Early Questions
Hi All (just joined, so please be gentle ;-) ),

I have just installed spamassassin v3.0.4 in a test environment (which is a mirror of the live environment) and have a number of questions, which I can not see within the manuals/support documentation.

Firstly, this is my configuration:

Server: Linux (RH9.0), with spamassassin installed from spamassassin.org web site using make etc (not RPM's). This machine then runs both IMAP and POP3 for clients. MTA is sendmail.

Client(s): Windows XP. All running Windows XP and MS Outlook 2000. All users connect to POP3 Server (on Linux machine) and use PST files to download their e-mail(s).

General: Setup is such that spamassassin is site wide (not per user) - as per management request. All working fine at the moment - just about to switch on bayes.

Questions:

(q1) Given that this is a site-wide installation, how do I get the requisite 200 e-mails (spam/ham) for spamassassin to work with? Where should I put these (an individual mailbox)?

Thanks
Mark
Forged outlook headers with outlook
hello Using SA 3.0.4 I have been receiving false positives with the rule FORGED_MUA_OUTLOOK being added to email that is sent from Outlook 6 (2003?). Have looked in the archives and the only suggestion is to set the score to zero; which defeats the idea surely. Is there something wrong with the rule such that messages from Outlook appear to have forged headers when in fact Outlook did generate them? Is the rule correct and perhaps somehow the headers of the mail have been altered in transit to trigger the rule? Suggestions appreciated. thanks rolf.
Re: Forged outlook headers with outlook
I think the last time this happened had something to do with the received headers in the message, if I recall correctly. There was a fix for an instance of this fairly recently, but I don't recall the details. The fix may have been in the 3.1 stream. Loren
Re: Early Questions
Mark Williams wrote on Tue, 19 Jul 2005 08:32:11 +0100:

> (q1) Given that this is a site-wide installation, how do I get the requisite 200 e-mails (spam/ham) for spamassassin to work with?

Collect them from the mailboxes you are allowed to check. Maybe just your own.

> Where should I put these (an individual mailbox)?

You actively learn the messages via sa-learn to Bayes.

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de http://msie.winware.org
DATE_IN_FUTURE false positive
Hi all,

I've a problem with the DATE_IN_FUTURE rule since it causes a false positive. Does anyone have any suggestion? I am considering decreasing the score of this rule, but I am concerned that it will let more spam through.

Thanks
ruleset for antidrug.cf
Hi list,

Our servers are frequently getting spam mails with taablets , or ta.blets in the subject. I run rules_du_jour regularly; I am surprised there is no ruleset for catching this kind of subject:

/\bta+\.?b(let)?s\b/

Does someone already have a ruleset for this?

Thanks
Ram
--
Netcore Solutions Pvt. Ltd.
Website: http://www.netcore.co.in
Spamtraps: http://cleanmail.netcore.co.in/directory.html
--
Re: DATE_IN_FUTURE false positive
Ratchanee Wongwisarnsee wrote on Tue, 19 Jul 2005 16:09:26 +0700:

> I've some problem with the DATE_IN_FUTURE rules since it cause a false positive

Well, some details may help. Also, if possible, please send text/plain only, thanks :-)

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de http://msie.winware.org
Re: Forged outlook headers with outlook
> I think the last time this happened had something to do with the received headers in the message, if I recall correctly. There was a fix for an instance of this fairly recently, but I don't recall the details. The fix may have been in the 3.1 stream.

Thank you. I have 3.0.4 here and no particularly convenient way to look at 3.1. If 3.1 does contain the fix, would someone be able to post or send the relevant lines of the rules? I'd love to incorporate them in the local config here.

cheers
rolf.
(OT) SURBL local-DNS sample file?
Hi,

What follows is certainly OT for SpamAssassin. I am setting up SA3 with SURBL support, and I am configuring RBLDNSD in order to run a local SURBL copy. Before asking for rsync permission, I'd like to test the configuration on a non-production system (with a non-production IP address). I need a sample of the files that are actually downloaded with rsync, but I've not been able to find any sample to use on surbl.org and related sites. I am not enough of a DNS expert to write my own.

Can someone provide me with a sample? Would SURBL.org people mind publishing a sample rsync file on their pages?

Thanks for your attention,
Paolo
RE: (OT) SURBL local-DNS sample file?
> Would SURBL.org people mind publishing a sample rsync file on their pages?

I've forwarded your request to the URIBL.com group as well. It has some problems in that neither SURBL nor URIBL allows just anyone to rsync. You have to be allowed to do it. But a few know better than me, so I'll see what they say. If it's no big deal, then sure, we would have no problem with a test file.

Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com
Re: False positives received from localhost
[EMAIL PROTECTED] wrote:
> I've had a couple of these since upgrading to 3.0.4. Headers with NO IP address in it, just this:
>
> Received: from localhost by (our server)
>
> I assume that if it's not a bug on my end, some users and/or servers are sending out from 127.0.0.1, which in turn sets off:
>
> RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL
>
> Strange that qmail would not put an IP address in the received from: headers, though...

SA should ignore 127.0.0.1. However, you might want to double-check to see if your SA box resolves localhost as 127.0.0.1 or as some other IP. (I have seen boxes configured to do this...)
Re: Early Questions
Mark Williams wrote:
> Hi All (just joined, so please be gentle ;-) ),
>
> I have just installed spamassassin v3.0.4 in a test environment (which is a mirror of the live environment) and have a number of questions, which I can not see within the manuals/support documentation. Firstly, this is my configuration:
>
> Server: Linux (RH9.0), with spamassassin installed from spamassassin.org web site using make etc (not RPM's). This machine then runs both IMAP and POP3 for clients. MTA is sendmail
>
> Client(s): Windows XP. All running Windows XP and MS Outlook 2000. All users connect to POP3 Server (on Linux machine) and use PST files to download their e-mail(s).
>
> General: Setup is such that spamassassin is site wide (not per user) - as per management request. All working fine at the moment - just about to switch on bayes
>
> Questions:
> (q1) Given that this is a site-wide installation, how do I get the requisite 200 e-mails (spam/ham) for spamassassin to work with? Where should I put these (an individual mailbox)?

Doesn't matter where you put them, what you need to do is feed them to sa-learn --ham and sa-learn --spam. After sa-learn has examined them and added tokens to its bayes DB, the emails are no longer needed.

You'll need to do your sa-learn runs as the same user your mail scanning gets executed as. Since you're using sendmail this will likely be root. However, if you use spamd, it will be very averse to scanning mail while running as root, and will setuid itself to nobody to prevent security holes. The home directory for nobody isn't writable by nobody, so SA won't use bayes while this is going on. (And don't fix it by giving nobody a home dir that it can write to! Many processes use nobody and expect it to be homeless. Giving it a homedir can weaken your system's security in the event an exploit occurs.)

What you'll want to do in this case is create a separate spamd user, and add -u spamd to your spamd start up. Then when you want to learn mail, su yourself to spamd.
Re: ruleset for antidrug.cf
Ramprasad A Padmanabhan wrote:
> Hi list,
> Our servers are frequently getting spam mails with taablets , or ta.blets in the subject. I run rules_du_jour regularly, I am surprised there is no ruleset for catching this kind of subjects
>
> /\bta+\.?b(let)?s\b/
>
> Has someone already a ruleset for this

One problem with the above regex.. it will match tablets or tabs in an un-obfuscated form.

If it were a single word to avoid, I'd suggest using a negative-look-ahead, but since there's two I might re-write the above into something like this:

body  __L_TABS_ANY  /\bta+\.?b(?:let)?s\b/i
body  __L_TABLETS   /\btablets\b/i
body  __L_TABS      /\btabs\b/i
meta  L_TABS_OBFU   __L_TABS_ANY && !(__L_TABLETS || __L_TABS)
score L_TABS_OBFU   0.1

Notes:

Body rules do match subject lines, so I chose body instead of header.

I also added ?: to your () around let to prevent perl from wastefully creating a backreference which won't be used.

Since the rule is completely untested, I gave it a tiny score. Test it with the small score, watching for it hitting nonspam messages, before giving it any real score.
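To see what the meta rule above accepts and what the plain-word sub-rules veto, here is an added Python example; it is not from the post and not SpamAssassin's own rule engine. It evaluates the same three sub-rule patterns and the meta expression over constructed sample subjects. The subject strings and the helper names subrules, l_tabs_obfu and score are assumptions made for the example.

```python
import re

# The three sub-rules from the post, as Python regexes. Python's re accepts the
# same syntax SpamAssassin hands to Perl for these patterns; /i becomes re.I.
L_TABS_ANY = re.compile(r"\bta+\.?b(?:let)?s\b", re.I)   # any form, obfuscated or not
L_TABLETS = re.compile(r"\btablets\b", re.I)             # the plain word
L_TABS = re.compile(r"\btabs\b", re.I)                   # the other plain word


def subrules(text: str) -> dict:
    """Evaluate the __L_* sub-rules against one message's text."""
    return {
        "__L_TABS_ANY": bool(L_TABS_ANY.search(text)),
        "__L_TABLETS": bool(L_TABLETS.search(text)),
        "__L_TABS": bool(L_TABS.search(text)),
    }


def l_tabs_obfu(text: str) -> bool:
    """The meta rule: __L_TABS_ANY && !(__L_TABLETS || __L_TABS).

    Meta rules combine per-message hits, so a message that contains both
    'taablets' and plain 'tablets' does NOT fire: the plain word vetoes it.
    """
    hits = subrules(text)
    return hits["__L_TABS_ANY"] and not (hits["__L_TABLETS"] or hits["__L_TABS"])


def score(text: str) -> float:
    """Points contributed by L_TABS_OBFU under the post's tiny test score of 0.1."""
    return 0.1 if l_tabs_obfu(text) else 0.0


if __name__ == "__main__":
    # Constructed sample subjects (not from any real message) to exercise the rule.
    samples = [
        "Cheap taablets online",      # obfuscated: fires
        "Order ta.blets today",       # obfuscated: fires
        "Buy tablets",                # plain word: vetoed
        "Browser tabs and windows",   # plain word: vetoed
        "stability report",           # no word boundary before 'ta': no hit at all
        "tablets and taablets",       # mixed: vetoed by the plain word
    ]
    for s in samples:
        print(f"{s!r:32} subrules={subrules(s)} L_TABS_OBFU={l_tabs_obfu(s)}")
```

The last sample is the case to watch when testing with the small score: a spammer who writes the word both ways in one message escapes the meta rule entirely, because the veto is evaluated per message, not per occurrence.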
Re: Early Questions
Mark Williams wrote:
> I have just installed spamassassin v3.0.4 in a test environment (which is a mirror of the live environment) and have a number of questions, which I can not see within the manuals/support documentation. Firstly, this is my configuration:
>
> Server: Linux (RH9.0), with spamassassin installed from spamassassin.org web site using make etc (not RPM's). This machine then runs both IMAP and POP3 for clients. MTA is sendmail

Surely you're not going live with a distribution as old and unsupported as RedHat 9! Do you want to become a spam zombie? I urge you strongly to look at moving up to RedHat Enterprise Linux 4, CentOS 4 or a recent Fedora release. Also, you really should stick with the RPMS, it makes management and future upgrades much smoother.

> Client(s): Windows XP. All running Windows XP and MS Outlook 2000. All users connect to POP3 Server (on Linux machine) and use PST files to download their e-mail(s).
>
> General: Setup is such that spamassassin is site wide (not per user) - as per management request. All working fine at the moment - just about to switch on bayes
>
> Questions:
> (q1) Given that this is a site-wide installation, how do I get the requisite 200 e-mails (spam/ham) for spamassassin to work with? Where should I put these (an individual mailbox)?

Use bayes autolearning so that you don't have to bother too much. Also set up some aliases like [EMAIL PROTECTED] and [EMAIL PROTECTED] where users can forward wrongly classified mail for you to reclassify. Don't try to use someone else's bayes db and don't use just your personal email since it won't match the bayes characteristics of the entire company.

Note that you can also modify the number of spam and ham messages the bayes db needs before it starts scoring with these two rules in local.cf:

bayes_min_ham_num 100
bayes_min_spam_num 50

Be careful about setting it too low though, the less bayes knows about your org's email characteristics the more likely false positives are.

Jay
Re: Early Questions
Jay Lee wrote:
> Mark Williams wrote:
>> I have just installed spamassassin v3.0.4 in a test environment (which is a mirror of the live environment) and have a number of questions, which I can not see within the manuals/support documentation. Firstly, this is my configuration:
>>
>> Server: Linux (RH9.0), with spamassassin installed from spamassassin.org web site using make etc (not RPM's). This machine then runs both IMAP and POP3 for clients. MTA is sendmail
>
> Surely you're not going live with a distribution as old and unsupported as RedHat 9! Do you want to become a spam zombie? I urge you strongly to look at moving up to RedHat Enterprise Linux 4, CentOS 4 or a recent Fedora release. Also, you really should stick with the RPMS, it makes management and future upgrades much smoother.
>
>> Client(s): Windows XP. All running Windows XP and MS Outlook 2000. All users connect to POP3 Server (on Linux machine) and use PST files to download their e-mail(s).
>>
>> General: Setup is such that spamassassin is site wide (not per user) - as per management request. All working fine at the moment - just about to switch on bayes
>>
>> Questions:
>> (q1) Given that this is a site-wide installation, how do I get the requisite 200 e-mails (spam/ham) for spamassassin to work with? Where should I put these (an individual mailbox)?
>
> Use bayes autolearning so that you don't have to bother too much. Also set up some aliases like [EMAIL PROTECTED] and [EMAIL PROTECTED] where users can forward wrongly classified mail for you to reclassify. Don't try to use someone else's bayes db and don't use just your personal email since it won't match the bayes characteristics of the entire company.
>
> Note that you can also modify the number of spam and ham messages the bayes db needs before it starts scoring with these two rules in local.cf:
>
> bayes_min_ham_num 100
> bayes_min_spam_num 50
>
> Be careful about setting it too low though, the less bayes knows about your org's email characteristics the more likely false positives are.
>
> Jay

I just wanted to add something to this quick. You may also want to (perhaps even *should*) alter the autolearn thresholds if you are going to use bayes autolearning. The default values have been seen to autolearn in the wrong direction sometimes. I have changed mine to:

bayes_auto_learn_threshold_nonspam -0.1
bayes_auto_learn_threshold_spam 10.0

Also, note that while users can forward email to the spam@ and ham@ addresses referred to above, they must do so as an attachment so the original email is untouched. Regular forwarding will add/alter headers which will cause bayes nightmares.

And finally as a general note.. a lot of people seem to not use bayes for one reason or another.. and tend to have autolearning disabled. However with the correct settings and some careful monitoring (at least in the beginning) bayes w/autolearn can work wonders.

BTW, I'm also running RH9 AND SA 2.64, but this was installed almost 2 years ago ;) Still running great though.

-Jim
Re: False positives received from localhost
Matt Kettler wrote:
> SA should ignore 127.0.0.1. However, you might want to double-check to see if your SA box resolves localhost as 127.0.0.1 or as some other IP. (I have seen boxes configured to do this...)

There are also some older versions of NSCD that were vulnerable to a sort of reverse cache poisoning. We saw this happen with a Red Hat 7.3 server a while back. Sendmail would receive a connection from a server with IP address 1.2.3.4. It would then do a reverse DNS lookup. But whoever set up rDNS for 1.2.3.4 had set it to resolve to localhost. For some reason NSCD would not only cache that result, but it would reverse it on the assumption that the resolution was symmetric. From then on, connections to localhost would go to 1.2.3.4 instead of 127.0.0.1.

Unfortunately the last version of NSCD released for Red Hat 7.3 was still vulnerable, though Fedora Legacy is preparing an updated package.

May or may not be relevant, but thought I'd pass along the info just in case.

--
Kelson Vibber
SpeedGate Communications
www.speed.net
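Both replies in this thread hinge on which address the scanner actually has to work with: the original poster's qmail header carries no IP literal at all, and Kelson's case is a host whose reverse DNS says "localhost" while the real source is a public address. As an added illustration (not from the thread and not SpamAssassin's own, far more complete, Received-header parser), the Python below pulls the IP literal out of constructed Received: lines, skips loopback and RFC 1918 sources, and deliberately ignores the hostname, so a reverse-DNS name of "localhost" cannot be mistaken for the real source. SAMPLE_HEADERS, received_ip, should_skip and dnsbl_candidates are names chosen for the example; the headers are constructed.

```python
import ipaddress
import re
from typing import List, Optional

# First IPv4 literal in a Received: line, bracketed or bare. Constructed for this
# example; it does not try to cover every MTA's header layout.
IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Sources that no DNSBL should ever be asked about: loopback and RFC 1918 space.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed headers, not taken from any real message.
SAMPLE_HEADERS = [
    # The qmail case from the thread: a name, but no literal to look up at all.
    "Received: from localhost by mail.example.com; Tue, 19 Jul 2005 10:00:00 +0000",
    # A genuine loopback submission: literal present, must be skipped.
    "Received: from [127.0.0.1] (helo=localhost) by mail.example.com with esmtp",
    # Kelson's case: rDNS claims 'localhost', but the literal is a public address.
    "Received: from localhost (localhost [203.0.113.5]) by mail.example.com with smtp",
    # An internal relay: private address, nothing to ask a DNSBL about.
    "Received: from relay (relay.example.net [192.168.1.20]) by mail.example.com",
]


def received_ip(header: str) -> Optional[str]:
    """Return the connecting IP literal from a Received: header, or None if
    the MTA wrote none (e.g. 'Received: from localhost by ...')."""
    m = IPV4_RE.search(header)
    return m.group(1) if m else None


def should_skip(ip: str) -> bool:
    """True for loopback and RFC 1918 addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SKIP_NETS)


def dnsbl_candidates(received_headers: List[str]) -> List[str]:
    """IPs worth checking against DNSBLs: those with a literal that is neither
    loopback nor private. The hostname is never consulted; only the literal is."""
    out = []
    for h in received_headers:
        ip = received_ip(h)
        if ip is None or should_skip(ip):
            continue
        out.append(ip)
    return out


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        ip = received_ip(h)
        verdict = "no literal" if ip is None else ("skip" if should_skip(ip) else "check")
        print(f"{str(ip):16} {verdict:10} {h[:58]}")
    print("DNSBL candidates:", dnsbl_candidates(SAMPLE_HEADERS))
```

The point of the third sample is the one Kelson's story makes: if the resolver (or a poisoned NSCD) maps "localhost" to something other than 127.0.0.1, a check keyed on the name goes wrong in both directions, while a check keyed on the literal in the header does not.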
Re: HELP: Looking for mac mail server software
Thanks all for the recommendations. I now have SA and postfix running on OS X. Considering my experience with OS X, and linux prior to this, I need to take a bow. grin.

Anyone have a good procmailrc file? From the page that helped a bit: http://developer.apple.com/server/fighting_spam.html

First I noticed there was no /etc/watchdog.conf file - I simply created it. Did I do something wrong there?

Second, my procmail:

LOGFILE=/var/log/procmail   # this can be deleted after testing
VERBOSE=no
HOME=/Users/$USER
DROPPRIVS=yes

# call spamassassin
:0fiw
| spamc

# allow users to create their own recipes
INCLUDERC=$HOME/.procmail

# trash all messages with a very high spam score
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*
/dev/null

# if not told otherwise, deliver all messages to the user's inbox
:0w
| /usr/bin/cyrus/bin/deliver -a $USER -m user/$USER

and local.cf (I can't copy paste between my vnc session on that machine and here, so I may make a typo, but spamassassin --lint runs clean):

rewrite_header Subject *SPAM*
use_bayes 1
bayes_auto_learn 1
required_score 6.00

Yet no messages are marked, and the GTUBE message comes through fine.

Thanks all. :)
Evan
Re: Early Questions
Jay Lee wrote:
> Mark Williams wrote:
>> I have just installed spamassassin v3.0.4 in a test environment (which is a mirror of the live environment) and have a number of questions, which I can not see within the manuals/support documentation. Firstly, this is my configuration:
>>
>> Server: Linux (RH9.0), with spamassassin installed from spamassassin.org web site using make etc (not RPM's). This machine then runs both IMAP and POP3 for clients. MTA is sendmail
>
> Surely you're not going live with a distribution as old and unsupported as RedHat 9! Do you want to become a spam zombie? I urge you strongly to look at moving up to RedHat Enterprise Linux 4, CentOS 4 or a recent Fedora release. Also, you really should stick with the RPMS, it makes management and future upgrades much smoother.

Please don't say things like that. RedHat 9 can be perfectly secure and reliable. I have seen new installs of RedHat turned into IRC Bots overnight by virtue of their poor use of RPMs. I would have good faith in a server running a three year old kernel, locked down by an Admin who built his own sources, and knew his s*t inside and out. I would have no faith in a server that was running the latest distro/RPM/package just because it was the latest.

If you rely on the version number of your distro and the build skills of an unknown party to be the extent of your security awareness, you are certain to end up on someone's RBL.

DAve
SA report fails with Razor2 ?
Hi,

When trying to report spam manually using

# spamassassin -r (mailfile)

I get an error like:

razor2 report failed: No such file or directory Died at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Reporter.pm line 148, <GEN1> line 1.
1 message(s) examined.
Insecure dependency in connect while running with -T switch at /usr/lib/perl5/5.8.0/i386-linux-thread-multi/IO/Socket.pm line 114.

I'm using SA 3.0.4 - any idea why this fails?

Regards,
/Brian
Re: HELP: Looking for mac mail server software
CommuniGate Pro is great; I used it for a number of years. The per-user licensing scheme is rather expensive, though.

On 7/17/05, Jeffrey Lee [EMAIL PROTECTED] wrote:
> try communigate pro
> www.stalker.com
>
> On Jul 16, 2005, at 9:21 PM, Jonathan Nichols wrote:
>> OS X uses Postfix by default (at least it does on my Powerbook running Tiger). While it's not graphical per se, it's not difficult to set up. I'm sure someone out there has written a GUI for it. Check out VersionTracker.
>>
>> Postfix Enabler: http://www.cutedgesystems.com/software/PostfixEnabler/
>>
>> More good stuff here, even some SpamAssassin on OS X articles! :) http://www.afp548.com/
DNS failing... why? (works fine on cmd line)
I have a new spamd instance I am trying to start up on a server that sits behind another firewall (linux) machine (which I *think* is irrelevant, but that's the only different thing from our other setups that work fine) that is somehow missing DNS connections:

'''
debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.51
debug: trying (3) motorola.com...
debug: looking up NS for 'motorola.com'
debug: NS lookup of motorola.com failed horribly => Perhaps your resolv.conf isn't pointing at a valid server?
debug: All NS queries failed => DNS unavailable (set dns_available to override)
debug: is DNS available? 0
'''

However, when I telnet to port 53 of one of the IP addresses given in /etc/resolv.conf, it works just fine:

'''
[EMAIL PROTECTED] cat /etc/resolv.conf
nameserver 123.456.7.8
nameserver 987.654.1.1
[EMAIL PROTECTED] telnet 123.456.7.8 53
Trying 123.456.7.8...
Connected to 123.456.7.8.xxx.yyy.net (123.456.7.8).
Escape character is '^]'.
quit
Connection closed by foreign host.
'''

So, is spamd trying to dig the NS of motorola.com? That works on the command line too:

'''
[EMAIL PROTECTED] dig ns motorola.com

; <<>> DiG 9.2.5 <<>> ns motorola.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24784
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;motorola.com.                  IN      NS

;; ANSWER SECTION:
motorola.com.           3594    IN      NS      motgate.mot.com.
motorola.com.           3594    IN      NS      ftpbox.mot.com.
motorola.com.           3594    IN      NS      dns31.mot.com.
motorola.com.           3594    IN      NS      dns11.mot.com.
motorola.com.           3594    IN      NS      motgate.motorola.de.

;; Query time: 3 msec
;; SERVER: 123.456.7.8#53(123.456.7.8)
;; WHEN: Tue Jul 19 13:14:17 2005
;; MSG SIZE  rcvd: 150
'''

So does this mean that it's actually an issue with Net::DNS or Net::DNS::Resolver? They are about as up to date as they get I think (Net::DNS .52 is out now, but I don't really think that's going to fix it...?). What should I look at next?
What is spamd doing that I am not doing on the command line???

TIA!
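The trace shows spamd deciding DNS is unavailable because its NS probes got no answer, while the telnet test only proves that TCP port 53 accepts connections; Net::DNS::Resolver sends ordinary queries over UDP, which a firewall can block independently of TCP. The added Python below (not Net::DNS and not SpamAssassin code) builds the same kind of NS query by hand, sends it over UDP to a resolver of your choosing, and applies the trace's "all probes failed" decision. build_query, parse_header, probe_udp and dns_available are names chosen for the example, and the reply bytes used in its checks are constructed.

```python
import socket
import struct
from typing import Dict, List, Optional

QTYPE_NS = 2    # the record type the debug trace asks for
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_NS, txid: int = 0x1234) -> bytes:
    """One-question DNS query with the RD bit set, built by hand."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        qname += struct.pack("B", len(raw)) + raw
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(packet: bytes) -> Dict[str, int]:
    """Decode the 12-byte header: transaction id, QR bit, RCODE, answer count."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "is_response": (flags >> 15) & 1,
            "rcode": flags & 0x000F, "answers": an}


def probe_udp(nameserver: str, name: str, timeout: float = 3.0) -> Optional[Dict[str, int]]:
    """Send the query over UDP/53 and return the parsed reply header, or None on
    timeout or socket error. A telnet to TCP/53 succeeding says nothing about this path."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (nameserver, 53))
            data, _peer = s.recvfrom(512)
        except OSError:   # socket.timeout is an OSError subclass
            return None
    hdr = parse_header(data)
    # Ignore a reply whose transaction id does not match the one we sent.
    return hdr if hdr["id"] == parse_header(query)["id"] else None


def probe_succeeded(hdr: Optional[Dict[str, int]]) -> bool:
    """A usable answer: a response packet, RCODE 0, at least one answer record."""
    return (hdr is not None and hdr["is_response"] == 1
            and hdr["rcode"] == 0 and hdr["answers"] > 0)


def dns_available(results: List[Optional[Dict[str, int]]]) -> bool:
    """Same decision as the trace: DNS counts as available if any probe succeeded."""
    return any(probe_succeeded(r) for r in results)


if __name__ == "__main__":
    import sys
    # Pass one of the resolver addresses from /etc/resolv.conf; 127.0.0.1 is only a default.
    ns = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    domains = ("motorola.com", "example.com")
    results = [probe_udp(ns, d) for d in domains]
    for d, r in zip(domains, results):
        print(f"NS {d} via {ns} udp/53: {r if r else 'no reply (timeout or blocked)'}")
    print("DNS available:", dns_available(results))
```

Run it from the spamd host against each nameserver in resolv.conf; a timeout here with a working telnet to port 53 points at UDP being filtered somewhere between the two machines rather than at Net::DNS itself.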
Re: DNS failing... why? (works fine on cmd line)
net.dns 0.51 is known to have various problems with SA, most or all of which are fixed in version 52. Or 49, for that matter. I don't recall if this is one of them, but it might be worth the test to see. Loren
Re: ruleset for antidrug.cf
On Tue, 2005-07-19 at 21:34, Matt Kettler wrote:
> Ramprasad A Padmanabhan wrote:
>> Hi list,
>> Our servers are frequently getting spam mails with taablets , or ta.blets in the subject. I run rules_du_jour regularly, I am surprised there is no ruleset for catching this kind of subjects
>>
>> /\bta+\.?b(let)?s\b/
>>
>> Has someone already a ruleset for this
>
> One problem with the above regex.. it will match tablets or tabs in an un-obfuscated form.

I think that is OK in the subject. A subject with tablets, even unobfuscated, still deserves a score around 1.

Thanks
Ram
--
Netcore Solutions Pvt. Ltd.
Website: http://www.netcore.co.in
Spamtraps: http://cleanmail.netcore.co.in/directory.html
--