:34:14 +0100 (BST)
(envelope-from [EMAIL PROTECTED])
X-Yahoo-Forwarded: from [EMAIL PROTECTED] to [EMAIL PROTECTED]
X-Rocket-Track: 0: 100 ; IPCR=n-w0,n100,g0 ; IP=212.43.206.16 ;
SERVER=217.12.12.165
Authentication-Results: mta126.mail.ukl.yahoo.com
  from=freesurf.fr; domainkeys=neutral (no sig)
X-Originating-IP: [212.43.206.16]
Received: from 212.43.206.16  (EHLO fidel.freesurf.fr) (212.43.206.16)
  by mta126.mail.ukl.yahoo.com with SMTP; Sun, 15 May 2005 15:33:43 +
Received: from acps-77b8dgiwqw (du-204-236.nat.dialup.freesurf.fr
[212.43.204.236])
by fidel.freesurf.fr (Postfix) with SMTP id 326832A7CBA;
Sun, 15 May 2005 17:33:36 +0200 (CEST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: **SPAM (4.1)** International Cd e-mail adress
Date: Sun, 15 may 2005 16:49:36 +0200
Importance: normal
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_42876BF9.E8A0075B
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Status: Yes, score=4.1 required=4.0 tests=BAYES_99,
HTML_COMMENT_SAVED_URL,HTML_FONT_BIG,HTML_MESSAGE,INVALID_DATE,
MIME_QP_LONG_LINE,NO_REAL_NAME autolearn=no version=3.0.3
X-Spam-Report:
*  0.0 NO_REAL_NAME From: does not include a real name
*  0.2 INVALID_DATE Invalid Date: header (not RFC 2822)
*  0.1 HTML_COMMENT_SAVED_URL BODY: HTML message is a saved web page
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.1 HTML_FONT_BIG BODY: HTML tag for a big font size
*  0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on mail.vega
X-Virus-Scanned: ClamAV devel-20050513/879/Sun May 15 14:43:45 2005 on
vega-mail.vega
X-Virus-Status: Clean
This is a multi-part message in MIME format.


Re: Bombarded by German political spam

2005-05-15 Thread Steven Stern
David B Funk wrote:
Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.
anybody else seeing this?
Lots and lots.  Around 10AM CDT, it seems that the various RBL and URI 
rules are starting to kick in, but some are still leaking through with 
low scores.

I received about 500 on the webmaster account.
Now we know what sober was all about.
--
   Steve


Re: Strange SA report maths.

2005-05-15 Thread Loren Wilton
 Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?

Rounding.  See the wiki.

Loren



Re: Strange SA report maths.

2005-05-15 Thread Craig McLean
Loren Wilton wrote:
|Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?
|
|
| Rounding.  See the wiki.
|
Can you be more specific? A search of wiki.apache.org/spamassassin shows
2 pages containing rounding:
StatusRounding - orphaned.
RoundingIssues - this is not the issue I'm talking about, and in any
case was fixed in 3.0.
Yours in confusion,
Craig.


Re: Bombarded by German political spam

2005-05-15 Thread Chr. von Stuckrad
On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
 I received about 500 on the webmaster account.
 
 Now we know what sober was all about.

I see *no* connection to any Virus or Trojan!

I got about 200 of them into a few accounts and
seemingly I'm receiving more every few minutes.

BUT I do *not* think it is more than 'Propaganda'!
It mostly is just one URL of a genuine Article
of a german Newspaper (only the 'collection' of
Articles and tendency of subject making it 'political').

No attachments seem to be sent and our Mail-filter would
have 'eaten' anyway all the current Sober-Viruses/Variants.
(I'm pretty sure about that, I'm its admin)

Stucki (postmaster at math/inf/mi.fu-berlin.de)

-- 
Christoph von Stuckrad  * * |nickname |[EMAIL PROTECTED]  \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(days):+49 30 838-75 459|
Mathematik  Informatik EDV |\ *|if online|Tel(else):+49 30 77 39 6600|
Arnimallee 2-6/14195 Berlin * * |on IRCnet|Fax(alle):+49 30 838-75454/


Re: Bombarded by German political spam

2005-05-15 Thread Niek
On 5/15/2005 6:19 PM +0200, Chr. von Stuckrad wrote:
Now we know what sober was all about.

I see *no* connection to any Virus or Trojan!
Oh, there is a connection. Just like last year's sober.g and a German
extremist spamrun.
This spamrun was caused by sober.q which was downloaded by sober.p
Niek


Re: Bombarded by German political spam

2005-05-15 Thread Adam Osterholt


I think the connection is that the infected machines are sending out this political spam and not that they are sending the actual virus.

Adam

"Chr. von Stuckrad" [EMAIL PROTECTED] 05/15/2005 12:19:39 
 On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
  I received about 500 on the webmaster account.
  
  Now we know what "sober" was all about.
 
 I see *no* connection to any Virus or Trojan!
 
 I got about 200 of them into a few accounts and
 seemingly I'm receiving more every few minutes.
 
 BUT I do *not* think it is more than 'Propaganda'!
 It mostly is just one URL of a genuine Article
 of a german Newspaper (only the 'collection' of
 Articles and tendency of subject making it 'political').
 
 No attachments seem to be sent and our Mail-filter would
 have 'eaten' anyway all the current Sober-Viruses/Variants.
 (I'm pretty sure about that, I'm its admin)
 
 Stucki (postmaster at math/inf/mi.fu-berlin.de)
 
 -- 
 Christoph von Stuckrad  * * |nickname |[EMAIL PROTECTED]  \
 Freie Universitaet Berlin   |/_*|'stucki' |Tel(days):+49 30 838-75 459|
 Mathematik  Informatik EDV |\ *|if online|Tel(else):+49 30 77 39 6600|
 Arnimallee 2-6/14195 Berlin * * |on IRCnet|Fax(alle):+49 30 838-75454/


Re: Bombarded by German political spam

2005-05-15 Thread Niek
On 5/15/2005 6:19 PM +0200, Chr. von Stuckrad wrote:
Now we know what sober was all about.

I see *no* connection to any Virus or Trojan!
Also see:
http://isc.sans.org/
http://www.viruslist.com/en/weblog
Niek


Re: Bombarded by German political spam

2005-05-15 Thread Gerald V. Livingston II
On Sun, 15 May 2005 18:19:39 +0200 Chr. von Stuckrad wrote:

 On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
  I received about 500 on the webmaster account.
  
  Now we know what sober was all about.
 
 I see *no* connection to any Virus or Trojan!

[SNIP...]

 No attachments seem to be sent and our Mail-filter would
 have 'eaten' anyway all the current Sober-Viruses/Variants.
 (I'm pretty sure about that, I'm its admin)


He didn't mean the messages CONTAIN a virus/trojan.

Over the last 2 weeks a new sober worm variant was released and infected
tens of thousands of clueless Windows user machines.

The current wave of political spam is being sent out through those infected
machines.

DREAMING
It would be really nice if all the ISPs of the world would get together and
create a comprehensive database of all residential IP address pools
maintained in dnsbl fashion. Something the owner of an IP block could add to
or remove from (with encrypted pass protection) *easily* when IP's are
reassigned. Blocking direct, unauthenticated, SMTP transactions from
addresses on that list would stop 90% of virus transmission and a large chunk
of spam as well.
/DREAMING

Gerald



Re: Bombarded by German political spam

2005-05-15 Thread List Mail User
...

wolfgang wrote:
 In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
 
Hi!


Anyone has a full list of subjects yet, time to do some SA magic... ;)

I have quite a few, here is the subjects list:

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: Tuerkei in die EU
Subject: Verbrechen der deutschen Frau

Two more:

Subject: Vorbildliche Aktion
Subject: 60 Jahre Befreiung: Wer feiert mit?
 
 
 one more:
 Subject: Augen auf
 
 I noticed that the WS URIBL does by now recognize various of the URIs in those mails, and a rule like
 # whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
 urirhssub URIBL_RFCI_WHOIS  whois.rfc-ignorant.org. A   5
 body URIBL_RFCI_WHOIS   eval:check_uridnsbl('URIBL_RFCI_WHOIS')
 describe URIBL_RFCI_WHOIS   URL listed at rfc-ignorant.org (whois)
 tflags URIBL_RFCI_WHOIS net
 also works well here:
 
  1.0 URIBL_RFCI_WHOIS   URL listed at rfc-ignorant.org (whois)
 [URIs: pro-koeln-online.de jungefreiheit.de]
 [g-d-f.de bewaeltigen.de kopfmord.de]
 [buergerbewegungen.de wk-institut.de]
 [das-gibts-doch-nicht.de un-nachrichten.de]
 [rocknord.de]
 

And may cause LOTS of false positives as well

Sun 2005-05-15 13:42:18: *  1.0 URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
Sun 2005-05-15 13:42:18: *  [URIs: spiegel.de npd.de taz.de]

FP: spiegel.de  taz.de

Sun 2005-05-15 13:42:44: *  1.0 URIBL_RFCI_WHOIS URL listed at rfc-ignorant.org (whois)
Sun 2005-05-15 13:42:44: *  [URIs: libasoli.de zdf.de]

FP: zdf.de

h2h

Alex


Basically, this rule is incorrectly written.  Unlike SURBLs or URIBL,
RFCI does not use bit masks, but multiple full addresses - so trying to use a
bitmask (5 in this case) will also match the hits for 127.0.0.7, which is the
code for RFC non-compliant TLDs, of which .de is one.  Put simply, the rule
above will match all .de domains, which probably is not desired.  Using a
rule like

urirhssub URIBL_RFCI_WHOIS  whois.rfc-ignorant.org. A   127.0.0.5

will probably give results closer to what is desired (i.e. matches SLDs with
invalid whois).  So, yes, the OP's rule *will* give far too many FPs, but when
written correctly, it will/should still filter out many/most of the Nazi party
sites.

Paul Shupak
[EMAIL PROTECTED]

P.S. .de is interesting in that the Whois server does contain and will return
the desired data, but the method of access is (AFAIK) only documented in
the rfci entry for .de's TLD invalidity (i.e. a bunch of undocumented flags
which can be passed using telnet).  Most 127.0.0.7 entries are for TLDs which
are RFC non-compliant, and a different code is used just so you can prevent
marking every .de domain (last week someone else mentioned .co.uk, but
that Whois server got fixed and removed from listing quite a while ago). As
another example, the OP's version of the rule will block all .pl domains
also, probably not good either (and a bunch of other TLDs), but most American
individual users won't notice the problems unless they happen to regularly
communicate with people in foreign countries (.se is one that would hurt
me - though .de is probably the most significant - many third world
country codes also have 127.0.0.7 codes for the TLDs, ex. .tv).
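To make the bitmask-versus-address distinction above concrete, here is an added Python simulation of how a urirhssub subtest is applied to the A records a URIBL zone returns, including the uridnsbl_skip_domain whitelisting the thread turns to later. It is not SpamAssassin's own code; the zone answers, the RFCI return-code table and the domain list are constructed for the example, and libasoli.de carrying the 127.0.0.5 code is an assumption.

```python
"""Added illustration of how a SpamAssassin urirhssub subtest is applied.

Not SpamAssassin's own code: the zone answers, the RFCI return-code table
and the domain list below are constructed for this example.
"""
from fnmatch import fnmatch
import ipaddress

# Constructed table of whois.rfc-ignorant.org return codes, following the
# thread: 127.0.0.5 = the SLD's own whois data is invalid, 127.0.0.7 = the
# TLD's whois server is RFC non-compliant (.de, .pl, .tv, ...).
RFCI_CODES = {
    "127.0.0.5": "SLD has invalid whois data",
    "127.0.0.7": "TLD whois server is RFC non-compliant",
}

# Constructed A-record answers standing in for live DNS lookups.  The .de
# news sites only carry the TLD code; libasoli.de (assumed for the example)
# also carries the SLD code.
FAKE_ZONE = {
    "spiegel.de": ["127.0.0.7"],
    "zdf.de": ["127.0.0.7"],
    "libasoli.de": ["127.0.0.7", "127.0.0.5"],
    "example.com": [],
}


def subtest_matches(subtest, answer):
    """Apply one urirhssub subtest to one returned A record.

    A bare number is a bitmask ANDed against the last octet of the answer;
    a dotted quad must equal the whole answer.  This is the distinction
    Paul's reply draws: '5' (binary 101) also matches 127.0.0.7 (binary 111),
    '127.0.0.5' does not.
    """
    if subtest.isdigit():
        last_octet = int(ipaddress.IPv4Address(answer)) & 0xFF
        return (last_octet & int(subtest)) != 0
    return ipaddress.IPv4Address(subtest) == ipaddress.IPv4Address(answer)


def is_skipped(domain, skip_domains):
    """uridnsbl_skip_domain semantics: '*.example.de' matches subdomains
    only and 'example.de' matches the bare domain, so both lines are needed."""
    return any(fnmatch(domain, pattern) for pattern in skip_domains)


def rule_hits(subtest, domains, skip_domains=(), zone=FAKE_ZONE):
    """Return the domains that would make the rule fire, in input order."""
    hits = []
    for domain in domains:
        if is_skipped(domain, skip_domains):
            continue                      # whitelisted: no lookup at all
        answers = zone.get(domain, [])    # stand-in for the DNS query
        if any(subtest_matches(subtest, a) for a in answers):
            hits.append(domain)
    return hits


def explain(domain, zone=FAKE_ZONE):
    """Human-readable reason(s) a domain is listed, for reviewing FPs."""
    return [RFCI_CODES.get(a, "unknown code " + a) for a in zone.get(domain, [])]


if __name__ == "__main__":
    uris = ["spiegel.de", "zdf.de", "libasoli.de", "example.com"]
    print("bitmask 5      :", rule_hits("5", uris))          # every .de domain
    print("exact 127.0.0.5:", rule_hits("127.0.0.5", uris))  # only libasoli.de
    print("with skip list :", rule_hits("5", uris, ["*.spiegel.de", "spiegel.de"]))
    for d in uris:
        print(d, "->", explain(d))
```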


Re: Bombarded by German political spam

2005-05-15 Thread wolfgang
In an older episode (Sunday 15 May 2005 18:51), List Mail User wrote:
  # whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
  urirhssub URIBL_RFCI_WHOIS  whois.rfc-ignorant.org. A   5
  body URIBL_RFCI_WHOIS   eval:check_uridnsbl('URIBL_RFCI_WHOIS')
  describe URIBL_RFCI_WHOIS   URL listed at rfc-ignorant.org (whois)
  tflags URIBL_RFCI_WHOIS net

  Basically, this rule is incorrectly written.  Unlike SURBLs or URIBL,
 RFCI does not use bit masks, but multiple full addresses - so trying to use a
 bitmask (5 in this case) will also match the hits for 127.0.0.7 which is the
 code for RFC non-compliant TLDs, of which .de is one.  Put simply the rule
 above will match all .de domains, which probably is not desired.  Using a
 rule like
 
 urirhssub URIBL_RFCI_WHOIS  whois.rfc-ignorant.org. A   127.0.0.5
 
 will probably give results closer to what is desired (i.e. matches SLDs with
 invalid whois).  So, yes the OP's rule *will* give far too many FPs, but when
 written correctly, it will/should still filter out many/most of the Nazi party
 sites.

thanks for pointing that out, Paul!
i got that rule from this list, from a reply to a message of yours :)

so it goes ...

regards,

wolfgang
In an older episode (Saturday 14 May 2005 20:20), Rob Skedgell wrote:
 Subject: Re: Drug SPAM problem..any fixes?
 On Saturday 14 May 2005 18:30, List Mail User wrote:
 [...]
 
   Just to keep up; aeroseddicc. com is another multitrade group
  domain. Note the contact email of [EMAIL PROTECTED] com - same as
  for the domain multitrade-corp. com, and the telephone/fax numbers
  match those of the domain sheenier. net.  And, of course the name
  servers' domain of aicstrungcb. biz is multitrade also.  Oh, yes,
  they also seem to have control of mail333. com.
 
   With enough pressure, they will run out of registrars, or be forced
  to use the Chinese ones.
 
 Just to add to that, mail333.com addresses are used in the registration 
 of quite a lot of spamvertized domains - see 
 
http://groups.google.co.uk/groups?q=group:news.admin.net-abuse.*+mail333.comstart=0scoring=d;
 
 mail333.com itself is in whois.rfc-ignorant.org, as are most (all?) of 
 the related domains, and I'm getting promising results using that 
 blacklist as a URIbl:
 
 # whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
 urirhssub URIBL_RFCI_WHOIS whois.rfc-ignorant.org. A   5
 body URIBL_RFCI_WHOIS  eval:check_uridnsbl('URIBL_RFCI_WHOIS')
 describe URIBL_RFCI_WHOIS  Contains an URL listed in RFCI whois
 tflags URIBL_RFCI_WHOIS net
 score URIBL_RFCI_WHOIS 2.0



Re: Strange SA report maths.

2005-05-15 Thread Theodore Heise


On Sun, 15 May 2005, Craig McLean wrote:


 Loren Wilton wrote:
 |Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?
 |
 | Rounding.  See the wiki.

 Can you be more specific? A search of wiki.apache.org/spamassassin shows
 2 pages containing rounding:
 StatusRounding - orphaned.
 RoundingIssues - this is not the issue I'm talking about, and in any
 case was fixed in 3.0.

I don't know what the wiki says, but here's my guess.  The scores applied
are actually three digits after the decimal.  In the header report
they are rounded off.  Suppose the exact scores in the example you
gave are 3.544 + 0.231 + 0.142 + 0.145.  These add up to 4.062,
which rounds to 4.1.

-- 
Theodore (Ted) Heise [EMAIL PROTECTED] Bloomington, IN, USA



SpamAssassin BAYES_99 problem

2005-05-15 Thread George Breahna
I have a problem with a few of my users that have spanish usernames (this
is the only difference I can think of).

In any case, here's the problem:

Sending a mail to [EMAIL PROTECTED] generates a score of 0.1 and thus no
problems:

The performed tests are the following:

  0.0 HTML_MESSAGE   BODY: HTML included in message
  0.1 HTML_50_60 BODY: Message is 50% to 60% HTML

When sending the same, same message to: [EMAIL PROTECTED], I get this:

  0.0 HTML_MESSAGE   BODY: HTML included in message
  9.0 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
 [score: 1.]
  0.1 HTML_50_60 BODY: Message is 50% to 60% HTML


What gives? What triggers the Bayesian system to assign 99% spam
probability to the same message but to a different username?

Any clue is appreciated!



Re: Bombarded by German political spam

2005-05-15 Thread hamann . w
  Tonight our site is being bombarded by German political spam or
  Joe-jobbed bounce fall-out. So far it appears to all be coming
  from trojaned PCs. Other than the specific URLs in the messages
  haven't found any easily identified parts to create rules for.
  
  anybody else seeing this?
  
 
 Lots and lots.  Around 10AM CDT, it seems that the various RBL and URI 
 rules are starting to kick in, but some is still leaking through as with 
low scores.
 

Comment from a German user:
the mails are promoting political opinions commonly attributed to the NPD, a legal political party
(why it is legal remains partly at the discretion of supreme court judges)
None of the subjects they use would be expected in personal email communication - it is all
newspaper headlines and smells like that, so filtering on the subject lines should be safe
Some of the uris found point at quite reputable sources that are not related to the spam at all,
others basically just send out the same message as the spam all the time

It is like an ad campaign quoting an article in Time magazine because it could be interpreted
as supporting their ideas - would you want the paper to be blacklisted?

If some sites on the list happen to have invalid registrations, then it is probably their fault 

Wolfgang Hamann






Re: Strange SA report maths.

2005-05-15 Thread Craig McLean
Theodore Heise wrote:
|
| On Sun, 15 May 2005, Craig McLean wrote:
|
|
|
|Loren Wilton wrote:
||Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?
||
|| Rounding.  See the wiki.
|
|Can you be more specific? A search of wiki.apache.org/spamassassin shows
|2 pages containing rounding:
|StatusRounding - orphaned.
|RoundingIssues - this is not the issue I'm talking about, and in any
|case was fixed in 3.0.
|
|
| I don't know what the wiki says, but here's my guess.  The scores applied
| are actually three digits after the decimal.  In the header report
| they are rounded off.  Suppose the exact scores in the example you
| gave are 3.544 + 0.231 + 0.142 + 0.145.  These add up to 4.062,
| which rounds to 4.1.
|
Yeah, that could well be it. I'll look at the scores in the .cf files
and see what gives..
Thanks!
Craig.


Don't see BAYES in headers

2005-05-15 Thread Евгений Ширинкин
I'm using SpamAssassin 3.0.3  with amavisd and mysql.
I've learned it for 900 ham messages and 1000 spam messages this way for 
each user:

/usr/local/bin/sa-learn -u [EMAIL PROTECTED] --ham 
/home/cyrus/spool/domain/domain.ru/user/igor/NoSpam

/usr/local/bin/sa-learn -u [EMAIL PROTECTED] --spam 
/home/cyrus/spool/domain/domain.ru/user/igor/IsSpam

The problem is that SpamAssassin doesn't use BAYES tests when checking 
messages, i.e. I don't see BAYES_XX in the tests section of the message headers.

Here is my config:
use_dcc 0
use_pyzor 0
use_razor2 0
skip_rbl_checks 1
use_bayes 1
use_bayes_rules 1
bayes_path /usr/local/spamassassin/bayes
report_safe 0
dns_available no
bayes_store_module   Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn   DBI:mysql:spamdb:localhost
bayes_sql_username   postfix
bayes_sql_password   
user_scores_dsn DBI:mysql:spamdb:localhost
user_scores_sql_usernamedb  postfix
user_scores_sql_passworddb  
bayes_auto_learn 0
bayes_ignore_header X-Virus-Scanned
bayes_ignore_header X-Amavis-Alert
bayes_ignore_header X-Sieve
Maybe I forgot something?


Re: SpamAssassin BAYES_99 problem

2005-05-15 Thread JamesDR
George Breahna wrote:
I have a problem with a few of my users that have spanish usernames ( this
is the only difference I can think of )
In any case, here's the problem:
Sending a mail to [EMAIL PROTECTED] generates a score of 0.1 and thus no
problems:
The performed tests are the following:
  0.0 HTML_MESSAGE   BODY: HTML included in message
  0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
When sending the same, same message to: [EMAIL PROTECTED], I get this:
  0.0 HTML_MESSAGE   BODY: HTML included in message
  9.0 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
 [score: 1.]
  0.1 HTML_50_60 BODY: Message is 50% to 60% HTML
What gives? What triggers the Bayesian system to assign 99% spam
probability to the same message but to a different username?
Any clue is appreciated!

Without seeing the entire message, I'd assume that a Jose sent you 
spam, that was learned as such. Learn these ham messages as such, and it 
should help some.

YMMV
--
Thanks,
JamesDR




Re: Bombarded by German political spam

2005-05-15 Thread JamesDR
Gerald V. Livingston II wrote:
On Sun, 15 May 2005 18:19:39 +0200 Chr. von Stuckrad wrote:

On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
I received about 500 on the webmaster account.
Now we know what sober was all about.
I see *no* connection to any Virus or Trojan!

[SNIP...]

No attachments seem to be sent and our Mail-filter would
have 'eaten' anyway all the current Sober-Viruses/Variants.
(I'm pretty sure about that, I'm its admin)

He didn't mean the messages CONTAIN a virus/trojan.
Over the last 2 weeks a new sober worm variant was released and infected
tens of thousands of clueless Windows user machines.
The current wave of political spam is being sent out through those infected
machines.
DREAMING
It would be really nice if all the ISPs of the world would get together and
create a comprehensive database of all residential IP address pools
maintained in dnsbl fashion. Something the owner of an IP block could add to
or remove from (with encrypted pass protection) *easily* when IPs are
reassigned. Blocking direct, unauthenticated, SMTP transactions from
addresses on that list would stop 90% of virus transmission and a large chunk
of spam as well.
/DREAMING
Gerald

Many already do... I know mine does, along with the local cable co. (I'm 
on dsl)

--
Thanks,
JamesDR




Re: Strange SA report maths.

2005-05-15 Thread Craig McLean
Craig McLean wrote:
| Theodore Heise wrote:
| |
| | On Sun, 15 May 2005, Craig McLean wrote:
| |
| |
| |
| |Loren Wilton wrote:
| ||Now correct me if I'm wrong, but 3.5 + 0.2 + 0.1 + 0.1 is not 4.1 ?
| ||
| || Rounding.  See the wiki.
| |
| |Can you be more specific? A search of wiki.apache.org/spamassassin shows
| |2 pages containing rounding:
| |StatusRounding - orphaned.
| |RoundingIssues - this is not the issue I'm talking about, and in any
| |case was fixed in 3.0.
| |
| |
| | I don't know what the wiki says, but here's my guess.  The scores applied
| | are actually three digits after the decimal.  In the header report
| | they are rounded off.  Suppose the exact scores in the example you
| | gave are 3.544 + 0.231 + 0.142 + 0.145.  These add up to 4.062,
| | which rounds to 4.1.
| |
|
Spot on. Have a cigar!
The scores on the doors (using set 4):
NO_REAL_NAME 0.007
INVALID_DATE 0.236
HTML_COMMENT_SAVED_URL 0.146
BAYES_99 3.5
HTML_MESSAGE 0.001
HTML_FONT_BIG 0.142
MIME_QP_LONG_LINE 0.039
The scores for each rule, when added together, are 4.071. Hence a total
score of 4.1 (rounded) even though the individual rules when rounded
before addition only score 3.9.
Perhaps it would be useful to add this little quirk to the wiki? On the
RoundingIssues page?
Thanks again for all the help!
Craig.


Bayes problems and German Spam

2005-05-15 Thread Simon Byrnand
Hi All,
After going from 2.64 to 3.0.3 I thought Bayes was working much better - 
previously certain classes of spam were being consistently reported as ham, 
scoring BAYES_00 no matter what I did, or how much manual training I did. 
(Autolearning enabled)

After upgrading to 3.0.3 and clearing the Bayes database everything seemed 
fine for a week or so, now it's back to its old habits :(

Particularly frustrating is the complete inability of sa-learn to correct 
the thinking of Bayes - all the recent flood of German spams are scoring 
BAYES_00, and DESPITE the fact that I have manually learnt well over two 
dozen of these as spam (which includes all the variations of them I've seen 
so far) new copies of identical spams STILL score BAYES_00. WHY ?

If the autolearn system can't be overridden with some manual learning, it 
makes it more or less useless :(

A few other spams that were previously getting BAYES_99 are now down to 
BAYES_00 for no apparent reason. It's highly unlikely that they were 
autolearnt as ham, as they hit several other tests too. It seems that Bayes 
is still exploitable... :(

Any suggestions ?
Regards,
Simon


Problem with ALL_TRUSTED

2005-05-15 Thread Marcel Veldhuizen
Hi,
I've been having problems with a specific spammer lately. He's sending me 
about 300 mails a day and they're all passing right through my filtering. 
Part of the problem is this:

* -2.8 ALL_TRUSTED Did not pass through any untrusted hosts
SpamAssassin thinks the mail comes directly from my host's mailserver, but 
it's overlooking a Received header. I think it's because of the 
X-Virus-Scan header in between. However I have no control over that 
particular header.

Is the order of headers an RFC violation in some way, or is this an SA 
problem? A full example email is attached.
Return-path: [EMAIL PROTECTED] 
Envelope-to: [EMAIL PROTECTED] 
Delivery-date: Sun, 15 May 2005 23:10:18 +0200 
Received: from localhost ([127.0.0.1] ident=root) 
by hellfire.egelantier.subbot.net with esmtp (Exim 4.50) 
id 1DXQNO-0005rW-55 
for [EMAIL PROTECTED]; Sun, 15 May 2005 23:10:18 +0200 
Delivered-To: [EMAIL PROTECTED] 
Received: from 63.209.158.6 [63.209.158.6] 
by localhost with POP3 (fetchmail-6.2.5) 
for [EMAIL PROTECTED] (single-drop); Sun, 15 May 2005 23:10:18 +0200 
(CEST) 
Received: (qmail 5490 invoked by uid 399); 15 May 2005 21:06:00 - 
X-Virus-Scan: Scanned by clamdmail 0.15 (no viruses); 
  Sun, 15 May 2005 17:06:00 -0400 
Received: from unknown (HELO pkaffe.de) (71.34.15.142) 
  by mail.myhsphere.biz with SMTP; 15 May 2005 21:06:01 - 
From: [EMAIL PROTECTED] 
To: [EMAIL PROTECTED] 
Date: Sun, 15 May 2005 21:04:24 GMT 
Subject: Vorbildliche Aktion 
Importance: Normal 
X-Priority: 3 (Normal) 
X-MSMail-Priority: Normal 
MIME-Version: 1.0 
Message-ID: [EMAIL PROTECTED] 
Content-Transfer-Encoding: 7bit 
Content-Type: text/plain; charset=us-ascii 
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on 
hellfire.egelantier.subbot.net 
X-Spam-Level: * 
X-Spam-Status: No, score=1.3 required=5.0 tests=ALL_TRUSTED,AWL, 
MISSING_MIMEOLE,NO_DNS_FOR_FROM,NO_REAL_NAME,PRIORITY_NO_NAME, 
RAZOR2_CF_RANGE_51_100 autolearn=disabled version=3.0.2 
X-Spam-Report: 
*  0.2 NO_REAL_NAME From: does not include a real name 
* -2.8 ALL_TRUSTED Did not pass through any untrusted hosts 
*  1.5 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 
50% 
*  [cf: 100] 
*  1.1 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records 
*  0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE 
*  1.2 PRIORITY_NO_NAME Message has priority, but no 
X-Mailer/User-Agent 
*  0.1 AWL AWL: From: address is in the auto white-list 
Status:   

Lese selbst:
http://www.npd.de/npd_info/deutschland/2004/d1204-24.html

Re: Bombarded by German political spam

2005-05-15 Thread List Mail User
...

  Tonight our site is being bombarded by German political spam or
  Joe-jobbed bounce fall-out. So far it appears to all be coming
  from trojaned PCs. Other than the specific URLs in the messages
  haven't found any easily identified parts to create rules for.
  
  anybody else seeing this?
  
 
 Lots and lots.  Around 10AM CDT, it seems that the various RBL and URI 
 rules are starting to kick in, but some is still leaking through as with 
low scores.
 

Comment from a German user:
the mails are promoting political opinions commonly attributed to the NPD, a legal political party
(why it is legal remains partly at the discretion of supreme court judges)
None of the subjects they use would be expected in personal email communication - it is all
newspaper headlines and smells like that, so filtering on the subject lines should be safe
Some of the uris found point at quite reputable sources that are not related to the spam at all,
others basically just send out the same message as the spam all the time

It is like an ad campaign quoting an article in Time magazine because it could be interpreted
as supporting their ideas - would you want the paper to be blacklisted?

If some sites on the list happen to have invalid registrations, then it is probably their fault 

Wolfgang Hamann


Wolfgang,

What you say makes too much sense to be ignored.  Since I am playing
catch-up with my email, this may have already been addressed;  But, I
can not speak for anyone else, yet I would guess that many folks (particularly
JeffC of SURBL and ChrisS of URIBL) would be extremely grateful if you could
prepare a preliminary whitelist for them, just to avoid the exact case you
have mentioned - Legitimate news sources/agencies/publishers getting listed
because they are cited by a third party's spam.

It would probably be best for you to just post to the list whatever
you feel is appropriate - possibly some of the interested parties might wish
to contact you directly or have you contact them (I said, I speak for no one
else).  If you feel most comfortable, if needed you can send it to me and I'll
take it onto myself to pass it to a variety of organizations (though that
would likely be the slowest method).

Also, regarding invalid registrations, they are a pretty good
indicator, but do FP a lot (look at Lycos. com - and that one's my fault;
I usually avoid innocents - but I had had a bad day, and one of their
employees really pissed me off).  Also, the issue regarding invalid
registrations is that they are trivial to fix, only spammers and very
large companies ignore them (and the Lycos issue is one that wdprs will
not accept, but rfci will).

Paul Shupak
[EMAIL PROTECTED]

P.S. Anyone out there who uses Network Solutions needs to be careful about
invalid telephone numbers and fax numbers - Network Solutions' own computer
system often glitches and has, on at least two occasions (during updates
to the software/database), assigned invalid numbers to all customers who did
not have listed ones.  Fax numbers are always optional, but should not be
invalid, and a telephone number for the registrant is optional - At one
update NetSol gave everyone 123 123 1234, in the other case (and the common
glitch) is for them to assign 999 999  (check their web page instead of
the Whois server, and they have bad data for about a third of all customers).
So it is not always the fault of the registrant (but as far as I know, unless
they use NetSol, it is).


Re: Bayes problems and German Spam

2005-05-15 Thread Simon Byrnand
At 09:53 16/05/2005, Jo wrote:
Simon Byrnand wrote:
Hi All,
After going from 2.64 to 3.0.3 I thought Bayes was working much better - 
previously certain classes of spam were being consistently reported as 
ham, scoring BAYES_00 no matter what I did, or how much manual training I 
did. (Autolearning enabled)

After upgrading to 3.0.3 and clearing the Bayes database everything 
seemed fine for a week or so, now it's back to its old habits :(

Particularly frustrating is the complete inability of sa-learn to correct 
the thinking of Bayes - all the recent flood of German spams are scoring 
BAYES_00, and DESPITE the fact that I have manually learnt well over two 
dozen of these as spam (which includes all the variations of them I've 
seen so far) new copies of identical spams STILL score BAYES_00. WHY ?

If the autolearn system can't be overridden with some manual learning, it 
makes it more of less useless :(

A few other spams that were previously getting BAYES_99 are now down to 
BAYES_00 for no apparent reason. It's highly unlikely that they were 
autolearnt as ham, as they hit several other tests too. It seems that 
Bayes is still exploitable... :(

Any suggestions ?
Regards,
Simon
Clear your bayes database and start all over again. Switch off 
auto-learning and rely purely on manual learning in a feedback loop. Grab 
a mail box of known ham and another folder of known spam. Preferably use a 
thousand of each.
Hmm, not very practical when the system has several thousand 
users/mailboxes. There is no way I would be able to keep current with 
manual learning just based on my own personal mailbox...(and I can hardly 
go poking around in other peoples mailboxes to gather ham/spam to learn)

 If you ever switch on autolearning again, set the threshold at -0.2 for 
ham and 10 or 15 for spam.
Are there even any negative scores in 3.0.3 ? I thought negative scores 
were pretty much eliminated in recent versions, so with -0.2 it would never 
learn any ham.

Enable network tests, razor2, pyzor and dcc work wonders on the site I 
administer.
Already have all network tests enabled, always have done.
Regards,
Simon


Re: Bombarded by German political spam

2005-05-15 Thread wolfgang
In an older episode (Monday 16 May 2005 00:17), List Mail User wrote:

 JeffC of SURBL and ChrisS of URIBL) would be extremely grateful if you could
 prepare a preliminary whitelist for them, just to avoid the exact case you
 have mentioned - Legitimate news sources/agencies/publishers getting listed
 because they are cited by a third parties spam.

i started listing such publishers today:

uridnsbl_skip_domain *.berlinonline.de
uridnsbl_skip_domain berlinonline.de
uridnsbl_skip_domain *.heise.de
uridnsbl_skip_domain heise.de
uridnsbl_skip_domain *.spiegel.de
uridnsbl_skip_domain spiegel.de
uridnsbl_skip_domain *.taz.de
uridnsbl_skip_domain taz.de
uridnsbl_skip_domain *.zdf.de
uridnsbl_skip_domain zdf.de

regards,

wolfgang
(the lower case one :)


Re: Bombarded by German political spam

2005-05-15 Thread List Mail User
Wolfgang,

On a related note; Having just seen the first such email at my site
(it wasn't delivered), I'm assuming that npd. de is the actual political
party itself?  If so, their paperwork is squeaky clean, even the name servers'
domains are clean;  The best I could do was find that most of the contacts for
the name servers refuse postmaster@ and abuse@ - and somebody else filed that
for npd. de themselves yesterday - In fact within 20 minutes, the only invalid
registration was for one of the domains used for email contact, by the name
servers' domain for npd. de (i.e. twice removed).  It seems they run
a bunch of domains which feed to a small number of mail servers, but play
mostly by all the rules.  Largely you go in circles, only occasionally
breaking out to some large commercial provider (who do seem to have offices
which are often in the same buildings or just a few addresses away from the
contacts for npd. de).

You do come up with quite a few unusual domain names, but I didn't
find any problems with the paperwork (ex. pureserver. info, straightedv. de,
factsoft. de and a few others - the names even smell political). 

Thanks in advance,

Paul Shupak
[EMAIL PROTECTED]


Re: Strange SA report maths.

2005-05-15 Thread Theodore Heise


On Sun, 15 May 2005, Craig McLean wrote:

 The scores on the doors (using set 4):
 NO_REAL_NAME 0.007
 INVALID_DATE 0.236
 HTML_COMMENT_SAVED_URL 0.146
 BAYES_99 3.5
 HTML_MESSAGE 0.001
 HTML_FONT_BIG 0.142
 MIME_QP_LONG_LINE 0.039

 The scores for each rule, when added together, are 4.071. Hence a
 total score of 4.1 (rounded) even though the individual rules when
 rounded before addition only score 3.9.

 Perhaps it would be useful to add this little quirk to the wiki?
 On the RoundingIssues page?

I added this.

-- 
Theodore (Ted) Heise [EMAIL PROTECTED] Bloomington, IN, USA


[SARE] Whitelist.cf

2005-05-15 Thread Robert Menschel
Just a quick note that SARE's whitelist.cf has been updated.
Documentation and download link at
http://www.rulesemporium.com/rules.htm#whitelist

Bob Menschel





Re: Bombarded by German political spam

2005-05-15 Thread Jeff Chan
On Sunday, May 15, 2005, 4:04:09 PM, wolfgang wolfgang wrote:
 In an older episode (Monday 16 May 2005 00:17), List Mail User wrote:

 JeffC of SURBL and ChrisS of URIBL) would be extremely grateful if you could
 prepare a preliminary whitelist for them, just to avoid the exact case you
 have mentioned - Legitimate news sources/agencies/publishers getting listed
 because they are cited by a third parties spam.

 i started listing such publishers today:

 uridnsbl_skip_domain *.berlinonline.de
 uridnsbl_skip_domain berlinonline.de
 uridnsbl_skip_domain *.heise.de
 uridnsbl_skip_domain heise.de
 uridnsbl_skip_domain *.spiegel.de
 uridnsbl_skip_domain spiegel.de
 uridnsbl_skip_domain *.taz.de
 uridnsbl_skip_domain taz.de
 uridnsbl_skip_domain *.zdf.de
 uridnsbl_skip_domain zdf.de

 regards,

 wolfgang
 (the lower case one :)

Ja, we've already whitelisted those and others to prevent them
from getting added to SURBLs.  If you run across any others that
are blacklisted in SURBLs, then please send them to:

  whitelist at surbl dot org

and we will whitelist them.  Here are some others we've
whitelisted:

stern.de
rp-online.de
fhtw-berlin.de
berlin1.de
bz.berlin1.de
bz-berlin.de
gofeminin.de
taz.de
berlinonline.de
zdf.de
[...]

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Using 1st server Spamassassin score as starting value for 2nd server.

2005-05-15 Thread Paul R. Ganci
I run the Email servers for a small, rural mountain WISP and have a 
situation where all Email 1st comes into a scrubber server (RaQ 550) 
and once it passes an initial set of virus/spam tests is sent on to a 
2nd server (also a RaQ 550) where the actual user accounts reside. On 
the first server Spam/Virii are stopped in 3 steps:

1.) Custom blocklists
2.) Greylister
3.) MailScanner/Spamassassin 3.0.3 - Network checks/General rules.
These stop spam with as little work as possible and as soon as possible. 
Anything flagged with a high score at this point is quarantined just in 
case, but not sent to the user. Messages with scores lower than the high 
score threshold are sent on to the 2nd server.

On the 2nd server only MailScanner (virus checks bypassed since they 
were done already)/Spamassassin 3.02.(Spamd/Spamc) are run. Since Spamc 
runs as the Email recipient I can use each user's custom settings and 
bayes databases to do a final check on spam so that they may do what 
they want with such messages. These tests tend to be more expensive than 
those done on the 1st server and vary from user to user, but nonetheless 
I don't want to repeat the tests from the 1st server. Can I set up a 
header with the spam score from the 1st server and then set up the 2nd 
server's spamassassin to use that header as the initial score for any 
subsequent tests? My idea is to turn off as many body checks on the 1st 
server and to wait until the last possible moment without duplicating 
1st server tests before doing the bayes stuff on the 2nd server. The 
final Spam score would be the accumulated sum from both servers.

It wasn't clear from the documentation or google searches that I could 
do this. It seemed that I could create a header and then give a score 
based upon its presence. But it wasn't obvious to me that I could 
actually read the headers value and set the initial spam score from the 
value.  Any hints are graciously accepted and greatly appreciated.

--
Paul ([EMAIL PROTECTED])


Re: Problem with ALL_TRUSTED

2005-05-15 Thread Loren Wilton
 * -2.8 ALL_TRUSTED Did not pass through any untrusted hosts

 SpamAssassin thinks the mail comes directly from my host's mailserver, but
 it's overlooking a Received header. I think it's because of the
 X-Virus-Scan header in between. However I have no control over than
 particular header.

Yea, that appears to be doing it.  From the setup you have, it looked like
the remote host was actually your mail gateway, so SA trusted it.

You need to set the trusted hosts correctly for your installation.  I'm not
conversant with how to do that, but there has been much mention of it on the
list in the last month or so, and I'm sure there are some wiki pages.  The
actual manual pages for SA describe the necessary config lines pretty well.

Loren



Re: Bombarded by German political spam

2005-05-15 Thread Tim B
Chr. von Stuckrad wrote:
On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
I received about 500 on the webmaster account.
Now we know what sober was all about.

I see *no* connection to any Virus or Trojan!
I got about 200 of them into a few accounts and
seemingly I'm receiving more every few minutes.
BUT I do *not* think it is more than 'Propaganda'!
It mostly is just one URL of a genuine Article
of a german Newspaper (only the 'collection' of
Articles and tendency of subject making it 'political').
No attachments seem to be sent and our Mail-filter would
have 'eaten' anyway all the current Sober-Viruses/Variants.
(I'm pretty sure about that, I'm its admin)
Stucki (postmaster at math/inf/mi.fu-berlin.de)
Look at your AV logs of those sending sober.p and look at the 
connections sending the German political spam.  You will start to see a 
connection.  In fact I'm going through my logs right now finding the 
hosts which sent sober.p and starting to block those because they so far 
seem to be the main ones sending the political spam.
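The correlation Tim describes, as an added example (not Tim's code or anyone's posted script): hosts that delivered Sober.P are intersected with hosts sending messages whose subject is one of the reported political-spam subjects. The log formats, timestamps and addresses below are constructed (RFC 5737 documentation ranges); a real AV or MTA log would need its own parsing.

```python
import re
from collections import Counter

# Constructed log lines (hypothetical format, documentation-range addresses).
AV_LOG = """\
2005-05-15 09:12:01 from=203.0.113.7 virus=Worm.Sober.P action=quarantined
2005-05-15 09:40:37 from=198.51.100.23 virus=Worm.Sober.P action=quarantined
2005-05-15 10:02:19 from=203.0.113.200 virus=Trojan.Dropper action=quarantined
"""
MAIL_LOG = """\
2005-05-15 11:05:44 from=203.0.113.7 subject=Auslaender bevorzugt
2005-05-15 11:06:02 from=203.0.113.7 subject=Dresden 1945
2005-05-15 11:09:15 from=198.51.100.23 subject=Tuerkei in die EU
2005-05-15 11:11:48 from=192.0.2.10 subject=Re: meeting tomorrow
2005-05-15 11:15:30 from=192.0.2.55 subject=Augen auf
"""
# A few of the subject lines reported on the list
SPAM_SUBJECTS = {"Auslaender bevorzugt", "Dresden 1945", "Tuerkei in die EU", "Augen auf"}

FROM_RE = re.compile(r"\bfrom=(\S+)")
SUBJECT_RE = re.compile(r"\bsubject=(.*)$")

def sober_hosts(av_log, virus="Sober.P"):
    """Hosts whose connections carried the named virus."""
    hosts = set()
    for line in av_log.splitlines():
        if virus in line:
            m = FROM_RE.search(line)
            if m:
                hosts.add(m.group(1))
    return hosts

def political_spam_by_host(mail_log, subjects=SPAM_SUBJECTS):
    """Count messages per host whose subject is one of the known spam subjects."""
    counts = Counter()
    for line in mail_log.splitlines():
        m_from, m_subj = FROM_RE.search(line), SUBJECT_RE.search(line)
        if m_from and m_subj and m_subj.group(1).strip() in subjects:
            counts[m_from.group(1)] += 1
    return counts

def correlate(av_log, mail_log):
    """Spam counts restricted to hosts also seen delivering Sober.P."""
    infected = sober_hosts(av_log)
    return {h: n for h, n in political_spam_by_host(mail_log).items() if h in infected}

if __name__ == "__main__":
    for host, n in sorted(correlate(AV_LOG, MAIL_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{host:<16} {n} political spam message(s), also sent Sober.P")
```

The host 192.0.2.55 sends one of the listed subjects but never delivered Sober.P, so it stays out of the correlated set.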



Re: Using 1st server Spamassassin score as starting value for 2nd server.

2005-05-15 Thread Loren Wilton
 It wasn't clear from the documentation or google searches that I could
 do this. It seemed that I could create a header and then give a score
 based upon its presence. But it wasn't obvious to me that I could
 actually read the headers value and set the initial spam score from the
 value.  Any hints are graciously accepted and greatly appreciated.

You can't, so far as I know, do exactly what you want.  However, you may be
able to come close.

SA uses text pattern matching for rules, rather than any concept of
arithmetic numbers.  You can make multiple rules with various scores and use
them to look at the score lines in the header, at least if you are on 3.0 or
later.  (In 2.6x these lines will be stripped before you can look at them).

I think you will have to use 'full' rules to look at this data (or write a
plugin, which might be the better idea) since it will probably be removed
from 'header' rule data before you can look at it.

I would suggest a simple collection of rules that look at the number of
stars in the report line, and score each one at 1 point.  This will give you
the score rounded to the nearest point, which might be good enough.  You
could actually make a whole series of rules (it would take 40 rules) to look
at the actual score value and provide a decimal result.  For instance,
grabbing part of the summary line from your message, I see

X-Spam-Status: No, hits=-94.4

(This is on 2.64, check the format for 3.0 in case it changed.)

Now I could write a bunch of rules like

full SA_SCORE_100 /^X-Spam-Status:.{0,20}hits=1\d\d/s
score SA_SCORE_100 100
full SA_SCORE_10 /^X-Spam-Status:.{0,20}hits=\d*1\d[^\d]/s
score SA_SCORE_10 10
full SA_SCORE_20 /^X-Spam-Status:.{0,20}hits=\d*2\d[^\d]/s
score SA_SCORE_20 20
full SA_SCORE_30 /^X-Spam-Status:.{0,20}hits=\d*3\d[^\d]/s
score SA_SCORE_30 30
full SA_SCORE_40 /^X-Spam-Status:.{0,20}hits=\d*4\d[^\d]/s
score SA_SCORE_40 40
full SA_SCORE_1 /^X-Spam-Status:.{0,20}hits=\d*1[^\d]/s
score SA_SCORE_1 1
full SA_SCORE_2 /^X-Spam-Status:.{0,20}hits=\d*2[^\d]/s
score SA_SCORE_2 2
full SA_SCORE_3 /^X-Spam-Status:.{0,20}hits=\d*3[^\d]/s
score SA_SCORE_3 3
full SA_SCORE_4 /^X-Spam-Status:.{0,20}hits=\d*4[^\d]/s
score SA_SCORE_4 4
full SA_SCORE_point1 /^X-Spam-Status:.{0,20}hits=\d*\.1/s
score SA_SCORE_point1 0.1
full SA_SCORE_point2 /^X-Spam-Status:.{0,20}hits=\d*\.2/s
score SA_SCORE_point2 0.2
full SA_SCORE_point3 /^X-Spam-Status:.{0,20}hits=\d*\.3/s
score SA_SCORE_point3 0.3
full SA_SCORE_point4 /^X-Spam-Status:.{0,20}hits=\d*\.4/s
score SA_SCORE_point4 0.4

Obviously you need 0-9 in each case.

That will handle positive scores and ignore negative scores.  (If you can't
have 3 digit scores, you can simplify the regex in the first case above to
something like =1\d/s on the end).  If you want to deal with negative
scores also, you will need a bunch more rules to deal with them.

Oh heck.  I started the ruleset above, I just finished the thing.  File
attached.
Note these rules are UNTESTED, and may not work as expected.  They may not
even lint for that matter.  But they might be useful if they do work.

Loren
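To check what arithmetic this digit-per-position rule family actually produces, here is an added Python re-implementation of it; it is not the posted scorerules.cf, and the header lines it is run over are constructed. It generates the 0-9 rules for each position as the post says to, accepts both the 2.6x "hits=" and the 3.0 "score=" spelling (the 3.0 format appears elsewhere in this thread), and is applied to the single X-Spam-Status line rather than the full message text a "full" rule would see.

```python
import re

# Added example: Python re-implementation of the rule family above, used to
# check the score it reconstructs.  Not the posted scorerules.cf.
# One rule per digit 0-9 and per decimal place; "(?:hits|score)=" accepts
# both the 2.6x "hits=" and the 3.0 "score=" header spelling.
PREFIX = r"^X-Spam-Status:.{0,20}(?:hits|score)="

def build_rules():
    rules = []  # (rule name, regex, score), as the full/score pairs would be
    for d in range(10):
        rules.append((f"SA_SCORE_{d}00", PREFIX + rf"{d}\d\d", d * 100))
        rules.append((f"SA_SCORE_{d}0", PREFIX + rf"\d*{d}\d[^\d]", d * 10))
        rules.append((f"SA_SCORE_{d}", PREFIX + rf"\d*{d}[^\d]", d))
        rules.append((f"SA_SCORE_point{d}", PREFIX + rf"\d*\.{d}", d / 10))
    return rules

RULES = build_rules()

def reconstructed_score(header_line):
    """Return (score, [rule names]) summed over every rule whose regex hits.

    Applied to the single X-Spam-Status line; the /s flag of the original
    rules becomes re.S here.  Negative scores match nothing, as noted above.
    """
    total, hit = 0.0, []
    for name, pattern, score in RULES:
        if re.search(pattern, header_line, re.S):
            total += score
            hit.append(name)
    return round(total, 1), hit

# Constructed header lines (not taken from any real message)
SAMPLES = [
    "X-Spam-Status: Yes, hits=12.5 required=5.0 tests=BAYES_99",     # 2.6x style
    "X-Spam-Status: Yes, score=110.0 required=5.0 tests=BAYES_99",   # 3.0 style
    "X-Spam-Status: No, hits=-94.4 required=5.0 tests=ALL_TRUSTED",  # negative: ignored
    "X-Spam-Status: No, hits=3 required=5.0 tests=BAYES_50",         # no decimal part
]

if __name__ == "__main__":
    for line in SAMPLES:
        score, names = reconstructed_score(line)
        print(f"{score:>6}  {names}  <- {line}")
```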




Help mp3 attachment

2005-05-15 Thread John Fleming
I run a very simple Postfix - Procmail - SpamAssassin - CLamAV setup that 
has been working great, but tonight I see something I don't understand. 
Look at the 2 examples below please.  Both messages got virus-scanned. 
However, the message that includes an mp3 audio attachment, appears that it 
didn't get spam-scanned at all, whereas a totally plain message does.  Can 
anyone explain this?  What attachment property would cause the message not 
to pass to spamd at all?  Thanks - John

Plain message with 500K mp3 attachment:
X-Virus-Status: No
X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with 
ClamAV 0.85/879/Sun May 15 08:43:45 2005 signatures 31.879
Status:
X-Antivirus: AVG for E-mail 7.0.308 [266.11.10]
Mime-Version: 1.0
Content-Type: multipart/mixed; 
boundary==_NextPart_000_0050_01C5599C.1DDB9FF0


Plain message without attachment:
X-Virus-Status: No
X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with 
ClamAV 0.85/879/Sun May 15 08:43:45 2005 signatures 31.879
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on Luke.wa9als.com
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham
version=3.0.2
Status:
X-Antivirus: AVG for E-mail 7.0.308 [266.11.10]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; format=flowed; charset=iso-8859-1; 
reply-type=original


--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.11.10 - Release Date: 5/13/2005


Re: Help mp3 attachment

2005-05-15 Thread Thomas Cameron
On Sun, 2005-05-15 at 22:34 -0500, John Fleming wrote:
 I run a very simple Postfix - Procmail - SpamAssassin - CLamAV setup that 
 has been working great, but tonight I see something I don't understand. 

I suspect that your procmail recipe doesn't scan files over a certain
size.  What does your .procmailrc file look like?

Thomas



Re: Help mp3 attachment

2005-05-15 Thread hamann . w


Hi,

there is a default max size (250kb) to scan ... spammers usually don't send 
messages with big attachments

Wolfgang Hamann

 I run a very simple Postfix - Procmail - SpamAssassin - CLamAV setup that 
 has been working great, but tonight I see something I don't understand. 
 Look at the 2 examples below please.  Both messages got virus-scanned. 
 However, the message that includes an mp3 audio attachment, appears that it 
 didn't get spam-scanned at all, whereas a totally plain message does.  Can 
 anyone explain this?  What attachment property would cause the message not 
 to pass to spamd at all?  Thanks - John
 
 Plain message with 500K mp3 attachment:
 
 X-Virus-Status: No
 X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with 
 ClamAV 0.85/879/Sun May 15 08:43:45 2005 signatures 31.879
 Status:
 X-Antivirus: AVG for E-mail 7.0.308 [266.11.10]
 Mime-Version: 1.0
 Content-Type: multipart/mixed; 
 boundary==_NextPart_000_0050_01C5599C.1DDB9FF0
 
 
 
 Plain message without attachment:
 
 X-Virus-Status: No
 X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with 
 ClamAV 0.85/879/Sun May 15 08:43:45 2005 signatures 31.879
 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on Luke.wa9als.com
 X-Spam-Level:
 X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham
  version=3.0.2
 Status:
 X-Antivirus: AVG for E-mail 7.0.308 [266.11.10]
 Mime-Version: 1.0
 Content-Transfer-Encoding: 7bit
 Content-Type: text/plain; format=flowed; charset=iso-8859-1; 
 reply-type=original
 
 
 
 -- 
 No virus found in this outgoing message.
 Checked by AVG Anti-Virus.
 Version: 7.0.308 / Virus Database: 266.11.10 - Release Date: 5/13/2005
 
 




Re: Bombarded by German political spam

2005-05-15 Thread Bob Proulx
Raymond Dijkxhoorn wrote:
 This is the complete list so far:

I am helping to manage a mailing list with mailman and the interface
there is pretty restrictive and there is no spam filtering such as SA
under it so no SURBL either.  Slightly off topic for the SA list.  But
I found in the interface [subscription rules], [spam filters], [spam
filter rule], then paste these into the spam filter rule with a
discard action.

The list I have collected is slightly different than yours.

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: 60 Jahre Befreiung: Wer feiert mit?
Subject: Armenian Genocide Plagues Ankara 90 Years On
Subject: Auf Streife durch den Berliner Wedding
Subject: Augen auf
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: Blutige Selbstjustiz
Subject: Deutsche Buerger trauen sich nicht ...
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Dresden 1945
Subject: Dresden Bombing Is To Be Regretted Enormously
Subject: Du wirst ausspioniert !
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Gegen das Vergessen
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Ihre Anfrage an Amazon.de
Subject: Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
Subject: Multi-Kulturell = Multi-Kriminell
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: S.O.S. Kiez! Polizei schlaegt Alarm
Subject: Schily ueber Deutschland
Subject: The Whore Lived Like a German
Subject: Transparenz ist das Mindeste
Subject: Trotz Stellenabbau
Subject: Tuerkei in die EU
Subject: Turkish Tabloid Enrages Germany with Nazi Comparisons
Subject: Verbrechen der deutschen Frau
Subject: Volk wird nur zum zahlen gebraucht!
Subject: Vorbildliche Aktion

Bob

 Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
 Subject: Auf Streife durch den Berliner Wedding
 Subject: Auslaender bevorzugt
 Subject: Auslaenderpolitik
 Subject: Deutsche werden kuenftig beim Arzt abgezockt
 Subject: Du wirst zum Sklaven gemacht!!!
 Subject: Graeberschaendung auf bundesdeutsche Anordnung
 Subject: Hier sind wir Lehrer die einzigen Auslaender
 Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
 Subject: Tuerkei in die EU
 Subject: Verbrechen der deutschen Frau
 Subject: Vorbildliche Aktion
 Subject: 60 Jahre Befreiung: Wer feiert mit?
 Subject: Multi-Kulturell = Multi-Kriminell
 Subject: Turkish Tabloid Enrages Germany with Nazi Comparisons
 Subject: Blutige Selbstjustiz
 Subject: Dresden 1945
 Subject: Du wirst ausspioniert !
 Subject: Armenian Genocide Plagues Ankara 90 Years On
 Subject: Augen auf
 Subject: Trotz Stellenabbau
 Subject: Volk wird nur zum zahlen gebraucht!
 Subject: Transparenz ist das Mindeste
 Subject: The Whore Lived Like a German
 Subject: Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
 Subject: Schily ueber Deutschland
 Subject: Deutsche Buerger trauen sich nicht ...
 Subject: Graeberschaendung auf bundesdeutsche Anordnung
 Subject: S.O.S. Kiez! Polizei schlaegt Alarm


Re: SpamAssassin BAYES_99 problem

2005-05-15 Thread Bob Proulx
JamesDR wrote:
 George Breahna wrote:
 I have a problem with a few of my users that have spanish usernames ( this
 is the only difference I can think of )

 With out seeing the entire message, I'd assume that a Jose sent you 
 spam, that was learned as such. Learn these ham messages as such, and it 
 should help some.

You can get some information from spamassassin by using the -tD
options.  Pipe the message into sa and then look at the bayes tokens.

  | spamassassin -tD 2>&1 | $PAGER +/bayes

Bob


Re: Using 1st server Spamassassin score as starting value for 2nd server.

2005-05-15 Thread Paul R. Ganci
Loren Wilton wrote:
Any hints are graciously accepted and greatly appreciated.
   

You can't, so far as I know, do exactly what you want.  However, you may be
able to come close.
[snip]
Oh heck.  I started the ruleset above, I just finished the thing.  File
attached.
Note these rules are UNTESTED, and may not work as expected.  They may not
even lint for that matter.  But they might be useful if they do work.
 

Gees I wanted some ideas but didn't expect anyone to do it for me! :)
As I said I would graciously accept and greatly appreciate some hints. 
Thanks so much for getting me going on this ... it was way beyond my 
expectations. I will try these out as time allows and if I find problems 
I will repost them.

From the information given in your post I see I was not thinking in the 
spamassassin way. I am new to the rule writing part so I learned 
something. Your idea will do pretty much exactly what I want just not in 
the arithmetic way I was thinking.

Again thanks so much Loren!
--
Paul ([EMAIL PROTECTED])


Re: Problem with ALL_TRUSTED

2005-05-15 Thread Bob Proulx
Marcel Veldhuizen wrote:
 * -2.8 ALL_TRUSTED Did not pass through any untrusted hosts
 
 SpamAssassin thinks the mail comes directly from my host's mailserver, but 
 it's overlooking a Received header. I think it's because of the 
 X-Virus-Scan header in between. However I have no control over that 
 particular header.
 
 Is the order of headers a RFC violation in some way, or is this a SA 
 problem? A full example email is attached.

Thanks for posting the headers.  It makes it much easier to see what
is going on.

Try setting the trusted_networks to include your mail gateway and your
mail scanner using localhost.

  trusted_networks 127.0.0.1
  trusted_networks 63.209.158.6

That will include the scanner address in the path.

 Return-path: [EMAIL PROTECTED] 
 Envelope-to: [EMAIL PROTECTED] 
 Delivery-date: Sun, 15 May 2005 23:10:18 +0200 
 Received: from localhost ([127.0.0.1] ident=root) 
   by hellfire.egelantier.subbot.net with esmtp (Exim 4.50) 
   id 1DXQNO-0005rW-55 
   for [EMAIL PROTECTED]; Sun, 15 May 2005 23:10:18 +0200 

Your scanner address of 127.0.0.1.

 Delivered-To: [EMAIL PROTECTED] 
 Received: from 63.209.158.6 [63.209.158.6] 
   by localhost with POP3 (fetchmail-6.2.5) 
   for [EMAIL PROTECTED] (single-drop); Sun, 15 May 2005 23:10:18 +0200 
 (CEST) 

Your mail gateway address of 63.209.158.6.  At least I assume this is
your gateway because it was the next address after the scanner.  But
it confused me that there were no addresses after this.

Bob