Re: Procmail for site wide usage
There generally is no specific procmail log file. It is generally in one of the mail log files in /var/log/wherever. {^_^} - Original Message - From: Thomas Arend [EMAIL PROTECTED]
Re: Procmail for site wide usage
You are developing a severe stutter. {o.o} - Original Message - From: Thomas Arend [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: 2005 July, 21, Thursday 20:40 Subject: Re: Procmail for site wide usage
Re: URIDNSBL and subdomains
On Thu, 21 Jul 2005, Loren Wilton wrote:

> Sounds like an surbl problem if spamsite.com isn't listed.

That's just an example I made up... :)

> The leading subdomains are supposed to be trimmed off, since they are usually identifying strings for a given spam target rather than an actual part of the target name.

OK, so that's supposed to happen. Is there any way to have the entire host checked? I've seen a good volume of junk where the domain is clean, but if I do a manual lookup on the entire hostname in the spam it is indeed listed.

Thanks, Charles

> There are a few cases where things go to three levels rather than just two, but they are exceptions.
>
> Loren
>
> - Original Message - From: Charles Sprickman [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Thursday, July 21, 2005 7:28 PM Subject: URIDNSBL and subdomains
>
> Hello, I've been watching some of the misses that have passed through spamassassin (3.0.4) lately and they are pretty clean; no DNS BL hits, etc. One thing I did notice is that many of them have a fairly contorted URL for the spamvertized products, ie: kjekliennxiffiennnkenc.spamsite.com This doesn't trigger any URIDNSBL hits, but if I punch the entire URI into the surbl.org checker it does hit. It seems as if the SA check is looking only at the domain part and not the subdomain. Is this expected? Is there a switch to flip to get the whole hostname checked?
>
> Thanks, Charles

___ Charles Sprickman NetEng/SysAdmin Bway.net - New York's Best Internet - www.bway.net [EMAIL PROTECTED] - 212.655.9344
Re: Procmail for site wide usage
Never mind - Earthlink had an email stick in its craw or else Fetchmail did not like it at all. {^_^} - Original Message - From: jdow [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: 2005 July, 21, Thursday 23:16 Subject: Re: Procmail for site wide usage You are developing a severe stutter. {o.o} - Original Message - From: Thomas Arend [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: 2005 July, 21, Thursday 20:40 Subject: Re: Procmail for site wide usage
Re: URIDNSBL and subdomains
> OK, so that's supposed to happen. Is there any way to have the entire host checked? I've seen a good volume of junk where the domain is clean, but if I do a manual lookup on the entire hostname in the spam it is indeed listed.

I *suspect* what is happening here is that the domain isn't in surbl when the mail comes through, but it is 15 minutes later when you check. The alternative is that there is a difference in the two-level/three-level split decision between SA 3.0.4 and surbl. Neither works with the full domain; that was a decision from the start at surbl.

The split is based on the tail of the domain name. It is (I think) a little more than the TLD that goes into the decision, but that is the basic concept. For instance, dribble.spammy.com will only check spammy.com. dribble.spammy.co.uk will check spammy.co.uk. The idea is to find the real host name denuded of any directory names.

Sometimes this will deliberately miss a spamsite. For instance, myspamsite.yahoo.com will not be listed, because yahoo.com isn't a pure spam host. Instead, a request will be sent to Yahoo to get the site removed.

Jeff will likely be along sooner or later and can give considerably more detail on how all of this really works.

Loren
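Added example (not part of the original thread, and not SpamAssassin or SURBL code): a simplified sketch of the two-level/three-level trimming described in the message above, showing which names a URI blocklist check would end up querying. The suffix set, the `example.*` hostnames, and the default zone argument are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of suffixes where registrations happen at the third level.
# A real deployment would load a maintained list; this short set is an assumption.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registered_domain(host, two_level=TWO_LEVEL_SUFFIXES):
    """Trim leading labels so only the registrable domain remains."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None  # bare hostname, nothing to look up
    keep = 3 if ".".join(labels[-2:]) in two_level else 2
    if len(labels) < keep:
        return None  # the host is itself a suffix such as "co.uk"
    return ".".join(labels[-keep:])


def lookup_names(body, zone="multi.surbl.org"):
    """Return the DNS names a URI blocklist check would query for a message body."""
    names = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if not host or re.fullmatch(r"[\d.]+", host):
            continue  # skip empty hosts and dotted-quad IPs (not covered here)
        domain = registered_domain(host)
        if domain:
            name = f"{domain}.{zone}"
            if name not in names:  # many random subdomains collapse to one query
                names.append(name)
    return names


# Constructed message body; the random-looking label mimics the one in the thread.
SAMPLE_BODY = """Buy now http://kjekliennxiffiennnkenc.example.com/offer
or http://dribble.example.co.uk/x and http://other.example.com/"""

if __name__ == "__main__":
    for name in lookup_names(SAMPLE_BODY):
        print(name)
```

Because every random subdomain collapses to the same registrable domain, a listing for the full hostname only would not be hit by this style of lookup.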
Re: Procmail for site wide usage
On Friday, 22 July 2005 08:15, jdow wrote:

> There generally is no specific procmail log file. It is generally in one of the mail log files in /var/log/wherever.

Yes. But you can create a user-specific log file with LOGFILE=$HOME/.procmail.log

Thomas -- icq:133073900 http://www.t-arend.de
Bayes poisoning ?
Hi

We are using Spamassassin + Postfix + Mailscanner on our SMTP servers. Of late I have noticed that a lot of ham mails are getting a high BAYES score. I have overridden bayes with lower scores in order to avoid false positives (and possibly mail loss).

How do I de-poison the bayes database, and are there any ways to avoid bayes poisoning?

Thanks
Ram

-- Netcore Solutions Pvt. Ltd. Website: http://www.netcore.co.in Spamtraps: http://cleanmail.netcore.co.in/directory.html --
Re: Bayes poisoning ?
The best thing to do is probably throw the current database away and start over. As you seem to have several users, you should have bayes working again within a very few hours, or less.

You should delete the current database, reset the scores to normal (and increase the bayes_99 score to something around 4 if you aren't using 3.0.4), and then manually train Bayes on a few hundred known ham and spam before letting autolearning take over.

The other thing you should do is decrease bayes autolearn ham threshold to 0 or even -.1 or so. By default it is too high, and will far too often lead to bayes poisoning if the state of the database isn't watched carefully. You may also want to take the bayes autolearn spam threshold up to a higher value than it has by default; although this usually isn't required.

Loren
Re: URIDNSBL and subdomains
...

> On Thu, 21 Jul 2005, Loren Wilton wrote:
>
>> Sounds like an surbl problem if spamsite.com isn't listed.
>
> That's just an example I made up... :)

...

Bad choice of example: spamsite.com is an actual spamsite. The domain example.com is reserved for exactly this type of usage and should generally be used when speaking of generic domains; Also, the notation domain.tld is well understood to be an example of a generic domain also.

In general listing the real site causing problems is good for everyone else on the list - some will block it, others will take more extreme action: Letting everybody know is only rarely a bad thing.

Paul Shupak [EMAIL PROTECTED]
Detecting ISO Encoded Subjects
A lot of my spam lately has had an ISO encoded subject line, like:

    =?iso-8859-1?B?T2ZmaWNlIHNvZnR3YXJlIC0gNzUlIE9GRg==?=

Since none of my friends ever use ISO encoded subject lines, I wanted to create a rule to flag those messages. However, everything I've found indicates that Spamassassin tests the decoded subject line, not the raw subject line. I've tried:

    header SUBJECT_ISO_ENCODED Subject =~ /=?iso-8859/i

but that doesn't seem to work.

Is there any way I can run a rule on the raw header to detect whether or not it's encoded? If so, could you please show me how?

TIA.

Joseph D. Wagner
Re: Detecting ISO Encoded Subjects
On Friday, July 22, 2005 at 12:32:34 PM, [EMAIL PROTECTED] confabulated:

> A lot of my spam lately has had an ISO encoded subject line, like:
>
>     =?iso-8859-1?B?T2ZmaWNlIHNvZnR3YXJlIC0gNzUlIE9GRg==?=
>
> Since none of my friends ever use ISO encoded subject lines, I wanted to create a rule to flag those messages. However, everything I've found indicates that Spamassassin tests the decoded subject line, not the raw subject line. I've tried:
>
>     header SUBJECT_ISO_ENCODED Subject =~ /=?iso-8859/i
>
> but that doesn't seem to work.

From a previous message to the list I dug up:

header RULE_NAME HeaderName:raw ~=//. (3.0.0 or higher) Checks header without any QP or base64 decoding. Best for looking for illegal unencoded characters in...

> Is there any way I can run a rule on the raw header to detect whether or not it's encoded? If so, could you please show me how? TIA. Joseph D. Wagner

--- Duane Hill | Network Operations - YourNetPlus.Com, Inc. | E-mail Administrator - [EMAIL PROTECTED] --- This message is made of 100% recycled electrons.
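Added example (not part of the original thread, and not SpamAssassin code): a Python sketch of why the check has to run on the raw header, using the Subject value quoted above. It also shows that the unescaped `?` in the attempted pattern makes the `=` optional, so that pattern matches any subject that merely mentions the charset name; the function names and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header

# RFC 2047 encoded-word: =?charset?encoding?text?=  (each '?' must be escaped)
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bq])\?([^?\s]*)\?=", re.IGNORECASE)
# The pattern as tried in the thread: '=?' here means "an optional '='".
LOOSE = re.compile(r"=?iso-8859", re.IGNORECASE)


def raw_subject(raw_message):
    """Subject exactly as transmitted (the default policy leaves it undecoded)."""
    return message_from_string(raw_message)["Subject"] or ""


def decoded_subject(raw_message):
    """Subject after RFC 2047 decoding, i.e. what a plain header rule sees."""
    out = []
    for part, charset in decode_header(raw_subject(raw_message)):
        if isinstance(part, bytes):
            part = part.decode(charset or "ascii", "replace")
        out.append(part)
    return "".join(out)


def subject_charsets(raw_message):
    """Charsets of all encoded-words found in the raw Subject header."""
    return [m.group(1).lower() for m in ENCODED_WORD.finditer(raw_subject(raw_message))]


# Constructed sample messages; the first Subject is the one quoted in the thread.
ENCODED = (
    "From: sender@example.com\n"
    "Subject: =?iso-8859-1?B?T2ZmaWNlIHNvZnR3YXJlIC0gNzUlIE9GRg==?=\n"
    "\n"
    "body\n"
)
PLAIN = "From: friend@example.com\nSubject: Re: iso-8859-1 vs utf-8\n\nbody\n"

if __name__ == "__main__":
    for label, msg in (("encoded", ENCODED), ("plain", PLAIN)):
        print(label, repr(decoded_subject(msg)), subject_charsets(msg),
              bool(LOOSE.search(raw_subject(msg))))
```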
Re: Procmail for site wide usage
Mark Williams [EMAIL PROTECTED] wrote:

> (Q) Given that this RH machine runs only POP3 (management will not allow anything else)

This is really the key - from a SA standpoint, the best you can do is mark the message as spam and let the MUA (Outlook) deal with putting things into the proper folders on the user's machine (in the .pst file).

I don't know OL well enough, but I suspect that there is likely a registry hack you can do or a rule you can create that the users can import that will look at the headers and put the message into the proper folders.

-- Chris Barnes AOL IM: CNBarnes [EMAIL PROTECTED] Yahoo IM: chrisnbarnes
behavior with amavisd-new-20030616-p10
Hi,

I would like to know if there's some special feature that needs to be enabled/disabled in order to work 100% compliant with amavis.

In my actual installation (Exim 4.50 + amavisd-new-20030616-p10 + ClamAV 0.86 + SpamAssassin 3.0 on a Debian Sarge platform) the MTA passes the email to amavis that checks for antivirus correctly but about the spam checks and its behavior I'm not sure that all works fine.

I can see in the amavis logs that the spam checks are being made but no headers are added to the body of the email before being delivered to the user Mailbox. These X-Headers are for me quite important because further tasks are based on those headers.

For example, I can see that an email is classified above the spam limit (11 points) and the message is delivered anyway. Seems that the interaction between MTA and amavis is not good, or between SA and amavis is not good maybe.

Any ideas will be welcomed.

Thanks in advance,
jonathan
Re: behavior with amavisd-new-20030616-p10
Jonathan Gonzalez wrote:

> Hi, I would like to know if there's some special feature that needs to be enabled/disabled in order to work 100% compliant with amavis. In my actual installation (Exim 4.50 + amavisd-new-20030616-p10 + ClamAV 0.86 + SpamAssassin 3.0 on a Debian Sarge platform) the MTA passes the email to amavis that checks for antivirus correctly but about the spam checks and its behavior I'm not sure that all works fine. I can see in the amavis logs that the spam checks are being made but no headers are added to the body of the email before being delivered to the user Mailbox. These X-Headers are for me quite important because further tasks are based on those headers.

Amavis does its own message tagging, and does not keep SA's markups. It consults spamassassin merely as a scanner.

I'm not an amavis expert, so I can't tell you how, but I can tell you that it's amavis you need to reconfigure if you want these added, as only amavis will generate them.
Re: behavior with amavisd-new-20030616-p10
Matt Kettler wrote:

> Amavis does its own message tagging, and does not keep SA's markups. It consults spamassassin merely as a scanner. I'm not an amavis expert, so I can't tell you how, but I can tell you that it's amavis you need to reconfigure if you want these added, as only amavis will generate them.

As a follow-up to myself, I found it in the amavis FAQ: http://www.ijs.si/software/amavisd/#faq-spam

Amavis ONLY adds the x-spam-* headers when the score is above the tag level.

Note that tag level isn't when amavis considers a message to be spam, that's tag2 level (brilliantly clear, no?)
Re: behavior with amavisd-new-20030616-p10 - SOLVED!
:-) Funny! I have been reading, quite quick :) and have found the error. It was an error of mine. I didn't populate a variable with my domains, because such variable indicates amavis to put or not put the X headers. The variable is

    @local_domains_acl = qw( .example.com .example2.com );

Once populated X-headers started to be written.

Thanks for your help :)

BR,
jonathan

Matt Kettler wrote:

> Matt Kettler wrote:
>
>> Amavis does its own message tagging, and does not keep SA's markups. It consults spamassassin merely as a scanner. I'm not an amavis expert, so I can't tell you how, but I can tell you that it's amavis you need to reconfigure if you want these added, as only amavis will generate them.
>
> As a follow-up to myself, I found it in the amavis FAQ: http://www.ijs.si/software/amavisd/#faq-spam
>
> Amavis ONLY adds the x-spam-* headers when the score is above the tag level.
>
> Note that tag level isn't when amavis considers a message to be spam, that's tag2 level (brilliantly clear, no?)
Re: Procmail for site wide usage
Chris Barnes wrote:

> This is really the key - from a SA standpoint, the best you can do is mark the message as spam and let the MUA (Outlook) deal with putting things into the proper folders on the user's machine (in the .pst file). I don't know OL well enough, but I suspect that there is likely a registry hack you can do or a rule you can create that the users can import that will look at the headers and put the message into the proper folders.

No need for registry hacks, depending on how you flag the message. Both Outlook and Outlook Express will filter on words in the subject, so a subject tag will work easily (Tools-Message Rules). I'm not familiar enough to know whether you can filter on an arbitrary header, though.

-- Kelson Vibber SpeedGate Communications www.speed.net
Verify using SARE updates
I used an update script from SARE (www.rulesemporium.com) and subscribed to the following lists: TRIPWIRE, EVILNUMBERS, SARE_RANDOM, SARE_FRAUD, SARE_ADULT, ANTIDRUG

Now the update seems to work just fine. And I find the rules in /etc/spamassassin. But how can I be sure they are working? I mean I haven't seen a real increase in positive identifications. And some things that I think would be caught by some of these rules (although I haven't looked through them) get through undetected.

Or perhaps there are some other rules I should consider implementing and some of these that I should consider removing?

Thanks for any input.

Curtis
www.rulesemporium.com unreachable
Hi, http connections to www.rulesemporium.com are timing out here. Maybe someone in charge is reading this and can fix it ... regards, wolfgang
Re: www.rulesemporium.com unreachable
At 12:58 PM Friday, 7/22/2005, wolfgang wrote -=

> Hi, http connections to www.rulesemporium.com are timing out here. Maybe someone in charge is reading this and can fix it ...

This seems to happen once in a while... I wonder if it's ISP related?

Ed Kasky ~ Randomly Generated Quote (454 of 480): Warranty and guarantee clauses are voided by payment of the invoice.
Re: www.rulesemporium.com unreachable
wolfgang wrote:

> Hi, http connections to www.rulesemporium.com are timing out here. Maybe someone in charge is reading this and can fix it ... regards, wolfgang

There seems to be an issue with the filesystem on that box. Email sent to the appropriate people, but it looks like a manual power cycle will be necessary.