Re: how to submit a spammer?
On Friday, July 8, 2005, 6:44:55 AM, Kris Deugau wrote:
> jj-ml wrote:
>> I've received once a day a spam from [EMAIL PROTECTED] (fidbroker.com)
>> Since it is a French company and I live in France, I call them (the phone number is in the spam) and tell them to stop. They told me they will do so, but of course they don't do anything. Obviously, they already had pb with their previous ISP and change their email address.
>
> If the sender address is consistent in any way, blacklist them. If not, check the message headers or body to see if there's anything consistent between messages that you can write a rule or set of rules for. If you feel like making the effort, track down their ISP and let them know that their user is generating spam.
>
>> So I want to submit the website and their email to a RBL so that everybody can tag them as spam. How to do so?
>
> http://www.surbl.org and http://www.uribl.com both accept submissions in one form or another. Check through their websites and see if they're what you're looking for.

A very good way to submit spam for inclusion on SURBLs is to use SpamCop. The sc.surbl.org list is derived from the spamvertised site data there.

Jeff C.
--
Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: Failed to run DNS_FROM_AHBL_RHSBL RBL SpamAssassin test
What version of Net::DNS? I vaguely recall that may be related. Loren
Re: messages with no body
> header   __L_MSG_HAS_C_TYPE_M  Content-Type =~ /^(message|multipart)/i
> rawbody  __L_MSG_HAS_BODY      /\S/
> describe L_MSG_NO_BODY         Raw message does not have any body data
> meta     L_MSG_NO_BODY         (!__L_MSG_HAS_C_TYPE_M && !__L_MSG_HAS_BODY)
> score    L_MSG_NO_BODY         0.1
>
> BTW, I am doing this so that postfix can trap the rule after the message has undergone filtering, so that the message can simply be rejected (there's no judgement as to spamminess here, just a check to see if the message has any content).

Note that in business circles content includes the subject. As far as I know, rawbody won't see a subject. It is fairly common to send one line questions in the subject with an empty body, and one line replies likewise. Your rule would dump these mails, which is why the versions I wrote of this would check for lack of body, subject, and to. If you don't have a body and you don't have a subject there isn't much content. If you don't have a to, then it is pretty useless. But just lacking a body isn't imho sufficient to conclude content-less.

Loren
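The difference between the two checks discussed in this message, as an added Python example (not code from the thread, and not SpamAssassin's rule engine): `body_only_rule` mirrors the quoted meta rule, `contentless` adds the Subject and To conditions. The sample messages and all function names are constructed for illustration.

```python
import email
import re

# Constructed sample messages (not taken from the thread).
SUBJECT_ONLY = ("From: alice@example.com\nTo: bob@example.com\n"
                "Subject: Lunch at noon?\n\n")
EMPTY = "From: sender@example.net\nMessage-Id: <1@example.net>\n\n   \n"
NORMAL = ("From: alice@example.com\nTo: bob@example.com\n"
          "Subject: notes\n\nSee the attached notes.\n")
MULTIPART = ("From: alice@example.com\nTo: bob@example.com\n"
             "Content-Type: multipart/mixed; boundary=\"b\"\n\n"
             "--b\n\n\n--b--\n")


def body_only_rule(msg):
    """Mirror of the quoted rule: the Content-Type is not message/* or
    multipart/*, and the raw body has no non-whitespace character."""
    if msg.get_content_maintype() in ("message", "multipart"):
        return False
    return re.search(r"\S", msg.get_payload()) is None


def header_blank(msg, name):
    """True when the header is missing or contains only whitespace."""
    return not (msg.get(name) or "").strip()


def contentless(msg):
    """Stricter test from the reply: no body AND no Subject AND no To."""
    return (body_only_rule(msg)
            and header_blank(msg, "Subject")
            and header_blank(msg, "To"))


def classify(raw):
    """Return (body_only_rule hit, contentless hit) for a raw message."""
    msg = email.message_from_string(raw)
    return body_only_rule(msg), contentless(msg)


if __name__ == "__main__":
    for label, raw in [("subject-only", SUBJECT_ONLY), ("empty", EMPTY),
                       ("normal", NORMAL), ("multipart", MULTIPART)]:
        print(label, classify(raw))
```

A subject-only question trips the body-only rule but not the stricter one, which is the false-reject case the reply describes.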
Adding information messages to SPAM
Hi,

I am currently running Spamassassin with Postfix and Clamav. Everything is working well but I would like to see whether the following is possible and how to go about it.

At the moment we send all SPAM messages onto the recipient with the subject line flagged as SPAM and this works well. However, we have had a couple of false positives that I would like to be made aware of. Is there any way of placing a message - say at the top of the mail - stating that if this message has been incorrectly flagged as SPAM then please let us know.

Is there any way of doing this with Spamassassin? I only want to flag those reported as SPAM though.

Many thanks,
Dean
Logwatch message triggers spamd to consume 900+MB of RAM
One of my servers can generate fairly large logwatch emails. These emails cause spamassassin to consume memory until it's killed. I removed any custom rules that I had (I had some sare rules) and the problem still occurred.

I caught a bunch of data in a log file while spamd was running. Things look normal up until ...

Jul 13 02:41:44 ls2 spamd[4413]: debug: uri found: mailto:[EMAIL PROTECTED]
Jul 13 02:41:44 ls2 spamd[4413]: debug: uri found: mailto:[EMAIL PROTECTED]
Jul 13 02:41:44 ls2 spamd[4413]: debug: uri found: mailto:[EMAIL PROTECTED]
Jul 13 02:41:44 ls2 spamd[4413]: debug: uri found: mailto:[EMAIL PROTECTED]
Jul 13 02:41:44 ls2 spamd[4413]: debug: uri found: mailto:[EMAIL PROTECTED]
Jul 13 02:41:44 ls2 spamd[4413]: debug: uri found: mailto:[EMAIL PROTECTED]
Jul 13 02:41:44 ls2 spamd[4413]: debug: uri found: mailto:[EMAIL PROTECTED]

There are several hundred of these messages each with a different email address... and then the log continues with ...

Jul 13 02:41:44 ls2 spamd[4413]: debug: uri found: mailto:[EMAIL PROTECTED]
Jul 13 02:41:44 ls2 spamd[4413]: debug: uri found: mailto:[EMAIL PROTECTED]
Jul 13 02:41:44 ls2 spamd[4413]: debug: URIDNSBL: domains to query: learningpatterns.com e-unitas.co.kr linuxmedicalnews.com thesasclan.co.uk
Jul 13 02:41:44 ls2 spamd[4413]: debug: is Net::DNS::Resolver available? yes
Jul 13 02:41:44 ls2 spamd[4413]: debug: Net::DNS version: 0.48
Jul 13 02:41:44 ls2 spamd[4413]: debug: all '*From' addrs: [EMAIL PROTECTED]
Jul 13 02:41:46 ls2 spamd[4413]: debug: Running tests for priority: 0
Jul 13 02:41:46 ls2 spamd[4413]: debug: running header regexp tests; score so far=0
Jul 13 02:41:46 ls2 spamd[4413]: debug: SPF: message was delivered entirely via trusted relays, not required
Jul 13 02:41:46 ls2 spamd[4413]: debug: all '*To' addrs: [EMAIL PROTECTED] [EMAIL PROTECTED]
Jul 13 02:41:46 ls2 spamd[4413]: debug: SPF: message was delivered entirely via trusted relays, not required
Jul 13 02:41:46 ls2 spamd[4413]: debug: running body-text per-line regexp tests; score so far=-102.82

After that the spamd server needs to be killed and restarted. Any ideas?

P.S. This happens with spamassassin 3.0.4 fed via spamd fed via exim. Tested with standard gentoo install and used a clean bayes/whitelist database.

--
Edward Muller - Interlix [EMAIL PROTECTED] 417-862-0573
PGP Key: http://interlix.com/Members/edwardam/pgpkeys
Re: Logwatch message triggers spamd to consume 900+MB of RAM
How big was the mail? By default spamd will skip mails over 250K, unless you have changed this value (or your install has). Loren
Re: Adding information messages to SPAM
report_safe values are related to this. I believe you need the value that encapsulates the spam as an attachment. I forget what glue you said you were using, exim? I believe that it may override some SA options with its own way of doing things, and this may be one of those areas. Possibly there is an Exim option if the obvious SA options don't seem to work. Loren
HELP bv lottery spam
Would someone shed some light on why this message wasn't scanned/tagged and some info about the headers?

1. I don't remember ever seeing the wait headers that appear at the top of this message - what are they? I did notice a delay in receiving this message as if receiving a large file. However, it appears to be a plain-text msg with an attached txt file with a bunch of email addys.

2. The worst part of this is that the usual headers indicating a scan by MY SpamAssassin ARE NOT THERE AT ALL! My server is Luke.wa9als.com, and at the end you see my normal headers from clamav. However, just above that, the clamav-milter and X-Spam lines were added by my ISP (starband). My other emails this morning DO HAVE the usual headers from MY SA, thus indicating that SA is in fact running as usual. Why would this one spammy email escape scanning?

Thanks! - John

X-EMS: wait 10s
X-EMS: wait 20s
X-EMS: wait 30s
X-EMS: wait 40s
X-EMS: wait 50s
X-EMS: wait 60s
X-EMS: wait 70s
X-EMS: wait 80s
X-EMS: wait 90s
X-EMS: wait 100s
Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.localdomain [127.0.0.1]) by wa9als.com (Postfix) with ESMTP id 4734733E679 for [EMAIL PROTECTED]; Wed, 13 Jul 2005 05:11:29 -0500 (EST)
Received: from pop.starband.net [148.78.247.66] by localhost with POP3 (fetchmail-6.2.5) for [EMAIL PROTECTED] (single-drop); Wed, 13 Jul 2005 05:11:29 -0500 (EST)
Received: from hercules.email.starband.net ([unix socket]) by hercules (Cyrus v2.2.1-BETA) with LMTP; Wed, 13 Jul 2005 10:04:12 +
X-Sieve: CMU Sieve 2.2
Received: from cassiopeia.email.starband.net ([10.78.249.22]) by hercules.email.starband.net (8.12.11/8.12.11) with ESMTP id j6DA4Cr2030399 for [EMAIL PROTECTED]; Wed, 13 Jul 2005 06:04:12 -0400
Received: from netcsape975.com (bib69.tbm.tudelft.nl [130.161.217.82]) by cassiopeia.email.starband.net (8.12.11/8.12.11) with SMTP id j6DA3h8l032495 for [EMAIL PROTECTED]; Wed, 13 Jul 2005 06:03:44 -0400
Message-Id: [EMAIL PROTECTED]
From: Lotto bv [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: AWARD NOTIFICATION;FINAL NOTICE
Date: Wed, 13 Jul 2005 12:05:01 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=fbdfff19-c01f-44ef-821e-ba9f11455aa0
X-Virus-Scanned: ClamAV 0.80/967/Mon Jul 4 17:36:05 2005 clamav-milter version 0.80j on cassiopeia
X-Spam-Status: No, hits=3.4 tagged_above=0 required=5
X-Spam-Level: ***
X-Spam-Report: FORGED_RCVD_HELO,MIME_BOUND_MANY_HEX,SARE_SUB_WINNING_NOT,SUBJ_ALL_CAPS
X-Spam-Flag: NO
X-Virus-Status: No
X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with ClamAV 0.86.1/977/Tue Jul 12 17:53:40 2005 signatures 33.977
Status:
X-Antivirus: AVG for E-mail 7.0.336 [267.8.13]
SpamAssassin integrated with MailScanner, using per-user configuration in SQL or otherwise?
Hi, I know this is not the ideal location to ask this, as it IS more a MailScanner question, but shall ask in case anyone here has experience with it. I'm researching integrating SpamAssassin into a MailScanner setup, and from reading the documentation for MailScanner, I get the impression that due to the way MailScanner calls the SpamAssassin Perl module, MailScanner will perform all scanning using one single user. I haven't yet seen a way to specify to MailScanner to pass the necessary arguments to cause SpamAssassin to use per-user configurations (either file-based or SQL-based). Is this in fact possible? Appreciate any help. Roshan
Re: SpamAssassin integrated with MailScanner, using per-user configuration in SQL or otherwise?
[EMAIL PROTECTED] wrote:
> Hi, I know this is not the ideal location to ask this, as it IS more a MailScanner question, but shall ask in case anyone here has experience with it. I'm researching integrating SpamAssassin into a MailScanner setup, and from reading the documentation for MailScanner, I get the impression that due to the way MailScanner calls the SpamAssassin Perl module, MailScanner will perform all scanning using one single user. I haven't yet seen a way to specify to MailScanner to pass the necessary arguments to cause SpamAssassin to use per-user configurations (either file-based or SQL-based). Is this in fact possible? Appreciate any help. Roshan

Roshan

in a word 'no'

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Re: HELP bv lottery spam
Norton AV makes wait headers similar (but not identical) to what you see when it is scanning outbound mail for a virus, as I recall. I suspect this is something similar, but I don't recognize the header. Do you have user rules enabled? If so, check your syslog for an insecure dependency warning from SA when this message was processed. Somehow if you get one of those it is guaranteed that SA won't scan the message, at least using procmail. Loren
Re: Logwatch message triggers spamd to consume 900+MB of RAM
Edward Muller wrote:
> P.S. This happens with spamassassin 3.0.4 fed via spamd fed via exim. Tested with standard gentoo install and used a clean bayes/whitelist database.

You need to setup exim to limit the size of msgs it sends to spamd to 250k. I do not believe this is in place by default. Search the users list archives for a couple of months back when this was discussed several times.

Michael
Re: Logwatch message triggers spamd to consume 900+MB of RAM
Edward Muller wrote:
> One of my servers can generate fairly large logwatch emails. These emails cause spamassassin to consume memory until it's killed. I removed any custom rules that I had (I had some sare rules) and the problem still occurred. [...] Any ideas?

Whitelist the logwatch source email address??

HTH,
Matías.
Re: What is WOMR?
Hello Martin,

Tuesday, July 12, 2005, 1:50:18 PM, you wrote:

MCac> I have a FP that hit on SARE_SPEC_FROM_WOMR and the
MCac> description is Email from address points to WOMR. I tried to
MCac> find more information but the only thing I can find is a radio
MCac> station in Cape Cod. With a score of 4.0, this station must be
MCac> bad :) Anyone have more information on this?

Can you send that FP to me, so I can refine the rule?

Bob Menschel
RE: Failed to run DNS_FROM_AHBL_RHSBL RBL SpamAssassin test
Thank you! Turns out Net::DNS wasn't installed. That took care of it.

- jody

-----Original Message-----
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 12, 2005 8:00 PM
To: users@spamassassin.apache.org
Subject: Re: Failed to run DNS_FROM_AHBL_RHSBL RBL SpamAssassin test

What version of Net::DNS? I vaguely recall that may be related.

Loren
tiff file spam
Is there a way to mark as spam an email which contains basically nothing but an image.tiff file which is, itself, the spam message being displayed as a graphic? Dr. Robert Young ALI Database Consultants 1151 Williams Dr Aiken SC 29803 USA WWW: http://www.aliconsultants.com Tele: 1-803-648-5931 Toll free in US: 1-866-257-8970 Fax:1-803-641-0345 Email: [EMAIL PROTECTED] Source of Rdb Controller, software for database analysis performance tuning
attachments?
I think I know the answer here, but does spamd scan attachments if you are using milter-spamc v 0.25 as the sendmail- spamd link?? Dr. Robert Young ALI Database Consultants 1151 Williams Dr Aiken SC 29803 USA WWW: http://www.aliconsultants.com Tele: 1-803-648-5931 Toll free in US: 1-866-257-8970 Fax:1-803-641-0345 Email: [EMAIL PROTECTED] Source of Rdb Controller, software for database analysis performance tuning
RE: SpamAssassin w/POP3 SMTP outsourced e-mail server...
Jesse,

You might want to look into SimpleFilter (www.simplefilter.com). There is a free trial and the service is cheap.

Tim

---------- Forwarded message ----------
From: Jesse Shumaker [EMAIL PROTECTED]
Date: Jul 5, 2005 2:59 AM
Subject: SpamAssassin w/POP3 SMTP outsourced e-mail server...
To: users@spamassassin.apache.org

Here is my situation. Currently, our e-mail isn't managed within our organization. We have a third party ISP who is hosting the e-mail for us. We simply configure our Outlook clients to authenticate to their SMTP/POP servers. Is there a way that I could setup a SpamAssassin box at each of my sites to filter each Outlook clients' outgoing and incoming mail? I'm not sure if this is possible and I am a novice on the technology of e-mail.

Here's how I see it working: It would be just like a web proxy. The outlook clients are redirected to the spamassassin box which filters the e-mail and forwards/relays the requests onto our ISP's e-mail servers.

If you can assist me at all with this I would be greatly appreciated.

thanks
Blacklisting
I'm attempting to blacklist @freelotto.com

Is this the correct way to edit the local.cf file?

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###
#
# rewrite_header Subject *SPAM*
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock

blacklist_from [EMAIL PROTECTED]

Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax: 212-941-5563
Mailto: [EMAIL PROTECTED]
very low scoring (ie large negative numbers) spam
I have several spam that scored very low on SA 3.0.4 w/ milter-spamc 0.25

X-Spam-Status: NO, hits=-145.70 required=5.00
X-Spam-Status: NO, hits=-153.70 required=5.00
X-Spam-Status: NO, hits=-146.00 required=5.00
X-Spam-Status: NO, hits=-153.80 required=5.00
X-Spam-Status: NO, hits=-153.90 required=5.00

Since all the scores are similar, I am wondering if there is a common cause .? Are there any suggestions on how to investigate the source of the wildly negative score, or does it look familiar?

Is there an option in spamd/milter-spamc to allow the detailed results of spam scoring to be returned (which test contributed which score to the total) for ALL email ( spam and non-spam)??

Dr. Robert Young ALI Database Consultants 1151 Williams Dr Aiken SC 29803 USA WWW: http://www.aliconsultants.com Tele: 1-803-648-5931 Toll free in US: 1-866-257-8970 Fax:1-803-641-0345 Email: [EMAIL PROTECTED] Source of Rdb Controller, software for database analysis performance tuning
Re: very low scoring (ie large negative numbers) spam
Dr Robert Young wrote:
> I have several spam that scored very low on SA 3.0.4 w/ milter-spamc 0.25
>
> X-Spam-Status: NO, hits=-145.70 required=5.00
> X-Spam-Status: NO, hits=-153.70 required=5.00
> X-Spam-Status: NO, hits=-146.00 required=5.00
> X-Spam-Status: NO, hits=-153.80 required=5.00
> X-Spam-Status: NO, hits=-153.90 required=5.00
>
> Since all the scores are similar, I am wondering if there is a common cause .? Are there any suggestions on how to investigate the source of the wildly negative score, or does it look familiar?

Looks like the messages are matching a whitelist_from or all_spam_to statement. Commonly this is somebody doing the simple thing and adding:

whitelist_from [EMAIL PROTECTED]

Which unfortunately whitelists all spam that forges itself as being from an address in your domain. You'll want to use whitelist_from_rcvd instead, or better yet, modify your setup so internal mail doesn't get fed to SA at all and remove the whitelist.
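One way to check for the problem described in this reply, as an added Python example (not code from the thread or from SpamAssassin): it lists `whitelist_from` entries in a local.cf that cover one of your own domains, and picks out X-Spam-Status scores low enough to suggest a whitelist hit. The sample config, the domain example.com and the -100 floor (the stock USER_IN_WHITELIST score) are assumptions; the five negative scores are the ones quoted above.

```python
import re

# Constructed sample config, not a file from the thread.
SAMPLE_LOCAL_CF = """\
# local.cf (constructed sample)
rewrite_header Subject *SPAM*
whitelist_from *@example.com            # own domain: a forged From: matches
whitelist_from partner@example.org boss@EXAMPLE.COM
whitelist_from_rcvd *@example.com mail.example.com
"""

# The five scores quoted in the thread plus one ordinary spam verdict.
SAMPLE_HEADERS = [
    "X-Spam-Status: NO, hits=-145.70 required=5.00",
    "X-Spam-Status: NO, hits=-153.70 required=5.00",
    "X-Spam-Status: NO, hits=-146.00 required=5.00",
    "X-Spam-Status: NO, hits=-153.80 required=5.00",
    "X-Spam-Status: NO, hits=-153.90 required=5.00",
    "X-Spam-Status: Yes, score=7.5 required=5.0",
]

STATUS_RE = re.compile(
    r"X-Spam-Status:\s*\S+?,\s*(?:hits|score)=(-?\d+(?:\.\d+)?)", re.IGNORECASE)


def glob_to_regex(glob):
    """Address globs in these directives use only '*' and '?'."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c)
             for c in glob)
    return re.compile("".join(parts), re.IGNORECASE)


def covers_domain(pattern, domain):
    """True if the glob can match a sender address at `domain`."""
    _, at, domain_glob = pattern.rpartition("@")
    if at:
        return glob_to_regex(domain_glob).fullmatch(domain) is not None
    return glob_to_regex(pattern).fullmatch("anyone@" + domain) is not None


def forgeable_whitelist_entries(conf_text, local_domains):
    """Return (line number, pattern) for each whitelist_from glob that
    covers a local domain. whitelist_from_rcvd lines are not reported,
    since they also require a matching relay."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] != "whitelist_from":
            continue
        for pattern in fields[1:]:   # several addresses per line are allowed
            if any(covers_domain(pattern, d) for d in local_domains):
                findings.append((line_no, pattern))
    return findings


def whitelisted_scores(header_lines, floor=-100.0):
    """Scores at or below `floor`, which point at a whitelist hit."""
    scores = []
    for line in header_lines:
        match = STATUS_RE.search(line)
        if match and float(match.group(1)) <= floor:
            scores.append(float(match.group(1)))
    return scores


if __name__ == "__main__":
    print(forgeable_whitelist_entries(SAMPLE_LOCAL_CF, ["example.com"]))
    print(whitelisted_scores(SAMPLE_HEADERS))
```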
Re: very low scoring (ie large negative numbers) spam
Dr Robert Young [EMAIL PROTECTED] wrote on 07/13/2005 11:11:17 AM:
> I have several spam that scored very low on SA 3.0.4 w/ milter-spamc 0.25
>
> X-Spam-Status: NO, hits=-145.70 required=5.00
> X-Spam-Status: NO, hits=-153.70 required=5.00
> X-Spam-Status: NO, hits=-146.00 required=5.00
> X-Spam-Status: NO, hits=-153.80 required=5.00
> X-Spam-Status: NO, hits=-153.90 required=5.00
>
> Since all the scores are similar, I am wondering if there is a common cause .? Are there any suggestions on how to investigate the source of the wildly negative score, or does it look familiar?
>
> Is there an option in spamd/milter-spamc to allow the detailed results of spam scoring to be returned (which test contributed which score to the total) for ALL email ( spam and non-spam)??

You're more than likely hitting a whitelist entry in your local.cf.

Add a -A to your milter startup for a detailed report.

Andy
Re: SpamAssassin integrated with MailScanner, using per-user configuration in SQL or otherwise?
On Wed, 2005-07-13 at 12:19 +0100, Martin Hepworth - [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
>> Hi, I know this is not the ideal location to ask this, as it IS more a MailScanner question, but shall ask in case anyone here has experience with it. I'm researching integrating SpamAssassin into a MailScanner setup, and from reading the documentation for MailScanner, I get the impression that due to the way MailScanner calls the SpamAssassin Perl module, MailScanner will perform all scanning using one single user. I haven't yet seen a way to specify to MailScanner to pass the necessary arguments to cause SpamAssassin to use per-user configurations (either file-based or SQL-based). Is this in fact possible? Appreciate any help. Roshan
>
> Roshan in a word 'no'

In that case, what would the pros and cons be of running SpamAssassin through MailScanner, vs. running SpamAssassin outside of MailScanner, in an exim environment.

One argument I'd seen before is that with the spamc/spamd combination, if spamd broke, spamc would hang indefinitely, but I see that the latest versions of spamc don't seem to have this problem, with the default '-f' safe-failover option.

They also claim that as a result of the SpamAssassin.pm being called directly through MailScanner, that the performance is far higher than that of using spamc/spamd or multiple spamassassin invocations, but of course there aren't any benchmarks on this.

What other issues should one consider?

Roshan
Re: Logwatch message triggers spamd to consume 900+MB of RAM
On Wednesday 13 July 2005 07:16 am, Michael Parker wrote:
> Edward Muller wrote:
>> P.S. This happens with spamassassin 3.0.4 fed via spamd fed via exim. Tested with standard gentoo install and used a clean bayes/whitelist database.
>
> You need to setup exim to limit the size of msgs it sends to spamd to 250k. I do not believe this is in place by default. Search the users list archives for a couple of months back when this was discussed several times.

I can't find a way to do that with what I understand to be the standard way to feed email to spamd from exim, which is to just give it the ip address/port of the spamd server like so at the top of the exim configuration file:

spamd_address = 127.0.0.1 783

I guess I could have exim call spamc directly in my acl_smtp_data stanza though and then use an if conditional.

--
Edward Muller - Interlix [EMAIL PROTECTED] 417-862-0573
PGP Key: http://interlix.com/Members/edwardam/pgpkeys
Re: messages with no body
On 7/12/2005 8:59 PM, Loren Wilton wrote:
> Note that in business circles content includes the subject. As far as I know, rawbody won't see a subject. It is fairly common to send one line questions in the subject with an empty body, and one line replies likewise.

I have trained my users better than that, which is why I don't care about these tests. Other people might tho.

--
Eric A. Hall                  http://www.ehsco.com/
Internet Core Protocols       http://www.oreilly.com/catalog/coreprot/
Re: Logwatch message triggers spamd to consume 900+MB of RAM
On Wednesday 13 July 2005 05:06 am, Loren Wilton wrote:
> How big was the mail? By default spamd will skip mails over 250K, unless you have changed this value (or your install has).

Where is this configured?

> Loren

--
Edward Muller - Interlix [EMAIL PROTECTED] 417-862-0573
PGP Key: http://interlix.com/Members/edwardam/pgpkeys
Re: Logwatch message triggers spamd to consume 900+MB of RAM
Okay so it looks like if any of the $spam_ variables are not evaluated then the messages are not run through spam assassin..

So my acl_check_content (acl_smtp_data) looks like this now:

acl_check_content:

  # Spam markups ... only run if the messages are < 80k in size

  # Add the spam score header
  warn  message   = X-Spam-Score: $spam_score ($spam_bar)
        condition = ${if <{$message_size}{80k}{1}{0}}
        spam      = mail:true

  # Add the spam report header
  warn  message   = X-Spam-Report: $spam_report
        condition = ${if <{$message_size}{80k}{1}{0}}
        spam      = mail:true

  # If the spam score is 4 or more then markup the Subject line
  warn  message   = Subject: {Spam?} $h_subject
        condition = ${if <{$message_size}{80k}{1}{0}}
        condition = ${if >={$spam_score_int}{40}{1}{0}}
        spam      = mail:true

  # If the spam score is 8 or more markup the subject line with a HighScoreSpam
  # notice
  warn  message   = Subject: {HighScoreSpam?} $h_subject
        condition = ${if <{$message_size}{80k}{1}{0}}
        condition = ${if >={$spam_score_int}{60}{1}{0}}
        spam      = mail:true

  # Add X-Spam-Flag if spam is over system-wide threshold
  warn  message   = X-Spam-Flag: YES
        condition = ${if <{$message_size}{80k}{1}{0}}
        condition = ${if >={$spam_score_int}{40}{1}{0}}
        spam      = mail:true

  # Reject spam messages with score >= 10
  deny  message   = This message scored $spam_score points. Congratulations!
        condition = ${if <{$message_size}{80k}{1}{0}}
        condition = ${if >={$spam_score_int}{100}{1}{0}}
        spam      = mail:true

  ...

On Wednesday 13 July 2005 01:42 pm, Edward Muller wrote:
> On Wednesday 13 July 2005 07:16 am, Michael Parker wrote:
>> Edward Muller wrote:
>>> P.S. This happens with spamassassin 3.0.4 fed via spamd fed via exim. Tested with standard gentoo install and used a clean bayes/whitelist database.
>>
>> You need to setup exim to limit the size of msgs it sends to spamd to 250k. I do not believe this is in place by default. Search the users list archives for a couple of months back when this was discussed several times.
>
> I can't find a way to do that with what I understand to be the standard way to feed email to spamd from exim, which is to just give it the ip address/port of the spamd server like so at the top of the exim configuration file:
>
> spamd_address = 127.0.0.1 783
>
> I guess I could have exim call spamc directly in my acl_smtp_data stanza though and then use an if conditional.

--
Edward Muller - Interlix [EMAIL PROTECTED] 417-862-0573
PGP Key: http://interlix.com/Members/edwardam/pgpkeys
Re: How to shut down
I know my SA works but bayes doesn't. I get msgs marked as spam with score over 5.0 but I have never seen autolearn=spam or ham. I get only autolearn=no or autolearn=failed.

Here is the question: after I run sa-learn --clear and let's say that in my conf file I have bayes min ham and spam learn set to 10 (default 200). Does this mean that until I feed sa with spam and ham 10 of each at least it will not use bayes? Or it means that it won't use bayes until it has at least in its database and it's learning from every single msg marked as spam ??

----- Original Message -----
From: Pierre Thomson
To: Michael ; users@spamassassin.apache.org
Sent: Tuesday, July 12, 2005 4:34 PM
Subject: RE: How to shut down

Michael,

For me, the quickest way to get Bayes going is with auto_learn. (NOTE: you have to have your other rules working pretty well for this to be effective.) I use:

bayes_auto_learn_threshold_nonspam 0.0
bayes_auto_learn_threshold_spam 12.0
bayes_auto_learn 1

Emails scoring below zero (mostly outbound or whitelisted mail) are learned as ham; emails scoring over 12 are learned as spam. On our gateway (10,000 messages per day) I can re-train Bayes from scratch in an hour or so. Then I feed it any false negatives to learn as spam, and any false positives with high Bayes scores as ham. The latter case is pretty rare.

I never feed large batches to sa-learn, and since I'm running SA under MailScanner the Bayes rebuilds are automatic.

Good luck

Pierre Thomson
BIC

-----Original Message-----
From: Michael [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 12, 2005 3:52 PM
To: Bret Miller; users@spamassassin.apache.org
Subject: Re: How to shut down

and everything is working fast like before. What is the best way to feed the bayes with spam considering that there is no mail kept at the server? All users download their mail and that's it. The spamassassin is marking spams over 5.0 but when it wants to autolearn it says failed (I assume that because the rest of the time it says autolearn=no). Now I know that bayes has 0 in its database and I want to feed it with some spam so it can start learning. Please suggest some ways to feed spam into bayes. (do I have to prepare it somehow?)

----- Original Message -----
From: Bret Miller
To: users@spamassassin.apache.org
Sent: Tuesday, July 12, 2005 3:44 PM
Subject: RE: How to shut down

I'd run "sa-learn --force-expire" and see if that helps the speed a bit.

From: Michael [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 12, 2005 12:24 PM
To: Sander Holthaus - Orange XL
Cc: users@spamassassin.apache.org
Subject: Re: How to shut down

The whole thing is that yesterday I did sa-learn spam with spam folder and today the server is running very slowly now. Emails from to local users take about 3 hours to deliver. I'm running RH 9.2 with postfix and spamassassin 3.0.4. I know I can kill processes but every time I try to kill spamd it's still there. Then when I try service spamd stop it gives me a msg that INET socket is already running. I thought if I stop spamassassin completely from running maybe the mail will work fast again. I have only about 20 email accounts on the server and 20 domain aliases so there is not too much traffic at all. I have non stop stuff coming to my server for the accounts that are not here and I know this is slowing it down a bit but at this time it is running very poorly.

----- Original Message -----
From: Sander Holthaus - Orange XL
To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Tuesday, July 12, 2005 1:56 PM
Subject: RE: How to shut down

That might be a little overkill though it does the job ;-) Stopping running things on *nix platforms is generally done by killing them, along with their children. "man kill" will teach you how.

Programs that start during boot usually have special scripts to both start and stop them, your best option is to use them. Where they live depends on your platform and distribution, use the supplied documentation, the man command and google to find out exactly where. If you don't want it to run at all at bootup, disable the script (various ways of doing that).

Kind Regards,
Sander Holthaus

PS: Never turn on things for which you don't know how to turn them off.
Rule Advice
We're working with someone who has a domain that starts with a number: 360skincare.com. So it gets bit by FROM_STARTS_WITH_NUMS. I also see some for suspicious hostname.

A little more background: the sender appears to come from pacbell.net isp and using a webmail client. Are these suspicious hostname entries appearing because the hostname starts with a number? Any other advice on these headers to help the user not appear as sending spam? I suspect they are out of luck for the bl rules if pacbell is on a block list.

Here are the full headers (since upgraded to 3.0.4):

From: [EMAIL PROTECTED]
Date: July 9, 2005 2:00:29 PM MST
To: [EMAIL PROTECTED]
Subject: Re: here you go
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 31028 invoked from network); 9 Jul 2005 21:00:29 -
Received: from localhost (127.0.0.1) by localhost with SMTP; 9 Jul 2005 21:00:29 -
Received: from adsl-64-165-17-127.dsl.sndg02.pacbell.net (adsl-64-165-17-127.dsl.sndg02.pacbell.net [64.165.17.127]) by webmail.360skincare.com (IMP) with HTTP for [EMAIL PROTECTED]@localhost; Sat, 9 Jul 2005 17:00:29 -0400
Message-Id: [EMAIL PROTECTED]
References: [EMAIL PROTECTED]
In-Reply-To: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.3
X-Originating-Ip: 64.165.17.127
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on hidden2
X-Spam-Level: ***
X-Spam-Status: Yes, score=7.5 required=5.0 tests=FROM_STARTS_WITH_NUMS, HELO_DYNAMIC_DHCP,HELO_DYNAMIC_HCC,HELO_DYNAMIC_IPADDR, RCVD_IN_NJABL_DUL autolearn=no version=3.0.3
X-Spam-Report:
 * 0.1 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
 * 1.5 HELO_DYNAMIC_HCC Relay HELO'd using suspicious hostname (HCC)
 * 2.8 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
 * 1.5 FROM_STARTS_WITH_NUMS From: starts with nums
 * 1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 *     [64.165.17.127 listed in combined.njabl.org]
White list by IP address
Hi, Is it possible to whitelist an IP scope? Say I want to trust every one in 192.168.* . Is there a way of adding this scope of IP's to the spamassassin whitelist? Thanks,
New 419 Variation?
Here's what looks to be a new variation of the 419 scams. Haven't seen one like this before. This one doesn't seem to mention any $ amount. The headers are a little scrambled because of Notes. (Yes, it's worse than Outlook when it comes to dealing with headers).

Received: from python.stepan.com ([198.180.157.12]) by nf-nt2.stepan.com (Lotus Domino Release 6.0.3) with ESMTP id 2005071314542137-63132 ; Wed, 13 Jul 2005 14:54:21 -0500
Received: from mk-smarthost-2.mail.uk.tiscali.com (mk-smarthost-2.mail.uk.tiscali.com [212.74.114.38]) by python.stepan.com (8.13.3/8.13.3) with ESMTP id j6DJtlnf037603 for [EMAIL PROTECTED]; Wed, 13 Jul 2005 14:55:52 -0500 (CDT) (envelope-from [EMAIL PROTECTED])
Received: from mk-cpfront-3.mail.uk.tiscali.com ([212.74.114.5]:50479 helo=mk-cpfrontend.uk.tiscali.com) by mk-smarthost-2.mail.uk.tiscali.com with esmtp (Exim 4.50) id 1DsmY1-000FfC-Lz; Wed, 13 Jul 2005 20:05:35 +0100
Received: from [81.136.36.125] by mk-cpfrontend.uk.tiscali.com with HTTP; Wed, 13 Jul 2005 20:05:30 +0100
PostedDate: 07/13/2005 02:05:30 PM
$MessageID: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Subject: in good faith
SendTo: [EMAIL PROTECTED]
MIME_Version: 1.0
X_Virus_Scanned: ClamAV version 0.86.1, clamav-milter version 0.86 on python.stepan.com
X_Virus_Status: Clean
X_Spam_Flag: NO
X_Scanned_By: milter-spamc/0.25.321 ( [198.180.157.12]); Wed, 13 Jul 2005 14:55:54 -0500
X_Spam_Status: NO, hits=0.20 required=5.70
X_Spam_Level:
X_Spam_Report: Content analysis details: (0.2 points, 5.7 required)
  pts  rule name      description
  ---  -------------  -----------
  0.0  NO_REAL_NAME   From: does not include a real name
  0.1  OFFSHORE_SCAM  BODY: Off Shore Scams
  0.0  BAYES_50       BODY: Bayesian spam probability is 40 to 60% [score: 0.5040]
X_Greylist: Delayed for 00:49:51 by milter-greylist-2.0rc5 (python.stepan.com [198.180.157.12]); Wed, 13 Jul 2005 14:55:54 -0500 (CDT)
$MIMETrack: Itemize by SMTP Server on NF_NT2/Stepan/US(Release 6.0.3|September 26, 2003) at 07/13/2005 02:54:21 PM,MIME-CD by Notes Client on Andy Jezierski/Stepan/US(Release 6.0.4|June 01, 2004) at 07/13/2005 02:57:50 PM,MIME-CD complete at 07/13/2005 02:57:51 PM
SMTPOriginator: [EMAIL PROTECTED]
RoutingState:
$UpdatedBy: CN=NF_NT2/O=Stepan/C=US
$Orig: AB11274DABD6565A8625703D006D58B9
Categories:
$Revisions:
RouteServers: CN=NF_NT2/O=Stepan/C=US
RouteTimes: 07/13/2005 02:54:21 PM-07/13/2005 02:54:21 PM
$MsgTrackFlags: 0
DeliveredDate: 07/13/2005 02:54:21 PM
ExpireDate:
Importance:

Dear C .e .o/President, I am a registered Financial Security Agent of the FSA (Financial Services Authority) in the UK, attached to the department of Treasury. Arising from the Continuous Admittance of New Countries/Member into the merging EU(European Community is a recent directive from the Bank of England that all dormant account be redirected into Government archives. I have been in charge of a particular Dormant/Suspense account which no one from my very professional investigation using the extensive data protection database. This bond has been in a dormant state since 2000 and the department has been changing custodian of the bonds for the past three (3)years. What is needed at this stage is to find a very reliable, confidential and responsible friend who would assist me in the claims of these bonds without it reverting to the state. In this case, i would initiate a systematic transfer of the said bonds into a Dedicated Account opened in your name or company name, whichever you find most appropriate. I would therefore need your response in order to grant you access to the detailed facts and figures of the bond. I have been able to contact you based on information retrieved from the credit reference database attached to my institution. I will be most willing to go into partnership with you to see this project completed in earnest. I assure you that there would be no issues to your name or person. All you would be required to do is to open an offshore account for this purpose.
I hope you understand why I cannot disclose exclusive data to you at this stage. Do kindly respond to me via my email address below or my fax number. Upon this, I would be able to send you more details regarding this project. If I do not hear from you in the next few days, I would assume you are not interested but if you are, do also provide a phone/fax numbers you could be reached on. I look forward to an excellent business relationship with you. Yours Sincerely, Mr. Walter Bentley. Financial Service Authority (FSA). Fax: + 448452801535 Email:[EMAIL PROTECTED] participatory financial proposal ___ Book yourself something to look forward to in 2005. Cheap flights - http://www.tiscali.co.uk/travel/flights/ Bargain holidays - http://www.tiscali.co.uk/travel/holidays/
Re: How to shut down
I know my SA works but bayes doesn't. I get msgs marked as spam with score over 5.0 but I have never seen autolearn=spam or ham. I get only autolearn=no or autolearn=failed. Here is the question: after I run sa-learn --clear and let's say that in my conf file I have bayes min ham and spam learn set to 10 (default 200). Does this mean that until I feed SA with spam and ham, 10 of each at least, it will not use bayes? Or it means that it won't use bayes until it has at least in its database and it's learning from every single msg marked as spam??

Have you tried running spamassassin -D --lint yet?

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 561-5848 local 448
---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---
Re: White list by IP address
Jose Guevarra wrote:

Hi, Is it possible to whitelist an IP scope? Say I want to trust everyone in 192.168.* . Is there a way of adding this scope of IPs to the spamassassin whitelist?

It's not a whitelist per se, but if you add those IPs to trusted_networks, said emails will wind up matching ALL_TRUSTED if they don't go through any untrusted machines.
2 Questions
I have 2 questions.

1. Does anyone know if spamassassin is going to support DKIM when Yahoo and Cisco get it released?
2. Is there a quick way to blacklist a country?

Some background for #2: I have a customer who wants to filter anything coming from China or Korea, but for obvious reasons I don't want to make this a site-wide type of filter. I have spamassassin's spamd installed on 5 servers and I am using spamc to access them over a gigabit backplane network from several mail stores. I use procmail to do the email backup, calling spamc, email forwarding and dumping email to a user-accessible junkmail folder if spamassassin determines that an email is spam. The pool of spamassassin machines has a replicated database with each of the users' preferences in it. We have a web site we designed for our users to log into so they can control their own preferences, which updates the database.

Is there some test I can tell my customer to add to his preferences to filter China? I didn't see anything that filters based on locale.
RE: New 419 Variation?
It still looks like it triggers your OFFSHORE_SCAM rule. Am I wrong in assuming that it should tag higher than 0.1 points for that rule? Does it FP often as to warrant such a low score?

--
Matthew Yette
Senior Engineer - NOC/Operations
MA Polce Consulting, Inc.
[EMAIL PROTECTED]
315-838-1644 (w)
315-356-0597 (f)
AIM/Yahoo: MAPolceNOC
MSN: [EMAIL PROTECTED]

-Original Message-
From: Andy Jezierski [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 13, 2005 4:17 PM
To: users@spamassassin.apache.org
Subject: New 419 Variation?
Re: 2 Questions
Mark Hamilton wrote:

I have 2 questions. 1. Does anyone know if spamassassin is going to support DKIM when Yahoo and Cisco get it released? 2. Is there a quick way to blacklist a country?

pre-built as a RBL for your convenience: http://www.blackholes.us/

Which can be made into a SA rule pretty easy if you have DNS checks enabled:

header RCVD_IN_CHINA_KR eval:check_rbl('countrycnkr', 'cn-kr.blackholes.us.')
describe RCVD_IN_CHINA_KR Received from China or Korea
tflags RCVD_IN_CHINA_KR net
score RCVD_IN_CHINA_KR 1.0

Note, watch for line-wraps, that's supposed to only be 4 lines of text.
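What a DNSBL check of the kind the rule above relies on does on the wire, as an added Python example (not SpamAssassin's code and not the poster's): each relay IP from the Received headers is reversed, appended to the zone, and looked up as an A record, with an answer in 127.0.0.0/8 meaning "listed". The function names, the trusted-network argument, the last Received line and the stub resolver used to exercise it are assumptions made for illustration; skipping trusted relays here is a simplification of what trusted_networks is for.

```python
import ipaddress
import re
import socket

ZONE = "cn-kr.blackholes.us."  # zone named in the rule above

# The first four Received lines are shortened from the "New 419 Variation?"
# post on this page. The last one is constructed (203.0.113.0/24 is a
# documentation range) so the example has a relay to report.
RECEIVED = [
    "from python.stepan.com ([198.180.157.12]) by nf-nt2.stepan.com",
    "from mk-smarthost-2.mail.uk.tiscali.com (mk-smarthost-2.mail.uk.tiscali.com"
    " [212.74.114.38]) by python.stepan.com",
    "from mk-cpfront-3.mail.uk.tiscali.com ([212.74.114.5]:50479"
    " helo=mk-cpfrontend.uk.tiscali.com) by mk-smarthost-2.mail.uk.tiscali.com",
    "from [81.136.36.125] by mk-cpfrontend.uk.tiscali.com with HTTP",
    "from unknown ([203.0.113.7]) by relay.example.net",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ips(received_headers):
    """Return the bracketed IPv4 address of each Received header, in order."""
    ips = []
    for header in received_headers:
        match = IP_RE.search(header)
        if not match:
            continue
        try:
            ips.append(ipaddress.IPv4Address(match.group(1)))
        except ipaddress.AddressValueError:
            pass  # looked like an address but is not one, e.g. [999.1.1.1]
    return ips


def dnsbl_name(ip, zone=ZONE):
    """198.180.157.12 -> 12.157.180.198.cn-kr.blackholes.us."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def system_resolve(name):
    """Live lookup: A records for name, or [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def listed_relays(received_headers, trusted, resolve=system_resolve, zone=ZONE):
    """Return the relay IPs outside `trusted` that the zone lists.

    `trusted` is a list of CIDR strings for the site's own relays; they are
    never sent to the DNSBL. `resolve(name)` returns a list of A records.
    """
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = []
    for ip in relay_ips(received_headers):
        if any(ip in net for net in nets):
            continue
        answers = resolve(dnsbl_name(ip, zone))
        if any(a.startswith("127.") for a in answers):
            hits.append(str(ip))
    return hits
```

Passing a stub for `resolve` keeps the check testable without network access; with the default resolver every untrusted relay costs one DNS query per message.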
Re: 2 Questions
Mark Hamilton wrote: I have 2 questions. 1. Does anyone know if spamassassin is going to support DKIM when Yahoo and Cisco get it released? Whoops, forgot to answer this part.. It looks like a plugin is being developed: http://mail-archives.apache.org/mod_mbox/spamassassin-commits/200501.mbox/[EMAIL PROTECTED] And said plugin appears to be included with SA 3.1.0-pre3.
Re: 2 Questions
Matt Kettler writes:

Mark Hamilton wrote: I have 2 questions. 1. Does anyone know if spamassassin is going to support DKIM when Yahoo and Cisco get it released?

Whoops, forgot to answer this part.. It looks like a plugin is being developed: http://mail-archives.apache.org/mod_mbox/spamassassin-commits/200501.mbox/[EMAIL PROTECTED] And said plugin appears to be included with SA 3.1.0-pre3.

however, that's for DK -- DKIM is different... but I think we probably will, bar any craziness like DKIM's licensing terms blocking it. (right now the terms permit us to use DK iirc, but DKIM includes new logic from Cisco, so may have different terms.)

--j.
Re: Logwatch message triggers spamd to consume 900+MB of RAM
From: Edward Muller [EMAIL PROTECTED] Subject: Re: Logwatch message triggers spamd to consume 900+MB of RAM If you did the sensible thing the logwatch messages would never go through the spamassassin at all. I use procmail here and it's really easy to teach that tool to skip feeding spamc for specific messages, such as those from this group or in your case logwatch. {^_^}
Re: Blacklisting
On Jul 13, 2005, at 11:55 AM, Jean-Paul Natola wrote:

I'm attempting to blacklist @freelotto.com Is this the correct way to edit the local.cf file?

RTFM. http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html

Steven
---
Steven Dickenson [EMAIL PROTECTED] http://www.mrchuckles.net
Trying to understand whitelist_from_rcvd
If this is set in local.cf

whitelist_from_rcvd@gold.com gold.com
trusted_networks gold.com ( via the IP address )

and the incoming email header looks like (xxx added by me)

Received: from email1.gold.com (relay1.gold.com [xxx.xxx.xxx.xxx]) by kashmir.gold.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 3QYTCQ3J; Wed, 13 Jul 2005 16:46:03 -0400
Received: from jdfulwiler.com ([xxx.xxx.xxx.xxx]) by email1.gold.com (8.12.10/8.12.10) with SMTP id j6DKkGNJ020346 for [EMAIL PROTECTED]; Wed, 13 Jul 2005 16:46:17 -0400
Message-Id: [EMAIL PROTECTED]
From: Dagnija Ragland [EMAIL PROTECTED]
To: Hashim Ojeda [EMAIL PROTECTED]

will the email be treated as white and get scored a -100 accordingly? It's the first Received line I am wondering about matching with the white list..

Dr. Robert Young
ALI Database Consultants
1151 Williams Dr
Aiken SC 29803 USA
WWW: http://www.aliconsultants.com
Tele: 1-803-648-5931
Toll free in US: 1-866-257-8970
Fax: 1-803-641-0345
Email: [EMAIL PROTECTED]
Source of Rdb Controller, software for database analysis performance tuning
Re: Logwatch message triggers spamd to consume 900+MB of RAM
Whitelist the logwatch source email address??

Would not help if the problem is an oversized message. A whitelist is just another rule applied to the message, and doesn't bypass SA processing. He would need a way to bypass the message around SA, so that SA never sees it in the first place.

Loren
Re: tiff file spam
Is there a way to mark as spam an email which contains basically nothing but an image.tiff file which is, itself, the spam message being displayed as a graphic? Jpegs and gifs are much more common than tiff files here for that sort of thing. But between SA rules, SARE rules, and Bayes, these always get caught, with rather high scores. Bayes is your friend here. Loren
Re: attachments?
I think I know the answer here, but does spamd scan attachments if you are using milter-spamc v 0.25 as the sendmail-spamd link??

SA doesn't scan binary attachments. It will scan text and similar attachments. As far as I know, spamd doesn't really scan attachments (or mail) itself, except inasmuch as it calls SA to do the work. Also, spamd will bypass any mail that is too large, if it can determine that. Don't know if it can in the situation you describe.

Loren
Re: very low scoring (ie large negative numbers) spam
I have several spam that scored very low on SA 3.0.4 w/ milter-spamc 0.25

X-Spam-Status: NO, hits=-145.70 required=5.00
X-Spam-Status: NO, hits=-153.70 required=5.00
X-Spam-Status: NO, hits=-146.00 required=5.00
X-Spam-Status: NO, hits=-153.80 required=5.00
X-Spam-Status: NO, hits=-153.90 required=5.00

Since all the scores are similar, I am wondering if there is a common cause.

Almost certainly.

Are there any suggestions on how to investigate the source of the wildly negative score, or does it look familiar?

A score of -100 almost certainly indicates a whitelist hit of some sort or other. The 40..50 part of the score is harder to determine. I would guess these are similar mails and are accumulating about the same hits, which could be any old batch of rules. Another possibility is they are hitting TWO whitelist rules and getting -200, and then getting 50..60 points added back to the score from other rule hits. If you look at one of those messages (if you have it) it should show the rules hit, even without the scores. Many of us could fairly quickly tell you where the scores are coming from.

Loren
Re: How to shut down
I know my SA works but bayes doesn't. I get msgs marked as spam with score over 5.0 but I have never seen autolearn=spam or ham. I get only autolearn=no or autolearn=failed. Here is the question: after I run sa-learn --clear and let's say that in my conf file I have bayes min ham and spam learn set to 10 (default 200). Does this mean that until I feed SA with spam and ham, 10 of each at least, it will not use bayes?

Yes. Of course it may not work well with only 20 messages to look at, which is why the 200 limit was picked.

Loren
Re: very low scoring (ie large negative numbers) spam
On Wed, Jul 13, 2005 at 03:56:50PM -0700, Loren Wilton wrote:

Another possibility is they are hitting TWO whitelist rules and getting -200, and then getting 50..60 points added back to the score from other rule hits.

That's not really possible. In 3.0, there's only a single -100 whitelist rule. It'll only ever hit once. I'm voting for AWL, probably with a static whitelist as well.

--
Randomly Generated Tagline: Oh, I love your magazine. My favorite section is `How to Increase Your Word Power.' That thing is really, really, really ... good. -- Homer Simpson Mr. Lisa Goes To Washington
Re: 2 Questions
Mark Hamilton wrote:

I have 2 questions. 1. Does anyone know if spamassassin is going to support DKIM when Yahoo and Cisco get it released? 2. Is there a quick way to blacklist a country?

pre-built as a RBL for your convenience: http://www.blackholes.us/

Which can be made into a SA rule pretty easy if you have DNS checks enabled:

header RCVD_IN_CHINA_KR eval:check_rbl('countrycnkr', 'cn-kr.blackholes.us.')
describe RCVD_IN_CHINA_KR Received from China or Korea
tflags RCVD_IN_CHINA_KR net
score RCVD_IN_CHINA_KR 1.0

Note, watch for line-wraps, that's supposed to only be 4 lines of text.

Hey, that was painless and effective.

Thanks
Mark
Re: HELP bv lottery spam
- Original Message - From: Loren Wilton [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Wednesday, July 13, 2005 6:32 AM Subject: Re: HELP bv lottery spam Norton AV makes wait headers similar (but not identical) to what you see when it is scanning outbound mail for a virus, as I recall. I suspect this is something similar, but I don't recognize the header. Do you have user rules enabled? If so, check your syslog for an insecure dependency warning from SA when this message was processed. Somehow if you get one of those it is guaranteed that SA won't scan the message, at least using procmail. No user rules, just site-wide. I am using procmail. I only have the single example at this time, so I'm not going to worry about it much yet. Thanks for the thoughts. John
sa-learn user
Hi

I'm having some difficulty finding out exactly which user I should be running sa-learn as. The following is an output of 'ps -ef' from my mail server:

# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1308 1 0 04:21 ? 00:00:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -st
root 1343 1 0 04:21 ? 00:00:00 /usr/lib/courier-imap/sbin/courierlogger imapd
root 1384 1 0 04:21 ? 00:00:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -st
root 1401 1 0 04:21 ? 00:00:00 /usr/lib/courier-imap/sbin/courierlogger imapd-ssl
qscand 1441 1 0 04:21 ? 00:00:00 lt-clamd start
root 1852 1 0 04:21 ? 00:00:25 /usr/bin/sophie -D
spamd 2501 1 0 04:22 ? 00:00:00 /usr/bin/spamd -d -q -m10 -s /var/log/spamd/spamd.log --pidfile=/var/run/spamd/spamd.pid --socketpath=/var/qmai
root 2621 1 0 04:22 ? 00:00:00 /bin/sh /command/svscanboot
root 2623 2621 0 04:22 ? 00:00:00 svscan /service
root 2624 2621 0 04:22 ? 00:00:00 readproctitle service errors: .
root 2625 2623 0 04:22 ? 00:00:00 supervise qmail-send
root 2626 2623 0 04:22 ? 00:00:00 supervise log
root 2627 2623 0 04:22 ? 00:00:00 supervise qmail-smtpd
root 2628 2623 0 04:22 ? 00:00:00 supervise log
root 2629 2623 0 04:22 ? 00:00:00 supervise qmail-pop3d
root 2630 2623 0 04:22 ? 00:00:00 supervise log
root 2631 2623 0 04:22 ? 00:00:00 supervise qmail-pop3ds
root 2632 2623 0 04:22 ? 00:00:00 supervise log
qmails 2633 2625 0 04:22 ? 00:00:35 qmail-send
vpopmail 2634 2627 0 04:22 ? 00:00:02 /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.smtp.cdb -c 100 -u 509 -g 502 0 smtp /usr/loca
vpopmail 2635 2629 0 04:22 ? 00:00:01 /usr/local/bin/tcpserver -l 0 -R -H -v -u509 -g502 0 110 /var/qmail/bin/qmail-popup spock /home/vpopmail/bin/vc
qmaill 2636 2626 0 04:22 ? 00:00:03 /usr/local/bin/multilog t s5000 n30 /var/log/qmail
qmaill 2638 2628 0 04:22 ? 00:02:46 /usr/local/bin/multilog ts1000 n30 /var/log/qmail/smtpd
qmaill 2645 2630 0 04:22 ? 00:00:00 multilog t /var/log/qmail/pop3d
qmaill 2646 2632 0 04:22 ? 00:00:00 multilog t /var/log/qmail/pop3ds
vpopmail 2647 2631 0 04:22 ? 00:00:00 /usr/local/bin/tcpserver -l 0 -R -H -v -u509 -g502 0 995 /usr/sbin/stunnel /usr/local/etc/pop3s.conf
root 2651 2633 0 04:22 ? 00:00:03 qmail-lspawn ./Maildir/
qmailr 2652 2633 0 04:22 ? 00:00:01 qmail-rspawn
qmailq 2653 2633 0 04:22 ? 00:00:07 qmail-clean
root 29978 1 0 12:08 ? 00:00:06 /usr/bin/trophie -D
spamd 10749 2501 0 15:49 ? 00:01:30 spamd child
spamd 11089 2501 0 15:49 ? 00:01:20 spamd child
spamd 11177 2501 1 15:49 ? 00:01:47 spamd child
spamd 11463 2501 1 15:49 ? 00:01:41 spamd child
spamd 11871 2501 0 15:50 ? 00:01:32 spamd child
vpopmail 11980 2634 0 18:27 ? 00:00:00 /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
vpopmail 11983 11980 0 18:27 ? 00:00:00 /usr/local/bin/recordio /usr/local/bin/rblsmtpd -r relays.ordb.org -r bl.spamcop.net /var/qmail/bin/qmail-smtpd
qscand 12052 11980 0 18:28 ? 00:00:00 /usr/bin/perl -T /dev/fd/4//var/qmail/bin/qmail-scanner-queue.pl
spamd 12683 2501 0 18:31 ? 00:00:00 spamd child
spamd 12698 2501 0 18:31 ? 00:00:00 spamd child
spamd 12872 2501 0 18:31 ? 00:00:00 spamd child
vpopmail 12942 2634 0 18:31 ? 00:00:00 /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true
vpopmail 12943 12942 0 18:31 ? 00:00:00 /usr/local/bin/recordio /usr/local/bin/rblsmtpd -r relays.ordb.org -r bl.spamcop.net /var/qmail/bin/qmail-smtpd
spamd 12953 2501 0 18:31 ? 00:00:00 spamd child
spamd 12993 2501 0 18:31 ? 00:00:00 spamd child

I'd appreciate it if anyone could spot the user.

Regards
Lee
Proper way to override scores
I often want to alter the scores of already set filters in the SARE and other custom filter sets.. what/where is the proper place to do this without altering each individual set, which will get over-written down the road?

thanks