Re: subject - why not all caps?

2005-07-09 Thread Jonathan Nichols


> As for the all caps rule, it is hard to understand why it was written
> not to fire on a single excessively long word.

Probably because end users are morons and think that if they put lots of
capital letters in the subject that you'll somehow prioritize it
differently. Our helpdesk guy is assaulted with such stupidity on a daily
basis. ;)




md5sum/sha1sum signatures available, was RE: Gif-Only spams

2005-07-09 Thread William Stearns

Good evening, all,

On Thu, 9 Jun 2005, Chris Santerre wrote:

> > From: Sven Riedel [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, June 09, 2005 10:19 AM
> >
> > has anyone developed a good strategy against spams
> > that contain a random text and the actual spam in
> > an image within a multipart/alternative mail?
> >
> > Short of entirely blocking mails containing images, that
> > is.
>
> Check out the interesting idea at www.rulesemporium.com/forums/
> entitled: Image attachment MD5 footprint RBL
>
> Pretty cool.


	The forums appear to be down at the moment, so I couldn't read the 
thread involved.
	I'm guessing the idea is to have a set of md5sums of known spam 
attachments (images and others), so when a new message comes in, the spam 
filter md5sums/sha1sums each mime part and does a dns lookup on 
6f2b009a213b916d391407a7f86c0300.attach.uribl.com, which returns a 
127.0.0.2 if that's a known spam attachment?

	razor, pyzor, and dcc do this with custom client apps and 
protocols (just try getting the razor protocol from Vipul or Jordan ;-). 
I kind of like the idea of doing it with dns and simple md5 or sha1 
checksums.  Enough so that I extracted around 21,000 unique attachments 
from the 3.5G of the last 3 years of hand-checked spam.  I hand-checked 
9,791 of those attachments (*) and placed their md5sums and sha1sums up at 
http://www.stearns.org/spamattach/ 
(http://www.stearns.org/spamattach/combined.md5sums and 
http://www.stearns.org/spamattach/combined.sha1sums hold all of the sums)


	Is someone willing to do the SA plugin to md5/sha1 sum each 
non-text mime part (or even just the images for efficiency)?  If so, I'd 
be glad to create a zone to test from.
	For all those that aren't sure it's worth redoing the razor, 
pyzor, and dcc work in a dns-based rbl, I guess I'd answer I'm not sure 
either.  :-)  On the other hand, I've already done a hand-checked set of 
sums, the plugin shouldn't be all that hard, and we can throw it at a 
corpus to see how well it works.  It might just help enough to be worth 
it.

Cheers,
- Bill

* I had to stop when my eyes glazed over.  :-)

---
"The sign on the window next to the entrance of OptInRealBig's
offices in Westminster leaves no room for misunderstanding.  Or irony.
NO SOLICITING."
http://www.westword.com/issues/2004-01-29/feature.html/3/index.html
--
William Stearns ([EMAIL PROTECTED]).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
--
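The lookup Bill sketches above, as an added example (not his code and not a SpamAssassin plugin): every non-text MIME part is md5/sha1-summed and the md5 is turned into a DNSBL-style name under a zone. The zone name attach.uribl.com follows the post's guess and is hypothetical, the message is constructed here, and DNS is replaced by an in-memory resolver so the script runs offline.

```python
"""Hash non-text MIME parts and check them against a DNS-style zone."""
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Callable, Dict, List, Optional

# Hypothetical zone, following the guess in the post; not a real service.
ATTACH_ZONE = "attach.uribl.com"
# Conventional DNSBL "listed" answer, as in the post.
LISTED_ANSWER = "127.0.0.2"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def attachment_sums(raw: bytes) -> List[Dict[str, str]]:
    """Return md5/sha1 of every leaf MIME part that is not text/*.

    Text parts are skipped because the random filler changes per message;
    the image carrying the pitch is what stays constant across a spam run.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sums = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        payload = part.get_payload(decode=True)  # transfer-decoded bytes
        if not payload:
            continue
        sums.append({
            "content_type": part.get_content_type(),
            "md5": md5_hex(payload),
            "sha1": sha1_hex(payload),
        })
    return sums


def query_name(digest: str, zone: str = ATTACH_ZONE) -> str:
    """Build the lookup name, e.g. <md5>.attach.uribl.com."""
    return f"{digest.lower()}.{zone}"


def make_static_resolver(listed: List[str]) -> Callable[[str], Optional[str]]:
    """Stand-in for a DNS A lookup so the example runs offline.

    A real plugin would resolve the name over DNS and treat an answer of
    127.0.0.2 as "listed"; here the listed digests are given in memory.
    """
    names = {query_name(d) for d in listed}
    return lambda name: LISTED_ANSWER if name in names else None


def check_attachments(raw: bytes,
                      resolve: Callable[[str], Optional[str]]) -> List[Dict[str, str]]:
    """Return the parts whose md5 the zone reports as listed."""
    hits = []
    for part in attachment_sums(raw):
        if resolve(query_name(part["md5"])) == LISTED_ANSWER:
            hits.append(part)
    return hits


def build_sample() -> bytes:
    """Constructed multipart/alternative text plus an image part (not a real spam)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "hello"
    msg.set_content("random filler text that changes with every message")
    msg.add_alternative("<p>random filler</p>", subtype="html")
    # Minimal GIF header plus padding bytes; stands in for the spam image.
    fake_gif = b"GIF89a" + bytes(range(64))
    msg.add_attachment(fake_gif, maintype="image", subtype="gif",
                       filename="pitch.gif")
    return bytes(msg)


def listed_parts_for_sample(seed_with_sample: bool) -> int:
    """Count listed parts in the sample; optionally seed the zone with the
    sample image's own md5, as a hand-checked entry would."""
    raw = build_sample()
    seeds = [p["md5"] for p in attachment_sums(raw)] if seed_with_sample else []
    return len(check_attachments(raw, make_static_resolver(seeds)))


if __name__ == "__main__":
    for part in attachment_sums(build_sample()):
        print(part["content_type"], query_name(part["md5"]), part["sha1"])
```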


Re: subject - why not all caps?

2005-07-09 Thread Matt Kettler



> Hi Matt,
>
> thanks for your reply.
> It seems these guys know how SA treats their messages :(
>
> There have been discussions before about "amplifying" rules, but I am not
> sure whether it is possible. I would say that both English and German
> versions of this "BUSINESS PROPOSAL" share a few characteristics that
> could be combined like a meta rule
> - subject all caps
> - at least one run of all caps words somewhere in the body
> - mentioning dollars (is detected)
> - mentioning specific places (Lagos and Abijan are common - there are
> spelling variants on Abidjan)
>
> As for the all caps rule, it is hard to understand why it was written not
> to fire on a single excessively long word.

I think it was written to not fire on a single word, such as ALERT, HELP, 
or HI. The length of the word was never a consideration.

Besides, the SUBJ_ALL_CAPS rule pretty much decidedly sucks as a spam rule. 
Take a look at STATISTICS-set3.txt. 1.6% of spam and 0.2% of nonspam. 
That's not many hits and not a very good S/O. 
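An added example (not SpamAssassin's code) that models the two points above: the stock one-word exemption Matt describes, a local variant that still fires on a single long all-caps word, and the four-feature meta rule Wolfgang sketches. The regexes, the 8-letter threshold and the meta condition (all-caps subject plus two of the three body features) are assumptions; the sample subject is the one from the thread, the bodies are constructed.

```python
"""Model of the SUBJ_ALL_CAPS one-word exemption and the proposed meta rule."""
import re
from typing import Dict

# Places named in the thread; the pattern also takes spelling variants of Abidjan.
PLACE_RE = re.compile(r"\b(?:Lagos|Abi[dj]+an)\b", re.IGNORECASE)
# Dollar mentions: "USD", "$18.5", "dollars" (SA's NA_DOLLARS covers this in the thread).
DOLLARS_RE = re.compile(r"\bUSD\b|\$\s*\d|\bdollars?\b", re.IGNORECASE)
# A run of two or more consecutive all-caps words of at least two letters.
CAPS_RUN_RE = re.compile(r"\b[A-Z]{2,}(?:\s+[A-Z]{2,})+\b")


def _letters(subject: str) -> str:
    """Only the letters of the subject; digits and punctuation don't count."""
    return re.sub(r"[^A-Za-z]", "", subject)


def subject_is_all_caps_stock(subject: str) -> bool:
    """Stock behaviour as described in the thread: a one-word subject never
    matches, however long the word is."""
    s = subject.strip()
    if not re.search(r"\s", s):
        return False  # don't match one word subjects
    letters = _letters(s)
    return bool(letters) and letters == letters.upper()


def subject_is_all_caps_local(subject: str, min_letters: int = 8) -> bool:
    """Local variant: also fires on a single long all-caps word while still
    ignoring short one-worders such as ALERT, HELP or HI (threshold assumed)."""
    s = subject.strip()
    letters = _letters(s)
    if not letters or letters != letters.upper():
        return False
    return bool(re.search(r"\s", s)) or len(letters) >= min_letters


def score_message(subject: str, body: str) -> Dict[str, bool]:
    """Evaluate the four proposed sub-rules and a meta rule over them.

    Meta condition (assumed, not stated in the post): all-caps subject plus
    at least two of the three body features.
    """
    hits = {
        "LOCAL_SUBJ_ALL_CAPS": subject_is_all_caps_local(subject),
        "LOCAL_BODY_CAPS_RUN": bool(CAPS_RUN_RE.search(body)),
        "LOCAL_DOLLARS": bool(DOLLARS_RE.search(body)),
        "LOCAL_419_PLACE": bool(PLACE_RE.search(body)),
    }
    body_hits = sum(hits[k] for k in
                    ("LOCAL_BODY_CAPS_RUN", "LOCAL_DOLLARS", "LOCAL_419_PLACE"))
    hits["LOCAL_419_META"] = hits["LOCAL_SUBJ_ALL_CAPS"] and body_hits >= 2
    return hits


# Constructed samples (the subject is the one from the thread; bodies are made up).
SAMPLE_419_SUBJECT = "GESCHAEFTSVORSCHLAG"
SAMPLE_419_BODY = (
    "First I must ask for your confidence, this is TOTALLY CONFIDENTIAL "
    "AND SECRET. I am an auditor at Union Bank Nigeria PLC, Lagos. The "
    "late Engr. Becker left a balance of USD$18.5M; your share would be 30%."
)
# A legitimate shouting subject: only one feature hits, so the meta stays quiet.
SAMPLE_HAM_SUBJECT = "MEETING TOMORROW"
SAMPLE_HAM_BODY = "Please bring the Q3 numbers and the draft budget."


if __name__ == "__main__":
    for subj, body in ((SAMPLE_419_SUBJECT, SAMPLE_419_BODY),
                       (SAMPLE_HAM_SUBJECT, SAMPLE_HAM_BODY)):
        print(subj, "stock:", subject_is_all_caps_stock(subj),
              "hits:", score_message(subj, body))
```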



Re: SURBL, SA 3.0.4, and firewalls

2005-07-09 Thread Theo Van Dinter
On Sat, Jul 09, 2005 at 07:47:22PM -0400, Dr Robert Young wrote:
> Is there any information available on what configuration your firewall 
> needs in order to make use of SURBL in SA 3.0.4? Ports, etc??

SURBL needs DNS to function.

-- 
Randomly Generated Tagline:
Cop: "He's making a break for it. Get him!" 
 Fry: "No, no, I was just picking my nose." 
 Cop: "He's picking his nose. Get him!" 




Re: subject - why not all caps?

2005-07-09 Thread hamann . w
>> At 12:38 PM 7/9/2005, [EMAIL PROTECTED] wrote:
>> 
>> 
>> >I just received this spam (some of them really get their stuff translated 
>> >well now) but was
>> >surprised that it did not trigger subject all caps rule
>> 
>> 
>>  From the eval test code for that rule:
>> 
>> 
>> # don't match one word subjects
>> 
>> 
>> Since that subject only has one word, it would have missed.
>> 
>> Besides, SUBJ_ALL_CAPS isn't enough score to be worth worrying over.. it's 
>> less than 1.0.
>> 
>> 
>> 

Hi Matt,

thanks for your reply.
It seems these guys know how SA treats their messages :(

There have been discussions before about "amplifying" rules, but I am not sure 
whether it is possible. I would say that both English and German versions of this
"BUSINESS PROPOSAL" share a few characteristics that could be combined like a 
meta rule
- subject all caps
- at least one run of all caps words somewhere in the body
- mentioning dollars (is detected)
- mentioning specific places (Lagos and Abijan are common - there are spelling 
variants on Abidjan)

As for the all caps rule, it is hard to understand why it was written not to 
fire on a single excessively long word.

Wolfgang Hamann





SURBL, SA 3.0.4, and firewalls

2005-07-09 Thread Dr Robert Young
Is there any information available on what configuration your firewall 
needs in order to make use of SURBL in SA 3.0.4? Ports, etc??







Re: How can I correctly detect these spams?

2005-07-09 Thread Thomas Booms

jdow schrieb:

> From: "Thomas Booms" <[EMAIL PROTECTED]>
>
>> Loren Wilton schrieb:
>>
>>>> Well, header I have on detected spams like these (possibly I need to
>>>> reconfigure something) to get the above lists:
>>>>
>>>> X-Spam-Status: No, score=-1.8 required=1.5 tests=BAYES_00,
>>>> DATE_IN_FUTURE_03_06 autolearn=ham version=3.0.4
>>>
>>> This says that the message is NOT spam.  Bayes in particular is convinced
>>> that it was ham, and has auto-learned it as such.  It looks like your Bayes
>>> database is corrupt and will need to be rebuilt at some point.
>>>
>>> However, before doing that, we need to figure out why all this hit was
>>> date-in-future.
>>>
>>> I'm a little concerned that that initial Received header from Qmail may be
>>> keeping SA from analyzing the return headers.  This could cause a lot of the
>>> net tests to fail.  However, maybe that header is ok.  Others that know more
>>> about received headers than I do will look at it.
>>>
>>> If that spam had been in English the body text would have nailed it.
>>> "Greencard lottery" is pretty much a guaranteed spam indicator all by
>>> itself.  This looks like a case where a few of the rules for these things
>>> could profitably be translated to German, by someone that speaks both
>>> languages.  (I don't, or I'd just do it.)
>>>
>>> There is a good chance though that register-usa.com should have hit SURBL.
>>> This makes me think your net tests aren't working.  Since this is 3.0.4,
>>> they should be by default.
>>>
>>> Why don't you run "spamassassin --lint -D" and post the output.  My guess is
>>> you either have a problem with the Net::DNS version, or init.pre isn't
>>> installed correctly.  (Of course you might be starting SA with the -L
>>> parameter that disables net tests.)
>>>
>>>   Loren
>>
>> Here's what you wanted (by spamassassin --lint -D):
>>
>> spamassassin --lint -D
>> debug: SpamAssassin version 3.0.4
>> debug: Score set 0 chosen.
>> debug: running in taint mode? yes
>> debug: Running in taint mode, removing unsafe env vars, and resetting PATH
>> debug: PATH included '/sbin', keeping.
>> debug: PATH included '/usr/sbin', keeping.
>> debug: PATH included '/usr/local/sbin', keeping.
>> debug: PATH included '/root/bin', keeping.
>> debug: PATH included '/usr/local/bin', keeping.
>> debug: PATH included '/usr/local/news/bin', keeping.
>> debug: PATH included '/usr/bin', keeping.
>> debug: PATH included '/usr/X11R6/bin', keeping.
>> debug: PATH included '/bin', keeping.
>> debug: PATH included '/var/qmail/bin', keeping.
>> debug: PATH included '/usr/local/bin/ezmlm', keeping.
>> debug: PATH included '/usr/local/sbin', keeping.
>> debug: PATH included '/usr/games', keeping.
>> debug: PATH included '/opt/gnome/bin', keeping.
>> debug: PATH included '/opt/kde3/bin', keeping.
>> debug: PATH included '/usr/lib/java/jre/bin', keeping.
>> debug: Final PATH set to:
>> /sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/local/news/bin
>> :/usr/bin:/usr/X11R6/bin:/bin:/var/qmail/bin:/usr/local/bin/ezmlm:/usr/local
>> /sbin:/usr/games:/opt/gnome/bin:/opt/kde3/bin:/usr/lib/java/jre/bin
>> debug: diag: module installed: DBI, version 1.48
>> debug: diag: module installed: DB_File, version 1.811
>> debug: diag: module installed: Digest::SHA1, version 2.10
>> debug: diag: module installed: IO::Socket::UNIX, version 1.21
>> debug: diag: module installed: MIME::Base64, version 3.05
>> debug: diag: module installed: Net::DNS, version 0.52
>
> Good version, I believe.
>
>> debug: diag: module not installed: Net::LDAP ('require' failed)
>> debug: diag: module installed: Razor2::Client::Agent, version 2.72
>> debug: diag: module installed: Storable, version 2.15
>> debug: diag: module installed: URI, version 1.35
>> debug: ignore: using a test message to lint rules
>> debug: using "/etc/mail/spamassassin/init.pre" for site rules init.pre
>> debug: config: read file /etc/mail/spamassassin/init.pre
>> debug: using "/usr/share/spamassassin" for default rules dir
>> debug: config: read file /usr/share/spamassassin/10_misc.cf
>> debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
>> debug: config: read file /usr/share/spamassassin/20_body_tests.cf
>> debug: config: read file /usr/share/spamassassin/20_compensate.cf
>> debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
>> debug: config: read file /usr/share/spamassassin/20_drugs.cf
>> debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
>> debug: config: read file /usr/share/spamassassin/20_head_tests.cf
>> debug: config: read file /usr/share/spamassassin/20_html_tests.cf
>> debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
>> debug: config: read file /usr/share/spamassassin/20_phrases.cf
>> debug: config: read file /usr/share/spamassassin/20_porn.cf
>> debug: config: read file /usr/share/spamassassin/20_ratware.cf
>> debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
>> debug: config: read file /usr/share/spamassassin/23_bayes.cf
>> debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
>> debug: config: read file /usr/share/spamassassin/25_hashcash.cf
>> debug: config: read file /usr/shar

Re: How can I correctly detect these spams?

2005-07-09 Thread Thomas Booms

jdow schrieb:

> From: "Thomas Booms" <[EMAIL PROTECTED]>
>
>> Loren Wilton schrieb:
>>
>>>> Well, header I have on detected spams like these (possibly I need to
>>>> reconfigure something) to get the above lists:
>>>>
>>>> X-Spam-Status: No, score=-1.8 required=1.5 tests=BAYES_00,
>>>> DATE_IN_FUTURE_03_06 autolearn=ham version=3.0.4
>>>
>>> This says that the message is NOT spam.  Bayes in particular is convinced
>>> that it was ham, and has auto-learned it as such.  It looks like your Bayes
>>> database is corrupt and will need to be rebuilt at some point.
>>>
>>> However, before doing that, we need to figure out why all this hit was
>>> date-in-future.
>>>
>>> I'm a little concerned that that initial Received header from Qmail may be
>>> keeping SA from analyzing the return headers.  This could cause a lot of the
>>> net tests to fail.  However, maybe that header is ok.  Others that know more
>>> about received headers than I do will look at it.
>>>
>>> If that spam had been in English the body text would have nailed it.
>>> "Greencard lottery" is pretty much a guaranteed spam indicator all by
>>> itself.  This looks like a case where a few of the rules for these things
>>> could profitably be translated to German, by someone that speaks both
>>> languages.  (I don't, or I'd just do it.)
>>>
>>> There is a good chance though that register-usa.com should have hit SURBL.
>>> This makes me think your net tests aren't working.  Since this is 3.0.4,
>>> they should be by default.
>>>
>>> Why don't you run "spamassassin --lint -D" and post the output.  My guess is
>>> you either have a problem with the Net::DNS version, or init.pre isn't
>>> installed correctly.  (Of course you might be starting SA with the -L
>>> parameter that disables net tests.)
>>>
>>>   Loren
>>
>> Well, here's the content of my init.pre and then the running
>> spamassassin task:
>>
>> # This is the right place to customize your installation of SpamAssassin.
>> #
>> # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
>> # tweaked.
>> #
>> # This file will be loaded before *all other* configuration files, including
>> # the system configuration.  As such, it's a good place to set things that
>> # will affect how those files are parsed, like which plugins are loaded
>> # etc.
>> #
>> ###
>>
>> # RelayCountry - add metadata for Bayes learning, marking the countries
>> # a message was relayed through
>> #
>> # loadplugin Mail::SpamAssassin::Plugin::RelayCountry
>>
>> # URIDNSBL - look up URLs found in the message against several DNS
>> # blocklists.
>> #
>> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
>>
>> # Hashcash - perform hashcash verification.
>> #
>> loadplugin Mail::SpamAssassin::Plugin::Hashcash
>>
>> # SPF - perform SPF verification.
>> #
>> loadplugin Mail::SpamAssassin::Plugin::SPF
>>
>> (I've never touched that file)
>>
>> /usr/bin/perl -T -w /usr/bin/spamd -q -H /etc/mail/spamassassin
>> \_ spamd child
>> \_ spamd child
>> \_ spamd child
>> \_ spamd child
>> \_ spamd child
>
> Contents of local.cf also matter. If you have DNS rules off or your
> DNS misconfigured from what SA wants it isn't going to work well.
>
> {^_^}

Here's the content of my local.cf:

rewrite_subject 1
report_safe 2
trusted_networks 
user_scores_dsn DBI:mysql::
user_scores_sql_username 
user_scores_sql_password 
user_scores_sql_custom_query SELECT preference, value FROM _TABLE_ 
WHERE username = _USERNAME_ OR username = '$GLOBAL' OR username = 
CONCAT('%',_DOMAIN_) ORDER BY username ASC

razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
urirhssub   URIBL_BLACK  multi.uribl.com.  A   2
body        URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe    URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags      URIBL_BLACK  net
score       URIBL_BLACK  3.0

urirhssub   URIBL_GREY  multi.uribl.com.  A   4
body        URIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
describe    URIBL_GREY  Contains an URL listed in the URIBL greylist
tflags      URIBL_GREY  net
score       URIBL_GREY  1.0

The 1st 3 lines were added a few minutes ago.

Thomas

--
Booms EDV
- hosting & more -
Herrenstrasse 10
D-59073 Hamm

www.booms-edv.de
[EMAIL PROTECTED]



Re: subject - why not all caps?

2005-07-09 Thread Matt Kettler

At 12:38 PM 7/9/2005, [EMAIL PROTECTED] wrote:

> I just received this spam (some of them really get their stuff translated
> well now) but was surprised that it did not trigger subject all caps rule

From the eval test code for that rule:

# don't match one word subjects

Since that subject only has one word, it would have missed.

Besides, SUBJ_ALL_CAPS isn't enough score to be worth worrying over.. it's 
less than 1.0.





Re: Just upgraded to SA3.0.4

2005-07-09 Thread Dr Robert Young
I looked around on the web for references to the "no active 
filter"... found several links but nothing that explained what it 
meant. It was always just a link "peripheral" to some other issue, not 
the main target  of the article/posting. I am not even sure it is a 
problem...but the wording is just 'suggestive' enough to make me worry!



On Jul 9, 2005, at 2:42 PM, jdow wrote:

> That, sir, appears to be a problem with your milter or sendmail config.
>
> What does that second entry mean to you?
>
> {^_^}
> - Original Message -
> From: "Dr Robert Young" <[EMAIL PROTECTED]>
> To: 
> Sent: 2005 July, 09, Saturday 05:06
> Subject: Just upgraded to SA3.0.4
>
>> I just upgraded a box that had a "broken" Sa 2.63 to SA 3.0.4
>>
>> I noticed the following in the maillog...is this normal for a very
>> "low" activity system. The "no active filter" has me worried.
>>
>> Using spamassassin and spamc to send in the "sample" emails" showed
>> them to be working, but that does not test the sendmail-> milter-spamc
>> link
>>
>> Jul  9 07:12:20 email2 sendmail[1175]: NOQUEUE: connect from
>> gorilla.jungle.com [38.151.210.157]
>> Jul  9 07:12:20 email2 sendmail[1175]: j69BCKK8001175: Milter: no
>> active filter
>> Jul  9 07:12:20 email2 sendmail[1175]: j69BCKK8001175:
>> gorilla.jungle.com [38.151.210.157] did not issue MAIL/EXPN/VRFY/ETRN
>> during connection to MTA
>> Jul  9 07:15:01 email2 sendmail[1199]: NOQUEUE: connect from
>> [209.202.135.142]
>> Jul  9 07:15:01 email2 sendmail[1199]: j69BF1K8001199: Milter: no
>> active filter
>> Jul  9 07:15:01 email2 sendmail[1199]: j69BF1K8001199:
>> [209.202.135.142] did not issue MAIL/EXPN/VRFY/ETRN during connection
>> to MTA

Dr. Robert Young
ALI Database Consultants
1151 Williams Dr
Aiken SC 29803
USA

WWW: http://www.aliconsultants.com
Tele: 1-803-648-5931
Toll free in US: 1-866-257-8970 Fax:1-803-641-0345
Email: [EMAIL PROTECTED]
"Source of Rdb Controller, software for database analysis &  
performance tuning"




Re: How can I correctly detect these spams?

2005-07-09 Thread jdow
From: "Thomas Booms" <[EMAIL PROTECTED]>

> Loren Wilton schrieb:
>
> >>Well, header I have on detected spams like these (possibly I need to
> >>reconfigure something) to get the above lists:
> >>
> >>X-Spam-Status: No, score=-1.8 required=1.5 tests=BAYES_00,
> >>DATE_IN_FUTURE_03_06 autolearn=ham version=3.0.4
> >>
> >>
> >
> >This says that the message is NOT spam.  Bayes in particular is convinced
> >that it was ham, and has auto-learned it as such.  It looks like your Bayes
> >database is corrupt and will need to be rebuilt at some point.
> >
> >However, before doing that, we need to figure out why all this hit was
> >date-in-future.
> >
> >I'm a little concerned that that initial Received header from Qmail may be
> >keeping SA from analyzing the return headers.  This could cause a lot of the
> >net tests to fail.  However, maybe that header is ok.  Others that know more
> >about received headers than I do will look at it.
> >
> >If that spam had been in English the body text would have nailed it.
> >"Greencard lottery" is pretty much a guaranteed spam indicator all by
> >itself.  This looks like a case where a few of the rules for these things
> >could profitably be translated to German, by someone that speaks both
> >languages.  (I don't, or I'd just do it.)
> >
> >There is a good chance though that register-usa.com should have hit SURBL.
> >This makes me think your net tests aren't working.  Since this is 3.0.4,
> >they should be by default.
> >
> >Why don't you run "spamassassin --lint -D" and post the output.  My guess is
> >you either have a problem with the Net::DNS version, or init.pre isn't
> >installed correctly.  (Of course you might be starting SA with the -L
> >parameter that disables net tests.)
> >
> >Loren
> >
> >
> >
> >
> >
> Here's what you wanted (by spamassassin --lint -D):
>
> spamassassin --lint -D
> debug: SpamAssassin version 3.0.4
> debug: Score set 0 chosen.
> debug: running in taint mode? yes
> debug: Running in taint mode, removing unsafe env vars, and resetting PATH
> debug: PATH included '/sbin', keeping.
> debug: PATH included '/usr/sbin', keeping.
> debug: PATH included '/usr/local/sbin', keeping.
> debug: PATH included '/root/bin', keeping.
> debug: PATH included '/usr/local/bin', keeping.
> debug: PATH included '/usr/local/news/bin', keeping.
> debug: PATH included '/usr/bin', keeping.
> debug: PATH included '/usr/X11R6/bin', keeping.
> debug: PATH included '/bin', keeping.
> debug: PATH included '/var/qmail/bin', keeping.
> debug: PATH included '/usr/local/bin/ezmlm', keeping.
> debug: PATH included '/usr/local/sbin', keeping.
> debug: PATH included '/usr/games', keeping.
> debug: PATH included '/opt/gnome/bin', keeping.
> debug: PATH included '/opt/kde3/bin', keeping.
> debug: PATH included '/usr/lib/java/jre/bin', keeping.
> debug: Final PATH set to:
> /sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/local/news/bin
> :/usr/bin:/usr/X11R6/bin:/bin:/var/qmail/bin:/usr/local/bin/ezmlm:/usr/local
> /sbin:/usr/games:/opt/gnome/bin:/opt/kde3/bin:/usr/lib/java/jre/bin
> debug: diag: module installed: DBI, version 1.48
> debug: diag: module installed: DB_File, version 1.811
> debug: diag: module installed: Digest::SHA1, version 2.10
> debug: diag: module installed: IO::Socket::UNIX, version 1.21
> debug: diag: module installed: MIME::Base64, version 3.05
> debug: diag: module installed: Net::DNS, version 0.52

Good version, I believe.

> debug: diag: module not installed: Net::LDAP ('require' failed)
> debug: diag: module installed: Razor2::Client::Agent, version 2.72
> debug: diag: module installed: Storable, version 2.15
> debug: diag: module installed: URI, version 1.35
> debug: ignore: using a test message to lint rules
> debug: using "/etc/mail/spamassassin/init.pre" for site rules init.pre
> debug: config: read file /etc/mail/spamassassin/init.pre
> debug: using "/usr/share/spamassassin" for default rules dir
> debug: config: read file /usr/share/spamassassin/10_misc.cf
> debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
> debug: config: read file /usr/share/spamassassin/20_body_tests.cf
> debug: config: read file /usr/share/spamassassin/20_compensate.cf
> debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
> debug: config: read file /usr/share/spamassassin/20_drugs.cf
> debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
> debug: config: read file /usr/share/spamassassin/20_head_tests.cf
> debug: config: read file /usr/share/spamassassin/20_html_tests.cf
> debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
> debug: config: read file /usr/share/spamassassin/20_phrases.cf
> debug: config: read file /usr/share/spamassassin/20_porn.cf
> debug: config: read file /usr/share/spamassassin/20_ratware.cf
> debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
> debug: config: read file /usr/share/spamassassin/23_bayes.cf
> debug: config: read file /usr/share/spamassassin/25_body_tes

Re: How can I correctly detect these spams?

2005-07-09 Thread jdow
From: "Thomas Booms" <[EMAIL PROTECTED]>


> Loren Wilton schrieb:
>
> >>Well, header I have on detected spams like these (possibly I need to
> >>reconfigure something) to get the above lists:
> >>
> >>X-Spam-Status: No, score=-1.8 required=1.5 tests=BAYES_00,
> >>DATE_IN_FUTURE_03_06 autolearn=ham version=3.0.4
> >>
> >>
> >
> >This says that the message is NOT spam.  Bayes in particular is convinced
> >that it was ham, and has auto-learned it as such.  It looks like your Bayes
> >database is corrupt and will need to be rebuilt at some point.
> >
> >However, before doing that, we need to figure out why all this hit was
> >date-in-future.
> >
> >I'm a little concerned that that initial Received header from Qmail may be
> >keeping SA from analyzing the return headers.  This could cause a lot of the
> >net tests to fail.  However, maybe that header is ok.  Others that know more
> >about received headers than I do will look at it.
> >
> >If that spam had been in English the body text would have nailed it.
> >"Greencard lottery" is pretty much a guaranteed spam indicator all by
> >itself.  This looks like a case where a few of the rules for these things
> >could profitably be translated to German, by someone that speaks both
> >languages.  (I don't, or I'd just do it.)
> >
> >There is a good chance though that register-usa.com should have hit SURBL.
> >This makes me think your net tests aren't working.  Since this is 3.0.4,
> >they should be by default.
> >
> >Why don't you run "spamassassin --lint -D" and post the output.  My guess is
> >you either have a problem with the Net::DNS version, or init.pre isn't
> >installed correctly.  (Of course you might be starting SA with the -L
> >parameter that disables net tests.)
> >
> >Loren
> >
> >
> >
> >
> >
> Well, here's the content of my init.pre and then the running
> spamassassin task:
>
> # This is the right place to customize your installation of SpamAssassin.
> #
> # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
> # tweaked.
> #
> # This file will be loaded before *all other* configuration files, including
> # the system configuration.  As such, it's a good place to set things that
> # will affect how those files are parsed, like which plugins are loaded
> # etc.
> #
> ###
>
> # RelayCountry - add metadata for Bayes learning, marking the countries
> # a message was relayed through
> #
> # loadplugin Mail::SpamAssassin::Plugin::RelayCountry
>
> # URIDNSBL - look up URLs found in the message against several DNS
> # blocklists.
> #
> loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
>
> # Hashcash - perform hashcash verification.
> #
> loadplugin Mail::SpamAssassin::Plugin::Hashcash
>
> # SPF - perform SPF verification.
> #
> loadplugin Mail::SpamAssassin::Plugin::SPF
>
> (I've never touched that file)
>
> /usr/bin/perl -T -w /usr/bin/spamd -q -H /etc/mail/spamassassin
> \_ spamd child
> \_ spamd child
> \_ spamd child
> \_ spamd child
> \_ spamd child

Contents of local.cf also matter. If you have DNS rules off or your
DNS misconfigured from what SA wants it isn't going to work well.

{^_^}




Re: Just upgraded to SA3.0.4

2005-07-09 Thread jdow
That, sir, appears to be a problem with your milter or sendmail config.

What does that second entry mean to you?

{^_^}
- Original Message - 
From: "Dr Robert Young" <[EMAIL PROTECTED]>
To: 
Sent: 2005 July, 09, Saturday 05:06
Subject: Just upgraded to SA3.0.4


> I just upgraded a box that had a "broken" Sa 2.63 to SA 3.0.4
> 
> I noticed the following in the maillog...is this normal for a very 
> "low" activity system. The "no active filter" has me worried.
> 
> Using spamassassin and spamc to send in the "sample" emails" showed 
> them to be working, but that does not test the sendmail-> milter-spamc  
> link
> 
> Jul  9 07:12:20 email2 sendmail[1175]: NOQUEUE: connect from 
> gorilla.jungle.com [38.151.210.157]
> Jul  9 07:12:20 email2 sendmail[1175]: j69BCKK8001175: Milter: no 
> active filter
> Jul  9 07:12:20 email2 sendmail[1175]: j69BCKK8001175: 
> gorilla.jungle.com [38.151.210.157] did not issue MAIL/EXPN/VRFY/ETRN 
> during connection to MTA
> Jul  9 07:15:01 email2 sendmail[1199]: NOQUEUE: connect from 
> [209.202.135.142]
> Jul  9 07:15:01 email2 sendmail[1199]: j69BF1K8001199: Milter: no 
> active filter
> Jul  9 07:15:01 email2 sendmail[1199]: j69BF1K8001199: 
> [209.202.135.142] did not issue MAIL/EXPN/VRFY/ETRN during connection 
> to MTA
> 
> 
> 



subject - why not all caps?

2005-07-09 Thread hamann . w


I just received this spam (some of them really get their stuff translated well 
now) but was surprised that it did not trigger subject all caps rule

Wolfgang Hamann


Received: (qmail 13636 invoked by uid 94); 9 Jul 2005 16:00:06 -
Received: from 127.0.0.1 by amadeus3 (envelope-from <[EMAIL PROTECTED]>, uid 
82) with qmail-scanner-1.24 
 (hbedv: 6.28.0.18/6.28.0.83. localrules: ???.  
 Clear:RC:0(127.0.0.1):. 
 Processed in 0.076688 secs); 09 Jul 2005 16:00:06 -
Received: from localhost (127.0.0.1)
  by localhost with SMTP; 9 Jul 2005 16:00:06 -
Received: from fwdallmx.t-online.com [194.25.134.90]
by localhost with POP3 (fetchmail-6.2.3)
for [EMAIL PROTECTED] (single-drop); Sat, 09 Jul 2005 18:00:06 +0200 
(CEST)
Received: from wmailmta06of.seamail.go.com ([199.181.134.43]) by 
mailin18.sul.t-online.de
with smtp id 1DrHE2-0P7Dxg0; Sat, 9 Jul 2005 17:26:42 +0200
Received: (qmail 20617 invoked from network); 9 Jul 2005 15:26:41 -
Received: from wmailweba03.seamail.go.com (HELO WMAILWEBA03) (10.192.72.77)
  by wmailmta06o.seamail.go.com with SMTP; 9 Jul 2005 15:26:41 -
Message-ID: <[EMAIL PROTECTED]>
Date: Sat, 9 Jul 2005 08:26:41 -0700 (PDT)
From: Akume Adigwe <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject:  GESCHAEFTSVORSCHLAG 
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Mailer: GoMail 3.0.1
X-TOI-SPAM: u;0;2005-07-09T15:26:51Z
X-TOI-VIRUSSCAN: unchecked
X-TOI-MSGID: bd901acb-11c2-4557-8b9a-212fc0419762
X-Seen: false
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on amadeus3.local
X-Spam-Status: No, score=1.2 required=5.0 tests=BAYES_00,NA_DOLLARS,
RCVD_IN_BL_SPAMCOP_NET autolearn=no version=3.0.4


 BUSINESS PROPOSAL 
First I must ask for your confidence in this transaction; this is on account 
of its nature as being totally CONFIDENTIAL and SECRET.

But I know that a transaction of this magnitude will make anyone anxious and 
worried, but I assure you that all will be in order at the end of the day. We 
decided to reach you by fax because of the urgency of this transaction, as we 
have been reliably convinced of its speed and confidentiality. Let me first 
introduce myself. I am Mr. ADIGWE AKUME,
an auditor at Union Bank Nigeria PLC, Lagos. I came across your contact in my 
private search for a reliable and decent person to carry out a very 
confidential transaction, which involves the transfer of a huge sum of money 
to a foreign account and which requires maximum confidence. THE PROPOSAL: A 
foreigner, the late engineer Manfred Becker, an oil trader / contractor with 
the federal government of Nigeria.

Until his death three years ago in a horrific plane crash he was working as a 
contractor for the government. Mr. Becker was our customer here at Union Bank 
PLC., Lagos, and had a closing balance of USD$18.5M (eighteen million, five 
hundred thousand US dollars), which the bank now expects without question to 
be claimed by his relatives, or otherwise the whole amount will be declared 
unclaimed and will be donated to an African trust fund for the procurement of 
arms and ammunition for one of the liberation movements here in Africa. 
Strenuous and valuable efforts have been made by Union Bank to establish 
contact with any of the Becker family or relatives, but so far without any 
success. 
It is because of the perceived impossibility of finding any relative of 
Becker (he had no known wife or children) that the management, under the 
influence of its board chairman, General Kalu Uke Kalu (retired), has ordered 
that the fund should be declared UNCLAIMED and then paid out to the trust fund 
for arms and ammunition procurement, which is thereby donated to the course 
of war in Africa.

To avert this negative development, I and some of my trusted colleagues in 
the bank have concluded to transfer the money with your consent, and we now 
seek your permission for you to declare yourself the relative of the late 
Engr. Manfred Becker so that the fund in the amount of USD$18.5M would 
consequently be transferred and paid into your bank account as the 
beneficiary (relative of Becker). All documents and proof enabling you to 
claim this fund we will put at your disposal so that everything goes through, 
and we assure you of a 100% risk-free involvement. Your share would be 30% of 
the total amount. 10% has been set aside for expenses in processing the 
transfer, while the remaining 60% would be for me and my colleagues for 
investment purposes in your country. Wenn dieser V

RE: rules_du_jour script and firewall ports?

2005-07-09 Thread Dave Duffner - PSCGi
Dr Robert Young  decided to say on Friday, July 08, 
2005 8:46 PM:

> Anyone have information on which ports would need to be opened for
> rules_du_jour to function? 

As the other reply mentioned, it's just Port 80.  But
we made a bonehead move recently and with Chris's help we
determined that an internal firewall was blocking the IP
for RulesEmporium.com that RDJ needs to pull the updated 
files.  We use both an external and internal firewall, the
IP blocks were on the internal and hadn't been moved to 
the external - thus we kept getting RDJ errors from the 
cronjob on overnight runs.

Ping and traceroute the RulesEmp domain and ensure
you can get responses.  If not, check whether you've blocked
one or more points of the path to that domain, as it takes
some weird hops from certain locations!  If all that's 
clear, you can ping & traceroute to it, and you still get
errors, you'll need to provide more detail here for a 
better resolution.

 Dave Duffner
 President
 PSCGi
 Paradise Shore Communications Group
 www.pscginternet.com
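The check Dave describes, written out as an added example in Python (not code from the thread or from rules_du_jour): before the cron job runs, resolve the download host and attempt a TCP connection to port 80 with a short timeout, so that the failure is logged as a DNS problem, a blocked or closed port, or success. The target host name is only an assumed command-line argument (RulesEmporium.com by default); the two demo helpers talk exclusively to 127.0.0.1 so the example runs offline.

```python
import socket


def preflight(host: str, port: int = 80, timeout: float = 3.0) -> dict:
    """Resolve host and try a TCP connect; report which step failed."""
    report = {"host": host, "port": port, "dns": False, "addresses": [],
              "tcp": False, "error": None}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Resolver or /etc/hosts problem: nothing further can be tested.
        report["error"] = "DNS lookup failed: %s" % exc
        return report
    report["dns"] = True
    report["addresses"] = sorted({info[4][0] for info in infos})
    for family, socktype, proto, _, sockaddr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)          # any one address answering is enough
            report["tcp"] = True
            report["error"] = None
            return report
        except OSError as exc:              # refused (closed) or timeout (filtered path)
            report["error"] = "TCP connect to %s:%d failed: %s" % (sockaddr[0], port, exc)
        finally:
            sock.close()
    return report


def verdict(report: dict) -> str:
    """One-line summary suitable for the cron job's log."""
    if report["tcp"]:
        return "ok: %s:%d reachable via %s" % (
            report["host"], report["port"], ", ".join(report["addresses"]))
    if not report["dns"]:
        return "fail: cannot resolve %s (%s)" % (report["host"], report["error"])
    return "fail: %s resolves to %s but port %d is blocked or closed (%s)" % (
        report["host"], ", ".join(report["addresses"]), report["port"], report["error"])


# Offline demo helpers (constructed for this example): a loopback port nobody
# listens on, and a throw-away loopback listener.
def closed_local_port() -> int:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def check_against_local_listener() -> dict:
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    try:
        return preflight("127.0.0.1", listener.getsockname()[1])
    finally:
        listener.close()


if __name__ == "__main__":
    import sys
    # Assumed download host for rules_du_jour; pass another name as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "RulesEmporium.com"
    print(verdict(preflight(target)))
```

A TCP connect on port 80 is a stricter check than ping: ICMP may be allowed while the HTTP path is filtered, so a successful ping alone does not prove the download will work.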








Re: How can I correctly detect these spams?

2005-07-09 Thread Thomas Booms

Kai Schaetzl schrieb:

It seems you are not using *any* custom rules. You may want to check out 
RDJ and SARE.


Kai

 

I've found in my debugging info the part where Razor wasn't able to 
read its config file. I've corrected this part, and the debugging 
info is now positive. Hope it's working now. If you want, I will post 
the new debugging output here.


Thomas

--
Booms EDV
- hosting & more -
Herrenstrasse 10
D-59073 Hamm

www.booms-edv.de
[EMAIL PROTECTED]



Re: How can I correctly detect these spams?

2005-07-09 Thread Kai Schaetzl
It seems you are not using *any* custom rules. You may want to check out 
RDJ and SARE.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: Just upgraded to SA3.0.4

2005-07-09 Thread Kai Schaetzl
Dr Robert Young wrote on Sat, 9 Jul 2005 08:06:45 -0400:

> Jul  9 07:12:20 email2 sendmail[1175]: j69BCKK8001175: Milter: no 
> active filter 
> Jul  9 07:12:20 email2 sendmail[1175]: j69BCKK8001175: 
> gorilla.jungle.com [38.151.210.157] did not issue MAIL/EXPN/VRFY/ETRN 
> during connection to MTA

I can't tell you if that "no active filter" is ok. But the last line tells 
us there was only a connect and helo, no attempt to deliver a mail to you. 
When you send the sample mail to you that should be different.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: How can I correctly detect these spams?

2005-07-09 Thread Thomas Booms

Loren Wilton schrieb:


Well, header I have on detected spams like these (possibly I need to
reconfigure something) to get the above lists:

X-Spam-Status: No, score=-1.8 required=1.5 tests=BAYES_00,
DATE_IN_FUTURE_03_06 autolearn=ham version=3.0.4
   



This says that the message is NOT spam.  Bayes in particular is convinced
that it was ham, and has auto-learned it as such.  It looks like your Bayes
database is corrupt and will need to be rebuilt at some point.

However, before doing that, we need to figure out why all this hit was
date-in-future.

I'm a little concerned that that initial Received header from Qmail may be
keeping SA from analyzing the return headers.  This could cause a lot of the
net tests to fail.  However, maybe that header is ok.  Others that know more
about received headers than I do will look at it.

If that spam had been in English the body text would have nailed it.
"Greencard lottery" is pretty much a guaranteed spam indicator all by
itself.  This looks like a case where a few of the rules for these things
could profitably be translated to German, by someone that speaks both
languages.  (I don't, or I'd just do it.)

There is a good chance though that register-usa.com should have hit SURBL.
This makes me think your net tests aren't working.  Since this is 3.0.4,
they should be by default.

Why don't you run "spamassassin --lint -D" and post the output.  My guess is
you either have a problem with the Net::DNS version, or init.pre isn't
installed correctly.  (Of course you might be starting SA with the -L
parameter that disables net tests.)

   Loren



 


Here's what you wanted (by spamassassin --lint -D):

spamassassin --lint -D
debug: SpamAssassin version 3.0.4
debug: Score set 0 chosen.
debug: running in taint mode? yes
debug: Running in taint mode, removing unsafe env vars, and resetting PATH
debug: PATH included '/sbin', keeping.
debug: PATH included '/usr/sbin', keeping.
debug: PATH included '/usr/local/sbin', keeping.
debug: PATH included '/root/bin', keeping.
debug: PATH included '/usr/local/bin', keeping.
debug: PATH included '/usr/local/news/bin', keeping.
debug: PATH included '/usr/bin', keeping.
debug: PATH included '/usr/X11R6/bin', keeping.
debug: PATH included '/bin', keeping.
debug: PATH included '/var/qmail/bin', keeping.
debug: PATH included '/usr/local/bin/ezmlm', keeping.
debug: PATH included '/usr/local/sbin', keeping.
debug: PATH included '/usr/games', keeping.
debug: PATH included '/opt/gnome/bin', keeping.
debug: PATH included '/opt/kde3/bin', keeping.
debug: PATH included '/usr/lib/java/jre/bin', keeping.
debug: Final PATH set to: 
/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/local/news/bin:/usr/bin:/usr/X11R6/bin:/bin:/var/qmail/bin:/usr/local/bin/ezmlm:/usr/local/sbin:/usr/games:/opt/gnome/bin:/opt/kde3/bin:/usr/lib/java/jre/bin

debug: diag: module installed: DBI, version 1.48
debug: diag: module installed: DB_File, version 1.811
debug: diag: module installed: Digest::SHA1, version 2.10
debug: diag: module installed: IO::Socket::UNIX, version 1.21
debug: diag: module installed: MIME::Base64, version 3.05
debug: diag: module installed: Net::DNS, version 0.52
debug: diag: module not installed: Net::LDAP ('require' failed)
debug: diag: module installed: Razor2::Client::Agent, version 2.72
debug: diag: module installed: Storable, version 2.15
debug: diag: module installed: URI, version 1.35
debug: ignore: using a test message to lint rules
debug: using "/etc/mail/spamassassin/init.pre" for site rules init.pre
debug: config: read file /etc/mail/spamassassin/init.pre
debug: using "/usr/share/spamassassin" for default rules dir
debug: config: read file /usr/share/spamassassin/10_misc.cf
debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/share/spamassassin/20_compensate.cf
debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/share/spamassassin/20_drugs.cf
debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/share/spamassassin/20_phrases.cf
debug: config: read file /usr/share/spamassassin/20_porn.cf
debug: config: read file /usr/share/spamassassin/20_ratware.cf
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/23_bayes.cf
debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/share/spamassassin/25_spf.cf
debug: config: read file /usr/share/spamassassin/25_uribl.cf
debug: config: read file /usr/share/spamassassin/30_text_de.cf
debug: config: read file /usr/share/spamassassin

Just upgraded to SA3.0.4

2005-07-09 Thread Dr Robert Young

I just upgraded a box that had a "broken" SA 2.63 to SA 3.0.4

I noticed the following in the maillog... is this normal for a very 
"low" activity system? The "no active filter" has me worried.


Using spamassassin and spamc to send in the "sample" emails showed 
them to be working, but that does not test the sendmail -> milter-spamc  
link


Jul  9 07:12:20 email2 sendmail[1175]: NOQUEUE: connect from 
gorilla.jungle.com [38.151.210.157]
Jul  9 07:12:20 email2 sendmail[1175]: j69BCKK8001175: Milter: no 
active filter
Jul  9 07:12:20 email2 sendmail[1175]: j69BCKK8001175: 
gorilla.jungle.com [38.151.210.157] did not issue MAIL/EXPN/VRFY/ETRN 
during connection to MTA
Jul  9 07:15:01 email2 sendmail[1199]: NOQUEUE: connect from 
[209.202.135.142]
Jul  9 07:15:01 email2 sendmail[1199]: j69BF1K8001199: Milter: no 
active filter
Jul  9 07:15:01 email2 sendmail[1199]: j69BF1K8001199: 
[209.202.135.142] did not issue MAIL/EXPN/VRFY/ETRN during connection 
to MTA







Re: How can I correctly detect these spams?

2005-07-09 Thread Thomas Booms

Loren Wilton schrieb:


Well, header I have on detected spams like these (possibly I need to
reconfigure something) to get the above lists:

X-Spam-Status: No, score=-1.8 required=1.5 tests=BAYES_00,
DATE_IN_FUTURE_03_06 autolearn=ham version=3.0.4
   



This says that the message is NOT spam.  Bayes in particular is convinced
that it was ham, and has auto-learned it as such.  It looks like your Bayes
database is corrupt and will need to be rebuilt at some point.

However, before doing that, we need to figure out why all this hit was
date-in-future.

I'm a little concerned that that initial Received header from Qmail may be
keeping SA from analyzing the return headers.  This could cause a lot of the
net tests to fail.  However, maybe that header is ok.  Others that know more
about received headers than I do will look at it.

If that spam had been in English the body text would have nailed it.
"Greencard lottery" is pretty much a guaranteed spam indicator all by
itself.  This looks like a case where a few of the rules for these things
could profitably be translated to German, by someone that speaks both
languages.  (I don't, or I'd just do it.)

There is a good chance though that register-usa.com should have hit SURBL.
This makes me think your net tests aren't working.  Since this is 3.0.4,
they should be by default.

Why don't you run "spamassassin --lint -D" and post the output.  My guess is
you either have a problem with the Net::DNS version, or init.pre isn't
installed correctly.  (Of course you might be starting SA with the -L
parameter that disables net tests.)

   Loren



 

Well, here's the content of my init.pre and then the running 
spamassassin task:


# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# This file will be loaded before *all other* configuration files, including
# the system configuration.  As such, it's a good place to set things that
# will affect how those files are parsed, like which plugins are loaded
# etc.
#
###

# RelayCountry - add metadata for Bayes learning, marking the countries
# a message was relayed through
#
# loadplugin Mail::SpamAssassin::Plugin::RelayCountry

# URIDNSBL - look up URLs found in the message against several DNS
# blocklists.
#
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

# Hashcash - perform hashcash verification.
#
loadplugin Mail::SpamAssassin::Plugin::Hashcash

# SPF - perform SPF verification.
#
loadplugin Mail::SpamAssassin::Plugin::SPF

(I've never touched that file)

/usr/bin/perl -T -w /usr/bin/spamd -q -H /etc/mail/spamassassin
\_ spamd child
\_ spamd child
\_ spamd child
\_ spamd child
\_ spamd child


--
Booms EDV
- hosting & more -
Herrenstrasse 10
D-59073 Hamm

www.booms-edv.de
[EMAIL PROTECTED]



Re: How can I correctly detect these spams?

2005-07-09 Thread Loren Wilton
> Well, header I have on detected spams like these (possibly I need to
> reconfigure something) to get the above lists:
>
> X-Spam-Status: No, score=-1.8 required=1.5 tests=BAYES_00,
> DATE_IN_FUTURE_03_06 autolearn=ham version=3.0.4

This says that the message is NOT spam.  Bayes in particular is convinced
that it was ham, and has auto-learned it as such.  It looks like your Bayes
database is corrupt and will need to be rebuilt at some point.

However, before doing that, we need to figure out why all this hit was
date-in-future.

I'm a little concerned that that initial Received header from Qmail may be
keeping SA from analyzing the return headers.  This could cause a lot of the
net tests to fail.  However, maybe that header is ok.  Others that know more
about received headers than I do will look at it.

If that spam had been in English the body text would have nailed it.
"Greencard lottery" is pretty much a guaranteed spam indicator all by
itself.  This looks like a case where a few of the rules for these things
could profitably be translated to German, by someone that speaks both
languages.  (I don't, or I'd just do it.)

There is a good chance though that register-usa.com should have hit SURBL.
This makes me think your net tests aren't working.  Since this is 3.0.4,
they should be by default.

Why don't you run "spamassassin --lint -D" and post the output.  My guess is
you either have a problem with the Net::DNS version, or init.pre isn't
installed correctly.  (Of course you might be starting SA with the -L
parameter that disables net tests.)

Loren



Re: How can I correctly detect these spams?

2005-07-09 Thread jdow
From: "Thomas Booms" <[EMAIL PROTECTED]>

> I have now changed the REPORT_SAFE setting to 2 and get the headers.
> Can you see whether network tests are running or not?
>
> 
>
> >From - Sat Jul  9 12:58:05 2005
> X-UIDL: 1120906515.M816654P13835051595651361458.host1
> X-Mozilla-Status: 0001
> X-Mozilla-Status2: 1000
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: from localhost by host1.booms-edv.de
> with SpamAssassin (version 3.0.4);
> Sat, 09 Jul 2005 12:55:05 +0200
> From: "Juliana Cope" <[EMAIL PROTECTED]>
> To: "Thomas.booms" <[EMAIL PROTECTED]>
> Subject: ***SPAM*** Try Vi:agra Today
> Date: Sat, 09 Jul 2005 04:47:57 -0700
> Message-Id: <[EMAIL PROTECTED]>
> X-Spam-Level: **
> X-Spam-Status: Yes, score=14.7 required=1.5 tests=BAYES_99,DRUGS_ERECTILE,
> DRUGS_ERECTILE_OBFU,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,
> MIME_BOUND_DD_DIGITS,RCVD_BY_IP,SUBJECT_DRUG_GAP_VIA autolearn=no
> version=3.0.4
> X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
host1.booms-edv.de
> X-Spam-Report:
> *  0.1 RCVD_BY_IP Received by mail server with no name
> *  4.4 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr
1)
> *  0.3 SUBJECT_DRUG_GAP_VIA Subject contains a gappy version of 'viagra'
> *  1.2 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
> *  4.1 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
> *  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
> *  [score: 1.]
> *  0.2 DRUGS_ERECTILE Refers to an erectile drug
> *  0.9 DRUGS_ERECTILE_OBFU Obfuscated reference to an erectile drug
> X-Spam-Flag: YES
>
> 
>
> Thomas

No, they aren't. You must not have a DNS with which SpamAssassin is
happy. It may be the perl Net::DNS module or the basic DNS setup at
your place.

{^_^}




Re: How can I correctly detect these spams?

2005-07-09 Thread Thomas Booms

Loren Wilton schrieb:


How can I see in the mail header whether network tests run?
   



You would see tests like SURBL and other net tests hitting.  For instance:

1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see
]
3.1 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL
   [222.100.230.130 listed in sbl-xbl.spamhaus.org]
1.6 DNS_FROM_RFC_POST  RBL: Envelope sender in
postmaster.rfc-ignorant.org
1.0 URIBL_SBL  Contains an URL listed in the SBL blocklist
   [URIs: iprohealth.info]
0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
   [URIs: iprohealth.info]
4.0 URIBL_JP_SURBL Has URI in JP at http://www.surbl.org/lists.html
   [URIs: iprohealth.info]
1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
   [URIs: iprohealth.info]
3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
   [URIs: iprohealth.info]
4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
   [URIs: iprohealth.info]

All of those are network tests.  There are also more than that.


 


Is it enough to post only the headers here, not the mail bodies, to get
help setting better rules?
   



We can tell you what hit from the headers and possibly suggest things from
that.  To be definitive we would need to see the body also.

However, as a general rule if you get net tests working and perhaps pick up
some rules from rulesemporium, you should be doing pretty well.

   Loren



 


I have now changed the REPORT_SAFE setting to 2 and get the headers.
Can you see whether network tests are running or not?




From - Sat Jul  9 12:58:05 2005

X-UIDL: 1120906515.M816654P13835051595651361458.host1
X-Mozilla-Status: 0001
X-Mozilla-Status2: 1000
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: from localhost by host1.booms-edv.de
with SpamAssassin (version 3.0.4);
Sat, 09 Jul 2005 12:55:05 +0200
From: "Juliana Cope" <[EMAIL PROTECTED]>
To: "Thomas.booms" <[EMAIL PROTECTED]>
Subject: ***SPAM*** Try Vi:agra Today
Date: Sat, 09 Jul 2005 04:47:57 -0700
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Level: **
X-Spam-Status: Yes, score=14.7 required=1.5 tests=BAYES_99,DRUGS_ERECTILE,
DRUGS_ERECTILE_OBFU,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,
	MIME_BOUND_DD_DIGITS,RCVD_BY_IP,SUBJECT_DRUG_GAP_VIA autolearn=no 
	version=3.0.4

X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on host1.booms-edv.de
X-Spam-Report: 
	*  0.1 RCVD_BY_IP Received by mail server with no name

*  4.4 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP 
addr 1)
*  0.3 SUBJECT_DRUG_GAP_VIA Subject contains a gappy version of 'viagra'
*  1.2 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
*  4.1 MIME_BOUND_DD_DIGITS Spam tool pattern in MIME boundary
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  0.2 DRUGS_ERECTILE Refers to an erectile drug
*  0.9 DRUGS_ERECTILE_OBFU Obfuscated reference to an erectile drug
X-Spam-Flag: YES



Thomas

--
Booms EDV
- hosting & more -
Herrenstrasse 10
D-59073 Hamm

www.booms-edv.de
[EMAIL PROTECTED]



Re: How can I correctly detect these spams?

2005-07-09 Thread Thomas Booms

Loren Wilton schrieb:


How can I see in the mail header whether network tests run?
   



You would see tests like SURBL and other net tests hitting.  For instance:

1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see
]
3.1 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL
   [222.100.230.130 listed in sbl-xbl.spamhaus.org]
1.6 DNS_FROM_RFC_POST  RBL: Envelope sender in
postmaster.rfc-ignorant.org
1.0 URIBL_SBL  Contains an URL listed in the SBL blocklist
   [URIs: iprohealth.info]
0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
   [URIs: iprohealth.info]
4.0 URIBL_JP_SURBL Has URI in JP at http://www.surbl.org/lists.html
   [URIs: iprohealth.info]
1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
   [URIs: iprohealth.info]
3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
   [URIs: iprohealth.info]
4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
   [URIs: iprohealth.info]

All of those are network tests.  There are also more than that.


 


Is it enough to post only the headers here, not the mail bodies, to get
help setting better rules?
   



We can tell you what hit from the headers and possibly suggest things from
that.  To be definitive we would need to see the body also.

However, as a general rule if you get net tests working and perhaps pick up
some rules from rulesemporium, you should be doing pretty well.

   Loren



 

Well, header I have on detected spams like these (possibly I need to 
reconfigure something) to get the above lists:



From - Fri Jul  8 23:49:19 2005

X-UIDL: 1120816053.M599315P13835051595651358838.host1
X-Mozilla-Status: 0001
X-Mozilla-Status2: 
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 8304 invoked by uid 567); 8 Jul 2005 09:47:23 -
Received: from 212.244.155.196 by host1 (envelope-from <[EMAIL PROTECTED]>, uid 502) with qmail-scanner-1.25 
(clamdscan: 0.86.1/971. spamassassin: 3.0.4.  
Clear:RC:0(212.244.155.196):SA:0(-1.8/1.5):. 
Processed in 1.2544 secs); 08 Jul 2005 09:47:23 -

Received: from unknown (HELO freesulf.de) (212.244.155.196)
 by 0 with SMTP; 8 Jul 2005 09:47:21 -
Message-ID: <[EMAIL PROTECTED]>
Date: Fri, 08 Jul 2005 11:26:35 -0200
Reply-To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
User-Agent: Mozilla 4.78 [en] (Windows NT 5.0; U)
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Brett Koehler" <[EMAIL PROTECTED]>
Subject: Jetzt bewerben USA Green-Cards Leben und Arbeiten in USA / Live and 
work in the United States
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-1.8 required=1.5 tests=BAYES_00,
DATE_IN_FUTURE_03_06 autolearn=ham version=3.0.4
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on host1.booms-edv.de


   
-- Deutsch hier-German here /English see 2 nd part --

The US government is again giving away 50,000 Green Cards.
Live and work in the USA

Take part in this year's Green Card Program of the US government 
and get yourself the life and the freedom you deserve.

Green-Card  Program 2005!  Apply now!

Don't miss your chance! 


click here:
http://register-usa.com/de/application.htm


Seems I only have a summary of the tests.

Thomas

--
Booms EDV
- hosting & more -
Herrenstrasse 10
D-59073 Hamm

www.booms-edv.de
[EMAIL PROTECTED]



Re: How can I correctly detect these spams?

2005-07-09 Thread Loren Wilton
> How can I see in the mail header whether network tests run?

You would see tests like SURBL and other net tests hitting.  For instance:

 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
 [Blocked - see
]
 3.1 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL
[222.100.230.130 listed in sbl-xbl.spamhaus.org]
 1.6 DNS_FROM_RFC_POST  RBL: Envelope sender in
postmaster.rfc-ignorant.org
 1.0 URIBL_SBL  Contains an URL listed in the SBL blocklist
[URIs: iprohealth.info]
 0.4 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
[URIs: iprohealth.info]
 4.0 URIBL_JP_SURBL Has URI in JP at http://www.surbl.org/lists.html
[URIs: iprohealth.info]
 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: iprohealth.info]
 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
[URIs: iprohealth.info]
 4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: iprohealth.info]

All of those are network tests.  There are also more than that.


> Is it enough to post only the headers here, not the mail bodies, to get
> help setting better rules?

We can tell you what hit from the headers and possibly suggest things from
that.  To be definitive we would need to see the body also.

However, as a general rule if you get net tests working and perhaps pick up
some rules from rulesemporium, you should be doing pretty well.

Loren
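Loren's two points in this thread, that the X-Spam-Status line says what the filter concluded and which rules hit, and that network tests show up as RBL/SURBL rule names among those hits, can be turned into a mechanical check. The following is an added example in Python, not code from the thread or from SpamAssassin: it unfolds a possibly multi-line X-Spam-Status value, splits out score, threshold, tests, autolearn and version, and lists the hits whose names only occur when network tests are enabled. The rule-name prefixes and the sample headers are constructed from the rules and headers quoted in this thread; note that a single message without such hits is only weak evidence that network tests are off, since a clean message legitimately has none.

```python
import re

# Rule-name prefixes that only fire when SpamAssassin's network tests are
# enabled (DNSBL relay checks, SURBL/URIBL lookups, rfc-ignorant lookups).
# Constructed from the rules quoted in this thread; not an exhaustive list.
NET_RULE_PREFIXES = ("RCVD_IN_", "URIBL_", "DNS_FROM_")

STATUS_RE = re.compile(
    r"^(?P<verdict>Yes|No),\s*"
    r"score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+"
    r"tests=(?P<tests>.*?)\s+"
    r"autolearn=(?P<autolearn>\S+)\s+"
    r"version=(?P<version>\S+)\s*$",
    re.DOTALL,
)


def unfold(header_value: str) -> str:
    """Join RFC 2822 continuation lines (newline followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", header_value.strip())


def parse_spam_status(header_value: str) -> dict:
    """Split an X-Spam-Status value into its fields and classify the hits."""
    m = STATUS_RE.match(unfold(header_value))
    if not m:
        raise ValueError("not an X-Spam-Status value: %r" % header_value)
    tests = [t.strip() for t in m["tests"].split(",") if t.strip()]
    if tests == ["none"]:          # SpamAssassin writes tests=none when nothing hit
        tests = []
    net_tests = [t for t in tests if t.startswith(NET_RULE_PREFIXES)]
    return {
        "verdict": m["verdict"],
        "score": float(m["score"]),
        "required": float(m["required"]),
        "tests": tests,
        "autolearn": m["autolearn"],
        "version": m["version"],
        "net_tests": net_tests,
    }


def network_tests_evident(header_value: str) -> bool:
    """True if at least one network-only rule hit this message."""
    return bool(parse_spam_status(header_value)["net_tests"])


# Constructed samples: the two headers quoted in this thread, folded the way a
# real header is, plus one with network hits and one with no hits at all.
HAM_HEADER = (
    "No, score=-1.8 required=1.5 tests=BAYES_00,\n"
    "\tDATE_IN_FUTURE_03_06 autolearn=ham version=3.0.4"
)
SPAM_HEADER = (
    "Yes, score=14.7 required=1.5 tests=BAYES_99,DRUGS_ERECTILE,\n"
    "\tDRUGS_ERECTILE_OBFU,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,\n"
    "\tMIME_BOUND_DD_DIGITS,RCVD_BY_IP,SUBJECT_DRUG_GAP_VIA autolearn=no \n"
    "\tversion=3.0.4"
)
NET_HEADER = (
    "Yes, score=9.8 required=5.0 tests=BAYES_50,RCVD_IN_BL_SPAMCOP_NET,\n"
    "\tURIBL_SC_SURBL autolearn=no version=3.0.4"
)
EMPTY_HEADER = "No, score=0.0 required=5.0 tests=none autolearn=no version=3.0.4"

if __name__ == "__main__":
    for name, hdr in (("ham", HAM_HEADER), ("spam", SPAM_HEADER), ("net", NET_HEADER)):
        info = parse_spam_status(hdr)
        print(name, info["verdict"], info["score"], "net hits:", info["net_tests"] or "none")
```

Run over a day's worth of mail rather than one message: if no X-Spam-Status in the whole batch carries an RCVD_IN_, URIBL_ or DNS_FROM_ hit, the network tests are almost certainly not running, which is the situation Loren suspects above.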



Re: Still need to work on Mail SpamAssassin 3.1.0

2005-07-09 Thread Kai Schaetzl
The Doctor wrote on Fri, 8 Jul 2005 17:22:02 -0600:

> Next suggestion?

Take a long sleep and ask yourself if the attitude you are currently 
showing will get you any further.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: How can I filter this kind of spam?

2005-07-09 Thread Kai Schaetzl
Michael Moyse wrote on Fri, 08 Jul 2005 17:55:32 +0100:

> To me it looks like a duck and sounds like a duck  I'm probably wrong 
> and missing something here because I'm no expert so I'm happy to be 
> enlightened.

Ok, I enlighten you ;-) I hope I'm not wrong. Now that I look again at the 
headers it turns out I was wrong as well, see below.

>From the headers:

Received: (qmail 10812 invoked by uid 567); 5 Jul 2005 12:03:20 - 
Received: from 65.33.195.76 by host1 (envelope-from 
<[EMAIL PROTECTED]>, uid 502) with 
qmail-scanner-1.25 
(clamdscan: 0.86.1/967. spamassassin: 3.0.4.   
Clear:RC:0(65.33.195.76):SA:0(0.0/1.5):. 
Processed in 0.44071 secs); 05 Jul 2005 12:03:20 - 
Received: from unknown (HELO ss) (65.33.195.76) 
 by 0 with SMTP; 5 Jul 2005 12:03:19 - 

>> 65.33.195.76 = 76.195.33.65.cfl.res.rr.com !

Received: from vitalmex.com.mx (mail1.vitalmex.com.mx [148.223.241.181]) 
by 76.195.33.65.cfl.res.rr.com (Pastfix) with ESMTP id 0456EDBA28 
for <[EMAIL PROTECTED]>; Tue, 05 Jul 2005 05:21:23 -0700 

The mail went:
vitalmex -> Roadrunner (Po/astfix) -> booms-edv.de (qmail)
The last Received line looks forged (Pastfix), there's also no SMTP 
running at 76.195.33.65.cfl.res.rr.com (=no open/abusable relay). This 
suggests that the mail was sent out directly from that roadrunner account 
and the last Received plus all vitalmex stuff is completely forged. Also, 
a spammer who abused a Roadrunner account would obviously not send 
openly from his own MX and give you a return-path which leads back to 
him.

So, what you actually have to block is .rr.com and not .vitalmex.com.mx or 
.mx. This mail would have never reached us, because we already block all 
of .rr.com :-)


Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
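Kai's reasoning above, written out as an added example in Python (not code from the thread): walk the Received headers top-down, trust only the hops written by your own relays, and take the connecting IP recorded at the last trusted hop as the real origin. Every Received line below that boundary was supplied by the sender and may be forged (here the "Pastfix" line), so it is reported for review rather than believed. The header block is constructed from the one Kai quotes, with the e-mail addresses replaced by placeholders; the trusted relay names host1 and 0 are assumed from the "by" clauses our own stack wrote in those headers.

```python
import re

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"\bfrom\s+(.*?)(?=\s+by\s|\s+with\s|;|$)", re.I | re.S)
BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.I)
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)", re.I)

# Constructed from the header block quoted above; addresses are placeholders.
RAW_HEADERS = """\
Received: (qmail 10812 invoked by uid 567); 5 Jul 2005 12:03:20 -0000
Received: from 65.33.195.76 by host1 (envelope-from <sender@example.invalid>, uid 502) with qmail-scanner-1.25
 (clamdscan: 0.86.1/967. spamassassin: 3.0.4.
 Clear:RC:0(65.33.195.76):SA:0(0.0/1.5):.
 Processed in 0.44071 secs); 05 Jul 2005 12:03:20 -0000
Received: from unknown (HELO ss) (65.33.195.76)
  by 0 with SMTP; 5 Jul 2005 12:03:19 -0000
Received: from vitalmex.com.mx (mail1.vitalmex.com.mx [148.223.241.181])
 by 76.195.33.65.cfl.res.rr.com (Pastfix) with ESMTP id 0456EDBA28
 for <recipient@example.invalid>; Tue, 05 Jul 2005 05:21:23 -0700
"""

# The "by" names our own MTA stack wrote in the quoted headers (assumed here).
TRUSTED_RELAYS = {"host1", "0"}


def received_headers(raw: str) -> list:
    """Return the unfolded Received: values in the order they appear."""
    hops, current = [], None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and current is not None:
            current.append(line.strip())            # folded continuation line
        elif line.lower().startswith("received:"):
            current = [line[len("received:"):].strip()]
            hops.append(current)
        else:
            current = None
    return [" ".join(parts) for parts in hops]


def parse_hop(value: str) -> dict:
    """Pull the from-clause, HELO name, connecting IP and by-host out of one hop."""
    fm = FROM_RE.search(value)
    if not fm:                                       # local delivery step, no SMTP peer
        return {"from": None, "helo": None, "ip": None, "by": None}
    clause = fm.group(1).strip()
    by = BY_RE.search(value, fm.end())
    ip = IPV4_RE.search(clause)
    helo = HELO_RE.search(clause)
    return {
        "from": clause,
        "helo": helo.group(1) if helo else clause.split()[0],
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
    }


def find_origin(raw: str, trusted_relays: set) -> dict:
    """Trust hops top-down while our own relays wrote them; the connecting IP of
    the last trusted hop is the real origin. Hops below the first untrusted one
    were supplied by the sender and are returned for manual review."""
    hops = [parse_hop(h) for h in received_headers(raw)]
    trusted = 0
    for hop in hops:
        if hop["by"] is not None and hop["by"] not in trusted_relays:
            break                 # the sender could not have written the hops above this one
        trusted += 1
    origin = next((h for h in reversed(hops[:trusted]) if h["ip"]), None)
    return {
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo": origin["helo"] if origin else None,
        "trusted_hops": trusted,
        "untrusted_by": [h["by"] for h in hops[trusted:]],
    }


if __name__ == "__main__":
    result = find_origin(RAW_HEADERS, TRUSTED_RELAYS)
    print("real origin:", result["origin_ip"], "HELO", result["origin_helo"])
    print("sender-supplied hops to review:", result["untrusted_by"])
```

The security property that makes this work is that a sender can prepend any Received lines he likes, but cannot alter the ones your own relays add on top, so only the connecting IP recorded at the trust boundary (65.33.195.76, the Roadrunner address Kai identifies) should drive a block decision.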





Re: SpamAssassin w/POP3 & SMTP outsourced e-mail server...

2005-07-09 Thread Kai Schaetzl
Jesse Shumaker wrote on Fri, 8 Jul 2005 01:51:13 -0700:

> I want to do 
> what you say you've created at home but don't have documentation on how to 
> set this up.

virusscanning + SA: check out MailScanner or MIMEDefang.
BTW: most Linux systems can adapt to different hardware quite nicely. If you 
use the default kernel of a Suse distribution you can even switch between AMD 
and Intel.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: SURBL & SA 3.0.4

2005-07-09 Thread Kai Schaetzl
Dr Robert Young wrote on Fri, 8 Jul 2005 20:34:00 -0400:

> Is there a particular "port" and/or "protocol (TCP/UDP) that must be 
> opened on any firewalls that might be on the network for the plugin to 
> work?

Probably 53. If you have control of the firewall, then simply shut it off 
for a few minutes and test. If it then works you can check out which ports 
you have to open in addition.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: rpm installation and dependencies

2005-07-09 Thread Kai Schaetzl
Jim Maul wrote on Fri, 08 Jul 2005 11:40:11 -0400:

> http://perl.arix.com/cpan2rpm/

Thanks, I had a look at it. Unfortunately, looks like too much work 
compared to --nodeps ;-)

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





Re: How can I correctly detect these spams?

2005-07-09 Thread Thomas Booms




You need URIBL lookups. See www.surbl.org and www.uribl.com for
information.

I've installed that stuff several times because of some problems I got 
in the beginning. On the last install it seems something went wrong and 
no Net::DNS was installed. So I did it again a few days ago.



Do you have network tests turned off?


No. The flags for local-only tests aren't in the startup line of the init script.


I ask because SURBL should be included by default in 3.0.4 and they did hit 
your examples on
my server, but not on yours. Trying to catch these based simply on the
content of the message without any blacklist lookups is trying to hit a
moving target. Rules cannot be updated fast enough to catch new
varieties and by the time the rules are updated, spammers have changed
their techniques. You need network tests enabled if you want to be more
accurate with these.

 


How can I see in the mail header whether network tests run?

Is it enough to post only the headers here, not the mail bodies, to get 
help setting better rules?


Thomas

--
Booms EDV
- hosting & more -
Herrenstrasse 10
D-59073 Hamm

www.booms-edv.de
[EMAIL PROTECTED]