Re: cannot open bayes databases

[Anthony DeRobertis]

FYI, I just saw this message after upgrading to Sarge. The solution is to use
db4.2_upgrade on your bayes and AWL dbs.

RE: Outlook plugin

[Steven Manross]

I'd be happy to beta that one..  :)

Steven



I've got something like that in the works.  :)

Hopefully I can get a beta release put out soon, management has OK'ed us
to release
it as GPL software, so I need to do a little documentation and get my
dev to clean
up a few errors and build a vanilla .msi for those that don't have MS
development
tools to compile the code.

The bad part is that it requires a MAPI connection to Exchange public
folders, so it
won't help out folks like Vadym who are using Outlook in POP or IMAP
mode.

--matt

Re: spamcop_uri not working

[List Mail User]

>...
>
>went to this barn on the weekend and was shocked by what goes on inside 
>http://kwiktera.com/maui/five/oh.html its pretty messed up
>
>
>
>
>I'm running sa with amavis-new
>Thanks a lot
>
>
Don't even have to check - kwiktera. com - Brazilian porn - name
servers currently in foracyntro34. com.

Paul Shupak
[EMAIL PROTECTED]

P.S.  The false registration in Canada is new - most are fraudulently
registrered in Ecuador.  The 'MX' of 127.0.0.1 is pretty standard though.

Re: uridnsbl only spamhaus in 3.0.4 ?

[Daryl C. W. O'Shea]

Dallas L. Engelken wrote:

I'm running a more recent snapshot and URI's that are dotted-decimal are
not being reversed and checked properly against uridnsbl lists.  For
example, a test on '202.99.223.139'.


You mean they ARE being lookup up, right?  Not are not?

Daryl

Re: A question

[Matt Yackley]

Irina said:

Hi Irina,

> Thank you all for answering me.
>
> I found one link that may be very interesting
> (http://wiki.apache.org/spamassassin/CustomRulesets)
>
> Next, I thought if there is a place for automatic uploading rules, then may
> be notifying me and I would reload SA.  That is what I asked in my email.
> It is bad that I want to free up my time by using somebody else's rules.
> Sorry, but may be someone shares.

Don't worry about using other people's rules, thats why we released them :)  The
more people that use them the better I say.

If you find some of the custom rulesets that you like, RulesDuJour (RDJ) can be 
a
big help.  You can set it up to run via a cron job once per day, tell it which
custom sets you want to use and it will go out and check for updated sets.  You 
can
have it automatically update your copy of the file and then restart 
spamd/amavis/etc
and email you a notice of which sets were updated.

I think this link was posted already. but just in case:
http://www.exit0.us/index.php?pagename=RulesDuJour

Also, some of us need to update the SA wiki custom rules page, due to new sets 
that
are not listed there at this time.

Check out http://www.rulesemporium.com for more rules by the SARE Ninjas and if 
you
haven't found it yet take a peek at http://www.exit0.us/ for more rules and 
other
tips

If you do decide to run any custom sets, make sure to check them to see if they 
are
applicable to your systems and then add them in one or two at a time to make 
sure
that you don't have any problems.

> I also have NOT used Bayes.  Don't know how safe it is.  Would I just submit
> a spam message and I don't have to anything else, or ham the same way?  Not
> sure.
>
> Thank you again.
> Let me know what you think.
>

Cheers,

matt

RE: uridnsbl only spamhaus in 3.0.4 ?

[Dallas L. Engelken]

> 
> It wants to query the domain: 212.203.31.2 It does so here:
> 
> debug: URIDNSBL: query for 212.203.31.2 took 1 seconds to 
> look up (sbl.spamhaus.org.:2.31.203.212)
> debug: URIDNSBL: queries completed: 1 started: 0
> debug: URIDNSBL: queries active:  at Tue Jun  7 18:10:32 2005
> 
> So, why is URIDNSBL only asking sbl.spamhaus.org ?
> If i replace that ip with 127.0.0.2, spamassassin tells me this:
>  *  0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
>  *  [URIs: 127.0.0.2]
> 
> So it does work, but only for sbl.spamhaus.org.
> This is the odd thing, because in 25_uribl.cf all the 
> surbl.org's are enabled too.
> And in local.cf I added multi.uribl.com as well. Those are 
> not queried.
> 
> It only does this with IPs. Urls are checked against all the 
> uridnsbl's.
> 

I'm not sure exactly when it was corrected in the trunk, but
dotted-decimal URI's are not scanned against anything but SBL in prior
to and including 3.0.4  I think 3.0.4 still has the NS lookup issue
I reported back in november also
(http://mail-archives.apache.org/mod_mbox/spamassassin-dev/200411.mbox/%
[EMAIL PROTECTED]), but I
havent checked for a while.

I'm running a more recent snapshot and URI's that are dotted-decimal are
not being reversed and checked properly against uridnsbl lists.  For
example, a test on '202.99.223.139'.

#

x-spam-report shows...

# echo -e "From: dallase\n\nhttp://202.99.223.139/help/\n " | spam
X-Spam-Report:
*  0.0 MISSING_DATE Missing Date: header
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
*  0.1 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address
in URL
*  1.4 DOMAIN_RATIO BODY: Message body mentions many internet
domains
*  1.8 URIBL_SBL Contains an URL listed in the SBL blocklist
*  [URIs: 202.99.223.139]
*  2.4 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*  [URIs: 202.99.223.139]
*  3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL
blocklist
*  [URIs: 202.99.223.139]
*  1.2 URIBL_PH_SURBL Contains an URL listed in the PH SURBL
blocklist
*  [URIs: 202.99.223.139]
*  1.0 TO_CC_NONE No To: or Cc: header
*  1.6 MISSING_SUBJECT Missing Subject: header
* -0.0 NO_RECEIVED Informational: message has no Received
headers
* -2.6 AWL AWL: From: address is in the auto white-list


tcpdump shows...

21:30:50.992486 dev.nmgi.com.32879 > main.nmgi.com.domain:  32762+ TXT?
139.223.99.202.sbl.spamhaus.org. (49) (DF)
21:30:50.994192 dev.nmgi.com.32879 > main.nmgi.com.domain:  32763+ A?
139.223.99.202.multi.uribl.com. (48) (DF)
21:30:50.995491 dev.nmgi.com.32879 > main.nmgi.com.domain:  32764+ A?
139.223.99.202.multi.surbl.org. (48) (DF)
21:30:51.033813 main.nmgi.com.domain > dev.nmgi.com.32879:  32762 1/0/0
(114)
21:30:51.281404 main.nmgi.com.domain > dev.nmgi.com.32879:  32764 1/0/0
(64)
21:30:53.064747 main.nmgi.com.domain > dev.nmgi.com.32879:  32763 1/4/0
(128)

spamd debug shows...

@400042a6586503d675c4 [4884] dbg: uridnsbl: domain "202.99.223.139"
listed (URIBL_SBL):
"http://www.spamhaus.org/SBL/sbl.lasso?query=SBL27327";
@400042a6586510ea6fcc [4884] dbg: uridnsbl: domain "202.99.223.139"
listed (URIBL_PH_SURBL): 127.0.0.10
@400042a6586510f0a98c [4884] dbg: uridnsbl: domain "202.99.223.139"
listed (URIBL_SC_SURBL): 127.0.0.10
@400042a65867040eb81c [4884] dbg: uridnsbl: domain "202.99.223.139"
listed (URIBL_BLACK): 127.0.0.2
@400042a65867056e3c64 [4884] dbg: check:
tests=AWL,DOMAIN_RATIO,MISSING_DATE,MISSING_SUBJECT,NORMAL_HTTP_TO_IP,NO
_RECEIVED,NO_RELAYS,TO_CC_NONE,URIBL_BLACK,URIBL_PH_SURBL,URIBL_SBL,URIB
L_SC_SURBL
@400042a658670602d374 [4884] info: spamd: result: Y 10 -
AWL,DOMAIN_RATIO,MISSING_DATE,MISSING_SUBJECT,NORMAL_HTTP_TO_IP,NO_RECEI
VED,NO_RELAYS,TO_CC_NONE,URIBL_BLACK,URIBL_PH_SURBL,URIBL_SBL,URIBL_SC_S
URBL
scantime=2.2,size=45,user=root,uid=200,required_score=5.0,rhost=localhos
t,raddr=127.0.0.1,rport=51712,mid=(unknown),autolearn=no

##

I recommend running the trunk, it handles dotted-decimal Ips now, better
redirect detection, as well as standalone domains that do not have
http:// in front of them, plus numerous other uri detection additions
and fixes.

D

Re: Outlook plugin

[Matt Yackley]

Steven Dickenson said:
> Vadym Chepkov wrote:
>> I have read ResendingMailWithHeaders document and I couldn't find is there a
>> plug-in available for
>> Outlook so you can provide a feedback to Bayes just by pressing 'Spam' or 
>> 'Ham'
>> buttons? Thank
>> you.
>
> Nothing I've found yet.
>
> This page comes close:
> http://www.peculiarities.com/code/outlook.html
>
> It has code to "report" spam or ham or an Outlook public folder.  When
> used in conjunction with Exchange, you can run sa-learn on the public
> folder through IMAP.  Problem is the code is basically a VBA macro.  To
> make it really useful, someone would need to turn it into an Outlook
> add-in that creates commandbar icons and probably right-click menu options.
>
> Anyway care to take this task on?
>
> - S
>

I've got something like that in the works.  :)

Hopefully I can get a beta release put out soon, management has OK'ed us to 
release
it as GPL software, so I need to do a little documentation and get my dev to 
clean
up a few errors and build a vanilla .msi for those that don't have MS 
development
tools to compile the code.

The bad part is that it requires a MAPI connection to Exchange public folders, 
so it
won't help out folks like Vadym who are using Outlook in POP or IMAP mode.

--matt

Re: A question

[Jim Knuth]

Hallo und guten Morgen jdow,

Heute (am 08.06.2005 - 03:42 Uhr)
   schriebst Du: 

> I think it comes from Yiddish.

maybe ;) ... long time ago

kiebitzen = in German = ueber die Schulter schauen - jemand was
abgucken


-- 
Viele Grüße, Kind regards,
 Jim Knuth
 [EMAIL PROTECTED]
 ICQ #277289867
 PGP Fingerprint: 
 54C9 1A46 D3B2 95B6 454D 
 74FA AC73 773E 1F78 066F
--
Zufalls-Zitat
--
Die große Frage, die ich trotz meines dreißigjährigen Studiums
der weiblichen Seele nicht zu beantworten vermag, lautet: 'Was
will eine Frau eigentlich?' [Sigmund Freud]
--
Der Text hat nichts mit dem Empfänger der Mail zu tun
--

Virus free. Checked by NOD32 Version 1.1132 Update 07.06.2005

Re: A question

[jdow]

From: "Irina" <[EMAIL PROTECTED]>


> Hello Joanne,
> I am not really sure what you meant by
> kibitz the SARE process
>
> Sorry, English is not my native language and some words don't go together.

Kibitz is what onlookers do behind the chess player's backs second
guessing their efforts. I think it comes from Yiddish. (They seem to
have a lot of fun colorful words for so many things it's boring to
express in English.)

> If you mean I would share my rules?  I don't mind at all.  But first I
would

That is good. More ninjas (rule authors) is a good thing.

{^_-}

spamcop_uri not working

[Kern, Tom]

I keep getting spam with url's of know spammers but i never see the email 
tagged or blocked.

i'm running sa 2.63(yeah, i know i gotta upgrade) and i block the mail with a 
score of 4 and tag at 3.
spamcop_uri's score is 4 by default and yet nothing gets blocked or even tagged.
here's a sample email-

Doesn't "expecting the unexpected" make the unexpected expected?

went to this barn on the weekend and was shocked by what goes on inside 
http://kwiktera.com/maui/five/oh.html its pretty messed up




I'm running sa with amavis-new
Thanks a lot

Re: Outlook plugin

[Steven Dickenson]

Vadym Chepkov wrote:

I have read ResendingMailWithHeaders document and I couldn't find is there a 
plug-in available for
Outlook so you can provide a feedback to Bayes just by pressing 'Spam' or 'Ham' 
buttons? Thank
you.


