Re: DNS failing... why? (works fine on cmd line)
All,

Thank you to everyone who replied on this thread. FWIW, the issue was in fact with Net::DNS. I actually had previously had contact with him regarding other problems, but 0.51 was working for me on another system, so I was a little surprised that this was the fix. I upgraded to the newest (0.53) and the problem has gone away.

Thanks everyone!

email builder [EMAIL PROTECTED] wrote:

I have a new spamd instance I am trying to start up on a server that sits behind another firewall (linux) machine (which I *think* is irrelevant, but that's the only different thing from our other setups that work fine) that is somehow missing DNS connections:

'''
debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.51
debug: trying (3) motorola.com...
debug: looking up NS for 'motorola.com'
debug: NS lookup of motorola.com failed horribly = Perhaps your resolv.conf isn't pointing at a valid server?
debug: All NS queries failed = DNS unavailable (set dns_available to override)
debug: is DNS available? 0
'''

However, when I telnet to port 53 of one of the IP addresses given in /etc/resolv.conf, it works just fine:

'''
[EMAIL PROTECTED] cat /etc/resolv.conf
nameserver 123.456.7.8
nameserver 987.654.1.1
[EMAIL PROTECTED] telnet 123.456.7.8 53
Trying 123.456.7.8...
Connected to 123.456.7.8.xxx.yyy.net (123.456.7.8).
Escape character is '^]'.
quit
Connection closed by foreign host.
'''

So, is spamd trying to dig the NS of motorola.com? That works on the commandline too:

'''
[EMAIL PROTECTED] dig ns motorola.com
; DiG 9.2.5 ns motorola.com
;; global options: printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 24784
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;motorola.com. IN NS
;; ANSWER SECTION:
motorola.com. 3594 IN NS motgate.mot.com.
motorola.com. 3594 IN NS ftpbox.mot.com.
motorola.com. 3594 IN NS dns31.mot.com.
motorola.com. 3594 IN NS dns11.mot.com.
motorola.com. 3594 IN NS motgate.motorola.de.
;; Query time: 3 msec
;; SERVER: 123.456.7.8#53(123.456.7.8)
;; WHEN: Tue Jul 19 13:14:17 2005
;; MSG SIZE rcvd: 150
'''

So does this mean that it's actually an issue with Net::DNS or Net::DNS::Resolver? They are about as up to date as they get I think (Net::DNS .52 is out now, but I don't really think that's going to fix it...?).

What should I look at next? What is spamd doing that I am not doing on the command line???

TIA!
Please test sc2.surbl.org (and xs.surbl.org)
sc2.surbl.org, the improved version of the SpamCop SURBL list, is ready for testing. So is the new version of xs.surbl.org, which is now more accurate, has far fewer FPs, etc.

sc2 adds resolved IP checks, meaning sites hosted on the same networks are detected immediately upon the first report. It also means that folks should continue to use SpamCop reporting if they want to contribute to a very powerful SURBL list. Your SpamCop reports now have even more power in sc2. In cases of the worst spammers, SpamCop reporting leads to essentially immediate listing in sc2.

sc2 is on about 15 public nameservers and xs is on 22. That's probably not enough for running large production servers on, but it should be plenty for corpus checks and mail servers with small to medium message volumes. If you have rsync access to the SURBL zone files you can also mirror the files locally for testing of course. The sc2 and xs zones are currently available via rsync. (If you have a large volume mail server, please apply for rsync access so that you can mirror the zone files locally: http://www3.surbl.org/rsync-signup.html and offload the public nameservers.)

After sc2 is tested for a while we will turn it into the production sc.surbl.org list, assuming it has better performance than the current list, which seems quite likely. At that point sc2 will go away, since it will have become sc. xs may go into the 128th bit of multi.surbl.org if it tests well.

Please test sc2 and the revised xs and let us know how they perform for you. Those with large spam and ham corpora (such as the SpamAssassin developers) are encouraged to test and please let us know.

Here are SpamAssassin 3.0.1 and later configs for using these two lists:

urirhsbl URIBL_SC2_SURBL sc2.surbl.org.
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0

urirhsbl URIBL_XS_SURBL xs.surbl.org.
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0

SpamAssassin 2.64 rules and scores using SpamCopURI 0.22 or later look like this:

uri SC2_URI_RBL eval:check_spamcop_uri_rbl('sc2.surbl.org','127.0.0.2')
describe SC2_URI_RBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags SC2_URI_RBL net
score SC2_URI_RBL 3.0

uri XS_URI_RBL eval:check_spamcop_uri_rbl('xs.surbl.org','127.0.0.2')
describe XS_URI_RBL Has URI in XS - Testing
tflags XS_URI_RBL net
score XS_URI_RBL 2.0

Jeff C.
-- 
Don't harm innocent bystanders.
Re: Please test sc2.surbl.org (and xs.surbl.org)
From: Jeff Chan [EMAIL PROTECTED]

Is this correct as amended? I added the TXT strings

Here are SpamAssassin 3.0.1 and later configs for using these two lists:

urirhsbl URIBL_SC2_SURBL sc2.surbl.org. TXT
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0

urirhsbl URIBL_XS_SURBL xs.surbl.org. TXT
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0

This passes lint, at least.

{^_^}
Re: Please test sc2.surbl.org (and xs.surbl.org)
On Monday, July 25, 2005, 12:33:08 AM, jdow jdow wrote:

From: Jeff Chan [EMAIL PROTECTED]

Is this correct as amended? I added the TXT strings

Here are SpamAssassin 3.0.1 and later configs for using these two lists:

Please try:

urirhsbl URIBL_SC2_SURBL sc2.surbl.org. A127.0.0.2
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0

urirhsbl URIBL_XS_SURBL xs.surbl.org.A127.0.0.2
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0

Jeff C.
-- 
Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: Please test sc2.surbl.org (and xs.surbl.org)
jdow wrote:

From: Jeff Chan [EMAIL PROTECTED]

Is this correct as amended? I added the TXT strings

Here are SpamAssassin 3.0.1 and later configs for using these two lists:

urirhsbl URIBL_SC2_SURBL sc2.surbl.org. TXT
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0

urirhsbl URIBL_XS_SURBL xs.surbl.org. TXT
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0

This passes lint, at least.

{^_^}

Another --lint test pass on this one, and both Jeff's variants fail to parse on SA 3.0.4 for me.

-- 
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300
Re: spamc doesn't add headers
On Monday 25 July 2005 01:05, jdow wrote:

christophe, you DO know that cat spam merely prints out your raw spam file so it should not have any markup in it. If you want to view a permanent marked up file you need to run:

spamc spam spam_marked_up

Or something like that. Remember that spamc takes stdin, filters, and feeds back out stdout. So spamc spam is not saving anything to the spam file.

OK thanks jdow and Theo.

I am sorry to be so naive but I thought that inserting a line like:

add_header spam Flag _YESNOCAPS_

in the /etc/mail/spamassassin/local.cf file would say to spamc to insert the proper flag in the spam file. Actually this is what I need spamc to do so that kmail (my mail client) treats the spam properly. As I read to do so in many tutorials on the internet, I put 2 filters:

- 1st one is applying spamc on every mail 250kB
- 2nd one is detecting the presence of X-Spam-Flag: YES in a message

So I do _need_ spamc to insert this flag in the message. But the problem is that in kmail(1.7.1) I don't know the name of the command 'spamc spam spam_marked_up' will not work. I read kmail documentation, and whatever I do it doesn't get this output. Now it's a kmail problem.

Thanks for your help.

-- 
Christophe
Re: Please test sc2.surbl.org (and xs.surbl.org)
OK the prior rules were still wrong. These will work:

urirhsbl URIBL_SC2_SURBL sc2.surbl.org. A
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0

urirhsbl URIBL_XS_SURBL xs.surbl.org. A
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0

Lints just fine on our SA3 with A and no addresses or numbers. (A is preferred over TXT.)

Note that we're using urirhsbl not urirhssub since sc2.surbl.org and xs.surbl.org are standalone lists (for testing) and not part of multi.surbl.org.

These lists will eventually go away as standalone lists, to very likely go into multi instead. Then you'll need to delete the sc2 rule and change xs to urirhssub and multi. We'll send an official announcement on the SURBL announcement list when this actually happens:

http://lists.surbl.org/mailman/listinfo/announce

Until then, please test sc2 and xs and let us know how they work for you.

Jeff C.
-- 
Don't harm innocent bystanders.
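The difference between a standalone list (urirhsbl: any A record for domain.zone is a hit) and a combined list (urirhssub: the returned address is matched against a subtest) can be seen in the following sketch. It is an added example, not code from SpamAssassin or SURBL: the stub resolver, its zone data and the *.example domains are constructed, reducing a host name to its last two labels is a simplification, and applying a decimal subtest to the last octet of the answer is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed zone data standing in for DNS answers (no network access).
# 127.0.0.130 = bits 2 and 128 set in the last octet.
CONSTRUCTED_ZONE = {
    "spam-shop.example.sc2.surbl.org": ["127.0.0.2"],
    "spam-shop.example.multi.surbl.org": ["127.0.0.130"],
}


def stub_resolver(name):
    """Return the A records for name; an empty list models NXDOMAIN."""
    return CONSTRUCTED_ZONE.get(name, [])


def uri_domains(body):
    """Extract the domains to query from the URIs in a message body.

    Simplification: keeps the last two labels of the host name. A real
    implementation needs a list of two-level TLDs and must handle
    IP-literal hosts, which are skipped here.
    """
    domains = []
    for url in URL_RE.findall(body):
        try:
            host = (urlsplit(url).hostname or "").rstrip(".").lower()
        except ValueError:          # malformed URL
            continue
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            continue                # IP literal, not handled in this sketch
        except ValueError:
            pass
        domain = ".".join(host.split(".")[-2:])
        if domain not in domains:
            domains.append(domain)
    return domains


def subtest_matches(address, subtest):
    """Dotted-quad subtest: exact match. Decimal subtest: bitmask,
    applied here to the last octet of the answer (assumption)."""
    if "." in subtest:
        return address == subtest
    return bool(int(address.rsplit(".", 1)[1]) & int(subtest))


def check_uridnsbl(body, zone, resolver, subtest=None):
    """subtest=None models urirhsbl; a subtest string models urirhssub."""
    zone = zone.rstrip(".")
    hits = []
    for domain in uri_domains(body):
        answers = resolver(f"{domain}.{zone}")
        if subtest is None:
            listed = bool(answers)
        else:
            listed = any(subtest_matches(a, subtest) for a in answers)
        if listed:
            hits.append(domain)
    return hits


# Constructed message body with one listed and one unlisted domain.
BODY = ("Cheap pills at http://www.spam-shop.example/buy?id=1 "
        "and our newsletter at https://news.good-site.example/")

if __name__ == "__main__":
    print(check_uridnsbl(BODY, "sc2.surbl.org.", stub_resolver))
    print(check_uridnsbl(BODY, "multi.surbl.org.", stub_resolver, "128"))
    print(check_uridnsbl(BODY, "multi.surbl.org.", stub_resolver, "64"))
```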
Re: spamc doesn't add headers
On Monday, 25 July 2005 10:50, christophe wrote:

On Monday 25 July 2005 01:05, jdow wrote:

christophe, you DO know that cat spam merely prints out your raw spam file so it should not have any markup in it. If you want to view a permanent marked up file you need to run:

spamc spam spam_marked_up

Or something like that. Remember that spamc takes stdin, filters, and feeds back out stdout. So spamc spam is not saving anything to the spam file.

OK thanks jdow and Theo.

I am sorry to be so naive but I thought that inserting a line like:

add_header spam Flag _YESNOCAPS_

in the /etc/mail/spamassassin/local.cf file would say to spamc to insert the proper flag in the spam file. Actually this is what I need spamc to do so that kmail (my mail client) treats the spam properly. As I read to do so in many tutorials on the internet, I put 2 filters:

- 1st one is applying spamc on every mail 250kB
- 2nd one is detecting the presence of X-Spam-Flag: YES in a message

So I do _need_ spamc to insert this flag in the message. But the problem is that in kmail(1.7.1) I don't know the name of the command 'spamc spam spam_marked_up' will not work. I read kmail documentation, and whatever I do it doesn't get this output. Now it's a kmail problem.

Thanks for your help.

I use

spamassassin -d | spamc

as a filter in kmail. The first part deletes all previous markup and then spamc checks the mail. You need no redirection in kmail.

Thomas
-- 
icq:133073900 http://www.t-arend.de
Bogus MS 'critical update'
I have just had a bogus Microsoft update slip through the net. Is there a rule to combat these? In any case, here's the info in case it's of use:

From: MS Technical Services [EMAIL PROTECTED]
Subject line: Newest Microsoft Critical Pack
The attachment was Upgrade9591.exe

Here's the body, minus HTML formatting:

Microsoft
All Products | Support | Search | Microsoft.com Guide
Microsoft Home

MS Customer

this is the latest version of security update, the July 2005, Cumulative Patch update which eliminates all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three newly discovered vulnerabilities. Install now to continue keeping your computer secure from these vulnerabilities, the most serious of which could allow an malicious user to run executable on your computer. This update includes the functionality of all previously released patches.

System requirements
Windows 95/98/Me/2000/NT/XP

This update applies to
MS Internet Explorer, version 4.01 and later
MS Outlook, version 8.00 and later
MS Outlook Express, version 4.01 and later

Recommendation
Customers should install the patch at the earliest opportunity.

How to install
Run attached file. Choose Yes on displayed dialog box.

How to use
You don't need to do anything after installing this item.

Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site, or Contact Us.

Thank you for using Microsoft products.

Please do not reply to this message. It was sent from an unmonitored e-mail address and we are unable to respond to any replies.

The names of the actual companies and products mentioned herein are the trademarks of their respective owners.

Contact Us | Legal | TRUSTe
C2005 Microsoft Corporation. All rights reserved. Terms of Use | Privacy Statement | Accessibility
Parsing of uncoded UTF-8 message
I have messages that give this error from sa-learn. SA is 3.0.4. Perl is 5.8.7. HTML-Parser is 3.45

Parsing of undecoded UTF-8 will give garbage when decoding entities at /opt/csw/share/perl/csw/Mail/SpamAssassin/HTML.pm line 182.

Attached is an example, which is ham.

The HTML::Parser man page says something about passing utf8 to p-parse, or some such, but I do not understand what this means. Is there a patch to SA to fix this?

If it matters, here is my locale settings. I tried with LC_ALL=C and that did not help.

[EMAIL PROTECTED] tmp]# locale
LANG=
LC_CTYPE=C
LC_NUMERIC=C
LC_TIME=C
LC_COLLATE=C
LC_MONETARY=C
LC_MESSAGES=C
LC_ALL=

Thanks,
Alex
Re: ALL_TRUSTED appearing on spam
mouss wrote:

John T. Yocum wrote:

Hello,

I've recently noticed that a lot of spam is getting through SpamAssassin, and it's getting the ALL_TRUSTED test listed on it. The issue with that is, I only have one IP trusted, and that's my own mail server.

snip from local.cf
# Trusted Networks
trusted_networks 69.25.118.171
/snip

As you can see in the below set of headers the message came from 218.222.75.209. Yet, it's trusted.

Return-Path: [EMAIL PROTECTED]
Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp [218.222.75.209]) by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331 for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700

My understanding (but I may be wrong) is that ALL_TRUSTED means all received headers are trusted, which seems the case. It doesn't mean the origin client is trusted.

You are incorrect mouss. It does in fact mean that all hosts involved are trusted hosts. Well, it actually means there are no untrusted hosts, but unless there's an unparseable header it's the same thing.

Suggestions:

1) add a /32 to the end of your trusted networks statement. The docs SAY it will work without a netmask, but my experience with 2.6x is that it did not work, so I always specify a mask.

2) the other causes when SA fails to be able to parse the Received: headers. That header looks normal to me, but try running the message through spamassassin -D and see what SA has to say about the Received: path in its debug output.
Bogus MS 'critical update' - PANIC OVER
Apologies - just noticed that the mail was picked up from a third party server, not our in-house one, and was dumped into the wrong folder due to an Outlook rules error. I've just tried sending an .exe through our mail server and it was blocked. NK
Re: Parsing of uncoded UTF-8 message
Alex S Moore wrote:

I have messages that give this error from sa-learn. SA is 3.0.4. Perl is 5.8.7. HTML-Parser is 3.45

Parsing of undecoded UTF-8 will give garbage when decoding entities at /opt/csw/share/perl/csw/Mail/SpamAssassin/HTML.pm line 182.

Attached is an example, which is ham.

The HTML::Parser man page says something about passing utf8 to p-parse, or some such, but I do not understand what this means. Is there a patch to SA to fix this?

Yes, there is a patch, but all it does is swallow the message. The developers tested and proved this message is not harmful, so you can safely ignore it. It's a byproduct of the HTML::Parser code warning about a problem that doesn't appear to matter with SA the way SA uses it.

http://bugzilla.spamassassin.org/show_bug.cgi?id=4046
Re: Parsing of uncoded UTF-8 message
Matt Kettler wrote:

Alex S Moore wrote:

I have messages that give this error from sa-learn. SA is 3.0.4. Perl is 5.8.7. HTML-Parser is 3.45

Parsing of undecoded UTF-8 will give garbage when decoding entities at /opt/csw/share/perl/csw/Mail/SpamAssassin/HTML.pm line 182.

Attached is an example, which is ham.

The HTML::Parser man page says something about passing utf8 to p-parse, or some such, but I do not understand what this means. Is there a patch to SA to fix this?

Yes, there is a patch, but all it does is swallow the message. The developers tested and proved this message is not harmful, so you can safely ignore it. It's a byproduct of the HTML::Parser code warning about a problem that doesn't appear to matter with SA the way SA uses it.

Thanks for the reply Matt. I just learned another 108 spam messages and did not get the 'Parsing of undecoded UTF-8...' message. So, I will just ignore the message the next time that I see it.

Alex
Raising Razor score in SA 3.0.4?
If I have a spam with a RAZOR2_CHECK score of 1.5, can I use the syntax (in local.cf)

score RAZOR2_CHECK 3.0

to increase the test's "score" when it is hit? I know this works for the normal "rule based" tests, but I was unsure about the razor type query test.

Dr. Robert Young
ALI Database Consultants
1151 Williams Dr
Aiken SC 29803 USA
WWW: http://www.aliconsultants.com
Tele: 1-803-648-5931
Toll free in US: 1-866-257-8970
Fax: 1-803-641-0345
Email: [EMAIL PROTECTED]
"Source of Rdb Controller, software for database analysis performance tuning"
Re: Raising Razor score in SA 3.0.4?
Dr Robert Young wrote:

If I have a spam with a RAZOR2_CHECK score of 1.5, can I use the syntax (in local.cf)

score RAZOR2_CHECK 3.0

to increase the test's score when it is hit? I know this works for the normal rule based tests, but I was unsure about the razor type query test.

It works for any test with a fixed score, i.e.: anything except the AWL, which determines its score dynamically.
A weekend SpamAssassin success - and a Razor score question
Greetings,

My weekend spam assassination resumed yesterday, when I found a few hours to implement the suggestions from the list last month (well, some of them -- there were so many good suggestions).

I upgraded SA to 3.0.4. That went as smooth as silk. Installed Razor 2.75. Very much unlike my previous attempt to install Razor 1.x, this also went very smoothly. It took me about 2 hours to download the software, upgrade SA, install Razor, read the docs and configure everything to work together.

My spam detection rate has improved significantly. So a hearty thanks to all the list members who answered my cries for help last month!

Now, my question. I have upped the scores for the RAZOR rules by adding a morerazor.cf file to my /etc/mail/spamassassin directory with something like

score RAZOR2_CF_RANGE_51_100 0 (1.5) 0 (1.5)
score RAZOR2_CHECK 0 (1.5) 0 (1.5)

This has gotten my spam detection rates above the 97% mark for the first time. I'd like to consider raising the RAZOR rule scores more, but I want to understand the difference between the scores before I do that.

It seems obvious that RAZOR2_CF_RANGE_XX_YY means that the razor server gives this message between an X and Y probability of being spam.

But what does the RAZOR2_CHECK score mean? Poking around, I would guess that it means that Razor has determined the confidence value for the message is higher than the threshold I've configured in the Razor config files; but I can find no documentation that states that.

TIA,
James
-- 
James Bucanek mailto:[EMAIL PROTECTED]
Re: A weekend SpamAssassin success - and a Razor score question
On Mon, Jul 25, 2005 at 08:09:55AM -0700, James Bucanek wrote:

But what does the RAZOR2_CHECK score mean? Poking around, I would guess that it means that Razor has determined the confidence value for the message is higher than the threshold I've configured in the Razor config files; but I can find no documentation that states that.

Yeah, that's pretty much it. RAZOR2_CHECK returns to you the same yes/no as razor_check. The other ones ignore your cf setting and just look at the raw cf from the message.

-- 
Randomly Generated Tagline:
Somebody should iron you. --Ralph Wiggum
Wild Barts Can't Be Broken (Episode AABF07)
Re: A weekend SpamAssassin success - and a Razor score question
James Bucanek wrote:

Greetings,

My weekend spam assassination resumed yesterday, when I found a few hours to implement the suggestions from the list last month (well, some of them -- there were so many good suggestions).

I upgraded SA to 3.0.4. That went as smooth as silk. Installed Razor 2.75. Very much unlike my previous attempt to install Razor 1.x, this also went very smoothly. It took me about 2 hours to download the software, upgrade SA, install Razor, read the docs and configure everything to work together.

My spam detection rate has improved significantly. So a hearty thanks to all the list members who answered my cries for help last month!

Now, my question. I have upped the scores for the RAZOR rules by adding a morerazor.cf file to my /etc/mail/spamassassin directory with something like

score RAZOR2_CF_RANGE_51_100 0 (1.5) 0 (1.5)
score RAZOR2_CHECK 0 (1.5) 0 (1.5)

This has gotten my spam detection rates above the 97% mark for the first time. I'd like to consider raising the RAZOR rule scores more, but I want to understand the difference between the scores before I do that.

It seems obvious that RAZOR2_CF_RANGE_XX_YY means that the razor server gives this message between an X and Y probability of being spam.

Unfortunately, that's not the case. It's the razor confidence factor (abbreviated cf by the razor debug output), which is NOT a percentage-chance of spam. This score ranges from -100 to +100, with 0 being undecided, and +100 being the strongest chance of spam.

The entire scoring system is based on the TeS system, which is undocumented, but revolves around ranking reporters as trusted or not.

I'd venture to say that razor has some considerable bias towards 100 on fresh objects, as they get reported a handful of times by good reporters they appear to immediately become 100 until revoked down. This was extraordinarily true right around the introduction of e8, where the small set of reporting data caused razor to jump wildly and nearly every message matching e8 got a cf of 100. That should have stabilized by now.

While you can definitely say that razor believes a CF of 100 has a higher chance of being spam than 99, you cannot directly translate these to probabilities, it doesn't seem to be a very linear function.

But what does the RAZOR2_CHECK score mean? Poking around, I would guess that it means that Razor has determined the confidence value for the message is higher than the threshold I've configured in the Razor config files; but I can find no documentation that states that.

Yes, this means that cf was = min_cf in your razor config.
Re: ALL_TRUSTED appearing on spam
Thanks. I tried adding the /32 to the end, but that didn't have an effect. I did run the headers through spamassassin -D and got the following.

debug: received-header: unknown format: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:

Thus, it was tagged as ALL_TRUSTED. What is really odd, is this only happens to direct delivered mail, any message relayed via another host, doesn't get the ALL_TRUSTED flag.

Thanks,
John

mouss wrote:

John T. Yocum wrote:

Hello,

I've recently noticed that a lot of spam is getting through SpamAssassin, and it's getting the ALL_TRUSTED test listed on it. The issue with that is, I only have one IP trusted, and that's my own mail server.

snip from local.cf
# Trusted Networks
trusted_networks 69.25.118.171
/snip

As you can see in the below set of headers the message came from 218.222.75.209. Yet, it's trusted.

Return-Path: [EMAIL PROTECTED]
Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp [218.222.75.209]) by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331 for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700

My understanding (but I may be wrong) is that ALL_TRUSTED means all received headers are trusted, which seems the case. It doesn't mean the origin client is trusted.

You are incorrect mouss. It does in fact mean that all hosts involved are trusted hosts. Well, it actually means there are no untrusted hosts, but unless there's an unparseable header it's the same thing.

Suggestions:

1) add a /32 to the end of your trusted networks statement. The docs SAY it will work without a netmask, but my experience with 2.6x is that it did not work, so I always specify a mask.

2) the other causes when SA fails to be able to parse the Received: headers. That header looks normal to me, but try running the message through spamassassin -D and see what SA has to say about the Received: path in its debug output.
Re: ALL_TRUSTED appearing on spam
Thanks for the info. I fixed that Received line, by removing the line wrap, and it was no longer ALL_TRUSTED. Now that I know what the issue is, I just need to figure out why the header is getting munged.

Thanks,
John

John T. Yocum wrote:

Thanks. I tried adding the /32 to the end, but that didn't have an effect. I did run the headers through spamassassin -D and got the following.

debug: received-header: unknown format: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:

Thus, it was tagged as ALL_TRUSTED. What is really odd, is this only happens to direct delivered mail, any message relayed via another host, doesn't get the ALL_TRUSTED flag.

Well, that much makes sense. SA can't parse the Received: headers your server generates, but it can parse ones generated by outside servers. Thus, outside mail with another relay will show up as having been through an untrusted host.

The problem you need to track down is why can't SA parse your Received: headers. Based on the debug output you got it could be an issue with line-wrap formatting.

At casual glance, the headers you quoted look correct, but it's impossible to tell if they're really correct because they've been copy-pasted into an email message which adds line wraps. To check that, you need to look at a set of pristine message headers, not a copy-paste of them, in a hex editor. (The process of copy-pasting can change linewrap formats, replace tabs with spaces, and other sundry things that would matter here).

One thing I can tell you is that there MUST NOT be a linewrap between the end of the RDNS hostname and the [ for the IP address. This quotation should be only 3 lines long:

Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp [218.222.75.209])
    by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331
    for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700

But I'm assuming the extra linewrap after .jp was added by your mail client.
Re: ALL_TRUSTED appearing on spam
I decided to run spamd in debug mode, and log what it was seeing. This is what I found for a direct delivered message..

debug: received-header: unknown format: from fluidhostingc.com (unknown) by kangaroo.publicmx.com;

Searched around on Google, and saw a reference that at least in spamass-milter 0.2, the milter fakes the received header to appease SA. However, that method doesn't work so well.

--John

Thanks for the info. I fixed that Received line, by removing the line wrap, and it was no longer ALL_TRUSTED. Now that I know what the issue is, I just need to figure out why the header is getting munged.

Thanks,
John

John T. Yocum wrote:

Thanks. I tried adding the /32 to the end, but that didn't have an effect. I did run the headers through spamassassin -D and got the following.

debug: received-header: unknown format: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:

Thus, it was tagged as ALL_TRUSTED. What is really odd, is this only happens to direct delivered mail, any message relayed via another host, doesn't get the ALL_TRUSTED flag.

Well, that much makes sense. SA can't parse the Received: headers your server generates, but it can parse ones generated by outside servers. Thus, outside mail with another relay will show up as having been through an untrusted host.

The problem you need to track down is why can't SA parse your Received: headers. Based on the debug output you got it could be an issue with line-wrap formatting.

At casual glance, the headers you quoted look correct, but it's impossible to tell if they're really correct because they've been copy-pasted into an email message which adds line wraps. To check that, you need to look at a set of pristine message headers, not a copy-paste of them, in a hex editor. (The process of copy-pasting can change linewrap formats, replace tabs with spaces, and other sundry things that would matter here).

One thing I can tell you is that there MUST NOT be a linewrap between the end of the RDNS hostname and the [ for the IP address. This quotation should be only 3 lines long:

Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp [218.222.75.209])
    by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331
    for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700

But I'm assuming the extra linewrap after .jp was added by your mail client.
Re: Please test sc2.surbl.org (and xs.surbl.org)
From: Jeff Chan [EMAIL PROTECTED]

On Monday, July 25, 2005, 12:33:08 AM, jdow jdow wrote:

From: Jeff Chan [EMAIL PROTECTED]

Is this correct as amended? I added the TXT strings

Here are SpamAssassin 3.0.1 and later configs for using these two lists:

Please try:

urirhsbl URIBL_SC2_SURBL sc2.surbl.org. A127.0.0.2
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0

urirhsbl URIBL_XS_SURBL xs.surbl.org.A127.0.0.2
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0

config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_SC2_SURBL sc2.surbl.org. A127.0.0.2
config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_XS_SURBL xs.surbl.org.A127.0.0.2

Note that it passes if I use TXT.

{^_^}
Re: ALL_TRUSTED appearing on spam
Fixed the problem. Looks like the howto I followed for setting up spamass-milter was wrong. After redoing my sendmail config for it, all is well. Thanks for all the help everyone. --John I decided to run spamd in debug mode, and log what it was seeing. This is what I found for a direct delivered message.. debug: received-header: unknown format: from fluidhostingc.com (unknown) by kangaroo.publicmx.com; Searched around on Google, and saw a reference that atleast in spamass-milter 0.2, the milter fakes the received header to appease SA. However, that method doesn't work so well. --John Thanks for the info. I fixed that Received line, by removing the line wrap, and it was no longer ALL_TRUSTED. Now that I know what the issue is, I just need to figure out why the header is getting munged. Thanks, John John T. Yocum wrote: Thanks. I tried adding the /32 to the end, but that didn't have an effect. I did run the headers through spamassassin -D and got the following. debug: received-header: unknown format: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp debug: metadata: X-Spam-Relays-Trusted: debug: metadata: X-Spam-Relays-Untrusted: Thus, it was tagged as ALL_TRUSTED. What is really odd, is this only happens to direct delivered mail, any message relayed via another host, doesn't get the ALL_TRUSTED flag. Well, that much makes sense. SA can't parse the Received: headers your server generates, but it can parse ones generated by outside servers. Thus, outside mail with another relay will show up as having been through an untrusted host. The problem you need to track down is why can't SA parse your Received: headers. Based on the debug output you got it could be an issue with line-wrap formating. At casual glance, the headers you quoted look correct, but it's impossible to tell if they're really correct because they've been copy-pasted into an email message which adds line wraps. 
To check that, you need to look at a set of pristine message headers, not a copy-paste of them, in a hex editor. (The process of copy-pasting can change linewrap formats, replace tabs with spaces, and other sundry things that would matter here).

One thing I can tell you is that there MUST NOT be a linewrap between the end of the RDNS hostname and the [ for the IP address. This quotation should be only 3 lines long:

Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp [218.222.75.209]) by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331 for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700

But I'm assuming the extra linewrap after .jp was added by your mail client.
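A scripted version of the hex-editor check described above, as an added example that is not part of the original thread: it reads raw header bytes and flags a Received header whose physical line break falls between the rDNS hostname and the bracketed IP. The function names are hypothetical, and the samples are built from the header quoted above with the positions of the two legitimate folds assumed.

```python
import re

# A physical line ending inside "(rdns-hostname", with "[ip])" still to come.
OPEN_RDNS_RE = re.compile(rb"\(\s*[A-Za-z0-9._-]+\s*$")
FIELD_NAME_RE = re.compile(rb"^[A-Za-z0-9-]+:")  # common "Name:" shape at column 0

def header_lines(raw):
    """Physical header lines, terminators kept, up to the first blank line."""
    lines = []
    for line in raw.splitlines(keepends=True):
        if not line.strip(b"\r\n"):
            break
        lines.append(line)
    return lines

def check_received(raw):
    """Return (line_no, problem, repr_of_line) for each suspect line break."""
    findings, in_received, prev = [], False, b""
    for no, line in enumerate(header_lines(raw), 1):
        folded = line[:1] in (b" ", b"\t")
        if not folded and FIELD_NAME_RE.match(line):
            in_received = line.lower().startswith(b"received:")
        elif in_received:
            split_here = (OPEN_RDNS_RE.search(prev.rstrip(b"\r\n"))
                          and line.lstrip(b" \t").startswith(b"["))
            if split_here:
                findings.append((no, "break between rDNS hostname and [IP]", repr(line)))
            if not folded:
                findings.append((no, "continuation lacks leading whitespace", repr(line)))
        prev = line
    return findings

# Constructed samples built from the header quoted above; where the two
# legitimate folds fall is an assumption.
FIRST = b"Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp"
REST = (b"[218.222.75.209])\r\n"
        b"\tby kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331\r\n"
        b"\tfor [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700\r\n"
        b"Subject: constructed\r\n\r\nbody\r\n")
GOOD = FIRST + b" " + REST          # hostname and [IP] on one physical line
WRAPPED = FIRST + b"\r\n\t" + REST  # folded between hostname and [IP]
BROKEN = FIRST + b"\r\n" + REST     # same break, no leading whitespace

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("WRAPPED", WRAPPED), ("BROKEN", BROKEN)):
        print(name, check_received(raw))
```

Run it against the message file as stored on disk (opened in binary mode), not against text pasted from a mail client; the `repr` in each finding shows tabs and line terminators literally.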
Re: Please test sc2.surbl.org (and xs.surbl.org)
jdow wrote:

From: "Jeff Chan" [EMAIL PROTECTED]

Here are SpamAssassin 3.0.1 and later configs for using these two lists:

'''
urirhsbl URIBL_SC2_SURBL sc2.surbl.org.
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0

urirhsbl URIBL_XS_SURBL xs.surbl.org.
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0
'''

'''
config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_SC2_SURBL sc2.surbl.org.
config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_XS_SURBL xs.surbl.org.
'''

Debug on:

'''
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa4b3a18)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0xa4b50ec)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa4c8efc) implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa4b3a18) implements 'parse_config'
config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_SC2_SURBL sc2.surbl.org.
config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_XS_SURBL xs.surbl.org.
'''

Er - oops. 3.04

{^_^}

this is what it took to make it work for me

'''
urirhssub URIBL_SC2_SURBL sc2.surbl.org. A 127.0.0.2
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0

urirhssub URIBL_XS_SURBL xs.surbl.org. A 127.0.0.2
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0
'''
Re: Jupiter Media redirector abuse
Jeff Chan wrote:

Pretty elaborate obfuscation:

a href=http://www.enterprisestorageforum.com/RealMedia/ads/click_lx.ads/ew/mistress/www.cometrees.com/management/features/article/4899482848/lbnyvio/OasDefault/Sun_Storage_SolutionCenter_1a/accessunit4.html/4681978795193130586212279675?ooftpqz.WINCriTCoNDI.COm target=_blankfont size=5 color=1C1CFFubC1icck here to 0rder suppose/font/font/b/u/abrbr

Actual target site is blackhat: wincritcondi.com

I wrote to Jupitermedia about it (owner of enterprisestorageforum.com) to close their redirector. Would someone see if this gets detected correctly on recent SA?

Jeff C.

SA won't detect wincritcondi.com, just enterprisestorageforum.com. It appears this redirector has been removed, but I'll write a redirector pattern for it if someone says otherwise.

Daryl
Re: SA report fails with Razor2 ?
Brian Ipsen wrote:

Hi,

When trying to report spam manually using

# spamassassin -r (mailfile)

I get an error like:

'''
razor2 report failed: No such file or directory Died at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Reporter.pm line 148, GEN1 line 1.
1 message(s) examined.
Insecure dependency in connect while running with -T switch at /usr/lib/perl5/5.8.0/i386-linux-thread-multi/IO/Socket.pm line 114.
'''

I'm using SA 3.0.4 - any idea why this fails ??

Regards,
/Brian

I haven't looked into the IO::Socket issue, but there is a bug on it that you might want to look at: http://bugzilla.spamassassin.org/show_bug.cgi?id=3939

Daryl
bayes_sql_username doesn't work in 3.1.0pre4/postgres.
It seems that sa always tries to login to the db as the running user instead of the defined db user. Is this the expected behavior? If so the documentation should be changed. schu
Re: bayes_sql_username doesn't work in 3.1.0pre4/postgres.
Matthew Schumacher wrote:

It seems that sa always tries to login to the db as the running user instead of the defined db user. Is this the expected behavior? If so the documentation should be changed.

schu

Nothing in that code has changed in forever, so you're gonna have to provide a little more information. I know for a fact that it is working just fine for MySQL, I haven't used it under Postgresql in a while but the principle is the same.

Are you certain you didn't misspell the option or something? Try running spamassassin --lint and see what it says.

Michael
Re: bayes_sql_username doesn't work in 3.1.0pre4/postgres.
Michael Parker wrote:

Matthew Schumacher wrote:

It seems that sa always tries to login to the db as the running user instead of the defined db user. Is this the expected behavior? If so the documentation should be changed.

schu

Nothing in that code has changed in forever, so you're gonna have to provide a little more information. I know for a fact that it is working just fine for MySQL, I haven't used it under Postgresql in a while but the principle is the same.

Are you certain you didn't misspell the option or something? Try running spamassassin --lint and see what it says.

Michael

Thanks for your reply Michael.

After further looking, the problem isn't the username or the connect_db method, it's the _initialize_db method that is failing. The debugging prints,

unable to initialize database for nobody user, aborting!

which caused me to think that it was trying to connect as nobody, but then discovered that initialize and connect were different things.

I tracked down where _initialize_db() returns 0, it's at line 1750:

return 0 unless ($create_entry_p);

I'm not sure what this is for, but whatever it is, it keeps the database from becoming initialized which is causing bayes to not work for me.

Any information on how to get around this would be great...

thanks,
schu
generating rule stats from spamd logs
Hi,

Anyone aware of anything that can parse a day's spamd logs and then give a summary of total hits per rule? I noticed since 3.0.x that all rule hits are in the logs now:

'''
Jul 25 22:44:49 spamd2 spamd[59436]: result: Y 14 - BAYES_60,DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=6.7,size=2027,mid=[EMAIL PROTECTED],bayes=0.781998195315203,autolearn=disabled
'''

I've got three spamd boxes logging to one server. I already run sa-stats.pl daily, but I'd like to see more information about what rules are hitting. I did see a few things in the wiki, but most of them look to be tied to snarfing MTA logs.

Thanks,
Charles
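One way to produce the per-rule summary asked for above, as an added example that is not part of the original post and not a SpamAssassin tool: it parses spamd `result:` lines in the shape quoted in the post and tallies hits per rule, split by spam and ham, with a per-host message count for the multi-box setup. The function names are hypothetical; all sample lines except the first are constructed, and the empty-rule-list line shape is an assumption.

```python
import re
from collections import Counter

# Shape of the spamd "result:" syslog line quoted in the post above.
RESULT_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) spamd\[\d+\]: result: "
    r"(?P<verdict>[Y.]) +(?P<score>-?\d+) - (?P<rules>\S*) *scantime="
)

# Constructed sample: the first line is the one from the post, the rest are
# made up to cover ham, an empty rule list and a non-result line.
SAMPLE = """\
Jul 25 22:44:49 spamd2 spamd[59436]: result: Y 14 - BAYES_60,DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=6.7,size=2027,mid=[EMAIL PROTECTED],bayes=0.781998195315203,autolearn=disabled
Jul 25 22:45:02 spamd1 spamd[4410]: result: . -2 - BAYES_00,HTML_MESSAGE scantime=1.2,size=5120,mid=<c1@example.org>,bayes=0.0001,autolearn=disabled
Jul 25 22:45:10 spamd3 spamd[812]: result: Y 9 - BAYES_60,URIBL_BLACK,URIBL_SC_SURBL scantime=3.1,size=1800,mid=<c2@example.org>,bayes=0.78,autolearn=disabled
Jul 25 22:45:11 spamd3 spamd[812]: result: . 0 -  scantime=0.4,size=900,mid=<c3@example.org>,autolearn=disabled
Jul 25 22:45:12 spamd1 spamd[4410]: connection from localhost [127.0.0.1] at port 41022
""".splitlines()


def rule_stats(lines):
    """Return (spam_hits, ham_hits, totals) tallied from spamd result lines."""
    spam_hits, ham_hits, totals = Counter(), Counter(), Counter()
    for line in lines:
        m = RESULT_RE.match(line)
        if not m:
            totals["skipped"] += 1  # connection, start-up and other lines
            continue
        bucket = "spam" if m["verdict"] == "Y" else "ham"
        totals[bucket] += 1
        totals["host:" + m["host"]] += 1
        # A set counts each rule once per message.
        rules = {r for r in m["rules"].split(",") if r}
        (spam_hits if bucket == "spam" else ham_hits).update(rules)
    return spam_hits, ham_hits, totals


def report(lines, top=10):
    """Rows of (rule, total, spam, ham), most frequent first."""
    spam_hits, ham_hits, _ = rule_stats(lines)
    combined = spam_hits + ham_hits
    ranked = sorted(combined.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(r, n, spam_hits[r], ham_hits[r]) for r, n in ranked[:top]]


if __name__ == "__main__":
    for rule, total, spam, ham in report(SAMPLE):
        print(f"{rule:24} total={total:3} spam={spam:3} ham={ham:3}")
```

To run it over a day's log, pass an open file object to `report()` in place of `SAMPLE`; a rule that shows up mostly in the ham column is a candidate for a score review.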
RBL lookup failures
Hi,

I am using Spam Assassin 3.0.4 called from MIMEDefang 2.51 on a FreeBSD 4.9 box with perl 5.6.2 and I get the following messages in my maillog on occasion..

'''
Jul 26 12:43:36 cain sm-mta[81183]: j6Q3DUp1081183: from=[EMAIL PROTECTED], size=4221, class=-30, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=smtp, relay=mx2.freebsd.org [216.136.204.119]
Jul 26 12:43:36 cain mimedefang-multiplexor[80550]: Slave 0 stderr: Failed to run __RFC_IGNORANT_ENVFROM RBL SpamAssassin test, skipping: (Can't call method bgsend on an undefined value at /usr/local/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/Dns.pm line 112. )
Jul 26 12:43:36 cain mimedefang-multiplexor[80550]: Slave 0 stderr: Failed to run NO_DNS_FOR_FROM RBL SpamAssassin test, skipping: (Can't call method bgsend on an undefined value at /usr/local/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/Dns.pm line 141. )
Jul 26 12:43:36 cain mimedefang-multiplexor[80550]: Slave 0 stderr: Failed to run DNS_FROM_AHBL_RHSBL RBL SpamAssassin test, skipping: (Can't call method bgsend on an undefined value at /usr/local/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/Dns.pm line 112. )
Jul 26 12:43:36 cain mimedefang.pl[80553]: MDLOG,j6Q3DUp1081183,mail_in,,,[EMAIL PROTECTED],[EMAIL PROTECTED],6-BETA1 iwi + wpa_supplicant fails, and sometimes silently reboots
'''

ie the slave errors.

I have..

'''
skip_rbl_checks 0
use_razor2 0
###
# Add your own customised scores for some tests below. The default scores are
# read from the installed spamassassin.cf file, but you can override them
# here. To see the list of tests and their default scores, go to
# http://spamassassin.taint.org/tests.html .
urirhssub URIBL_JP_SURBL multi.surbl.org. A 64
body URIBL_JP_SURBL eval:check_uridnsbl('URIBL_JP_SURBL')
describe URIBL_JP_SURBL Has URI in JP at http://www.surbl.org/lists.html
tflags URIBL_JP_SURBL net
score URIBL_JP_SURBL 3.0
trusted_networks 203.31.81.0/24 203.122.192.0/26
dns_available yes
'''

in the MD .cf file.
Anyone have any clues about how I can resolve this? Thanks. -- Daniel O'Connor software and network engineer for Genesis Software - http://www.gsoft.com.au The nice thing about standards is that there are so many of them to choose from. -- Andrew Tanenbaum GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
Re: Please test sc2.surbl.org (and xs.surbl.org)
On Monday, July 25, 2005, 12:06:10 PM, jdow jdow wrote:

From: Jeff Chan [EMAIL PROTECTED]

On Monday, July 25, 2005, 12:33:08 AM, jdow jdow wrote:

From: Jeff Chan [EMAIL PROTECTED]

Is this correct as amended? I added the TXT strings

Here are SpamAssassin 3.0.1 and later configs for using these two lists:

Please try:

'''
urirhsbl URIBL_SC2_SURBL sc2.surbl.org. A 127.0.0.2
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0

urirhsbl URIBL_XS_SURBL xs.surbl.org. A 127.0.0.2
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0
'''

'''
config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_SC2_SURBL sc2.surbl.org. A 127.0.0.2
config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_XS_SURBL xs.surbl.org. A 127.0.0.2
'''

Note that it passes if I use TXT.

{^_^}

Did you see my follow up message? A without anything after it should work. It worked on my SA3. TXT will also work, but A is preferred.

Jeff C.
--
Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Bayes is a cpu hog ?
Hi all,

I am using Spamassassin on our SMTP servers with almost 2 mails an hour. The problem is the machine is almost always heavily loaded. Spamassassin takes a lot of time and I think the Bayes checking / learning is the real cpu hog?

Also I feel bayes is no good for a server like ours, we process mails for different customers, so bayesian learning for one customer has little sense for the other.

I would like to completely disable bayes, can someone provide some inputs on this.

Thanks
Ram

--
Netcore Solutions Pvt. Ltd. Website: http://www.netcore.co.in Spamtraps: http://cleanmail.netcore.co.in/directory.html
--
Re: Please test sc2.surbl.org (and xs.surbl.org)
Jeff Chan wrote:

On Monday, July 25, 2005, 3:11:40 PM, Tim Litwiller wrote:

this is what it took to make it work for me

'''
_urirhssub_ URIBL_SC2_SURBL sc2.surbl.org. A 127.0.0.2
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0

_urirhssub_ URIBL_XS_SURBL xs.surbl.org. A 127.0.0.2
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0
'''

That will work, but it's technically incorrect since the standalone lists sc2 and xs aren't bitmask-encoded, which is what urirhssub is intended for. Standalone lists should be used with urirhsbl, so correct, working rules for these are:

'''
urirhsbl URIBL_SC2_SURBL sc2.surbl.org. A
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0

urirhsbl URIBL_XS_SURBL xs.surbl.org. A
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0
'''

Please give them a try and let us know how they work for you.

Jeff C.

that works now - either something changed or I did something wrong earlier.