Re: How to increase score of URIDNSBL?

2005-06-06 Thread Loren Wilton
I don't know what all rules hit on this for you, but there are some SARE
rules that should have triggered, and there will be some new ones very soon
for the display:none trick.  Between those and surbl, most of your spams
of this sort should be caught.

If you aren't running bayes, you might consider it.  This is a wonderful
example of something that should hit bayes-99 with very little training on
your part.  You would just need to adjust the bayes_99 score up to about 4
to make it functional.

Loren



Re: How to increase score of URIDNSBL?

2005-06-06 Thread Maurice Lucas

From: Roman Volf [EMAIL PROTECTED]
Sent: Monday, June 06, 2005 7:53 AM

> I received a spam (http://www.keystreams.com/~volfman/spamd-msg.txt - I
> stripped the X-Spam headers from the message) that only scored a 4.4,
> even though the URIDNSBL showed a hit.
> Here is the debug from spamd -
> http://www.keystreams.com/~volfman/spamd-debug.txt
>
> Is upping the score that a URIDNSBL hit gives a good idea? I mark spam at
> 5.0. Is this possible?
>
> Any suggestions?

If you used uribl [1] with the standard usage line, another 3 points would
have been added to your score.


[1]http://www.uribl.com/

With kind regards,

Maurice Lucas
TAOS-IT




* SPAM * Xnote.com considers this message as SPAM *** RE: Message that conitinually gets bypassed

2005-06-06 Thread Alan Fullmer
Spam detection software, running on the system vibe.xnote.com, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Here you go, attached are two. Keep in mind, if I were 
  to forward this mail to myself, it would get flagged. It just seems to 
  be getting by when they send it. 

Content analysis details:   (9.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.7 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 0.4 SARE_HOMELOAN          BODY: Home mortgage stuff
 1.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 0.0 HTML_90_100            BODY: Message is 90% to 100% HTML
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [67.108.238.3 listed in sbl-xbl.spamhaus.org]
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: mrratenow.com droppedr8z.com]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: mrratenow.com droppedr8z.com]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: mrratenow.com droppedr8z.com]
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: droppedr8z.com]
-7.3 AWL                    AWL: From: address is in the auto white-list

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

---BeginMessage---
Here you go, attached are two.

Keep in mind, if I were to forward this mail to myself, it would get
flagged.   It just seems to be getting by when they send it.

-Original Message-
From: Robert Menschel [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 26, 2005 6:53 PM
To: Alan Fullmer
Cc: users@spamassassin.apache.org
Subject: Re: Message that conitinually gets bypassed

Hello Alan,

Thursday, May 26, 2005, 9:20:51 AM, you wrote:

AF> I have this message that continually gets by Spam Assassin.  The headers
AF> have no indication that SA has even touched it.   I will post the headers
AF> below, as well as the message.

Unfortunately, you posted the text, and you posted the headers, but
you didn't post the message. Your text says,
 visit our Website
and there's no link anywhere for the sucker to use. We are missing
some very important information, and can't debug your problem properly
without it.

If you had sent the message as a message, attached (forward as
attachment), I'd be able to save your message to my system, run SA
against them, and do an analysis.  I can't do that the way you cut and
pasted the message.

See the just updated
http://wiki.apache.org/spamassassin/DoYouWantMySpam for some other
ideas.

Bob Menschel




---BeginMessage---

Dear Homeowner,

You have been pre-approved for a $402,000 Home Loan at a
3.45% Fixed Rate.

This offer is being extended to you unconditionally and your
credit is in no way a factor.

To take Advantage of this Limited Time opportunity all
we ask is that you visit our Website and complete
the 1 minute post Approval Form.

Enter Here

Sincerely,

Esteban Tanner
Regional CEO

Turn off notiiifications heeere.

---End Message---
---BeginMessage---

Dear Homeowner,

You have been pre-approved for a $402,000 Home Loan at a
3.45% Fixed Rate.

This offer is being extended to you unconditionally and your
credit is in no way a factor.

To take Advantage of this Limited Time opportunity all
we ask is that you visit our Website and complete
the 1 minute post Approval Form.

Enter Here

Sincerely,

Esteban Tanner
Regional CEO

Turn off notiiifications heeere.

---End Message---
---End Message---


Re: How to increase score of URIDNSBL?

2005-06-06 Thread Matt Kettler

At 01:53 AM 6/6/2005, Roman Volf wrote:
> I received a spam (http://www.keystreams.com/~volfman/spamd-msg.txt - I
> stripped the X-Spam headers from the message) that only scored a 4.4,
> even though the URIDNSBL showed a hit.
> Here is the debug from spamd -
> http://www.keystreams.com/~volfman/spamd-debug.txt
>
> Is upping the score that a URIDNSBL hit gives a good idea? I mark spam at
> 5.0. Is this possible?
>
> Any suggestions?



To be specific, that's URIBL_SBL.

Let's look at the mass-check results for this test:

 20.829  42.0571   0.7080   0.983   0.42   1.00  URIBL_SBL

It's got a S/O of 98.3%, which means that 1.7% of the email that rule hits 
is nonspam. You could probably raise the score a little bit safely. 
However, because the FP rate is low but not insignificant, I would be
careful and not go over 2.0 with it.


As someone else suggested, adding the uribl.com tests would also be 
helpful, but it's hard to say if uribl.com had that link listed at the time 
you got the message. SURBL lists the domain in AB, OB, SC and WS now, but 
none of them had it before. However, the more checks you use, the more 
chances you'll be checking the list that got it reported first.



p.s. the SA list moved off incubator a long time ago (Although the address 
does still work, and probably will indefinitely, the current real address 
is users@spamassassin.apache.org)






Re: How to increase score of URIDNSBL?

2005-06-06 Thread Jeff Chan
On Monday, June 6, 2005, 7:02:17 AM, Matt Kettler wrote:
> As someone else suggested, adding the uribl.com tests would also be
> helpful, but it's hard to say if uribl.com had that link listed at the time
> you got the message. SURBL lists the domain in AB, OB, SC and WS now, but
> none of them had it before. However, the more checks you use, the more
> chances you'll be checking the list that got it reported first.

keystreams.com is not on any SURBLs currently.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



RE: Unsubsribe

2005-06-06 Thread Chris Santerre

Randomly Generated Tagline:
I'd rather see my sister in a whorehouse than my brother 
using windows.
 - Sam Creasey

Ahahahahahahahahahahahah! Theo, you rock!

--Chris 


Anyone seeing Account closed emails ?

2005-06-06 Thread Ronald I. Nutter
Anyone seeing this type of email coming through with a header of
*WARNING* YOUR EMAIL ACCOUNT WILL BE CLOSED ?

Didn't know if someone already had a ruleset out before I start
working on one for my system.

Ron


Ron Nutter                                 [EMAIL PROTECTED]
Network Infrastructure & Security Manager
Information Technology Services            (502)863-7002
Georgetown College
Georgetown, KY 40324-1696



OT: Mail/Spam Stats and MRTG

2005-06-06 Thread Jake Colman

Does anyone have any suggestions for using mrtg to produce a graph showing
the amount of received email and how much of it was flagged as spam?

I am using mrtg, sendmail, and procmail on all the same server.

Thanks!

...Jake

-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com



Re: Anyone seeing Account closed emails ?

2005-06-06 Thread Rick Macdougall

Ronald I. Nutter wrote:

> Anyone seeing this type of email coming through with a header of
> *WARNING* YOUR EMAIL ACCOUNT WILL BE CLOSED ?
>
> Didn't know if someone already had a ruleset out before I start
> working on one for my system.


 


Hi,

That is a Mytob virus variant.  Maybe you should install a virus scanner 
like clamav.


Regards,

Rick



Re: Anyone seeing Account closed emails ?

2005-06-06 Thread Matt Kettler
Ronald I. Nutter wrote:
> Anyone seeing this type of email coming through with a header of
> *WARNING* YOUR EMAIL ACCOUNT WILL BE CLOSED ?
>
> Didn't know if someone already had a ruleset out before I start
> working on one for my system.

I'm getting them, but they are all picked up as viruses:

At Sat May 21 02:05:16 2005 the virus scanner said:
   Command: account-details.zip-account-details.pif  Infection: W32/[EMAIL PROTECTED]
   ClamAV Module: account-details.zip was infected: Worm.Mytob.BT
   Bitdefender: Found virus Win32.Worm.Mytob.AW in file account-details.zip


Re: OT: Mail/Spam Stats and MRTG

2005-06-06 Thread Paolo Cravero as2594

Jake Colman wrote:

> Does anyone have any suggestions for using mrtg to produce a graph showing
> the amount of received email and how much of it was flagged as spam?
>
> I am using mrtg, sendmail, and procmail on all the same server.

You need to write an external program (script) for the SNMP daemon on
the server. It returns a single number computed out of sendmail/procmail
maillog of whatever you want to monitor. Then use MRTG to manipulate the
value (cumulative vs last-5-minutes).


Here we use Cricket to monitor SpamAssassin performance in 
quasi-real-time. But I didn't set it up myself.


HTHAL,
Paolo

---
SpamAssassin-based email antispam/antivirus solutions
Italian/English-to/from-Croatian translations


Re: Anyone seeing Account closed emails ?

2005-06-06 Thread David B Funk
On Mon, 6 Jun 2005, Rick Macdougall wrote:

> Ronald I. Nutter wrote:
>
> > Anyone seeing this type of email coming through with a header of
> > *WARNING* YOUR EMAIL ACCOUNT WILL BE CLOSED ?
> >
> > Didn't know if someone already had a ruleset out before I start
> > working on one for my system.
>
> That is a Mytob virus variant.  Maybe you should install a virus scanner
> like clamav.
>
> Rick

Yes, that text is associated with a Mytob virus variant and if it's
in a live virus clamav will kill it.
However I've seen a number of those from stillborn virus mis-fires and
clamav will ignore those (IE the text is there but the payload is either
truncated or totally missing).
That then, is a job for SA.



-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: Mail/Spam Stats and MRTG

2005-06-06 Thread Mike Jackson

> Does anyone have any suggestions for using mrtg to produce a graph showing
> the amount of received email and how much of it was flagged as spam?
>
> I am using mrtg, sendmail, and procmail on all the same server.

This wouldn't be perfect, but I'd write a script in the scripting language
of your choice that reads in the mail log, counts the lines containing
"checking message", counts the lines containing "identified spam", then
spits out both numbers in an MRTG-compatible format. I can't remember the
exact config syntax, but I think you can tell MRTG that this is going to be
a constantly-incrementing number, not the diff between this run and the
previous run. If that's not possible, then you'd have to have your script do
the math.

(I'd count the "checking message" lines rather than a message count from
Sendmail because the latter would count messages sent out from the server as
well, not just the messages SA saw.)
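
A sketch of the script described in the post above, in the variant where the script does the math itself. This is an added example, not code posted to the thread: the log lines are constructed samples, the file paths are whatever the operator passes in, and the "unknown" uptime string and "spamd" target name are placeholders. Because it reports per-run deltas, it assumes the MRTG target is configured with the `gauge` option.

```python
#!/usr/bin/env python3
"""Count new spamd log lines since the last run and print them for MRTG."""
import json
import os
import sys

CHECKED_MARK = "checking message"  # one line per message spamd scans
SPAM_MARK = "identified spam"      # one line per message scored as spam

# Constructed sample in the general shape of a shared sendmail/spamd maillog.
SAMPLE_LOG = """\
Jun  6 10:15:01 mx sendmail[300]: j56EF1aa000300: from=<a@example.net>, size=2101
Jun  6 10:15:02 mx spamd[411]: checking message <a@example.net> for jake:500.
Jun  6 10:15:04 mx spamd[411]: identified spam (9.9/5.0) for jake:500 in 2.0 seconds, 2101 bytes.
Jun  6 10:16:10 mx spamd[412]: checking message <b@example.org> for jake:500.
Jun  6 10:16:11 mx spamd[412]: clean message (0.3/5.0) for jake:500 in 1.1 seconds, 900 bytes.
Jun  6 10:17:30 mx spamd[413]: checking message <c@example.com> for jake:500.
Jun  6 10:17:33 mx spamd[413]: identified spam (14.2/5.0) for jake:500 in 2.7 seconds, 5120 bytes.
"""


def count_lines(lines):
    """Return (checked, spam) for an iterable of log lines."""
    checked = spam = 0
    for line in lines:
        if "spamd[" not in line:
            continue  # skip sendmail/procmail entries in the same log
        if CHECKED_MARK in line:
            checked += 1
        elif SPAM_MARK in line:
            spam += 1
    return checked, spam


def read_new_lines(log_path, state_path):
    """Return complete lines appended to log_path since the previous call.

    The byte offset and inode are kept in state_path. If the log was rotated
    (different inode, or file shorter than the saved offset) reading restarts
    at the beginning so the counts never include stale positions.
    """
    offset, inode = 0, None
    try:
        with open(state_path) as fh:
            state = json.load(fh)
        offset, inode = state["offset"], state["inode"]
    except (OSError, ValueError, KeyError):
        pass  # first run or unreadable state: start from the top

    st = os.stat(log_path)
    if st.st_ino != inode or st.st_size < offset:
        offset = 0

    with open(log_path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()

    # Leave a partially written last line for the next run.
    end = data.rfind(b"\n") + 1
    data = data[:end]

    tmp_path = state_path + ".tmp"
    with open(tmp_path, "w") as fh:
        json.dump({"offset": offset + end, "inode": st.st_ino}, fh)
    os.replace(tmp_path, state_path)  # atomic update of the state file

    return data.decode("utf-8", "replace").splitlines()


def mrtg_report(checked, spam, uptime="unknown", name="spamd"):
    """Format the four lines MRTG reads from an external script:
    first value, second value, uptime string, target name."""
    return f"{checked}\n{spam}\n{uptime}\n{name}\n"


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: spamd_mrtg.py MAILLOG STATEFILE")
    checked, spam = count_lines(read_new_lines(argv[1], argv[2]))
    sys.stdout.write(mrtg_report(checked, spam))


if __name__ == "__main__":
    main(sys.argv)
```
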



RE: Mail/Spam Stats and MRTG

2005-06-06 Thread Kristopher Austin
Here are a couple of files that we use to get the stats we need.  The
glmrtg.pl script counts the number of lines containing the requested
text in the last five minutes (configurable).  I didn't write this
script.  I'm not even sure where it came from.  I think it might have
come with the mrtg distro.

The mrtgspam script just outputs the necessary lines in mrtg format.

I hope this helps.

Kris

-Original Message-
From: Jake Colman [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 06, 2005 10:21 AM
To: users@spamassassin.apache.org
Subject: OT: Mail/Spam Stats and MRTG


Does anyone have any suggestions for using mrtg to produce a graph
showing
the amount of received email and how much of it was flagged as spam?

I am using mrtg, sendmail, and procmail on all the same server.

Thanks!

...Jake

-- 
Jake Colman
Sr. Applications Developer
Principia Partners LLC
Harborside Financial Center
1001 Plaza Two
Jersey City, NJ 07311
(201) 209-2467
www.principiapartners.com



glmrtg.pl
Description: glmrtg.pl


mrtgspam
Description: mrtgspam


Re: OT: Mail/Spam Stats and MRTG

2005-06-06 Thread Ed Kasky

At 08:20 AM Monday, 6/6/2005, Jake Colman wrote -=


> Does anyone have any suggestions for using mrtg to produce a graph showing
> the amount of received email and how much of it was flagged as spam?
>
> I am using mrtg, sendmail, and procmail on all the same server.


Try this:

http://users.2z.net/rpuhek/scripts_public/spamd/

Ed Kasky
~
Randomly Generated Quote (274 of 477):
Difficulties increase the nearer we approach our goal.
   -Goethe (1749-1832)



Re: More spam humor :-)

2005-06-06 Thread Bryan Britt
 
   We've reviewed your mortgage on 113 Daum in Iowa City and we are
   confident that we can save you money...
 

Nah, it's the 

 
   We've reviewed your mortgage on PO Box 10275 and we are
   confident that we can save you money...
 

That gets me.  Cheaper than $38/year?  Sign me up!


Bryan Britt
Beltane Web Services


--
 ICQ: 53037451
Bryan L. Britt501-327-8558
Beltane Web Services, Conway, ARhttp://www.beltane.com
~~Support Private Communications on the Internet~~




RE: OT: Mail/Spam Stats and MRTG

2005-06-06 Thread Ben Story
Does anyone know of any scripts that utilize the SA 3.x log file format
to keep track of what rules fire in nice manager friendly graphs?

--
Benjamin Story, CCNA CCDA
Client Server Technical Analyst
www.dotfoods.com
IT Helpdesk x2312
 
-Original Message-
From: Ed Kasky [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 06, 2005 10:39 AM
To: Jake Colman; users@spamassassin.apache.org
Subject: Re: OT: Mail/Spam Stats and MRTG

At 08:20 AM Monday, 6/6/2005, Jake Colman wrote -=

Does anyone have any suggestions for using mrtg to produce a graph 
showing the amount of received email and how much of it was flagged as
spam?

I am using mrtg, sendmail, and procmail on all the same server.

Try this:

http://users.2z.net/rpuhek/scripts_public/spamd/

Ed Kasky
~
Randomly Generated Quote (274 of 477):
Difficulties increase the nearer we approach our goal.
-Goethe (1749-1832)



Re: More spam humor :-)

2005-06-06 Thread Kelson

Loren Wilton wrote:

> I have to admit though that this is the most amusing hostname that Jill
> has come up with (that I've seen) so far.  :-)


I recently received a porn spam with a wildcard domain name.  One of the 
links was to http://horrible.b_jobs.com


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: More spam humor :-)

2005-06-06 Thread Kelson

List Mail User wrote:

> My favorite, for a long time has been:
>
> ... my name is Linda. I teach 4'th grade math class at a junior h i g h. ...


I rather liked the irony in this one:

Real Cllgeoe Girls

Neeswt Tnocoelhgy for Gteting Off!

Find out what these cleolge girls REALLY learend at shocol...

--
Kelson Vibber
SpeedGate Communications www.speed.net


RE: validating i.p.'s

2005-06-06 Thread Pieter Combrinck
Maybe all you need is to check PTR records for the MTA's connecting to
you.

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: 03 June 2005 08:56 PM
To: Rick Macdougall
Cc: Thomas Deaton; users@spamassassin.apache.org
Subject: Re: validating i.p.'s


Rick Macdougall wrote:
>
> Thomas Deaton wrote:
>
>> How do I check that an incoming email has a valid i.p.?
>>
>> thanks
>
> Hi,
>
> If it's not a valid IP then how does it get to your server ?



Tcp blind spoofing attack? This is not exactly a workable option for
most attackers in trying to deliver mail unless your mailserver runs a
very badly written tcp stack that has highly predictable ISN's. Even
semi-predictable ones like Windows 95 aren't easy to do a blind spoofing
attack against if you want to fake a whole session, but it's quite
possible against something like AIX 4.3.

I guess Thomas needs to make it more clear what IP address he's looking
to validate.

The IP of the host dropping it off to your MTA obviously must be valid,
otherwise there would be no return route and the TCP connection would
never open in the first place. (unless someone did a blind spoofing
attack, which as said above, isn't easy in most cases)










Re: validating i.p.'s

2005-06-06 Thread Matt Kettler
Pieter Combrinck wrote:
> Maybe all you need is to check PTR records for the MTA's connecting to
> you.
 

In actuality this thread has nothing to do with validating IP addresses at all.
It's really about detecting spoofed domains. Check the rest of the thread, it's
already been answered pretty well.

As for validating the IP by checking the PTR record.. well, if it's invalid
(i.e. unrouteable) you won't even get a connection on a non-broken mailserver,
so you won't even have an IP address to check. Fortunately, you also won't have
a message to deal with either. Moral of the story: use a server OS with at least
semi-good TCP ISN selection.

Really the main reason to check for PTR records is not to check if the IP is
valid, but to check if the site is at least somewhat properly administered. Only
the completely clueless fail to have PTR records for their mailservers.


RE: OT New Math :-)

2005-06-06 Thread Elliot Nesterman
-Original Message-
From: David B Funk [mailto:[EMAIL PROTECTED]

   My favorite, for a long time has been:

 ... my name is Linda. I teach 4'th grade math class at a junior h i g h. ...

   I think I got about 20 copies of that message.

   Paul Shupak

Ah, but you have to understand she's teaching New Math. (Anybody here old 
enough to remember Tom Lehrer's song about New Math? ;)


Here're the lyrics. I've put an mp3 on my server: 
http://newsroom.mbooth.com/esn/NewMath.mp3

New Math - Tom Lehrer

Some of you who have small children may have perhaps been put in the
embarrassing position of being unable to do your child's arithmetic homework
because of the current revolution in mathematics teaching known as the New
Math. So as a public service here tonight I thought I would offer a brief
lesson in the New Math. Tonight we're going to cover subtraction. This is the
first room I've worked for a while that didn't have a blackboard so we will
have to make do with more primitive visual aids, as they say in the ad biz.
Consider the following subtraction problem, which I will write up here:
342 - 173.

Now remember how we used to do that. Three from two is nine; carry the one, and 
if you're under 35 or went to a private school you say seven from three is six, 
but if you're over 35 and went to a public school you say eight from four is 
six; carry the one so we have 169. But in the new approach, as you know, the 
important thing is to understand what you're doing rather than to get the right 
answer.

Here's how they do it now.

You can't take three from two,
Two is less than three,
So you look at the four in the tens place.
Now that's really four tens,
So you make it three tens,
Regroup, and you change a ten to ten ones,
And you add them to the two and get twelve,
And you take away three, that's nine.
Is that clear?

Now instead of four in the tens place
You've got three,
'cause you added one,
That is to say, ten, to the two,
But you can't take seven from three,
So you look in the hundreds place.

From the three you then use one
To make ten ones...
(and you know why four plus minus one
Plus ten is fourteen minus one?
'cause addition is commutative, right.)
And so you have thirteen tens,
And you take away seven,
And that leaves five...

Well, six actually.
But the idea is the important thing.

Now go back to the hundreds place,
And you're left with two.
And you take away one from two,
And that leaves...?

Everybody get one?
Not bad for the first day!

Hooray for new math,
New-hoo-hoo-math,
It won't do you a bit of good to review math.
It's so simple,
So very simple,
That only a child can do it!

Now that actually is not the answer that I had in mind, because the book that I 
got this problem out of wants you to do it in base eight. But don't panic, base 
eight is just like base ten really, if you're missing two fingers. Shall we 
have a go at it? Hang on.

You can't take three from two,
Two is less than three,
So you look at the four in the eights place.
Now that's really four eights,
So you make it three eights,
Regroup, and you change an eight to eight ones,
And you add them to the two,
And you get one-two base eight,
Which is ten base ten,
And you take away three, that's seven.

Now instead of four in the eights place
You've got three,
'cause you added one,
That is to say, eight, to the two,
But you can't take seven from three,
So you look at the sixty-fours.

Sixty-four? how did sixty-four get into it? I hear you cry.
Well, sixty-four is eight squared, don't you see?
(Well, you ask a silly question you get a silly answer.)

From the three you then use one
To make eight ones,
And you add those ones to the three,
And you get one-three base eight,
Or, in other words,
In base ten you have eleven,
And you take away seven,
And seven from eleven is four.
Now go back to the sixty-fours,
And you're left with two,
And you take away one from two,
And that leaves...?

Now, let's not always see the same hands.
One, that's right!
Whoever got one can stay after the show and clean the erasers.

Hooray for new math,
New-hoo-hoo-math,
It won't do you a bit of good to review math.
It's so simple,
So very simple,
That only a child can do it!

Come back tomorrow night. We're gonna do fractions.

Now I've often thought I'd like to write a mathematics text book someday 
because I have a title that I know will sell a million copies. I'm gonna call 
it Tropic of Calculus.



Re: How to increase score of URIDNSBL?

2005-06-06 Thread List Mail User
...

>On Monday, June 6, 2005, 7:02:17 AM, Matt Kettler wrote:
>> As someone else suggested, adding the uribl.com tests would also be
>> helpful, but it's hard to say if uribl.com had that link listed at the time
>> you got the message. SURBL lists the domain in AB, OB, SC and WS now, but
>> none of them had it before. However, the more checks you use, the more
>> chances you'll be checking the list that got it reported first.
>
>keystreams.com is not on any SURBLs currently.
>
>Jeff C.
>--
>Jeff Chan
>mailto:[EMAIL PROTECTED]
>http://www.surbl.org/

keystreams. com seems to be a legitimate hosting company;  Which
is not to say that they are or are not spam friendly and/or have some
customers who are bad actors.  They do have a five year history and seem
to themselves have been clean (unclear how many domains they own or operate,
or if any of them have a bad history).

Paul Shupak
[EMAIL PROTECTED]


New 1MB spam run?

2005-06-06 Thread Matt Kettler
I just recently received a run of spam which would push some systems' scan-size
limit. These messages have a very short text part and consist mostly of an
attached image file. The file is a gigantic 2952 x 3937 pixel jpeg that is
774,568 bytes in binary form, making for a base-64 encoded email over 1 meg.

Some of you using spamc or other tools with size limits might want to bump up
your size limits. (the relay shows up in spamcop currently)

More amusing than the fact that the oversized image is tough to view on a PC,
the spam seems to be advertising local stores by their street addresses, and
appears to be in Guatemala. That's a long way to go to buy shoes from Maryland, 
USA.

For anyone interested, here's some headers and a bit of body off one:

Return-Path: [EMAIL PROTECTED]
Received: from gold.guate.net (gold.guate.net [200.12.63.200] (may be forged))
by xanadu.evi-inc.com (8.12.8/8.12.8) with ESMTP id j56HW51U016177
(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
for [EMAIL PROTECTED]; Mon, 6 Jun 2005 13:32:07 -0400
Received: from usuario-hyhaya5 (ip-50-221.guate.net.gt [200.12.50.221] (may be
forged))
by gold.guate.net (8.12.9/8.12.5) with ESMTP id j56I2Opg020328
for [EMAIL PROTECTED]; Mon, 6 Jun 2005 12:02:24 -0600
Message-ID: [EMAIL PROTECTED]
From: top shoes [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: nueva linea de verano
Date: Mon, 6 Jun 2005 11:31:53 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_1796513849613620103153874
Status:

This is a multi-part message in MIME format.

--=_NextPart_1796513849613620103153874
Content-type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

adquiere los ultimos estilos de verano

--=_NextPart_1796513849613620103153874
Content-Type: image/jpeg; name=volante 8 mujer verano.jpg
Content-Transfer-Encoding: base64
Content-Description: volante 8 mujer verano.jpg
Content-Disposition: attachment; filename=volante 8 mujer verano.jpg
snip


Re: SpamAssassin CVS confusion

2005-06-06 Thread Theo Van Dinter
On Mon, Jun 06, 2005 at 11:47:46AM -0600, Chris Blaise wrote:
>   In trying to figure out what could have changed in spamd.raw between
> those versions I looked at the CVS commits under
> tags/spamassassin_release_3_0_1/ , tags/spamassassin_release_3_0_2/, and
> tags/spamassassin_release_3_0_1/.  It didn't look like much changed.

I assume you mean SVN, not CVS.

>   So as per the bug report, I downloaded today's daily build release
> (spamassassin_20050606105134.tar.gz) and through CVS and noticed that there

That'll be 3.1, btw.

>   However, when I looked at the release 3.03 of spamd.raw, I don't see
> this support in the code.  I guess my confusion is that will this work be in
> the next release of SpamAssassin or will it continue to be on a
> development-only branch?

trunk is currently the 3.1 development area.  When 3.1 is released, it will
get its own branch and then trunk will become 3.2 development.

We don't typically backport development changes to a stable branch like
3.0 unless there's a large overriding reason to do so (bug fixes, etc).

-- 
Randomly Generated Tagline:
Besides, I wasn't envisioning building the full scale, hurl flaming tar
 filled pottery at peasants over castle walls type of trebuchet. More
 like the hurl flaming jet puffed marshmallows at chipmunks over the
 picnic table trebuchet. :-)   - Timothy MacDonald




RE: New 1MB spam run?

2005-06-06 Thread Peuhkurinen, Kevin
Thanks for the heads up Matt.  I've told amavisd to start scanning 1+MB emails 
for the time being.   SA has been bored since I implemented greylisting anyway.


RDJ errors

2005-06-06 Thread Thomas Cameron
Hey all -

I am brand new to RDJ.  I just set up my script and I am getting the no
index errors below.  Is this normal?


**
Rules Du Jour Run Summary:RulesDuJour Run Summary on vidar:

No index found for ruleset named SARE_REDIRECT_POST300.  Check that this
ruleset is still valid.

Ruleset for html coding abuse has changed on vidar.
Version line: # Version: 01.03.06

SARE Specific Ruleset has changed on vidar.
Version line: # Version: 01.03.05

SARE BIZ/Marketing/Learning Ruleset (for SA ver. 2.5x and greater) has
changed on vidar.
Version line: # Version:  01.02.02 # The BML set has been renamed to
match SARE's updated standards, the new name is 72_sare_bml_post25x.cf

SARE Fraud Detection Ruleset (for SA ver. 2.5x and greater) has changed
on vidar.
Version line: # Version:  01.03.02 # NOTE: Please update your scripts to
pull this file from it's new location
http://www.rulesemporium.com/rules/99_sare_fraud_post25x.cf

SARE Spoof Ruleset for SpamAssassin has changed on vidar.
Version line: # Version: 1.06.12

SARE OEM Ruleset for SpamAssassin has changed on vidar.
Version line: # Version:  1.05.07

No index found for ruleset named SARE_GENLSUBJ1.  Check that this
ruleset is still valid.

No index found for ruleset named SARE_GENLSUBJ2.  Check that this
ruleset is still valid.

No index found for ruleset named SARE_GENLSUBJ3.  Check that this
ruleset is still valid.

No index found for ruleset named SARE_UNSUB.  Check that this ruleset is
still valid.

No index found for ruleset named SARE_uri0.  Check that this ruleset is
still valid.

No index found for ruleset named SARE_uri1.  Check that this ruleset is
still valid.




Stopping Processing if in 'whitelist_from'

2005-06-06 Thread Ken Schweigert
I'm running SA 3.0.2 as a daemon on my local workstation to filter
messages before my Inbox delivered via procmail and spamc.

Over a weekend I can easily have 1,000 messages on my POP server. 
Monday mornings can take over 2 hours to pull and process messages. 
SA does a great job at tagging the spam, I think mainly because of DCC
and network checks, so I would like to not change that part of the
setup.  The majority of the messages I receive are status reports from
various servers and come from a few email addresses.  I've added them
in my user_prefs file as 'whitelist_from [EMAIL PROTECTED]' so they
get scored down and never tagged.  What I would like to have happen is
have SA stop any further checks if it matches the whitelist_from field
and just pass it through.

Is this possible?

-ken
-- 
If you can read this ... thank a system administrator.


Local.cf settings seem to be ignored

2005-06-06 Thread Proctor, Scott
I'm running SA 3.0.3 on RH ES 3.0 acting as a mail gateway with spamd, qmail & qmail-scanner. The local.cf contains:

required_score 8.0
skip_rbl_checks 1
report_safe 0
use_dcc 0
use_pyzor 0
use_razor2 0
use_bayes 1
bayes_path /etc/mail/spamassassin
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 0.1
bayes_auto_learn_threshold_spam 12
lock_method flock

Yet any message that comes through the gateway has its score listed as only requiring 5.0 hits instead of 8.0. Autolearning appears to be active but the databases are not being kept in the /etc/mail/spamassassin. I ran spamassassin -D --lint as root and as the user spamd is running under and it seems to pull the right information, but only for the test.

What am I doing wrong?


Thanks in advance.


Scott





Re: Anyone seeing Account closed emails ?

2005-06-06 Thread Vivek Khera


On Jun 6, 2005, at 11:27 AM, Rick Macdougall wrote:



> That is a Mytob virus variant.  Maybe you should install a virus
> scanner like clamav.




I got one before clamav and/or Vexira learned about it...  i think  
both are noticing it now.


Vivek Khera, Ph.D.
+1-301-869-4449 x806






Re: Stopping Processing if in 'whitelist_from'

2005-06-06 Thread Matt Kettler
Ken Schweigert wrote:
> I'm running SA 3.0.2 as a daemon on my local workstation to filter
> messages before my Inbox delivered via procmail and spamc.
>
<snip>
> What I would like to have happen is
> have SA stop any further checks if it matches the whitelist_from field
> and just pass it through.
>
> Is this possible?

No. The speed gains from doing this would be pretty small anyway. By the time SA
recognizes that the message is whitelisted, it's already sent out most network
checks (in the normal case it makes sense to do these as early as possible, so
that you're doing the rest of the work while you wait for answers).

However, you can write a simple procmail rule to avoid calling spamc for these
messages. This has a lot of extra benefits (no possible bayes autolearning) and
gets you the most performance gain possible (you even save the overhead of
calling spamc!).

In general don't rely on SA's built-in whitelists. They're there, and are
useful, but you're better off whitelisting at a higher layer by not calling SA
in the first place. The built-in whitelists are really there for people who
can't avoid calling SA. (ie: very simple milters)







Re: Anyone seeing Account closed emails ?

2005-06-06 Thread Vivek Khera


On Jun 6, 2005, at 12:10 PM, David B Funk wrote:

> However I've seen a number of those from stillborn virus mis-fires and
> clamav will ignore those (IE the text is there but the payload is either
> truncated or totally missing).
> That then, is a job for SA.

and the idiot mail system that did such neutering should be banned
from the earth.  there's absolutely no reason to strip a virus from
an email then let the rest of the message through.



Vivek Khera, Ph.D.
+1-301-869-4449 x806






Re: Local.cf settings seem to be ignored

2005-06-06 Thread Matt Kettler
Proctor, Scott wrote:
> I'm running SA 3.0.3 on RH ES 3.0 acting as a mail gateway with spamd,
> qmail & qmail-scanner.  The local.cf contains:
> required_score 8.0

I don't think it matters what your local.cf says is your required score, as
qmail-scanner has its own thresholds and does its own markups. I'm pretty sure
it uses SA only for score generation.

Check your qmail-scanner configuration files.


Re: New 1MB spam run?

2005-06-06 Thread wolfgang
In an older episode (Monday 06 June 2005 20:08), Matt Kettler wrote:
> I just recently received a run of spam which would push some system's
> scan-size limit.

AFAIK, there is no default scan-size limit in SA, correct?

regards,

wolfgang


70_sare_whitelist.cf

2005-06-06 Thread Bret Miller
The latest 70_sare_whitelist.cf doesn't lint well on the latest 3.1.0
cvs snapshot. It apparently doesn't like the added comment at the end.
Perhaps the comment should be prefixed with # so it doesn't get flagged
as a warning.

Bret






Re: OT: Mail/Spam Stats and MRTG

2005-06-06 Thread Jason Philbrook
We use these scripts with mrtg/postfix/clamav/spamassassin/procmail to
sample the logfiles each time mrtg runs.

mc1:/usr/local/mis/sbin # cat sacleanratio.mrtg
#!/bin/bash
tail -n 1000 /var/log/mail |grep spamd |grep "clean message" |wc -l |sed -e "s/ *//g"
tail -n 1000 /var/log/mail |grep spamd |grep seconds, |wc -l |sed -e "s/ *//g"
echo 0
echo 0
mc1:/usr/local/mis/sbin # cat saspamratio.mrtg
#!/bin/bash
tail -n 1000 /var/log/mail |grep spamd |grep "identified spam" |wc -l |sed -e "s/ *//g"
tail -n 1000 /var/log/mail |grep spamd |grep seconds, |wc -l |sed -e "s/ *//g"
echo 0
echo 0
mc1:/usr/local/mis/sbin # cat satime.mrtg 
#!/bin/bash
tail -n 5000 /var/log/mail |grep spamd |grep seconds |cut -d: -f5 |cut -d  
-ftdc -e 1000 `awk -f /usr/local/mis/sbin/avg.awk  ~/num.txt` * p
echo 0
echo 0
echo 0
mc1:/usr/local/mis/sbin # cat saratio.mrtg
#!/bin/bash
tail -n 1000 /var/log/mail |grep spamd |grep "clean message" |wc -l |sed -e "s/ *//g"
tail -n 1000 /var/log/mail |grep spamd |grep "identified spam" |wc -l |sed -e "s/ *//g"
echo 0
echo 0

mc1:/usr/local/mis/sbin # more ../etc/mrtg/load.cfg 
WorkDir: /usr/local/apache/htdocs/mrtg
WithPeak[_]: ymw
#Options[_]: growright, gauge, nopercent, nolegend, nobanner, noo
#AbsMax[_]: 40
XSize[_]: 500
YSize[_]: 160

Target[load]: `cat /proc/loadavg |cut -d " " -f1 ;echo 0 ; echo 0; echo 0`
ShortLegend[load]: 1 min.
YLegend[load]: CPU Load
Options[load]: growright, gauge, nopercent, nolegend, nobanner, noo
MaxBytes[load]: 30
Unscaled[load]: d
Title[load]: CPU Load Analysis
PageTop[load]: <H3>Load Analysis</H3>

Target[spamd]: `/usr/local/mis/sbin/satime.mrtg`
YLegend[spamd]: MilliSeconds
Options[spamd]: growright, gauge, nopercent, nolegend, nobanner, noo
ShortLegend[spamd]: Millisec
MaxBytes[spamd]: 2
Title[spamd]: Spamd processing time averages
PageTop[spamd]: <H3>spamd processing time average</H3>

Target[cratio]: `/usr/local/mis/sbin/sacleanratio.mrtg`
YLegend[cratio]: Messages
Options[cratio]: growright, gauge, nopercent, nolegend, nobanner, dorelpercent, integer
ShortLegend[cratio]: Messages
Legend1[cratio]: Clean Messages
Legend2[cratio]: Total Messages
LegendI[cratio]: Clean Messages
LegendO[cratio]: Total Messages
MaxBytes[cratio]: 500
Title[cratio]: Clean versus total email
PageTop[cratio]: <H3>Clean versus total email</H3>


Target[sratio]: `/usr/local/mis/sbin/saspamratio.mrtg`
YLegend[sratio]: Messages
Options[sratio]: growright, gauge, nopercent, nolegend, nobanner, dorelpercent, integer
ShortLegend[sratio]: Messages
Legend1[sratio]: Spam Messages
Legend2[sratio]: Total Messages
LegendI[sratio]: Spam Messages
LegendO[sratio]: Total Messages
MaxBytes[sratio]: 500
Title[sratio]: Spam versus total email
PageTop[sratio]: <H3>Spam versus total email</H3>


On Mon, Jun 06, 2005 at 11:20:47AM -0400, Jake Colman wrote:
>
> Does anyone have any suggestions for using mrtg to produce a graph showing
> the amount of received email and how much of it was flagged as spam?
>
> I am using mrtg, sendmail, and procmail on all the same server.
>
> Thanks!
>
> ...Jake
>
> --
> Jake Colman
> Sr. Applications Developer
> Principia Partners LLC
> Harborside Financial Center
> 1001 Plaza Two
> Jersey City, NJ 07311
> (201) 209-2467
> www.principiapartners.com

-- 
/*
Jason Philbrook   |   Midcoast Internet Solutions - Internet Access,
KB1IOJ|  Hosting, and TCP-IP Networks for Midcoast Maine
 http://f64.nu/   | http://www.midcoast.com/
*/


Re: RDJ errors

2005-06-06 Thread Chris Thielen

Thomas Cameron wrote:

> Hey all -
>
> I am brand new to RDJ.  I just set up my script and I am getting the no
> index errors below.  Is this normal?

Nope, it's not normal.  You are missing some configuration entries for
those rulesets.  Those are not included in the stock RDJ config file so
you have to tell RDJ what and where they are.  There are links on the
www.rulesemporium.com web site that explain how to add the configuration
entries, however I am noticing that they are all missing (404) at the
moment!

I'll see if we can track down the relevant information.

Chris Thielen




Re: Is Bayes Really Necessary?

2005-06-06 Thread David Brodbeck

Loren Wilton wrote:

> You'd think that there should be some way to do a reverse DNS to determine
> from an ip the domains that exist on that ip.  I suspect though that the
> whole internet fabric is designed the other way around, and that this
> information is probably something that no single registrar would know.


In theory, a reverse lookup could give you all the hostnames associated 
with that IP.  In reality, almost no one actually sets up multiple 
reverse DNS records for such sites.  So yes, it's difficult.


Re: New 1MB spam run?

2005-06-06 Thread wolfgang
In an older episode (Monday 06 June 2005 21:17), Matt Kettler wrote:
> wolfgang wrote:
> > In an older episode (Monday 06 June 2005 20:08), Matt Kettler wrote:
> > > I just recently received a run of spam which would push some system's
> > > scan-size limit.
>
> If you use spamc, there's a default limit of 250k. see the spamc manpage for
> command-line options to change this.

thanks for pointing that out, we are using spamc. which limit would you
recommend to scan the mails you mentioned?

assuming the scan-size limit would be changed from default 250k to 1250k, how
would that affect resource consumption?

thanks,

wolfgang




RE: Is Bayes Really Necessary?

2005-06-06 Thread Matthew.van.Eerde
David Brodbeck wrote:
> Loren Wilton wrote:
> > You'd think that there should be some way to do a reverse DNS to
> > determine from an ip the domains that exist on that ip.  I suspect
> > though that the whole internet fabric is designed the other way
> > around, and that this information is probably something that no
> > single registrar would know.
>
> In theory, a reverse lookup could give you all the hostnames
> associated with that IP.  In reality, almost no one actually sets up
> multiple reverse DNS records for such sites.  So yes, it's difficult.

Maybe a reverse SPF record is called for...

_spf.0.0.10.in-addr.arp TXT example.org, some.example.com...

-- 
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -emap{y/a-z/l-za-k/;print}shift Jjhi pcdiwtg Ptga wprztg,


Re: New 1MB spam run?

2005-06-06 Thread Theo Van Dinter
On Mon, Jun 06, 2005 at 09:41:05PM +0200, wolfgang wrote:
> assuming the scan-size limit would be changed from default 250k to 1250k, how
> would that affect resource consumption?

It's highly recommended that people do *NOT* increase the max scan size past
the default of 250k.  Do so at your own risk.

-- 
Randomly Generated Tagline:
I see!  So the cockpits are going to be filled with drunks with guns ...
 Co-pilot, switch seats with me!  I can't get another DUI!  and if the
 cop gets nosy, plug him!   - Lewis Black, The Daily Show 2002.07.17




Re: New 1MB spam run?

2005-06-06 Thread Matt Kettler
Theo Van Dinter wrote:
> On Mon, Jun 06, 2005 at 09:41:05PM +0200, wolfgang wrote:
>
> > assuming the scan-size limit would be changed from default 250k to 1250k, how
> > would that affect resource consumption?
>
> It's highly recommended that people do *NOT* increase the max scan size past
> the default of 250k.  Do so at your own risk.


It will definitely bump up resource usage. That said, if you've got plenty of
ram to spare, you should be able to raise your limit safely.

Theo, correct me if I'm wrong, but I can't imagine that SA's memory resource
usage penalty for large messages is worse than 16x message size, so make sure
you've got at least 16mb * number of spamd children of ram to spare if you're
going to add a meg.

This does point out a direction that the SA devel team needs to start
considering for future releases. Bandwidth is increasing, and SURBL is putting
more pressure on spammers to use embedded images instead of web links, so spam
message sizes are on the rise.

Admittedly this example is unusual (but I did get a run of them), and the
largest common spam I've seen is 80kb. However, keep in mind that 2 years ago
that kind of size was unheard of. Still it would be particularly unfortunate for
SA to get caught in a situation where a mass-outbreak of large spam hit and SA
couldn't handle scanning it.

If nothing else, it would be good to do the scan-size limits based on the
text-section message size, as opposed to the raw message size with all
attachments that most parts of SA will ignore (all except full rules). To do
that you'd need to take measures to make sure the binary sections don't wind up
using extra resources inside SA, but that shouldn't be hard and might be true
currently.






RE: Is Bayes Really Necessary?

2005-06-06 Thread David B Funk
On Mon, 6 Jun 2005 [EMAIL PROTECTED] wrote:

> David Brodbeck wrote:
> > Loren Wilton wrote:
> > > You'd think that there should be some way to do a reverse DNS to
> > > determine from an ip the domains that exist on that ip.  I suspect
> > > though that the whole internet fabric is designed the other way
> > > around, and that this information is probably something that no
> > > single registrar would know.
> >
> > In theory, a reverse lookup could give you all the hostnames
> > associated with that IP.  In reality, almost no one actually sets up
> > multiple reverse DNS records for such sites.  So yes, it's difficult.
>
> Maybe a reverse SPF record is called for...
>
> _spf.0.0.10.in-addr.arp TXT example.org, some.example.com...


Two-fold problem with either of those solutions:

1) It would depend upon the spammer actually registering and keeping
   accurate that kind of data. (Do you really think that they'll want
   to give the farm away ;).
2) The size of DNS answers would quickly get large enough to cause
   technical problems. DNS normally uses UDP packets to keep overhead
   low (one small packet for query, another for the response). As soon
   as you get more than about 500~1000 bytes of data in an answer you'll
   have to switch to TCP if you want to get the full data. (A lot more
   load on the DNS servers and more network overhead. ;(


-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{


Re: RDJ errors

2005-06-06 Thread Chris Thielen

Chris Thielen wrote:

> Thomas Cameron wrote:
>
> > Hey all -
> >
> > I am brand new to RDJ.  I just set up my script and I am getting the no
> > index errors below.  Is this normal?
>
> Nope, it's not normal.  You are missing some configuration entries for
> those rulesets.  Those are not included in the stock RDJ config file
> so you have to tell RDJ what and where they are.  There are links on
> the www.rulesemporium.com web site that explain how to add the
> configuration entries, however I am noticing that they are all missing
> (404) at the moment!
>
> I'll see if we can track down the relevant information.



The RDJ snippet files should be restored to the web site within the hour.


Chris Thielen





Is SPF working 100%? Problems with hotmail.com

2005-06-06 Thread Raul Dias
hi,

Is the SPF code working 100%?

I got a mail from hotmail that did not get any SPF result.
here is a snippet of the header:

From:  [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Received: from hotmail.com (bay23-f11.bay23.hotmail.com [64.4.22.61])
 FOO2*** (8.12.5/8.11.6) with ESMTP id j56K53jT028676 for
 [EMAIL PROTECTED]; Mon, 6 Jun 2005 17:05:07 -0300


Now playing with SPF with dig:

$ dig hotmail.com TXT
...
hotmail.com.            2649    IN      TXT     "v=spf1
include:spf-a.hotmail.com include:spf-b.hotmail.com
include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"
...

$ dig spf-b.hotmail.com TXT
...
spf-b.hotmail.com.      2669    IN      TXT     "v=spf1
ip4:199.103.90.0/23 ip4:204.182.144.0/24 ip4:204.255.244.0/23
ip4:206.138.168.0/21 ip4:64.4.0.0/18 ip4:65.54.128.0/17
ip4:207.68.128.0/18 ip4:207.68.192.0/20 ip4:207.82.250.0/23
ip4:207.82.252.0/23 ip4:209.1.112.0/23 ~all"
...



And here it is 64.4.0.0/18, to which 64.4.22.61 belongs.


So, my question is why there was no SPF_* result for this entry?
Is this a bug? Or am I missing the point?

Mail::SPF::Query is the latest one.

Other hotmail messages got the SPF_HELO_PASS fine.



- Raul Dias
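
The include/ip4 walk that the post above does by hand with dig, as an added example (not part of the original post, and not SpamAssassin's or Mail::SPF::Query's code). The hotmail.com and spf-b.hotmail.com records are copied from the quoted dig output; the spf-a/-c/-d records were not shown, so they are constructed placeholders, and only the `ip4`, `include` and `all` mechanisms are handled, with `include` semantics as in RFC 7208.

```python
"""SPF check_host() reduced to ip4, include and all, run on the records from the post."""
import ipaddress

# hotmail.com and spf-b.hotmail.com are copied from the dig output quoted above.
# spf-a/-c/-d were not shown in the post: the "v=spf1 ~all" entries are
# constructed placeholders that authorize nothing.
RECORDS = {
    "hotmail.com": (
        "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com "
        "include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"
    ),
    "spf-b.hotmail.com": (
        "v=spf1 ip4:199.103.90.0/23 ip4:204.182.144.0/24 ip4:204.255.244.0/23 "
        "ip4:206.138.168.0/21 ip4:64.4.0.0/18 ip4:65.54.128.0/17 "
        "ip4:207.68.128.0/18 ip4:207.68.192.0/20 ip4:207.82.250.0/23 "
        "ip4:207.82.252.0/23 ip4:209.1.112.0/23 ~all"
    ),
    "spf-a.hotmail.com": "v=spf1 ~all",  # constructed
    "spf-c.hotmail.com": "v=spf1 ~all",  # constructed
    "spf-d.hotmail.com": "v=spf1 ~all",  # constructed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 7208 cap on DNS-querying terms per check


def check_host(ip, domain, records=RECORDS, trace=None, _budget=None):
    """Return the SPF result for `ip` checked against `domain`.

    `trace`, if given, collects (domain, term, outcome) tuples so the path
    to the final result can be inspected.
    """
    budget = [MAX_DNS_MECHANISMS] if _budget is None else _budget
    trace = [] if trace is None else trace
    terms = (records.get(domain.lower().rstrip(".")) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published for this name
    addr = ipaddress.ip_address(ip)

    for raw in terms[1:]:
        qualifier, term = "+", raw
        if raw[0] in QUALIFIERS:
            qualifier, term = raw[0], raw[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            matched = addr.version == net.version == 4 and addr in net
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms
            inner = check_host(ip, arg, records, trace, budget)
            if inner in ("none", "permerror"):
                return "permerror"  # include target must publish a valid record
            # Only an inner "pass" makes include match; an inner softfail or
            # fail (such as the nested ~all) just means "keep evaluating".
            matched = inner == "pass"
        else:
            return "permerror"  # a, mx, exists, redirect=...: out of scope here

        trace.append((domain, raw, "match" if matched else "no match"))
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without a matching mechanism


if __name__ == "__main__":
    steps = []
    print(check_host("64.4.22.61", "hotmail.com", trace=steps))
    for step in steps:
        print(step)
```

With these records the relay address from the Received header evaluates to pass through `include:spf-b.hotmail.com`, so the absence of any SPF_* hit is not explained by the record contents.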







Re: How to increase score of URIDNSBL?

2005-06-06 Thread List Mail User
[all snipped]
> > keystreams. com seems to be a legitimate hosting company;  Which
> > is not to say that they are or are not spam friendly and/or have some
> > customers who are bad actors.  They do have a five year history and seem
> > to themselves have been clean (unclear how many domains they own or operate,
> > or if any of them have a bad history).
> >
> > Paul Shupak
> > [EMAIL PROTECTED]
>
> Why are we discussing the legitimacy of keystreams.com when the spam
> sample I sent in was sent *to* keystreams.com. FYI, we've actually been
> around since April of 1999 previously known as Realshell.com.
>
> --
> Roman Volf
> Keystreams Internet Solutions
> [EMAIL PROTECTED]

Roman,

Sorry about any implication that you or keystreams wasn't clean.
I must have just glazed over your post and responded to Jeff's, saying
that, indeed, you seemed clean.  Jeff's own later message (I read it
after responding), pointed out exactly as you said, that keystreams was
the victim, not a perpetrator.

Sorry;  I just immediately jump to check mode for some posts, and
you looked immediately clean - and I meant to respond in that way, but not
offend anyone who might have said differently.  Obviously, I chose the wrong
side to try not to upset.

Again, I apologize for any implied offense - none was intended.  (When
I mean to say bad things, I think that the archives will show I do not often
mince my words.)  I only meant to point out I didn't do a thorough check
because none seemed to be necessary (i.e. keystreams immediately looked to be
an upright and legitimate company).

Sincerely,

Paul Shupak
[EMAIL PROTECTED]


Re: Is SPF working 100%? Problems with hotmail.com

2005-06-06 Thread Raul Dias
OK, I found out some stuff here:

1 - This is not the only message where this happens.  Other messages that
should have triggered SPF rules did not.

2 - This is happening when using spamd.

3 - When running these messages by hand against spamassassin -D
never got a missing SPF rule.

So, for some reason, spamd sometimes skips SPF tests.
Is this right?  Would spamd skip some tests for any reason? Load?
Network timeout?

Any pointer is appreciated.

- Raul Dias


On Mon, 2005-06-06 at 17:32 -0300, Raul Dias wrote:
> hi,
>
> Is the SPF code working 100%?
>
> I got a mail from hotmail that did not get any SPF result.
> here is a snippet of the header:
>
> From:  [EMAIL PROTECTED]
> Return-Path: [EMAIL PROTECTED]
> Received: from hotmail.com (bay23-f11.bay23.hotmail.com [64.4.22.61])
>  FOO2*** (8.12.5/8.11.6) with ESMTP id j56K53jT028676 for
>  [EMAIL PROTECTED]; Mon, 6 Jun 2005 17:05:07 -0300
>
>
> Now playing with SPF with dig:
>
> $ dig hotmail.com TXT
> ...
> hotmail.com.            2649    IN      TXT     "v=spf1
> include:spf-a.hotmail.com include:spf-b.hotmail.com
> include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"
> ...
>
> $ dig spf-b.hotmail.com TXT
> ...
> spf-b.hotmail.com.      2669    IN      TXT     "v=spf1
> ip4:199.103.90.0/23 ip4:204.182.144.0/24 ip4:204.255.244.0/23
> ip4:206.138.168.0/21 ip4:64.4.0.0/18 ip4:65.54.128.0/17
> ip4:207.68.128.0/18 ip4:207.68.192.0/20 ip4:207.82.250.0/23
> ip4:207.82.252.0/23 ip4:209.1.112.0/23 ~all"
> ...
>
>
>
> And here it is 64.4.0.0/18, to which 64.4.22.61 belongs.
>
>
> So, my question is why there was no SPF_* result for this entry?
> Is this a bug? Or am I missing the point?
>
> Mail::SPF::Query is the latest one.
>
> Other hotmail messages got the SPF_HELO_PASS fine.
>
>
>
> - Raul Dias
 
 
 
 
-- 
Raul Dias [EMAIL PROTECTED]



Re: How to increase score of URIDNSBL?

2005-06-06 Thread Matt Kettler
List Mail User wrote:

> Again, I apologize for any implied offense - none was intended.  (When
> I mean to say bad things, I think that the archives will show I do not often
> mince my words.)  I only meant to point out I didn't do a thorough check
> because none seemed to be necessary (i.e. keystreams immediately looked to be
> an upright and legitimate company).
>
> Sincerely,
>
> Paul Shupak

I have to admit, I was a bit shocked by your posting Paul. I've never seen you
say anything as nice as:

keystreams. com seems to be a legitimate hosting company

Coming from you, high praise indeed. :)






Re: How to increase score of URIDNSBL?

2005-06-06 Thread Roman Volf




> Roman,
>
> Sorry about any implication that you or keystreams wasn't clean.
> I must have just glazed over your post and responded to Jeff's, saying
> that, indeed, you seemed clean.  Jeff's own later message (I read it
> after responding), pointed out exactly as you said, that keystreams was
> the victim, not a perpetrator.
>
> Sorry;  I just immediately jump to check mode for some posts, and
> you looked immediately clean - and I meant to respond in that way, but not
> offend anyone who might have said differently.  Obviously, I chose the wrong
> side to try not to upset.
>
> Again, I apologize for any implied offense - none was intended.  (When
> I mean to say bad things, I think that the archives will show I do not often
> mince my words.)  I only meant to point out I didn't do a thorough check
> because none seemed to be necessary (i.e. keystreams immediately looked to be
> an upright and legitimate company).
>
> Sincerely,
>
> Paul Shupak
> [EMAIL PROTECTED]
   


No worries. It happens.

--
Roman Volf
Keystreams Internet Solutions
[EMAIL PROTECTED]



Re: How to increase score of URIDNSBL?

2005-06-06 Thread List Mail User
...
> List Mail User wrote:
>
> > Again, I apologize for any implied offense - none was intended.  (When
> > I mean to say bad things, I think that the archives will show I do not often
> > mince my words.)  I only meant to point out I didn't do a thorough check
> > because none seemed to be necessary (i.e. keystreams immediately looked to be
> > an upright and legitimate company).
> >
> > Sincerely,
> >
> > Paul Shupak
>
> I have to admit, I was a bit shocked by your posting Paul. I've never seen you
> say anything as nice as:
>
>    keystreams. com seems to be a legitimate hosting company
>
> Coming from you, high praise indeed. :)

Matt,

I often defend people in private, but I admit I much more commonly
blast people in public.  You haven't seen the private defenses I've made
of known ROKSO spammers to various groups when I felt the wrong person or
organization was being blamed (though I do usually document who I think is
*really* responsible - usually another well-known spammer).

There is a large difference between being not guilty and being
innocent.  I wanted to save Jeff et al. any unneeded effort since indeed
keystreams did not even possibly qualify for SURBLs;  If ChrisS had said
exactly the same thing, I would have dug more, because of the possibility
of being grey, but from what I did dig up, I'm pretty certain I still
wouldn't have found anything bad.

The only reason for quotes around my use of "seems", is that I do
make mistakes - but usually in the other direction (like when I got the
telco for Oslo Norway blacklisted for a day around the world - seems SBC
would/will not put through calls to prefix:1000 - I didn't check well
enough and they have since changed their domain contacts to use a number
that can be called from North America).


Paul Shupak
[EMAIL PROTECTED]


SpamAssassin 3.0.4 Released

2005-06-06 Thread Theo Van Dinter
SpamAssassin 3.0.4 is released!  SpamAssassin 3.0.4 contains several
important bug fixes and is highly recommended for use over previous
versions.

SpamAssassin is a mail filter which uses advanced statistical and
heuristic tests to identify spam (also known as unsolicited bulk email).

Highlights of the release
-------------------------

 - Certain invalid Content-Type headers would cause SpamAssassin to
   incorrectly process parts of the message.

 - Certain long message headers could cause slowness when parsing the message.

 - Added in SURBL JP list.

 - URI anti-obfuscation updates.

 - Additional bug fixes.

Downloading
-----------

You can pick up the release here: http://spamassassin.apache.org/

You can also find it on your favorite CPAN mirror (you may need to
wait a day or so for the release to propagate).

md5sum of archive files:
ba6e1bd95f6f9f3882f73212a11dbe46  Mail-SpamAssassin-3.0.4.tar.bz2
51926fe5aabaf57eed2c09061fe8fb02  Mail-SpamAssassin-3.0.4.tar.gz
657caa6c2f0dfbea79614597b8375c6d  Mail-SpamAssassin-3.0.4.zip

sha1sum of archive files:
60ee3e1fac753ff77ae20ed3932a0d5ae051d1d5  Mail-SpamAssassin-3.0.4.tar.bz2
df37b629ab7b8a3fbb370c16537c59749eac1927  Mail-SpamAssassin-3.0.4.tar.gz
af01cc459a1f8885df872436745725025bdb2f09  Mail-SpamAssassin-3.0.4.zip

The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the wwwkeys.pgp.net key server, as well as
http://spamassassin.apache.org/released/GPG-SIGNING-KEY

The key information is:

pub  1024D/265FA05B 2003-06-09 SpamAssassin Signing Key [EMAIL PROTECTED]
 Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24  F6D7 DEE0 1987 265F A05B

Note:  GnuPG 1.4.0, and possibly 1.3.x versions, seem to have problems
verifying certain signature files, including the type as used for
SpamAssassin releases. If you are running an affected version, please
verify the code using both MD5 and SHA1 sum values instead.

The SpamAssassin Developers




Re[2]: Message that conitinually gets bypassed

2005-06-06 Thread Robert Menschel
Hello Alan,

Monday, June 6, 2005, 6:51:31 AM, you wrote:

AF> Here you go, attached are two.

AF> Keep in mind, if I were to forward this mail to myself, it would get
AF> flagged.   It just seems to be getting by when they send it.

In the copies you attached, there are no Received headers.

> From: George [EMAIL PROTECTED]
> To: Mark Stringer [EMAIL PROTECTED]
> Subject: Attention
> Date: Sun, 5 Jun 2005 16:06:14 -0600
> Message-ID: [EMAIL PROTECTED]
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>  boundary==_NextPart_000_0073_01C56A6C.8E2E5320
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> Thread-Index: AcT9+CUlRgRKMiKZSj+BjT+PHEf8rQ==
>
> Dear Homeowner,

That strongly implies that the message somehow bypassed all email
systems, including yours and any others. It's as if the system which
created the spam dumped it directly onto your system, without going
through any email system.  Therefore SA didn't see it, because SA is
normally called by email systems to check the emails.

If you can figure out why this email reached you without any received
headers, then you're well on the way to solving this problem.

Bob Menschel


AF> -----Original Message-----
AF> From: Robert Menschel [mailto:[EMAIL PROTECTED]
AF> Sent: Thursday, May 26, 2005 6:53 PM
AF> To: Alan Fullmer
AF> Cc: users@spamassassin.apache.org
AF> Subject: Re: Message that conitinually gets bypassed

AF> Hello Alan,

AF> Thursday, May 26, 2005, 9:20:51 AM, you wrote:

AF> I have this message that continually gets by Spam Assassin. The headers
AF> have no indication that SA has even touched it.   I will post the
AF> headers
AF> below, as well as the message.

AF> Unfortunately, you posted the text, and you posted the headers, but
AF> you didn't post the message. Your text says,
AF>   visit our Website
AF> and there's no link anywhere for the sucker to use. We are missing
AF> some very important information, and can't debug your problem properly
AF> without it.

AF> If you had sent the message as a message, attached (forward as
AF> attachment), I'd be able to save your message to my system, run SA
AF> against them, and do an analysis.  I can't do that the way you cut and
AF> pasted the message.

AF> See the just updated
AF> http://wiki.apache.org/spamassassin/DoYouWantMySpam for some other
AF> ideas.

AF> Bob Menschel







-- 
Best regards,
 Robert                          mailto:[EMAIL PROTECTED]




Re: 70_sare_whitelist.cf

2005-06-06 Thread Robert Menschel
Hello Bret,

Monday, June 6, 2005, 12:13:13 PM, you wrote:

BM> The latest 70_sare_whitelist.cf doesn't lint well on the latest 3.1.0
BM> cvs snapshot. It apparently doesn't like the added comment at the end.
BM> Perhaps the comment should be prefixed with # so it doesn't get flagged
BM> as a warning.

Sho'nuff.  Done.  Version 01.00.04 ready for download.

Bob Menschel