Nothing I've found yet.

This page comes close:
http://www.peculiarities.com/code/outlook.html

It has code to "report" spam or ham or an Outlook public folder.  When 
used in conjunction with Exchange, you can run sa-learn on the public 
folder through IMAP.  Problem is the code is basically a VBA macro.  To 
make it really useful, someone would need to turn it into an Outlook 
add-in that creates commandbar icons and probably right-click menu options.


Anyway care to take this task on?

- S

Re: Outlook plugin

[Vadym Chepkov]

Hi

It's Outlook XP. FreeBSD server runs SpamAssassin-3.0.1, access to the 
mailboxes through 
qpopper-4.0.5 (POP).

--- Matt Yackley <[EMAIL PROTECTED]> wrote:

> Vadym Chepkov said:
> > Hi,
> >
> > I have read ResendingMailWithHeaders document and I couldn't find is there 
> > a plug-in
> > available for
> > Outlook so you can provide a feedback to Bayes just by pressing 'Spam' or 
> > 'Ham'
> > buttons? Thank
> > you.
> >
> > Sincerely,
> > Vadym Chepkov
> 
> Hi Vadym,
> 
> What version of Outlook are you using, full or Express? If full Outlook is it 
> 98,
> 2000, 2003, etc.?
> 
> Are you using it to connect to a POP3 or IMAP server or are you using it in an
> Exchange setup via MAPI?
> 
> --matt
> 


Sincerely yours,
  Vadym Chepkov

Re: Outlook plugin

[Matt Yackley]

Vadym Chepkov said:
> Hi,
>
> I have read ResendingMailWithHeaders document and I couldn't find is there a 
> plug-in
> available for
> Outlook so you can provide a feedback to Bayes just by pressing 'Spam' or 
> 'Ham'
> buttons? Thank
> you.
>
> Sincerely,
> Vadym Chepkov

Hi Vadym,

What version of Outlook are you using, full or Express? If full Outlook is it 
98,
2000, 2003, etc.?

Are you using it to connect to a POP3 or IMAP server or are you using it in an
Exchange setup via MAPI?

--matt

Re: A question

[Kelson]

Irina wrote:

We don't use SURBL network tests because we use RBL lists from mail server
itself.


SURBL works differently.  Most RBLs are designed to check the sending 
server (usually by IP address).  SURBLs look at links embedded in the 
messages themselves.


For example, if I include a link to http://www.example.com/ in this 
message, a SURBL will check example.com, but a standard RBL will check 
the IP address of mail.apache.org (since that's the server that will 
probably send you this message).


--
Kelson Vibber
SpeedGate Communications 

Re: A question

[Kelson]

Irina wrote:

I also have NOT used Bayes.  Don't know how safe it is.  Would I just submit
a spam message and I don't have to anything else, or ham the same way?  Not
sure.


Some people have problems with Bayes, but many find that it does help a 
lot.  It does require you to train it with both spam and ham, and if you 
enable autolearn, it may be worth setting the config item 
bayes_auto_learn_threshold_nonspam to 0 to avoid poisoning it with new 
spam that doesn't trip any rules.


In short, Bayes works by finding the trends in both spam and ham, then 
comparing each new message to those trends.  It needs to be able to 
compare junk mail to legit mail in order to determine that, for example, 
"pills" is more likely to show up in spam, "the" is neutral, and "ninja" 
is more likely to show up in personal correspondence.


--
Kelson Vibber
SpeedGate Communications 

Re: A question

[Irina]

Hello Joanne,
I am not really sure what you meant by
kibitz the SARE process

Sorry, English is not my native language and some words don't go together.
If you mean I would share my rules?  I don't mind at all.  But first I would
like to rewrite them as I mentioned in my previous email, so rules that were
not caught for the last month would not be included (I've been collecting
spam for a month).  I also said that they are not perfect and can slow down
the process of emails on a heavy mail server.  Our mail server is a busy
server and when we are really hit with spam...  that is why I am looking
into redoing and optimizing them as fast as possible :-)
Most of them contain links, also phrases and misspells inside the message
and misspells on subjects.


Irina
===

- Original Message -
From: "jdow" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, June 07, 2005 7:55 PM
Subject: Re: A question


> From: "Rick Macdougall" <[EMAIL PROTECTED]>
> > Irina wrote:
> >
> > >Thank you all for answering me.
> > >
> > >I found one link that may be very interesting
> > >(http://wiki.apache.org/spamassassin/CustomRulesets)
> > >
> > >
> > >
> > >I first should mention, I am a new SUBSCRIBER, not a new user to SA.  I
> have
> > >been using it for a couple of years.  Over that period I have created
> > >thousands of LOCAL_ rules (if I go and grep on describe or score in
> > >/etc/mail/spamassassin :-).  If you only saw my MISSPELLES.  The
bad
> > >thing I was not writing it professionally, as I used \d+ for example,
or
> too
> > >many | inside one rule.  In short, they work, but not polished.
> > >
> > >What I found that creating own rules can be so competitive with a new
> spam
> > >coming in.  As you know spam messages change every minute or so.  What
I
> am
> > >trying to achieve?  Free up my time.  There are few things I've thought
> > >about.
> > >
> > >I have been collecting spam (before discarding) for almost a month.
> Wrote a
> > >little program to rewrite LOCAL_ rules that were found and will not
> recreate
> > >the ones that were not caught.  And I am about to redo all.
> > >
> > >Next, I thought if there is a place for automatic uploading rules, then
> may
> > >be notifying me and I would reload SA.  That is what I asked in my
email.
> > >It is bad that I want to free up my time by using somebody else's
rules.
> > >Sorry, but may be someone shares.
> > >
> > >I also have NOT used Bayes.  Don't know how safe it is.  Would I just
> submit
> > >a spam message and I don't have to anything else, or ham the same way?
> Not
> > >sure.
> > >
> > >Thank you again.
> > >Let me know what you think.
> > >
> > >
> > >
> > Hi  Irina,
>
> > You should not feel bad for using the RDJ rulesets (other people's
> > rules) and you should also look into using Bayes as it can help
> > dramatically.
>
> Proud is a term that comes to mind if they work. And if she has gotten
> at all adept at it maybe she'd like to at least kibitz the SARE process
> and submit new rules ideas she has.
>
> {^_-}   Joanne
>
>
>

Re: A question

[Irina]

Rick, nice to hear good words about NetAccess.  I will definitely say hello
to Gary and Tim.  You must have left long ago (I have been with NetAccess
with more than for 5 years).

As of SA we use.

I will look into using RDJ rulesets since nobody minds :-)  And Bayes as
well.

We don't use SURBL network tests because we use RBL lists from mail server
itself.

Thank you very much for offering a help if needed.


Irina
=






- Original Message -
From: "Rick Macdougall" <[EMAIL PROTECTED]>
To: "Irina" <[EMAIL PROTECTED]>
Cc: 
Sent: Tuesday, June 07, 2005 7:13 PM
Subject: Re: A question


> Irina wrote:
>
> >Thank you all for answering me.
> >
> >I found one link that may be very interesting
> >(http://wiki.apache.org/spamassassin/CustomRulesets)
> >
> >
> >
> >I first should mention, I am a new SUBSCRIBER, not a new user to SA.  I
have
> >been using it for a couple of years.  Over that period I have created
> >thousands of LOCAL_ rules (if I go and grep on describe or score in
> >/etc/mail/spamassassin :-).  If you only saw my MISSPELLES.  The bad
> >thing I was not writing it professionally, as I used \d+ for example, or
too
> >many | inside one rule.  In short, they work, but not polished.
> >
> >What I found that creating own rules can be so competitive with a new
spam
> >coming in.  As you know spam messages change every minute or so.  What I
am
> >trying to achieve?  Free up my time.  There are few things I've thought
> >about.
> >
> >I have been collecting spam (before discarding) for almost a month.
Wrote a
> >little program to rewrite LOCAL_ rules that were found and will not
recreate
> >the ones that were not caught.  And I am about to redo all.
> >
> >Next, I thought if there is a place for automatic uploading rules, then
may
> >be notifying me and I would reload SA.  That is what I asked in my email.
> >It is bad that I want to free up my time by using somebody else's rules.
> >Sorry, but may be someone shares.
> >
> >I also have NOT used Bayes.  Don't know how safe it is.  Would I just
submit
> >a spam message and I don't have to anything else, or ham the same way?
Not
> >sure.
> >
> >Thank you again.
> >Let me know what you think.
> >
> >
> >
> Hi  Irina,
>
> I'm an ex-NAS user myself (left because the ISP I work for now had DSL
> for me for free, no other reason.).
>
> You should not feel bad for using the RDJ rulesets (other people's
> rules) and you should also look into using Bayes as it can help
> dramatically.
>
> I hope you are also using the SURBL network tests at that will also
> catch about 80% of the spam that comes in.
>
> If you need any help with anything SA related,  feel free to ask and you
> can call me directly (I'm up by King's Forest).
>
> Say Hi to Gary and Tim for me and tell Gary that I found a good home for
> the servers I offered him.
>
> Regards,
>
> Rick
>
>

Re: Outlook plugin

[Matt Kettler]

Vadym Chepkov wrote:
> Hi,
> 
> I have read ResendingMailWithHeaders document and I couldn't find is there a 
> plug-in available for
> Outlook so you can provide a feedback to Bayes just by pressing 'Spam' or 
> 'Ham' buttons? Thank
> you.

Not that I'm aware of.

Re: A question

[Rick Macdougall]

jdow wrote:


From: "Rick Macdougall" <[EMAIL PROTECTED]>
 


Irina wrote:

   


Thank you all for answering me.

I found one link that may be very interesting
(http://wiki.apache.org/spamassassin/CustomRulesets)



I first should mention, I am a new SUBSCRIBER, not a new user to SA.  I
 


have
 


been using it for a couple of years.  Over that period I have created
thousands of LOCAL_ rules (if I go and grep on describe or score in
/etc/mail/spamassassin :-).  If you only saw my MISSPELLES.  The bad
thing I was not writing it professionally, as I used \d+ for example, or
 


too
 


many | inside one rule.  In short, they work, but not polished.

What I found that creating own rules can be so competitive with a new
 


spam
 


coming in.  As you know spam messages change every minute or so.  What I
 


am
 


trying to achieve?  Free up my time.  There are few things I've thought
about.

I have been collecting spam (before discarding) for almost a month.
 


Wrote a
 


little program to rewrite LOCAL_ rules that were found and will not
 


recreate
 


the ones that were not caught.  And I am about to redo all.

Next, I thought if there is a place for automatic uploading rules, then
 


may
 


be notifying me and I would reload SA.  That is what I asked in my email.
It is bad that I want to free up my time by using somebody else's rules.
Sorry, but may be someone shares.

I also have NOT used Bayes.  Don't know how safe it is.  Would I just
 


submit
 


a spam message and I don't have to anything else, or ham the same way?
 


Not
 


sure.

Thank you again.
Let me know what you think.



 


Hi  Irina,
   



 


You should not feel bad for using the RDJ rulesets (other people's
rules) and you should also look into using Bayes as it can help
dramatically.
   



Proud is a term that comes to mind if they work. And if she has gotten
at all adept at it maybe she'd like to at least kibitz the SARE process
and submit new rules ideas she has.

{^_-}   Joanne
 



Perhaps a new Ninja to add to the fold :)

Regards,

Rick (resident Samurai)

Re: 3.0.4 scores

[Theo Van Dinter]

On Wed, Jun 08, 2005 at 01:39:46AM +0200, wolfgang wrote:
> thanks. I understand this
> - was only a "labelling" problem
> - has been fixed in 3.0.4.

