Re: yet another uribl evasion example

2005-06-13 Thread Loren Wilton
> would it be reasonable to add a rule to check for anomalies in URLs? 
> what's the best (TM) way?

SARE, at least at the moment.

Loren



Re: Uri rules

2005-06-13 Thread Robert Menschel
Hello martin,

Sunday, June 12, 2005, 4:58:35 AM, you wrote:

ms> Has the behaviour of the uri rule been changed at some point to match the
ms> whole of the URL? I have just noticed I am getting some FP when one of my
ms> uri rules matches against the URL rather than URI.

Not that I'm aware of.  To my knowledge the URI rule always matches
the full URL.  There are several SA and/or SARE rules which depend upon this.

Or do you mean something different by URI and URL than I do?  I
generally use the definitions found at
http://www.adp-gmbh.ch/web/uri_url_urn.html -- including:
>  URI = Uniform Resource Identifier
> There are two types of URIs: URLs and URNs
In other words, a URL /is/ a URI.

Section 1.3 of http://www.zvon.org/tmRFC/RFC2396/Output/ gives as
examples of URIs:
> http://www.math.uio.no/faq/compression-faq/part1.html
> mailto:[EMAIL PROTECTED]
(those are the two most applicable to SA)
> ftp://ftp.is.co.za/rfc/rfc1808.txt
etc.

ms> To prevent FP would be very difficult, I think to match the whole of the URL
ms> with uri rules is not such a good thing, if you wanted to match something in
ms> a URL it would be quite easy to do so in a body rule but to match just
ms> against URI isn't so easy.

Why?  As recommended, if you have an avoidable FP in an SA
distribution rule, post it to bugzilla, and we'll see if we can get
rid of the FP.  (Remember, however, that sometimes ham-hits on
low-scoring rules are intentional -- an FP is one that flags a
non-spam as a spam.)

If your ham hit is in a SARE rule rather than an SA rule (more likely,
IMO), then post the specifics either here or on the SARE forum, and
we'll see if it's worth avoiding.

Bob Menschel





Re: yet another uribl evasion example

2005-06-13 Thread Robert Menschel
Hello mouss,

Monday, June 13, 2005, 8:15:27 AM, you wrote:

m> I just got the spam below (headers removed except few).

m> would it be reasonable to add a rule to check for anomalies in URLs?
m> what's the best (TM) way?

1) As has been suggested, upgrade.

2) Grab the SARE header rules file, which has rules for various types
of header obfuscation.

Note that those with 3.0.4 and the new header file get some
double-hits. We'll be running a new overlap analysis soon to get rid
of the duplicates.

Bob Menschel





Re: Fw: SpamAssassin assistance

2005-06-13 Thread Sean Sowell
Jim Schueler wrote on Monday, June 13, 2005 1138


> I should have been more specific in my original request.  The stock rule to
> detect HELO forgery is exactly what I'm looking for.

Am new to SA so I don't know how these tests really work or why none were
displayed in your spample.  But here are the HELO forgery rules that may relate:

FAKE_HELO_MSN, MAIL_COM, EMAIL_COM, EUDORAMAIL, EXCITE, LYCOS, YAHOO_CA, and
MAIL_COM_DOM.

HELO_DYNAMIC_IPADDR, DHCP, HCC, ATTBI, ROGERS, ADELPHIA, DIALIN, HEXIP,
SPLIT_IP, YAHOOBB, OOL, IPADDR2, RR2, COMCAST, TELIA, VTR, CHELLO_NO, CHELLO_NL,
VELOX, NTL, and HOME_NL.

FORGED_RCVD_HELO

RCVD_HELO_IP_MISMATCH

RCVD_NUMERIC_HELO

RCVD_FAKE_HELO_DOTCOM

NO_RDNS_DOTCOM_HELO

These tests are described on the wiki at
http://spamassassin.apache.org/tests_3_0_x.html.  I cooked up an Excel
spreadsheet for easier sorting and organizing, and can send it to you off-list
if you want.

HTH,

Sean Sowell
www.twin-dad.com



Re: yet another uribl evasion example

2005-06-13 Thread mouss

Theo Van Dinter wrote:
> On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote:
> > however, it doesn't trigger surbl checks, since  the '&' is considered 
> > as the end of the url.
>
> What version are you running?  This was fixed in 3.0.4.


thanks for the reply. I am running 3.0.3. time to upgrade... (not in a 
hurry though, very few spams get through...)


now, I am still thinking about the forged helo part. Is this fixed? and 
if not, is there a way to "fix" it (without getting FPs)?


Re: DNS lookup fails

2005-06-13 Thread Kenneth Porter
--On Sunday, June 12, 2005 12:49 AM +0100 "Michele Neylon:: Blacknight" 
<[EMAIL PROTECTED]> wrote:



> Kenneth Porter wrote:
> > Why are you listing anything besides 127.0.0.1? That's only useful if
> > your local nameserver is down. In that case just make another
> > resolv.conf to install until you fix your nameserver.
>
> Em no. The only time 127.0.0.1 is the _only_ valid entry is if you are
> running DNS on the same machine


I think that was my point. If you're not running a local nameserver, you 
shouldn't have that entry. And if you are, you don't need the others. You 
wouldn't have both in to use the remote systems as a backup for the local 
server, because if the local server's unstable, it shouldn't be in there at 
all until you fix it.





Re: yet another uribl evasion example

2005-06-13 Thread Bill Landry
- Original Message - 
From: "Michele Neylon:: Blacknight" <[EMAIL PROTECTED]>

> Niek wrote:
> > Eer, no. You can keep 0.49. Only if you upgrade netdns to the b0rked 0.50,
> > you'll run into trouble. So either keep netdns @ 0.49 or upgrade to 0.51.
> > Upgrading is not needed for sa 3.0.4 afaik.
> >
> > Niek Baakman
> >
> 0.51 gives me the same problems :)

I just started following this thread, so I'm not quite sure what the issue is
with SA 3.0.4 and Net::DNS 0.51.  I have been running both these since
Saturday, and all appears to be working fine here.

Bill



Re: Fw: SpamAssassin assistance

2005-06-13 Thread Ed Kasky
You can see that 69.244.154.112 is listed in dnsbl.sorbs.net.  Not sure 
which MTA you are using but an rbl check might have found this and rejected 
it at the MTA.


I run rbl checks using sendmail 8.13.3 and reject nearly 50% of mail based 
on a combination of rbl checks and a fairly large access.db (Thank you Theo!)


Do you have an AV scanner running?  If not, it helps as well...

$ spam-stats
SpamAssassin Results for:
Mon Jun 13 13:42:55 PDT 2005
spam: 166 / clean: 440 / skipped: 0
total: 606
processed: 606
=
RBL rejects:
spamcop: 62
maps rbl+: 228
njabl.org: 13
spamhaus: 27
**Rejected due to pre-greeting traffic: 42
**Virus trapped: 15
Total rejected by access.db: 450

Ed Kasky
~
Randomly Generated Quote (322 of 477):
I'd enjoy the day more if it started later.


At 10:33 AM Monday, 6/13/2005, Jim Schueler wrote -=>

My users have been getting particularly insidious emails containing a
windows virus that purports to come from the system administrator.

One email header contains the following entry:

Received: from motorcityinteractive.com
(pcp09017048pcs.watrfd01.mi.comcast.net [69.244.154.112])
by mail.tqis.com (8.11.6/8.11.6) with ESMTP id j5AMQTR17538
for <[EMAIL PROTECTED]>; Fri, 10 Jun 2005 18:26:29 -0400

The host name in this line (motorcityinteractive) is obviously forged-  but
not detected by SpamAssassin.  Here is SpamAssassin's report on the email:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 NO_REAL_NAME           From: does not include a real name
 1.7 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE           BODY: HTML included in message
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [69.244.154.112 listed in dnsbl.sorbs.net]
 0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
 1.1 PRIORITY_NO_NAME       Message has priority, but no X-Mailer/User-Agent

I would expect this test would be part of the distributed SpamAssassin
configuration files.  Can anybody recommend an approach other than
reinventing the wheel?

 -Jim
--- End of Forwarded Message ---


--
Open WebMail Project (http://openwebmail.org)





RE: couple of issues

2005-06-13 Thread Kern, Tom
It got tagged using this test but others keep coming in.
is there anything else i can do to the spamcop_uri file to make it fire?
other people on this list are tagging the same spam that in my system is going 
thru

thanks


David B Funk wrote:
> On Thu, 9 Jun 2005, Kern, Tom wrote:
> 
>> Perhaps, I'm not sure.
>> Is there a way to tell?
>> Also, I have seen some go through that I know are in spamcop.
>> 
>> Do you know of a way to troubleshoot spamcop?
>> i plan on upgrading sa, but I can't just yet, so I'd like to figure
>> this out. 
>> 
>> Thanks for your help
> 
> Get a hotmail/yahoo/gmail free web-based mail account.
> Send mail to your regular address containing the SURBL testpoint URL.
> (IE "http://surbl-org-permanent-test-point. com" with out the space )
> This -should- be tagged, regardless.
> 
> If it isn't start SA in debug mode (with the '-D') option and
> retest, then look at the debug logs to see what did or did not
> fire. Compare that with a spamassassin -D run to see what's
> different.
> 
> Note, you do not want to leave spamd running with the '-D'
> option unless you have a very low volume mail server or -lots-
> of free disk space. ;)
> 
> See the SURBL FAQ for more info: http://www.surbl.org/faq.html



Re: yet another uribl evasion example

2005-06-13 Thread Michele Neylon:: Blacknight
Niek wrote:
> Eer, no. You can keep 0.49. Only if you upgrade netdns to the b0rked 0.50,
> you'll run into trouble. So either keep netdns @ 0.49 or upgrade to 0.51.
> Upgrading is not needed for sa 3.0.4 afaik.
> 
> Niek Baakman
> 
0.51 gives me the same problems :)



Re: yet another uribl evasion example

2005-06-13 Thread Theo Van Dinter
On Mon, Jun 13, 2005 at 09:42:35PM +0200, wolfgang wrote:
> - 3.0.4 appears to bring new challenges (Net::DNS version and such)

3.0.4 should be a drop-in replacement for earlier versions.  People seem
to be having issues if they also upgrade Net::DNS, but there's no
requirement to do so.

3.0.4 fixes many bugs, some pretty important, so it's highly recommended to
update.

-- 
Randomly Generated Tagline:
I'm practicing assertiveness.  Do you think that's okay?




Re: Boost up Spamassassin option

2005-06-13 Thread Stefan Ewert
> On another paw, more memory is generally a good way to speed up the
> spamassassin operation. A good DNS setup is also required so that you
> do not get delays in DNS lookups. Do not select DNS tests for sites
> that no longer exist. That is a major slow down.
>
sorry, i can't follow you, where can i read something about this topic?

> Now, when you complain about speeds how about some numbers. What is
> the processor speed, what is the amount of memory, what other things
> run on the computer, how long is "spamassassin --lint" taking, how
> long is a typical message processing take, and so forth. Give us
> something to work with. THen we can tell you what is wrong. Of
> particular interest are non-stock things you are doing. Did you add
> additional DNS tests, for example?
>
first of all i'm not complaining, this is a misunderstanding. i just want to 
help a little in the development of SA. i'm new in this list, so  never heard 
about this idea before ;)
here are the facts: amd3000+, 512 MB, desktop pc, lint  takes 5 secs, i'd guess 
a typical message takes about 25 secs.
i'm using the standard configuration file, so from my side i didn't add any 
other tests like dns. there's no nameserver running on my pc.

just thought, it would be very simple to stop testing at the right moment, but 
it seems like i know too few about this filtering process.

-- 
MUM, CAN I GO OUT AND CODE TONIGHT?


Re: yet another uribl evasion example

2005-06-13 Thread Niek

On 6/13/2005 9:42 PM +0200, wolfgang wrote:

> - 3.0.4 appears to bring new challenges (Net::DNS version and such)


Eer, no. You can keep 0.49. Only if you upgrade netdns to the b0rked 0.50,
you'll run into trouble. So either keep netdns @ 0.49 or upgrade to 0.51.
Upgrading is not needed for sa 3.0.4 afaik.

Niek Baakman




Re: yet another uribl evasion example

2005-06-13 Thread wolfgang
In an older episode (Monday 13 June 2005 21:20), Raymond Dijkxhoorn wrote:

> Any reason not wanting to upgrade to 3.0.4 ?

yes.
- our spamchecker machines' distributor is slow with upgrades while i can 
patch existing 3.0.2 code on them.

- 3.0.4 appears to bring new challenges (Net::DNS version and such)






Re: yet another uribl evasion example

2005-06-13 Thread Raymond Dijkxhoorn

Hi!


> > On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote:
> > > however, it doesn't trigger surbl checks, since  the '&' is considered
> > > as the end of the url.
> >
> > What version are you running?  This was fixed in 3.0.4.
>
> can the fix be applied to 3.0.3?


Any reason not wanting to upgrade to 3.0.4 ?

Bye,
Raymond.


Re: yet another uribl evasion example

2005-06-13 Thread wolfgang
In an older episode (Monday 13 June 2005 18:10), Theo Van Dinter wrote:
> On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote:
> > however, it doesn't trigger surbl checks, since  the '&' is considered 
> > as the end of the url.
> 
> What version are you running?  This was fixed in 3.0.4.

can the fix be applied to 3.0.3?

cheers,

wolfgang



Re: Fw: SpamAssassin assistance

2005-06-13 Thread Jim Schueler
I should have been more specific in my original request.  The stock rule to 
detect HELO forgery is exactly what I'm looking for.

 -Jim


On Mon, 13 Jun 2005 13:53:40 -0400, Steven Dickenson wrote
> Jim Schueler wrote:
> > My users have been getting particularly insidious emails containing a  
> > windows virus that purports to come from the system administrator.
> 
> [snip]
> 
> > I would expect this test would be part of the distributed SpamAssassin  
> > configuration files.  Can anybody recommend an approach other than   
> > reinventing the wheel?
> 
> I'm fairly certain SA has some stock rules that deal with HELO 
> forgery, but since I'm not totally familiar with them, I'll let 
> others speak to that.
> 
> What I can suggest is that you put an AV scanner in your mail path.  
> I'm partial to calling ClamAV from Exim, where I can do SMTP-time 
> rejects of viruses.  Depending on your MTA, you may also be able to 
> do some of these HELO checks during the SMTP session.
> 
> FWIW, I've seen many legitimate sites present incorrect or even 
> invalid HELO data.  Particularly Windows sites behind NAT boxes, or 
> small sites using low-cost broadband where setting up rDNS is impossible.
> 
> - S


--
Open WebMail Project (http://openwebmail.org)



Re: Rmail. How to filter spamassassin tags.

2005-06-13 Thread Don Saklad
Thank you Evan! Thank you Justin!

...If you would, please let me know of any Rmail groups.


RE: Advice for a weekend spam assassin?

2005-06-13 Thread Ugo Bellavance
Stuart Johnston  wrote:
> James Bucanek wrote:
>> 
>> When I installed SA, I also installed Pyzor (there was some
>> reason I couldn't get Razor or DCC to compile, but I can't
>> remember what that is now).
>> 
>> I was all set to configure it, when I just became totally
>> confused.  The only documentation I could find was the man
>> pages, in that typically dense Unix man page style:
>> "server= sets the server"  Of course, this doesn't
>> tell you what a "server" is, does, or what address you should
>> put there.  I certainly wasn't going to just start putting in
>> random addresses, possibly screwing up the entire Pyzor
>> network, when I had no idea what I was doing.
>> 
>> Do you have a link to step-by-step instructions that
>> explains how to set up Pyzor?  Maybe I'll make Pyzor my project for
>> next weekend. 
> 
> I've found this page pretty helpful:
> 
> http://wiki.apache.org/spamassassin/SingleUserUnixInstall

SA usually detects pyzor's presence automatically once it is installed.
No config required.

Do a --lint test and look for pyzor entries.


Re: Fw: SpamAssassin assistance

2005-06-13 Thread Steven Dickenson

Jim Schueler wrote:
> My users have been getting particularly insidious emails containing a  
> windows virus that purports to come from the system administrator. 

[snip]

> I would expect this test would be part of the distributed SpamAssassin  
> configuration files.  Can anybody recommend an approach other than   
> reinventing the wheel? 

I'm fairly certain SA has some stock rules that deal with HELO forgery, 
but since I'm not totally familiar with them, I'll let others speak to that.


What I can suggest is that you put an AV scanner in your mail path.  I'm 
partial to calling ClamAV from Exim, where I can do SMTP-time rejects of 
viruses.  Depending on your MTA, you may also be able to do some of 
these HELO checks during the SMTP session.


FWIW, I've seen many legitimate sites present incorrect or even invalid 
HELO data.  Particularly Windows sites behind NAT boxes, or small sites 
using low-cost broadband where setting up rDNS is impossible.


- S


Re: Advice for a weekend spam assassin?

2005-06-13 Thread Stuart Johnston

James Bucanek wrote:
> When I installed SA, I also installed Pyzor (there was some reason I couldn't 
> get Razor or DCC to compile, but I can't remember what that is now).
>
> I was all set to configure it, when I just became totally confused.  The only
> documentation I could find was the man pages, in that typically dense Unix man
> page style: "server= sets the server"  Of course, this doesn't tell you what a
> "server" is, does, or what address you should put there.  I certainly wasn't
> going to just start putting in random addresses, possibly screwing up the
> entire Pyzor network, when I had no idea what I was doing.
>
> Do you have a link to step-by-step instructions that explains how to set up 
> Pyzor?  Maybe I'll make Pyzor my project for next weekend.


I've found this page pretty helpful:

http://wiki.apache.org/spamassassin/SingleUserUnixInstall


Re: Rmail. How to filter spamassassin tags.

2005-06-13 Thread Justin Mason


fwiw, this kind of question, usually regarding SpamAssassin headers, comes
up all the time on MH-specific groups I'm on -- so it certainly would not
be OT for an rmail group I think.

(I'm an MH person, not an rmail user, so can't help you.)

--j.

Evan Platt writes:
> At 02:49 AM 6/13/2005, you wrote:
> >Where would there be basic instructive details for users with
> >rather spotty levels of expertise, little expertise, no expertise
> >about how to compose, setup dotfiles for filtering Rmail
> >spamassassin tags?
> 
> Probably in a rmail group? It wouldn't need to be spamassassin 
> specific, would it? Just a manual of how to setup a filter based on a header? 



Re: Fw: SpamAssassin assistance

2005-06-13 Thread Matt Kettler
Jim Schueler wrote:
> My users have been getting particularly insidious emails containing a  
> windows virus that purports to come from the system administrator. 
>  
> One email header contains the following entry: 
>  

> I would expect this test would be part of the distributed SpamAssassin  
> configuration files.  Can anybody recommend an approach other than   
> reinventing the wheel? 

In general, your expectations are beyond what SpamAssassin is designed to do.

SA is NOT intended to be a virus scanner, it's only intended to detect spam.

Install a virus scanner, such as clamav, and run your mail through it at the MTA
level. Virus scanners can update signatures much more frequently than SA can.


That said, the forgery CAN be detected by SpamAssassin, but only if you publish
SPF records for your domain. Right now, motorcityinteractive.com lacks any SPF
records, so SPF assumes that all hosts in the world are valid sources of mail
claiming to be from motorcityinteractive.com.

SPF is pretty easy, it's just a TXT record you publish in DNS.

http://spf.pobox.com/







RE: Spamassassin 3.0.4 Reporter.pm error

2005-06-13 Thread Aaron Grewell
> Quoting wolfgang <[EMAIL PROTECTED]>:
> 
> > Apparently, downgrading Net::DNS to 0.49 seems to fix this problem. 
> > Can anyone else comment on this?
> 
> Doing just that worked for me here.
> 

I had to do the same.  0.5x didn't work at all. I didn't see anything about
it in the Net-DNS Bug List, but then I'm not sure exactly what the problem
is so I may just be missing it.  Has anybody tried the SVN to see if it's
been fixed?  If not, we should probably get a handle on what exactly is
broken and see if we can't get somebody to fix it.  CPAN has spoiled me, I
hate back-revving from source. :)

-Aaron


Re: Rmail. How to filter spamassassin tags.

2005-06-13 Thread Evan Platt

At 02:49 AM 6/13/2005, you wrote:

> Where would there be basic instructive details for users with
> rather spotty levels of expertise, little expertise, no expertise
> about how to compose, setup dotfiles for filtering Rmail
> spamassassin tags?



Probably in a rmail group? It wouldn't need to be spamassassin 
specific, would it? Just a manual of how to setup a filter based on a header? 



Fw: SpamAssassin assistance

2005-06-13 Thread Jim Schueler
My users have been getting particularly insidious emails containing a  
windows virus that purports to come from the system administrator. 
 
One email header contains the following entry: 
 
Received: from motorcityinteractive.com  
(pcp09017048pcs.watrfd01.mi.comcast.net [69.244.154.112])  
by mail.tqis.com (8.11.6/8.11.6) with ESMTP id j5AMQTR17538  
for <[EMAIL PROTECTED]>; Fri, 10 Jun 2005 18:26:29 -0400 
 
The host name in this line (motorcityinteractive) is obviously forged-  but  
not detected by SpamAssassin.  Here is SpamAssassin's report on the email: 
 
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 NO_REAL_NAME           From: does not include a real name
 1.7 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 0.2 HTML_20_30             BODY: Message is 20% to 30% HTML
 0.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE           BODY: HTML included in message
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [69.244.154.112 listed in dnsbl.sorbs.net]
 0.0 MISSING_MIMEOLE        Message has X-MSMail-Priority, but no X-MimeOLE
 1.1 PRIORITY_NO_NAME       Message has priority, but no X-Mailer/User-Agent
 
I would expect this test would be part of the distributed SpamAssassin  
configuration files.  Can anybody recommend an approach other than   
reinventing the wheel? 
 
 -Jim 
--- End of Forwarded Message --- 
 
 
-- 
Open WebMail Project (http://openwebmail.org) 
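
Added example (not from any poster and not SpamAssassin's own rule code): a small parser for the two Received styles quoted in this thread, the sendmail line above and the qmail-style `(HELO ...)` line from the "uribl evasion" message, that reports when the claimed HELO name and the reverse-DNS name disagree. The function names and the last-two-labels domain comparison are assumptions of this sketch; the third header is constructed.

```python
import re

# sendmail style:  from <helo> (<rdns> [<ip>])   or   from <helo> ([<ip>])
SENDMAIL = re.compile(
    r'\bfrom\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)')
# qmail style:     from <rdns|unknown> (HELO <helo>) (<ip>)
QMAIL = re.compile(
    r'\bfrom\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>\S+)\)\s+\((?P<ip>[0-9.]+)\)')


def base_domain(name):
    """Last two labels of a host name (simplification: ignores two-level TLDs)."""
    return '.'.join(name.lower().rstrip('.').split('.')[-2:])


def parse_received(raw):
    """Return {'helo', 'rdns', 'ip'} for one Received header, or None."""
    line = re.sub(r'\s+', ' ', raw)          # unfold continuation lines
    for pattern in (QMAIL, SENDMAIL):
        m = pattern.search(line)
        if m:
            hop = m.groupdict()
            if hop['rdns'] in (None, 'unknown'):
                hop['rdns'] = None           # MTA found no PTR record
            return hop
    return None


def helo_findings(raw):
    """List anomalies in the HELO claim. These are scoring hints only:
    as noted in the thread, legitimate sites also send bad HELO data."""
    hop = parse_received(raw)
    if hop is None:
        return ['unparsed']
    findings = []
    ip_literal = re.fullmatch(r'\[?[0-9.]+\]?', hop['helo']) is not None
    if ip_literal:
        findings.append('helo_is_ip_literal')
    if hop['rdns'] is None:
        findings.append('no_rdns')
    elif not ip_literal and base_domain(hop['helo']) != base_domain(hop['rdns']):
        findings.append('helo_rdns_domain_mismatch')
    return findings


# Header quoted in the message above (recipient line omitted).
SENDMAIL_HEADER = (
    "Received: from motorcityinteractive.com\n"
    " (pcp09017048pcs.watrfd01.mi.comcast.net [69.244.154.112])\n"
    " by mail.tqis.com (8.11.6/8.11.6) with ESMTP id j5AMQTR17538")
# Header quoted in the "yet another uribl evasion example" message.
QMAIL_HEADER = "Received: from unknown (HELO mx.adelphia.net) (221.3.157.245)"
# Constructed header where HELO and rDNS agree.
CLEAN_HEADER = ("Received: from mail.example.org (mail.example.org [192.0.2.25])"
                " by mx.example.net with ESMTP")

if __name__ == '__main__':
    for header in (SENDMAIL_HEADER, QMAIL_HEADER, CLEAN_HEADER):
        print(parse_received(header), helo_findings(header))
```

Confirming that a HELO name such as mx.adelphia.net does not belong to the connecting address needs a forward DNS lookup, which this offline sketch does not perform.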
 


Re: SpamAssassin milter and logs

2005-06-13 Thread Matt Kettler
Tim Boyer wrote:

> Matt -
> 
> I'll take your word for it, but... why?  All MIMEDefang is doing is calling
> SpamAssassin, right?  Once control is passed to SpamAssassin, shouldn't it
> be doing the logging?

At the level SA is being called by MIMEDefang, SA is not a program, it is just a
library.

It's generally considered VERY bad form for libraries to reconfigure logging on
their own. That's a feature the calling program should have complete control 
over.

Since SA is being called as a part of MIMEDefang's process space, it's subject
to how MD wants to run logging.

I'd also venture to guess that  mimedefang is a "well behaved" unix process and
doesn't do logging directly to files itself either. It's probably dumping the
events to syslog and it's up to your syslogd to write the events to files.
That's the "*nix-correct" way for daemons to log, as it allows centralized
management of logging instead of having to configure each program separately.

You should be able to configure what facility mimedefang uses for logging, and
it's probably defaulting to "mail". You should be able to switch it to something
like 'local5' and have your syslogd write local5.* to /var/log/mimedefang or
whatever you want.

warning minor rant follows:

Spamd supports bypassing syslog and logging directly to files, but IMHO, that's
mostly a hack for people who don't know how to administer their syslog daemon.
(eventually you WILL have to learn how since so many programs use this,
including your kernel. syslog is really flexible and convenient. Once you know
it, you can manipulate most of the logs on your system with it.)

The only  real benefit of supporting direct writes in a daemon is to allow it to
run in an environment without syslog support, such as a heavily locked-down
chroot jail which has no allowance for sockets and pipes controlled by processes
outside the chroot.






Re: Can't write into world-writable directories?

2005-06-13 Thread Steven Dickenson

Peter Guhl wrote:
> Sendmail, Spamass-Milter.
>
> After installing spamass-milter it is set to run as root but it has a
> security fallback; it doesn't use root all the time. Maybe that's
> causing this behaviour that it writes into /root/.spamassassin but using
> the user "spamd".

Likely so.  I would set the bayes path explicitly in local.cf 
(bayes_path option) to a certain location, and ensure that this 
"fallback" account that Spamass-Milter is using has write privileges 
there.  I'm not familiar with Sendmail or its milters, so this is all I 
can offer.


- S


RE: Uri rules

2005-06-13 Thread Bret Miller
> Has the behaviour of the uri rule been changed at some point
> to match the
> whole of the URL? I have just noticed I am getting some FP
> when one of my
> uri rules matches against the URL rather than URI.
> To prevent FP would be very difficult, I think to match the
> whole of the URL
> with uri rules is not such a good thing, if you wanted to
> match something in
> a URL it would be quite easy to do so in a body rule but to match just
> against URI isn't so easy.

This would probably be best handled by filing a bug report at
http://bugzilla.spamassassin.org/. You should be specific about your
rule and what was hit that shouldn't be, probably attaching a sample of
the message if possible.

Bret





Per-domain Spam Statistics

2005-06-13 Thread Matthew Yette


I run a qmail-scanner server (1.24) with SA 2.64 and clamav. Redhat 7.3.
Was wondering if there are any scripts that can easily (or not so)
integrate into my current setup that will parse the qmail logs and give
me spam filtering stats per each domain we filter for.

--
Matthew Yette
Senior Engineer - NOC/Operations
MA Polce Consulting, Inc.
[EMAIL PROTECTED]
315-838-1644 (w)
315-356-0597 (f)
AIM/Yahoo: MAPolceNOC
MSN: [EMAIL PROTECTED]


Re: OT : How to 'nomail' this list

2005-06-13 Thread Bob McClure Jr
On Mon, Jun 13, 2005 at 10:06:22AM -0400, Theo Van Dinter wrote:
> On Mon, Jun 13, 2005 at 08:56:04AM -0400, Ugo Bellavance wrote:
> > I want to interact with this list via nntp (gmane), but since this list
> > is member-only, I must subscribe to post.  I didn't find the way to set
> > the option not to receive messages from the list.
> 
> I don't believe this is possible via ezmlm.  Either you're subscribed (and
> receive mails) or you're not.

Check with your list owner, but I believe you can send an empty email
to -allow-subscribe@.  I own an ezmlm list and I
use that to allow a subscriber to post from an alternate address but
not have list traffic sent there, since they already get it at their
primary address.

> -- 
> Randomly Generated Tagline:
> Well, you know boys, a nuclear reactor is a lot like a woman.  You just
>  have to read the manual and press the right button.
>  
>   -- Homer Simpson
>  Homer Defined

Homer didn't happen to mention where he found the manual (for women)
did he?

Cheers,
-- 
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED]  http://www.bobcatos.com
God is more interested in our availability than our ability.


Re: Boost up Spamassassin option

2005-06-13 Thread jdow
Some scores have negative values. Some of the negative values are
big enough to make 30 into a negative score.

This is a discussion that comes up quite often. And it's been decided
every time that no change should be made.

On another paw, more memory is generally a good way to speed up the
spamassassin operation. A good DNS setup is also required so that you
do not get delays in DNS lookups. Do not select DNS tests for sites
that no longer exist. That is a major slow down.

Now, when you complain about speeds how about some numbers. What is
the processor speed, what is the amount of memory, what other things
run on the computer, how long is "spamassassin --lint" taking, how
long is a typical message processing take, and so forth. Give us
something to work with. THen we can tell you what is wrong. Of
particular interest are non-stock things you are doing. Did you add
additional DNS tests, for example?

{^_^}
- Original Message - 
From: "Stefan Ewert" <[EMAIL PROTECTED]>
To: 
Sent: 2005 June, 13, Monday 08:06
Subject: Boost up Spamassassin option


Hi,

does anyone know about an option which speeds up spamassassin extremely:

order the tests: fastest first, getting slower , slowest is the last test in
the list (dns perhaps, razor, pyzor, dcc).

and now: stop testing the mail, as soon as spamscore is greater than needed
to
be marked as a spam mail.
i don't want to know if this mail has got 30 points, i'm just interested in a
decision between spam and not spam.

regards s.
-- 
"UNIX is user-friendly - it is just a bit picky..." (Walter
Misar)




Re: OT : How to 'nomail' this list

2005-06-13 Thread Alex Pleiner
* Ugo Bellavance <[EMAIL PROTECTED]> [2005-06-13 14:57]:
> Hi,

>   I want to interact with this list via nntp (gmane), but since this list
> is member-only, I must subscribe to post.  I didn't find the way to set
> the option not to receive messages from the list.

> A hint?

Ugo,

if they use ezmlm-idx instead of plain ezmlm, then you can subscribe to 
a post-only account.

[EMAIL PROTECTED]

http://www.ezmlm.org/ezman/ezman1.html#allow

Alex

-- 
Alex Pleiner                            zeitform Internet Dienste
mailto:[EMAIL PROTECTED]  Fraunhoferstraße 5
PGP S/MIME: http://key.zeitform.de/ap   64283 Darmstadt, Germany
Tel./Fax: +49 (0) 6151 155-635 / -634   http://www.zeitform.de
Jabber: [EMAIL PROTECTED]


Re: yet another uribl evasion example

2005-06-13 Thread Theo Van Dinter
On Mon, Jun 13, 2005 at 05:15:27PM +0200, mouss wrote:
> however, it doesn't trigger surbl checks, since  the '&' is considered 
> as the end of the url.

What version are you running?  This was fixed in 3.0.4.

-- 
Randomly Generated Tagline:
Farfignewton.. the cookie of the stars..




yet another uribl evasion example

2005-06-13 Thread mouss

I just got the spam below (headers removed except few).

this hasn't been caught at reception time. It now triggers 
RCVD_IN_BL_SPAMCOP_NET.


however, it doesn't trigger surbl checks, since  the '&' is considered 
as the end of the url.

debug: URIDNSBL: domains to query: ins.com nusv.com
and I was surprised that the following works:
# host "nusv.com&wnrsyaidip4elp2wjw0z1li.henogenyhb.com"
nusv.com&wnrsyaidip4elp2wjw0z1li.henogenyhb-MUNGED.com has address 
221.11.133.42


would it be reasonable to add a rule to check for anomalies in URLs? 
what's the best (TM) way?


another note is that the host (221.3.157.245) issues a helo of 
mx.adelphia.net, but 221.3.157.245 is in China while mx.adelphia.net is 
in US. shouldn't this trigger a forged helo? one can also see that the 
from addr is in .il (let's ignore the msg id). that makes 3 distant 
parts of the world:)




--- spam follows -
...
Received: from unknown (HELO mx.adelphia.net) (221.3.157.245)
...
message-id: <[EMAIL PROTECTED]>
From: "Keeley Tate" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: It isn't too good to be true. angelfish


When it comes to applications like MS Office, or Windows etc. they ask a 
pretty penny. We figured,
scrap the manual, scrap the box, you really only need the CD so thats 
what we did.


You can have the CD's sent to you, or download instead, your choice.


For downloading - Browse up 
http://nusv.com&wnrsyaidip4elp2wjw0z1li.henogenyhb-MUNGED.com/
For shipped CD's - Browse up 
http://ins.com&dwpw3ibhdwafswlbxe.henogenyhb-MUNGED.com/



You'll be shocked at our pricing.
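
The parsing difference described in the post above, as an added example that is not part of the original message or of SpamAssassin's code: an extractor that stops at '&' looks up the decoy domain, while the authority component a resolver actually receives ends in a different domain. The function names are hypothetical, and the "last two labels" domain rule is a simplifying assumption (no public-suffix list).

```python
import re
from urllib.parse import urlsplit

# The two URLs are copied from the spam quoted in the post (already munged
# there); the third is a constructed benign control.
SAMPLE_URLS = [
    "http://nusv.com&wnrsyaidip4elp2wjw0z1li.henogenyhb-MUNGED.com/",
    "http://ins.com&dwpw3ibhdwafswlbxe.henogenyhb-MUNGED.com/",
    "http://www.example.com/page?a=1&b=2",
]

# Letters, digits, hyphen and the label separator: the only characters a
# normal DNS hostname contains.
LDH = re.compile(r"[a-z0-9.-]")


def truncated_host(url):
    """Host as seen by an extractor that treats '&' as the end of the URL."""
    m = re.match(r"[a-z][a-z0-9+.-]*://([^/?#&]*)", url, re.I)
    return m.group(1).lower() if m else ""


def authority_host(url):
    """Host per RFC 3986: the authority runs up to the first '/', '?' or '#'."""
    return (urlsplit(url).hostname or "").rstrip(".")


def query_domain(host):
    """Simplified registrable domain: the last two labels (assumption)."""
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def host_anomalies(host):
    """Characters in the host that cannot appear in a normal hostname."""
    return sorted({c for c in host if not LDH.fullmatch(c)})


def analyse(url):
    """Compare the domain a truncating extractor queries with the real one."""
    host = authority_host(url)
    queried = query_domain(truncated_host(url))
    actual = query_domain(host)
    return {
        "queried": queried,
        "actual": actual,
        "anomalies": host_anomalies(host),
        "evades_lookup": queried != actual,
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, analyse(u))
```

A rule for "anomalies in URLs", as asked in the post, could key on a non-empty `anomalies` list; the mismatch flag shows why the blocklist lookup missed.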



Re: Boost up Spamassassin option

2005-06-13 Thread Theo Van Dinter
On Mon, Jun 13, 2005 at 05:06:45PM +0200, Stefan Ewert wrote:
> does anyone know about an option which speeds up spamassassin extremely:

Used to exist in 2.4, didn't work and caused a bigger performance drag
than it provided anyway, so we took it out.  There's talk about a new
way to add it back in so it doesn't suck, but no actual code has been
written yet.  Maybe 3.2.

BTW: it's called "short-circuit", for future reference. :)

-- 
Randomly Generated Tagline:
Do the voices in my head bother you?




Re: OT : How to 'nomail' this list

2005-06-13 Thread Chris Thielen

Theo Van Dinter wrote:
> On Mon, Jun 13, 2005 at 08:56:04AM -0400, Ugo Bellavance wrote:
>> I want to interact with this list via nntp (gmane), but since this list
>> is member-only, I must subscribe to post.  I didn't find the way to set
>> the option not to receive messages from the list.
>
> I don't believe this is possible via ezmlm.  Either you're subscribed (and
> receive mails) or you're not.

There should, however, be a digest mode available.  That would reduce 
the frequency of emails to once per day (you could then add a MUA rule 
to delete the email automatically).




Boost up Spamassassin option

2005-06-13 Thread Stefan Ewert
Hi,

does anyone know about an option which speeds up spamassassin extremely:

order the tests: fastest first, getting slower, slowest is the last test in 
the list (dns perhaps, razor, pyzor, dcc).

and now: stop testing the mail, as soon as spamscore is greater than needed to 
be marked as a spam mail.
i don't want to know if this mail has got 30 points, I'm just interested in a 
decision between spam and not spam.

regards s.
-- 
"UNIX ist benutzerfreundlich - es ist nur etwas wählerisch..." (Walter Misar)


Re: Antwort: What means "sysread(9) not ready"?

2005-06-13 Thread Gene Heskett
On Monday 13 June 2005 05:39, Nico Prenzel wrote:
> of course I mean
> sysread(8) a
> typo :-)

Please do not post in html only format.  There are those of us who do 
not enable the display of html for reasons of security, particularly 
on *this* list.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.


Re: OT : How to 'nomail' this list

2005-06-13 Thread Theo Van Dinter
On Mon, Jun 13, 2005 at 08:56:04AM -0400, Ugo Bellavance wrote:
>   I want to interact with this list via nntp (gmane), but since this list
> is member-only, I must subscribe to post.  I didn't find the way to set
> the option not to receive messages from the list.

I don't believe this is possible via ezmlm.  Either you're subscribed (and
receive mails) or you're not.

-- 
Randomly Generated Tagline:
Well, you know boys, a nuclear reactor is a lot like a woman.  You just
 have to read the manual and press the right button.
 
-- Homer Simpson
   Homer Defined




OT : How to 'nomail' this list

2005-06-13 Thread Ugo Bellavance
Hi,

I want to interact with this list via nntp (gmane), but since this list
is member-only, I must subscribe to post.  I didn't find the way to set
the option not to receive messages from the list.

A hint?

Thanks,

Ugo



Re: Can't write into world-writable directories?

2005-06-13 Thread Peter Guhl
On Thu, 2005-06-09 at 11:05 -0400, Steven Dickenson wrote:
> Peter Guhl wrote:
> > Well, still... somehow I don't get why the software is running as spamd
> > and tries to write into /root. I wouldn't say anything if the software
> > involved wasn't designed to cooperate (spamd, spamass-milter). But -
> > well, it works now.
> 
> Whatever is calling spamc (or interfacing with spamd) is setting the 
> username to root.  This is generally a bad thing, IMHO.

Well, you are right. But that's something I can handle if I want - just
didn't have the time yet.

> What MTA are you running?  How are you calling spamassassin?

Sendmail, Spamass-Milter.

After installing spamass-milter it is set to run as root but it has a
security fallback; it doesn't use root all the time. Maybe that's
causing this behaviour that it writes into /root/.spamassassin but using
the user "spamd".

Regards
   Peter

-- 
Peter Guhl <[EMAIL PROTECTED]>
NetzWerkCenter GmbH



Re: SA/RDJ/Bogus Virus Warnings Problem

2005-06-13 Thread Dimitri Yioulos
On Monday June 13 2005 7:46 am, Dimitri Yioulos wrote:
> On Sunday June 12 2005 7:07 pm, Chris Thielen wrote:
> > Hi Tim, Dimitri,
> >
> > Sorry to resurrect such an old thread!  I'm a bit concerned with the 500
> > error code being downloaded into the SA_DIR.
> >
> > Tim Jackson wrote:
> > >>Lint output: config: SpamAssassin failed to parse line, skipping:
> > >> config: SpamAssassin failed to parse line, skipping: 
> > >>config: SpamAssassin failed to parse line, skipping: Error 500
> > >>Internal Server Error [timj.co.uk]
> > >>...
> > >
> > >This bothers me a lot (and it looks like a generalised problem) and I am
> > >cc'ing Chris the RDJ maintainer. Chris, how is it that a download which
> > >has had a 500 error is managing to get saved to disk as a ruleset which
> > >SA then tries to use? Surely any 5xx error should mean that the
> > >downloaded page is discarded? Or did I screw something up? (a page with
> > >the title of "Error 500" certainly *should* have been sent with a HTTP
> > >500 code)
> >
> > RDJ does include code for both curl and wget to only copy rulesets that
> > have been "downloaded". The test for downloaded is if the server
> > returned a 200 code or not.  Error messages are sent back to the
> > administrator if the codes are 4xx or 5xx.
> >
> > Dimitri or any other RDJ users, have you continued to see this behavior
> > with a relatively recent version of RDJ?
> >
> >
> > Chris Thielen
>
> Chris,
>
> I haven't had RDJ pull down Bogus Virus Warnings for a while now, since I
> was unable to correct the 500 error code problem, and it would cause SA to
> roll back all of the updating that had just been done.  Now, I run wget to
> download Bogus.  I should probably script that, but it sure would be nice
> if RDJ could handle the chore, since that's what it's for.  I'm casting no
> aspersions upon anyone for the problem, but if you're experiencing it, then
> either we both have a misconfiguration, or there is an issue somewhere.
>
> Sorry I can't help with it.
>
> Dimitri

Ooops.  Sorry for contiguous posts.  I just read Tim's reply (thanks, Tim).  
I'll try again to have RDJ pull down Bogus now.  Am hopeful.

Dimitri


Re: SA/RDJ/Bogus Virus Warnings Problem

2005-06-13 Thread Dimitri Yioulos
On Sunday June 12 2005 7:07 pm, Chris Thielen wrote:
> Hi Tim, Dimitri,
>
> Sorry to resurrect such an old thread!  I'm a bit concerned with the 500
> error code being downloaded into the SA_DIR.
>
> Tim Jackson wrote:
> >>Lint output: config: SpamAssassin failed to parse line, skipping:
> >> config: SpamAssassin failed to parse line, skipping: 
> >>config: SpamAssassin failed to parse line, skipping: Error 500
> >>Internal Server Error [timj.co.uk]
> >>...
> >
> >This bothers me a lot (and it looks like a generalised problem) and I am
> >cc'ing Chris the RDJ maintainer. Chris, how is it that a download which
> >has had a 500 error is managing to get saved to disk as a ruleset which
> >SA then tries to use? Surely any 5xx error should mean that the
> >downloaded page is discarded? Or did I screw something up? (a page with
> >the title of "Error 500" certainly *should* have been sent with a HTTP
> >500 code)
>
> RDJ does include code for both curl and wget to only copy rulesets that
> have been "downloaded". The test for downloaded is if the server
> returned a 200 code or not.  Error messages are sent back to the
> administrator if the codes are 4xx or 5xx.
>
> Dimitri or any other RDJ users, have you continued to see this behavior
> with a relatively recent version of RDJ?
>
>
> Chris Thielen

Chris,

I haven't had RDJ pull down Bogus Virus Warnings for a while now, since I was 
unable to correct the 500 error code problem, and it would cause SA to roll 
back all of the updating that had just been done.  Now, I run wget to 
download Bogus.  I should probably script that, but it sure would be nice if 
RDJ could handle the chore, since that's what it's for.  I'm casting no 
aspersions upon anyone for the problem, but if you're experiencing it, then 
either we both have a misconfiguration, or there is an issue somewhere.

Sorry I can't help with it.

Dimitri


Re: Sa stats using rrdtool?

2005-06-13 Thread MIKE YRABEDRA


Ronan,

Do you have a sample of what they look like, the graphs?



on 6/13/05 8:01 AM, Ronan McGlue at [EMAIL PROTECTED] wrote:

> MIKE YRABEDRA wrote:
>> on 6/13/05 6:07 AM, Bart Verwilst at [EMAIL PROTECTED] wrote:
>> 
>> 
>>> Hi
>>> 
>>> Try MailGraph :) That's what I'm using for my servers..
>>> Google for mailgraph, first hit :)
>>> 
>>> See ya
>> 
>> 
>> 
>> Looks good, but I think I passed it over because I am not using postfix. I
>> am using Communigate Pro.
>> 
>> However, my spamd writes to its own log so maybe it will still work.
>> 
>> Only one way to find out ;-)
> 
> you could also try gnu plot... i was also looking for a 'drop in'
> graphing program and found GNUplot was exactly what i wanted...
> 
> i use sa-stats.pl to read the log file then simply grep on the day >
> pipe to a file and plot on the basis of that. v simple, clean and pretty :)
> ill show u the script if u want.. its only 10 or so lines long :)
> easy
> 
> Ronan
>> 
>> 
>> 
>>> -Original Message-
>>> From: MIKE YRABEDRA [mailto:[EMAIL PROTECTED]
>>> Sent: Monday, June 13, 2005 12:04 PM
>>> To: users@spamassassin.apache.org
>>> Subject: Sa stats using rrdtool?
>>> 
>>> 
>>> Hello,
>>> 
>>> I have googled far and wide and can not find an answer.
>>> 
>>> Does anyone know of a solution that will process a spamd log and then
>>> output
>>> the stats using rrdtool?
>>> 
>>> There are tons of things using mrtg, but even by the developer's opinion,
>>> mrtg is dead, rrd will take its place.
>>> 
>>> 
>>> 
>> 
>> 
>> 
>> 
> 


++
Mike Yrabedra (President) :-)>
323 Inc. 
Our Sites:
MacDock.com
MacAgent.com

++
W: http://www.323inc.com/
P: 770.382.1195
F: 734.448.5164
E: [EMAIL PROTECTED]
I: ichatmacdock
++
"Whatever you do, work at it with all your heart,
as working for the Lord, not for men."
~Colossians 3:23 <{{{><
++
Scanned by the MPP v2.1, http://www.messagepartners.com 




Re: Sa stats using rrdtool?

2005-06-13 Thread Ronan McGlue

MIKE YRABEDRA wrote:
> on 6/13/05 8:01 AM, Ronan McGlue at [EMAIL PROTECTED] wrote:
>
>> MIKE YRABEDRA wrote:
>>> on 6/13/05 6:07 AM, Bart Verwilst at [EMAIL PROTECTED] wrote:
>>>
>>>> Hi
>>>>
>>>> Try MailGraph :) That's what I'm using for my servers..
>>>> Google for mailgraph, first hit :)
>>>>
>>>> See ya
>>>
>>> Looks good, but I think I passed it over because I am not using postfix. I
>>> am using Communigate Pro.
>>>
>>> However, my spamd writes to its own log so maybe it will still work.
>>>
>>> Only one way to find out ;-)
>>
>> you could also try gnu plot... i was also looking for a 'drop in'
>> graphing program and found GNUplot was exactly what i wanted...
>>
>> i use sa-stats.pl to read the log file then simply grep on the day >
>> pipe to a file and plot on the basis of that. v simple, clean and pretty :)
>> ill show u the script if u want.. its only 10 or so lines long :)
>> easy
>>
>> Ronan
>
> That would be awesome!  Feel free to contact me off-list if you want. :-)>

ive no probs showing the clunkiness of my bash'ing ability... just don't 
comment if its negative :D

feel free to note the name of the spamd server ;)

i have two scripts... one for hourly 'live' stats and one for 'yesterday'

LIVE
====

[EMAIL PROTECTED]:/home/ronan/stats# cat /etc/cron.hourly/live.sh
#!/bin/bash

# to be run every hour to give live updated stats

hour=`date +%k`
#let "hour -= 1"
date=`date +%d/%m/%y`
/usr/local/bin/sa-stats.pl -l /var/log/maillog -s 'today midnight' 1> /home/ronan/stats/spam_live.txt
/bin/grep "%" /home/ronan/stats/spam_live.txt |egrep -v ":"|awk '{print $2,$3+$6,$3,$6}' > /home/ronan/stats/daily_live.tmp
cat /home/ronan/stats/daily_live.tmp | head -$hour > /home/ronan/stats/daily_live.txt


cat > /home/ronan/stats/gnuplot.live << EOFEOF
set terminal png small color picsize 1000 200
set grid
set title "Hourly Live Mail Stats (GMT)"
set xtics 0,1,23
set time
set output '/var/www/htdocs/spam_live.png'
set xr [0:23]
plot \
'/home/ronan/stats/daily_live.txt' using 1:2 title 'total' with lines, \
'/home/ronan/stats/daily_live.txt' using 1:3 title 'tagged spam' with lines, \
'/home/ronan/stats/daily_live.txt' using 1:4 title 'tagged ham' with lines
EOFEOF

gnuplot /home/ronan/stats/gnuplot.live

#rm /home/ronan/stats/spam_live.txt /home/ronan/stats/daily_live.tmp /home/ronan/stats/daily_live.txt /home/ronan/stats/gnuplot.live



DAILY
=====
[EMAIL PROTECTED]:/home/ronan/stats# cat /etc/cron.daily/sa.sh
#!/bin/bash

# to be run after 12 at night so that the day -1 is correct

suff=`date +%m_%Y`
day=`date +%e`
let "day -= 1"
/usr/local/bin/sa-stats.pl -l /var/log/maillog.1 -s 'yesterday midnight' 1> /home/ronan/stats/spam${suff}_${day}.txt
/bin/grep "%" /home/ronan/stats/spam${suff}_${day}.txt|/bin/egrep -v ":" |awk '{print $2,$3+$6,$3,$6}' > /home/ronan/stats/daily${suff}_${day}.txt

cat > /home/ronan/stats/gnuplot.${suff}_${day} << EOFEOF
set terminal png small color picsize 1000 200
set time
set grid
set xtics 0,1,23
set title "Spam vs Ham for ${day}_${suff}"
set output '/var/www/htdocs/spam${suff}_${day}.png'
set xr [0:23]
plot \
'/home/ronan/stats/daily${suff}_${day}.txt' using 1:2 title 'Total Messages' with lines, \
'/home/ronan/stats/daily${suff}_${day}.txt' using 1:3 title 'tagged spam' with lines, \
'/home/ronan/stats/daily${suff}_${day}.txt' using 1:4 title 'tagged ham' with lines

EOFEOF
gnuplot /home/ronan/stats/gnuplot.${suff}_${day}

cat > /var/www/htdocs/index.html << HTMLEOF





HTMLEOF

HAM=`/bin/grep -i "total ham" /home/ronan/stats/spam${suff}_${day}.txt|awk '{print $5}'`
SPAM=`/bin/grep -i "total spam" /home/ronan/stats/spam${suff}_${day}.txt|awk '{print $5}'`

cat >> /home/ronan/stats/weekly.totals << STATS
${suff}_${day},$HAM,$SPAM
STATS
#rm -f /home/ronan/stats/spam${suff}_${day}.txt /home/ronan/stats/daily${suff}_${day}.txt /home/ronan/stats/gnuplot.${suff}_${day}



HTH
Ronan


> -Mike





--


Regards

Ronan McGlue
Info. Services
QUB


Re: Sa stats using rrdtool?

2005-06-13 Thread MIKE YRABEDRA
on 6/13/05 8:01 AM, Ronan McGlue at [EMAIL PROTECTED] wrote:

> MIKE YRABEDRA wrote:
>> on 6/13/05 6:07 AM, Bart Verwilst at [EMAIL PROTECTED] wrote:
>> 
>> 
>>> Hi
>>> 
>>> Try MailGraph :) That's what I'm using for my servers..
>>> Google for mailgraph, first hit :)
>>> 
>>> See ya
>> 
>> 
>> 
>> Looks good, but I think I passed it over because I am not using postfix. I
>> am using Communigate Pro.
>> 
>> However, my spamd writes to its own log so maybe it will still work.
>> 
>> Only one way to find out ;-)
> 
> you could also try gnu plot... i was also looking for a 'drop in'
> graphing program and found GNUplot was exactly what i wanted...
> 
> i use sa-stats.pl to read the log file then simply grep on the day >
> pipe to a file and plot on the basis of that. v simple, clean and pretty :)
> ill show u the script if u want.. its only 10 or so lines long :)
> easy
> 
> Ronan
>> 


That would be awesome!  Feel free to contact me off-list if you want. :-)>

-Mike




Re: Sa stats using rrdtool?

2005-06-13 Thread Ronan McGlue

MIKE YRABEDRA wrote:
> on 6/13/05 6:07 AM, Bart Verwilst at [EMAIL PROTECTED] wrote:
>
>> Hi
>>
>> Try MailGraph :) That's what I'm using for my servers..
>> Google for mailgraph, first hit :)
>>
>> See ya
>
> Looks good, but I think I passed it over because I am not using postfix. I
> am using Communigate Pro.
>
> However, my spamd writes to its own log so maybe it will still work.
>
> Only one way to find out ;-)

you could also try gnu plot... i was also looking for a 'drop in' 
graphing program and found GNUplot was exactly what i wanted...

i use sa-stats.pl to read the log file then simply grep on the day > 
pipe to a file and plot on the basis of that. v simple, clean and pretty :)

ill show u the script if u want.. its only 10 or so lines long :)
easy

Ronan

>> -Original Message-
>> From: MIKE YRABEDRA [mailto:[EMAIL PROTECTED]
>> Sent: Monday, June 13, 2005 12:04 PM
>> To: users@spamassassin.apache.org
>> Subject: Sa stats using rrdtool?
>>
>>
>> Hello,
>>
>> I have googled far and wide and can not find an answer.
>>
>> Does anyone know of a solution that will process a spamd log and then
>> output
>> the stats using rrdtool?
>>
>> There are tons of things using mrtg, but even by the developer's opinion,
>> mrtg is dead, rrd will take its place.











--


Regards

Ronan McGlue
Info. Services
QUB


Re: Sa stats using rrdtool?

2005-06-13 Thread MIKE YRABEDRA
on 6/13/05 6:07 AM, Bart Verwilst at [EMAIL PROTECTED] wrote:

> Hi
> 
> Try MailGraph :) That's what I'm using for my servers..
> Google for mailgraph, first hit :)
> 
> See ya


Looks good, but I think I passed it over because I am not using postfix. I
am using Communigate Pro.

However, my spamd writes to its own log so maybe it will still work.

Only one way to find out ;-)


> -Original Message-
> From: MIKE YRABEDRA [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 13, 2005 12:04 PM
> To: users@spamassassin.apache.org
> Subject: Sa stats using rrdtool?
> 
> 
> Hello,
> 
> I have googled far and wide and can not find an answer.
> 
> Does anyone know of a solution that will process a spamd log and then
> output
> the stats using rrdtool?
> 
> There are tons of things using mrtg, but even by the developer's opinion,
> mrtg is dead, rrd will take its place.
> 
> 
> 





Rmail. How to filter spamassassin tags.

2005-06-13 Thread Don Saklad
Where would there be basic instructive details for users with
rather spotty levels of expertise, little expertise, no expertise
about how to compose, setup dotfiles for filtering Rmail
spamassassin tags?... the ideal would be instructive details that
explain line by line, expression by expression what would be
included in a dotfile for filtering and what each expression,
how each term will act.

Reference
For Rmail users where spamassassin tags appear on messages
already, here are hints, tips and pointers about how to filter
http://www.emacswiki.org/cgi-bin/emacs/Rmail


RE: Sa stats using rrdtool?

2005-06-13 Thread Bart Verwilst
Hi

Try MailGraph :) That's what I'm using for my servers..
Google for mailgraph, first hit :)

See ya

-Original Message-
From: MIKE YRABEDRA [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 13, 2005 12:04 PM
To: users@spamassassin.apache.org
Subject: Sa stats using rrdtool?


Hello,

I have googled far and wide and can not find an answer.

Does anyone know of a solution that will process a spamd log and then
output
the stats using rrdtool?

There are tons of things using mrtg, but even by the developer's opinion,
mrtg is dead, rrd will take its place.





Sa stats using rrdtool?

2005-06-13 Thread MIKE YRABEDRA

Hello,

I have googled far and wide and can not find an answer.

Does anyone know of a solution that will process a spamd log and then output
the stats using rrdtool?

There are tons of things using mrtg, but even by the developer's opinion,
mrtg is dead, rrd will take its place.





Frequent database breakage - recovery?

2005-06-13 Thread Sven Riedel
Hi,
my bayesian databases are frequently broken (why, I'm not sure - 
spamassassin is called via amavisd-new, the training takes place
via sa-learn and nothing else is accessing the databases).

I've included db_recover to my amavisd-new startup script, to
mitigate the breakages. Somehow db_recover doesn't seem to be
able to find the databases, since it reports that the database
is ok while amavis complains about an inconsistent database.

This is what I'm doing in the startup script:

   amavis_db_dir=/var/amavis_root/db
   bayes_db_dir=/var/amavis_root/etc/mail/spamassassin/bayes
   awl_db_dir=/var/amavis_root/etc/mail/spamassassin/awl

   for db in $amavis_db_dir/cache.db \
             $amavis_db_dir/cache-expiry.db \
             $amavis_db_dir/nanny.db \
             $amavis_db_dir/snmp.db \
             $bayes_db_dir/bayes_seen \
             $bayes_db_dir/bayes_toks \
             $awl_db_dir/awl ; do
      if [ -e "$db" ] ; then
         # verify the file; a non-zero exit status means it is damaged
         /usr/bin/db4.3_verify "$db"
         if [ $? -ne 0 ] ; then
            if [ "$db" = $bayes_db_dir/bayes_seen -o \
                 "$db" = $bayes_db_dir/bayes_toks -o \
                 "$db" = $awl_db_dir/awl ] ; then
               /usr/local/sbin/sa_db_reset
            else
               rm -f "$db"
            fi
         fi
      else
         # initialize the database if it doesn't exist
         :
      fi
   done

Can anyone tell me how I'm calling db_recover wrong? It doesn't
seem to have a parameter to tell it what database file to 
actually check.

Regs,
Sven

--

BAGHUS GmbH
EDV und Internetdienstleistungen

Staffelseestr. 2
81477 München

Tel.: 0 89 / 8 71 81 - 4 84
Fax.: 0 89 / 8 71 81 - 4 88

www.baghus.net, [EMAIL PROTECTED]
HRB: 144283, USt-IdNr: DE224865405

--
 


Antwort: What means "sysread(9) not ready"?

2005-06-13 Thread Nico Prenzel
of course I mean sysread(8) a typo :-) 

What means "sysread(9) not ready"?

2005-06-13 Thread Nico Prenzel


Hello forum,

I got the following lines in my log many times.
I use Debian 3.1 and SA (current trunk)!

Mon Jun 13 07:59:19 2005 [18985] dbg: prefork: sysread(8) not ready, wait
max 0 secs

If no one knows, I'll open a bug ticket.



[SPAM] Passing parameters to a plugin

2005-06-13 Thread Rick Measham
I have written a plugin that determines a spam according to the 
recipient address. I accept email to [EMAIL PROTECTED] where 
hexval is the expiry time of the address as a hex'd epoch time.


My questions may be better served on the devel list, but I'm new here :)

Here's my rule:
header TIMED_RECIPIENT eval:check_timed_recipient()

Now I'd like my rule to be something like this:
header TIMED_RECIPIENT_1 eval:check_timed_recipient($RECIPIENT, 1)

In this rule, there are parameters passed to the plugin, however I can't 
get it to work.


Firstly, I made up the $RECIPIENT variable. Is there any way to get the 
recipient? I imagine there is because the rule is loaded from the 
recipient's home directory.


The second problem is more fundamental: My parameters are not finding 
their way into @_ in the check_timed_recipient function. I've looked at 
the other plugins and there seems to be no difference between what I'm 
doing and what they're doing.


(The second parameter is the allowance in hours. This enables me to give 
a higher score depending on HOW long ago the address expired)


Thanks and Cheers!
Rick Measham


Re: SA/RDJ/Bogus Virus Warnings Problem

2005-06-13 Thread Tim Jackson
On Sun, 12 Jun 2005 18:07:39 -0500
Chris Thielen <[EMAIL PROTECTED]> wrote:

> Sorry to resurrect such an old thread!  I'm a bit concerned with the
> 500 error code being downloaded into the SA_DIR.

I think you may be able to let this one die peacefully. I checked my
configuration and it looks like there was a screwup my end and the 500
error page was being returned with a 200 code. Sorry folks, entirely my
fault.

Tim
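
The outcome of this thread (an error page served with a 200 code) means a status check alone cannot keep a bad download out of the rules directory. An added example, not RDJ's or SpamAssassin's code, of a content check applied before a fetched file replaces the installed ruleset; the function name, the directive subset and the sample bodies are assumptions constructed for illustration.

```python
# First words that begin lines in SpamAssassin rule (.cf) files. Assumption:
# a subset sufficient for this example, not the full configuration grammar.
RULE_WORDS = {"header", "body", "rawbody", "full", "uri", "meta"}
OTHER_WORDS = {"score", "describe", "tflags", "test", "lang", "priority",
               "ifplugin", "if", "endif", "loadplugin", "require_version"}

# Constructed sample bodies.
GOOD_RULESET = (
    "# constructed sample ruleset\n"
    "header   EX_SUBJ  Subject =~ /bogus virus warning/i\n"
    "describe EX_SUBJ  Constructed example rule\n"
    "score    EX_SUBJ  0.5\n"
)
HTML_ERROR_PAGE = (
    "<html><head><title>Error 500</title></head>\n"
    "<body><h1>Internal Server Error</h1></body></html>\n"
)
TEXT_ERROR_PAGE = "Error 500\nInternal Server Error\n"


def check_download(status, body, min_rules=1):
    """Decide whether a fetched ruleset may replace the installed copy.

    Returns (ok, reason). The status test catches honest 4xx/5xx replies;
    the content tests catch an error page delivered with status 200.
    """
    if status != 200:
        return False, "HTTP status %d" % status
    if body.lstrip().startswith("<"):
        return False, "body starts with markup, not a rules file"
    rules, unknown = 0, []
    for lineno, line in enumerate(body.splitlines(), 1):
        text = line.strip()
        if not text or text.startswith("#"):
            continue  # blank lines and comments are always acceptable
        word = text.split(None, 1)[0].lower()
        if word in RULE_WORDS:
            rules += 1
        elif word not in OTHER_WORDS:
            unknown.append(lineno)
    if unknown:
        return False, "unrecognised lines: %s" % unknown[:5]
    if rules < min_rules:
        return False, "no rule definitions found"
    return True, "ok"


if __name__ == "__main__":
    for status, body in [(200, GOOD_RULESET), (500, HTML_ERROR_PAGE),
                         (200, HTML_ERROR_PAGE), (200, TEXT_ERROR_PAGE)]:
        print(status, check_download(status, body))
```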