Re: DNS failing... why? (works fine on cmd line)

2005-07-25 Thread email builder
All,

 Thank you to everyone who replied on this thread. FWIW, the issue was in fact with Net::DNS. I actually had previously had contact with him regarding other problems, but 0.51 was working for me on another system, so I was a little surprised that this was the fix. I upgraded to the newest (0.53) and the problem has gone away.

Thanks everyone!
email builder [EMAIL PROTECTED] wrote:
I have a new spamd instance I am trying to start up on a server that sits
behind another firewall (linux) machine (which I *think* is irrelevant, but
that's the only different thing from our other setups that work fine) that is
somehow missing DNS connections:

'''
debug: is Net::DNS::Resolver available? yes
debug: Net::DNS version: 0.51
debug: trying (3) motorola.com...
debug: looking up NS for 'motorola.com'
debug: NS lookup of motorola.com failed horribly = Perhaps your resolv.conf isn't pointing at a valid server?
debug: All NS queries failed = DNS unavailable (set dns_available to override)
debug: is DNS available? 0
'''

However, when I telnet to port 53 of one of the IP addresses given in
/etc/resolv.conf, it works just fine:

'''
[EMAIL PROTECTED] cat /etc/resolv.conf
nameserver 123.456.7.8
nameserver 987.654.1.1
[EMAIL PROTECTED] telnet 123.456.7.8 53
Trying 123.456.7.8...
Connected to 123.456.7.8.xxx.yyy.net (123.456.7.8).
Escape character is '^]'.
quit
Connection closed by foreign host.
'''

So, is spamd trying to dig the NS of motorola.com? That works on the command
line too:

'''
[EMAIL PROTECTED] dig ns motorola.com
;  DiG 9.2.5  ns motorola.com
;; global options: printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 24784
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;motorola.com. IN NS

;; ANSWER SECTION:
motorola.com. 3594 IN NS motgate.mot.com.
motorola.com. 3594 IN NS ftpbox.mot.com.
motorola.com. 3594 IN NS dns31.mot.com.
motorola.com. 3594 IN NS dns11.mot.com.
motorola.com. 3594 IN NS motgate.motorola.de.

;; Query time: 3 msec
;; SERVER: 123.456.7.8#53(123.456.7.8)
;; WHEN: Tue Jul 19 13:14:17 2005
;; MSG SIZE rcvd: 150
'''

So does this mean that it's actually an issue with Net::DNS or
Net::DNS::Resolver? They are about as up to date as they get I think
(Net::DNS .52 is out now, but I don't really think that's going to fix
it...?).

What should I look at next? What is spamd doing that I am not doing on the
command line???

TIA!

Please test sc2.surbl.org (and xs.surbl.org)

2005-07-25 Thread Jeff Chan
sc2.surbl.org, the improved version of the SpamCop SURBL list, is
ready for testing.  So is the new version of xs.surbl.org, which
is now more accurate, has far fewer FPs, etc.

sc2 adds resolved IP checks, meaning sites hosted on the same
networks are detected immediately upon the first report.  It also
means that folks should continue to use SpamCop reporting if they
want to contribute to a very powerful SURBL list.  Your SpamCop
reports now have even more power in sc2.  In cases of the worst
spammers, SpamCop reporting leads to essentially immediate
listing in sc2.

sc2 is on about 15 public nameservers and xs is on 22.  That's
probably not enough for running large production servers on, but
it should be plenty for corpus checks and mail servers with small
to medium message volumes.

If you have rsync access to the SURBL zone files you can also
mirror the files locally for testing of course.  The sc2 and xs
zones are currently available via rsync. (If you have a large
volume mail server, please apply for rsync access so that you can
mirror the zone files locally: http://www3.surbl.org/rsync-signup.html
and offload the public nameservers.)

After sc2 is tested for a while we will turn it into the
production sc.surbl.org list, assuming it has better performance
than the current list, which seems quite likely.  At that point
sc2 will go away, since it will have become sc.

xs may go into the 128th bit of multi.surbl.org if it tests well.

Please test sc2 and the revised xs and let us know how they
perform for you.  Those with large spam and ham corpora (such as
the SpamAssassin developers) are encouraged to test and please
let us know.


Here are SpamAssassin 3.0.1 and later configs for using these two lists:

urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.
body  URIBL_SC2_SURBL  eval:check_uridnsbl('URIBL_SC2_SURBL')
describe  URIBL_SC2_SURBL  Has URI in SC2 at http://www.surbl.org/lists.html
tflags    URIBL_SC2_SURBL  net

score URIBL_SC2_SURBL  3.0

urirhsbl  URIBL_XS_SURBL   xs.surbl.org.
body  URIBL_XS_SURBL   eval:check_uridnsbl('URIBL_XS_SURBL')
describe  URIBL_XS_SURBL   Has URI in XS - Testing
tflags    URIBL_XS_SURBL   net

score URIBL_XS_SURBL   2.0


SpamAssassin 2.64 rules and scores using SpamCopURI 0.22 or later look like 
this:

uri   SC2_URI_RBL  eval:check_spamcop_uri_rbl('sc2.surbl.org','127.0.0.2')
describe  SC2_URI_RBL  Has URI in SC2 at http://www.surbl.org/lists.html
tflags    SC2_URI_RBL  net

score SC2_URI_RBL  3.0

uri   XS_URI_RBL   eval:check_spamcop_uri_rbl('xs.surbl.org','127.0.0.2')
describe  XS_URI_RBL   Has URI in XS - Testing
tflags    XS_URI_RBL   net

score XS_URI_RBL   2.0


Jeff C.
--
Don't harm innocent bystanders.



Re: Please test sc2.surbl.org (and xs.surbl.org)

2005-07-25 Thread jdow
From: Jeff Chan [EMAIL PROTECTED]
Is this correct as amended? I added the TXT strings

 Here are SpamAssassin 3.0.1 and later configs for using these two lists:


urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.   TXT
body  URIBL_SC2_SURBL  eval:check_uridnsbl('URIBL_SC2_SURBL')
describe  URIBL_SC2_SURBL  Has URI in SC2 at http://www.surbl.org/lists.html
tflags    URIBL_SC2_SURBL  net

score URIBL_SC2_SURBL  3.0

urirhsbl  URIBL_XS_SURBL   xs.surbl.org.   TXT
body  URIBL_XS_SURBL   eval:check_uridnsbl('URIBL_XS_SURBL')
describe  URIBL_XS_SURBL   Has URI in XS - Testing
tflags    URIBL_XS_SURBL   net

score URIBL_XS_SURBL   2.0


This passes lint, at least.

{^_^}




Re: Please test sc2.surbl.org (and xs.surbl.org)

2005-07-25 Thread Jeff Chan
On Monday, July 25, 2005, 12:33:08 AM, jdow jdow wrote:
 From: Jeff Chan [EMAIL PROTECTED]
 Is this correct as amended? I added the TXT strings

 Here are SpamAssassin 3.0.1 and later configs for using these two lists:

Please try:

urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.   A127.0.0.2
body  URIBL_SC2_SURBL  eval:check_uridnsbl('URIBL_SC2_SURBL')
describe  URIBL_SC2_SURBL  Has URI in SC2 at http://www.surbl.org/lists.html
tflags    URIBL_SC2_SURBL  net

score URIBL_SC2_SURBL  3.0

urirhsbl  URIBL_XS_SURBL   xs.surbl.org.    A127.0.0.2
body  URIBL_XS_SURBL   eval:check_uridnsbl('URIBL_XS_SURBL')
describe  URIBL_XS_SURBL   Has URI in XS - Testing
tflags    URIBL_XS_SURBL   net

score URIBL_XS_SURBL   2.0


Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Please test sc2.surbl.org (and xs.surbl.org)

2005-07-25 Thread Martin Hepworth

jdow wrote:

From: Jeff Chan [EMAIL PROTECTED]
Is this correct as amended? I added the TXT strings



Here are SpamAssassin 3.0.1 and later configs for using these two lists:




urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.   TXT
body  URIBL_SC2_SURBL  eval:check_uridnsbl('URIBL_SC2_SURBL')
describe  URIBL_SC2_SURBL  Has URI in SC2 at http://www.surbl.org/lists.html
tflags    URIBL_SC2_SURBL  net

score URIBL_SC2_SURBL  3.0

urirhsbl  URIBL_XS_SURBL   xs.surbl.org.   TXT
body  URIBL_XS_SURBL   eval:check_uridnsbl('URIBL_XS_SURBL')
describe  URIBL_XS_SURBL   Has URI in XS - Testing
tflags    URIBL_XS_SURBL   net

score URIBL_XS_SURBL   2.0


This passes lint, at least.

{^_^}


Another --lint test pass on this one, and both Jeff's variants fail to 
parse on SA 3.0.4 for me.


--
--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300




Re: spamc doesn't add headers

2005-07-25 Thread christophe
Le lundi 25 Juillet 2005 01:05, jdow a écrit :
 christophe, you DO know that cat spam merely prints out your raw
 spam file so it should not have any markup in it.
 If you want to view a permanent marked up file you need to run:
 spamc < spam >spam_marked_up
 Or something like that. Remember that spamc takes stdin, filters, and
 feeds back out stdout. So spamc spam is not saving anything to the
 spam file.

OK thanks jdow and Theo. I am sorry to be so naive but i thought that 
inserting a line like :
add_header spam Flag _YESNOCAPS_
in the /etc/mail/spamassassin/local.cf file would say to spamc to insert the 
proper flag in the spam file.
Actually this is what i need spamc to do so that kmail (my mail client) treats 
the spam properly. As i read to do so in many tutorials on the internet, i 
put 2 filters :
- 1st one is applying spamc on every mail < 250kB
- 2nd one is detecting the presence of X-Spam-Flag: YES in a message
So i do _need_ spamc to insert this flag in the message.
But the problem is that in kmail(1.7.1) i don't know the name of the command 
'spamc < spam > spam_marked_up' will not work.
I read kmail documentation, and whatever i do it doesn't get this output.
Now it's a kmail problem.
Thanks for your help.

-- 
Christophe




Re: Please test sc2.surbl.org (and xs.surbl.org)

2005-07-25 Thread Jeff Chan
OK the prior rules were still wrong.  These will work:

urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.   A
body  URIBL_SC2_SURBL  eval:check_uridnsbl('URIBL_SC2_SURBL')
describe  URIBL_SC2_SURBL  Has URI in SC2 at http://www.surbl.org/lists.html
tflags    URIBL_SC2_SURBL  net

score URIBL_SC2_SURBL  3.0

urirhsbl  URIBL_XS_SURBL   xs.surbl.org.    A
body  URIBL_XS_SURBL   eval:check_uridnsbl('URIBL_XS_SURBL')
describe  URIBL_XS_SURBL   Has URI in XS - Testing
tflags    URIBL_XS_SURBL   net

score URIBL_XS_SURBL   2.0

Lints just fine on our SA3 with A and no addresses or numbers.
(A is preferred over TXT.)

Note that we're using urirhsbl not urirhssub since sc2.surbl.org
and xs.surbl.org are standalone lists (for testing) and not part of
multi.surbl.org.

These lists will eventually go away as standalone lists, to very
likely go into multi instead.  Then you'll need to delete the sc2
rule and change xs to urirhssub and multi.  We'll send an
official announcement on the SURBL announcement list when this
actually happens: 

  http://lists.surbl.org/mailman/listinfo/announce

Until then, please test sc2 and xs and let us know how they work
for you.

Jeff C.
--
Don't harm innocent bystanders.



Re: spamc doesn't add headers

2005-07-25 Thread Thomas Arend
Am Montag, 25. Juli 2005 10:50 schrieb christophe:
 Le lundi 25 Juillet 2005 01:05, jdow a écrit :
  christophe, you DO know that cat spam merely prints out your raw
  spam file so it should not have any markup in it.
  If you want to view a permanent marked up file you need to run:
  spamc < spam >spam_marked_up
  Or something like that. Remember that spamc takes stdin, filters, and
  feeds back out stdout. So spamc spam is not saving anything to the
  spam file.

 OK thanks jdow and Theo. I am sorry to be so naive but i thought that
 inserting a line like :
 add_header spam Flag _YESNOCAPS_
 in the /etc/mail/spamassassin/local.cf file would say to spamc to insert
 the proper flag in the spam file.
 Actually this is what i need spamc to do so that kmail (my mail client)
 treats the spam properly. As i read to do so in many tutorials on the
 internet, i put 2 filters :
 - 1st one is applying spamc on every mail < 250kB
 - 2nd one is detecting the presence of X-Spam-Flag: YES in a message
 So i do _need_ spamc to insert this flag in the message.
 But the problem is that in kmail(1.7.1) i don't know the name of the
 command 'spamc < spam > spam_marked_up' will not work.
 I read kmail documentation, and whatever i do it doesn't get this output.
 Now it's a kmail problem.
 Thanks for your help.

I use spamassassin -d | spamc as a filter in kmail. The first part deletes 
all previous markup and then spamc checks the mail. You need no redirection in 
kmail.


Thomas 

-- 
icq:133073900
http://www.t-arend.de




Bogus MS 'critical update'

2005-07-25 Thread Nigel kendrick
I have just had a bogus Microsoft update slip through the net. Is there a
rule to combat these? In any case, here's the info in case it's of use:


From: MS Technical Services [EMAIL PROTECTED]
Subject line: Newest Microsoft Critical Pack
The attachment was Upgrade9591.exe

Here's the body, minus HTML formatting:

  MicrosoftAll Products |  Support |  Search |  Microsoft.com Guide   
Microsoft Home
 
MS Customer

this is the latest version of security update, the July 2005, Cumulative
Patch update which eliminates all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express as well as three
newly discovered vulnerabilities. Install now to continue keeping your
computer secure from these vulnerabilities, the most serious of which could
allow an malicious user to run executable on your computer. This update
includes the functionality of all previously released patches.  


 System requirements  Windows 95/98/Me/2000/NT/XP 
 This update applies to  MS Internet Explorer, version 4.01 and later
MS Outlook, version 8.00 and later
MS Outlook Express, version 4.01 and later  
 Recommendation Customers should install the patch at the earliest
opportunity. 
 How to install Run attached file. Choose Yes on displayed dialog box. 
 How to use You don't need to do anything after installing this item. 

Microsoft Product Support Services and Knowledge Base articles can be found
on the Microsoft Technical Support web site. For security-related
information about Microsoft products, please visit the Microsoft Security
Advisor web site, or Contact Us. 

Thank you for using Microsoft products.

Please do not reply to this message. It was sent from an unmonitored e-mail
address and we are unable to respond to any replies.



The names of the actual companies and products mentioned herein are the
trademarks of their respective owners.  

 Contact Us  |  Legal  |  TRUSTe  
 C2005 Microsoft Corporation. All rights reserved. Terms of Use  |  Privacy
Statement |  Accessibility  




Parsing of uncoded UTF-8 message

2005-07-25 Thread Alex S Moore
I have messages that give this error from sa-learn.  SA is 3.0.4.  Perl 
is 5.8.7.  HTML-Parser is 3.45


Parsing of undecoded UTF-8 will give garbage when decoding entities at 
/opt/csw/share/perl/csw/Mail/SpamAssassin/HTML.pm line 182.


Attached is an example, which is ham.  The HTML::Parser man page says 
something about passing utf8 to p-parse, or some such, but I do not 
understand what this means.  Is there a patch to SA to fix this?


If it matters, here is my locale settings.  I tried with LC_ALL=C and 
that did not help.


[EMAIL PROTECTED] tmp]# locale
LANG=
LC_CTYPE=C
LC_NUMERIC=C
LC_TIME=C
LC_COLLATE=C
LC_MONETARY=C
LC_MESSAGES=C
LC_ALL=

Thanks, Alex


sa_learn_error.gz
Description: GNU Zip compressed data


Re: ALL_TRUSTED appearing on spam

2005-07-25 Thread Matt Kettler
mouss wrote:
 John T. Yocum wrote:
 
 Hello,

 I've recently noticed that a lot of spam is getting through SpamAssassin,
 and it's getting the ALL_TRUSTED test listed on it. The issue with that
 is, I only have one IP trusted, and that's my own mail server.

 snip from local.cf
 # Trusted Networks
 trusted_networks 69.25.118.171
 /snip

 As you can see in the below set of headers the message came from
 218.222.75.209. Yet, it's trusted.

 Return-Path: [EMAIL PROTECTED]
 Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp
 [218.222.75.209])
  by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id
 j6OKabJS014331
  for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700
 
 
 My understanding (but I may be wrong) is that ALL_TRUSTED means all
 received headers are trusted, which seems the case. It doesn't mean the
 origin client is trusted.
 

You are incorrect mouss. It does in fact mean that all hosts involved are
trusted hosts. Well, it actually means there are no untrusted hosts, but unless
there's an unparseable header it's the same thing.

Suggestions:

1) add a /32 to the end of your trusted networks statement. The docs SAY it will
work without a netmask, but my experience with 2.6x is that it did not work, so
I always specify a mask.

2) the other cause is when SA fails to be able to parse the Received: headers.
That header looks normal to me, but try running the message through spamassassin
-D and see what SA has to say about the Received: path in its debug output.


Bogus MS 'critical update' - PANIC OVER

2005-07-25 Thread Nigel kendrick
Apologies - just noticed that the mail was picked up from a third party
server, not our in-house one, and was dumped into the wrong folder due to an
Outlook rules error. 

I've just tried sending an .exe through our mail server and it was blocked.

NK



Re: Parsing of uncoded UTF-8 message

2005-07-25 Thread Matt Kettler
Alex S Moore wrote:
 I have messages that give this error from sa-learn.  SA is 3.0.4.  Perl
 is 5.8.7.  HTML-Parser is 3.45
 
 Parsing of undecoded UTF-8 will give garbage when decoding entities at
 /opt/csw/share/perl/csw/Mail/SpamAssassin/HTML.pm line 182.
 
 Attached is an example, which is ham.  The HTML::Parser man page says
 something about passing utf8 to p-parse, or some such, but I do not
 understand what this means.  Is there a patch to SA to fix this?

Yes, there is a patch, but all it does is swallow the message.

The developers tested and proved this message is not harmful, so you can safely
ignore it. It's a byproduct of the HTML::Parser code warning about a problem
that doesn't appear to matter with SA the way SA uses it.


http://bugzilla.spamassassin.org/show_bug.cgi?id=4046


Re: Parsing of uncoded UTF-8 message

2005-07-25 Thread Alex S Moore

Matt Kettler wrote:

Alex S Moore wrote:


I have messages that give this error from sa-learn.  SA is 3.0.4.  Perl
is 5.8.7.  HTML-Parser is 3.45

Parsing of undecoded UTF-8 will give garbage when decoding entities at
/opt/csw/share/perl/csw/Mail/SpamAssassin/HTML.pm line 182.

Attached is an example, which is ham.  The HTML::Parser man page says
something about passing utf8 to p-parse, or some such, but I do not
understand what this means.  Is there a patch to SA to fix this?



Yes, there is a patch, but all it does is swallow the message.

The developers tested and proved this message is not harmful, so you can safely
ignore it. It's a byproduct of the HTML::Parser code warning about a problem
that doesn't appear to matter with SA the way SA uses it.



Thanks for the reply Matt.  I just learned another 108 spam messages and 
did not get the 'Parsing of undecoded UTF-8...' message.  So, I will 
just ignore the message the next time that I see it.


Alex


Raising Razor score in SA 3.0.4?

2005-07-25 Thread Dr Robert Young
If I have a spam with a RAZOR2_CHECK score of 1.5, can I use the syntax
(in local.cf)

score RAZOR2_CHECK 3.0

to increase the test's "score" when it is hit?

I know this works for the normal "rule based" tests, but I was unsure
about the razor type query test.

Dr. Robert Young
ALI Database Consultants
1151 Williams Dr
Aiken SC 29803 USA

WWW: http://www.aliconsultants.com
Tele: 1-803-648-5931
Toll free in US: 1-866-257-8970
Fax: 1-803-641-0345
Email: [EMAIL PROTECTED]
"Source of Rdb Controller, software for database analysis   performance tuning"

Re: Raising Razor score in SA 3.0.4?

2005-07-25 Thread Matt Kettler
Dr Robert Young wrote:
 If I have a spam with a RAZOR2_CHECK score of 1.5, can I use the syntax
 ( in local.cf) 
 
 score RAZOR2_CHECK 3.0 
 
 to increase the test's score when it is hit? 
 
 I know this works for the normal rule based tests, but I was unsure
 about the razor type query test. 

It works for any test with a fixed score, i.e.: anything except the AWL, which
determines its score dynamically.




A weekend SpamAssassin success - and a Razor score question

2005-07-25 Thread James Bucanek
Greetings,

My weekend spam assassination resumed yesterday, when I found a few hours to 
implement the suggestions from the list last month (well, some of them -- there 
were so many good suggestions).

I upgraded SA to 3.0.4.  That went as smooth as silk.

Installed Razor 2.75.  Very much unlike my previous attempt to install Razor 
1.x, this also went very smoothly.  It took me about 2 hours to download the 
software, upgrade SA, install Razor, read the docs and configure everything to 
work together.

My spam detection rate has improved significantly.  So a hearty thanks to all 
the list members who answered my cries for help last month!

Now, my question. I have upped the scores for the RAZOR rules by adding a 
morerazor.cf file to my /etc/mail/spamassassin directory with something like

score RAZOR2_CF_RANGE_51_100 0 (1.5) 0 (1.5)
score RAZOR2_CHECK 0 (1.5) 0 (1.5)

This has gotten my spam detection rates above the 97% mark for the first time. 
I'd like to consider raising the RAZOR rule scores more, but I want to 
understand the difference between the scores before I do that.

It seems obvious that RAZOR2_CF_RANGE_XX_YY means that the razor server gives 
this message between an X and Y probability of being spam.

But what does the RAZOR2_CHECK score mean? Poking around, I would guess that it 
means that Razor has determined the confidence value for the message is 
higher than the threshold I've configured in the Razor config files; but I can 
find no documentation that states that.

TIA,

James

-- 
James Bucanek mailto:[EMAIL PROTECTED]


Re: A weekend SpamAssassin success - and a Razor score question

2005-07-25 Thread Theo Van Dinter
On Mon, Jul 25, 2005 at 08:09:55AM -0700, James Bucanek wrote:
 But what does the RAZOR2_CHECK score mean? Poking around, I would guess that 
 it means that Razor has determined the confidence value for the message is 
 higher than the threshold I've configured in the Razor config files; but I 
 can find no documentation that states that.

Yeah, that's pretty much it.  RAZOR2_CHECK returns to you the same yes/no
as razor_check.  The other ones ignore your cf setting and just look at
the raw cf from the message.

-- 
Randomly Generated Tagline:
Somebody should iron you.
 
--Ralph Wiggum
  Wild Barts Can't Be Broken (Episode AABF07)




Re: A weekend SpamAssassin success - and a Razor score question

2005-07-25 Thread Matt Kettler
James Bucanek wrote:
 Greetings,
 
 My weekend spam assassination resumed yesterday, when I found a few hours to 
 implement the suggestions from the list last month (well, some of them -- 
 there were so many good suggestions).
 
 I upgraded SA to 3.0.4.  That went as smooth as silk.
 
 Installed Razor 2.75.  Very much unlike my previous attempt to install Razor 
 1.x, this also went very smoothly.  It took me about 2 hours to download the 
 software, upgrade SA, install Razor, read the docs and configure everything 
 to work together.
 
 My spam detection rate has improved significantly.  So a hearty thanks to all 
 the list members who answered my cries for help last month!
 
 Now, my question. I have upped the scores for the RAZOR rules by adding a 
 morerazor.cf file to my /etc/mail/spamassassin directory with something like
 
 score RAZOR2_CF_RANGE_51_100 0 (1.5) 0 (1.5)
 score RAZOR2_CHECK 0 (1.5) 0 (1.5)
 
 This has gotten my spam detection rates above the 97% mark for the first 
 time. I'd like to consider raising the RAZOR rule scores more, but I want to 
 understand the difference between the scores before I do that.
 
 It seems obvious that RAZOR2_CF_RANGE_XX_YY means that the razor server gives 
 this message between an X and Y probability of being spam.

Unfortunately, that's not the case. It's the razor confidence factor
(abbreviated cf by the razor debug output), which is NOT a percentage-chance of
spam.

This score ranges from -100 to +100, with 0 being undecided, and +100 being the
strongest chance of spam. The entire scoring system is based on the TeS system,
which is undocumented, but revolves around ranking reporters as trusted or not.

I'd venture to say that razor has some considerable bias towards 100 on fresh
objects, as they get reported a handful of times by good reporters they appear
to immediately become 100 until revoked down.

This was extraordinarily true right around the introduction of e8, where the
small set of reporting data caused razor to jump wildly and nearly every message
matching e8 got a cf of 100. That should have stabilized by now.

While you can definitely say that razor believes a CF of 100 has a higher chance
of being spam than 99, you cannot directly translate these to probabilities, it
doesn't seem to be a very linear function.


 
 But what does the RAZOR2_CHECK score mean? Poking around, I would guess that 
 it means that Razor has determined the confidence value for the message is 
 higher than the threshold I've configured in the Razor config files; but I 
 can find no documentation that states that.

Yes, this means that cf was >= min_cf in your razor config.





Re: ALL_TRUSTED appearing on spam

2005-07-25 Thread John T. Yocum
Thanks. I tried adding the /32 to the end, but that didn't have an effect.
I did run the headers through spamassassin -D and got the following.

debug: received-header: unknown format: from U075209.ppp.dion.ne.jp
(U075209.ppp.dion.ne.jp
debug: metadata: X-Spam-Relays-Trusted:
debug: metadata: X-Spam-Relays-Untrusted:

Thus, it was tagged as ALL_TRUSTED.

What is really odd, is this only happens to direct delivered mail, any
message relayed via another host, doesn't get the ALL_TRUSTED flag.

Thanks,
John

 mouss wrote:
 John T. Yocum wrote:

 Hello,

 I've recently noticed that a lot of spam is getting through
 SpamAssassin,
 and it's getting the ALL_TRUSTED test listed on it. The issue with that
 is, I only have one IP trusted, and that's my own mail server.

 snip from local.cf
 # Trusted Networks
 trusted_networks 69.25.118.171
 /snip

 As you can see in the below set of headers the message came from
 218.222.75.209. Yet, it's trusted.

 Return-Path: [EMAIL PROTECTED]
 Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp
 [218.222.75.209])
  by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id
 j6OKabJS014331
  for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700


 My understanding (but I may be wrong) is that ALL_TRUSTED means all
 received headers are trusted, which seems the case. It doesn't mean the
 origin client is trusted.


 You are incorrect mouss. It does in fact mean that all hosts involved are
 trusted hosts. Well, it actually means there are no untrusted hosts, but
 unless
 there's an unparseable header it's the same thing.

 Suggestions:

 1) add a /32 to the end of your trusted networks statement. The docs SAY
 it will
 work without a netmask, but my experience with 2.6x is that it did not
 work, so
 I always specify a mask.

 2) the other causes when SA fails to be able to parse the Received:
 headers.
 That header looks normal to me, but try running the message through
 spamassassin
 -D and see what SA has to say about the Received: path in it's debug
 output.




Re: ALL_TRUSTED appearing on spam

2005-07-25 Thread John T. Yocum
Thanks for the info.

I fixed that Received line, by removing the line wrap, and it was no
longer ALL_TRUSTED.

Now that I know what the issue is, I just need to figure out why the
header is getting munged.

Thanks,
John

 John T. Yocum wrote:
 Thanks. I tried adding the /32 to the end, but that didn't have an
 effect.
 I did run the headers through spamassassin -D and got the following.

 debug: received-header: unknown format: from U075209.ppp.dion.ne.jp
 (U075209.ppp.dion.ne.jp
 debug: metadata: X-Spam-Relays-Trusted:
 debug: metadata: X-Spam-Relays-Untrusted:

 Thus, it was tagged as ALL_TRUSTED.

 What is really odd, is this only happens to direct delivered mail, any
 message relayed via another host, doesn't get the ALL_TRUSTED flag.


 Well, that much makes sense. SA can't parse the Received: headers your
 server
 generates, but it can parse ones generated by outside servers. Thus,
 outside
 mail with another relay will show up as having been through an untrusted
 host.


 The problem you need to track down is why can't SA parse your Received:
 headers.

 Based on the debug output you got it could be an issue with line-wrap
 formatting.

 At casual glance, the headers you quoted look correct, but it's impossible
 to
 tell if they're really correct because they've been copy-pasted into an
 email
 message which adds line wraps.


 To check that, you need to look at a set of pristine message headers, not
 a
 copy-paste of them, in a hex editor. (The process of copy-pasting can
 change
 linewrap formats, replace tabs with spaces, and other sundry things that
 would
 matter here).

 One thing I can tell you is that there MUST NOT be a linewrap between the
 end of
 the RDNS hostname and the [ for the IP address.

 This quotation should be only 3 lines long:

 Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp
 [218.222.75.209])
  by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331
  for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700


 But I'm assuming the extra linewrap after .jp was added by your mail
 client.
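
As an added illustration (not part of the thread and not SpamAssassin's own code), this simplified Python model shows why an unparseable Received: header leaves both relay lists empty and lets a "no untrusted relays" test fire, next to a stricter check that refuses to fire when any header failed to parse. The regex, the function names and the sample recipient are assumptions; the hostnames and IP addresses are the ones quoted in the messages above.

```python
import ipaddress
import re

# trusted_networks value from the thread, with the /32 mask Matt suggests.
TRUSTED_NETWORKS = [ipaddress.ip_network("69.25.118.171/32")]

# Assumed, simplified sendmail-style shape: "from HELO (RDNS [IP]) by HOST".
# SpamAssassin's real parser knows many more formats; this is a stand-in.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)
HEADER_RE = re.compile(r"^([^\s:]+):[ \t]*(.*)$")


def unfold_headers(raw):
    """Return [(name, value)] with continuation lines joined (RFC 5322)."""
    headers = []
    for line in raw.splitlines():
        if not line:
            break  # blank line ends the header block
        if line[0] in " \t":
            if headers:
                name, value = headers[-1]
                headers[-1] = (name, value + " " + line.strip())
            continue
        m = HEADER_RE.match(line)
        if m:
            headers.append((m.group(1), m.group(2).strip()))
        # Otherwise: a wrapped line that lost its leading whitespace is
        # neither a header nor a continuation, so its text is dropped.
    return headers


def classify_relays(raw):
    """Sort each Received: hop into trusted / untrusted / unparsed."""
    relays = {"trusted": [], "untrusted": [], "unparsed": []}
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.match(value)
        try:
            ip = ipaddress.ip_address(m.group("ip")) if m else None
        except ValueError:
            ip = None
        if ip is None:
            relays["unparsed"].append(value)
        elif any(ip in net for net in TRUSTED_NETWORKS):
            relays["trusted"].append(str(ip))
        else:
            relays["untrusted"].append(str(ip))
    return relays


def all_trusted_fail_open(relays):
    """Fires when no untrusted relay was found (behaviour described above)."""
    return not relays["untrusted"]


def all_trusted_fail_closed(relays):
    """Stricter variant: needs a parsed trusted hop and nothing unparsed."""
    return (bool(relays["trusted"]) and not relays["untrusted"]
            and not relays["unparsed"])


# Constructed sample headers; the recipient address is a placeholder.
_TAIL = (
    "\tby kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331\n"
    "\tfor <user@example.com>; Sun, 24 Jul 2005 13:36:40 -0700\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
FOLDED = (
    "Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp\n"
    "\t[218.222.75.209])\n" + _TAIL
)
# Same header, but the wrapped "[IP])" line has lost its leading whitespace.
MUNGED = FOLDED.replace("\t[218", "[218")
# Same header shape, delivered by the one trusted address.
LOCAL = FOLDED.replace("218.222.75.209", "69.25.118.171")

if __name__ == "__main__":
    for label, raw in (("folded", FOLDED), ("munged", MUNGED), ("local", LOCAL)):
        r = classify_relays(raw)
        print(label, r["trusted"], r["untrusted"], len(r["unparsed"]),
              "fail-open:", all_trusted_fail_open(r),
              "fail-closed:", all_trusted_fail_closed(r))
```
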




Re: ALL_TRUSTED appearing on spam

2005-07-25 Thread John T. Yocum
I decided to run spamd in debug mode, and log what it was seeing. This is
what I found for a direct delivered message..

debug: received-header: unknown format: from fluidhostingc.com (unknown)
by kangaroo.publicmx.com;

Searched around on Google, and saw a reference that at least in
spamass-milter 0.2, the milter fakes the received header to appease SA.
However, that method doesn't work so well.

--John

 Thanks for the info.

 I fixed that Received line, by removing the line wrap, and it was no
 longer ALL_TRUSTED.

 Now that I know what the issue is, I just need to figure out why the
 header is getting munged.

 Thanks,
 John

 John T. Yocum wrote:
 Thanks. I tried adding the /32 to the end, but that didn't have an
 effect.
 I did run the headers through spamassassin -D and got the following.

 debug: received-header: unknown format: from U075209.ppp.dion.ne.jp
 (U075209.ppp.dion.ne.jp
 debug: metadata: X-Spam-Relays-Trusted:
 debug: metadata: X-Spam-Relays-Untrusted:

 Thus, it was tagged as ALL_TRUSTED.

 What is really odd, is this only happens to direct delivered mail, any
 message relayed via another host, doesn't get the ALL_TRUSTED flag.


 Well, that much makes sense. SA can't parse the Received: headers your
 server
 generates, but it can parse ones generated by outside servers. Thus,
 outside
 mail with another relay will show up as having been through an untrusted
 host.


 The problem you need to track down is why can't SA parse your Received:
 headers.

 Based on the debug output you got it could be an issue with line-wrap
 formatting.

 At casual glance, the headers you quoted look correct, but it's
 impossible
 to
 tell if they're really correct because they've been copy-pasted into an
 email
 message which adds line wraps.


 To check that, you need to look at a set of pristine message headers,
 not
 a
 copy-paste of them, in a hex editor. (The process of copy-pasting can
 change
 linewrap formats, replace tabs with spaces, and other sundry things that
 would
 matter here).

 One thing I can tell you is that there MUST NOT be a linewrap between
 the
 end of
 the RDNS hostname and the [ for the IP address.

 This quotation should be only 3 lines long:

 Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp
 [218.222.75.209])
  by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id
 j6OKabJS014331
  for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700


 But I'm assuming the extra linewrap after .jp was added by your mail
 client.






Re: Please test sc2.surbl.org (and xs.surbl.org)

2005-07-25 Thread jdow
From: Jeff Chan [EMAIL PROTECTED]

 On Monday, July 25, 2005, 12:33:08 AM, jdow jdow wrote:
  From: Jeff Chan [EMAIL PROTECTED]
  Is this correct as amended? I added the TXT strings

  Here are SpamAssassin 3.0.1 and later configs for using these two
lists:

 Please try:

 urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.   A   127.0.0.2
 body      URIBL_SC2_SURBL  eval:check_uridnsbl('URIBL_SC2_SURBL')
 describe  URIBL_SC2_SURBL  Has URI in SC2 at http://www.surbl.org/lists.html
 tflags    URIBL_SC2_SURBL  net

 score     URIBL_SC2_SURBL  3.0

 urirhsbl  URIBL_XS_SURBL   xs.surbl.org.    A   127.0.0.2
 body      URIBL_XS_SURBL   eval:check_uridnsbl('URIBL_XS_SURBL')
 describe  URIBL_XS_SURBL   Has URI in XS - Testing
 tflags    URIBL_XS_SURBL   net

 score     URIBL_XS_SURBL   2.0

config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_SC2_SURBL  sc2.surbl.org.   A   127.0.0.2
config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_XS_SURBL   xs.surbl.org.    A   127.0.0.2


Note that it passes if I use TXT.

{^_^}




Re: ALL_TRUSTED appearing on spam

2005-07-25 Thread John T. Yocum
Fixed the problem. Looks like the howto I followed for setting up
spamass-milter was wrong. After redoing my sendmail config for it, all is
well.

Thanks for all the help everyone.

--John

 I decided to run spamd in debug mode, and log what it was seeing. This is
 what I found for a direct delivered message..

 debug: received-header: unknown format: from fluidhostingc.com (unknown)
 by kangaroo.publicmx.com;

 Searched around on Google, and saw a reference that at least in
 spamass-milter 0.2, the milter fakes the received header to appease SA.
 However, that method doesn't work so well.

 --John

 Thanks for the info.

 I fixed that Received line, by removing the line wrap, and it was no
 longer ALL_TRUSTED.

 Now that I know what the issue is, I just need to figure out why the
 header is getting munged.

 Thanks,
 John

 John T. Yocum wrote:
 Thanks. I tried adding the /32 to the end, but that didn't have an
 effect.
 I did run the headers through spamassassin -D and got the following.

 debug: received-header: unknown format: from U075209.ppp.dion.ne.jp
 (U075209.ppp.dion.ne.jp
 debug: metadata: X-Spam-Relays-Trusted:
 debug: metadata: X-Spam-Relays-Untrusted:

 Thus, it was tagged as ALL_TRUSTED.

 What is really odd, is this only happens to direct delivered mail, any
 message relayed via another host, doesn't get the ALL_TRUSTED flag.


 Well, that much makes sense. SA can't parse the Received: headers your server
 generates, but it can parse ones generated by outside servers. Thus, outside
 mail with another relay will show up as having been through an untrusted host.

 The problem you need to track down is why can't SA parse your Received:
 headers.

 Based on the debug output you got it could be an issue with line-wrap
 formatting.

 At casual glance, the headers you quoted look correct, but it's impossible to
 tell if they're really correct because they've been copy-pasted into an email
 message which adds line wraps.

 To check that, you need to look at a set of pristine message headers, not a
 copy-paste of them, in a hex editor. (The process of copy-pasting can change
 linewrap formats, replace tabs with spaces, and other sundry things that would
 matter here).

 One thing I can tell you is that there MUST NOT be a linewrap between the end
 of the RDNS hostname and the [ for the IP address.

 This quotation should be only 3 lines long:

 Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp
 [218.222.75.209])
  by kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id
 j6OKabJS014331
  for [EMAIL PROTECTED]; Sun, 24 Jul 2005 13:36:40 -0700


 But I'm assuming the extra linewrap after .jp was added by your mail
 client.
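
The quoted reply asks for the pristine header bytes to be inspected rather than a copy-paste. As an added example (not from the thread, and not SpamAssassin's own parser), this Python check reads raw header bytes and flags a Received: field whose "from HELO (rdns [ip])" clause is wrapped before the `[`, or cut off by a line break that lost its leading whitespace. The regexes, function names and the placeholder recipient are assumptions.

```python
import re

FIELD_START = re.compile(rb"^[!-9;-~]+:")        # RFC 5322 field name + colon
# Assumed sendmail-style clause "from HELO (rdns [ip])", as quoted in the thread.
FROM_CLAUSE = re.compile(rb"(?i)^Received:\s+from\s+\S+\s+\((\S+)(\s*)\[[0-9a-f.:]+\]\)")

def split_headers(raw: bytes):
    """Header fields with folded continuation lines attached, bytes untouched."""
    end = re.search(rb"\r?\n(?=\r?\n)", raw)     # blank line ends the header block
    head = raw[:end.end()] if end else raw
    fields = []
    for line in head.splitlines(keepends=True):
        if fields and line[:1] in (b" ", b"\t"):
            fields[-1] += line                   # legal fold: starts with SP or TAB
        else:
            fields.append(line)
    return fields

def check_received(raw: bytes):
    """Return (problem, field) pairs for Received: fields that look munged."""
    problems = []
    for field in split_headers(raw):
        if not FIELD_START.match(field):
            problems.append(("orphan-line", field))       # fold lost its whitespace
        elif re.match(rb"(?i)^Received:\s+from\s", field):
            m = FROM_CLAUSE.match(field)
            if m is None:
                problems.append(("no-bracketed-ip", field))
            elif b"\n" in m.group(2):
                problems.append(("wrap-before-ip", field))
    return problems

# Constructed inputs: the Received header quoted in the thread, laid out on the
# three lines the reply describes, with a placeholder recipient address.
GOOD = (
    b"Received: from U075209.ppp.dion.ne.jp (U075209.ppp.dion.ne.jp [218.222.75.209])\r\n"
    b"\tby kangaroo.publicmx.com (8.13.4/8.13.4) with ESMTP id j6OKabJS014331\r\n"
    b"\tfor <user@example.org>; Sun, 24 Jul 2005 13:36:40 -0700\r\n"
    b"Subject: test\r\n\r\nbody\r\n"
)
FOLDED = GOOD.replace(b".jp [218", b".jp\r\n\t[218")   # wrap between rDNS and [ip]
BROKEN = GOOD.replace(b".jp [218", b".jp\n[218")      # wrap with no leading whitespace

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("folded", FOLDED), ("broken", BROKEN)):
        # Printing the bytes repr makes \r, \n and \t visible, like a hex view.
        print(label, check_received(raw))
```

In the BROKEN case the Received: field ends right after the rDNS hostname, the same shape as the "unknown format" debug line quoted above.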








Re: Please test sc2.surbl.org (and xs.surbl.org)

2005-07-25 Thread Tim Litwiller




jdow wrote:

  From: "Jeff Chan" [EMAIL PROTECTED]

  
  
Here are SpamAssassin 3.0.1 and later configs for using these two lists:

urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.
body      URIBL_SC2_SURBL  eval:check_uridnsbl('URIBL_SC2_SURBL')
describe  URIBL_SC2_SURBL  Has URI in SC2 at http://www.surbl.org/lists.html
tflags    URIBL_SC2_SURBL  net

score     URIBL_SC2_SURBL  3.0

urirhsbl  URIBL_XS_SURBL   xs.surbl.org.
body      URIBL_XS_SURBL   eval:check_uridnsbl('URIBL_XS_SURBL')
describe  URIBL_XS_SURBL   Has URI in XS - Testing
tflags    URIBL_XS_SURBL   net

score     URIBL_XS_SURBL   2.0

config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_SC2_SURBL  sc2.surbl.org.
config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_XS_SURBL   xs.surbl.org.

Debug on:
debug: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa4b3a18)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0xa4b50ec)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa4c8efc) implements 'parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa4b3a18) implements 'parse_config'
config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_SC2_SURBL  sc2.surbl.org.
config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_XS_SURBL   xs.surbl.org.


Er - oops. 3.04
{^_^}


  

this is what it took to make it work for me

urirhssub URIBL_SC2_SURBL sc2.surbl.org. A 127.0.0.2
body URIBL_SC2_SURBL eval:check_uridnsbl('URIBL_SC2_SURBL')
describe URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html
tflags URIBL_SC2_SURBL net
score URIBL_SC2_SURBL 3.0

urirhssub URIBL_XS_SURBL xs.surbl.org. A 127.0.0.2
body URIBL_XS_SURBL eval:check_uridnsbl('URIBL_XS_SURBL')
describe URIBL_XS_SURBL Has URI in XS - Testing
tflags URIBL_XS_SURBL net
score URIBL_XS_SURBL 2.0





Re: Jupiter Media redirector abuse

2005-07-25 Thread Daryl C. W. O'Shea

Jeff Chan wrote:

Pretty elaborate obfuscation:

a
href=http://www.enterprisestorageforum.com/RealMedia/ads/click_lx.ads/ew/mistress/www.cometrees.com/management/features/article/4899482848/lbnyvio/OasDefault/Sun_Storage_SolutionCenter_1a/accessunit4.html/4681978795193130586212279675?ooftpqz.WINCriTCoNDI.COm
target=_blankfont size=5 color=1C1CFFubC1icck here to 0rder 
suppose/font/font/b/u/abrbr

Actual target site is blackhat:

  wincritcondi.com

I wrote to Jupitermedia about it (owner of
enterprisestorageforum.com) to close their redirector.

Would someone see if this gets detected correctly on recent SA?

Jeff C.


SA won't detect wincritcondi.com, just enterprisestorageforum.com.

It appears this redirector has been removed, but I'll write a redirector 
pattern for it if someone says otherwise.



Daryl



Re: SA report fails with Razor2 ?

2005-07-25 Thread Daryl C. W. O'Shea

Brian Ipsen wrote:

Hi,

 When trying to report spam manually using

# spamassassin -r  (mailfile)

I get an error like:

razor2 report failed: No such file or directory Died at
/usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Reporter.pm line 148,
GEN1 line 1.
1 message(s) examined.
Insecure dependency in connect while running with -T switch at
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/IO/Socket.pm line 114.

I'm using SA 3.0.4 - any idea why this fails ??

Regards,
/Brian


I haven't looked into the IO::Socket issue, but there is a bug on it 
that you might want to look at:


http://bugzilla.spamassassin.org/show_bug.cgi?id=3939


Daryl



bayes_sql_username doesn't work in 3.1.0pre4/postgres.

2005-07-25 Thread Matthew Schumacher
It seems that sa always tries to login to the db as the running user
instead of the defined db user.  Is this the expected behavior?  If so
the documentation should be changed.

schu


Re: bayes_sql_username doesn't work in 3.1.0pre4/postgres.

2005-07-25 Thread Michael Parker
Matthew Schumacher wrote:

It seems that sa always tries to login to the db as the running user
instead of the defined db user.  Is this the expected behavior?  If so
the documentation should be changed.

schu

  

Nothing in that code has changed in forever, so you're gonna have to
provide a little more information.  I know for a fact that it is working
just fine for MySQL, I haven't used it under Postgresql in a while but
the principle is the same.  Are you certain you didn't misspell the
option or something?  Try running spamassassin --lint and see what it says.

Michael




Re: bayes_sql_username doesn't work in 3.1.0pre4/postgres.

2005-07-25 Thread Matthew Schumacher
Michael Parker wrote:
 Matthew Schumacher wrote:
 
 
It seems that sa always tries to login to the db as the running user
instead of the defined db user.  Is this the expected behavior?  If so
the documentation should be changed.

schu

 

 
 Nothing in that code has changed in forever, so you're gonna have to
 provide a little more information.  I know for a fact that it is working
 just fine for MySQL, I haven't used it under Postgresql in a while but
 the principle is the same.  Are you certain you didn't misspell the
 option or something?  Try running spamassassin --lint and see what it says.
 
 Michael

Thanks for your reply Michael.

After further looking, the problem isn't the username or the connect_db
method, it's the _initialize_db method that is failing.

The debugging prints, unable to initialize database for nobody user,
aborting! which caused me to think that it was trying to connect as
nobody, but then discovered that initialize and connect were different
things.

I tracked down where _initialize_db() returns 0, it's at line 1750:

return 0 unless ($create_entry_p);

I'm not sure what this is for, but whatever it is, it keeps the database
from becoming initialized which is causing bayes to not work for me.

Any information on how to get around this would be great...

thanks,

schu


generating rule stats from spamd logs

2005-07-25 Thread Charles Sprickman

Hi,

Anyone aware of anything that can parse a day's spamd logs and then give a 
summary of total hits per rule?  I noticed since 3.0.x that all rule hits 
are in the logs now:


Jul 25 22:44:49 spamd2 spamd[59436]: result: Y 14 - BAYES_60,DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=6.7,size=2027,mid=[EMAIL PROTECTED],bayes=0.781998195315203,autolearn=disabled


I've got three spamd boxes logging to one server.  I already run 
sa-stats.pl daily, but I'd like to see more information about what rules 
are hitting.  I did see a few things in the wiki, but most of them look to 
be tied to snarfing MTA logs.


Thanks,

Charles
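
One way to get the per-rule summary asked about above, as an added example that is not part of the original post and not an existing SpamAssassin tool: a Python parser for spamd "result:" lines in the shape quoted in the post, counting hits per rule separately for spam and non-spam across all logging hosts. The optional "spamd: " prefix, the "." verdict for non-spam and the function names are assumptions.

```python
import re
from collections import Counter

# Shape of the "result:" line shown in the post. The optional "spamd: " prefix
# and the "." verdict for non-spam are assumptions about other lines in the log.
RESULT = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\sspamd\[\d+\]:\s(?:spamd:\s)?"
    r"result:\s(?P<verdict>[Y.])\s+(?P<score>-?\d+)\s-\s(?P<rules>[\w,]*)\s*scantime="
)

def rule_stats(lines):
    """Count, per rule, how many spam and how many ham messages it hit."""
    per_rule = {"spam": Counter(), "ham": Counter()}
    totals = Counter()
    for line in lines:
        m = RESULT.match(line)
        if m is None:                      # not a result line, or wrapped/garbled
            continue
        kind = "spam" if m["verdict"] == "Y" else "ham"
        totals[kind] += 1
        # A message with no hits logs an empty rule list; drop the empty name.
        per_rule[kind].update({r for r in m["rules"].split(",") if r})
    return per_rule, totals

def report(lines, top=20):
    """Rows of (rule, spam hits, % of spam, ham hits, % of ham), busiest first."""
    per_rule, totals = rule_stats(lines)
    rows = []
    for name in set(per_rule["spam"]) | set(per_rule["ham"]):
        s, h = per_rule["spam"][name], per_rule["ham"][name]
        rows.append((name, s, 100.0 * s / max(totals["spam"], 1),
                     h, 100.0 * h / max(totals["ham"], 1)))
    rows.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return rows[:top]

# Constructed sample: the first line is the one from the post with a placeholder
# message-id; the others are made up in the same shape, from three hosts.
SAMPLE_LOG = """\
Jul 25 22:44:49 spamd2 spamd[59436]: result: Y 14 - BAYES_60,DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,URIBL_BLACK,URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=6.7,size=2027,mid=<a@example.org>,bayes=0.781998195315203,autolearn=disabled
Jul 25 22:44:50 spamd1 spamd[41002]: processing message <b@example.org> for nobody:58
Jul 25 22:44:51 spamd1 spamd[41002]: result: . 1 - BAYES_60 scantime=2.1,size=5310,mid=<b@example.org>,bayes=0.61,autolearn=disabled
Jul 25 22:44:55 spamd3 spamd[1207]: result: Y 9 - URIBL_BLACK,URIBL_WS_SURBL scantime=3.0,size=1800,mid=<c@example.org>,bayes=0.5,autolearn=disabled
Jul 25 22:45:02 spamd3 spamd[1207]: result: . 0 -  scantime=1.2,size=900,mid=<d@example.org>,bayes=0.5,autolearn=disabled
""".splitlines()

if __name__ == "__main__":
    for name, s, sp, h, hp in report(SAMPLE_LOG):
        print(f"{name:<24} spam {s:>4} ({sp:5.1f}%)  ham {h:>4} ({hp:5.1f}%)")
```

The ham column is what shows whether a rule is also firing on legitimate mail, which a spam-only hit count would hide.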



RBL lookup failures

2005-07-25 Thread Daniel O'Connor
Hi,
I am using Spam Assassin 3.0.4 called from MIMEDefang 2.51 on a FreeBSD
4.9 box with perl 5.6.2 and I get the following messages in my maillog
on occasion..

Jul 26 12:43:36 cain sm-mta[81183]: j6Q3DUp1081183: from=[EMAIL PROTECTED], 
size=4221, class=-30, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, 
daemon=smtp, relay=mx2.freebsd.org [216.136.204.119]
Jul 26 12:43:36 cain mimedefang-multiplexor[80550]: Slave 0 stderr: Failed to 
run __RFC_IGNORANT_ENVFROM RBL SpamAssassin test, skipping:   (Can't call 
method bgsend on an undefined value at 
/usr/local/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/Dns.pm line 112. )
Jul 26 12:43:36 cain mimedefang-multiplexor[80550]: Slave 0 stderr: Failed to 
run NO_DNS_FOR_FROM RBL SpamAssassin test, skipping:  (Can't call method 
bgsend on an undefined value at 
/usr/local/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/Dns.pm line 141. )
Jul 26 12:43:36 cain mimedefang-multiplexor[80550]: Slave 0 stderr: Failed to 
run DNS_FROM_AHBL_RHSBL RBL SpamAssassin test, skipping:  (Can't call method 
bgsend on an undefined value at 
/usr/local/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/Dns.pm line 112. )
Jul 26 12:43:36 cain mimedefang.pl[80553]: 
MDLOG,j6Q3DUp1081183,mail_in,,,[EMAIL PROTECTED],[EMAIL PROTECTED],6-BETA1 
iwi + wpa_supplicant fails, and sometimes silently reboots

ie the slave errors.

I have..
skip_rbl_checks 0
use_razor2 0

###
# Add your own customised scores for some tests below.  The default scores are
# read from the installed spamassassin.cf file, but you can override them
# here.  To see the list of tests and their default scores, go to
# http://spamassassin.taint.org/tests.html .

urirhssub URIBL_JP_SURBL  multi.surbl.org.  A   64
body      URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe  URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
tflags    URIBL_JP_SURBL  net

score     URIBL_JP_SURBL  3.0

trusted_networks 203.31.81.0/24 203.122.192.0/26
dns_available yes

in the MD .cf file.

Anyone have any clues about how I can resolve this?
Thanks.

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
The nice thing about standards is that there
are so many of them to choose from.
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C
 




Re: Please test sc2.surbl.org (and xs.surbl.org)

2005-07-25 Thread Jeff Chan
On Monday, July 25, 2005, 12:06:10 PM, jdow jdow wrote:
 From: Jeff Chan [EMAIL PROTECTED]

 On Monday, July 25, 2005, 12:33:08 AM, jdow jdow wrote:
  From: Jeff Chan [EMAIL PROTECTED]
  Is this correct as amended? I added the TXT strings

  Here are SpamAssassin 3.0.1 and later configs for using these two
 lists:

 Please try:

 urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.   A   127.0.0.2
 body      URIBL_SC2_SURBL  eval:check_uridnsbl('URIBL_SC2_SURBL')
 describe  URIBL_SC2_SURBL  Has URI in SC2 at http://www.surbl.org/lists.html
 tflags    URIBL_SC2_SURBL  net

 score     URIBL_SC2_SURBL  3.0

 urirhsbl  URIBL_XS_SURBL   xs.surbl.org.    A   127.0.0.2
 body      URIBL_XS_SURBL   eval:check_uridnsbl('URIBL_XS_SURBL')
 describe  URIBL_XS_SURBL   Has URI in XS - Testing
 tflags    URIBL_XS_SURBL   net

 score     URIBL_XS_SURBL   2.0

 config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_SC2_SURBL  sc2.surbl.org.   A   127.0.0.2
 config: SpamAssassin failed to parse line, skipping: urirhsbl URIBL_XS_SURBL   xs.surbl.org.    A   127.0.0.2


 Note that it passes if I use TXT.

 {^_^}


Did you see my follow up message?  A without anything after it
should work.  It worked on my SA3.  TXT will also work, but A is
preferred. 

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Bayes is a cpu hog ?

2005-07-25 Thread Ramprasad A Padmanabhan
Hi all,
   I am using Spamassassin on our SMTP servers with almost 2 mails
an hour. The problem is the machine is almost always heavily loaded.
Spamassassin takes a lot of time and I think the Bayes checking /
learning is the real cpu hog ? 
   Also I feel bayes is no good for a server like ours , we process
mails for different customers , so bayesian learning for one customer
has little sense for the other.

I would like to completely disable bayes , can someone provide some
inputs on this.

Thanks
Ram


--
Netcore Solutions Pvt. Ltd.
Website:  http://www.netcore.co.in
Spamtraps: http://cleanmail.netcore.co.in/directory.html
--


Re: Please test sc2.surbl.org (and xs.surbl.org)

2005-07-25 Thread Tim Litwiller

Jeff Chan wrote:


On Monday, July 25, 2005, 3:11:40 PM, Tim Litwiller wrote:
 


this is what it took to make it work for me

_urirhssub_ URIBL_SC2_SURBL  sc2.surbl.org.   A   127.0.0.2
body        URIBL_SC2_SURBL  eval:check_uridnsbl('URIBL_SC2_SURBL')
describe    URIBL_SC2_SURBL  Has URI in SC2 at http://www.surbl.org/lists.html
tflags      URIBL_SC2_SURBL  net
score       URIBL_SC2_SURBL  3.0

_urirhssub_ URIBL_XS_SURBL   xs.surbl.org.    A   127.0.0.2
body        URIBL_XS_SURBL   eval:check_uridnsbl('URIBL_XS_SURBL')
describe    URIBL_XS_SURBL   Has URI in XS - Testing
tflags      URIBL_XS_SURBL   net
score       URIBL_XS_SURBL   2.0
   



That will work, but it's technically incorrect since the
standalone lists sc2 and xs aren't bitmask-encoded, which is what
urirhssub is intended for.  Standalone lists should be used with
urirhsbl, so correct, working rules for these are:


urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.   A
body      URIBL_SC2_SURBL  eval:check_uridnsbl('URIBL_SC2_SURBL')
describe  URIBL_SC2_SURBL  Has URI in SC2 at http://www.surbl.org/lists.html
tflags    URIBL_SC2_SURBL  net

score     URIBL_SC2_SURBL  3.0

urirhsbl  URIBL_XS_SURBL   xs.surbl.org.    A
body      URIBL_XS_SURBL   eval:check_uridnsbl('URIBL_XS_SURBL')
describe  URIBL_XS_SURBL   Has URI in XS - Testing
tflags    URIBL_XS_SURBL   net

score     URIBL_XS_SURBL   2.0


Please give them a try and let us know how they work for you.

Jeff C.
 


that works now - either something changed or I did something wrong earlier.
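
The urirhsbl/urirhssub distinction from this thread, as an added example that is not part of the original posts and is not SpamAssassin code: a Python linter that catches the two line shapes the thread reports as failing to parse, plus a small model of when each directive fires for a given DNS answer. The function names, the argument-count table (taken from the lines the thread shows parsing and failing) and the sample A records are assumptions.

```python
import ipaddress

# Arguments after the directive: NAME zone lookuptype [subtest].
# urirhsbl is for standalone lists, urirhssub adds a subtest for combined lists.
ARITY = {"urirhsbl": 3, "urirhssub": 4}

def _valid_subtest(s):
    """A subtest is a decimal bitmask or a dotted IPv4 address."""
    if s.isdigit():
        return True
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False

def lint_uridnsbl(config_text):
    """Return (line number, message) for urirhsbl/urirhssub lines that look wrong."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        parts = line.split("#", 1)[0].split()
        if not parts or parts[0] not in ARITY:
            continue
        directive, args = parts[0], parts[1:]
        if len(args) != ARITY[directive]:
            findings.append((n, f"{directive} takes {ARITY[directive]} arguments, got {len(args)}"))
        elif args[2] not in ("A", "TXT"):
            findings.append((n, f"lookup type {args[2]!r} is not A or TXT"))
        elif directive == "urirhssub" and not _valid_subtest(args[3]):
            findings.append((n, f"subtest {args[3]!r} is neither a bitmask nor an IPv4 address"))
    return findings

def rule_hits(directive, subtest, answers):
    """Model of when the rule fires, given the A records returned for a domain."""
    if directive == "urirhsbl":
        return bool(answers)               # standalone list: any answer is a listing
    if subtest.isdigit():                  # bitmask-encoded combined list
        return any(int(ipaddress.IPv4Address(a)) & int(subtest) for a in answers)
    return subtest in answers              # exact-address subtest

# Line shapes seen in the thread (whitespace normalised).
THREAD_CONFIGS = {
    "no lookup type": "urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.",
    "extra subtest":  "urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.  A  127.0.0.2",
    "urirhssub":      "urirhssub URIBL_SC2_SURBL  sc2.surbl.org.  A  127.0.0.2",
    "standalone":     "urirhsbl  URIBL_SC2_SURBL  sc2.surbl.org.  A",
    "bitmask":        "urirhssub URIBL_JP_SURBL   multi.surbl.org.  A  64",
}

if __name__ == "__main__":
    for label, text in THREAD_CONFIGS.items():
        print(f"{label:<15} {lint_uridnsbl(text) or 'ok'}")
    # Constructed answers: 127.0.0.2 from a standalone list, 127.0.0.64 from a combined one.
    print(rule_hits("urirhsbl", None, ["127.0.0.2"]), rule_hits("urirhssub", "64", ["127.0.0.64"]))
```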