Yes.

-- 
Randomly Generated Tagline:
No, I do not know what the Schadenfreude is.  Please tell me, because
 I'm dying to know.
 
-- Homer Simpson
   When Flanders Failed


pgpsiXO1LRhIx.pgp
Description: PGP signature

Re: A question

[jdow]

From: "Rick Macdougall" <[EMAIL PROTECTED]>
> Irina wrote:
>
> >Thank you all for answering me.
> >
> >I found one link that may be very interesting
> >(http://wiki.apache.org/spamassassin/CustomRulesets)
> >
> >
> >
> >I first should mention, I am a new SUBSCRIBER, not a new user to SA.  I
have
> >been using it for a couple of years.  Over that period I have created
> >thousands of LOCAL_ rules (if I go and grep on describe or score in
> >/etc/mail/spamassassin :-).  If you only saw my MISSPELLES.  The bad
> >thing I was not writing it professionally, as I used \d+ for example, or
too
> >many | inside one rule.  In short, they work, but not polished.
> >
> >What I found that creating own rules can be so competitive with a new
spam
> >coming in.  As you know spam messages change every minute or so.  What I
am
> >trying to achieve?  Free up my time.  There are few things I've thought
> >about.
> >
> >I have been collecting spam (before discarding) for almost a month.
Wrote a
> >little program to rewrite LOCAL_ rules that were found and will not
recreate
> >the ones that were not caught.  And I am about to redo all.
> >
> >Next, I thought if there is a place for automatic uploading rules, then
may
> >be notifying me and I would reload SA.  That is what I asked in my email.
> >It is bad that I want to free up my time by using somebody else's rules.
> >Sorry, but may be someone shares.
> >
> >I also have NOT used Bayes.  Don't know how safe it is.  Would I just
submit
> >a spam message and I don't have to anything else, or ham the same way?
Not
> >sure.
> >
> >Thank you again.
> >Let me know what you think.
> >
> >
> >
> Hi  Irina,

> You should not feel bad for using the RDJ rulesets (other people's
> rules) and you should also look into using Bayes as it can help
> dramatically.

Proud is a term that comes to mind if they work. And if she has gotten
at all adept at it maybe she'd like to at least kibitz the SARE process
and submit new rules ideas she has.

{^_-}   Joanne

Re: spamcop_uri not working

[Matt Kettler]

Kern, Tom wrote:
> I keep getting spam with url's of know spammers but i never see the email 
> tagged or blocked.
> 
> i'm running sa 2.63(yeah, i know i gotta upgrade)

Yeah, really soon. You've got a remote DoS vulnerability in your mime parser.
(2.64 and higher are immune)

 and i block the mail with a score of 4 and tag at 3.
> spamcop_uri's score is 4 by default and yet nothing gets blocked or even 
> tagged.
> here's a sample email-

1) do you have /etc/mail/spamassassin/spamcop_uri.cf ?

2) does spamassassin --lint run cleanly?

Does this weblink fire off the SC test?

http://surbl-org-permanent-test-point.com/

Outlook plugin

[Vadym Chepkov]

Hi,

I have read ResendingMailWithHeaders document and I couldn't find is there a 
plug-in available for
Outlook so you can provide a feedback to Bayes just by pressing 'Spam' or 'Ham' 
buttons? Thank
you.

Sincerely,
Vadym Chepkov

Re: 3.0.4 scores

[wolfgang]

In an older episode (Wednesday 08 June 2005 00:54), Theo Van Dinter wrote:
> On Wed, Jun 08, 2005 at 12:50:59AM +0200, wolfgang wrote:
> Per the Changes file, the full information is in Bugzilla bug 4367:
> 
> http://bugzilla.spamassassin.org/show_bug.cgi?id=4367
> 
> The short version is that the SpamAssassin rule names didn't match the SORBS
> result codes.

thanks. I understand this
- was only a "labelling" problem
- has been fixed in 3.0.4.

correct me if I am wrong here,

regards,

wolfgang

spamcop_uri not working

[Kern, Tom]

I keep getting spam with url's of know spammers but i never see the email 
tagged or blocked.

i'm running sa 2.63(yeah, i know i gotta upgrade) and i block the mail with a 
score of 4 and tag at 3.
spamcop_uri's score is 4 by default and yet nothing gets blocked or even tagged.
here's a sample email-

Doesn't "expecting the unexpected" make the unexpected expected?

went to this barn on the weekend and was shocked by what goes on inside 
http://kwiktera.com/maui/five/oh.html its pretty messed up




I'm running sa with amavis-new
Thanks a lot

Re: A question

[Rick Macdougall]

Irina wrote:


Thank you all for answering me.

I found one link that may be very interesting
(http://wiki.apache.org/spamassassin/CustomRulesets)



I first should mention, I am a new SUBSCRIBER, not a new user to SA.  I have
been using it for a couple of years.  Over that period I have created
thousands of LOCAL_ rules (if I go and grep on describe or score in
/etc/mail/spamassassin :-).  If you only saw my MISSPELLES.  The bad
thing I was not writing it professionally, as I used \d+ for example, or too
many | inside one rule.  In short, they work, but not polished.

What I found that creating own rules can be so competitive with a new spam
coming in.  As you know spam messages change every minute or so.  What I am
trying to achieve?  Free up my time.  There are few things I've thought
about.

I have been collecting spam (before discarding) for almost a month.  Wrote a
little program to rewrite LOCAL_ rules that were found and will not recreate
the ones that were not caught.  And I am about to redo all.

Next, I thought if there is a place for automatic uploading rules, then may
be notifying me and I would reload SA.  That is what I asked in my email.
It is bad that I want to free up my time by using somebody else's rules.
Sorry, but may be someone shares.

I also have NOT used Bayes.  Don't know how safe it is.  Would I just submit
a spam message and I don't have to anything else, or ham the same way?  Not
sure.

Thank you again.
Let me know what you think.

 


Hi  Irina,

I'm an ex-NAS user myself (left because the ISP I work for now had DSL 
for me for free, no other reason.).


You should not feel bad for using the RDJ rulesets (other people's 
rules) and you should also look into using Bayes as it can help 
dramatically.


I hope you are also using the SURBL network tests at that will also 
catch about 80% of the spam that comes in.


If you need any help with anything SA related,  feel free to ask and you 
can call me directly (I'm up by King's Forest).


Say Hi to Gary and Tim for me and tell Gary that I found a good home for 
the servers I offered him.


Regards,

Rick

Re: A question

[Irina]

Thank you all for answering me.

I found one link that may be very interesting
(http://wiki.apache.org/spamassassin/CustomRulesets)



I first should mention, I am a new SUBSCRIBER, not a new user to SA.  I have
been using it for a couple of years.  Over that period I have created
thousands of LOCAL_ rules (if I go and grep on describe or score in
/etc/mail/spamassassin :-).  If you only saw my MISSPELLES.  The bad
thing I was not writing it professionally, as I used \d+ for example, or too
many | inside one rule.  In short, they work, but not polished.

What I found that creating own rules can be so competitive with a new spam
coming in.  As you know spam messages change every minute or so.  What I am
trying to achieve?  Free up my time.  There are few things I've thought
about.

I have been collecting spam (before discarding) for almost a month.  Wrote a
little program to rewrite LOCAL_ rules that were found and will not recreate
the ones that were not caught.  And I am about to redo all.

Next, I thought if there is a place for automatic uploading rules, then may
be notifying me and I would reload SA.  That is what I asked in my email.
It is bad that I want to free up my time by using somebody else's rules.
Sorry, but may be someone shares.

I also have NOT used Bayes.  Don't know how safe it is.  Would I just submit
a spam message and I don't have to anything else, or ham the same way?  Not
sure.

Thank you again.
Let me know what you think.

Irina Kalachnikova
Systems Programmer
NetAccess Systems Inc.
[EMAIL PROTECTED]
===



- Original Message -
From: "Matt Kettler" <[EMAIL PROTECTED]>
To: "Irina" <[EMAIL PROTECTED]>
Cc: 
Sent: Tuesday, June 07, 2005 5:40 PM
Subject: Re: A question


> Irina wrote:
> > Hello at SA list.
> >
> > I am a new subscriber - don't get angry if I did something wrong :-)
> >
> >
> > 1.   Is there any place and/or are there any tools that are available
> > for updating SA rules automatically (on FreeBSD)?
>
> http://www.exit0.us/index.php?pagename=RulesDuJour
>
> Note: this is intended to update add-on rulesets.
>
> The only way to update the standard rules is to install the new version of
SA.
> To understand why you can't upgrade the standard rules without upgrading
SA read:
> http://wiki.apache.org/spamassassin/VirusScannerTypeUpdates
>
> Although SA 3.0 and higher use a perceptron instead of a genetic algorithm
to
> tally scores, the overall process is much the same and still takes about
the
> same amount of time because the mass-check runs take a long time to run.
>
> >
> > 2.   What can I use to check on SA configuration from a Perl program
> > (spamassassin --lint)?
>
> Stolen straight from the spamassassin code:
>
> # create the tester factory
> my $spamtest = new Mail::SpamAssassin(
>   {
> rules_filename  => $opt{'configpath'},
> site_rules_filename => $opt{'siteconfigpath'},
> userprefs_filename  => $opt{'prefspath'},
> local_tests_only=> $opt{'local'},
> debug   => defined( $opt{'debug-level'} ),
> dont_copy_prefs => ( $opt{'create-prefs'} ? 0 : 1 ),
> PREFIX  => $PREFIX,
> DEF_RULES_DIR   => $DEF_RULES_DIR,
> LOCAL_RULES_DIR => $LOCAL_RULES_DIR,
>   }
> );
>
> 
>
> if ( $opt{'lint'} ) {
>   $spamtest->debug_diagnostics();
>   my $res = $spamtest->lint_rules();
>   warn "lint: $res issues detected.  please rerun with debug enabled for
more
> information.\n" if ($res);
>   exit $res ? 1: 0;
> }
>

Re: 3.0.4 scores

[Theo Van Dinter]

On Wed, Jun 08, 2005 at 12:50:59AM +0200, wolfgang wrote:
> sorry, not being an native english speaker, Isimply don't understand what 
> this 
> is about, could someone re-phrase that?

Per the Changes file, the full information is in Bugzilla bug 4367:

http://bugzilla.spamassassin.org/show_bug.cgi?id=4367

The short version is that the SpamAssassin rule names didn't match the SORBS
result codes.

-- 
Randomly Generated Tagline:
Lockwood's Long Shot:
The chances of getting eaten up by a lion on Main Street
aren't one in a million, but once would be enough.


pgptukSzzkhfy.pgp
Description: PGP signature

Re: 3.0.4 scores

[wolfgang]

In an older episode (Tuesday 07 June 2005 22:17), Theo Van Dinter wrote:
> On Tue, Jun 07, 2005 at 04:13:48PM -0400, Pete O'Hara wrote:
> > I ran a diff on the scores between 3.0.3 and 3.0.4 and it looks like 
> > RCVD_IN_SORBS_MISC, RCVD_IN_SORBS_SOCKS and  RCVD_IN_SORBS_SMTP scores 
> > played some musical chairs or am I not seeing this correctly?
> 
> Yes, they did.  The SORBS results apparently got changed at some point,
> so our naming was off.

sorry, not being an native english speaker, Isimply don't understand what this 
is about, could someone re-phrase that?

thanks,

wolfgang

Re: A question

[Matt Kettler]

Irina wrote:
> Hello at SA list.
>  
> I am a new subscriber - don't get angry if I did something wrong :-)
>  
>  
> 1.   Is there any place and/or are there any tools that are available
> for updating SA rules automatically (on FreeBSD)?

http://www.exit0.us/index.php?pagename=RulesDuJour

Note: this is intended to update add-on rulesets.

