Re: --lint tells me I need 0.34 dns

2005-05-20 Thread Justin Mason


Theo Van Dinter writes:
> On Thu, May 19, 2005 at 11:35:01PM -0400, Eric Wood wrote:
> > You're correct.  It's the only spamassassin-3x rpm I could find on the net at:
> > http://dag.wieers.com/home-made/apt/
>
> I'd just build it yourself.  Docs are on the wiki/download page (iirc).
>
> > doesn't really check for specific perl modules.  Maybe the spamassassin
> > package maintainers might need to be informed.
>
> Yeah, this comes up periodically.  Since Net::DNS isn't required for SA
> operation, it's not listed as required in the spec file.  There doesn't seem
> to be a way to say if perl(Net::DNS) is installed, require version 0.34 or
> higher.

actually, I was thinking about that.

It might make sense to turn some of those optional-but-recommended
dependencies into requirements, in packages for platforms where
apt-get-style systems are available; if the user doesn't have to
do additional work to get them, then we should get them by default.

--j.



spamassassin fetchmail qmail (RELAYCLIENT=)

2005-05-20 Thread Mirko Steiner
Hi,
so first the general infos, which i should be sure to note:
Well... i run a qmail mailserver with qmailqueue-patch, vpopmail and
qmail-scanner which scans for viruses and even yet for spam with
spamassassin invoking through spamd. The thing is, for each mail address
i fetch the emails from a remote mailserver (exactly two, one for
.de and one for the .com accounts) via fetchmail and fetchmail delivers
the mails locally... however i think there is no need for more details
here -- the system - as it is - works well (email delivery works! *jippi*).
The version of spamassassin is "spamassassin: 3.0.3" and i run a
FreeBSD 4.10-STABLE box.

Now the problem:
When fetchmail delivers the emails locally (127.0.0.1) to qmail (via
tcpserver) it sets a variable RELAYCLIENT so that qmail acts for
127.0.0.1 as an open relay. So... spamassassin doesn't run because this
variable is set and I want 127.0.0.1 for open relay but here is a log line:

Fri, 20 May 2005 09:10:37 CEST:53653: spamassassin: don't scan as
RELAYCLIENT implies this was sent by a local user

I've read the manpages but i haven't found anything that disables the
check... so... HELP! :)
--
Mirko Steiner
Gesotec Soft- und Hardware GmbH
Hilpertstr. 35
D-64295 Darmstadt
Tel: +49 (6151) 66 777 50
Fax: +49 (6151) 66 777 59
http://www.gesotec.de


what is reported and to where?

2005-05-20 Thread Jon
Hi,
I use the line below to educate my spamassassin (run by each user by cron):

sa-learn --spam /home/$USER/.Maildir/.ReportSpam/* --showdots

What I would like to know is if this reports to any internet server. Why I
ask is due to the -L (--local) switch. I do not wish to report to a
server because I know that some users put HAM in their ReportSpam folder.

Best Regards - Jon



Re: What is a caching name server?

2005-05-20 Thread Christian Recktenwald
On Thu, May 19, 2005 at 10:15:41PM -0700, [EMAIL PROTECTED] wrote:
> Hello list,
>
> in several posts I have noticed people refer to a caching nameserver.
> What exactly is that?

It's a nameserver without local zone information except for
root-hints and, perhaps, localhost.

> Would BIND 9.3.1 qualify?

Yes.

Most Linux distributions (if you happen to use one) have a default
configuration for bind to run as caching nameserver.

Minimal bind config on a Debian system:
--
options {
        directory "/var/cache/bind";
        version "none of your business";
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};
--

HTH, Chris

-- 
Christian Recktenwald  : :
citecs GmbH: [EMAIL PROTECTED]
Unternehmensberatung fuer  : voice +49 711 601 2090  : Boeblinger Strasse 189
EDV und Telekommunikation  : fax   +49 711 601 2092  : D-70199 Stuttgart


Re: What is a caching name server?

2005-05-20 Thread Martin Hepworth
Hi
yes Bind will become a caching only name server if you don't have any
local zone files to lookup. Basically think of it as a proxy with
memory. It will remember previous look ups so it won't ask its
resolvers again (unless the timeout value on the record has been reached).

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
[EMAIL PROTECTED] wrote:
> Hello list,
> in several posts I have noticed people refer to a caching nameserver.
> What exactly is that?  Would BIND 9.3.1 qualify?  Any advice would be
> greatly appreciated.
> Regards,
> Devin
**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.   
**


Re: SA Sometimes Being Bypassed?

2005-05-20 Thread Martin Hepworth
Jake
have a look at the output of spamassassin -D --lint mailmessage. You
might be trusting the secondary MX or it might be bypassing your SA
system altogether.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Jake Colman wrote:
> If my sendmail server is down, a backup MX in a different domain catches all
> my email.  When my sendmail server comes back up, the backup MX dumps all the
> mail it's been holding for me.  It seems that all the email sent to me in
> this manner bypasses my SA filtering.  Why should this be?  I believe that
> what I am saying is accurate because if I examine the email headers for
> emails sent by the backup MX, they do not have my X-Spam headers.
> Thanks for any help.


Re: OT: Perl IMAP client

2005-05-20 Thread Martin Hepworth
Kenneth
here's what I use to do just that - code originally from someone else,
mangled slightly by me..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Kenneth Porter wrote:
I'd like to knock together a utility for invoking SA against messages in 
an IMAP store, and it seems logical to build it as a Perl program using 
an IMAP package and Mail::SpamAssassin. Can anyone recommend a good Perl 
IMAP package?

Server will be Dovecot on Fedora. My utility will take all messages in a 
folder of uncaught spam that aren't wrapped in a SA report, run them 
through the equivalent of sa-learn, wrap them in a SA report, and clear 
their seen/read state.

Here's all the hits I get on CPAN for stuff about IMAP:
http://search.cpan.org/search?m=all&q=imap&s=1&n=100
#!/usr/bin/perl -w
use strict;
use Mail::IMAPClient;
use Shell;
use Env qw(HOME);
use Getopt::Long;

use File::Temp qw/ tempfile tempdir /;

my $imapserver = "myimapserver";

# set to 1 to enable imapclient debugging
my $debug = 0;

# set to 1 if running under cron (disables output)
my $cron = 1;

my $filename;
my $fh;

my %options =
(
 uid => undef,
 pwd => undef
);

# note: a password given as -pwd=... is visible to other local users in the
# process list while the script runs
my $cmdsts = GetOptions ("uid=s" => \$options{uid}, "pwd=s" => \$options{pwd});

if (!$options{uid}) { die "[SPAMASSASSIN] uid not set (-uid=username)\n"; }
if (!$options{pwd}) { die "[SPAMASSASSIN] pwd not set (-pwd=password)\n"; }

my $uid = $options{uid};
my $pwd = $options{pwd};

# login to imap server (Mail::IMAPClient leaves its error text in $@)
my $imap = Mail::IMAPClient->new (Server => $imapserver, User => $uid,
                                  Password => $pwd, Debug => $debug)
  or die "Can't connect to $imapserver as $uid: $@\n";

if ($imap)
{
  my $count;

  # Deal with spam first
  learn_mail ($HOME."/spam/", ".spam", "INBOX.spam", 0,
    "--spam --showdots --prefs-file=/opt/MailScanner/etc/spam.assassin.prefs.conf");

  # Now deal with ham
  learn_mail ($HOME."/ham/", ".ham", "INBOX.ham", 0,
    "--ham --showdots --prefs-file=/opt/MailScanner/etc/spam.assassin.prefs.conf");

}
else
{
  die "[SPAMASSASSIN] Unable to logon to IMAP mail account! $options{uid}\n";
}

exit;

#
# read and learn mail from imap server
#
# arguments
#  $dir     directory to place retrieved messages in
#  $ext     file extension to use on retrieved messages
#  $folder  imap folder name on server
#  $shared  0 if imap folder is in users mailbox
#           1 if imap folder is in shared name space or
#  $sa_args additional arguments to specify to sa-learn
#           (e.g. --spam or --ham)
#
sub learn_mail {
  my $dir = shift (@_);
  my $ext = shift (@_);
  my $folder = shift (@_);
  my $shared = shift (@_);
  my $sa_args = shift (@_);

  my $count = 0;

  # tidy up directory before run
  clear_directory ($dir, $ext);

  # read mail from server
  $count = read_mail ($dir, $ext, $folder, $shared);
  if ($count > 0)
  {
    # learn about mail
    sa_learn ($dir, $ext, $sa_args);

    # tidy up files after sa-learn is called
    clear_directory ($dir, $ext);
  }
}


#
# reads mail from an imap folder and saves in a local directory
#
# arguments
#  $dir     directory to place retrieved messages in
#  $ext     file extension to use on retrieved messages
#  $folder  imap folder name on server
#  $shared  0 if imap folder is in users mailbox
#           1 if imap folder is in shared name space or
sub read_mail {
  my $dir = shift (@_);
  my $ext = shift (@_);
  my $folder = shift (@_);
  my $shared = shift (@_);
  my $count = 0;
  my $target = "";

  if ($shared)
  {
    # use a shared public folder instead
    my ($prefix, $sep) = @{$imap->namespace->[2][0]}
       or die "Can't get shared folder namespace or separator: $@\n";

    $target = $prefix.
       ($prefix =~ /\Q$sep\E$/ || $folder =~ /^\Q$sep/ ? "" : $sep).
       $folder;
  }
  else { $target = $folder; }

  $imap->select ($target) or die "Cannot select $target: $@\n";

  # If a shared public folder is required uncomment the following
  # lines and comment out the previous $imap->select line

  # read through all messages
  my @msgs = $imap->search ("ALL");
  foreach my $msg (@msgs)
  {
    # one temporary file per message, created inside $dir with suffix $ext
    ($fh, $filename) = tempfile (SUFFIX => $ext, DIR => $dir);
    $imap->message_to_file ($fh, $msg);
    close $fh;
    $count++;
  }
  # flag the fetched messages as deleted on the server
  $imap->delete_message (@msgs);

  if ($cron == 0) { print "Retrieved $count messages from $target\n"; }

  return $count;
}

#
# Removes files in directory $dir with extension $ext
#
sub clear_directory {
  my $dir = shift (@_);
  my $ext = shift (@_);

  # The archived message breaks off at the opendir call. The rest of this
  # routine and sa_learn below are reconstructed from the comments and call
  # sites above; they are not the poster's original code.
  opendir (DIR, $dir) or die "Cannot open directory $dir: $!\n";
  my @files = grep { /\Q$ext\E$/ && -f "$dir/$_" } readdir (DIR);
  closedir (DIR);
  unlink (map { "$dir/$_" } @files);
}

#
# Runs sa-learn with $sa_args over the files in $dir ending in $ext
# (reconstructed, see the note in clear_directory)
#
sub sa_learn {
  my ($dir, $ext, $sa_args) = @_;

  opendir (DIR, $dir) or die "Cannot open directory $dir: $!\n";
  my @files = map { "$dir/$_" } grep { /\Q$ext\E$/ } readdir (DIR);
  closedir (DIR);
  return unless @files;

  # list form of system: file names never pass through a shell
  system ("sa-learn", split (' ', $sa_args), @files) == 0
    or warn "[SPAMASSASSIN] sa-learn exited with status $?\n";
}

Re: What is a caching name server?

2005-05-20 Thread Martin Schröder
On 2005-05-19 22:15:41 -0700, [EMAIL PROTECTED] wrote:
> in several posts I have noticed people refer to a caching nameserver.
> What exactly is that?  Would BIND 9.3.1 qualify?  Any advice would be

http://www.google.com/search?q=caching+nameserver

HTH. HAND.
-- 
http://www.tm.oneiros.de


RE: Simple question TRUE or FALSE (More data to answer this question)

2005-05-20 Thread Menno van Bennekom
> My Dl360 with dual 1.266ghz CPU's, 2GB of RAM, and dual 18GB mirrored scsi
> drives can only scan a message in 4-5 seconds.  At least that was my scan
> time with a completely default setup, running spamd/spamass-milter, SA
> 3.0.1, RedHat FC2, and sendmail 8.13.1.  I haven't checked in a while
> (since I updated SA, the milter, and sendmail), but I have a good feeling
> most of my processing time was spent waiting for DNS responses.
>
> Any input into my situation would be appreciated.  I'd love to be able to
> get down to 2-3 seconds, basically cutting my processing time in half!

I only checked the timings of the last 10 or so mails to show that it was
much faster than the mentioned 20-30 seconds, but especially for you ;-) I
now calculated the mean SA checktime of the last 7 days, on the 1Ghz/512MB
server.
And it is: 3.854 seconds.
This server has Suse Linux, postfix 2.2.3, Amavisd-new 2.3.1, SA 3.03,
Clamav, Razor, DCC. Network tests are enabled, no local DNS-server, only
the standard SA CF files except for a small local.cf.

Menno van Bennekom



Re: What is a caching name server?

2005-05-20 Thread email builder
> > in several posts I have noticed people refer to a caching nameserver.
> > What exactly is that?  Would BIND 9.3.1 qualify?  Any advice would be
> > greatly appreciated.
>
> yes Bind will become a caching only name server if you don't have any
> local zone files to lookup. Basically think of it as a proxy with
> memory. It will remember previous look ups so it won't ask its
> resolvers again (unless the timeout value on the record has been reached).

Really?

1) why would Bind NOT cache domain lookups for domains that are not listed in
your local zone files?  that seems ridiculous.  is there any way to host your
company's domains in a Bind instance that also caches lookups?

2) is there a way to test a Bind server to make sure it is in fact caching
its lookups?






Re: What is a caching name server?

2005-05-20 Thread Roman Volf
email builder wrote:
> > > in several posts I have noticed people refer to a caching nameserver.
> > > What exactly is that?  Would BIND 9.3.1 qualify?  Any advice would be
> > > greatly appreciated.
> >
> > yes Bind will become a caching only name server if you don't have any
> > local zone files to lookup. Basically think of it as a proxy with
> > memory. It will remember previous look ups so it won't ask its
> > resolvers again (unless the timeout value on the record has been reached).
>
> Really?
> 1) why would Bind NOT cache domain lookups for domains that are not listed in
> your local zone files?  that seems ridiculous.  is there any way to host your
> company's domains in a Bind instance that also caches lookups?

It will be a caching-only server if you don't have any local zone
files. It will be both a caching server and a dns server once you
add zones.

> 2) is there a way to test a Bind server to make sure it is in fact caching
> its lookups?


--
Roman Volf
Keystreams Internet Solutions
[EMAIL PROTECTED]


bayes learning

2005-05-20 Thread Ronan McGlue
am i right in thinking that messages which are spam but have attracted
low Bayesian scores should be sa-learn't appropriately. and messages
which aren't spam but have attracted (this is where i start to get a
little confused) high Bayesian scores or just high SA scores (ie more
than the spam threshold)

I have a setup at the minute in the university where i have 2 spamd 
servers with 2 imap folders on one of them. this is used by a select 
group(the email technical group) to train bayes by copying *not 
forwarding* appropriate mails to it. questions pertinent to this setup 
follow...

how should the bayes be taught?? should it be fed all spam mails i can 
get...? what about normal personal mails should it be fed those also... 
or is it only in the cases when they have been learned incorrectly 
previously

is it ok to learn a message that has already been scanned by 
spamassassin... ie with the full SA headers etc
also what about learning spam gotten through a mailing list.. ie 
recently i got a lot of the german spam through a couple of lists i sub 
to... should i learn them as ham or just leave them be...???

all these questions, are they frequently asked??
thanks
ronan
--

Regards
Ronan McGlue
Info. Services
QUB


SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251

2005-05-20 Thread Chris Lear
I've been running quite a lot of sare rules on a site-wide SA
installation for a month or two now. I've been keeping a fairly close
eye on it, and there have been few false positives generally.

But today I noticed that several e-mails are hitting both
SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251. These are ham, sent from
(one specific address in) Ukraine to a Ukrainian in England, written in
English.
The scoring is such that the e-mail gets a score of 3.333 PLUS 4.0 - so
only bayes saves it from being rejected (we reject at 5.5).

I can re-score these rules (or remove sare_header0, which will lower the
scores anyway), but I have 2 questions:
- Is this a slightly unfair double-scoring?
- Are there any other similar rules I should worry about, given that
some Russian mail to this server is ham?

--
Chris


Re: What is a caching name server?

2005-05-20 Thread lists
> > in several posts I have noticed people refer to a caching nameserver.
> > What exactly is that?
> It's a nameserver without local zone information except for
> root-hints and, perhaps, localhost.
> > Would BIND 9.3.1 qualify?
> Yes.

Both of our mail servers are also DNS boxes with real zones.  Is there any way
for BIND to act both as a normal DNS server for domains and also a caching
nameserver?
Regards,
Devin


Re: What is a caching name server?

2005-05-20 Thread Niek
On 5/20/2005 11:52 AM +0200, [EMAIL PROTECTED] wrote:
> Both of our mail servers are also DNS boxes with real zones.  Is there any way
> for BIND to act both as a normal DNS server for domains and also a caching
> nameserver?

Yes, read the BIND documentation.
Niek


Re: What is a caching name server?

2005-05-20 Thread Mirko Steiner
http://cr.yp.to/djbdns.html
simple, small, fast.
--
Mirko Steiner
Gesotec Soft- und Hardware GmbH
Hilpertstr. 35
D-64295 Darmstadt
Tel: +49 (6151) 66 777 50
Fax: +49 (6151) 66 777 59
http://www.gesotec.de


Re: SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251

2005-05-20 Thread John Wilcock
Chris Lear wrote:
> But today I noticed that several e-mails are hitting both
> SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251. These are ham, sent from
> (one specific address in) Ukraine to a Ukrainian in England, written in
> English.
> The scoring is such that the e-mail gets a score of 3.333 PLUS 4.0 - so
> only bayes saves it from being rejected (we reject at 5.5).
> I can re-score these rules (or remove sare_header0, which will lower the
> scores anyway), but I have 2 questions:
> - Is this a slightly unfair double-scoring?
> - Are there any other similar rules I should worry about, given that
> some Russian mail to this server is ham?

These are actually in the header1 file, not header0, but surely they 
ought to be moved to the 70_sare_header_eng.cf as they hit non-English 
ham. Bob?

And yes, the double scoring effect does seem rather over the top to me, 
even for sites that don't expect any Cyrillic ham.

John.
--
-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr


Re: spamassassin fetchmail qmail (RELAYCLIENT=)

2005-05-20 Thread Alex Pleiner
* Mirko Steiner [EMAIL PROTECTED] [2005-05-20 09:31]:

> Fri, 20 May 2005 09:10:37 CEST:53653: spamassassin: don't scan as
> RELAYCLIENT implies this was sent by a local user

Mirko,

yepp. Your question might find better answers in the qmail-scanner
mailing list. 

In the FAQ [1] I find (Q18): 
If you explicitly want to scan some/all local SMTP clients email too,
then set QS_SPAMASSASSIN=on within the tcpserver rules file.

[1] http://qmail-scanner.sourceforge.net/FAQ.php

So you might either set QS_SPAMASSASSIN=on for all mail from 127.0.0.1
to enable SA for every local mail (this will work but might not be what
you want) or you find a way to set this within your fetchmail-to-qmail
invocation.

HTH, alex

-- 
Alex Pleiner                            zeitform Internet Dienste
mailto:[EMAIL PROTECTED]  Fraunhoferstraße 5
PGP S/MIME: http://key.zeitform.de/ap   64283 Darmstadt, Germany
Tel./Fax: +49 (0) 6151 155-635 / -634   http://www.zeitform.de
Jabber: [EMAIL PROTECTED]


Re: SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251

2005-05-20 Thread Chris Lear
* John Wilcock wrote (05/20/05 10:51):
> Chris Lear wrote:
> > But today I noticed that several e-mails are hitting both
> > SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251. These are ham, sent from
> > (one specific address in) Ukraine to a Ukrainian in England, written in
> > English.
> > The scoring is such that the e-mail gets a score of 3.333 PLUS 4.0 - so
> > only bayes saves it from being rejected (we reject at 5.5).
> >
> > I can re-score these rules (or remove sare_header0, which will lower the
> > scores anyway), but I have 2 questions:
> > - Is this a slightly unfair double-scoring?
> > - Are there any other similar rules I should worry about, given that
> > some Russian mail to this server is ham?
>
> These are actually in the header1 file, not header0, but surely they
> ought to be moved to the 70_sare_header_eng.cf as they hit non-English
> ham. Bob?

They're in my header0.cf from sare/rules du jour. And in header.cf with
a lower score as well. Have I got the wrong files?

RulesDuJour $ grep SARE_FROM_CHAR_W1251 *
70_sare_header.cf:header    SARE_FROM_CHAR_W1251 From:raw =~ /\=\?Windows-1251\?/i
70_sare_header.cf:describe  SARE_FROM_CHAR_W1251 Displays in unexpected charset
70_sare_header.cf:score     SARE_FROM_CHAR_W1251 1.666
70_sare_header.cf:#ham      SARE_FROM_CHAR_W1251 Found in some Russian ham
70_sare_header.cf:#hist     SARE_FROM_CHAR_W1251 Created by Bob Menschel May 17 2004
70_sare_header.cf:#counts   SARE_FROM_CHAR_W1251 245s/4h of 238550 corpus (112525s/126025h RM) 02/28/05
70_sare_header.cf:#counts   SARE_FROM_CHAR_W1251 640s/0h of 54176 corpus (16997s/37179h JH-3.01) 02/01/05
70_sare_header.cf:#counts   SARE_FROM_CHAR_W1251 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04
70_sare_header0.cf:header    SARE_FROM_CHAR_W1251 From:raw =~ /\=\?Windows-1251\?/i
70_sare_header0.cf:describe  SARE_FROM_CHAR_W1251 Displays in unexpected charset
70_sare_header0.cf:score     SARE_FROM_CHAR_W1251 4.000
70_sare_header0.cf:#stype    SARE_FROM_CHAR_W1251 spamgg
70_sare_header0.cf:#hist     SARE_FROM_CHAR_W1251 Created by Bob Menschel May 17 2004
70_sare_header0.cf:#counts   SARE_FROM_CHAR_W1251 180s/0h of 66979 corpus (41757s/25222h RM) 09/04/04
70_sare_header0.cf:#counts   SARE_FROM_CHAR_W1251 209s/0h of 38398 corpus (14914s/23484h JH) 08/14/04 TM2 SA3.0-pre2
70_sare_header0.cf:#counts   SARE_FROM_CHAR_W1251 0s/0h of 17050 corpus (14617s/2433h MY) 08/08/04


--
Chris


Re: German Spam local.conf

2005-05-20 Thread James R
[EMAIL PROTECTED] wrote:
> I would like to be removed from this distribution list, anyone have an idea
> how to do that?

Yes in the headers:
[EMAIL PROTECTED]
--
Thanks,
James


Re: SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251

2005-05-20 Thread John Wilcock
Chris Lear wrote:
> They're in my header0.cf from sare/rules du jour. And in header.cf with
> a lower score as well. Have I got the wrong files?

Methinks you have an old header0.cf that is no longer being updated - 
these rules aren't in the current header0 on rulesemporium.com.

And in any case you shouldn't be using header and header0 together...
John.
--
-- Over 2500 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages- www.tradoc.fr


Re: SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251

2005-05-20 Thread Chris Lear
* John Wilcock wrote (05/20/05 12:15):
> Chris Lear wrote:
> > They're in my header0.cf from sare/rules du jour. And in header.cf with
> > a lower score as well. Have I got the wrong files?
>
> Methinks you have an old header0.cf that is no longer being updated -
> these rules aren't in the current header0 on rulesemporium.com.

OK, thanks. I'll try to find out what's wrong with my Rules du Jour.

> And in any case you shouldn't be using header and header0 together...

I didn't know that. I'll fix that as well.

Thanks for your help.

--
Chris


Re: spamassassin fetchmail qmail (RELAYCLIENT=)

2005-05-20 Thread Mirko Steiner
Alex Pleiner wrote:
> yepp. Your question might find better answers in the qmail-scanner
> mailing list.

wooops, sorry, i thought this is a configuration issue by SA... so i
haven't taken a look around at the other software websites...

thanks a lot!
--
Mirko Steiner
Gesotec Soft- und Hardware GmbH
Hilpertstr. 35
64295 Darmstadt
Tel: +49 (6151) 66 777 50
Fax: +49 (6151) 66 777 59
www.gesotec.com


setup spamassassin on Fedora 2

2005-05-20 Thread Jennifer Lai
Hi,
  I'm setting up SpamAssassin by following the instructions on this website,
http://www.firstpr.com.au/web-mail/Postfix-SA-Anomy-Maildrop/
Has anyone used the instructions on this website and setup SpamAssassin
successfully?
My server (loaded with Fedora 2) doesn't seem to have xfilter.  Where
can I get it?
And, if anyone has other pointers to how to setup SpamAssassin with
Postfix on Fedora 2, please let me know.

Thanks,
Jennifer



Re: What is a caching name server?

2005-05-20 Thread Gene Heskett
On Friday 20 May 2005 01:15, [EMAIL PROTECTED] wrote:
> Hello list,
>
> in several posts I have noticed people refer to a caching
> nameserver. What exactly is that?  Would BIND 9.3.1 qualify?  Any
> advice would be greatly appreciated.
>
> Regards,
> Devin

On my systems, there is an 'nscd'.

Is this not a Name Service Caching Daemon?  Docs seem to be sparse for 
it here though.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
99.34% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.


Re: setup spamassassin on Fedora 2

2005-05-20 Thread Kenneth Porter
--On Friday, May 20, 2005 9:07 AM -0400 Jennifer Lai [EMAIL PROTECTED] wrote:

> I'm setting up SpamAssassin by following the instructions on this website,
> http://www.firstpr.com.au/web-mail/Postfix-SA-Anomy-Maildrop/

You're using FC2, which is RPM-based, so use the SpamAssassin RPM to 
install. It comes with FC2. Use yum to install it: yum install 
spamassassin. Same with postfix or sendmail. For bleeding-edge SA, check 
the SA website and the list archives for how to rebuild SA using the source 
RPM. (We might even have a wiki page on this.)




Re: What is a caching name server?

2005-05-20 Thread David Birnbaum
nscd is a Solaris daemon (perhaps other OSs as well) that caches
gethostbyname()/gethostbyaddr() lookups (and others of that ilk), but not all of
the DNS lookups that SpamAssassin uses (I think SpamAssassin may specifically
bypass some of those by using Net::DNS directly instead of the built-in OS
resolver routines).

nscd is controlled by parameters in /etc/nscd.conf.  You may see big performance
gains for IP and name lookup if you tune the negative caching parameters up on
busy mail servers, in any case.

David.
-
On Fri, 20 May 2005, Gene Heskett wrote:
> On Friday 20 May 2005 01:15, [EMAIL PROTECTED] wrote:
> > Hello list,
> > in several posts I have noticed people refer to a caching
> > nameserver. What exactly is that?  Would BIND 9.3.1 qualify?  Any
> > advice would be greatly appreciated.
> > Regards,
> > Devin
> On my systems, there is an 'nscd'.
> Is this not a Name Service Caching Daemon?  Docs seem to be sparse for
> it here though.
> --
> Cheers, Gene
> There are four boxes to be used in defense of liberty:
> soap, ballot, jury, and ammo. Please use in that order.
> -Ed Howdershelt (Author)
> 99.34% setiathome rank, not too shabby for a WV hillbilly
> Yahoo.com and AOL/TW attorneys please note, additions to the above
> message by Gene Heskett are:
> Copyright 2005 by Maurice Eugene Heskett, all rights reserved.


RE: What is a caching name server?

2005-05-20 Thread Jim Knowler
> 2) is there a way to test a Bind server to make sure it is in fact caching
> its lookups?

dig(1) - Linux man page ... dig (domain information groper) is a flexible
tool for interrogating DNS name servers.

http://www.die.net/doc/linux/man/man1/dig.1.html
 



Re[2]: SARE_CHARSET_W1251 and SARE_FROM_CHAR_W1251

2005-05-20 Thread Robert Menschel
Hello Chris, John,

Friday, May 20, 2005, 3:47:55 AM, you wrote:

>>> I can re-score these rules (or remove sare_header0, which will lower the
>>> scores anyway), but I have 2 questions:
>>> - Is this a slightly unfair double-scoring?
>>> - Are there any other similar rules I should worry about, given that
>>> some Russian mail to this server is ham?

>> These are actually in the header1 file, not header0, but surely they
>> ought to be moved to the 70_sare_header_eng.cf as they hit non-English
>> ham. Bob?

CL> They're in my header0.cf from sare/rules du jour. And in header.cf with
CL> a lower score as well. Have I got the wrong files?

Yes, your header0 is old.  Both rules are in header1 in the current
versions. You need to fix your RDJ for header0, or just delete it,
since header0 through header3 are included in header.cf

Yes, you can and maybe should provide a lower score, at least
temporarily.

Yes, they should be moved to header_eng, and will be this weekend.

Meanwhile, is it possible for you to send me some samples of the ham?
If I add that to my corpus, it'll be taken into account in the next
rescoring.

Bob Menschel
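
A way to spot the situation this thread ran into, where one rule is scored in two rule files at once (added example, not code from the thread or from SpamAssassin). It assumes SpamAssassin's documented behaviour of reading *.cf files in alphanumeric order with a later score line replacing an earlier one; the sample contents are constructed from the grep output above, and LOCAL_EXAMPLE_RULE is a hypothetical rule.

```python
import glob
import os
import re

# Constructed sample mirroring the grep output in the thread: the same rule
# is scored in both files. LOCAL_EXAMPLE_RULE is hypothetical, defined once.
SAMPLE_FILES = {
    "70_sare_header0.cf": (
        "header   SARE_FROM_CHAR_W1251 From:raw =~ /\\=\\?Windows-1251\\?/i\n"
        "score    SARE_FROM_CHAR_W1251 4.000\n"
    ),
    "70_sare_header.cf": (
        "header   SARE_FROM_CHAR_W1251 From:raw =~ /\\=\\?Windows-1251\\?/i\n"
        "score    SARE_FROM_CHAR_W1251 1.666\n"
        "#score   SARE_FROM_CHAR_W1251 9.999\n"   # commented out, ignored
    ),
    "local.cf": "score    LOCAL_EXAMPLE_RULE 0.500\n",
}

# "score NAME value [value value value]": only the first value is read here.
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)")


def load_dir(path):
    """Read every *.cf directly inside path into {filename: text}."""
    files = {}
    for full in glob.glob(os.path.join(path, "*.cf")):
        with open(full, encoding="utf-8", errors="replace") as handle:
            files[os.path.basename(full)] = handle.read()
    return files


def scores_in_load_order(files):
    """Return {rule: [(filename, score), ...]} in the order files are read."""
    seen = {}
    for name in sorted(files):              # alphanumeric load order (assumed)
        for line in files[name].splitlines():
            match = SCORE_RE.match(line)    # '#score ...' lines do not match
            if match:
                seen.setdefault(match.group(1), []).append(
                    (name, float(match.group(2))))
    return seen


def find_overrides(files):
    """Rules that receive a score from more than one file."""
    return {rule: defs for rule, defs in scores_in_load_order(files).items()
            if len({fname for fname, _ in defs}) > 1}


def effective_scores(files):
    """Score in force per rule: the last definition read wins."""
    return {rule: defs[-1][1]
            for rule, defs in scores_in_load_order(files).items()}


if __name__ == "__main__":
    for rule, defs in find_overrides(SAMPLE_FILES).items():
        print(rule)
        for fname, score in defs:
            print(f"  {fname}: {score}")
        print(f"  in force: {defs[-1][1]} (from {defs[-1][0]})")
```

Pointing `load_dir()` at the site rules directory instead of `SAMPLE_FILES` lists every rule that a stale file is still scoring.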





RE: sa-learn and big messages

2005-05-20 Thread Steven Manross
Along those same lines, is the message limit of 250K with or without
attachments?

Steven

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 19, 2005 3:56 PM
To: Jim Maul
Cc: Ingo Reinhart; users@spamassassin.apache.org
Subject: Re: sa-learn and big messages


Jim Maul wrote:
> Ingo Reinhart wrote:
>
> > Hello!
> >
> > If I commit a big mail (32 MB) to sa-learn it need long time. I must
> > wait 50 sec. and the sa-learn process need 332 MB RAM.
> >
> > What can I do for faster proceed?
> >
> > Ingo
>
> um..since messages over 250k (default) won't be scanned by SA, why bother
> sa-learning anything over this limit?  SA isn't going to scan it anyway.
>
> -Jim

Minor Note of Clarification: that 250k default limit applies to those who use
spamd, which admittedly Ingo does use. But it is not inherent in spamassassin in
general (i.e. those using the API or spamassassin command-line don't have this
feature unless implemented elsewhere)






Custom rule

2005-05-20 Thread Joe Zitnik

I'd like to write a custom rule that would allow e-mail in from users that have an attachment with a weird in house extension like foo.bar . How would I do this?


Re: SA Sometimes Being Bypassed?

2005-05-20 Thread Jake Colman
>>>>> "MK" == Matt Kettler [EMAIL PROTECTED] writes:

   MK> Jake Colman wrote:
   >> If my sendmail server is down, a backup MX in a different domain catches all
   >> my email.  When my sendmail server comes back up, the backup MX dumps all the
   >> mail it's been holding for me.  It seems that all the email sent to me in
   >> this manner bypasses my SA filtering.  Why should this be?  I believe that
   >> what I am saying is accurate because if I examine the email headers for
   >> emails sent by the backup MX, they do not have my X-Spam headers.

   MK> How do you call spamassassin for your normal mail?

   MK> Without knowing how normal mail gets to SA, it's hard to guess why
   MK> mail from the secondary isn't getting to SA.

I use a /etc/procmailrc with the following contents:

DROPPRIVS=yes
##LOGFILE=/var/log/procmail
PATH=/usr/bin:/usr/local/bin
MAILDIR=$HOME/mail

:0:
* ^Subject:.*SPAM
caughtspam

:0fw
* < 256000
| spamc

:0:
* ^X-Spam-Status: Yes
caughtspam


This should file all emails flagged with SPAM in the subject (my emails get
pre-filtered by a relay box) in a 'caughtspam' folder.  All other mails are
piped through spamc and then, if X-Spam-Status is 'Yes', they also get filed
in 'caughtspam'.

-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com



Re: Custom rule

2005-05-20 Thread Eric Wood
- Original Message - 
From: Joe Zitnik
 I'd like to write a custom rule that would allow e-mail in from users that
 have an attachment with a weird in house extension like foo.bar .  How would
 I do this?

How about delivering it before spamassassin sees it in procmail?:
:0
* ^Content-Transfer-Encoding:.*base64
* ^Content-(Type|Disposition):.*$?.*name.*=.*\.(bar|xxx|yyy|zzz)
$DEFAULT


Re: rulesdujour and old copies of rule files

2005-05-20 Thread Chris Thielen
Hi Peter,
Peter Kiem wrote:
Hi,
I've noticed there is a buildup of old rules in my 
/etc/mail/spamassassin/RulesDuJour directory like this

109543 May 10 19:07 bogus-virus-warnings.cf
 92609 Aug 10  2004 bogus-virus-warnings.cf.20040819-0402
 93896 Aug 19  2004 bogus-virus-warnings.cf.20040823-0423
 94241 Aug 23  2004 bogus-virus-warnings.cf.20040909-0403
 94292 Sep  9  2004 bogus-virus-warnings.cf.20041101-0453
100387 Oct 30  2004 bogus-virus-warnings.cf.20041103-0434
100389 Nov  2  2004 bogus-virus-warnings.cf.20041109-0406
100721 Nov  8  2004 bogus-virus-warnings.cf.20041217-0418
103643 Dec 16 08:23 bogus-virus-warnings.cf.20041218-0453
103635 Dec 17 10:44 bogus-virus-warnings.cf.20050103-0436
104973 Jan  2 05:22 bogus-virus-warnings.cf.20050114-0501
105986 Jan 13 18:43 bogus-virus-warnings.cf.20050520-0903
Since it seems to be just a history of the script changes can I delete 
all these except for the first file?

Yes, you may delete everything in that directory (even the first file, 
if you feel like it).

Also, does spam assassin ONLY look in the /etc/mail/spamassassin 
folder and no deeper or does it recurse into all subdirectories in 
there as well?

Correct, SA only reads /etc/mail/spamassassin/*.cf and does not recurse.
Chris Thielen




Re: Custom Rule

2005-05-20 Thread Joe Zitnik

I try never to admit this, but we have spamassassin running on a windows box with a third party app. Users send e-mails with .bar attachments. Some are getting hit as spam because of content. I'd like a rule that says if you have a .bar extension on an attachment, let me in.


Re: sa-learn and big messages

2005-05-20 Thread Matt Kettler
Steven Manross wrote:
 Along those same lines, is the message limit of 250K with or without
 attachments?

That's raw message size, including attachments, encoding, and everything else.


Spamc isn't even aware of attachments, so it just looks at the whole message size.



Re: setup spamassassin on Fedora 2

2005-05-20 Thread Mick Szucs
Kenneth Porter wrote:
   I'm setting up SpamAssassin by following the instructions on this website,
   http://www.firstpr.com.au/web-mail/Postfix-SA-Anomy-Maildrop/

You're using FC2, which is RPM-based, so use the SpamAssassin RPM to 
install. It comes with FC2. Use yum to install it: yum install 
spamassassin. Same with postfix or sendmail. For bleeding-edge SA, 
check the SA website and the list archives for how to rebuild SA using 
the source RPM. (We might even have a wiki page on this.)


Latest and greatest pre-built at atrpms.net:
   http://www.atrpms.net/
Along with handy yum, apt-get and up2date config help.
Mick


Re: Custom rule

2005-05-20 Thread Matt Kettler
Joe Zitnik wrote:
 I'd like to write a custom rule that would allow e-mail in from users
 that have an attachment with a weird in house extension like foo.bar . 
 How would I do this?

You'd need to use a full rule, as body and rawbody won't be able to see the mime
section headers.

You'll want to have the rule target headers like this:
Content-Disposition: attachment; filename="EVI-Attachment-Warning.txt"

Sometimes, these headers wrap like this one:

Content-Disposition: attachment;
    filename="00_non_deliverable.cf"

A full rule won't cover the linewrap, so you need to include an optional \s or .
after the attachment part.

So something like this should work:

full L_FOO_BAR  /Content-Disposition: attachment;.{0,30}filename=.{0,50}\.foo\.bar/i



Some files can have an inline disposition, but I doubt your in-house extension
does. That's usually used for text, html and/or graphics that a mail client can
render.


Re: --lint tells me I need 0.34 dns

2005-05-20 Thread Theo Van Dinter
On Fri, May 20, 2005 at 12:08:05AM -0700, Justin Mason wrote:
 It might make sense to turn some of those optional-but-recommended
 dependencies into requirements, in packages for platforms where
 apt-get-style systems are available; if the user doesn't have to
 do additional work to get them, then we should get them by default.

As I was saying, that's up to the distro people to figure out.  If they make
available appropriate revisions of different modules, they can update the spec
file appropriately.

We can't really guess what resources people have available.
apt-get/up2date/yum/etc may not be used.  In this case, I can build RPM
for most any platform, it's a package management system, not a package
distribution system.  ;)

The argument is basically: make it easier for users.  Which is a good
goal, but think about this scenario:  We suggest people build their own
RPMs from our source, they try and find that Net::DNS 0.34 is required,
but their (choosing details randomly) Fedora Core 1 distro only includes
0.31.  Now what?  We've just made their lives more difficult.

I'd rather have SA install and function, and then if people want to
enable extra functionality they jump through hoops than having them do
the hoops to use SA at all.

-- 
Randomly Generated Tagline:
Bender: Aw, I think I got whiplash. 
 Leela: You can't have whiplash, you don't have a neck. 
 Bender: I meant ass whiplash. 




Re: SA Sometimes Being Bypassed?

2005-05-20 Thread Matt Kettler
Jake Colman wrote:
MK == Matt Kettler [EMAIL PROTECTED] writes:
 
 
MK Jake Colman wrote:
 If my sendmail server is down, a backup MX in a different domain catches all
 my email.  When my sendmail server comes back up, the backup MX dumps all the
 mail it's been holding for me.  It seems that all the email sent to me in
 this manner bypasses my SA filtering.  Why should this be?  I believe that
 what I am saying is accurate because if I examine the email headers for
 emails sent by the backup MX, they do not have my X-Spam headers.
 
MK How do you call spamassassin for your normal mail?
 
MK Without knowing how normal mail gets to SA, it's hard to guess why
MK mail from the secondary isn't getting to SA.
 
 I use a /etc/procmailrc with the following contents:
 

Hmmm, does the unscanned mail get delivered to a mailbox on the server running
procmail, or does it go around it? Check your Received: headers.


Re: SA Sometimes Being Bypassed?

2005-05-20 Thread Matt Kettler
Martin Hepworth wrote:
 Jake
 
 have a look at the output of spamassassin -D --lint mailmessage. You
 might be trusting the secondary MX or it might be bypassing your SA
 system altogether.
 

SpamAssassin's concept of trust has nothing to do with it.

There's no X-Spam-* headers, so SA is being bypassed completely.

SA ALWAYS adds at least X-Spam-Checker-Version header, regardless of trust.
(unless you use spamc and the size is over the limit for -s).


Based on the procmail config that Jake posted, one of the following must be true:

1) the messages are too large to be scanned (250k) and thus being bypassed by
spamc (250k-255k) or his procmail rule (256k).

2) the messages from the secondary are never reaching the box that runs SA via
procmail, and are being delivered to a mailbox elsewhere.

3) The messages from the secondary are reaching the box running SA via procmail,
but are relayed without local delivery. (procmail only gets called as the
message is delivered on the local box)


I suspect 2). Particularly if there's some kind of fetchmail,
multi-server-pop-client, or internal groupware server involved in the picture.

3) Is really a theoretical problem, it's possible but highly unlikely. You'd
have a pretty weird server that relays mail for a user only if it came in from a
secondary MX.


Looking at the Received: path and size of some of the messages should clear up
what's going on.
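
The checks suggested in the post above (an X-Spam-Checker-Version header, the message size, the Received: path) can be scripted over saved messages. This is an added example, not code from the thread; the host names, addresses and sample messages are constructed, and only the 256000-byte limit comes from the posted procmailrc.

```python
import re
from email import message_from_string

SIZE_LIMIT = 256000  # from the posted procmailrc: "* < 256000" (250 * 1024 bytes)

def triage(raw, sa_host):
    """Sort one saved message into the cases listed in the post above."""
    msg = message_from_string(raw)
    size = len(raw.encode("utf-8"))
    # Received headers are prepended, so hops[0] is the most recent hop.
    # Only hops added by your own servers are trustworthy evidence.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    by_sa = re.compile(r"\bby\s+" + re.escape(sa_host) + r"(?![\w.-])", re.I)
    if msg["X-Spam-Checker-Version"] is not None:
        verdict = "scanned"
    elif size >= SIZE_LIMIT:
        verdict = "case 1: at or over the size limit, never piped to spamc"
    elif not any(by_sa.search(h) for h in hops):
        verdict = "case 2: never passed through the SA host"
    else:
        verdict = "case 3: reached the SA host without local delivery via procmail"
    return {"verdict": verdict, "size": size, "hops": hops}

def sample(received, extra="", body="hello\n"):
    """Build a constructed message; every host name and address is made up."""
    heads = "".join("Received: " + r + "\n" for r in received)
    return heads + extra + "From: a@example.com\nSubject: test\n\n" + body

PRIMARY = "from relay.example.net by mail.example.org with ESMTP"
BACKUP = "from sender.example.com by backup-mx.example.net with ESMTP"
SAMPLES = {
    "normal": sample([PRIMARY], "X-Spam-Checker-Version: SpamAssassin 3.0.3\n"),
    "large": sample([PRIMARY], body=("x" * 70 + "\n") * 4000),
    "elsewhere": sample(
        ["from backup-mx.example.net by pop.example.net with ESMTP", BACKUP]),
    "held": sample(
        ["from backup-mx.example.net by mail.example.org with ESMTP", BACKUP]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = triage(raw, "mail.example.org")
        print(f"{name:10} {result['size']:7d} bytes  {result['verdict']}")
```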







whitelists

2005-05-20 Thread Thomas Deaton



Should local whitelists go into /etc/mail/spamassassin/local.cf
or /etc/MailScanner/rules/spam.whitelist.rules ?
Is one more effective than the other?

thanks





Re: SA Sometimes Being Bypassed?

2005-05-20 Thread Jake Colman

Let me explain this system, since it might be relevant to the discussion.

This is a simple home-based network server that is processing mail for its
own domain.  This domain (jnc.com) is known to the world and all email sent
to [EMAIL PROTECTED] is delivered to the sendmail running on my box.  All users
have their mailboxes on this system and they use imap to view their email.

Since this machine has a dynamic IP address I use dyndns to host the DNS and
MX entries for jnc.com.  I also use them as a mail relay to forward all my
email to my sendmail server and as a backup MX if my server is down.

When my server is up, all email is processed by my SA.  If my server is down,
my email is held for me at the backup MX.  When my server comes back, the
backup MX sends me all my email.  It appears to me that when my email is
delivered in that scenario that it bypassed my SA.  

Is this at all possible?  Or if it works for one scenario it must work for
both? 

The size of the email should not be an issue since it is all the standard spam
crap we all get.

...Jake

 MK == Matt Kettler [EMAIL PROTECTED] writes:

   MK Martin Hepworth wrote:
Jake

have a look at the output of spamassassin -D --lint mailmessage. You
might be trusting the secondary MX or it might be bypassing your SA
system altogether.


   MK SpamAssassin's concept of trust has nothing to do with it.

   MK There's no X-Spam-* headers, so SA is being bypassed completely.

   MK SA ALWAYS adds at least X-Spam-Checker-Version header, regardless of trust.
   MK (unless you use spamc and the size is over the limit for -s).


   MK Based on the procmail config that Jake posted, one of the following must be true:

   MK 1) the messages are too large to be scanned (250k) and thus being bypassed by
   MK spamc (250k-255k) or his procmail rule (256k).

   MK 2) the messages from the secondary are never reaching the box that runs SA via
   MK procmail, and are being delivered to a mailbox elsewhere.

   MK 3) The messages from the secondary are reaching the box running SA via procmail,
   MK but are relayed without local delivery. (procmail only gets called as the
   MK message is delivered on the local box)


   MK I suspect 2). Particularly if there's some kind of fetchmail,
   MK multi-server-pop-client, or internal groupware server involved in the picture.

   MK 3) Is really a theoretical problem, it's possible but highly unlikely. You'd
   MK have a pretty weird server that relays mail for a user only if it came in from a
   MK secondary MX.


   MK Looking at the Received: path and size of some of the messages should clear up
   MK what's going on.





-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com



Re: Custom rule

2005-05-20 Thread Joe Zitnik

A couple of further questions. I was looking through your howto on the spamassassin site, and didn't see any info on full type rules. So where I would normally put header, body, etc, I'd put full, correct? Is there some way I could eliminate the /Content-Disposition: attachment;.{0,30} portion of the rule and just search for the filename=.{0,50}\.foo\.bar/i portion of the rule, since because the extension is specific to our organization, a match on that filename would be enough?

Matt Kettler [EMAIL PROTECTED] 5/20/2005 11:16:58 AM

 Joe Zitnik wrote:
  I'd like to write a custom rule that would allow e-mail in from users
  that have an attachment with a weird in house extension like foo.bar .
  How would I do this?

 You'd need to use a full rule, as body and rawbody won't be able to see the mime
 section headers.

 You'll want to have the rule target headers like this:
 Content-Disposition: attachment; filename="EVI-Attachment-Warning.txt"

 Sometimes, these headers wrap like this one:

 Content-Disposition: attachment;
     filename="00_non_deliverable.cf"

 A full rule won't cover the linewrap, so you need to include an optional \s or .
 after the attachment part.

 So something like this should work:

 full L_FOO_BAR  /Content-Disposition: attachment;.{0,30}filename=.{0,50}\.foo\.bar/i

 Some files can have an inline disposition, but I doubt your in-house extension
 does. That's usually used for text, html and/or graphics that a mail client can
 render.


Re: Custom rule

2005-05-20 Thread Matt Kettler
Joe Zitnik wrote:
 A couple of further questions.  I was looking through your howto on the
 spamassassin site, and didn't see any info on full type rules.  So where
 I would normally put header, body, etc, I'd put full, correct? 

Yes.

full is a rule type that examines the full message text. I didn't cover them in
the howto because they're not commonly used. Their primary use is in examining
mime boundaries, or in examining base64 or QP encodings that both body and
rawbody rules can't see.

You can find a description of the full keyword in the Mail::SpamAssassin::Conf
manpage.


 Is there
 some way I could eliminate the /Content-Disposition: attachment;.{0,30}
 portion of the rule and just search for the filename=.{0,50}\.foo\.bar/i
 portion of the rule, since because the extension is specific to our
 organization, a match on that filename would be enough?

Yes, that would in general be fine. I made it a bit more specific than needed,
with the expectation you could trim it down as desired.

Also, I thought you wanted to match filename.foo.bar instead of
filename.bar, so you can ditch the \.foo part.
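
A way to check candidate patterns for the rule discussed in this post and in the earlier "Custom rule" reply before deploying one, showing which header layouts each pattern matches. This is an added example, not code from the thread: it runs the regexes with Python's `re` instead of SpamAssassin, assumes a full rule sees the raw message as one string, and the `folded_ok` and `anchored` variants and all sample messages are constructed here.

```python
import re

RULES = {
    # The two patterns from the thread (with and without the leading portion).
    "thread_full": r"Content-Disposition: attachment;.{0,30}filename=.{0,50}\.foo\.bar",
    "thread_trimmed": r"filename=.{0,50}\.bar",
    # Assumption: \s in the gap (the "optional \s" from the post) spans a folded header.
    "folded_ok": r"Content-Disposition: attachment;\s{0,30}filename=.{0,50}\.bar",
    # Assumption: additionally require the name to end in .bar at end of line.
    "anchored": r"Content-Disposition: attachment;\s{0,30}filename=.{0,50}\.bar\"?[ \t]*$",
}

def message(part_header, body_text="See attached."):
    """Build a constructed two-part message around the given part header."""
    return "\n".join([
        "From: user@example.com",
        "Subject: nightly export",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        body_text,
        "--b1",
        part_header,
        "Content-Transfer-Encoding: base64",
        "",
        "AAAA",
        "--b1--",
        "",
    ])

SAMPLES = {
    "one_line": message('Content-Disposition: attachment; filename="report.foo.bar"'),
    "folded": message('Content-Disposition: attachment;\n\tfilename="report.foo.bar"'),
    "not_ending": message('Content-Disposition: attachment; filename="notes.bar.txt"'),
    # No attachment at all; the string only appears in the body text.
    "body_only": message("Content-Type: text/plain", "set filename=notes.bar in the config"),
}

def evaluate():
    """Return {rule: {sample: matched}}; re.I mirrors /i, re.M only affects '$'."""
    return {
        rule: {name: bool(re.search(pat, raw, re.I | re.M)) for name, raw in SAMPLES.items()}
        for rule, pat in RULES.items()
    }

if __name__ == "__main__":
    for rule, row in evaluate().items():
        print(f"{rule:15}", row)
```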



Re: whitelists

2005-05-20 Thread Matt Kettler
Thomas Deaton wrote:
 Should local whitelists go into /etc/mail/spamassassin/local.cf
 or /etc/MailScanner/rules/spam.whitelist.rules
 ?
 Is one more effective than the other?

They operate differently, and in general the MailScanner level whitelist
(spam.whitelist.rules) is better than using SA's whitelists in local.cf.

However, beware that this file is a MailScanner file, and does not accept
SpamAssassin whitelist_from type syntax.

MailScanner's whitelist can also act on the relay IP.

SA's whitelists, while useful, are in general a little bit of a hack intended to
help those who can't do whitelisting at a higher layer. Tools above SA have
clear access to the message envelope, and tend to suffer less from the
ambiguities that SA suffers from when guessing at the envelope based on hints in
the message headers.


Re: --lint tells me I need 0.34 dns

2005-05-20 Thread Eric Wood

- Original Message - 
From: [EMAIL PROTECTED]
 Yes.  0.34 is necessary for SpamAssassin 3.0.

 two questions:

 1.  What breaks in SA when using Net::DNS version 0.31 ?

Nothing should break.  The INSTALL file states that spamassassin will
silently skip certain tests if/when a particular perl module is not
installed or not up to a required version.

 2.  What is the easiest way to update Net::DNS to 0.34 ?

This was very easy:
   perl -MCPAN -e shell    [as root]
   o conf prerequisites_policy ask
   install Net::DNS
   quit

which is cool for just updating a particular perl module.  I did it for the
first time yesterday on two FC1 systems.  Then use a spamassassin 3.x.x. rpm
to install the main program and restart the daemon.  It's documented in the
middle of the INSTALL file.

-eric wood