Re: problem with FORGED_HOTMAIL_RCVD

2005-06-02 Thread Daryl C. W. O'Shea

Russ Ringer wrote:

This triggered FORGED_HOTMAIL_RCVD. Another bug?

Received: from bay0-smtp02.bay0.hotmail.com (65.54.241.109)
  by mail.avtcorp.com with SMTP; 31 May 2005 23:43:25 -
Message-ID: [EMAIL PROTECTED]
X-Originating-IP: [63.226.220.248]
X-Originating-Email: [EMAIL PROTECTED]
Received: from officepc ([63.226.220.248]) by
BAY0-SMTP02.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
 Tue, 31 May 2005 16:43:22 -0700
---snip ---


Off the top of my head, it looks like the test would pass on the headers 
you've shown.  I do believe it checks more though.


You'll need to either post a full message on the list, or if you believe 
it to be a bug, create a bug in bugzilla and attach (via create new 
attachment in bugzilla -- not copy and paste) a full message to the bug.



Daryl



Re: possible memory memory with SA 3.0.3 under Debian Linux

2005-06-02 Thread Thomas Jacob

 Are you limiting the size of msgs that exim is sending to spamd to scan?
 
 For folks using Exim, please see Justin's msg to the users list the
 other day:
 http://mail-archives.apache.org/mod_mbox/spamassassin-users/200505.mbox/[EMAIL PROTECTED]
 
 You really need to be limiting the msgs you send to spamd and it
 appears that the default Exim install does not do this.

Thanks for that advice, we'll definitely be trying that out, but this
does not appear to fit our experience. We've been using this for at least
a year now, with the exact same exim/exiscan setup and configuration, only
with different versions of spamassassin.

Now we changed from Gentoo based systems (which did not use
sa  3.02) to Debian based systems (with 3.03 initially), still using
the same version/config of exim/exiscan. When used in combination with
Spamassassin 3.03, we got the said memory problems. Since we downgraded
to 3.02 yesterday, the problems have disappeared. 

--
___
Thomas Jacob
-Softwareentwickler-

IMS Internet-Media-Service GmbH
Bärensteiner Straße 7
01277 Dresden

Fon: +49 351 2112033
Fax: +49 351 2112020
Email: [EMAIL PROTECTED]

Pungenday
7th of Confusion, 3171




Re: possible memory memory with SA 3.0.3 under Debian Linux

2005-06-02 Thread Thomas Jacob
 Now we changed from Gentoo based systems (which did not use
 sa  3.02) to Debian based systems (with 3.03 initially), still using
 the same version/config of exim/exiscan. When used in combination with
 Spamassassin 3.03, we got the said memory problems. Since we downgraded
 to 3.02 yesterday, the problems have disappeared. 

Correction, this is not in fact true. The problems did occur again
also with 3.02, both on non-Debian systems and on Debian systems,
overnight, but have stopped now, so they seem to be more related to
oversized email, not to a spamassassin problem. Sorry about that.




Re: drop in graph??

2005-06-02 Thread Ronan McGlue

Paul Boven wrote:

Mike Jackson wrote:

I'm sure there are some PHP hackers who have much nicer graphs than I 
do, but I found the easiest thing to do was to extract numbers from 
my logs with some perl scripts and paste them into Excel. Management 
likes Excel and it makes pretty charts. :)


It's not automated, but it does have lots of primary colours.




You can save yourself a lot of time with the Spreadsheet::WriteExcel 
CPAN module. I don't know if you can use it to make the charts and 
graphs, but at least you can have it write out the data.



Instead of making a spreadsheet, how about a bit of gnuplot?

Input: (generated by some overly complicated script-magic I don't dare 
share in here)


#date        recvd   spam    rej     FN    FP  Vir
2005-04-03:  18615   11776   4445    163   0   93
2005-04-04:  20920   10750   5206    73    0   131
2005-04-05:  19325   9368    5412    70    0   150
2005-04-06:  22396   11259   5803    86    0   95
2005-04-07:  20741   8981    6499    75    0   116
2005-04-08:  23526   12300   6222    120   0   115
2005-04-09:  21856   14664   6489    128   1   91
                                           ^ Uhoh...

gnuplotrc:

set terminal png small color picsize 800 500
set output 'spamstats.png'
set format x '%Y-%m-%d'
set key outside
set xdata time
set timefmt '%Y-%m-%d'
set xtics rotate
set xtics 86400
plot 'bayes.log' using 1:2 title ' received' with linespoints, \
     'bayes.log' using 1:3 title 'spam' with linespoints, \
     'bayes.log' using 1:4 title ' rejected' with linespoints, \
     'bayes.log' using 1:($5+$6) title 'false' with linespoints, \
     'bayes.log' using 1:7 title 'virus' with linespoints
set output 'percentage.png'
plot 'bayes.log' using 1:(100*$5/($2)) title ' %falseneg' with linespoints, \
     'bayes.log' using 1:(100*$6/($2)) title ' %falsepos' with linespoints



And then it's just 'gnuplot gnuplotrc' and presto, pretty pictures.

Regards, Paul Boven.


I like it... thanks. I was gonna go rrdtool, but I like the looks of this.

But why isn't your "complicated script-magic I don't dare share in here"
GNU public licence?


;)

ronan

--


Regards

Ronan McGlue
Info. Services
QUB


Score an entire cf file

2005-06-02 Thread Reginaldo O. Andrade




Hi, list!

I'm developing a custom cf file to block messages with specific strings
and I would like to know if it is possible to score an entire file with
the same value without using the command "score RULE_NAME X.XX" for each
rule in the archive.

 Thanks in advance.

Reginaldo O. Andrade
Network Administrator


New drug variants

2005-06-02 Thread Reginaldo O. Andrade




Hi, list!

I received today new variants of those annoying spams with "drugs"
(described below) that SpamAssassin 3.0.3 with default cf files didn't
block. Does anyone know what to do?

VlÁGRÀ
CÎÀLlS

Thanks in advance!

Reginaldo O. Andrade
Network Administrator


Re: Score an entire cf file

2005-06-02 Thread Loren Wilton
I'm developing a custom cf file to block messages with specific strings
and I would like to know if is it possible to score an entire file with the
same value without using the command score RULE_NAME X.XX for each rule in
the archive.

No.  You need a score per rule.  If you think about it, different rules hit
on different things, so they shouldn't all have the same score.

If you are feeling lazy, there are two things you might do:

1. Don't give any scores.  All rules with names that don't start with
__ get a default score of 1.

2. Change all of the rule names to start with two underscores, and then
make one or several absolutely huge meta rules at the end that gather up all
of the rules into a single rule, then score it.

I don't recommend either of these actions.

Loren



Re: New drug variants

2005-06-02 Thread Martin Hepworth

hi

make sure the URI-RBL plugin is enabled in init.pre, that you have a 
recent version of Net::DNS Perl Module and maybe add the JP URI-RBL as 
per instructions at www.surbl.org


Also a lot of the rules @ www.rulesemporium.org can help too..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Reginaldo O. Andrade wrote:

Hi, list!
 
I received today new variants of those annoying spams with "drugs" 
(described below) that SpamAssassin 3.0.3 with default cf files didn't 
block. Does anyone know what to do?
 
VlÁGRÀ
CÎÀLlS
 
Thanks in advance!
 
Reginaldo O. Andrade

Network Administrator





Re: Question on ISP's, verizon TBS.

2005-06-02 Thread Duncan Hill
On Thursday 02 June 2005 14:33, Gene Heskett typed:
 Greetings;

 I rx'd several copies of what I think was a viri yesterday,
 purportedly coming from verizon.net, my isp.

 A very short text message mentioning my account, with a 60
 kilobyte .zip file attached.  The thing that bothers me is that it
 was addressed to that gibberish string they use as the primary account
 identifier, and not to the alias you all see this message coming
 from.  Which to me means the viri generator has access to data that
 is not supposed to be public.  Their machinery has been compromised,

The verizon id, as I remember, was machine generated.

This means that a worm can generate it.

It'll hit a lot of invalid accounts, but with free zombienets, does it matter?


Re: max-conn-per-child spamd flag?

2005-06-02 Thread Jake Colman
 LW == Loren Wilton [EMAIL PROTECTED] writes:

I just noticed the --max-conn-per-child option in the spamd man page.
While the description is fairly straightforward, I'm curious if anyone
else is using this

   LW Yes, many people

, why, and if it's helped with spamd processes consuming RAM (which is
what I'm trying to fix at the moment).

   LW Which is why people are using it.  In 3.0.1 and to a lesser extent in
   LW 3.0.2, spamd children could get real fat and stay that way for a long
   LW time, eating the machine for dinner.  Setting max-con-per-child to a
   LW lower number will make the fat kids die quicker, so there is much less
   LW chance of them all being fat at once.

   LW Depending on the weather, phase of the moon, amount of ram you have,
   LW and other things, you may find limits from a couple hundred down to
   LW about 5 to be appropriate.  I'd probably suggest 100 to 50 as a good
   LW starting range to play with.

   LW Dont forget the -m option.  If you have more than about 5 children
   LW running and don't have a huge email flow you might do well to cut the
   LW number of children down to the 3 to 10 range.


Loren,

What is considered huge email flow and what are appropriate values for
connections and children?

I have a home network and use it to host a mail server for my published
domain.  Almost 90% of the email received by my server is spam.  A huge
number of additional sendmail connections are rejected because of unknown
users or other invalid crap.  In the past 24 hours I received appx 1000
valid messages, of which only appx 100 were non-spam.  I received over 45000
invalid smtp connections over the same period.

In order to stop my server (running on old hardware) from being brought to its
knees, I use the following spamd/sendmail configuration:

spamd: default number of children
sendmail: daemon_children 25, rate_throttle 3, rcpt_throttle 3

Does this make sense?  Should I (can I) reduce the number of sendmail
children to better match spamd?

Thanks for your help and insight.

...Jake

-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com



procmailrc being bypassed - again

2005-06-02 Thread Jake Colman

I posted this problem last week and was told that it might be due to an SA
problem when overwhelmed by too many connections.  This problem only occurs
when my server has been off-line and then gets swamped from the backup MX
once it comes back on-line.

I use the default number of spamd children and have configured sendmail for
25 daemon children.  SA works perfectly and is filtering wonderfully except
for this one situation when I come back on-line and get swamped.  The
initial batch of emails that I receive are clearly missing my SA headers.
This seems to imply that SA ignored them.

What do I do about this?!

TIA!

...Jake

-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com



Re: 3.0.3 uses all CPUs after tie

2005-06-02 Thread Justin Mason

can you repro this reliably?  if so, output from -D and/or an strace
-f -p $spamdpid would be helpful.

where does tie come in? (from the subj line).

--j.

Matthew Daubenspeck writes:
 I am using Spamassassin 3.0.3 on a Gentoo AMD64 system with exim and
 exiscan. This has worked VERY well for months without a single issue.
 All of the sudden spamd eventually uses all of both CPU's and nearly
 locks the machine. I have tried downgrading to 3.0.2 with the same
 result. I have been using several of the RulesDuJour's and first started
 to suspect that.
 
 I removed all of the files from /etc/mail/spamassassin except for the
 following local.cf:
 
 required_hits   5
 skip_rbl_checks 0
 use_bayes   0
 score HELO_DYNAMIC_IPADDR   2
 score ALL_TRUSTED   0
 use_auto_whitelist  0
 
 When spamd is running normally its processes look as such:
 
 # ps aux | grep spamd
 root     29434  0.0  1.6  66712 33828 ?  Ss   21:13   0:00 /usr/sbin/spamd -d -r /var/run/spamd.pid -m 5 -c -H
 root     29442  0.1  1.8  69712 37152 ?  S    21:13   0:00 spamd child
 root     29443  0.0  1.7  68852 36300 ?  S    21:13   0:00 spamd child
 root     29444  0.0  1.7  68444 35904 ?  S    21:13   0:00 spamd child
 root     29445  0.0  1.7  68124 35584 ?  S    21:13   0:00 spamd child
 root     29446  0.0  1.7  68160 35600 ?  S    21:13   0:00 spamd child
 
 When both CPU's are pegged at 100%, they look like this:
 
 # ps aux | grep spamd
 root     10097  0.2  5.6 152336 117208 ?  Ss   10:32   0:06 /usr/sbin/spamd -d -r /var/run/spamd.pid -m 5 -c -H
 root     10378  0.9  6.8 176116 141012 ?  S    10:32   0:19 spamd child
 root     10379  1.0  6.6 170452 136024 ?  S    10:32   0:22 spamd child
 root     10380  0.9  6.8 174528 140080 ?  S    10:32   0:19 spamd child
 nobody   10381 27.1 38.0 818616 783476 ?  R    10:32   9:20 spamd child
 root     10382  0.7  6.4 167376 133004 ?  S    10:32   0:16 spamd child
 
 I'm sure pasting that to a message screwed everything up, so you can
 also see them at http://daubnet.dyndns.org:3000/foo/spamassassin
 
 For some reason, one of the processes switches from being owned by root
 to owned by nobody. Its state also changes from S to R. The only way I
 can clear this is by killing all spamd processes and restarting the
 service. I was initially using bayes, but thought that might have
 something to do with it so I disabled it. This made no change. 
 
 I've tried everything I can think of but nothing makes any difference. I
 have searched the archives and can't seem to find a solution. I know the
 list has heard this a million times, but I have changed nothing as far
 as settings in months :)
 
 Any suggestions?



Re: 3.0.3 uses all CPUs after tie

2005-06-02 Thread Matthew Daubenspeck
On Thu, Jun 02, 2005 at 11:40:39AM -0700, Justin Mason wrote:
 can you repro this reliably?  if so, output from -D and/or an strace
 -f -p $spamdpid would be helpful.

It randomly happens after an hour or so of use. Next time it happens I
will try both and send it to the list.

 where does tie come in? (from the subj line).

Whoops. That should have been time :)


Re: procmailrc being bypassed - again

2005-06-02 Thread David B Funk
On Thu, 2 Jun 2005, Jake Colman wrote:


 I posted this problem last week and was told that it might be due to an SA
 problem when overwhelmed by too many connections.  This problem only occurs
 when my server has been off-line and then gets swamped from the backup MX
 once it comes back on-line.

 I use the default number of spamd children and have configured sendmail for
 25 daemon children.  SA works perfectly and is filtering wonderfully except
 for this one situation when I come back on-line and get swampled.  The
 initial batch of emails that I receive are clearly missing my SA headers.
 This seems to imply that SA ignored it.

 What do I do about this?!

From your comments, I'm going to infer that you're using
sendmail+procmail+spamc+spamd rather than sendmail+milter+spamd
This means that you're running SA at delivery time rather than incoming
connection time.

The easy way to prevent SA overload in that scenario is to single-thread
the delivery process at those times. Just tell your sendmail to queue
messages and deliver at the queue run rather than deliver immediately.
At queue-run time, the messages are removed from the queue and processed
one-at-a-time.

You may be able to automate this: try reducing your 'queue-loadave' value
to something just above the usual loadave value for your machine
(the confQUEUE_LA value in your .mc file or QueueLA in your .cf file).
The idea is that when your machine is handling that backup MX flood, its
loadave goes up and triggers the queuing behavior.

If the loadave does -not- go up (due to waiting for things like DNS
queries) then you'll have to manually trigger the queuing behavior.
Edit your sendmail.cf (or .mc) file to add the 'Expensive' flag (e)
to your local mailer and run sendmail with the 'HoldExpensive=true'
option set (you can do this from the command line: start sendmail with
the '-OHoldExpensive=true' argument added).

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{


What is MSGID_FROM_MTA_ID ?

2005-06-02 Thread Tim Macrina
Could someone please explain what this is: MSGID_FROM_MTA_ID?

My messages that I send from outlook all seem to have that.


Re: Use of localhost.rfc-ignorant.org?

2005-06-02 Thread Nick Leverton
On Tue, May 31, 2005 at 05:22:06PM -0500, Stewart, John wrote:
 
  Hmm, in my copy of SA 3.0.3 an ipwhois rule is present, but commented
  out with a note saying disabled since ipwhois is going away.  By any
  chance are you using an older version of SA?
 
 Aye, thanks. I'm using 2.6.4, yes.

I don't have that rule name in my 2.6.4 installation.  As far as I can
see it arrived some time in 3.0.x (x = 2).  Maybe you have an updated
rulefile, in which case it might have other out-of-date things?

Nick


Re: 3.0.3 uses all CPUs after tie

2005-06-02 Thread Thomas Jacob
 It randomly happens after an hour or so of use. Next time it happens I
 will try both and send it to the list.

To follow up on the Debian thread with the same problem:

Since this seems to happen for several people during the last days, could it
be that this is not in fact exim/exiscan related, but some sort of
bug/attack on spamassassin/perl thru spam containing certain triggers,
causing buffer overflows?

I've tried analyzing our scanning logs a bit today, from the times when
the memory usage exploded, and there was nothing unusual about the
size or number of scanned mail.




At wit's end - SA is *still* tagging list traffic!

2005-06-02 Thread Thomas Cameron
All -

I have added these to my local.cf:

whitelist_from_rcvd [EMAIL PROTECTED]

But I am still seeing list traffic with spam samples being tagged.  Can
someone please tell me what on Earth I need to do to tell SA to ignore
anything on this list?  Procmail rules are not an option - I use SA on a
relay server which uses a milter.

Thanks
Thomas



Re: At wit's end - SA is *still* tagging list traffic!

2005-06-02 Thread Kevin W. Gagel
 All -
 
 I have added these to my local.cf:
 
 whitelist_from_rcvd [EMAIL PROTECTED]
 
 But I am still seeing list traffic with spam samples being
 tagged.  Can someone please tell me what on Earth I need
 to do to tell SA to ignore anything on this list? 
 Procmail rules are not an option - I use SA on a relay
 server which uses a milter.
 
 Thanks
 Thomas

Thomas,

I assume you are restarting spamassassin after you make your
changes. If not then that is what the problem is.

If so then it may be your milter. What is it using for your
configuration, and what does spamassassin --lint show you?

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 561-5848 local 448


---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---


Re: At wit's end - SA is *still* tagging list traffic!

2005-06-02 Thread Theo Van Dinter
On Thu, Jun 02, 2005 at 04:32:05PM -0500, Thomas Cameron wrote:
 I have added these to my local.cf:
 whitelist_from_rcvd [EMAIL PROTECTED]

1) That's not a valid line, rtm. :)
2) The mails come from spamassassin.apache.org, not apache.org.

You can try something like:

whitelist_from_rcvd [EMAIL PROTECTED] apache.org

Other possible issues include not having the envelope sender in the headers,
so SA can't figure out where the mail is actually from, but give the above a
shot first.

-- 
Randomly Generated Tagline:
I'm not making any money with my Liberal Arts degree...
  - Peter Mulvey




RE: At wit's end - SA is *still* tagging list traffic!

2005-06-02 Thread Kristopher Austin
Thomas,

You can do one of two things:
whitelist_to users@spamassassin.apache.org

or

whitelist_from_rcvd [EMAIL PROTECTED] apache.org

I prefer the latter.  Notice the correct format as opposed to what you
used.  Make sure to restart SA after performing a --lint.

Kris

-Original Message-
From: Thomas Cameron [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 02, 2005 4:32 PM
To: users@spamassassin.apache.org
Subject: At wit's end - SA is *still* tagging list traffic!

All -

I have added these to my local.cf:

whitelist_from_rcvd [EMAIL PROTECTED]

But I am still seeing list traffic with spam samples being tagged.  Can
someone please tell me what on Earth I need to do to tell SA to ignore
anything on this list?  Procmail rules are not an option - I use SA on a
relay server which uses a milter.

Thanks
Thomas



Re: At wit's end - SA is *still* tagging list traffic!

2005-06-02 Thread Bill Landry
- Original Message - 
From: Thomas Cameron [EMAIL PROTECTED]



All -

I have added these to my local.cf:

whitelist_from_rcvd [EMAIL PROTECTED]

But I am still seeing list traffic with spam samples being tagged.  Can
someone please tell me what on Earth I need to do to tell SA to ignore
anything on this list?  Procmail rules are not an option - I use SA on a
relay server which uses a milter.


See the whitelist_from_rcvd section of:

http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options

for a description of how to properly use this whitelist feature.  I have my 
entry setup as follows:


whitelist_from_rcvd [EMAIL PROTECTED]  apache.org 
SpamAssassin List


See if that works for you...

HTH,

Bill 



RE: At wit's end - SA is *still* tagging list traffic!

2005-06-02 Thread Thomas Cameron
On Thu, 2005-06-02 at 16:42 -0500, Kristopher Austin wrote:
 Thomas,
 
 You can do one of two things:
 whitelist_to users@spamassassin.apache.org
 
 or
 
 whitelist_from_rcvd [EMAIL PROTECTED] apache.org
 
 I prefer the latter.  Notice the correct format as opposed to what you
 used.  Make sure to restart SA after performing a --lint.
 
 Kris

Not that I am arguing, but that's not what the man page says.  The
example for whitelist_from_rcvd there shows this:

whitelist_from_rcvd [EMAIL PROTECTED]

Why is your syntax better?

Again, not arguing, just want to understand.

Thomas



Re: At wit's end - SA is *still* tagging list traffic!

2005-06-02 Thread jdow
Better yet teach your system to bypass SpamAssassin for all the
SpamAssassin lists. Sometimes a simple whitelist entry might not
be enough.

{^_-}
- Original Message - 
From: Kristopher Austin [EMAIL PROTECTED]

Thomas,

You can do one of two things:
whitelist_to users@spamassassin.apache.org

or

whitelist_from_rcvd [EMAIL PROTECTED] apache.org

I prefer the latter.  Notice the correct format as opposed to what you
used.  Make sure to restart SA after performing a --lint.

Kris

-Original Message-
From: Thomas Cameron [mailto:[EMAIL PROTECTED] 

All -

I have added these to my local.cf:

whitelist_from_rcvd [EMAIL PROTECTED]

But I am still seeing list traffic with spam samples being tagged.  Can
someone please tell me what on Earth I need to do to tell SA to ignore
anything on this list?  Procmail rules are not an option - I use SA on a
relay server which uses a milter.

Thanks
Thomas



Re: At wit's end - SA is *still* tagging list traffic!

2005-06-02 Thread Daryl C. W. O'Shea

Thomas Cameron wrote:

Not that I am arguing, but that's not what the man page says.  The
example for whitelist_from_rcvd there shows this:

whitelist_from_rcvd [EMAIL PROTECTED]

Why is your syntax better?

Again, not arguing, just want to understand.

Thomas


Actually, the man page says:

whitelist_from_rcvd [EMAIL PROTECTED]  sergeant.org


You need both the email address it's from and the server it is rcvd 
from.


Daryl



Re: max-conn-per-child spamd flag?

2005-06-02 Thread Loren Wilton
LW Dont forget the -m option.  If you have more than about 5 children
LW running and don't have a huge email flow you might do well to cut
the
LW number of children down to the 3 to 10 range.

 What is considered huge email flow and what are appropriate values for
 connections and children?

I'd think 5 children should be good for a few thousand mail/hour at least,
given a decent box (= 1GHz) to run SA.  A home net like you describe would
probably run perfectly happily with 1 or 2 children at most.  Anything above
that is likely to just be sitting there using resources.  Of course, if you
have the resources to burn, then it probably isn't worth cutting the number
of children down.

Look at it this way: how long does it take a child to process a message, on
average (total time, not processor time)?  Maybe a few seconds at most?
Let's say 5 seconds as an estimate.  Then each child can process 3600/5 =
720 messages/hour.  You are receiving 1K messages/day, which is 1000/24=42
messages/hour.  A single child would then have 17 times the capacity you
need, and would be idle 94% of the time.  Five children taken together will
be idle something like 99% of the time.

Of course these are steady-state estimates, and queuing theory says that
things can get nasty for a while in burst modes if you only have one or two
children.  So having 5 children can result in keeping the throughput time
down in the area of 10-20 seconds total queuing+processing time per mail
when you get a sudden flood of 50 or 100 mails in a short period of time.
Still, more than 3 children is probably overkill under any situation for
your mail rate.


 Does this make sense?  Should I (can I) reduce the numebr of sendmail
 children to better match spamd?

Sendmail I don't know beans about, so hopefully someone else will be able to
answer those questions.  Or possibly you can answer them yourself, if you
just consider the mail process as a long queue with lumps in it, and
determine what the overall linear processing time for a mail item is.  If
you know the single-item processing time, you can assume (for lack of better
measurement information) that you can get a throughput that will be
something like (single item rate * number of parallel processes * 0.8)
before things go to hell and the queue depths start to blow out the top.

Loren
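
The arithmetic in Loren's reply, worked through as an added example that is not part of the original thread: a small Python model of the capacity estimate (720 messages/hour per child at 5 s each, about 42 messages/hour arriving for 1000 messages/day, the 0.8 safety factor for throughput) plus the burst case he warns about, where a flood of mail arrives at once and is shared among a few children. The function names and the deterministic burst model (every message arrives at the same instant, each child handles one message at a time) are my assumptions, not anything from the post.

```python
import math

SECONDS_PER_HOUR = 3600
HOURS_PER_DAY = 24


def per_child_capacity_per_hour(service_seconds):
    """Messages one spamd child can finish per hour if each takes
    service_seconds of wall-clock time (total time, not CPU time).
    5 s per message -> 720 messages/hour."""
    return SECONDS_PER_HOUR / float(service_seconds)


def hourly_arrival_rate(messages_per_day):
    """Average inbound rate, assuming mail is spread evenly over the day."""
    return messages_per_day / float(HOURS_PER_DAY)


def headroom_factor(messages_per_day, service_seconds):
    """How many times more capacity a single child has than the load needs."""
    return per_child_capacity_per_hour(service_seconds) / hourly_arrival_rate(messages_per_day)


def idle_fraction(messages_per_day, service_seconds, children):
    """Steady-state fraction of time each child sits idle when the load is
    shared evenly across `children` processes."""
    offered_load = hourly_arrival_rate(messages_per_day) / per_child_capacity_per_hour(service_seconds)
    return 1.0 - offered_load / children


def recommend_children(messages_per_day, service_seconds, target_busy=0.8):
    """Smallest number of children that keeps each one below target_busy
    utilisation.  0.8 is the rule of thumb from the post: above roughly 80%
    utilisation the queue depth starts to run away.  (Assumed helper.)"""
    offered_load = hourly_arrival_rate(messages_per_day) / per_child_capacity_per_hour(service_seconds)
    return max(1, int(math.ceil(offered_load / target_busy)))


def sustainable_throughput(service_seconds, children, safety=0.8):
    """Messages/hour the pool can absorb before queueing blows up:
    single-item rate * number of parallel processes * 0.8."""
    return per_child_capacity_per_hour(service_seconds) * children * safety


def burst_completion(n_messages, service_seconds, children):
    """Burst case: n_messages arrive at the same instant and `children`
    workers each process one message at a time.  Returns the wall-clock
    time (queueing + processing) until the last message is done and the
    mean over all messages.  Deterministic model, an assumption here."""
    finish_times = [((k // children) + 1) * service_seconds for k in range(n_messages)]
    return {"last": finish_times[-1], "mean": sum(finish_times) / float(n_messages)}


if __name__ == "__main__":
    # Figures from the post: about 1000 messages/day, about 5 s per message.
    print("per-child capacity/hour:", per_child_capacity_per_hour(5))
    print("arrivals/hour:", round(hourly_arrival_rate(1000), 1))
    print("headroom with one child: %.1fx" % headroom_factor(1000, 5))
    for c in (1, 2, 5):
        print("children=%d idle=%.1f%%" % (c, 100 * idle_fraction(1000, 5, c)))
    print("recommended children:", recommend_children(1000, 5))
    print("sustainable throughput/hour with 5 children:", sustainable_throughput(5, 5))
    for c in (1, 2, 5):
        print("burst of 100 mails, children=%d:" % c, burst_completion(100, 5, c))
```

Run as-is it reproduces the post's figures (17x headroom, 94% idle for one child, about 99% idle for five); the burst figures show why a second or third child is cheap insurance against the backup-MX flood described elsewhere in the thread, while five children mostly sit idle.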



[SOLVED] Re: At wit's end - SA is *still* tagging list traffic!

2005-06-02 Thread Thomas Cameron
On Thu, 2005-06-02 at 16:32 -0500, Thomas Cameron wrote:
 All -
 
 I have added these to my local.cf:
 
 whitelist_from_rcvd [EMAIL PROTECTED]
 
 But I am still seeing list traffic with spam samples being tagged.  Can
 someone please tell me what on Earth I need to do to tell SA to ignore
 anything on this list?  Procmail rules are not an option - I use SA on a
 relay server which uses a milter.
 
 Thanks
 Thomas

I was whitelisting apache.org instead of spamassassin.apache.org.  I
assumed (bad, I know) that child domains would be covered by
whitelisting the parent domain.

Now my local.cf setting is:

whitelist_from_rcvd [EMAIL PROTECTED]

Thanks to all who helped.

Thomas



[REALLY SOLVED THIS TIME] Re: At wit's end - SA is *still* tagging list traffic!

2005-06-02 Thread Thomas Cameron
On Thu, 2005-06-02 at 16:32 -0500, Thomas Cameron wrote:
 All -
 
 I have added these to my local.cf:
 
 whitelist_from_rcvd [EMAIL PROTECTED]
 
 But I am still seeing list traffic with spam samples being tagged.  Can
 someone please tell me what on Earth I need to do to tell SA to ignore
 anything on this list?  Procmail rules are not an option - I use SA on a
 relay server which uses a milter.
 
 Thanks
 Thomas

My last was a typo - the line in local.cf is

whitelist_from_rcvd [EMAIL PROTECTED] apache.org

That causes SA to score messages with -100.

Thanks all!
Thomas



Re: [SOLVED] Re: At wit's end - SA is *still* tagging list traffic!

2005-06-02 Thread Bill Landry
- Original Message - 
From: Thomas Cameron [EMAIL PROTECTED]



On Thu, 2005-06-02 at 16:32 -0500, Thomas Cameron wrote:

All -

I have added these to my local.cf:

whitelist_from_rcvd [EMAIL PROTECTED]

But I am still seeing list traffic with spam samples being tagged.  Can
someone please tell me what on Earth I need to do to tell SA to ignore
anything on this list?  Procmail rules are not an option - I use SA on a
relay server which uses a milter.

Thanks
Thomas


I was whitelisting apache.org instead of spamassassin.apache.org.  I
assumed (bad, I know) that child domains would be covered by
whitelisting the parent domain.

Now my local.cf setting is:

whitelist_from_rcvd [EMAIL PROTECTED]


You still need the RDNS entry at the end of this line if you want it to 
work properly.


Bill 



Re: [SOLVED] Re: At wit's end - SA is *still* tagging list traffic!

2005-06-02 Thread Loren Wilton
 Now my local.cf setting is:

 whitelist_from_rcvd [EMAIL PROTECTED]

You still have it wrong.  That is the syntax for whitelist_from.
Whitelist_from_rcvd takes TWO arguments, not one.  That line as you have it
will be ignored.

Loren



Re: [REALLY SOLVED THIS TIME] Re: At wit's end - SA is *still* tagginglist traffic!

2005-06-02 Thread Bill Landry
- Original Message - 
From: Thomas Cameron [EMAIL PROTECTED]



On Thu, 2005-06-02 at 16:32 -0500, Thomas Cameron wrote:

All -

I have added these to my local.cf:

whitelist_from_rcvd [EMAIL PROTECTED]

But I am still seeing list traffic with spam samples being tagged.  Can
someone please tell me what on Earth I need to do to tell SA to ignore
anything on this list?  Procmail rules are not an option - I use SA on a
relay server which uses a milter.

Thanks
Thomas


My last was a typo - the line in local.cf is

whitelist_from_rcvd [EMAIL PROTECTED] apache.org

That causes SA to score messages with -100.


One other thing you might want to consider doing, if you are also using 
bayes with autolearn, is add the following entry to your local.cf, so as not 
to possibly autolearn spammy text included in SA list messages as ham:


bayes_ignore_to users@spamassassin.apache.org

Bill 
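
To make the syntax point of this whole thread concrete, here is an added Python example (not code from the thread and not SpamAssassin's own implementation) that reads whitelist_from_rcvd lines the way --lint would object to them, rejecting the one-argument form that several replies flagged, and then evaluates an entry against a message's sender address and the rDNS of the relay recorded in the Received header. The address-glob and domain-suffix matching are a simplified model of SpamAssassin's behaviour; the Received header follows the sendmail "from HELO (rdns [ip])" shape; the config text, hostnames and 203.0.113.x addresses are constructed. It also shows why the second argument matters: the From address alone is trivially forged, so a whitelist keyed on it alone would let spam through, whereas the rcvd form also requires the message to have arrived from a relay under the stated domain.

```python
import fnmatch
import re

# Constructed local.cf fragment (not from the page): the first entry has the
# one-argument mistake discussed in the thread, the others are well-formed.
SAMPLE_CONFIG = """\
# one argument: this is whitelist_from syntax, not whitelist_from_rcvd
whitelist_from_rcvd users@spamassassin.apache.org
whitelist_from_rcvd users@spamassassin.apache.org apache.org
whitelist_from_rcvd *@example.invalid mail.example.invalid
"""

# Constructed Received header as our own MX would write it (sendmail style);
# the relay's IP is from the 203.0.113.0/24 documentation range.
SAMPLE_RECEIVED = ("Received: from mail.apache.org (hermes.apache.org [203.0.113.10]) "
                   "by mx.example.invalid (8.13.1/8.13.1) with ESMTP id j52N0fqX012345")

# "from <helo> (<rdns> [<ip>])": rdns is what the receiving MTA looked up,
# not what the sender claimed in HELO.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)")


def parse_whitelist_rcvd(config_text):
    """Collect whitelist_from_rcvd entries as (address_glob, rdns_domain).
    Lines with the wrong argument count are reported rather than used,
    mirroring the thread's point that a one-argument line is ignored."""
    entries, errors = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != "whitelist_from_rcvd":
            continue
        if len(parts) != 3:
            errors.append((lineno, "whitelist_from_rcvd needs <address> <rdns-domain>, "
                                   "got %d argument(s)" % (len(parts) - 1)))
            continue
        entries.append((parts[1].lower(), parts[2].lower()))
    return entries, errors


def relay_rdns(received_header):
    """Reverse-DNS name the receiving MTA recorded for the connecting relay.
    Assumes this header was written by a trusted MTA of ours."""
    m = RECEIVED_RE.match(received_header)
    return m.group("rdns").lower() if m else None


def domain_matches(rdns, domain):
    """Simplified suffix match: the relay's rDNS is the domain itself or a
    host underneath it (hermes.apache.org is under apache.org)."""
    return rdns == domain or rdns.endswith("." + domain)


def is_whitelisted(entries, from_addr, received_header):
    """True when some entry's address glob matches the sender AND its domain
    matches the rDNS of the relay that handed us the message."""
    rdns = relay_rdns(received_header)
    if rdns is None:
        return False
    sender = from_addr.lower()
    return any(fnmatch.fnmatchcase(sender, addr_glob) and domain_matches(rdns, domain)
               for addr_glob, domain in entries)


if __name__ == "__main__":
    entries, errors = parse_whitelist_rcvd(SAMPLE_CONFIG)
    for lineno, msg in errors:
        print("line %d: %s" % (lineno, msg))
    print("list mail via apache.org relay:",
          is_whitelisted(entries, "users@spamassassin.apache.org", SAMPLE_RECEIVED))
    forged = ("Received: from mail.apache.org (dsl-pool-7.example.invalid [203.0.113.77]) "
              "by mx.example.invalid")
    print("same From, unrelated relay:",
          is_whitelisted(entries, "users@spamassassin.apache.org", forged))
```

The forged case is the security reason for the two-argument form: the sender can put any address in From and any name in HELO, but the rDNS in parentheses is what our own MX resolved for the connecting IP, so the entry only fires for mail that really came through an apache.org host.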



Are the RBL scores high enough?

2005-06-02 Thread Jason Haar

Hi there

I'm finding a fair chunk of spam gets past SA-3.0.3 with scores of 3-4 
out of 5 even though it got 2+ network test hits.


e.g.

spamd[18676]: result: .  3 - DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,FROM_HAS_MIXED_NUMS,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL scantime=4.4,size=1435,mid=[EMAIL PROTECTED],autolearn=disabled


This had a Subject line of russian X unusably in action fervid - 
so I'm guessing it was spam (;-) - even though it only got a score of 3/5.


Obviously the default values are set that way as a way of implying 
confidence in what that means, it's just that I wonder if they need 
updating? I guess I'm referring to the scores in 50_scores.cf.


e.g. RCVD_IN_NJABL_PROXY has a value of 1.0 - and yet the FAQ on the 
NJABL web site (of course) tells you to set score NJABL_PROXY 3.0 :-)


But the wonderful authors of SA know far more than I do - so are the 
current levels still deemed to be correct?


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



URIDNSBL.pm improvements in 3.1?

2005-06-02 Thread Ben Poliakoff
So I've noticed that the URIDNSBL.pm in the 3.1 snapshots seems to
recognize obfuscated URIs much better than in 3.0.x.  

In other words I was looking at a message that my relatively well
maintained 3.0.3 installation didn't catch.  Then I tried running the
same message through my personal 3.1 snapshot installation.  The 3.1
installation gave the message a comparatively high score (due to the
domain being listed in multiple SURBLs).

The message in question contained some lines like this:

copy-paste the u[r]l to finish.
ez-rate*MUNGED*.info

The 3.1 code recognized the domain name readily, looked it up and found
it in almost all of the SURBLs.  But the 3.0.3 code didn't spot it (and
the message scored on bayes alone).

Is there any straightforward way to backport some of this goodness to
3.0.x?  I don't mind running the development snapshots at home but at
work I have to answer to a couple thousand users...

Ben


Re: Are the RBL scores high enough?

2005-06-02 Thread Matt Kettler

At 07:56 PM 6/2/2005, Jason Haar wrote:
DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,FROM_HAS_MIXED_NUMS,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL 
scantime=4.4,size=1435,mid=[EMAIL PROTECTED],autolearn=disabled


This had a Subject line of russian X unusably in action fervid - so 
I'm guessing it was spam (;-) - even though it only got a score of 3/5.


Obviously the default values are set that way as a way of implying 
confidence in what that means, it's just that I wonder if they need 
updating? I guess I'm referring to the scores in 50_scores.cf.


e.g. RCVD_IN_NJABL_PROXY has a value of 1.0 - and yet the FAQ on the NJABL 
web site (of course) tells you to set score NJABL_PROXY 3.0 :-)


But the wonderful authors of SA know far more than I do - so are the 
current levels still deemed to be correct?


If one's wrong, they are ALL wrong.

SA's rule scores are evolved based on a real-world test of a hand-sorted 
corpus of fresh spam and ham. The whole scoreset is evolved simultaneously 
to optimize the placement pattern.


Of course, one thing that can affect accuracy is if some spams are 
accidentally misplaced into the ham pile it can cause some heavy score 
biasing to occur. A little bit of this is unavoidable, as human mistakes 
happen, but a lot of it will cause deflated scores and a lot of FNs.




Re: Are the RBL scores high enough?

2005-06-02 Thread Jason Haar

Matt Kettler wrote:



e.g. RCVD_IN_NJABL_PROXY has a value of 1.0 - and yet the FAQ on the 
NJABL web site (of course) tells you to set score NJABL_PROXY 3.0 :-)


But the wonderful authors of SA know far more than I do - so are the 
current levels still deemed to be correct?



If one's wrong, they are ALL wrong.



By that do you mean that a false positive in one RBL tends to show up in 
them all? Probably too much sharing of data/same sources?


SA's rule scores are evolved based on a real-world test of a 
hand-sorted corpus of fresh spam and ham. The whole scoreset is 
evolved simultaneously to optimize the placement pattern.




...and that's why I asked :-)

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: Anyone know what Microsoft's Intelligent Message Filter does WRT tagging?

2005-06-02 Thread David Brodbeck
Matt Kettler wrote:
 I highly doubt a MS product would take advantage of results from another
 product.

On the other hand, IF they're using statistical scoring, and IF they
include the headers in the score, then you might be able to just tag
suspected spam with a header.  Eventually the system would learn that
messages with that header had a high spam probability.  I've seen it
work with other bayes filters before.


Re: URIDNSBL.pm improvements in 3.1?

2005-06-02 Thread Theo Van Dinter
On Thu, Jun 02, 2005 at 05:23:56PM -0700, Ben Poliakoff wrote:
 Is there any straightforward way to backport some of this goodness to
 3.0.x?  I don't mind running the development snapshots at home but at
 work I have to answer to a couple thousand users...

We're working on getting 3.0.4 done, which has some backports for things like
obfuscation and such.  For instance, it'll handle the newline in URL,
ampersand in host, etc, stuff that's been getting through.

That's all separate from the URIBL stuff, actually.  3.1 also has improvements
for URIBL, such as getting the URIs out of a message in a priority ordering,
etc.

-- 
Randomly Generated Tagline:
Isn't shrimp on Barbie a little kinky?




Re: URIDNSBL.pm improvements in 3.1?

2005-06-02 Thread Raymond Dijkxhoorn

Theo,


Is there any straightforward way to backport some of this goodness to
3.0.x?  I don't mind running the development snapshots at home but at
work I have to answer to a couple thousand users...



We're working on getting 3.0.4 done, which has some backports for things like
obfuscation and such.  For instance, it'll handle the newline in URL,
ampersand in host, etc, stuff that's been getting through.


Would it be possible to also include the JP SURBL list in 3.0.4 ?
We get a lot of questions about that right now... Since we withdrew the 
data from WS some months ago now, in preparation for SA 3.1. Hopefully it 
can also be added in 3.0.4.



That's all separate from the URIBL stuff, actually.  3.1 also has improvements
for URIBL, such as getting the URIs out of a message in a priority ordering,
etc.


Yes I am pretty happy with 3.1 so far, runs like a charm.

Bye.
Raymond.


Re: URIDNSBL.pm improvements in 3.1?

2005-06-02 Thread Theo Van Dinter
On Fri, Jun 03, 2005 at 03:14:41AM +0200, Raymond Dijkxhoorn wrote:
 Would it be possible to also include the JP SURBL list in 3.0.4 ?

Already done. ;)

-- 
Randomly Generated Tagline:
Home Safety Tip #2: Don't fry bacon, when your naked.




Re: URIDNSBL.pm improvements in 3.1?

2005-06-02 Thread Raymond Dijkxhoorn

Hi Theo/Daryl!


On Fri, Jun 03, 2005 at 03:14:41AM +0200, Raymond Dijkxhoorn wrote:

Would it be possible to also include the JP SURBL list in 3.0.4 ?



The JP SURBL list was added to the 3.0 branch two weeks ago.



Already done. ;)


Great!

Hopefully the score will be a little better than it is now with the 3.1.
It's grown a lot since the last score run was done, I think.

Bye,
Raymond.


Re: URIDNSBL.pm improvements in 3.1?

2005-06-02 Thread jdow
Does 3.04 or 3.1 contain any way to COUNT Subject: header lines?

If not they are wildly incomplete, IMAO.
{^_^}
- Original Message - 
From: Theo Van Dinter [EMAIL PROTECTED]
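The check jdow asks about, counting how many Subject: header lines a message carries, can be done outside SpamAssassin with a small header parser. The block below is an added example, not code from the list or from SpamAssassin; the raw message in it is constructed for the demonstration (addresses use the reserved example.invalid domain), and folded continuation lines are deliberately not counted as a second header.

```python
"""Count how many times a header field occurs in a raw message.

Added example illustrating the check jdow asks about (counting Subject:
header lines); it is not code from the list or from SpamAssassin.  The
message below is constructed for the demonstration.
"""
import re

# Constructed raw message: two Subject: lines, the second one folded.
SAMPLE_MESSAGE = (
    "Received: from example.invalid (192.0.2.1) by mx.example.invalid; "
    "Thu, 2 Jun 2005 16:43:22 -0700\r\n"
    "From: sender@example.invalid\r\n"
    "Subject: first subject\r\n"
    "To: user@example.invalid\r\n"
    "Subject: second subject,\r\n"
    "\tfolded onto a second line\r\n"
    "\r\n"
    "Body text; the Subject: word here must not be counted.\r\n"
)


def header_counts(raw_message):
    """Return {lower-cased field name: occurrences} for the header block only."""
    # The header block ends at the first blank line; the body is ignored.
    header_block = re.split(r"\r?\n\r?\n", raw_message, maxsplit=1)[0]
    counts = {}
    for line in header_block.splitlines():
        if line[:1] in (" ", "\t"):
            continue                 # folded continuation of the previous header
        field, sep, _ = line.partition(":")
        if not sep:
            continue                 # not a header line (e.g. an mbox From_ line)
        key = field.strip().lower()
        counts[key] = counts.get(key, 0) + 1
    return counts


def count_subject_lines(raw_message):
    """Number of distinct Subject: header lines (0 if the message has none)."""
    return header_counts(raw_message).get("subject", 0)


if __name__ == "__main__":
    n = count_subject_lines(SAMPLE_MESSAGE)
    print("Subject: header lines found:", n)
```

A count above one is the condition worth flagging; a message with no Subject at all simply returns 0.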





Re: Are the RBL scores high enough?

2005-06-02 Thread Matt Kettler

At 08:41 PM 6/2/2005, Jason Haar wrote:

If one's wrong, they are ALL wrong.


By that do you mean that a false positive in one RBL tends to show up in 
them all? Probably too much sharing of data/same sources?


No, I mean if one score in the ruleset is wrong, every score in the ruleset 
is wrong. Since they are scored simultaneously, the score of one rule 
impacts the score of every other rule in the whole ruleset.  



Who did it?

2005-06-02 Thread Nabil Sabry

Dear all,
I have been recently added to this tool.
BOTH the IT team and the ISP claim they know nothing about it!
Is there any means to know who added me?
regards
nabil



Re: Score an entire cf file

2005-06-02 Thread Rich Puhek

Reginaldo O. Andrade wrote:

Hi, list!
 
I'm developing a custom cf file to block messages with specific 
strings and I would like to know if it is possible to score an entire 
file with the same value without using the command score RULE_NAME 
X.XX for each rule in the archive.
 
Thanks in advance.
 
Reginaldo O. Andrade

Network Administrator


One way to get the desired effect would be to do something like:

perl -ne 'next if /(^#)|(^describe)|(^score)|(^$)/; @a = split; print "score\t$a[1] 5.00\n";' somefile.cf >> local.cf


where somefile.cf is the rule file. Replace my sample score of 5.00 
with your desired score, and local.cf with your actual local.cf file 
location.


(actually, for your case, a temp file might be in order, then paste back 
into your file).


--Rich
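The same effect as Rich's one-liner, written out so the rule-file parsing is visible, as an added example that is not code from the list or from the SpamAssassin project. It only takes the rule name from lines that actually define a rule (body, rawbody, header, uri, full, meta, mimeheader), skips `lang` and `describe` lines, and leaves `__`-prefixed sub-rules alone, since those are meant to be scored through meta rules rather than directly. The sample rule file it contains is constructed for the demonstration.

```python
"""Generate 'score' lines for every scorable rule in a SpamAssassin .cf file.

Added example for the "score an entire cf file" question; not code from the
list or from the SpamAssassin project.  The sample rule file below is
constructed for the demonstration.
"""
import sys

# Keywords that define a rule.  In every case the rule name is the second
# whitespace-separated token, which is what the Perl one-liner relies on too.
RULE_KEYWORDS = {"body", "rawbody", "header", "uri", "full", "meta", "mimeheader"}

# Constructed sample .cf content (not a real rule file).
SAMPLE_CF = """\
# constructed sample rule file
body LOCAL_PHRASE_A     /some phrase/i
describe LOCAL_PHRASE_A Contains some phrase
score LOCAL_PHRASE_A    1.0

header LOCAL_SUBJ_B     Subject =~ /another phrase/i
rawbody __LOCAL_SUB_C   /base64/
meta LOCAL_META_D       (LOCAL_PHRASE_A && __LOCAL_SUB_C)
lang en describe LOCAL_META_D Localized description, not a rule
"""


def rule_names(cf_text):
    """Return the scorable rule names defined in cf_text, in file order."""
    names = []
    for raw in cf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split()
        if len(parts) < 2 or parts[0] not in RULE_KEYWORDS:
            continue                      # describe/score/lang/...: not a rule
        name = parts[1]
        if name.startswith("__"):
            continue                      # sub-rules are scored via meta rules only
        if name not in names:
            names.append(name)
    return names


def score_lines(cf_text, score):
    """Render one 'score NAME X.XX' line per rule, ready to append to local.cf."""
    return ["score %s %.2f" % (name, score) for name in rule_names(cf_text)]


if __name__ == "__main__":
    # Usage: python score_cf.py somefile.cf 5.00 >> local.cf
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            text = fh.read()
        print("\n".join(score_lines(text, float(sys.argv[2]))))
    else:
        print("\n".join(score_lines(SAMPLE_CF, 5.0)))
```

Redirect the output with `>>` (append) rather than `>` so an existing local.cf is not overwritten, and review the generated lines before loading them: a blanket score applied to a rule you did not mean to score is the usual way a bulk edit like this produces false positives.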


Re: Question on ISP's, verizon TBS.

2005-06-02 Thread Codger

Hmmm. You mistake Verizon for someone who gives a care I think.

(Indeed this list will get this reply but most assuredly since 
Verizon chooses to blacklist everyone outside Verizon as a solution 
to spam.)


On Jun 2, 2005, at 9:33 AM, Gene Heskett wrote:


IMO, somebody at VZ needs to have a suitably sized fire built under
them, but to whom do I actually send the nastygram?