The only way to update the standard rules is to install the new version of SA.
To understand why you can't upgrade the standard rules without upgrading SA 
read:
http://wiki.apache.org/spamassassin/VirusScannerTypeUpdates

Although SA 3.0 and higher use a perceptron instead of a genetic algorithm to
tally scores, the overall process is much the same and still takes about the
same amount of time because the mass-check runs take a long time to run.

>  
> 2.   What can I use to check on SA configuration from a Perl program
> (spamassassin --lint)?

Stolen straight from the spamassassin code:

# create the tester factory
my $spamtest = new Mail::SpamAssassin(
  {
rules_filename  => $opt{'configpath'},
site_rules_filename => $opt{'siteconfigpath'},
userprefs_filename  => $opt{'prefspath'},
local_tests_only=> $opt{'local'},
debug   => defined( $opt{'debug-level'} ),
dont_copy_prefs => ( $opt{'create-prefs'} ? 0 : 1 ),
PREFIX  => $PREFIX,
DEF_RULES_DIR   => $DEF_RULES_DIR,
LOCAL_RULES_DIR => $LOCAL_RULES_DIR,
  }
);



if ( $opt{'lint'} ) {
  $spamtest->debug_diagnostics();
  my $res = $spamtest->lint_rules();
  warn "lint: $res issues detected.  please rerun with debug enabled for more
information.\n" if ($res);
  exit $res ? 1: 0;
}

A question

[Irina]

Hello at SA list.
 
I am a new subscriber - don't get angry if I did 
something wrong :-)
 
 
1.   Is there any place and/or are there 
any tools that are available for updating SA rules automatically (on 
FreeBSD)?
 
2.   What can I use to check on SA 
configuration from a Perl program (spamassassin --lint)?
 
 
Thank you for your help in advance
Irina

Re: 3.0.4 scores

[Theo Van Dinter]

On Tue, Jun 07, 2005 at 04:13:48PM -0400, Pete O'Hara wrote:
> I ran a diff on the scores between 3.0.3 and 3.0.4 and it looks like 
> RCVD_IN_SORBS_MISC, RCVD_IN_SORBS_SOCKS and  RCVD_IN_SORBS_SMTP scores 
> played some musical chairs or am I not seeing this correctly?

Yes, they did.  The SORBS results apparently got changed at some point,
so our naming was off.

-- 
Randomly Generated Tagline:
You are not my son!
 
-- Homer Simpson
   Boy-Scoutz n the Hood


pgpyu02knlsnh.pgp
Description: PGP signature

3.0.4 scores

[Pete O'Hara]

Hi,
I ran a diff on the scores between 3.0.3 and 3.0.4 and it looks like 
RCVD_IN_SORBS_MISC, RCVD_IN_SORBS_SOCKS and  RCVD_IN_SORBS_SMTP scores 
played some musical chairs or am I not seeing this correctly?


Pete

[EMAIL PROTECTED]> diff -u Mail-SpamAssassin-3.0.3/rules/50_scores.cf 
Mail-SpamAssassin-3.0.4/rules/50_scores.cf
--- Mail-SpamAssassin-3.0.3/rules/50_scores.cf  2005-04-27 
16:47:40.0 -0400
+++ Mail-SpamAssassin-3.0.4/rules/50_scores.cf  2005-06-05 
21:31:24.0 -0400

@@ -502,9 +502,9 @@
score RCVD_IN_SORBS_BLOCK 0
score RCVD_IN_SORBS_DUL 0 0.137 0 1.987
score RCVD_IN_SORBS_HTTP 0 0 0 0.043
-score RCVD_IN_SORBS_MISC 0 0 0 0.338
-score RCVD_IN_SORBS_SMTP 0 1.597 0 2.493
-score RCVD_IN_SORBS_SOCKS 0 1.847 0 2.054
+score RCVD_IN_SORBS_SOCKS 0 0 0 0.338
+score RCVD_IN_SORBS_MISC 0 1.597 0 2.493
+score RCVD_IN_SORBS_SMTP 0 1.847 0 2.054
score RCVD_IN_SORBS_WEB 0 0 0 0.007
score RCVD_IN_SORBS_ZOMBIE 0 0.819 0 0
score RCVD_IN_XBL 0 2.511 0 3.076
@@ -693,6 +693,7 @@
# URIDNSBL
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
score URIBL_AB_SURBL 0 2.007 0 0.417
+score URIBL_JP_SURBL 0 1.539 0 2.462
score URIBL_OB_SURBL 0 1.996 0 3.213
score URIBL_PH_SURBL 0 0.839 0 2.000
score URIBL_SBL 0 0.629 0 0.996
[EMAIL PROTECTED]>

Re: Is SPF working 100%? Problems with hotmail.com

[Raul Dias]

On Tue, 2005-06-07 at 12:49 -0500, David B Funk wrote:
> On Tue, 7 Jun 2005, Raul Dias wrote:
> 
> > SPF would never work if not there, right?
> > Note that it does work, but not always.
> >
> > I have never see it fail from calling the spamassassin form the command
> > line, just as spamd.
> > It has enough permission for spamd to read it.
> >
> > Could it be that it happens because of some timeout issue, network issue
> > (timeout) or not enough spamd children available makes it skips some
> > tests? Or something like this?
> 
> SPF requires one (or more) DNS lookups, so there's always the possbility
> of network timeouts.


wouldn't this be logged ?

-Raul Dias

Re: SA 3.0.2 - SQL User Preferences failing for all but required_score

[Michael Parker]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

JamesDR wrote:

> Kevin Marvin wrote:
>
>> HELP! I cant get this figured out for the life of me. Here is
>> what I have...
>>
>> I have SA 3.0.2, using a Postgres database to store user
>> preferences. When I run a test instance and pass a test message
>> to it (using spamc and spamd) and the blacklist_from entries
>> never get read...
>>
>> Here is my local.cf:
>>

>>
>>
>> user_scores_dsn DBI:Pg:dbname=exim;host=localhost
>> user_scores_sql_username spam user_scores_sql_password
>> pass
>>
>> user_scores_sql_custom_query SELECT preference, value FROM
>> userpref WHERE username = _USERNAME_ OR username = '$GLOBAL' OR
>> username = '%'||_DOMAIN_ ORDER BY username ASC
>
>
>  Almost there :-D
>
> allow_user_rules 1
>
>
WHOA!!!

No.  Please do not spread this sort of advice around.  There are VERY
VERY FEW reasons to use allow_user_rules in SpamAssassin.  It is not
needed at all in this case.

For folks running with allow_user_rules turned on I encourage you to
evaluate why you are doing so.  It opens you up to all sort of
security risks and performance problems, and 99.9% of the time not
necessary.

Michael
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCpebwG4km+uS4gOIRAskOAKCYVDKCJUmyQSrR5nSDmOCBO7XZFgCeMiMg
29J7RVzuuJ5OCG2FzDe6tiE=
=dDUg
-END PGP SIGNATURE-

Re: SA 3.0.2 - SQL User Preferences failing for all but required_score

[JamesDR]

JamesDR wrote:

Kevin Marvin wrote:


Sorry list,
Michael set me straight on allow_user_rules :-D

--
Thanks,
James

Pb with attachment removed from email

[WEISS Alexandre]

Hi

Sometimes, don't know exactly when... When people receive email through our
mail mta Linux Redhat AS 3.0 Taroon update 3 2.4.21-27.0.2.ELsmp (Postfix +
Trend(IMSS 5.5) + SA 3.0.3 then third party mail server with attachment of
about 2Mo, the attachment is "destroyed" when passed over spamassassin scan.
Here is a log sample. You can see original mail size :
from=, size=2295839, nrcpt=1 (queue active)
to=, relay=localhost[127.0.0.1], delay=6, status=sent (250 Ok:
queued as 2353F73545) ---> Trend Filter IMSS 5.5
from=, size=2296058, nrcpt=1 (queue active)
from=, size=2381, nrcpt=1 (queue active)

After passing through SA, the email size is about 2381 instead of 2295839
I know that SA bypass scan of email >250ko but i think mail is "look at" just
to check size and then directly forwarded to the next transport.

Perhaps i'm wrong and there is no pipe is mail is >250k

I've check antivirus log and the transaction went ok

The result is that le recipient receive the email but with no trace of the
attachment
Last time, it was with a pdf file 2Mo
Help would be very appreciated !

Alex

Re: SA 3.0.2 - SQL User Preferences failing for all but required_score

[JamesDR]

Kevin Marvin wrote:

HELP!  I cant get this figured out for the life of me.  Here is what I
have...

I have SA 3.0.2, using a Postgres database to store user preferences.  When
I run a test instance and pass a test message to it (using spamc and spamd)
and the blacklist_from entries never get read...

Here is my local.cf:

user_scores_dsn DBI:Pg:dbname=exim;host=localhost
user_scores_sql_usernamespam
user_scores_sql_passwordpass

user_scores_sql_custom_querySELECT preference, value FROM userpref WHERE
username = _USERNAME_ OR username = '$GLOBAL' OR username = '%'||_DOMAIN_
ORDER BY username ASC



Almost there :-D

allow_user_rules1


--
Thanks,
James

Re: SA 3.0.2 - SQL User Preferences failing for all but required_score

[Kevin Marvin]

You, sir, are a GENIUS!

That fixed it perfectly.  Thank you very much!  Name the brand of e-beer and
I will send it your way.


- Kevin

On 6/7/05 1:00 PM, "Michael Parker" <[EMAIL PROTECTED]> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Kevin Marvin wrote:
> 
>> spamd -x -q -C /etc/mail/test/ --siteconfigpath=/etc/mail/test -p
> 
> Are you sure you mean -C /etc/mail/test/? Normally that would be
> something like /usr/share/spamassassin, which is where all of the
> default .cf/rules files are installed.
> 
> Michael
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.2.4 (Darwin)
> 
> iD8DBQFCpeCuG4km+uS4gOIRAuGxAJ0XcBwPgNbNcqgEwayQZG9B2BYUkACfZ8y3
> gQrAkc9U1RXDi72hN3FUXkM=
> =MVGs
> -END PGP SIGNATURE-
> 

Re: SA 3.0.2 - SQL User Preferences failing for all but required_score

[Michael Parker]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Kevin Marvin wrote:

> spamd -x -q -C /etc/mail/test/ --siteconfigpath=/etc/mail/test -p

Are you sure you mean -C /etc/mail/test/? Normally that would be
something like /usr/share/spamassassin, which is where all of the
default .cf/rules files are installed.

Michael
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCpeCuG4km+uS4gOIRAuGxAJ0XcBwPgNbNcqgEwayQZG9B2BYUkACfZ8y3
gQrAkc9U1RXDi72hN3FUXkM=
=MVGs
-END PGP SIGNATURE-

Re: SA 3.0.2 - SQL User Preferences failing for all but required_score

[Kevin Marvin]

Ok..

   preference| value
-+
 required_score  | 4.0
 blacklist_from  | [EMAIL PROTECTED]
 blacklist_from  | [EMAIL PROTECTED]
 score USER_IN_BLACKLIST | 100
 required_score  | 3.0
 report_safe | 0
 use_razor2  | 1
 use_pyzor   | 1
 use_dcc | 1
 score USER_IN_WHITELIST | -10

Now the run produces...

