Spamassassin 3.0.3 and no scan for a domain ?
Hi, I use SpamAssassin 3.0.3 with qmail-scanner 1.25st for relaying emails to another server after scan and check ... I want to know if it's possible to tell SpamAssassin not to scan an email for the destination [EMAIL PROTECTED]? Or to put into local.cf a whitelist_for (does this option exist?) [EMAIL PROTECTED]? Thanks for your help.
Re: couple of issues
On 6/10/2005 5:05 AM +0200, jdow wrote: Out of curiosity what TTL exists on the surbl server lookups? man dig Niek Baakman
Re: DNS lookups
Kenneth Porter wrote: > Bob Proulx wrote: > > In both cases you would need to modify /etc/resolv.conf to use the > > local nameserver instead of the current one. > > Wiki fodder? Good point. Okay, here is the initial page with the above information. http://wiki.apache.org/spamassassin/CachingNameserver Bob
Re: Amusing phish email...
From: "Matt Kettler" <[EMAIL PROTECTED]> > I just got a paypal phish with this as the target URL: > > http://www.%66%72%61%75%64%65onli%6E%65access*MUNGED*.com/my_paypal/PayPal/ > > > Which when you hover over it in thunderbird shows up as: > > www.fraudeonlineaccess*MUNGED*.com > > > Truth in advertising? > > Ok, so the actual site is just a web host, and the beginning with "fraud" is > unintentional on the part of the site operator.. > > still, it is an amusing choice of hosts for a phisher... There is a real fraudeonlineaccess*MUNGED*.com listed in whois. The data entries are obviously fraudulent. {^_^}
Re: RE: couple of issues
From: "Jeff Chan" <[EMAIL PROTECTED]> > On Thursday, June 9, 2005, 12:23:09 PM, Tom Kern wrote: > > > Well, here's one that just got thru. > > if your SA doesn't block it, here it is- > > > > > Easy, convenient and discreet - order prescription drugs online. > > http://lpjth.bqe4xctm83tjxcb.bullionismia-MUNGED.com > > BTW That domain got added to JP and AB 10 hours before your "just > now" time of 19:00 UTC: > > Thu Jun 9 09:18:01 UTC 2005 > Thu Jun 9 08:43:01 UTC 2005 > > So there may be something broken about your installation. As > Dave Funk said, try sending yourself a test message with > some of the SURBL test points and see if they are hitting: > > http://www.surbl.org/faq.html#test-uris > > if they're not hitting, you have some debugging to do. Out of curiosity what TTL exists on the surbl server lookups? {^_^}
Re: Possibly useful Stats Script.
Nigel Frankcom wrote: A colleague has written a script to supply some summary (and detail) statistics for SA. Actually it's a work in progress, but what it does it does well. Craig Morrison has written a script for logwatch that shows message scan times and a mean average - plus a few other summary details. It's not full of bells and whistles since it's my first real awk script, but it does give some useful information. I'm still working on it, the END pattern will be maturing as time progresses and I get a better feel for awk. Craig's not subscribed here (yet), hence my posting this. I'm here now. :-) -- Craig Morrison http://www.mtsprofessional.com/ A Win32 Email server that works for You.
Amusing phish email...
I just got a paypal phish with this as the target URL: http://www.%66%72%61%75%64%65onli%6E%65access*MUNGED*.com/my_paypal/PayPal/ Which when you hover over it in thunderbird shows up as: www.fraudeonlineaccess*MUNGED*.com Truth in advertising? Ok, so the actual site is just a web host, and the beginning with "fraud" is unintentional on the part of the site operator.. still, it is an amusing choice of hosts for a phisher...
Re: RE: couple of issues
On Thursday, June 9, 2005, 12:23:09 PM, Tom Kern wrote: > Well, here's one that just got thru. > if your SA doesn't block it, here it is- > Easy, convenient and discreet - order prescription drugs online. > http://lpjth.bqe4xctm83tjxcb.bullionismia-MUNGED.com BTW That domain got added to JP and AB 10 hours before your "just now" time of 19:00 UTC: Thu Jun 9 09:18:01 UTC 2005 Thu Jun 9 08:43:01 UTC 2005 So there may be something broken about your installation. As Dave Funk said, try sending yourself a test message with some of the SURBL test points and see if they are hitting: http://www.surbl.org/faq.html#test-uris if they're not hitting, you have some debugging to do. Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: couple of issues
>Kern, Tom wrote: >> Well, here's one that just got thru. >> if your SA doesn't block it, here it is- >> >http://lpjth.bqe4xctm83tjxcb.bullionismia.com > >That one hit the following in my SA 2.64 with all the surbl.org and uribl.com >lists added: > >AB_URI_RBL >BLACK_URI_RBL >JP_URI_RBL > >But it did not hit SC, WS, or OB. > >But again, Time HAS passed since you got it. My check has no bearing whatsoever >on what happened when it first got to your network. By the time you get my >reply, with this URL in it, it should hit the above lists in your config (if >you >have them, not all are in a default setup) > >Black is hosted at uribl.com instead of surbl.org and certainly isn't a >default, >it's rather new and still in it's infancy,, you have to hand add the config for >that one. > >If you send me the same URL an hour from now, the hits could change. You can >post examples all you want, but the fact of the matter is: > >None of the URIBLs is psychic. None can list a domain faster than it can be >reported to them. This means that some spam will arrive and not match the test. >Time of check is a factor when you talk about URIBLs. It's a MAJOR factor. > Wow, hard to find. Registered today at annulet.com using name servers for the suspended domain of aicstrungcb. biz. Already been updated to use positionxloc. biz for name service (a domain registered almost 5 months ago, but never used). Of course, fraudulent registration of all domains involved. multitrade group / omnicorporation Paul Shupak [EMAIL PROTECTED]
Re: couple of issues
On Thursday, June 9, 2005, 12:44:47 PM, Matt Kettler wrote: > Kern, Tom wrote: >> Well, here's one that just got thru. >> if your SA doesn't block it, here it is- >> > http://lpjth.bqe4xctm83tjxcb.bullionismia.com That one belongs to Michael Lindsay iMedia, along with a majority of spam URI domains on the Internet. SURBL lists will be detecting these much sooner real soon now Jeff C. -- Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Possibly useful Stats Script.
Hi, A colleague has written a script to supply some summary (and detail) statistics for SA. I've not been able to get anything of much Admin use from sa-stats.pl; during setup and conf (and day to day running) I'm interested in scantimes and mean averages. Craig Morrison has written a script for logwatch that shows message scan times and a mean average - plus a few other summary details. Craig's not subscribed here (yet), hence my posting this. http://www.2cah.com/lwspamd.html Kind regards Nigel
Re: Gif-Only spams
Ben Hanson wrote: Hmm, scoring certain attachments (.gif, .jpg, etc) based on a calculated checksum (md5 or otherwise). Now that I think about it, I recall Razor used to run into false positives with one of the background images in a set of Outlook stationery (because some spammers had used the same template). The key point being that Razor generates signatures from all MIME parts, images included. Depending on the default config, it may already take care of these. -- Kelson Vibber SpeedGate Communications
RE: couple of issues
> >True, you might list associated domains. However, URIBLs still >aren't psychic, >they're just smart enough to do research :) > >However, the important point still remains: Time of check IS a >major factor when >talking about URIBLs. You cannot assume that two URIBL checks >are comparable if >they are made at different times. > >In particular, you can't assume a URIBL is being bypassed >because you got a >negative result when a message came in, but you get a positive >result when hand >checking the domain 1 hour later. You've changed two >variables, time of scan and >method of scan. > >It *might* be a strangely encoded message that's fooling SA, >but more likely >that 1hour was enough time for it to get listed. True, and I'll take it one step further...not every mirror updates at the same time :) Only way to help the situation, is to go submit missed domains to URIBL.com, and will get right on it ;) --Chris
RE: couple of issues
Chris Santerre wrote: > ... It also helps we have people throughout the > timezones. So at any time of the day...someone is awake :) Could it be said... the sun never sets on SURBL? :) -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
Re: couple of issues
Chris Santerre wrote: >>None of the URIBLs is psychic. None can list a domain faster >>than it can be >>reported to them. This means that some spam will arrive and >>not match the test. >>Time of check is a factor when you talk about URIBLs. It's a >>MAJOR factor. > > > Actually thats not quite true :) > > You report one domain, we research it. We find others connected to that > domain. How we do that is our business ;) But you might report one, and we > add 30-50 from it. Those haven't been used in the spam run yet. True, you might list associated domains. However, URIBLs still aren't psychic, they're just smart enough to do research :) However, the important point still remains: Time of check IS a major factor when talking about URIBLs. You cannot assume that two URIBL checks are comparable if they are made at different times. In particular, you can't assume a URIBL is being bypassed because you got a negative result when a message came in, but you get a positive result when hand checking the domain 1 hour later. You've changed two variables, time of scan and method of scan. It *might* be a strangely encoded message that's fooling SA, but more likely that 1hour was enough time for it to get listed. If strange encodings are a concern, you should be running SA 3.0.4 not 2.63. If that's not an option, make sure your Mail::SpamCopURI module is v 0.25. That won't cover as many obfuscation tricks as 3.0.4 covers, but it will get some that 0.24 misses.
Re: DNS lookups
* Jon Dossey <[EMAIL PROTECTED]>: > You'd "hack" SA instead of just installing bind, and letting it just > cache the response? Or djbdns... > Talk about wagging the dog ... Indeed -- Ralf Hildebrandt (i.A. des IT-Zentrums) [EMAIL PROTECTED] Charite - Universitätsmedizin Berlin Tel. +49 (0)30-450 570-155 Gemeinsame Einrichtung von FU- und HU-Berlin Fax. +49 (0)30-450 570-962 IT-Zentrum Standort CBF send no mail to [EMAIL PROTECTED]
RE: couple of issues
> >None of the URIBLs is psychic. None can list a domain faster >than it can be >reported to them. This means that some spam will arrive and >not match the test. >Time of check is a factor when you talk about URIBLs. It's a >MAJOR factor. Actually thats not quite true :) You report one domain, we research it. We find others connected to that domain. How we do that is our business ;) But you might report one, and we add 30-50 from it. Those haven't been used in the spam run yet. Our goal isn't just zero FP, but speed. Trying to get those domains before they are used. It also helps we have people throughout the timezones. So at any time of the day...someone is awake :) Chris Santerre System Admin and SARE/URIBL Ninja http://www.rulesemporium.com http://www.uribl.com
Re: Gif-Only spams
Hmm, scoring certain attachments (.gif, .jpg, etc) based on a calculated checksum (md5 or otherwise). To be time efficient it would have to be an enable/disable option for older hardware, presumably. The disadvantages are cpu time, network traffic, the need for servers to store the checksum recognized. They could be generated by examining up to some maximum amount of data from images. Advantages? I remember receiving for a time a series of daily ED drug spams that seemed to have nothing in common, for weeks about a year ago. Different apparent source, different subjects. But it was always the same image. This sort of image checksum matching would have been able to cut those off after the requisite quantity had been reported. I like it. Of course, I can play devil's advocate and presume a professional spammer might theoretically use some sort of image processing automation to switch a single pixel in a bank of transparent lines at the bottom of the image (or top or sides) switched to the background color, changing checksums for each repetition of spam they spew. Ben
RE: couple of issues
On Thu, 9 Jun 2005, Kern, Tom wrote: > Perhaps, I'm not sure. > Is there a way to tell? > Also, I have seen some go through that I know are in spamcop. > > Do you know of a way to troubleshoot spamcop? > i plan on upgrading sa, but I can't just yet, so I'd like to figure this out. > > Thanks for your help Get a hotmail/yahoo/gmail free web-based mail account. Send mail to your regular address containing the SURBL testpoint URL. (IE "http://surbl-org-permanent-test-point. com" with out the space ) This -should- be tagged, regardless. If it isn't start SA in debug mode (with the '-D') option and retest, then look at the debug logs to see what did or did not fire. Compare that with a spamassassin -D run to see what's different. Note, you do not want to leave spamd running with the '-D' option unless you have a very low volume mail server or -lots- of free disk space. ;) See the SURBL FAQ for more info: http://www.surbl.org/faq.html -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: couple of issues (whoops, double posted)
Matt Kettler wrote: > Kern, Tom wrote: > >>Well, here's one that just got thru. >>if your SA doesn't block it, here it is- >> > > http://lpjth.bqe4xctm83tjxcb.bullionismia.com > > That one hit the following in my SA 2.64 with all the surbl.org and uribl.com > lists added: sorry for the double post everyone. I didn't notice that the OP included both the normal and the incubator versions of the list address. 50 lashes with a wet noodle for me not noticing :) 50 to Tom for doing it in the first place... :)
RE: couple of issues (whoops, double posted)
Sorry. my bad. won't happen again... Matt Kettler wrote: > Matt Kettler wrote: >> Kern, Tom wrote: >> >>> Well, here's one that just got thru. >>> if your SA doesn't block it, here it is- >>> >> >> http://lpjth.bqe4xctm83tjxcb.bullionismia.com >> >> That one hit the following in my SA 2.64 with all the surbl.org and >> uribl.com lists added: > > sorry for the double post everyone. I didn't notice that the > OP included both the normal and the incubator versions of the list > address. > > 50 lashes with a wet noodle for me not noticing :) > > 50 to Tom for doing it in the first place... :)
Re: couple of issues
Kern, Tom wrote: > Well, here's one that just got thru. > if your SA doesn't block it, here it is- > http://lpjth.bqe4xctm83tjxcb.bullionismia.com That one hit the following in my SA 2.64 with all the surbl.org and uribl.com lists added: AB_URI_RBL BLACK_URI_RBL JP_URI_RBL But it did not hit SC, WS, or OB. But again, Time HAS passed since you got it. My check has no bearing whatsoever on what happened when it first got to your network. By the time you get my reply, with this URL in it, it should hit the above lists in your config (if you have them, not all are in a default setup) Black is hosted at uribl.com instead of surbl.org and certainly isn't a default, it's rather new and still in its infancy, you have to hand add the config for that one. If you send me the same URL an hour from now, the hits could change. You can post examples all you want, but the fact of the matter is: None of the URIBLs is psychic. None can list a domain faster than it can be reported to them. This means that some spam will arrive and not match the test. Time of check is a factor when you talk about URIBLs. It's a MAJOR factor.
Re: 3.0.3/4 uses all CPUs after tie (uuencoded attachments)?
due to perl array behaviour, and SpamAssassin's optimisation for speed (ie. keeping multiple renditions of the message contents in RAM if possible), yes, exponential growth is expected. that's why message size limits are *required* ;) --j. Thomas Jacob writes: > > Yes, a size limit is *required*. It's very important to limit > > the size of messages scanned by SpamAssassin. > > Well, we're limiting the size of emails that spamd sees now, maybe > that will "solve" the problem, and of course it's generally sensibly to > do this, as there isn't really much spam larger than lets say 250k, > but still, when scanning a single 10mb mail makes the spamd process dealing > with that mail eat >2 gigabytes of main memory until all of it is exhausted, > that doesn't seem like "normal" programm behaviour, does it? > > What could it possibly do with that much memory for a 10mb mail? ;)
RE: couple of issues
Well, here's one that just got thru. if your SA doesn't block it, here it is- Easy, convenient and discreet - order prescription drugs online. http://lpjth.bqe4xctm83tjxcb.bullionismia.com The higher the buildings, the lower the morals. People often grudge others what they cannot enjoy themselves. Faithless is he that says farewell when the road darkens. Matt Kettler wrote: > Kern, Tom wrote: >> I'm running sa 2.63 with spamcop_uri. >> I'm still getting mail thru that has url's pointing to know spammers. >> When I grep maillog for spamcop_uri, i see that its working but NOT >> for the emails that have been getting thru. The score for spamcop is >> 4, which is the same score i use to kill spam. I tag at 3. >> Yet its not killed or tagged. >> I'm running sa with amavisd-new. >> >> > > Ok... What's the problem here? Do you somehow expect spamcop URIBL to > never change? > > One thing to keep in mind is that spamcop URIBL is a very dynamic > test and it's contents change rapidly over time as new domains are > added and removed. It might not have a domain listed at the time you > receive the message, but hours, > minutes, or even seconds later it can be added automatically. (The SC > URIBL auto-updates every 5 or 15 minutes, I forget which.) > > Just because a message misses spamcop URI the first time around, but > later > matches it does not mean spamcop URI is being bypassed, it means it > was not in > the spamcop URIBL at that time.
Re: DNS lookups
From: "Ronan McGlue" <[EMAIL PROTECTED]> > Matt Kettler wrote: > > At 08:32 AM 6/9/2005, Ronan McGlue wrote: > > > >> anyclues as to why SA isnt 'apparently' using the hosts file?? > > > > > > This is because SA doesn't use the system resolver, it uses Net::DNS's > > resolver. This gives SA a lot of control over queries, but doesn't take > > advantage of things like /etc/hosts, and only uses your primary DNS. > > ahhh ok > anyway i can hack it?? > *goes off to read CPAN*... tinydns. That's a caching only name server. It can reduce the number of lookups for your primary DNS, perhaps. {^_^}
Re: DNS lookups
From: "Jeff Chan" <[EMAIL PROTECTED]> > On Thursday, June 9, 2005, 5:32:23 AM, Ronan McGlue wrote: > > Niek wrote: > >> On 6/9/2005 2:19 PM +0200, Ronan McGlue wrote: > >> > >>> sry should have added that the DNS order in /etc/resolv.conf is also > >>> correct... > >> > >> > >> What order ? The nameservers are used randomly... > > again, my semantics need work... :S > > > the DNS *is in* order in /etc/resolv.conf... > > > > anyclues as to why SA isnt 'apparently' using the hosts file?? > > > ronan > > Don't use /etc/hosts for anything other than specifying the > basics of your local machine. /etc/hosts is only used by the > system during boot time before BIND is up. After that, BIND > is responsible for name resolution. There is a nice little trick if you have this line in your /etc/host.conf file: "order hosts,bind". Add addresses to which you do not want any information sent to that list. The effect is amusing. It is also quite handy when one of the SARE sites goes down. You can override the rotary DNS lookup and actually make rules downloads. {^_-} <- sneaky old bit**, ain't I?
Re: 3.0.3/4 uses all CPUs after tie (uuencoded attachments)?
> Yes, a size limit is *required*. It's very important to limit > the size of messages scanned by SpamAssassin. Well, we're limiting the size of emails that spamd sees now, maybe that will "solve" the problem, and of course it's generally sensible to do this, as there isn't really much spam larger than let's say 250k, but still, when scanning a single 10mb mail makes the spamd process dealing with that mail eat >2 gigabytes of main memory until all of it is exhausted, that doesn't seem like "normal" program behaviour, does it? What could it possibly do with that much memory for a 10mb mail? ;)
RE: Gif-Only spams
On Thu, 9 Jun 2005, Chris Santerre wrote: > >There are image processing algorithms that are much better at 'looking' > >at two images and giving a 'distance' value. (Only problem is > >that they're > >compute intensive). > > Well then don't use MD5 :) > > Hell then just pull a sample from the image. Not that this will stop > spammers from reverse eng the code and changing the default sample bits. > Change the sample bits every SA release. > > DOn't know, I'm just spouting off ideas :) He asked! Sorry, no criticism intended, I got the impression that a pilot project was already underway using MD5. I was just worried about creating a large image library with MD5 to only later find out that it prevented doing the 'distance' type operations. There are better tools for this kind of task, I can check with my image processing buddies to see what they'd recommend. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Gif-Only spams
Absolutely - that's why I said "scoring" rather than blocking. :) All I meant was that a few e-Bay phishers start using the e-bay logo, it gets marked as a "spam image" and all future e-bay e-mails will have +1 added to them. Shouldn't be enough on its own to counteract AWL, Bayes, etc. for a big sender like e-Bay, but you'd be introducing a weakness. Just something to keep in mind, don't mean to poke holes in the idea. Anything that results in less spam makes me happy. :) Evan Chris Santerre wrote: And for Evan's comment: "You'd end up scoring all legit e-mails that image hash shows up in." One single rule should NEVER trigger an email to be labeled spam ;) --Chris
Re: Moving bayes database to a new SA installation
Alejandro Lengua wrote: >Hi! > >I am installing a new email server with spamassin included, >but I would like to extract the database I have created >in my old spamassassin bayes database and copy it >to the new installation. > >Is this possible?, what is the easier way to do this? >Of course both SA intallations are version 3.03 > >Thanks in advance >Alejandro > > > If both are running a 3.0+ version, then you should be able to run sa-learn --backup > backup.txt on the old machine and then sa-learn --restore=backup.txt on the new machine. man sa-learn for more information. If you have more than one DB (ie not sitewide) then you'll have to do this once for each user. You might also be able to get away with just copying the bayes_* files from one machine to another, but you need to be sure it's running the same versions of everything. Michael
RE: Gif-Only spams
>-Original Message- >From: David B Funk [mailto:[EMAIL PROTECTED] >Sent: Thursday, June 09, 2005 2:16 PM >To: Chris Santerre >Cc: users@spamassassin.apache.org >Subject: RE: Gif-Only spams > > >On Thu, 9 Jun 2005, Chris Santerre wrote: > >> >My only comment on a system like this is that it could be >> >easily subverted. >> >A spammer could use automated image editting tools to randomly >> >change some >> >aspect of the file that would give it a totally different >MD5 sum. Like >> >changing the lower right pixel to a different color would >> >throw the md5 sum >> >way off. >> >> I completely agree. But I'd like to see it tried. Then maybe >combine it with >> distancing techniques to see how distant one MD5 is to another. > >Nice try, but the crypto characteristic of MD5 makes this totally >impractical. One of the attributes of MD5 (by design) is that >even small >changes in the input cause signficant changes in the output. >This is intended to deter attackers from breaking crypto systems >with incremental guessing methods. > >Try this; take a 100Kbyte text file, get a MD5 sum, change one letter >(say a 'b' to 'c') and re-calculate the MD5 sum. >Note that almost every digit of that 32 digit hex value has changed, >even tho you've changed only 1 bit out of 800,000 bits of data in >that file. > >There are image processing algorithms that are much better at 'looking' >at two images and giving a 'distance' value. (Only problem is >that they're >compute intensive). Well then don't use MD5 :) Hell then just pull a sample from the image. Not that this will stop spammers from reverse eng the code and changing the default sample bits. Change the sample bits every SA release. DOn't know, I'm just spouting off ideas :) He asked! And for Evan's comment: "You'd end up scoring all legit e-mails that image hash shows up in." One single rule should NEVER trigger an email to be labeled spam ;) --Chris
RE: Gif-Only spams
On Thu, 9 Jun 2005, Chris Santerre wrote: > >My only comment on a system like this is that it could be > >easily subverted. > >A spammer could use automated image editting tools to randomly > >change some > >aspect of the file that would give it a totally different MD5 sum. Like > >changing the lower right pixel to a different color would > >throw the md5 sum > >way off. > > I completely agree. But I'd like to see it tried. Then maybe combine it with > distancing techniques to see how distant one MD5 is to another. Nice try, but the crypto characteristic of MD5 makes this totally impractical. One of the attributes of MD5 (by design) is that even small changes in the input cause significant changes in the output. This is intended to deter attackers from breaking crypto systems with incremental guessing methods. Try this; take a 100Kbyte text file, get a MD5 sum, change one letter (say a 'b' to 'c') and re-calculate the MD5 sum. Note that almost every digit of that 32 digit hex value has changed, even tho you've changed only 1 bit out of 800,000 bits of data in that file. There are image processing algorithms that are much better at 'looking' at two images and giving a 'distance' value. (Only problem is that they're compute intensive). -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
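The experiment described in the message above, plus the lower-right-pixel change quoted in it, as an added example that is not code from any poster or from SpamAssassin. The 64x64 gradient images are constructed sample data, and the 8x8 average hash is a simple stand-in chosen here for the unnamed 'distance' algorithms, not something the thread specifies.

```python
import hashlib

WIDTH = HEIGHT = 64   # size of the constructed sample images
GRID = 8              # average hash uses an 8x8 grid, giving 64 bits


def make_image():
    """Constructed grayscale image: horizontal gradient 0, 4, ..., 252."""
    return [[x * 4 for x in range(WIDTH)] for _ in range(HEIGHT)]


def different_image():
    """Constructed second picture: the same gradient, but vertical."""
    return [[y * 4 for _ in range(WIDTH)] for y in range(HEIGHT)]


def one_pixel_variant(img):
    """Copy of img with only the lower-right pixel changed (252 -> 0)."""
    copy = [row[:] for row in img]
    copy[HEIGHT - 1][WIDTH - 1] = 0
    return copy


def image_bytes(img):
    """Raw pixel bytes, standing in for the attachment that gets checksummed."""
    return bytes(p for row in img for p in row)


def hamming(a, b):
    """Number of bit positions in which two integers differ."""
    return bin(a ^ b).count("1")


def md5_int(data):
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def md5_hex_digits_changed(a, b):
    """How many of the 32 hex digits of the MD5 sum differ."""
    ha, hb = hashlib.md5(a).hexdigest(), hashlib.md5(b).hexdigest()
    return sum(1 for x, y in zip(ha, hb) if x != y)


def average_hash(img):
    """64-bit fingerprint: one bit per block, set if the block is brighter than the mean."""
    bh, bw = HEIGHT // GRID, WIDTH // GRID
    blocks = []
    for by in range(GRID):
        for bx in range(GRID):
            total = sum(img[y][x]
                        for y in range(by * bh, (by + 1) * bh)
                        for x in range(bx * bw, (bx + 1) * bw))
            blocks.append(total / (bh * bw))
    mean = sum(blocks) / len(blocks)
    bits = 0
    for value in blocks:
        bits = (bits << 1) | (1 if value > mean else 0)
    return bits


def compare(img_a, img_b):
    """Distance between two images under the exact checksum and the fingerprint."""
    a, b = image_bytes(img_a), image_bytes(img_b)
    return {
        "md5_hex_digits_changed": md5_hex_digits_changed(a, b),
        "md5_bits_changed": hamming(md5_int(a), md5_int(b)),
        "ahash_bits_changed": hamming(average_hash(img_a), average_hash(img_b)),
    }


def text_experiment():
    """The 100 Kbyte text test: change one 'b' to 'c', which flips one input bit."""
    original = b"ab" * 50_000
    changed = b"ac" + original[2:]
    input_bits = hamming(int.from_bytes(original, "big"),
                         int.from_bytes(changed, "big"))
    return input_bits, md5_hex_digits_changed(original, changed)


if __name__ == "__main__":
    base = make_image()
    print("one 'b' -> 'c' in 100 KB:", text_experiment())
    print("one pixel changed:       ", compare(base, one_pixel_variant(base)))
    print("different picture:       ", compare(base, different_image()))
```

The MD5 distance is about the same for the one-pixel edit as for a different picture, so it carries no similarity information, while the fingerprint distance separates the two cases.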
Re: Moving bayes database to a new SA installation
Alejandro Lengua wrote: I am installing a new email server with spamassin included, but I would like to extract the database I have created in my old spamassassin bayes database and copy it to the new installation. Is this possible?, what is the easier way to do this? Of course both SA intallations are version 3.03 Sure. Just copy the bayes_* files over to your new server. You may run into problems if the version of the db libraries are different. In that case, see: http://wiki.apache.org/spamassassin/DbDumpAndLoad - S
Re: Razor issues with SpamAssassin (update)
You're right. I am running it as a daemon, and it seems SuSE 9 ships with a /etc/sysconfig/spamd file that includes (for some godawful reason) the -L option. I have just removed that and it seems to be using network tests now. Yes!! Thanks again... JON >>> Theo Van Dinter <[EMAIL PROTECTED]> 6/9/2005 1:16:24 PM >>> On Thu, Jun 09, 2005 at 12:51:33PM -0400, Jonathan Lutz wrote: > However, when I run: spamassassin -D -t < spamfile on it, it shows a > whole bunch more such as DCC_CHECK and a bunch of URIBL tags as it > should. Network checks are seemingly only working on a "local" level. > > Any reason why this might be? You haven't mentioned any specifics about how you're calling SA, but perhaps you're running with -L? -- Randomly Generated Tagline: Leela: "It's amazing that your people can fall in love so fast." Zoidberg: "Love? That word is unknown here. I'm simply looking for a female swollen with eggs to accept my genetic material." Fry: "You and me both, brother."
RE: Gif-Only spams
On Thu, 9 Jun 2005, Bret Miller wrote: > > has anyone developed a good strategy against spams > > that contain a random text and the actual spam in > > an image within a multipart/alternative mail? > > > > Short of entirely blocking mails containing images, that > > is. > > SURBL, URIBL Sorry, but SURBL, URIBL et-al only help if there is a URL in the spam. The spam under discussion here contain ONLY some random text and an image, no URL. Usual instance is an image that contains the ad with a phone number but occasionally ad + URL (inside the image). EG those fake college degree spams. Bayes + 'image-only' rules help, sometimes the spammers use an unusual style of HTML to reference the image and can be caught with a custom rule. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: Lower detection rates
On Thu, Jun 09, 2005 at 11:37:35AM -0600, Carnegie, Martin wrote: > The Net:DNS ver is as follows DNS.pm,v 2.107 2004/02/21 12:44:18 ctriv > Exp $ That doesn't actually state the version, just the revision value of the file. Try: perl -MNet::DNS -e 'print $Net::DNS::VERSION,"\n"' -- Randomly Generated Tagline: A Smith & Wesson beats four aces.
RE: Gif-Only spams
> Baby steps ;) Agreed!
RE: Lower detection rates
Hi Andy, The Net:DNS ver is as follows DNS.pm,v 2.107 2004/02/21 12:44:18 ctriv Exp $ We are not currently using Bayes and are right now talking about implementing Razor and/or Pyzor and/or DCC. I am thinking that you hit on the URIBL because we might have been early recipients of the message and the sites were not listed yet. Could be wrong though. Could you possibly send me the break down on the scores for your hits. Just curious to see what hit where. Thanks -Original Message- From: Andy Jezierski [mailto:[EMAIL PROTECTED] Sent: Thursday, June 09, 2005 11:24 AM To: users@spamassassin.apache.org Subject: Re: Lower detection rates "Carnegie, Martin" <[EMAIL PROTECTED]> wrote on 06/09/2005 12:09:20 PM: > Hi All, > > In the past 3 weeks or so, we have really noticed a decrease in the > detection rate for spam. We have not changed our system other than > upgrading to 3.0.3 to see if it would help. We have turned on URIBL > and SURLB and also have the following custom rules in place: > [snip] Are you sure your network test are working? That message scored very high on my system, although my SURBL scores have been bumped up. X-Spam-Status: Yes, score=19.4 required=5.7 tests=BAYES_80,DATE_IN_PAST_12_24, RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,SARE_RECV_IP_218078,SARE_USERAG_3, TW_RX,URIBL_OB_SURBL,URIBL_SBL autolearn=unavailable version=3.0.2 May want to check that your Net::DNS is up to date. Andy
Re: couple of issues
Kern, Tom wrote:
> I'm running sa 2.63 with spamcop_uri.
> I'm still getting mail thru that has url's pointing to known spammers.
> When I grep maillog for spamcop_uri, I see that it's working but NOT for the
> emails that have been getting thru.
> The score for spamcop is 4, which is the same score I use to kill spam. I tag
> at 3.
> Yet it's not killed or tagged.
> I'm running sa with amavisd-new.

Ok... What's the problem here? Do you somehow expect spamcop URIBL to never change?

One thing to keep in mind is that spamcop URIBL is a very dynamic test and its contents change rapidly over time as new domains are added and removed. It might not have a domain listed at the time you receive the message, but hours, minutes, or even seconds later it can be added automatically. (The SC URIBL auto-updates every 5 or 15 minutes, I forget which.)

Just because a message misses spamcop URI the first time around, but later matches it, does not mean spamcop URI is being bypassed, it means it was not in the spamcop URIBL at that time.
Re: Razor issues with SpamAssassin (update)
On Thu, Jun 09, 2005 at 12:51:33PM -0400, Jonathan Lutz wrote:
> However, when I run: spamassassin -D -t < spamfile on it, it shows a
> whole bunch more such as DCC_CHECK and a bunch of URIBL tags as it
> should. Network checks are seemingly only working on a "local" level.
>
> Any reason why this might be?

You haven't mentioned any specifics about how you're calling SA, but perhaps you're running with -L?

--
Randomly Generated Tagline:
Leela: "It's amazing that your people can fall in love so fast."
Zoidberg: "Love? That word is unknown here. I'm simply looking for a female swollen with eggs to accept my genetic material."
Fry: "You and me both, brother."
RE: couple of issues
Perhaps, I'm not sure. Is there a way to tell?
Also, I have seen some go through that I know are in spamcop.
Do you know of a way to troubleshoot spamcop?
I plan on upgrading sa, but I can't just yet, so I'd like to figure this out.

Thanks for your help

[EMAIL PROTECTED] wrote:
> Kern, Tom wrote:
>> When I grep maillog for spamcop_uri, I see that it's working but NOT
>> for the emails that have been getting thru.
>
> Are you suggesting that the mails that have been getting through
> should have been caught by spamcop_uri?
>
> The nature of the spamcop_uri beast is such that an email might not
> match (when you receive it)... and then fifteen minutes later (when
> you test it), it may match. So perhaps everything is working?
Re: Lower detection rates
"Carnegie, Martin" <[EMAIL PROTECTED]> wrote on 06/09/2005 12:09:20 PM:

> Hi All,
>
> In the past 3 weeks or so, we have really noticed a decrease in the
> detection rate for spam. We have not changed our system other than
> upgrading to 3.0.3 to see if it would help. We have turned on URIBL
> and SURBL and also have the following custom rules in place:
> [snip]

Are you sure your network tests are working? That message scored very high on my system, although my SURBL scores have been bumped up.

X-Spam-Status: Yes, score=19.4 required=5.7 tests=BAYES_80,DATE_IN_PAST_12_24,
    RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,SARE_RECV_IP_218078,SARE_USERAG_3,
    TW_RX,URIBL_OB_SURBL,URIBL_SBL autolearn=unavailable version=3.0.2

May want to check that your Net::DNS is up to date.

Andy
RE: couple of issues
Kern, Tom wrote:
> When I grep maillog for spamcop_uri, I see that it's working but NOT
> for the emails that have been getting thru.

Are you suggesting that the mails that have been getting through should have been caught by spamcop_uri?

The nature of the spamcop_uri beast is such that an email might not match (when you receive it)... and then fifteen minutes later (when you test it), it may match. So perhaps everything is working?

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
Re: couple of issues
At 10:00 AM 6/9/2005, you wrote:
> I'm running sa 2.63 with spamcop_uri.

Might be worth upgrading.. :)

> I'm still getting mail thru that has url's pointing to known spammers.
> When I grep maillog for spamcop_uri, I see that it's working but NOT for the
> emails that have been getting thru.
> The score for spamcop is 4, which is the same score I use to kill spam. I tag
> at 3.
> Yet it's not killed or tagged.
> I'm running sa with amavisd-new.
>
> Thanks for your help

Spamassassin doesn't kill - but not sure by tag if you mean SPAM in the subject. Posting the headers from one of the non-tagged messages would probably help, as well as the relevant line in your config.
Re: Gif-Only spams
The other big problem I see is phishers (or spammers trying to poison the system) intentionally inserting images normally found in legitimate e-mails (eg, e-bay). You'd end up scoring all legit e-mails that image hash shows up in.

Evan

Sven Riedel wrote:
> Hi,
> has anyone developed a good strategy against spams
> that contain a random text and the actual spam in
> an image within a multipart/alternative mail?
>
> Short of entirely blocking mails containing images, that
> is.
>
> Regs,
> Sven
>
> --
> BAGHUS GmbH
> EDV und Internetdienstleistungen
> Staffelseestr. 2
> 81477 München
> Tel.: 0 89 / 8 71 81 - 4 84
> Fax.: 0 89 / 8 71 81 - 4 88
> www.baghus.net, [EMAIL PROTECTED]
> HRB: 144283, USt-IdNr: DE224865405
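The exact-hash weakness raised elsewhere in this thread (one changed pixel gives an unrelated MD5), set beside a hash that can be compared by distance, as an added example that is not part of any post or of the proposal on the rulesemporium forum. The average hash used here is a substituted technique chosen for the illustration, and the images are constructed pixel grids serialised as PGM files.

```python
"""Exact MD5 footprint versus a distance-comparable image hash."""
import hashlib


def pgm_bytes(pixels):
    """Serialise a grayscale pixel grid as a binary PGM (P5) file."""
    height, width = len(pixels), len(pixels[0])
    header = b"P5\n%d %d\n255\n" % (width, height)
    return header + bytes(v for row in pixels for v in row)


def md5_hex(pixels):
    return hashlib.md5(pgm_bytes(pixels)).hexdigest()


def average_hash(pixels, size=8):
    """64-bit average hash: shrink to size x size cells, threshold at the mean."""
    height, width = len(pixels), len(pixels[0])
    bh, bw = height // size, width // size
    cells = []
    for by in range(size):
        for bx in range(size):
            block = [pixels[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for cell in cells:
        bits = (bits << 1) | (cell > mean)
    return bits


def hamming(a, b):
    """Number of differing bits between two integers."""
    return bin(a ^ b).count("1")


def compare(img_a, img_b):
    """Compare two images by exact MD5 and by average-hash distance."""
    md5_a, md5_b = md5_hex(img_a), md5_hex(img_b)
    return {
        "md5_equal": md5_a == md5_b,
        # Bit distance between MD5 digests carries no similarity information:
        # any change to the input flips about half of the 128 bits.
        "md5_bit_distance": hamming(int(md5_a, 16), int(md5_b, 16)),
        "ahash_distance": hamming(average_hash(img_a), average_hash(img_b)),
    }


# Constructed 32x32 sample images (not real spam attachments).
def sample_image():
    """Left half dark, right half bright."""
    return [[20 if x < 16 else 230 for x in range(32)] for _ in range(32)]


def tweak_corner(pixels):
    """Copy of the image with only the lower-right pixel changed."""
    copy = [row[:] for row in pixels]
    copy[-1][-1] = 0
    return copy


def unrelated_image():
    """Top half dark, bottom half bright."""
    return [[20 if y < 16 else 230 for _ in range(32)] for y in range(32)]


if __name__ == "__main__":
    original = sample_image()
    print("one pixel changed:", compare(original, tweak_corner(original)))
    print("different image:  ", compare(original, unrelated_image()))
```

A distance threshold on such a hash would still match images reused from legitimate mail, so it does nothing for the false-positive concern in the post above.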
Lower detection rates
Hi All,

In the past 3 weeks or so, we have really noticed a decrease in the detection rate for spam. We have not changed our system other than upgrading to 3.0.3 to see if it would help. We have turned on URIBL and SURBL and also have the following custom rules in place:

70_sare_adult.cf
70_sare_genlsubj0.cf
70_sare_header0.cf
70_sare_html0.cf
70_sare_obfu0.cf
70_sare_specific.cf
99_chickenpox.cf
99_custom.cf
99_mangled.cf
99_sare_fraud_post25x.cf
99_weeds.cf

Hopefully this is everything you need :)

This is a sample of what is getting in.

Microsoft Mail Internet Headers Version 2.0
Received: from atcoinss.atco.ca ([192.210.9.70]) by is030.atco.com with Microsoft SMTPSVC(5.0.2195.6713);
    Wed, 8 Jun 2005 22:15:58 -0600
Received: from atcoinss.atco.ca ([192.210.5.122])
    by atcoinss.atco.ca (SMSSMTP 4.0.0.59) with SMTP id M2005060822155726541
    for <[EMAIL PROTECTED]>; Wed, 08 Jun 2005 22:15:57 -0600
Received: from [218.81.247.57] (helo=oldbuthealthy.com)
    by atcoinss.atco.ca with smtp (Exim )
    for [EMAIL PROTECTED]
    id 1DgESR-0001v0-B7; Wed, 08 Jun 2005 22:15:57 -0600
Message-ID: <[EMAIL PROTECTED]>
Date: Wed, 08 Jun 2005 18:44:17 +0900
Reply-To: "man orendorff" <[EMAIL PROTECTED]>
From: "man orendorff" <[EMAIL PROTECTED]>
User-Agent: 8.0 for Windows sub 6014
MIME-Version: 1.0
To: "Josh Catrett" <[EMAIL PROTECTED]>
Subject: Choose a better site for less, quality taablets made by leading manufacturers.
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on atcoinss.atco.ca
X-Spam-Level:
X-Spam-Status: No, score=4.1 required=5.0 tests=DATE_IN_PAST_12_24,
    SARE_USERAG_3 autolearn=disabled version=3.0.3
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 09 Jun 2005 04:15:58.0035 (UTC) FILETIME=[EFEAEA30:01C56CA9]

At our licensed chemist-site, customers can choose from a wide selection of brand name and generic medicals. It is legitimate to shoppe for rxmeds in this way.
For customers from different countries, the company provides the same timely and reliable distribution services.
Select our store for leading rxdrugs on Pain, Erectile muscle Dysfunction, Stress, Man's care, Sleeping Disorder, Obesity and other disorders.
http://vrhp.a.effectivereliefforall.com/koop/
It is easier to pocket moola on rxdrugs at our store.

so much as I could wish. But Mr. e! May be his si at a third could resist it with energy Copperfield was teaching mester is wo rse at -' ('Much he knew about it hiAvignon, a mself!') said Miss Betsey in a ach, and I inquired after the Castle and the Aged parenthesis. - 'And I hop e I should have . In one thing, howeve improved, being very anxio us to learn, and he very
Re: DNS lookups
>...
>On Thursday, June 9, 2005, 5:32:23 AM, Ronan McGlue wrote:
>> Niek wrote:
>>> On 6/9/2005 2:19 PM +0200, Ronan McGlue wrote:
>>> sry should have added that the DNS order in /etc/resolv.conf is also correct...
>>>
>>>
>>> What order ? The nameservers are used randomly...
>> again, my semantics need work... :S
>
>> the DNS *is in* order in /etc/resolv.conf...
>
>
>> anyclues as to why SA isnt 'apparently' using the hosts file??
>
>> ronan
>
>Don't use /etc/hosts for anything other than specifying the
>basics of your local machine. /etc/hosts is only used by the
>system during boot time before BIND is up. After that, BIND
>is responsible for name resolution.
>
>Jeff C.
>--
>Jeff Chan
>mailto:[EMAIL PROTECTED]
>http://www.surbl.org/
>
>

For most machines, this is both true and the preferred method of name lookup. But for OSs with nsswitch.conf, it neither *must* be true, nor is it always desirable; I have a large number of multi-homed machines with different firewall rules for different interfaces and not all daemons "listen" on all interfaces - so for *some* machines, I use a line like:

    hosts: files dns

inside of nsswitch.conf and specify unique names for the different interfaces. This allows me to avoid long timeouts if I "ssh" to a machine, which only accepts connections on one interface (i.e. with the default behavior, I would get the interfaces chosen randomly, and in some cases wait 30+ seconds for timeouts before the only interface "listening" which will respond is attempted). I also have other machines with other daemons also setup "asymmetrically" (i.e. not "listening" on all interfaces).

Still, in general, your advice is correct, and only for special cases should the default (AFAIK on every OS with nsswitch.conf), be changed in the manner I just described. Just to note: At least on NetBSD, the default is

    hosts: dns, files, nis

which will act exactly like Jeff suggested - and is probably the correct choice for >90% of all machines/environments.

Also, the host file format cannot on most OSs deal properly with multi-homed hosts anyway (it will always and only choose the "first" match). Possibly a [Notfound = return] clause might be properly inserted in the list for many situations (in particular when using NIS or NIS+). Also, doing what I have described, greatly complicates both the setup and maintenance of the machines which use a non-standard resolution ordering rule. By far the simplest and easiest case is when the hosts file contains localhost and the name(s) of the local interfaces only - then soon after boot, everything uses BIND (just like Jeff said).

Much more likely, is the possibility that the Perl DNS module simply ignores nsswitch.conf and does calls to the resolver library (or the corresponding functions on some OSs) rather than call gethostbyname(), etc. Also remember, some people still use NIS and/or NIS+, so BIND/DNS is not the correct answer for all environments, but is for most.

Now, I have to go and check the Perl module to see what it does (I do remember, that at one point it would only use the first nameserver entry in resolv.conf - all written with "roll-your-own" code that didn't always act like the rest of the system).

Paul Shupak
[EMAIL PROTECTED]
couple of issues
I'm running sa 2.63 with spamcop_uri. I'm still getting mail thru that has url's pointing to known spammers. When I grep maillog for spamcop_uri, I see that it's working but NOT for the emails that have been getting thru. The score for spamcop is 4, which is the same score I use to kill spam. I tag at 3. Yet it's not killed or tagged. I'm running sa with amavisd-new. Thanks for your help
Bayes
If working properly, shouldn't every email have a BAYES_nn entry? My spam has a high Bayes entry, I have a few ham that have a BAYES_50 entry, but most of the ham has NO BAYES entry. Is this normal?? I thought I used to get a BAYES_nn on every one. When I don't see the BAYES_nn entry, I worry that it's not working! Tnx - John
Re: Razor issues with SpamAssassin (update)
An update to this problem:

I have a piece of spam that was not identified as such. The header shows only:

* 1.7 SARE_RECV_FEP5 Message contains known spam format

However, when I run: spamassassin -D -t < spamfile on it, it shows a whole bunch more such as DCC_CHECK and a bunch of URIBL tags as it should. Network checks are seemingly only working on a "local" level.

Any reason why this might be?

JON

>>> "Jonathan Lutz" <[EMAIL PROTECTED]> 6/8/2005 1:39:46 PM >>>
I have just set up a little mail server with Postfix and Spamassassin 2.63 with the newest Razor installed (of course). Spamassassin seems to be working fine, and running spamassassin -D --lint shows Razor appearing to be working fine.. but unfortunately it is not tagging any messages. So far I have received a few hundred spam messages and not one had a RAZOR-related spam tag.

Any idea on what this could be?
RE: Gif-Only spams
>-----Original Message-----
>From: Geoff Manning [mailto:[EMAIL PROTECTED]
>Sent: Thursday, June 09, 2005 11:45 AM
>To: users@spamassassin.apache.org
>Subject: RE: Gif-Only spams
>
>
>> Check out the interesting idea at www.rulesemporium.com/forums/
>>
>> entitled: Image attachment MD5 footprint RBL
>
>
>My only comment on a system like this is that it could be easily subverted.
>A spammer could use automated image editing tools to randomly change some
>aspect of the file that would give it a totally different MD5 sum. Like
>changing the lower right pixel to a different color would throw the md5 sum
>way off.

I completely agree. But I'd like to see it tried. Then maybe combine it with distancing techniques to see how distant one MD5 is to another.

Baby steps ;)

--Chris
Re: DNS lookups
--On Thursday, June 09, 2005 10:25 AM -0600 Bob Proulx <[EMAIL PROTECTED]> wrote:

> Kenneth Porter wrote:
>> If it's a Red Hat system (including Fedora), just install the
>> caching-nameserver RPM. It pulls in BIND and installs appropriate config
>> files. Then edit resolv.conf to point to localhost.
>
> If it is a Debian system just install bind9 and the default
> configuration is a caching nameserver.
>
>     apt-get install bind9
>
> In both cases you would need to modify /etc/resolv.conf to use the
> local nameserver instead of the current one.

Wiki fodder?
Re: 3.0.3/4 uses all CPUs after tie (uuencoded attachments)?
Thomas Jacob writes:
> It seems, that for us at least, this is caused by Spamassassin scanning
> larger (>1mb) mails containing uuencoded files, without mime attachment
> headers or anything.
>
> But this only seems to happen sometimes or when spamd has been running
> for a little while, for if we feed an email that appears to have caused
> the memory problem into a restarted spamd, nothing happens.
>
> When spamd chokes on such a mail, it slowly but constantly increases its
> memory usage, eating up all the system's memory.
>
> We haven't been using a size-limit for exiscan/exim up till now, but
> that can hardly be the root cause of the problem, for why would
> spamd need gigabytes of memory when processing, let's say, a 10mb
> mail?

Yes, a size limit is *required*. It's very important to limit the size of messages scanned by SpamAssassin.

--j.
Re: DNS lookups
Kenneth Porter wrote:
> If it's a Red Hat system (including Fedora), just install the
> caching-nameserver RPM. It pulls in BIND and installs appropriate config
> files. Then edit resolv.conf to point to localhost.

If it is a Debian system just install bind9 and the default configuration is a caching nameserver.

    apt-get install bind9

In both cases you would need to modify /etc/resolv.conf to use the local nameserver instead of the current one.

Bob
Moving bayes database to a new SA installation
Hi! I am installing a new email server with SpamAssassin included, but I would like to extract the database I have created in my old spamassassin bayes database and copy it to the new installation. Is this possible? What is the easier way to do this? Of course both SA installations are version 3.03. Thanks in advance, Alejandro
RE: Gif-Only spams
> Check out the interesting idea at www.rulesemporium.com/forums/
>
> entitled: Image attachment MD5 footprint RBL

My only comment on a system like this is that it could be easily subverted. A spammer could use automated image editing tools to randomly change some aspect of the file that would give it a totally different MD5 sum. Like changing the lower right pixel to a different color would throw the md5 sum way off.
Re: DNS lookups
Jon Dossey wrote:
>
> You'd "hack" SA instead of just installing bind, and letting it just
> cache the response?

Yes, although that would be rather ugly, and probably much harder to implement than installing a caching nameserver. You also wouldn't reap all the benefits that a local caching nameserver would give you.
RE: Gif-Only spams
>-----Original Message-----
>From: Sven Riedel [mailto:[EMAIL PROTECTED]
>Sent: Thursday, June 09, 2005 10:19 AM
>To: users@spamassassin.apache.org
>Subject: Gif-Only spams
>
>
>Hi,
>has anyone developed a good strategy against spams
>that contain a random text and the actual spam in
>an image within a multipart/alternative mail?
>
>Short of entirely blocking mails containing images, that
>is.
>
>Regs,
>Sven

Check out the interesting idea at www.rulesemporium.com/forums/

entitled: Image attachment MD5 footprint RBL

Pretty cool.

--Chris
RE: Gif-Only spams
> has anyone developed a good strategy against spams
> that contain a random text and the actual spam in
> an image within a multipart/alternative mail?
>
> Short of entirely blocking mails containing images, that
> is.

SURBL, URIBL

SURBL is included in SA 3.x, so if you haven't upgraded, this might be a good reason to do so. For SA 2.63, you can get the spamcopuri plugin and install it. Remember it's a patch to SA, so you have to have the right SA version/spamcopuri plugin match.

Bret
Re: DNS lookups
--On Thursday, June 09, 2005 11:03 AM -0400 Steven Dickenson <[EMAIL PROTECTED]> wrote:

> We run bind with no zones on our SA gateway to serve as a DNS cache.
> Helps take a load off DNS lookups for common hosts. You can easily do
> this with any other DNS daemon as well. Google for caching nameserver.

If it's a Red Hat system (including Fedora), just install the caching-nameserver RPM. It pulls in BIND and installs appropriate config files. Then edit resolv.conf to point to localhost.
Re: DNS lookups
Ronan McGlue wrote:
>> This is because SA doesn't use the system resolver, it uses Net::DNS's
>> resolver. This gives SA a lot of control over queries, but doesn't take
>> advantage of things like /etc/hosts, and only uses your primary DNS.
>
> ahhh ok
> anyway i can hack it??
> *goes off to read CPAN*...

We run bind with no zones on our SA gateway to serve as a DNS cache. Helps take a load off DNS lookups for common hosts. You can easily do this with any other DNS daemon as well. Google for caching nameserver.

- S
Re: Can't write into world-writable directories?
Peter Guhl wrote:
> Well, still... somehow I don't get why the software is running as spamd
> and tries to write into /root. I wouldn't say anything if the software
> involved wasn't designed to cooperate (spamd, spamass-milter). But -
> well, it works now.

Whatever is calling spamc (or interfacing with spamd) is setting the username to root. This is generally a bad thing, IMHO. What MTA are you running? How are you calling spamassassin?

- S
RE: DNS lookups
> Matt Kettler wrote:
> > At 08:32 AM 6/9/2005, Ronan McGlue wrote:
> >
> >> anyclues as to why SA isnt 'apparently' using the hosts file??
> >
> >
> > This is because SA doesn't use the system resolver, it uses Net::DNS's
> > resolver. This gives SA a lot of control over queries, but doesn't take
> > advantage of things like /etc/hosts, and only uses your primary DNS.
>
> ahhh ok
> anyway i can hack it??
> *goes off to read CPAN*...

You'd "hack" SA instead of just installing bind, and letting it just cache the response? Talk about wagging the dog ...

.jon
Gif-Only spams
Hi, has anyone developed a good strategy against spams that contain a random text and the actual spam in an image within a multipart/alternative mail? Short of entirely blocking mails containing images, that is. Regs, Sven -- BAGHUS GmbH EDV und Internetdienstleistungen Staffelseestr. 2 81477 München Tel.: 0 89 / 8 71 81 - 4 84 Fax.: 0 89 / 8 71 81 - 4 88 www.baghus.net, [EMAIL PROTECTED] HRB: 144283, USt-IdNr: DE224865405 --
Re: DNS lookups
Matt Kettler wrote:
> At 08:32 AM 6/9/2005, Ronan McGlue wrote:
>> anyclues as to why SA isnt 'apparently' using the hosts file??
>
> This is because SA doesn't use the system resolver, it uses Net::DNS's
> resolver. This gives SA a lot of control over queries, but doesn't take
> advantage of things like /etc/hosts, and only uses your primary DNS.

ahhh ok
anyway i can hack it??
*goes off to read CPAN*...

--
Regards
Ronan McGlue
Info. Services QUB
Re: DNS lookups
At 08:32 AM 6/9/2005, Ronan McGlue wrote:
> anyclues as to why SA isnt 'apparently' using the hosts file??

This is because SA doesn't use the system resolver, it uses Net::DNS's resolver. This gives SA a lot of control over queries, but doesn't take advantage of things like /etc/hosts, and only uses your primary DNS.
Re: DNS lookups
Victor Brilon wrote:
> --- Ronan McGlue <[EMAIL PROTECTED]> wrote:
>> yes, but BIND isnt running on the machine in question... (atm)
>> The nets guys here are seeing a lot of lookups from this SPAMD machine
>> for our mailhubs to the Local dns... which is an extra couple of
>> milliseconds i want to avoid by specifying them in the /etc/hosts file.
>> I've restarted INETD but the SPAMD machine is still looking up the hubs
>> to send the results of the messages back...
>
> Check your nsswitch.conf file and see how your hostname
> entries are being resolved. It might be avoiding the
> hosts file altogether.

/etc/nsswitch.conf
.
.
hosts: files dns
.
.
.

yeah i thought that might be the case but i made sure...

> Victor

this is baffling... am I doing something so monstrously daft you have all overlooked it...

spamd running on dedicated machine serving 3 mailhubs
all of which are in hosts file
nsswitch is as above
resolv.conf has dns's

anything else I should check??
spamd's command line???

    /usr/bin/spamd -d -r /var/log/spamd.pid -m 10 -i 143.117.x.x -A 143.117.y.y,143.117.z.z,143.117.u.u

--
Regards
Ronan McGlue
Info. Services QUB
Re: DNS lookups
Jeff Chan wrote:
> On Thursday, June 9, 2005, 5:32:23 AM, Ronan McGlue wrote:
>> Niek wrote:
>>> On 6/9/2005 2:19 PM +0200, Ronan McGlue wrote:
>>>> sry should have added that the DNS order in /etc/resolv.conf is also
>>>> correct...
>>>
>>> What order ? The nameservers are used randomly...
>>
>> again, my semantics need work... :S
>> the DNS *is in* order in /etc/resolv.conf...
>> anyclues as to why SA isnt 'apparently' using the hosts file??
>> ronan
>
> Don't use /etc/hosts for anything other than specifying the
> basics of your local machine. /etc/hosts is only used by the
> system during boot time before BIND is up. After that, BIND
> is responsible for name resolution.
>
> Jeff C.

yes, but BIND isnt running on the machine in question... (atm)

The nets guys here are seeing a lot of lookups from this SPAMD machine for our mailhubs to the Local dns... which is an extra couple of milliseconds i want to avoid by specifying them in the /etc/hosts file.

I've restarted INETD but the SPAMD machine is still looking up the hubs to send the results of the messages back...

--
Regards
Ronan McGlue
Info. Services QUB
Re: DNS lookups
On Thursday, June 9, 2005, 5:32:23 AM, Ronan McGlue wrote:
> Niek wrote:
>> On 6/9/2005 2:19 PM +0200, Ronan McGlue wrote:
>>
>>> sry should have added that the DNS order in /etc/resolv.conf is also
>>> correct...
>>
>>
>> What order ? The nameservers are used randomly...
> again, my semantics need work... :S
> the DNS *is in* order in /etc/resolv.conf...
> anyclues as to why SA isnt 'apparently' using the hosts file??
> ronan

Don't use /etc/hosts for anything other than specifying the basics of your local machine. /etc/hosts is only used by the system during boot time before BIND is up. After that, BIND is responsible for name resolution.

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: 3.0.3/4 uses all CPUs after tie (uuencoded attachments)?
It seems, that for us at least, this is caused by Spamassassin scanning larger (>1mb) mails containing uuencoded files, without mime attachment headers or anything.

But this only seems to happen sometimes or when spamd has been running for a little while, for if we feed an email that appears to have caused the memory problem into a restarted spamd, nothing happens.

When spamd chokes on such a mail, it slowly but constantly increases its memory usage, eating up all the system's memory.

We haven't been using a size-limit for exiscan/exim up till now, but that can hardly be the root cause of the problem, for why would spamd need gigabytes of memory when processing, let's say, a 10mb mail?
Re: Can't write into world-writable directories?
Peter Guhl wrote:
> Nope, it was right. But it needed to explicitly own .spamassassin to
> spamd:spamd. World-writable didn't work... (maybe /root is specially
> protected?).

/root isn't protected specially, it is protected with file permissions. You can't write to /root directory unless you have write and execute permissions for the /root directory.

--
Cevher Cemal Bozkur
+-+-+-+-+-+-+-+-+-+
YÖRE NET Teknoloji
Tel:+90 212 234 00 90
Re: DNS lookups
Niek wrote:
> On 6/9/2005 2:19 PM +0200, Ronan McGlue wrote:
>> sry should have added that the DNS order in /etc/resolv.conf is also
>> correct...
>
> What order ? The nameservers are used randomly...

again, my semantics need work... :S

the DNS *is in* order in /etc/resolv.conf...

anyclues as to why SA isnt 'apparently' using the hosts file??

ronan

> Niek Baakman

--
Regards
Ronan McGlue
Info. Services QUB
Re: DNS lookups
On 6/9/2005 2:19 PM +0200, Ronan McGlue wrote:
> sry should have added that the DNS order in /etc/resolv.conf is also
> correct...

What order ? The nameservers are used randomly...

Niek Baakman
Re: DNS lookups
Niek wrote:
> On 6/9/2005 2:15 PM +0200, Ronan McGlue wrote:
>> hi
>> SA is continually looking up my 3 mailhubs to our local DNS even though
>> i have them hardcoded into /etc/hosts and /etc/nsswitch.conf is
>> configured properly etc etc...
>> How can I make SA use the hosts file if such an option exists...
>> anyone else notice this behaviour??
>> ronan
>
> perhaps the file to use is /etc/resolv.conf ?

sry should have added that the DNS order in /etc/resolv.conf is also correct...

> Niek Baakman

--
Regards
Ronan McGlue
Info. Services QUB
Re: DNS lookups
On 6/9/2005 2:15 PM +0200, Ronan McGlue wrote:
> hi
> SA is continually looking up my 3 mailhubs to our local DNS even though
> i have them hardcoded into /etc/hosts and /etc/nsswitch.conf is
> configured properly etc etc...
> How can I make SA use the hosts file if such an option exists...
> anyone else notice this behaviour??
> ronan

perhaps the file to use is /etc/resolv.conf ?

Niek Baakman
Re: Can't write into world-writable directories?
On Thu, 2005-06-09 at 13:03 +0200, Peter Guhl wrote:
> Cannot write to /root/.spamassassin/user_prefs: Permission denied
>
> /root/.spamassassin/ is world-writable (of course I can't leave it like
> this, but apparently this error message points me to the wrong
> direction.

Nope, it was right. But it needed to explicitly own .spamassassin to spamd:spamd. World-writable didn't work... (maybe /root is specially protected?).

Well, still... somehow I don't get why the software is running as spamd and tries to write into /root. I wouldn't say anything if the software involved wasn't designed to cooperate (spamd, spamass-milter). But - well, it works now.

Regards
Peter

--
Peter Guhl <[EMAIL PROTECTED]>
NetzWerkCenter GmbH
DNS lookups
hi SA is continually looking up my 3 mailhubs to our local DNS even though i have them hardcoded into /etc/hosts and /etc/nsswitch.conf is configured properly etc etc... How can I make SA use the hosts file if such an option exists... anyone else notice this behaviour?? ronan -- Regards Ronan McGlue Info. Services QUB
Can't write into world-writable directories?
Cannot write to /root/.spamassassin/user_prefs: Permission denied

/root/.spamassassin/ is world-writable (of course I can't leave it like this, but apparently this error message points me to the wrong direction.

FreeBSD 5.4, Spamassassin 3.0.3.

Everybody heard about before?

Regards
Peter

--
Peter Guhl <[EMAIL PROTECTED]>
NetzWerkCenter GmbH
Re: user wise preferences from database
Ramprasad A Padmanabhan wrote:
> Hi,
> I want to use Spamassassin with Postfix-Mailscanner or
> Postfix-amavisd for an ISP level spam filter.
> All users are virtual, and I would like to give the users full control
> for setting their rulesets
>
> For eg, A user must be able to set his own scores for the DRUGS_ERECTILE
> or DCC_CHECKS. ( say he works in a pharmacy )
>
> Since there may be several thousands of users and most users would not
> make custom settings ( though in theory they can ); it is not practical
> to have users home directories.
> Ideally I should be able to get the preferences from a database or ldap
> per user
>
> Is this possible ? Can someone point me some links to how this can be
> done
>
> Thanks
> Ram

I'm not sure about postfix, I don't use it. Spamassassin is very customizable in that manner (via sql.)

http://wiki.apache.org/spamassassin/UsingSQL
http://wiki.apache.org/spamassassin/WebUserInterfaces

I threw the last link in, it's got some interfaces. I don't personally use any of those, my users don't have the need to change settings... too much.

HTH

--
Thanks,
JamesDR
user wise preferences from database
Hi,

I want to use Spamassassin with Postfix-Mailscanner or Postfix-amavisd for an ISP level spam filter. All users are virtual, and I would like to give the users full control for setting their rulesets

For eg, A user must be able to set his own scores for the DRUGS_ERECTILE or DCC_CHECKS. ( say he works in a pharmacy )

Since there may be several thousands of users and most users would not make custom settings ( though in theory they can ); it is not practical to have users home directories. Ideally I should be able to get the preferences from a database or ldap per user

Is this possible ? Can someone point me some links to how this can be done

Thanks
Ram

--
Netcore Solutions Pvt. Ltd.
Website: http://www.netcore.co.in
Spamtraps: http://cleanmail.netcore.co.in/directory.html