(spamd)
spamd -x -q -C /etc/mail/test/ --siteconfigpath=/etc/mail/test -p
9898 -D
trying to connect to syslog/unix...
no error connecting to syslog/unix
logging enabled:
facility: mail
socket:   unix
output:   syslog
creating INET socket:
Listen: 128
LocalAddr: 127.0.0.1
LocalPort: 9898
Proto: 6
ReuseAddr: 1
Type: 1
debug: SpamAssassin version 3.0.2
debug: Score set 0 chosen.
debug: Storable module v2.13 found
debug: Preloading modules with HOME=/tmp/spamd-31429-init
debug: ignore: test message to precompile patterns and load modules
debug: using "/etc/mail/test/init.pre" for site rules init.pre
debug: config: read file /etc/mail/test/init.pre
debug: using "/etc/mail/test" for default rules dir
debug: config: read file /etc/mail/test/local.cf
debug: using "/etc/mail/test" for site rules dir
debug: config: read file /etc/mail/test/local.cf
debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered
Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x91dcb14)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered
Mail::SpamAssassin::Plugin::Hashcash=HASH(0x91f8550)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x920cce4)
debug: bayes: no dbs present, cannot tie DB R/O:
/tmp/spamd-31429-init/.spamassassi
n/bayes_toks
debug: Score set 1 chosen.
debug:  MIME PARSER START 
debug: main message type: text/plain
debug: parsing normal part
debug: added part, type: text/plain
debug:  MIME PARSER END 
debug: bayes: no dbs present, cannot tie DB R/O:
/tmp/spamd-31429-init/.spamassassi
n/bayes_toks
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x91dcb14)
implements 'par
sed_metadata'
debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.48
debug: trying (3) linux.org...
debug: looking up NS for 'linux.org'
debug: NS lookup of linux.org succeeded => Dns available (set dns_available
to hard
code)
debug: is DNS available? 1
debug: decoding: no encoding detected
debug: URIDNSBL: domains to query:
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x91dcb14)
implements 'che
ck_post_dnsbl'
debug: is spam? score=0 required=5
debug: tests=
debug: subtests=
server started on port 9898/tcp (running version 3.0.2)
logmsg: server started on port 9898/tcp (running version 3.0.2)
logmsg: server successfully spawned child process, pid 31431
logmsg: server successfully spawned child process, pid 31432
logmsg: server successfully spawned child process, pid 31433
logmsg: server successfully spawned child process, pid 31435
logmsg: server successfully spawned child process, pid 31436
server pid: 31429
logmsg: connection from Safe02 [127.0.0.1] at port 51427
debug: Conf::SQL: executing SQL: SELECT preference, value FROM userpref
WHERE usern
ame = '[EMAIL PROTECTED]' OR username = '$GLOBAL' OR username =
'%'||'architel.com
' ORDER BY username ASC, prefid ASC
debug: retrieving prefs for [EMAIL PROTECTED] from SQL server
debug: user has changed
debug: bayes: 31431 tie-ing to DB file R/O
/usr/exim/.spamassassin/bayes_toks
debug: bayes: 31431 tie-ing to DB file R/O
/usr/exim/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200
debug: bayes: 31431 untie-ing
debug: bayes: 31431 untie-ing db_toks
debug: bayes: 31431 untie-ing db_seen
debug: Score set 1 chosen.
logmsg: processing message (unknown) for [EMAIL PROTECTED]:501.
debug: bayes: 31431 tie-ing to DB file R/O
/usr/exim/.spamassassin/bayes_toks
debug: bayes: 31431 tie-ing to DB file R/O
/usr/exim/.spamassassin/bayes_seen
debug: bayes: found bayes db version 3
debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200
debug: bayes: 31431 untie-ing
debug: bayes: 31431 untie-ing db_toks
debug: bayes: 31431 untie-ing db_seen
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:
debug:  MIME PARSER START 
debug: main message type: text/plain
debug: parsing normal part
debug: added part, type: text/plain
debug:  MIME PARSER END 
debug: decoding: no encoding detected
debug: URIDNSBL: domains to query:
debug: auto-learn: currently using scoreset 1.
debug: auto-learn: message score: 0, computed score for autolearn: 0
debug: auto-learn? ham=0.1, spam=12, body-points

Re: SA 3.0.2 - SQL User Preferences failing for all but required_score

[Michael Parker]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Kevin Marvin wrote:

> preference | value
> -+ required_score
> | 4.0 blacklist_from | [EMAIL PROTECTED]
> blacklist_from | [EMAIL PROTECTED] score USER_IN_BLACKLIST |
> 100 required_score | 3.0 report_safe | 0
> use_razor2 | 1 use_pyzor | 1 use_dcc
> | 1 score USER_IN_WHITELIST | -10 use_auto_whitelist | 0
>

I'm not sure if this is it, and I don't have time to test it and see,
but it might be the fact that you've got the use_auto_whitelist there
which is admin only, and only allowed in a .cf file.  Try removing
that and see if it helps.

Michael
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCpd53G4km+uS4gOIRAgxhAJ4tC0i4IxAMWin38mOQ8h3mXy6xawCaA1Du
VxMoh/jZTugWVNIexAurj24=
=HcDs
-END PGP SIGNATURE-

Re: Is SPF working 100%? Problems with hotmail.com

[David B Funk]

On Tue, 7 Jun 2005, Raul Dias wrote:

> SPF would never work if not there, right?
> Note that it does work, but not always.
>
> I have never see it fail from calling the spamassassin form the command
> line, just as spamd.
> It has enough permission for spamd to read it.
>
> Could it be that it happens because of some timeout issue, network issue
> (timeout) or not enough spamd children available makes it skips some
> tests? Or something like this?

SPF requires one (or more) DNS lookups, so there's always the possbility
of network timeouts.



-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: SA 3.0.2 - SQL User Preferences failing for all but required_score

[Kevin Marvin]

   preference| value
-+
 required_score  | 4.0
 blacklist_from  | [EMAIL PROTECTED]
 blacklist_from  | [EMAIL PROTECTED]
 score USER_IN_BLACKLIST | 100
 required_score  | 3.0
 report_safe | 0
 use_razor2  | 1
 use_pyzor   | 1
 use_dcc | 1
 score USER_IN_WHITELIST | -10
 use_auto_whitelist  | 0



On 6/7/05 12:43 PM, "Michael Parker" <[EMAIL PROTECTED]> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Kevin Marvin wrote:
> 
>> debug: Conf::SQL: executing SQL: SELECT preference, value FROM
>> userpref WHERE username = '[EMAIL PROTECTED]' OR username =
>> '$GLOBAL' OR username = '%'||'architel.com' ORDER BY username ASC
> 
> If you run the query above in psql what does it give you?
> 
> Michael
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.2.4 (Darwin)
> 
> iD8DBQFCpdzaG4km+uS4gOIRAga/AJ44VjU53w8kEuz7PQlOsnpol4n6ZgCcDUIT
> U461nxACyJjw0oblKxEeQeo=
> =6tGG
> -END PGP SIGNATURE-
> 

Re: SA 3.0.2 - SQL User Preferences failing for all but required_score

[Michael Parker]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Kevin Marvin wrote:

> debug: Conf::SQL: executing SQL: SELECT preference, value FROM
> userpref WHERE username = '[EMAIL PROTECTED]' OR username =
> '$GLOBAL' OR username = '%'||'architel.com' ORDER BY username ASC

If you run the query above in psql what does it give you?

Michael
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCpdzaG4km+uS4gOIRAga/AJ44VjU53w8kEuz7PQlOsnpol4n6ZgCcDUIT
U461nxACyJjw0oblKxEeQeo=
=6tGG
-END PGP SIGNATURE-

SA 3.0.2 - SQL User Preferences failing for all but required_score

[Kevin Marvin]

HELP!  I cant get this figured out for the life of me.  Here is what I
have...

I have SA 3.0.2, using a Postgres database to store user preferences.  When
I run a test instance and pass a test message to it (using spamc and spamd)
and the blacklist_from entries never get read...

Here is my local.cf:

user_scores_dsn DBI:Pg:dbname=exim;host=localhost
user_scores_sql_usernamespam
user_scores_sql_passwordpass

user_scores_sql_custom_querySELECT preference, value FROM userpref WHERE
username = _USERNAME_ OR username = '$GLOBAL' OR username = '%'||_DOMAIN_
ORDER BY username ASC

#  

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]


# Default template. Try to keep it under 78 columns (inside the the dots
below).
#  

clear_report_template
report Spam detection software, running on the system "_HOSTNAME_", has
report processed this incoming email If you have any questions, see
report _CONTACTADDRESS_ for details.
report 
report Content analysis details:   (_SCORE_ points)
report
report " pts rule name  description"
report   --
--
report _SUMMARY_
#  



This file, along with a duplicate of the other files in my
/etc/mail/spamassassin folder are stored in /etc/mail/test.  I run the
following as the test server:

 spamd -x -q -D -C /etc/mail/test --siteconfigpath=/etc/mail/test  -p 9898

And this for the test client:

spamc -d localhost -p 9898 -u [EMAIL PROTECTED] < mb2


Here are the contents of mb2

>From [EMAIL PROTECTED]  Wed Feb  2 10:10:15 2005
Return-Path: <[EMAIL PROTECTED]>
X-Originating-IP: [66.194.13.227]
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
From: "Kevin Marvin" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Test Message from CLI
Date: Wed, 02 Feb 2005 16:09:21 +
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 02 Feb 2005 16:10:02.0339 (UTC)
FILETIME=[A6A6A330:01C50941]



This is a test / demo message.  It should / should not get tagged based on
the SQL settings.  I used this message from another mailbox as a template
for the header content.

- Kevin



And here is the log from the server...


logmsg: connection from Safe02 [127.0.0.1] at port 35842
debug: Conf::SQL: executing SQL: SELECT preference, value FROM userpref
WHERE username = '[EMAIL PROTECTED]' OR username = '$GLOBAL' OR username =
'%'||'architel.com' ORDER BY username ASC
debug: retrieving prefs for [EMAIL PROTECTED] from SQL server
debug: user has changed
debug: bayes: no dbs present, cannot tie DB R/O:
/usr/exim/.spamassassin/bayes_toks
debug: Score set 1 chosen.
logmsg: processing message (unknown) for [EMAIL PROTECTED]:501.
debug: bayes: no dbs present, cannot tie DB R/O:
/usr/exim/.spamassassin/bayes_toks
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:
debug:  MIME PARSER START 
debug: main message type: text/plain
debug: parsing normal part
debug: added part, type: text/plain
debug:  MIME PARSER END 
debug: decoding: no encoding detected
debug: URIDNSBL: domains to query:
debug: Running tests for priority: 0
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running uri tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=0
debug: running full-text regexp tests; score so far=0
debug: Running tests for priority: 500
debug: running meta tests; score so far=0
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running uri tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=0
debug: running full-text regexp tests; score so far=0
debug: auto-learn: currently using scoreset 1.
deb

Re: Running SA on mail gateway and mail server

[JamesDR]

Paul Porter wrote:

Hello,

I have just installed a mail gateway box to soften the load on our 
internal mail server. Both servers are running SpamAssassin (details 
below) and I noticed that the internal mail server is scanning messages 
from our mail gateway eventhough they have already been scanned and 
marked up.


Is there a way to tell SpamAssassin on our internal mail server to not 
rescan mail which is already marked up?


Here are the details:

Mail Gateway: SpamAssassin 3.0.1 and Postfix on RedHat Enterprise Linux 4

Mail Server:  FreeBSD 4.10 box running Postfix, SpamAssassin 2.63, and 
ClamAV (via Amavis).


Thanks,

Paul




Yes, check the archives for the answer. I'm not a postfix/amavis person, 
but i've seen this asked many times and there have been many good solutions.

HTH
--
Thanks,
James

Running SA on mail gateway and mail server

[Paul Porter]

Hello,

I have just installed a mail gateway box to soften the load on our 
internal mail server. Both servers are running SpamAssassin (details 
below) and I noticed that the internal mail server is scanning messages 
from our mail gateway eventhough they have already been scanned and 
marked up.


Is there a way to tell SpamAssassin on our internal mail server to not 
rescan mail which is already marked up?


Here are the details:

Mail Gateway: SpamAssassin 3.0.1 and Postfix on RedHat Enterprise Linux 4

Mail Server:  FreeBSD 4.10 box running Postfix, SpamAssassin 2.63, and 
ClamAV (via Amavis).


Thanks,

Paul

Re: uridnsbl only spamhaus in 3.0.4 ?

[Niek]

On 6/7/2005 6:13 PM +0200, Theo Van Dinter wrote:

The debug output specified what happened.  The domains were all in the
skip list, and SURBL and such doesn't have IPs looked up.  SBL does do
IPs, so it was queried.


debug: uri found: http://pics.ebaystatic.com/aw/pics/x.gif
debug: uri found: http://pics.ebaystatic.com/aw/pics/spacer.gif
debug: uri found: http://pages.ebay.com/help/community/png-priv.html
debug: uri found: http://cgi4.ebay.com/ws1/eBayISAPI.dll?OptinLoginShow
debug: uri found: http://pages.ebay.com/help/account_protection.html
debug: uri found: http://212.203.31.2/.a/.a/Aw-Confirm/update/login/login.html
debug: uri found: 
http://signin.ebay.com/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US
debug: uri found: 
http://pics.ebaystatic.com/aw/pics/aboutme/v3/ebay_logo_39x18.gif
debug: URIDNSBL: found domain ebaystatic.com in skip list
debug: URIDNSBL: found domain ebaystatic.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebaystatic.com in skip list
debug: URIDNSBL: domains to query: 212.203.31.2

It wants to query the domain: 212.203.31.2
It does so here:

debug: URIDNSBL: query for 212.203.31.2 took 1 seconds to look up 
(sbl.spamhaus.org.:2.31.203.212)
debug: URIDNSBL: queries completed: 1 started: 0
debug: URIDNSBL: queries active:  at Tue Jun  7 18:10:32 2005

So, why is URIDNSBL only asking sbl.spamhaus.org ?
If i replace that ip with 127.0.0.2, spamassassin tells me this:
*  0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
*  [URIs: 127.0.0.2]

So it does work, but only for sbl.spamhaus.org.
This is the odd thing, because in 25_uribl.cf all the surbl.org's are enabled 
too.
And in local.cf I added multi.uribl.com as well. Those are not queried.

It only does this with IPs. Urls are checked against all the uridnsbl's.

Niek Baakman

Re: debug output to file?

[David B Funk]

On Tue, 7 Jun 2005, Bob McClure Jr wrote:

> On Tue, Jun 07, 2005 at 10:42:07AM -0400, Mike Schrauder wrote:
> > pardon my complete unix ignorance, I have been trying to figure
> > out how to get debug output to a file so I can go back and look
[snip..]
> > i've also tried  spamassassin -D -t < test2.txt > test2.out | more
> > just so I could look, but that doesn't work.  Can you give a
> > windows user a clue?  TIA
>
>   spamassassin -D -t < test2.txt > test2.out 2> dbug.out
>
> 2 is the file handle for stderr.

Other trick, if you want stdout & stderr to go into the same file
use:
spamassassin -D -t < test2.txt > test2.out 2>&1

The syntax '2>' says work on file handle #2, the '>&1' says
make it go to the same place that file handle #1 (usually stdout)
has been routed to.

So if you wanted it all to go into a pipe (so that you can feed it
to 'grep', 'more' or some other utility) use:

  spamassassin -D -t < test2.txt 2>&1 | more

While we're at tricks, if you want to test a particular rule, try:

  spamassassin -t -D rulesrun=255 < test2.txt test2.out 2>&1

The '-D rulesrun=255' option says show the processing of all rules
as they hit if they have a non-zero score. Only issue with this is
that the '__RULE' syntax (for creating meta-rules) have no score and
so don't show. If debugging such critters, change them to '_T_RULE'
names, those have a small but non-zero score and thus show.

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

HELP Bayes not running

[John Fleming]

X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham
version=3.0.3

Shouldn't I have a Bayes entry for every mail?  I've never really had any 
issues with Bayes - It's always worked, and worked well for me.  I use 
Postfix and call spamc using procmail, so the setup is very simple.


I just happened to notice today that none of my emails have a Bayes score in 
the Status.  I ran -D --lint and this did successfully do a Bayes rating.


I also notice that they all say "tests=none".

Any ideas?  Tell me details if you need more specifics.  I have restarted 
SpamAssassin without effect.


THANKS - John

RE: debug output to file?

[Mike Schrauder]

thanks to all

>& test.debug spamassassin -D -t < test.txt > test.out
AND
spamassassin -D -t < test.txt > test.out 2> test.debug

both do exactly what I need.  Thanks!

> -Original Message-
> From: Bob McClure Jr [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, June 07, 2005 10:53 AM
> To: users@spamassassin.apache.org
> Subject: Re: debug output to file?
> 
> On Tue, Jun 07, 2005 at 10:42:07AM -0400, Mike Schrauder wrote:
> > pardon my complete unix ignorance, I have been trying to figure out 
> > how to get debug output to a file so I can go back and look 
> at it. I 
> > also want to look at the marked up email w/ report so I am 
> using this:
> > 
> >  spamassassin -D -t < test2.txt > test2.out
> > 
> > How could I also redirect the debug output to a file.
> > 
> > i've also tried  spamassassin -D -t < test2.txt > test2.out | more 
> > just so I could look, but that doesn't work.  Can you give 
> a windows 
> > user a clue?  TIA
> 
>   spamassassin -D -t < test2.txt > test2.out 2> dbug.out
> 
> 2 is the file handle for stderr.
> 
> > Mike Schrauder
> > Specialty Blades, Inc.
> 
> Cheers,
> -- 
> Bob McClure, Jr. Bobcat Open Systems, Inc.
> [EMAIL PROTECTED]  http://www.bobcatos.com God is 
> more interested in our availability than our ability.
> 
> 

Re: Question about SPF checks

[Matt Kettler]

Ronny Nussbaum wrote:
> Hello,
> I've tried to find an answer to this, but couldn't.
>  
> I'm using SA 3.0.3, invoked by Amavisd-New (latest version), on Fedora
> Core 3.
>  
> I've installed the Mail::SPF::Query module, and it works fine.
>  
> My question is, how can I disable it from being used by SA?
>  
> I'm looking for another way besides giving the value of zero to all SPF
> tests in my local.cf .
> In a way, I want to "uninstall" it, so that SA is not even aware of it.

Remove the SPF plugin from your init.pre

This is the line you want to comment out:
loadplugin Mail::SpamAssassin::Plugin::SPF

Re: Question about SPF checks

[alan premselaar]

Ronny Nussbaum wrote:

Hello,
I've tried to find an answer to this, but couldn't.
 
I'm using SA 3.0.3, invoked by Amavisd-New (latest version), on Fedora 
Core 3.
 
I've installed the Mail::SPF::Query module, and it works fine.
 
My question is, how can I disable it from being used by SA?
 
I'm looking for another way besides giving the value of zero to all SPF 
tests in my local.cf .

In a way, I want to "uninstall" it, so that SA is not even aware of it.
 
Thanks
 
-RoNNY


Ronny,

 you should be able to comment out the loadplugin line for SPF in the 
init.pre file (in /etc/mail/spamassassin on my installation)


Alan

Re: uridnsbl only spamhaus in 3.0.4 ?

[Theo Van Dinter]

On Tue, Jun 07, 2005 at 06:11:18PM +0200, Niek wrote:
> On 6/7/2005 5:39 PM +0200, Chris Santerre wrote:
> >URIBL has not officially requested to be included yet. We are doing some
> >behind the scenes beef ups. Our front end seems to be ever improving. :) 
> 
> I know, but that doesn't matter in this case.
> The ip listed in multi.surbl.org too, but SA seems to be checking
> spamhaus only.

The debug output specified what happened.  The domains were all in the
skip list, and SURBL and such doesn't have IPs looked up.  SBL does do
IPs, so it was queried.

-- 
Randomly Generated Tagline:
"And just what is "UNIX' single point of failure," anyway?" Should we infer
 then that Windows is better because it offers multiple points of failure?"
 - David Wollmann from Linux Today


pgpcHPviSQ4fy.pgp
Description: PGP signature

Re: uridnsbl only spamhaus in 3.0.4 ?

[Niek]

On 6/7/2005 5:39 PM +0200, Chris Santerre wrote:

URIBL has not officially requested to be included yet. We are doing some
behind the scenes beef ups. Our front end seems to be ever improving. :) 


I know, but that doesn't matter in this case.
The ip listed in multi.surbl.org too, but SA seems to be checking
spamhaus only.

Niek Baakman

Question about SPF checks

[Ronny Nussbaum]

Hello,
I've tried to find an answer to this, but couldn't.
 
I'm using SA 3.0.3, invoked by Amavisd-New (latest version), on Fedora Core 3.
 
I've installed the Mail::SPF::Query module, and it works fine.
 
My question is, how can I disable it from being used by SA?
 
I'm looking for another way besides giving the value of zero to all SPF tests in my local.cf.
In a way, I want to "uninstall" it, so that SA is not even aware of it.
 
Thanks
 
-RoNNY

Re: debug output to file?

[Bob McClure Jr]

On Tue, Jun 07, 2005 at 10:42:07AM -0400, Mike Schrauder wrote:
> pardon my complete unix ignorance, I have been trying to figure
> out how to get debug output to a file so I can go back and look
> at it. I also want to look at the marked up email w/ report so
> I am using this:
> 
>  spamassassin -D -t < test2.txt > test2.out
> 
> How could I also redirect the debug output to a file.
> 
> i've also tried  spamassassin -D -t < test2.txt > test2.out | more 
> just so I could look, but that doesn't work.  Can you give a
> windows user a clue?  TIA

  spamassassin -D -t < test2.txt > test2.out 2> dbug.out

2 is the file handle for stderr.

> Mike Schrauder
> Specialty Blades, Inc.

Cheers,
-- 
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED]  http://www.bobcatos.com
God is more interested in our availability than our ability.

RE: uridnsbl only spamhaus in 3.0.4 ?

[Chris Santerre]

>-Original Message-
>From: Niek [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, June 07, 2005 10:48 AM
>To: users@spamassassin.apache.org
>Subject: uridnsbl only spamhaus in 3.0.4 ?
>
>
>Hi,
>
>I just downgraded from a svn version to 3.0.4

*snip*

>
>And that's it, no surbl.org or uribl.com lookups.
>At the time of writing this email, the ip was listed in 
>multi.uribl.com.
>
>Is anyone else seeing this too, or is it just me ?
>
>Niek Baakman

URIBL has not officially requested to be included yet. We are doing some
behind the scenes beef ups. Our front end seems to be ever improving. :) 

IMHO, I think we will be in the next release.  (Doesn't mean you can't use
it now...s.)

*cough*
>OVERALL%   SPAM% HAM% S/ORANK   SCORE  NAME
>  2620823081 31270.881   0.000.00  (all messages)
>100.000  88.0685  11.93150.881   0.000.00  (all messages as %)
> 65.949  74.8754   0.06400.999   1.003.00  URIBL_BLACK
*cough*

And I've sinced removed the FP that was hit ;)

(Thank you again, little birdy who gave me that data!)

Chris Santerre 
System Admin and SARE/URIBL Ninja
http://www.rulesemporium.com 
http://www.uribl.com

Re: Would a normalization plugin make sense?

[Loren Wilton]

> Would this make sense? Can this be included into spamassassin, or
> are the current internals structured in way that makes the introduction
> of such plugins hard/impossible?

The concept of normalization has been discussed under various names over
time.  My personal impression is nobody really knows if this would help,
hurt, or be a waste of time.  Although you will certainly find enough
opinions one way or the other.

I suspect that you could do this as a plugin, but I also suspect you would
have to take ugly liberties with the internal data storage in SA.  For
instance, I suspect (but do not know) that plugins are probably not supposed
to modify the mail text.  You could certainly do something like this by
patching permsgstatus.pm.

If this is an idea that interests you enough to work on it, I personally
would suggest you grab the ball and run with it -- find out if this really
helps or not.  It doesn't much matter how you get code working to test your
conclusion.  If the results are wonderful and the code is ugly beyond belief
I'm sure someone will be willing to rewrite as needed.  If the results
aren't any good, then the code won't matter much anyway.  ;-)

Loren

RE: debug output to file?

[Jon Dossey]

> pardon my complete unix ignorance, I have been trying to figure
> out how to get debug output to a file so I can go back and look
> at it. I also want to look at the marked up email w/ report so
> I am using this:
> 
>  spamassassin -D -t < test2.txt > test2.out
> 
> How could I also redirect the debug output to a file.
> 
> i've also tried  spamassassin -D -t < test2.txt > test2.out | more
> just so I could look, but that doesn't work.  Can you give a
> windows user a clue?  TIA
> 
> Mike Schrauder
> Specialty Blades, Inc.
> 

Or, if you wanted to watch, just skip the -D (daemonize option).  It'll
just sit in the foreground and you can watch it do its thing.  


.jon

Re: this receive line only in spam?

[Loren Wilton]

> But I'm not so sure yet so my question is do you know of any HAM that uses
> receive lines like this?

Not sure, but running some mass-checks now to see.

Loren

RE: debug output to file?

[Kristopher Austin]

Spamassassin -D -t test2.out would work.  In *nix
environments you just choose the level by putting the number in front of
the redirect.

This should help you get up to speed on Linux I/O redirection:
http://www.cpqlinux.com/redirect.html

Kris

-Original Message-
From: Mike Schrauder [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 07, 2005 9:42 AM
To: users@spamassassin.apache.org
Subject: debug output to file?

pardon my complete unix ignorance, I have been trying to figure
out how to get debug output to a file so I can go back and look
at it. I also want to look at the marked up email w/ report so
I am using this:

 spamassassin -D -t < test2.txt > test2.out

How could I also redirect the debug output to a file.

i've also tried  spamassassin -D -t < test2.txt > test2.out | more 
just so I could look, but that doesn't work.  Can you give a
windows user a clue?  TIA

Mike Schrauder
Specialty Blades, Inc.

RE: Would a normalization plugin make sense?

[Sven Riedel]

> Or one could do like Theo, and strip all HTML content from 
> the emails. :)
Or do that. I'd love to do that. But unfortunately, some users
actually like html mails. No accounting for taste :)

> The problem with the normalization, is like anything else. 
> One mans ham,
> anothers spam. Repetitive letters show up in item codes, code 
> snippets,
> fubar'd uuencoding, ect...
> 
> It would also void out a lot of pre-exhisting rules that look 
> for some of
> these filter bypassing codes. 

Which is why I suggested introducing a  different code class.

So "body", "rawbody", "full", "header", "uri" scan the regular 
mail, but "normalbody" scans the normalized mail.

> I always try to turn their attempts to bypass, into spam flags. 
True, but with viiagraa, ciia-liis etc., you either get to write
new rules every other day or write rather expensive ones.

And in an international organization (not that I am, but just for
arguments sake), can you sleep well awarding 
body /\bv.{0,3}i.{0,3}a.{0,3}g.{0,3}r.{0,3}a\b/i a score of 5.0 if some
portugese, burmese or danish word would match that pattern as well?
:)

Regs,
Sven

uridnsbl only spamhaus in 3.0.4 ?

[Niek]

Hi,

I just downgraded from a svn version to 3.0.4
I've noticed SA only utilized spamhaus for uridnsbl's.
I check my /usr/share/spamassassin/25_uribl.cf it has all the surbl.org
zones listed + I enabled multi.uribl.com in local.cf.

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL is turn on in init.pre.
Here's the relevant section of spamassassin -D:

debug: URIDNSBL: found domain ebaystatic.com in skip list
debug: URIDNSBL: found domain ebaystatic.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebay.com in skip list
debug: URIDNSBL: found domain ebaystatic.com in skip list
debug: URIDNSBL: domains to query: 212.203.31.2

debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x84f7de0) implements 
'check_tick'
debug: URIDNSBL: query for 212.203.31.2 took 0 seconds to look up 
(sbl.spamhaus.org.:2.31.203.212)
debug: URIDNSBL: queries completed: 1 started: 0
debug: URIDNSBL: queries active:  at Tue Jun  7 16:42:30 2005

And that's it, no surbl.org or uribl.com lookups.
At the time of writing this email, the ip was listed in multi.uribl.com.

Is anyone else seeing this too, or is it just me ?

Niek Baakman

RE: debug output to file?

[Thomas Deaton]

>&test2.out spamassassin -D.

-Original Message-
From: Mike Schrauder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 07, 2005 10:42 AM
To: users@spamassassin.apache.org
Subject: debug output to file?


pardon my complete unix ignorance, I have been trying to figure
out how to get debug output to a file so I can go back and look
at it. I also want to look at the marked up email w/ report so
I am using this:

 spamassassin -D -t < test2.txt > test2.out

How could I also redirect the debug output to a file.

i've also tried  spamassassin -D -t < test2.txt > test2.out | more 
just so I could look, but that doesn't work.  Can you give a
windows user a clue?  TIA

Mike Schrauder
Specialty Blades, Inc.



E-mail correspondence to and from this address may be subject to the 
North Carolina Public Records Law and may be disclosed to third parties by an
authorized county official. If you have received this communication in 
error , please do not distribute it. Please notify the sender by E-mail 
at the address shown and delete the original message.

Thank you

debug output to file?

[Mike Schrauder]

pardon my complete unix ignorance, I have been trying to figure
out how to get debug output to a file so I can go back and look
at it. I also want to look at the marked up email w/ report so
I am using this:

 spamassassin -D -t < test2.txt > test2.out

How could I also redirect the debug output to a file.

i've also tried  spamassassin -D -t < test2.txt > test2.out | more 
just so I could look, but that doesn't work.  Can you give a
windows user a clue?  TIA

Mike Schrauder
Specialty Blades, Inc.

Re: Anyone seeing Account closed emails ?

[Kris Deugau]

Vivek Khera wrote:
> and the idiot mail system that did such neutering should be banned
> from the earth.  there's absolutely no reason to strip a virus from
> an email then let the rest of the message through.

Actually, it's occasionally the virus itself that misfires and forgets
to attach a copy of itself.I've seen those coming from infected
customer systems to other customer accounts - no outside systems
involved, so I'm certain the virus wasn't just stripped off by our virus
scan.

I *DID*, however, find a customer once that managed to get infected with
a VBscript virus that attached itself to LEGITIMATE email.  They were
upset because their mail didn't seem to be getting through.

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!

RE: Would a normalization plugin make sense?

[Chris Santerre]

>-Original Message-
>From: Sven Riedel [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, June 07, 2005 8:58 AM
>To: users@spamassassin.apache.org
>Subject: Would a normalization plugin make sense?
>
>
>Hi,
>since a lot of spam nowadays tries to get past the filters
>by multiplying random letters, wouldn't it make sense to
>introduce normalization plugins to spamassassin?
>
>These would run over the mail once before the actual scanning
>starts, and perform transformations on the decoded mail body.
>
>Some functions I could think of off of the  top of my head would
>be:
>- reducing multiple consecutive letter instances to one occurance
>of the given letter
>
>- Transforming html-entities to their given roman letter equivalent
>
>- removing all non-alphanumericals from the mail body
>
>This would require a new new rule calls (e.g. normalbody), to avoid
>breaking existing rulesets.
>
>Would this make sense? Can this be included into spamassassin, or 
>are the current internals structured in way that makes the introduction
>of such plugins hard/impossible?

Or one could do like Theo, and strip all HTML content from the emails. :)
If I didn't have such retarded starfish here, I would do it. 

The problem with the normalization, is like anything else. One mans ham,
anothers spam. Repetitive letters show up in item codes, code snippets,
fubar'd uuencoding, ect...

It would also void out a lot of pre-exhisting rules that look for some of
these filter bypassing codes. 

I always try to turn their attempts to bypass, into spam flags. 

Chris Santerre 
System Admin and SARE/URIBL Ninja
http://www.rulesemporium.com 
http://www.uribl.com

Re: Disable user verification into spamassassin

[Matt Kettler]

At 09:44 AM 6/7/2005, Phibee Network operation Center wrote:
Ok i thinks that it's qmail-scanner for start with -u ... i put "verbose" 
into the config .. if i put "Fast_SpamAssassin", only -u are removed ?


I don't know, I'm no expert on qmail-scanner.

However, it looks like trying to pass -u is something that qmail-scanner 
always does. 

Re: Disable user verification into spamassassin

[Phibee Network operation Center]

Matt Kettler a écrit :


At 04:13 AM 6/7/2005, Phibee Network operation Center wrote:


Hi

i small question on SPamAssassin 3.0.3:

Jun  7 10:07:07 gw spamd[3329]: connection from gw.srv2.schevingt.org 
[127.0.0.1] at port 45929
Jun  7 10:07:07 gw spamd[3329]: handle_user: unable to find user 
'[EMAIL PROTECTED]'!
Jun  7 10:07:07 gw spamd[3329]: Still running as root: user not 
specified with -u, not found, or set to root.  Fall back to nobody.


For all emails that he receive, he see if i can find the account on 
the localhost, but this is

a relay and he don't have account, he sent to another mail server 

where is the option for he don't search all user into pam ? (i don't 
use personal user rules)




Spamassassin doesn't ever search for users. Period. However, if you 
pass the -u parameter to spamc, it will try to use that user.


So, if you don't want SA to try to setuid to momo.Octopo, don't pass 
that user to spamc -u.




Ok i thinks that it's qmail-scanner for start with -u ... i put 
"verbose" into the config .. if i put "Fast_SpamAssassin", only -u are 
removed ?


thanks



smime.p7s
Description: S/MIME Cryptographic Signature

RE: Disable user verification into spamassassin

[Jon Dossey]

> At 04:13 AM 6/7/2005, Phibee Network operation Center wrote:
> >Hi
> >
> >i small question on SPamAssassin 3.0.3:
> >
> >Jun  7 10:07:07 gw spamd[3329]: connection from gw.srv2.schevingt.org
> >[127.0.0.1] at port 45929
> >Jun  7 10:07:07 gw spamd[3329]: handle_user: unable to find user
> >'[EMAIL PROTECTED]'!
> >Jun  7 10:07:07 gw spamd[3329]: Still running as root: user not
specified
> >with -u, not found, or set to root.  Fall back to nobody.
> >
> >For all emails that he receive, he see if i can find the account on
the
> >localhost, but this is
> >a relay and he don't have account, he sent to another mail server

> >
> >where is the option for he don't search all user into pam ? (i don't
use
> >personal user rules)
> 
> 
> Spamassassin doesn't ever search for users. Period. However, if you
pass
> the -u parameter to spamc, it will try to use that user.
> 
> So, if you don't want SA to try to setuid to momo.Octopo, don't pass
that
> user to spamc -u.
> 

I believe the mailertable contains the answer to all his questions.
Which would make it most definitely not a SA problem, but I'll try and
help.

On top of the missing user, I believe sendmail is attempting to deliver
locally.

What he needs to do, is configure an entry in mailertable (usually
/etc/mail/mailertable).  For example:

#mailer table example(!) entry
Microsoft.com   esmtp:[10.100.10.5]

...would then forward all messages this gateway receives, that are
addressed to (someone)@microsoft.com, to an SMTP server at address
10.100.10.5.  This is similar to the configuration I use to forward mail
from linux email gateways to an exchange server on the LAN.

Don't forget to re-make the mailertable file:
[EMAIL PROTECTED] mail]# makemap hash mailertable.db < mailertable

Hopefully I understood your problem correctly :)

Thanks,
Jon Dossey
DELTA HEALTH GROUP

Re: Disable user verification into spamassassin

[Matt Kettler]

At 04:13 AM 6/7/2005, Phibee Network operation Center wrote:

Hi

i small question on SPamAssassin 3.0.3:

Jun  7 10:07:07 gw spamd[3329]: connection from gw.srv2.schevingt.org 
[127.0.0.1] at port 45929
Jun  7 10:07:07 gw spamd[3329]: handle_user: unable to find user 
'[EMAIL PROTECTED]'!
Jun  7 10:07:07 gw spamd[3329]: Still running as root: user not specified 
with -u, not found, or set to root.  Fall back to nobody.


For all emails that he receive, he see if i can find the account on the 
localhost, but this is

a relay and he don't have account, he sent to another mail server 

where is the option for he don't search all user into pam ? (i don't use 
personal user rules)



Spamassassin doesn't ever search for users. Period. However, if you pass 
the -u parameter to spamc, it will try to use that user.


So, if you don't want SA to try to setuid to momo.Octopo, don't pass that 
user to spamc -u.

Would a normalization plugin make sense?

[Sven Riedel]

Hi,
since a lot of spam nowadays tries to get past the filters
by multiplying random letters, wouldn't it make sense to
introduce normalization plugins to spamassassin?

These would run over the mail once before the actual scanning
starts, and perform transformations on the decoded mail body.

Some functions I could think of off of the  top of my head would
be:
- reducing multiple consecutive letter instances to one occurance
of the given letter

- Transforming html-entities to their given roman letter equivalent

- removing all non-alphanumericals from the mail body

This would require a new new rule calls (e.g. normalbody), to avoid
breaking existing rulesets.

Would this make sense? Can this be included into spamassassin, or 
are the current internals structured in way that makes the introduction
of such plugins hard/impossible?

Regs,
Sven

Re: SpamAssassin 3.0.4 Released

[Theo Van Dinter]

On Tue, Jun 07, 2005 at 09:14:52AM -0400, Theo Van Dinter wrote:
> > http://www.apache.org/dist/spamassassin//Mail-SpamAssassin-3.0.4.tar.bz2.md5
> > http://www.apache.org/dist/spamassassin/source/Mail-SpamAssassin-3.0.4.tar.bz2.md5
> Yes, under source/ is the correct path.  Is there something pointing at the
> parent that needs to be updated?  (I didn't see anything when I looked
> yesterday.)

Of course, after I respond, I find the links you're talking about.  ;)

I just updated them on the website, the new version should be publically
available in the near future after the files sync out.

-- 
Randomly Generated Tagline:
Alone!  I'm alone!  I'm a lonely, insignificant speck on a has-been
 planet orbited by a cold, indifferent sun!
 
-- Homer Simpson
   El Viaje Misterioso de Nuestro Homer


pgp4crI5sxi9d.pgp
Description: PGP signature

Re: SpamAssassin 3.0.4 Released

[Theo Van Dinter]

On Tue, Jun 07, 2005 at 01:07:49PM +0200, Maurice Lucas wrote:
> I'm unable to download/view the gpg/md5/sha1 signature from the website
> eg.
> http://www.apache.org/dist/spamassassin//Mail-SpamAssassin-3.0.4.tar.bz2.md5
> had to be
> http://www.apache.org/dist/spamassassin/source/Mail-SpamAssassin-3.0.4.tar.bz2.md5

Hi,

Yes, under source/ is the correct path.  Is there something pointing at the
parent that needs to be updated?  (I didn't see anything when I looked
yesterday.)

-- 
Randomly Generated Tagline:
See these?  American donuts.  Glazed, powdered, and raspberry-filled.
 Now, how's that for freedom of choice.
 
-- Homer Simpson
   The Crepes of Wrath


pgpyJ045CM6Dp.pgp
Description: PGP signature

Re: Is SPF working 100%? Problems with hotmail.com

[Raul Dias]

On Tue, 2005-06-07 at 09:12 +0200, Niek wrote:
> On 6/6/2005 10:50 PM +0200, Raul Dias wrote:
> > Ok, I findout some stuff here:
> > 
> > 1 - This is not the only message this happens.  Other messages that 
> > should have triggered SPF rules did not.
> > 
> > 2 - This is happening when using spamd.
> > 
> > 3 - When running these messages by hand against spamassassin -D
> > never got a missing SPF rule.
> > 
> > So, for some reason, spamd sometimes skips SPF tests.
> > Is this right?  Would spamd skip some tests for any reason? Load?
> > Network timeout?
> 
> Do you load the spf plugin in init.pre ?
> 
> Niek Baakman

Yes.

$ grep SPF /etc/mail/spamassassin/init.pre
# SPF - perform SPF verification.
loadplugin Mail::SpamAssassin::Plugin::SPF



SPF would never work if not there, right?
Note that it does work, but not always.

I have never see it fail from calling the spamassassin form the command
line, just as spamd.
It has enough permission for spamd to read it.

Could it be that it happens because of some timeout issue, network issue
(timeout) or not enough spamd children available makes it skips some
tests? Or something like this?


Thanks,

Raul Dias

RE: Local.cf settings seem to be ignored

[Proctor, Scott]

Yes multiple times. 

-Original Message-
From: Vinayak Royadu [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 07, 2005 8:38 AM
To: Proctor, Scott
Cc: Matt Kettler; users@spamassassin.apache.org
Subject: RE: Local.cf settings seem to be ignored

On Tue, 2005-06-07 at 17:52, Proctor, Scott wrote:
> There is nothing is the qmail-scanner config file for this nor in the 
> documentation.  The documentation does mention changing your local.cf 
> file.
> 
> Any other ideas?
> 
Did you restart spamd after changing local.cf?

> Thanks!
> 
> Scott
> 
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 06, 2005 2:45 PM
> To: Proctor, Scott
> Cc: users@spamassassin.apache.org
> Subject: Re: Local.cf settings seem to be ignored
> 
> Proctor, Scott wrote:
> > I'm running SA 3.0.3 on RH ES 3.0 acting as a mail gateway with 
> > spamd,
> 
> > qmail & qmail-scanner.  The local.cf contains:
> > required_score 8.0
> 
> I don't think it matters what your local.cf says is your required 
> score, as qmail-scanner has it's own thresholds and does it's own 
> markups. I'm pretty sure it uses SA only for score generation.
> 
> Check your qmail-scanner configuration files.

RE: Local.cf settings seem to be ignored

[Proctor, Scott]

There is nothing is the qmail-scanner config file for this nor in the
documentation.  The documentation does mention changing your local.cf
file.

Any other ideas?

Thanks!

Scott 

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 06, 2005 2:45 PM
To: Proctor, Scott
Cc: users@spamassassin.apache.org
Subject: Re: Local.cf settings seem to be ignored

Proctor, Scott wrote:
> I'm running SA 3.0.3 on RH ES 3.0 acting as a mail gateway with spamd,

> qmail & qmail-scanner.  The local.cf contains:
> required_score 8.0

I don't think it matters what your local.cf says is your required score,
as qmail-scanner has it's own thresholds and does it's own markups. I'm
pretty sure it uses SA only for score generation.

Check your qmail-scanner configuration files.

Re: SpamAssassin 3.0.4 Released

[Maurice Lucas]

Hello,

I'm unable to download/view the gpg/md5/sha1 signature from the website
eg.
http://www.apache.org/dist/spamassassin//Mail-SpamAssassin-3.0.4.tar.bz2.md5
had to be
http://www.apache.org/dist/spamassassin/source/Mail-SpamAssassin-3.0.4.tar.bz2.md5

With kind regards,
Met vriendelijke groet,

Maurice Lucas
TAOS-IT

this receive line only in spam?

[Menno van Bennekom]

I get a lot of med-spams lately that look the same, short, 2 lines with
one url, below that some text (from a book?).
Often it gets marked as spam because of the url, but not always because
bayes has no real grip on this mail.
Maybe there is a way to recognise them in the second receive-line because
of the special helo and port text.
I want to block it with this at the MTA level because I couldn't find HAM
with this text (port-number and special helo syntax).
But I'm not so sure yet so my question is do you know of any HAM that uses
receive lines like this?

Thanks
Menno van Bennekom

Received: from [66.98.106.84] (port=4465 helo=[Batista])
Received: from [180.111.168.219] (port=4464 helo=[discharge])
Received: from [221.54.120.107] (port=4548 helo=[benchmark])
Received: from [240.232.66.156] (port=4015 helo=[infrared])
Received: from [123.120.113.68] (port=4426 helo=[chronograph])
Received: from [130.98.112.26] (port=4102 helo=[lash])
Received: from [50.188.174.87] (port=4590 helo=[simplifications])
Received: from [188.109.189.81] (port=4054 helo=[barbiturates])
Received: from [62.170.216.71] (port=4317 helo=[dispatching])
Received: from [62.103.177.85] (port=4163 helo=[mangler])
Received: from [47.187.43.74] (port=4578 helo=[Basie])
Received: from [47.119.220.88] (port=4434 helo=[slats])
Received: from [224.62.78.91] (port=3290 helo=[inorganic])
Received: from [231.153.167.126] (port=3319 helo=[custodians])
Received: from [48.224.115.129] (port=4000 helo=[rephrasing])
Received: from [116.68.119.88] (port=4486 helo=[restate])
Received: from [116.217.80.102] (port=4232 helo=[mechanizations])
Received: from [93.80.205.52] (port=4084 helo=[emulation])
Received: from [141.51.44.132] (port=4292 helo=[unsanitary])
Received: from [169.90.217.201] (port=4098 helo=[Apatosaurus])
Received: from [162.120.144.32] (port=4240 helo=[transceive])
Received: from [74.93.157.193] (port=2259 helo=[incompatible])
Received: from [153.24.175.209] (port=4170 helo=[Hercules])
Received: from [140.218.69.178] (port=4354 helo=[contrition])
Received: from [146.198.92.136] (port=4568 helo=[culprit])
Received: from [209.30.112.183] (port=4266 helo=[Argo])
Received: from [144.199.150.185] (port=4024 helo=[enticer])
Received: from [63.210.57.193] (port=4253 helo=[cerebellum])

Disable user verification into spamassassin

[Phibee Network operation Center]

Hi

i small question on SPamAssassin 3.0.3:

Jun  7 10:07:07 gw spamd[3329]: connection from gw.srv2.schevingt.org 
[127.0.0.1] at port 45929
Jun  7 10:07:07 gw spamd[3329]: handle_user: unable to find user 
'[EMAIL PROTECTED]'!
Jun  7 10:07:07 gw spamd[3329]: Still running as root: user not 
specified with -u, not found, or set to root.  Fall back to nobody.


For all emails that he receive, he see if i can find the account on the 
localhost, but this is

a relay and he don't have account, he sent to another mail server 

where is the option for he don't search all user into pam ? (i don't use 
personal user rules)


Thanks for your help



smime.p7s
Description: S/MIME Cryptographic Signature

Re: Is SPF working 100%? Problems with hotmail.com

[Niek]

On 6/6/2005 10:50 PM +0200, Raul Dias wrote:

Ok, I findout some stuff here:

1 - This is not the only message this happens.  Other messages that 
should have triggered SPF rules did not.


2 - This is happening when using spamd.

3 - When running these messages by hand against spamassassin -D
never got a missing SPF rule.

So, for some reason, spamd sometimes skips SPF tests.
Is this right?  Would spamd skip some tests for any reason? Load?
Network timeout?


Do you load the spf plugin in init.pre ?

Niek Baakman

Check relaying MTA has valid PTR

[Justin]

Hi

Running SA 3.03-1
Sendmail 8.12.11-4
RHEL 3
Configured using MailScanner 4.41.3

Can anyone tell me the name of the SA test (if there is one) that can check for 
a valid PTR in the sender IP? Sendmail can be configured to delay/reject sender 
IP's with invalid/missing PTR's but this will reject legit mail as well.

I would prefer SA to do the check and score appropriately.

Rgds

Justin

And I said, "Yes, a pet rat. He's very clean and he hasn't got bubonic plague."
And the policeman said, "Well that's reassuring."