Re: delivering spam all spam to a separate mailbox.

2005-08-10 Thread Loren Wilton
Spamassassin only filters mail and assigns a score, it does no routing.  If
the mail is marked as spam, SA is working correctly and doing what it is
supposed to do.

The routing would have to be done by an external program that looks at the
results from SA.

Loren
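
What that external routing step can look like, as an added example that is not from the thread: a small Python delivery filter, standing in for a procmail recipe, that reads the X-Spam-Flag and X-Spam-Status headers SpamAssassin adds and appends the message to a separate mbox. The function names, the `local_threshold` option and both sample messages are constructed for illustration.

```python
"""SpamAssassin scores the mail; this external step files it by verdict."""
import mailbox
import os
import re
import tempfile
from email import message_from_string

# Accepts "hits=" (as in the headers quoted on this page) and "score=".
STATUS = re.compile(r"^\s*(Yes|No)\s*,\s*(?:hits|score)=(-?\d+(?:\.\d+)?)"
                    r"(?:.*?\brequired=(-?\d+(?:\.\d+)?))?", re.I | re.S)

# Constructed sample: tagged as spam, with a folded X-Spam-Status header.
SPAM = ("From: sender@example.invalid\nTo: user@example.invalid\n"
        "Subject: [SPAM] constructed sample\nX-Spam-Flag: YES\n"
        "X-Spam-Status: Yes, hits=12.4 required=5.0 tests=BAYES_99,\n"
        "\tURIBL_SBL\n\nbody\n")
# Constructed sample: scored below the required level, so not tagged.
NEAR_MISS = ("From: sender@example.invalid\nTo: user@example.invalid\n"
             "Subject: constructed sample\n"
             "X-Spam-Status: No, hits=4.329 tagged_above=-999 required=6\n"
             " tests=SARE_URI_NO_THANKS, URIBL_SBL\n\nbody\n")


def sa_verdict(msg):
    """Return (is_spam, score, required); unscanned mail gives (False, None, None)."""
    status = STATUS.match(msg.get("X-Spam-Status", ""))
    score = float(status.group(2)) if status else None
    required = float(status.group(3)) if status and status.group(3) else None
    flagged = msg.get("X-Spam-Flag", "").strip().upper() == "YES"
    said_yes = bool(status) and status.group(1).lower() == "yes"
    return flagged or said_yes, score, required


def choose_mailbox(msg, inbox, spambox, local_threshold=None):
    """Pick the target mbox; local_threshold optionally routes on a stricter score."""
    is_spam, score, _ = sa_verdict(msg)
    if local_threshold is not None and score is not None:
        is_spam = is_spam or score >= local_threshold
    return spambox if is_spam else inbox


def deliver(raw, inbox, spambox, local_threshold=None):
    """Append the message to the chosen mbox under a lock; return the path used."""
    msg = message_from_string(raw)
    target = choose_mailbox(msg, inbox, spambox, local_threshold)
    box = mailbox.mbox(target)
    box.lock()
    try:
        box.add(msg)
        box.flush()
    finally:
        box.unlock()
        box.close()
    return target


def count(path):
    """Number of messages stored in the mbox at path."""
    box = mailbox.mbox(path)
    try:
        return len(box)
    finally:
        box.close()


def demo():
    """Deliver the constructed samples into a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        inbox, spambox = os.path.join(d, "inbox"), os.path.join(d, "spam")
        routed = [os.path.basename(deliver(SPAM, inbox, spambox)),
                  os.path.basename(deliver(NEAR_MISS, inbox, spambox)),
                  os.path.basename(deliver(NEAR_MISS, inbox, spambox,
                                           local_threshold=4.0))]
        return routed, (count(inbox), count(spambox))


if __name__ == "__main__":
    print(demo())
```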



delivering spam all spam to a separate mailbox.

2005-08-10 Thread Daniel Buchanan
I'm using spamassassin version 3.0.4 with postfix 2.1.4 configured to
use sendmail on mandrake 10.1.  At one point I had all spam going to a
separate address.  Later on in the day it stopped.  I'm using webmin
version 1.2.1 to manage the configs.  I have set the procmail spam
delivery to append to mbox-format mail file spam.  Spam is a valid user
on my system, but it has no shell access and it started out that way.
The system does correctly identify the spam as I get the messages in the
original destination mailbox.  I'm calling spamassassin by using the
content filter option.  Here are the relevant lines from the postfix
master.cf file:

smtp   inet   n   -   y   -   -   smtpd  -o content_filter=spamassassin
(modified this line)

spamassassin   unix   -   n   n   -   -   pipe   user=nobody argv=/usr/bin/spamc -f -e /usr/sbin/sendmail.postfix -oi -f ${sender) ${recipient}
(added this line to end of file)

I have no clue how I broke this and thus no clue on how to fix it.

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###
#
# rewrite_header Subject *SPAM*
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock

required_hits 5
rewrite_header Subject [SPAM]
report_safe 0
auto_whitelist_path /var/spool/spamassassin/auto-whitelist
auto_whitelist_file_mode 0666
dcc_home   /var/lib/dcc

(shouldn't the entry for the spam mailbox be here?) 








RE: Load balancing spamd

2005-08-10 Thread email builder
Bump.  :)  Gary, please share how you do this!  Thanks!

> > > How do you (make and) balance the calls to the AV servers?  How do you
> > > (make and) balance the calls to the spamd machines?  I am very
> > > interested in these details!
> > 
> > We just call them in order case on the connection line.  On two of the 4
> > SMTP gateways we use node 1 as the primary and node 2 as the secondary,
> > on the other two, just the opposite.  I know this is the poor man's way
> > of doing this but we are lazy and haven't made our way to using
> > something like LVS.
> 
> Please show how you do this.  :)  Please!  :)  For example, are you calling
> your AV backend with Postfix's content_filter setting?  I'm not sure if/how
> it supports more than one host?  Here is a simple one:
> 
> content_filter = amavis:[123.456.7.8]:10024
> 
> How do you point it to more than one place?
> 
> Then for SA, are you using spamc and spamd with -d and -H options to use
> DNS-based round robin load balancing?  Is the spamc in something like a
> global maildrop filter?
> 
> How are you doing these things?  I presume you are not using weighted load
> balancing?
> 
> > > We are edging up to 95K a day now on only two machines.  You can
> > > imagine we are anxious to start using the other boxes we have rarin'
> > > to go!
> > 
> > Ironically, when we first started this we had everything running on 4
> > machines and it started choking.  So, we went with the two backend ends.
> > It choked.  Then we kicked the -m from 30 to 6.  6 is a small number
> > but it seems to be working fine.  We have found for our environment that
> > 6 to 8 works well.
> 
> I've seen the same thing.  We started with a dedicated SA box and set it to
> 20 children and it just choked.  It is not a slow box, either.  There were
> comments on another thread a day ago that dedicated boxes can handle that
> many children, but our experience is that SA hums along much better at
> around the default, even on a beefy dedicated box.
> 
> > > > We recently upgraded all of the hardware to Dell Dimension 4700's
> > > > with 1.5gb ram each.  Budget was $5200.
> > > >
> > > > Machines are idle.
> > > 
> > > Sweet.  ;)
> > > 
> > 
> > And it was overall cheap
> > 
> > > Why?  Because your DNS costs to query your RBL list in Postfix is very
> > > heavy/slowing you down?  Are you going to mirror just one chosen RBL
> > > out there or a combination of several??
> > > 
> > > Do you run DCC in your SA environment?  If so, you are over their
> > > recommended limit for hosting a DCC server (we are nearing it - 100K
> > > a day I think).  Do you run a DCC server for yourself?  Any issues to
> > > be aware of?
> > > 
> > 
> > It's on the TODO list.  Item 629 I believe... :)  There are other
> > pressing items to fix/work on.  This is working great but will be
> > readdressed during the next maintenance upgrade (which is about every 90
> > days).
> 
> Please elaborate on your RBL plans (and why you decided to do it).  Thanks
> a TON!
> 






Re: Manual bayes expiration in MySQL database

2005-08-10 Thread email builder
> >> Don't expire things manually.
> >>
> >>
> >
> > 1. Why not?
> >
> > 2. On a Bayes SQL setup with multiple servers feeding/reading the db,
> > should one server be responsible for expiration or should each
> > opportunistically take care of it?
> >
> >
> I'll be more specific, don't expire things by doing the SQL commands
> yourself.
> 
> It is fine to expire manually by running sa-learn --force-expire.

Default auto_expire setting is 1, is it not?  Why do these other people cron
sa-learn to manually expire then?  What advantage does that have over
letting SA do it opportunistically (unless perhaps your server is NEVER not
busy?)??
 
Does sa-learn --force-expire need to be executed within a username context
(-u option unless you run it as the right user), or does it not care about
users?




Re: What the hell is that?

2005-08-10 Thread Justin Mason

Brett Cove writes:
> Ryan L. Sun wrote:
> > That explanation makes sense.
> > Spammers show their scripts to us, lol.
> 
> Yep, and if anyone was wondering, those ratware templates were supposed to 
> generate one of our friendly (and increasingly common) geocities links.
> 
> ex) 'http://uk.geocities.com/Freddie_Shuler/?ElxF8=US FDA approves all 
> of our'
> > 
> >  >> http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^
> >  >> %}={%ROTF:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%}

interesting! BTW this google search:
http://www.google.com/search?q=%22everydaydomain%22&filter=0
gives some more results along the same lines, including some more
inputs and outputs.  for example:

http://mail.sarai.net/pipermail/aaj-ke-naam/2005-August/005316.html :

  http://{%LOGWITHID:{%RND:.%}.{%ROTF:E:\EveryDayDomain\all01.txt%}/{
  %ROTF:E:\EveryDayDomain\GE\fold(TA).txt%}/


  {%ROTF:E:\book1done.txt%}

  {%ROTF:E:\book4done.txt%}

  {%ROTF:E:\book2done.txt%}
  %}

my notes:

- %LOGWITHID: my guess is that dumps the random data to a log file, so
  that list-washing is possible in response to bounces or domain lookups,
  even with all sorts of data scrubbed (even the URLs).

- bookNdone.txt: Project Gutenberg texts.  this results in the lines like
  'the beast of burden, which suffers blows and hunger, and works' and
  'through the little grounds, and stopped for no other purpose than to
  say, ' in
  http://lists.ucc.gu.uwa.edu.au/pipermail/ucc/2005-August/012847.html .

- A very very good way to find patterns is to figure out the "random"
  patterns.  In some other examples on that google search, and the
  example above, you can see "{%RND:.%}" producing e.g.
  "7KHq.ux", so I think  means "mixed upper, lowercase and digits
  for up to 5 chars" and  means "lowercase for up to 5 chars".

- My bet: it's the same spammer, possibly subcontracting to a few
  mail-sending guys.  He/she has been producing a *lot* of spam, and
  certainly tries to get past SpamAssassin.

- "EveryDayDomain" doesn't appear in google at all, except in similar
  broken spam.   So it's a spammer tool that's being kept very quiet (or
  else is very new).

- http://listes.tice.ac-caen.fr/pipermail/atelier12/2005-August.txt is
  an incredible collection of spam from this spammer ;)

--j.
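
The pattern-hunting idea in the notes above, as an added example that is not part of the original message: a Python scanner that finds unrendered `{%NAME:...%}` macros in headers and body, including nested macros and a macro name split by a line wrap. The macro syntax is inferred from the samples quoted in this thread; the function names and the sample message (with placeholder addresses) are constructed.

```python
"""Flag unrendered ratware template macros such as {%ROTF:...%} in mail text."""
import re
from collections import Counter
from email import message_from_string

# Opener "{%NAME:" or closer "%}" (syntax inferred from the quoted samples).
TOKEN = re.compile(r"\{%([A-Z][A-Z0-9_]*):|%\}")
# A macro name split by a hard line wrap, optionally behind "> " quote marks.
WRAPPED_NAME = re.compile(r"(\{%[A-Z0-9_]*)[ \t]*\r?\n[ \t>]*([A-Z0-9_]*:)")

# Constructed sample built from the headers and body quoted in this thread.
SAMPLE = r"""Date: {%LOGWITHID:Tue, 09 Aug 2005 06:21:42 +0600%}
From: "bobby shirley" <sender@example.invalid>
To: recipient@example.invalid
Subject: re: buffy

buffy

http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^%}={%ROT
F:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%}

Regards
"""


def find_macros(text):
    """Return (macros, unclosed): macros in closing order, each with its
    name, raw argument and nesting depth; unclosed lists openers left open."""
    text = WRAPPED_NAME.sub(r"\1\2", text)      # rejoin names broken by a wrap
    macros, stack = [], []
    for m in TOKEN.finditer(text):
        if m.group(1):                          # "{%NAME:" opens a macro
            stack.append((m.group(1), m.end()))
        elif stack:                             # "%}" closes the innermost one
            name, start = stack.pop()
            macros.append({"name": name, "arg": text[start:m.start()],
                           "depth": len(stack)})
    return macros, [name for name, _ in stack]


def scan_message(raw):
    """Scan every header and every text part of an RFC 822 message."""
    msg = message_from_string(raw)
    sources = [(name, str(value)) for name, value in msg.items()]
    for part in msg.walk():
        if not part.is_multipart() and part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            sources.append(("body", payload.decode("utf-8", "replace")))
    hits, unclosed = [], []
    for where, text in sources:
        macros, open_names = find_macros(text)
        hits += [(where, m["name"], m["arg"], m["depth"]) for m in macros]
        unclosed += open_names
    return {
        "misfire": bool(hits or unclosed),
        "hits": hits,
        "names": dict(Counter(h[1] for h in hits)),
        # ROTF arguments look like file paths on the sending machine.
        "files": sorted({h[2] for h in hits if h[1] == "ROTF"}),
        "unclosed": unclosed,
    }


if __name__ == "__main__":
    report = scan_message(SAMPLE)
    for where, name, arg, depth in report["hits"]:
        print(f"{where:8} depth={depth} {name}: {arg}")
    print("template files:", report["files"])
```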



Re: Manual bayes expiration in MySQL database

2005-08-10 Thread BQ
On 8/10/05, Bob Pierce <[EMAIL PROTECTED]> wrote:
> We're running spamassassin with a MySQL bayes database that is shared by
> 4 scanning servers.
> 
> We had been initially using the bayes auto expire option in local.cf,
> but found that this occasionally caused table corruption.
> 
> With auto expire turned off, everything works fine, but after a while
> our bayes database gets huge (~9 million records in bayes_token).
> 
> Does anybody have a good tip on how to manually expire some of those
> records from the database?

As was already said, use sa-learn --force-expire to expire the Bayes database.
On our busy servers I set this up so it's run from cron every night at
4AM. Gives pretty good results.

Cheers,

BQ


Re: What the hell is that?

2005-08-10 Thread Brett Cove

Ryan L. Sun wrote:
> That explanation makes sense.
> Spammers show their scripts to us, lol.

Yep, and if anyone was wondering, those ratware templates were supposed to
generate one of our friendly (and increasingly common) geocities links.

ex) 'http://uk.geocities.com/Freddie_Shuler/?ElxF8=US FDA approves all
of our'

-Brett

On 8/10/05, *Steve Martin* <[EMAIL PROTECTED]> wrote:


So basically, the spammer's script failed to "generate" a URL from
the "code" containing %LOGWITHID, etc. and send you the raw template
instead.

Your browser played too smart and figured out a place to go from that.

Safari just complains that it is an invalid address.

On Aug 10, 2005, at 12:21 PM, Matt Kettler wrote:

 >> http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^
 >> %}={%ROT
 >> F:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%}

--
Steve Martin  http://www.cheezmo.com/
Smart Calibration, LLC   http://www.smartcalibration.com/
The Widescreen Movie Center http://www.widemovies.com/
Letterboxed Movie TV Schedule  http://www.widemovies.com/lbx.html






Re: What the hell is that?

2005-08-10 Thread Loren Wilton



Isn't that a cute spam misfire?  Certainly shows something about how 
some of these programs work.
 
        Loren
 


Re: spamassassin --lint failed, Rules Du Jour

2005-08-10 Thread Loren Wilton
You don't say what version of SA you are running.  But from the output, it
appears that you have a recent SA version and a very old set of options in
your local.cf file.  You also have an unusably old version of Net::DNS on
your system, so net tests won't work in SA.

This problem really has nothing to do with RDJ or rulesemporium rules.
The first problem is (or should be) in local.cf, and can be fixed by
correcting the rewrite_subject line to the newer syntax.  The second problem
requires upgrading to a recent version of Net::DNS.  How you do this depends
on your system.

You should start by just opening a shell as the user SA runs under and
entering "spamassassin --lint".  This should give you the same general
output you see in the RDJ log.  If so, you can enter
"spamassassin -D --lint" and get a whole pile of output.  However, while
that may show more problems, it won't really add much useful to the lint
errors for these two cases.

Loren

- Original Message - 
From: "Andrew Markebo" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, August 10, 2005 6:25 AM
Subject: spamassassin --lint failed, Rules Du Jour


> Hello!
>
> Just started with Rules Du Jour, and added a couple of rules. When
> running rulesdujour, I get the followin messages, how do I check what
> happened and straighten it out?
>
> How do I enable debug?
>
> Complete log attached as a file.
>
> /Andy
>
>
> ***WARNING***: spamassassin --lint failed.
> Rolling configuration files back, not restarting SpamAssassin.
> Rollback command is:  mv -f
> /etc/spamassassin/70_sare_bayes_poison_nxm.cf
> /etc/spamassassin/RulesDuJour/70_sare_bayes_poison_nxm.cf.2; rm -f
> /etc/spamassassin/70_sare_bayes_poison_nxm.cf;
>
> Lint output: config: SpamAssassin failed to parse line, skipping:
> rewrite_subject 1
> config: SpamAssassin failed to parse line, skipping: subject_tag
> [SPAM]
> Net::DNS version is 0.31, but need 0.34dnsavailable-1 at
> /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Dns.pm line 1230.
> lint: 2 issues detected.  please rerun with debug enabled for more
> information.
>
>






>
>
> -- 
>  Everything that was magical was just a way of describing the world in
> words it couldn't ignore.
> - "Pyramids" by Terry Pratchett
>



Scores problems

2005-08-10 Thread Juan Machado



Hello,

I've been using SpamAssassin for years now and it seems to be that something
happened after my last OS update.

OS: RH 4
SpamAssassin ver 3.0.4
Invoking via Amavis-new

3 weeks ago when we did an OS and SA update, our users started getting 50-100
spam messages a day (we're dropping any message with a hits>6.5) ... they used
to get 1 or 0 a day.

We decided to go back to the previous version of SA to see if that fixes the
problem ... no luck.
After testing different things, I decided to increase the timeouts of SA, Razor
and Pyzor to 60. After that, it normalized a little bit to 2 to 8 non-detected
spam messages per user.

My question is about user_prefs file.

We're getting a lot of PORN messages that are not being caught by SA. The
header of these messages looks like:

X-Virus-Scanned: amavisd-new at itos.uga.edu
X-Spam-Status: No, hits=4.329 tagged_above=-999 required=6 tests=SARE_URI_NO_THANKS, URIBL_SBL
X-Spam-Level:

My question is : Should this header show more tests ? Like the one for the PORN
stuff ? The message in question should be caught by SA, NO WAY is going to pass
a good SA installation (I won't send the message to the list .. it is really
nasty)

Under /usr/share/spamassassin, I have the following files:

10_misc.cf             20_html_tests.cf     25_hashcash.cf  60_whitelist.cf
20_anti_ratware.cf     20_meta_tests.cf     25_spf.cf       languages
20_body_tests.cf       20_phrases.cf        25_uribl.cf     triplets.txt
20_compensate.cf       20_porn.cf           30_text_de.cf   user_prefs
20_dnsbl_tests.cf      20_ratware.cf        30_text_fr.cf   user_prefs.template
20_drugs.cf            20_uri_tests.cf      30_text_nl.cf
20_fake_helo_tests.cf  23_bayes.cf          30_text_pl.cf
20_head_tests.cf       25_body_tests_es.cf  50_scores.cf

user_prefs file doesn't have anything like the one I found at
http://spamassassin.apache.org/tests_3_0_x.html

Any idea ?

Thanks a lot for your help.

Juan Machado
Manager, Technology Solutions Division
ITOS - Carl Vinson Institute of Government
The University of Georgia


Re: What the hell is that?

2005-08-10 Thread Ryan L. Sun
That explanation makes sense.
Spammers show their scripts to us, lol.

On 8/10/05, Steve Martin <[EMAIL PROTECTED]> wrote:

So basically, the spammer's script failed to "generate" a URL from
the "code" containing %LOGWITHID, etc. and send you the raw template
instead.

Your browser played too smart and figured out a place to go from that.

Safari just complains that it is an invalid address.

On Aug 10, 2005, at 12:21 PM, Matt Kettler wrote:

>> http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^
>> %}={%ROT
>> F:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%}

--
Steve Martin  http://www.cheezmo.com/
Smart Calibration, LLC   http://www.smartcalibration.com/
The Widescreen Movie Center http://www.widemovies.com/
Letterboxed Movie TV Schedule  http://www.widemovies.com/lbx.html


RE: What the hell is that?

2005-08-10 Thread Chris Santerre



Google searching on terms only brings up a link to this:

 http://UF.vrv.valuehomeway.com/i7f/

 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL28542

HTH,

--Chris

  -Original Message-
  From: Ryan L. Sun [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, August 10, 2005 1:08 PM
  To: users@spamassassin.apache.org
  Subject: What the hell is that?

  Date: {%LOGWITHID:Tue, 09 Aug 2005 06:21:42 +0600%}
  From: "bobby shirley" <[EMAIL PROTECTED]>
  To: xx
  Subject: re: buffy

  buffy

  http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^%}={%ROT
  F:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%}

  Regards

  I followed the link and it goes to: http://mail.sarai.net/pipermail/aaj-ke-naam/2005-August/005327.html
  I am using firefox 1.0 on RedHat ES3


Re: What the hell is that?

2005-08-10 Thread Steve Martin
So basically, the spammer's script failed to "generate" a URL from  
the "code" containing %LOGWITHID, etc. and send you the raw template  
instead.


Your browser played too smart and figured out a place to go from that.

Safari just complains that it is an invalid address.

On Aug 10, 2005, at 12:21 PM, Matt Kettler wrote:

>> http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^
>> %}={%ROT
>> F:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%}


--
Steve Martin  http://www.cheezmo.com/
Smart Calibration, LLC   http://www.smartcalibration.com/
The Widescreen Movie Center http://www.widemovies.com/
Letterboxed Movie TV Schedule  http://www.widemovies.com/lbx.html



Re: What the hell is that?

2005-08-10 Thread Matt Kettler
Ryan L. Sun wrote:
> *Date:* {%LOGWITHID:Tue, 09 Aug 2005 06:21:42 +0600%}
> *From:* "bobby shirley" <[EMAIL PROTECTED]>
> *To:* xx
> *Subject:* re: buffy
> buffy
> 
> http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^%}={%ROT
> F:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%}
> 
> 
> Regards
> 
> I followed the link and it goes to:
> http://mail.sarai.net/pipermail/aaj-ke-naam/2005-August/005327.html
> I am using firefox 1.0 on RedHat ES3

Looks like your firefox failed to lookup "%LOGWITHID" as a hostname. After it
failed it did a web search for "%LOGWITHID" and ended up there.

For example, try doing "turkeybacon" as a destination. Firefox will fail the
lookup, do a web search (using google or whatever your default search engine is)
and jump to the first hit:

http://www.livejournal.com/userinfo.bml?user=turkeybacon


Re: Statistics for Spamassassin / Spam

2005-08-10 Thread Matt Kettler
Claude Kries wrote:
> Hi there,
> 
> it would be nice to hear of some statistical tools you are using, to
> analyze how much spam SA filtered during a period of some time.
> 
> Any out there? Maybe some generating nice HTML output or something?

There's some misc mrtg scripts out there, which use MRTG's pretty graph
generation tools.

I use MailScanner-mrtg, since I run MailScanner:
http://mailscannermrtg.sourceforge.net/

There's a lot of others out there too:
http://users.2z.net/rpuhek/scripts_public/spamd/
http://www.roads.lut.ac.uk/txt/exim-mrtg.html
http://vvv.csma.biz/apps/mrtg-spamscorer.shtml



And several that aren't mrtg based such as this text-mode analyzer:
http://david.hexstream.co.uk/linux/scripts/


What the hell is that?

2005-08-10 Thread Ryan L. Sun
Date: {%LOGWITHID:Tue, 09 Aug 2005 06:21:42 +0600%}  
From: "bobby shirley" <[EMAIL PROTECTED]> 
To: xx
Subject: re: buffy 





buffy 
 
http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^%}={%ROT 
F:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%} 
 
 
Regards

I followed the link and it goes to: http://mail.sarai.net/pipermail/aaj-ke-naam/2005-August/005327.html
I am using firefox 1.0 on RedHat ES3
 


Is there a UNIX socket test client program (a la NetCat)?

2005-08-10 Thread Herb Martin
Is there a UNIX socket test client program (a la NetCat)?

I need to test a variety of UNIX (not IP/INET) socket daemons for both
syntax and "are you running".

Is there a program that can read-write to an arbitrary Unix-type socket in a
manner similar to NetCat or Telnet?

My simple attempts to adapt the "Perl Cookbook"
Unix socket program didn't work and no one on the comp.lang.perl.misc
newsgroup has been able to offer a suggestion.

Perl code is nice but a compiled program is fine too.

I am running SpamAssassin, and a variety of other programs listening on Unix
sockets and it would help a great deal if I could interactively test such
sockets.


--
Herb Martin
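
One way to get a netcat-style probe for Unix-domain sockets, as an added Python example that is not part of the original post: it sends a payload, reads the reply, and tells a live daemon apart from a missing or stale socket file. The spamd `PING` request and the `PONG` reply checked here are assumptions about the SPAMC/SPAMD protocol, and the stub daemon is constructed so the block runs offline.

```python
"""Netcat-style probe for Unix-domain (AF_UNIX) stream sockets."""
import os
import socket
import sys
import tempfile
import threading


def unix_exchange(path, payload, timeout=5.0):
    """Send payload to the socket at path; return all bytes the daemon writes
    back until it closes the connection or the timeout expires."""
    chunks = []
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)                  # OSError if nothing is listening
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)       # half-close: tells the daemon we are done
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass                         # keep whatever arrived in time
    return b"".join(chunks)


def is_listening(path, timeout=2.0):
    """'Are you running' check: True only if a daemon accepts a connection.
    A missing file and a stale socket file both return False."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
        return True
    except OSError:
        return False


def spamd_ping(path):
    """Assumed spamd exchange: a PING request answered by a line ending in PONG."""
    reply = unix_exchange(path, b"PING SPAMC/1.2\r\n\r\n")
    first_line = reply.split(b"\r\n", 1)[0]
    return first_line.startswith(b"SPAMD/") and first_line.endswith(b"PONG")


def _stub_daemon(path, ready, connections):
    """Constructed stand-in for a daemon: serves a fixed number of connections."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(connections)
        ready.set()
        for _ in range(connections):
            conn, _addr = srv.accept()
            with conn:
                if conn.recv(4096).startswith(b"PING "):
                    conn.sendall(b"SPAMD/1.5 0 PONG\r\n")


def demo():
    """Probe a socket before, while and after the stub daemon is running."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "probe.sock")
    result = {"before": is_listening(path)}           # no socket file yet
    ready = threading.Event()
    daemon = threading.Thread(target=_stub_daemon, args=(path, ready, 3),
                              daemon=True)
    daemon.start()
    ready.wait(5)
    result["running"] = is_listening(path)            # connection 1
    result["reply"] = unix_exchange(path, b"PING SPAMC/1.2\r\n\r\n")  # 2
    result["pong"] = spamd_ping(path)                 # connection 3
    daemon.join(5)
    result["stale"] = is_listening(path)              # file left behind, no listener
    os.unlink(path)
    os.rmdir(tmpdir)
    return result


if __name__ == "__main__":
    if len(sys.argv) == 2:               # usage: probe.py /path/to/socket < request
        sys.stdout.buffer.write(unix_exchange(sys.argv[1], sys.stdin.buffer.read()))
    else:
        print(demo())
```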



Re: DCC vs Razor2

2005-08-10 Thread Clay Irving
On Tue, Aug 09, 2005 at 02:04:20PM -0400, Dr Robert Young wrote:

> We have been using Razor2 for some time on SA 3.0.4. I was recently   
> reading about DCC. We have never tried it, so I was wondering about  
> opinions as to its use. How effective is it? Should it be used with,  
> or in place of, Razor? 

DCC_CHECK is the number two or three rule hit in the spam I receive.

-- 
Clay Irving <[EMAIL PROTECTED]>
In America sex is an obsession; in other parts of the world it is a fact.
- Marlene Dietrich 


Re: When is Bulk "Bulk"

2005-08-10 Thread jdow

From: "John Rudd" <[EMAIL PROTECTED]>

On Aug 10, 2005, at 5:02 AM, JamesDR wrote:


Loren Wilton wrote:

My $.02 here...
Why doesn't he put together a nice presentation package and mail it to
them? I think I know the real reason -- it costs money. It could be
argued that sending an email costs money, but hardly the cost of putting
together a decent presentation on a few sheets of flashy/nice paper and
mailing it to prospective customers. This is a higher cost to the sender

Just to play devil's advocate here for a moment: what if his business is
website design?  What would YOU think of getting a snail mail from someone
claiming to be a genius website whiz?  What *I* would think (if I even
opened junk paper mail, which I don't) is "this guy claims to be a web whiz
and he doesn't even know about email?  I'm going to give this guy my
business?  I don't *think* so!"
And into the roundfile it would go.
Loren


True, he didn't specify what was being advertised, so it could be
anything. For argument's sake, I was thinking along the lines of
something that provided a product / service outside that of
hosting/web design. Tho the issue still remains, if his prospective
clients didn't ask to be sent info, by UCE's terms, it's spam.




And, personally, if I got a snail mail from a web designer, and it 
opened with "In order to avoid sending you spam, I'm sending you a 
one-time snail-mail flyer", I would actually respect that level of 
consideration and 'out of the box' thinking.  I would be MORE likely to 
go look up their portfolio and consider their services, than if they 
had spammed me.


The idea that I should be less interested in them just because they 
didn't email me seems to be ... rather limited thinking.


For one, if they're a decent graphic designer, their flyer will be laid 
out as well as their web pages.  If they're not a decent enough graphic 
designer to do a decent flyer layout, why do I want them working on my 
web page?


Nobody reads the credits anymore. They walk out of movies when the
credits roll. And they don't bother to see who designed the really
nice web sites they just visited. Ah well. That is likely as not
how I'd find a web designer if I had need of one.

{^_-}



Re: SA doesn't use my scores from local.cf

2005-08-10 Thread Matt Kettler
ddaasd wrote:
> Hi,
> I have a problem with SpamAssassin. I would appreciate if someone could
> help me.
> 
>  My setup is:
> 
> I’ve upgraded to SpamAssassin version 3.0.3  running on Perl version
> 5.8.0. I am using in conjunction with spamass-milter - Version 0.3.0 and
> Sendmail 8.12.11. The OS is RHEL 3.


> 
> 1)  It seems that my customized scores from
> /etc/mail/spamassasssin/local.cf don’t work.


Did you restart spamd after editing this file? In order to avoid wasting CPU
time, spamd only reads /etc/mail/spamassassin/*.cf when it starts up. It only
reads user_prefs files when it's scanning a message.

The spamassassin command line on the other hand, parses everything from scratch
as it's a new instance.
> 
> The problem is that DEAR_SOMETHING, DEAR_FRIEND etc have no effect as
> they weren’t there. Is this a parse error or I miss something? How can I
> customize my score for different tests?
> 
>  
> 2 ) The result of #spamassasin -d --lint:
> 
>  Net::DNS version is 0.31, but need 0.34dnsavailable-1 at
> /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 1230.
> 
>  What is this DNS? I think it has nothing to do with BIND…. Should I
> upgrade something?

Erm, It's DNS.. Domain Name System.. It's how names get resolved to IP
addresses, a very fundamental basic of the Internet.

SA uses a DNS module to do various RBL lookups. If you don't want to bother with
those rules you can ignore these warnings, otherwise you should try to get a
newer version of the Net::DNS perl module.

> 
> 
> 3)  I can’t use user_prefs from /home/user/.spamassassin/user_prefs
> 
>  
> 
> From the logs I see that SpamAssassin wants to write/read from
>  /root/.spamassassin/user_prefs. Why root?
> 
> I found out that the problem is that nobody has no home directory. I
> understand that. But when I run SA as root it reads from
> /root/.spamassassin/user_prefs. Shouldn’t SA read the user_prefs file of
> the recipient?

No, it shouldn't use the recipient automatically.

Consider the following:

1) SpamAssassin doesn't always know who the recipient is, as it can only guess
based on the To: header. However, what about a message that's To:
users@spamassassin.apache.org but was remailed to you by the list? There's not
always a header saying who the recipient is, since the list effectively remails
it to you as a Bcc.

2) There might be multiple recipients (think Cc:, etc).

3) The recipient might not have an account on the local box (think relaying
mailserver, or even outbound mail you sent)


SpamAssassin uses the userid that *executes* it.

Spamd uses the userid that executed spamc, or the user passed to the -u command
line of either app.

If it finds it's going to scan mail as root, it falls back to nobody for safety.


> Isn’t this the point here, to customize for every recipient different
> rules? So, why is SA stucked to /root/.spamassassin/user_prefs?

Because that's who called SA.
> 
>  
> How can I customize rules for every user?

Ditch spamass-milter. You generally can't do this with a MTA layer filter.
Instead you'll want to do it at the MDA layer (i.e. procmail)and pass the
envelope recipient to -u. Some milters might be able to do this, but they often
run into the "what to do when there's multiple recipients for the same message"
problem.

There's drawbacks and advantages to each different layer of calling SA, so while
a milter has several advantages, per-user customization is one of its
weaknesses.

Some generalities about the trade-offs of calling SA at different parts of the
mail chain. Yes there's some exceptions and variation among tools, but barring
some considerable coding cleverness, these are the limits of a straightforward
implementation at a given layer:

1) smtp-time in the MTA: (ie: milters, qmail-scanner, etc)
+can reject (properly)
+scanning is done once per message not per recipient
-inbound mail rate must be limited by a number of processes, or else system load
will explode if a rush of mail comes in all at once. (most do this using spamd
which has built-in child limiting)
-usually have very limited per-user flexibility

2) mta-queue layer (mailscanner is the only one I'm aware of):
+inbound mail can be queued quickly without waiting for SA to scan it.
+scanning can be done per-message or per recipient (with some MTA queuing options)
+bursts of high volume have little impact on system load
-sustained high volume can cause mail queue to get large (Mailscanner does shift
to emergency mode to alleviate this, but that bypasses scanning)
-somewhat limited per-user flexibility (better than with milter, but still one
SA user_prefs)
-can't reject, can only generate post-delivery bounces (bad idea), quarantine,
delete, or deliver.

3) MDA layer (ie: procmail)
+high degree of per-user flexibility, as passing -u to spamc allows separate
user_prefs
-multi-recipient messages must be re-scanned
-can't reject...

4) MUA layer (ie: called from within kmail)
+complete end-user control of scanning
-isn'

Re: When is Bulk "Bulk"

2005-08-10 Thread John Rudd


On Aug 10, 2005, at 5:02 AM, JamesDR wrote:


Loren Wilton wrote:

My $.02 here...
Why doesn't he put together a nice presentation package and mail it to
them? I think I know the real reason -- it costs money. It could be
argued that sending an email costs money, but hardly the cost of putting
together a decent presentation on a few sheets of flashy/nice paper and
mailing it to prospective customers. This is a higher cost to the sender

Just to play devil's advocate here for a moment: what if his business is
website design?  What would YOU think of getting a snail mail from someone
claiming to be a genius website whiz?  What *I* would think (if I even
opened junk paper mail, which I don't) is "this guy claims to be a web whiz
and he doesn't even know about email?  I'm going to give this guy my
business?  I don't *think* so!"
And into the roundfile it would go.
Loren


True, he didn't specify what was being advertised, so it could be
anything. For argument's sake, I was thinking along the lines of
something that provided a product / service outside that of
hosting/web design. Tho the issue still remains, if his prospective
clients didn't ask to be sent info, by UCE's terms, it's spam.




And, personally, if I got a snail mail from a web designer, and it 
opened with "In order to avoid sending you spam, I'm sending you a 
one-time snail-mail flyer", I would actually respect that level of 
consideration and 'out of the box' thinking.  I would be MORE likely to 
go look up their portfolio and consider their services, than if they 
had spammed me.


The idea that I should be less interested in them just because they 
didn't email me seems to be ... rather limited thinking.


For one, if they're a decent graphic designer, their flyer will be laid 
out as well as their web pages.  If they're not a decent enough graphic 
designer to do a decent flyer layout, why do I want them working on my 
web page?






Re: Bayes Training

2005-08-10 Thread Kris Deugau
Joe Borg wrote:
> When spam messages are not detected, my users typically forward this
> spam as an rfc822 attachment to a special account
> ([EMAIL PROTECTED]). I was then thinking of bouncing the actual
> attachment (spam) to another specific account ([EMAIL PROTECTED]),

Any reason you don't just extract the attachment and learn it?

(Or extract the attachment and stuff it into a mail folder for manual
sorting and later manual learning or periodic automated learning.)

That would avoid the (potential) mistakes, hassles, and screwups that go
along with resending a spam (and therefore replacing "correct" headers,
or adding misleading or useless headers).

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!


RE: AutoWhiteList

2005-08-10 Thread Casey King
Since waiting for a reply concerning my issue, I pulled the src.rpm off the
CD. 3.0.1 and installed it, and still the same problem... why is my
auto-whitelist file(s) not showing up?

-Original Message-
From: Casey King [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 09, 2005 3:15 PM
To: users@spamassassin.apache.org
Subject: AutoWhiteList


I seem to be at a loss.  I have installed SA 3.0.4 on two identical
machines.  Both machines are running CentOS4.1.  Other software loaded would
include:

Sendmail 8-13.4-1 (from src rpm)
Clamav 0-86 (tar file)
MailScanner 4.44.1-1 (tar)
MailWatch 1.0.1 (tar)
phpMyAdmin 2.6.3-pl1 (tar)
Webmin 1.210 (tar)

Both machines run smooth, but when I was trying to figure out what is
getting AutoWhite listed, I found that "box2" did not have:

/root/.spamassassin/auto-whitelist
/root/.spamassassin/auto-whitelist.mutex

"box1" does have:
/root/.spamassassin/auto-whitelist

"Box1" and "Box2" are being built to replace a MailScanner system already in
use.  Upon review of this system, I can see I will run into issues if I
cannot check what is being auto-whitelisted.  I do find it strange that I
installed SA the same way on both machines and have different results.  I
tried to uninstall SA from "Box 2" by using this command:

rpm -e spamassassin

I am not sure if this is the best way to uninstall SA, but I do not know of
another.  I then reinstalled it two ways:

1. rpmbuild -tb Mail-SpamAssassin-3.0.4.tar.gz
   cd to /usr/src/redhat/RPMS/i386

These three files are in this directory
   perl-Mail-SpamAssassin-3.0.4-1.i386.rpm
   spamassassin-tools-3.0.4-1.i386.rpm
   spamassassin-3.0.4-1.i386.rpm

I installed the files (first by moving the tools rpm to another directory
and then moving it back and installing it separately)

2. Through untar, I cd to the Mail-SpamAssassin-3.0.4 directory and
installed via the INSTALL file instructions.

Both ways to install were successful, but I was still unable to see any of
the files I was looking for.  I would appreciate any feedback on what I am
doing wrong and any other approaches I can take to resolve this problem.

Casey




RE: When is Bulk "Bulk"

2005-08-10 Thread Bowie Bailey
From: Greg Allen [mailto:[EMAIL PROTECTED]
> 
> But I must say, some people on the list appear to be giving their own
> personal opinion as if they are only referring to their own email inbox,
> without regard to users on their system. Maybe they are not really
> administrators of multi-user systems, I don't know. If they are
> administrating large systems I would have to wonder what secret lists they
> had developed.
> 
> But if you do manage multiple users accounts, you have to provide industry
> standard anti-spam protection without blocking on your own definition of
> "spam". Now if you are only talking your own email box, you can define
> every email except emails from your mom as spam, not much of anyone would
> give a hoot what you block in your own inbox.

The responses you get depend on the questions you ask.  If you ask "Is this
spam?", you will generally get personal opinions.  These opinions may be
quite different from the policies implemented by the corporate mail servers.

In my case, I have a very strict personal view of spam.  However, most of my
email clients are salesmen, so I have to be careful of what criteria I use
for spam.  In fact, my server does not block spam at all for most accounts.
It simply tags it and then the individual users can decide for themselves
what to do with the tagged emails.

There is also the limitation of what spam blockers can do.  A one-shot
hand-typed email with a real From address and no obfuscation would probably
not be caught by SA unless it is full of sales buzzwords and other
spam-sign.

Bowie


Re: Spamassassin and mystic generated mails..

2005-08-10 Thread List Mail User
>...
>It happens once in a while that I get mails with subjects like:
>
>Subject: Re[3]: talk thread about his pills
>
>and it contains a bunch of random char words, and lots of links to
>like "Eugene.subsidises.net" where in the Eugene varies inside the
>mail and subsidises between the mail..
>
>So is it possible to in some way sort of count links, or count links
>that are equal in domain, somewhere in spamassassin? 
>
>Or hmm a python-script.. could maybe do it.. ;-)
>
> /Andy
>
>
>The text is like (Lets hope that the one who knows doesn't skip this
>message ;-):
>
>Expe ce thr es lon gas rien 
>ee tim ger or ms Wor de shi 
>g wit hou ld Wi ppin hin 24 
>rs SP -M UR The 
>we and Saf Wa Ph 
>acy is Ne st The 
>est y of arm Inc e Yo 
>xual Des Spe ume by % reas 
>ur Se ire and rm vol 500 100 
>ural and de Eff - in con t to wel wn bra
>% Nat No Si ects tras l-kno 
>nds. Expe ce thr es lon gas 
>
>The HTML like
>
>class=3Ds19>Usu
>  http://Ivanova.homespuns.net/vcl/?theman";>class=3Ds19>se is 
>  http://Zapata.homespuns.net/vcl/?theman";>class=3Ds19>f A pil
>  http://Rempel.homespuns.net/vcl/?theman";>class=3Ds19>n Bef
>  http://Badova.homespuns.net/vcl/?theman";>
>
>-- 
>Remember don't look at the palm, look into it!
>
>

One of a group of sites selling "Sperm enhancement" snake oil.
Run by Leo Kuvayev.  Registration is false - name and address are actually
a gay escort service.  Contact emails at sent.com - a domain in the group
of fastmail.fm (Jeremy Howard) - seemingly only used by spammers.

Hope that explains it (put together the word fragments to "see"
the advertisement - this one promises increased volume - some claim for
better "taste").

Paul Shupak
[EMAIL PROTECTED]


Re: spamassassin --lint failed, Rules Du Jour

2005-08-10 Thread Andrew Markebo
Ahh

Found out how to get the debug messages, running spamassassin with
--lint and debug.. Starting to look through the messages, not found
anything yet... including them for your enjoyment..

 /Andy

/ Andrew Markebo <[EMAIL PROTECTED]> wrote:
| Hello!
|
| Just started with Rules Du Jour, and added a couple of rules. When
| running rulesdujour, I get the following messages, how do I check what
| happened and straighten it out?
|
| How do I enable debug?
|
| Complete log attached as a file.
|
| /Andy

[...]



thefile.txt.gz
Description: linted and debug.. 


-- 
 The eye of the compiler rests on the code!


Statistics for Spamassassin / Spam

2005-08-10 Thread Claude Kries

Hi there,

it would be nice to hear of some statistical tools you are using, to 
analyze how much spam SA filtered during a period of some time.


Any out there? Maybe some generating nice HTML output or something?

kind regards
claude


spamassassin --lint failed, Rules Du Jour

2005-08-10 Thread Andrew Markebo
Hello!

Just started with Rules Du Jour, and added a couple of rules. When
running rulesdujour, I get the following messages, how do I check what
happened and straighten it out?

How do I enable debug?

Complete log attached as a file.

/Andy


***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv -f
/etc/spamassassin/70_sare_bayes_poison_nxm.cf
/etc/spamassassin/RulesDuJour/70_sare_bayes_poison_nxm.cf.2; rm -f
/etc/spamassassin/70_sare_bayes_poison_nxm.cf;

Lint output: config: SpamAssassin failed to parse line, skipping:
rewrite_subject 1
config: SpamAssassin failed to parse line, skipping: subject_tag
[SPAM]
Net::DNS version is 0.31, but need 0.34dnsavailable-1 at
/usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Dns.pm line 1230.
lint: 2 issues detected.  please rerun with debug enabled for more information.



rulesdejouroutput.txt.gz
Description: The complete messagelog


-- 
 Everything that was magical was just a way of describing the world in
words it couldn't ignore.
- "Pyramids" by Terry Pratchett


Re: When is Bulk "Bulk"

2005-08-10 Thread JamesDR

Loren Wilton wrote:

My $.02 here...
Why doesn't he put together a nice presentation package and mail it to
them? I think I know the real reason -- it costs money. It could be
argued that sending an email costs money, but hardly the cost of putting
together a decent presentation on a few sheets of flashy/nice paper and
mailing it to prospective customers. This is a higher cost to the sender



Just to play devil's advocate here for a moment: what if his business is
website design?  What would YOU think of getting a snail mail from someone
claiming to be a genius website whiz?  What *I* would think (if I even
opened junk paper mail, which I don't) is "this guy claims to be a web whiz
and he doesn't even know about email?  I'm going to give this guy my
business?  I don't *think* so!"

And into the roundfile it would go.

Loren





True, he didn't specify what was being advertised, so it could be 
anything. For argument's sake, I was thinking along the lines of 
something that provided a product / service outside that of hosting/web 
design. Tho the issue still remains, if his prospective clients didn't 
ask to be sent info, by UCE's terms, it's spam.


--
Thanks,
James




SA doesn't use my scores from local.cf

2005-08-10 Thread ddaasd




Hi,
I have a problem with SpamAssassin. I would appreciate it if someone
could help me.

My setup is:
I’ve upgraded to SpamAssassin version 3.0.3 running on Perl version
5.8.0. I am using it in conjunction with spamass-milter - Version 0.3.0
and Sendmail 8.12.11.
The OS is RHEL 3.

Spamd runs as nobody.

nobody    4859     1  0 12:21 ?        00:00:00 /usr/bin/spamd -d -u nobody -c -m5 -H -s /var/log/spamd.log --siteconfigpath=/etc/mail/spamassassin --configpath=/usr/share/spamassassin
nobody    4862  4859  0 12:21 ?        00:00:00 spamd child
nobody    4863  4859  0 12:21 ?        00:00:00 spamd child
nobody    4864  4859  0 12:21 ?        00:00:00 spamd child
nobody    4865  4859  0 12:21 ?        00:00:00 spamd child
nobody    4866  4859  0 12:21 ?        00:00:00 spamd child
root      4881     1  0 12:22 ?        00:00:00 spamass-milter -p /var/run/spamass.sock -f -r 15 -b [EMAIL PROTECTED]

My problems are the following:

1) It seems that my customized scores from
/etc/mail/spamassasssin/local.cf don’t work.

Local.cf:

required_hits 4.5
rewrite_header Subject [SPAM]
report_safe 0
score DEAR_SOMETHING 4
score DEAR_FRIEND 4

This file is read by SA (I’ve seen that from spamassassin -D -u nobody).
The required_hits are also ok.
The problem is that DEAR_SOMETHING, DEAR_FRIEND etc have no effect, as if
they weren’t there. Is this a parse error or am I missing something? How
can I customize my score for different tests?

2) The result of #spamassasin -d --lint:

Net::DNS version is 0.31, but need 0.34dnsavailable-1 at
/usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/Dns.pm line 1230.

What is this DNS? I think it has nothing to do with BIND…. Should I
upgrade something?

3) I can’t use user_prefs from /home/user/.spamassassin/user_prefs

From the logs I see that SpamAssassin wants to write/read from
/root/.spamassassin/user_prefs. Why root?
I found out that the problem is that nobody has no home directory. I
understand that. But when I run SA as root it reads from
/root/.spamassassin/user_prefs. Shouldn’t SA read the user_prefs file of
the recipient?
Isn’t this the point here, to customize for every recipient different
rules? So, why is SA stuck on /root/.spamassassin/user_prefs?

How can I customize rules for every user?

Thanks a lot.

ddaas
 
 




RE: Bayes Training

2005-08-10 Thread Joe Borg
-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED] 
Sent: 10 August 2005 11:43
To: users@spamassassin.apache.org
Subject: Re: Bayes Training

> As you can see the second 'From' is the true spammer, whilst the first
> 'From' is my own reporting account. My worry here is that bayes will use
my
> reporting account as a 'shortcut'. Is there any way of avoiding this (i.e.
> can I tell bayes to ignore the first from header but not the second)?

While this isn't desirable for obvious reasons, I think in this case you
will be ok, as long as that account is used ONLY for spam.  Bayes learns
tokens, not token combinations or sequences.  As a result, it will doubtless
learn that name as a really spammy token.  But if that doesn't show up in
any ham, you should be fine.  It will just be wasting some effort learning a
token that doesn't really show up in spam or (hopefully) ham.

Loren

Hi Loren,

Thanks for the info. Will stick to my current method then :)
Joe




RE: DCC vs Razor2

2005-08-10 Thread Sander Holthaus - Orange XL
William Albert wrote:
> Dr Robert Young wrote:
> 
>> We have been using Razor2 for some time on SA 3.0.4. I was recently
>> reading about DCC. We have never tried it, so I was wondering about
>> opinions as to its use. How effective is it? Should it be used with,
>> or in place of, Razor?
> 
> SpamAssassin will use both, so there's no need to choose
> between the two unless network traffic is a major concern.

I would use both. Razor2 is more effective than DCC, but DCC seems to
generate more errors in connecting, so perhaps it could have the same
recognition rate as Razor2.
There is no guarantee that either one won't produce false positives or that
it has a 100% uptime. So using both (and perhaps even Pyzor) for me seems a
sensible thing.

Some stats for recognized spam ( >10 ) over the last 10 days:

                BAYES_99  ( 97%)
            RAZOR2_CHECK  ( 86%) <--
  RAZOR2_CF_RANGE_51_100  ( 86%) <--
            HTML_MESSAGE  ( 69%)
         DIGEST_MULTIPLE  ( 66%)
             URIBL_BLACK  ( 66%)
             PYZOR_CHECK  ( 57%) <--
          URIBL_JP_SURBL  ( 57%)
               DCC_CHECK  ( 57%) <--
               URIBL_SBL  ( 54%)
         URIBL_SC2_SURBL  ( 51%)
          URIBL_OB_SURBL  ( 51%)
          URIBL_XS_SURBL  ( 47%)

Kind Regards,
Sander Holthaus



Re: Bayes Training

2005-08-10 Thread Loren Wilton
> As you can see the second 'From' is the true spammer, whilst the first
> 'From' is my own reporting account. My worry here is that bayes will use
my
> reporting account as a 'shortcut'. Is there any way of avoiding this (i.e.
> can I tell bayes to ignore the first from header but not the second)?

While this isn't desirable for obvious reasons, I think in this case you
will be ok, as long as that account is used ONLY for spam.  Bayes learns
tokens, not token combinations or sequences.  As a result, it will doubtless
learn that name as a really spammy token.  But if that doesn't show up in
any ham, you should be fine.  It will just be wasting some effort learning a
token that doesn't really show up in spam or (hopefully) ham.

Loren



Re: Spamassassin and mystic generated mails..

2005-08-10 Thread Loren Wilton
The spamcop uri tests and URIBL are your friends here.  They will probably
catch those links and mark the thing out of consideration, unless you are
one of the unlucky few that get new links in the first few minutes.

I haven't figured out why that particular form of obfuscation is showing up
in the mails.  I think it may be a spamware misfire.  If you play around
with that you will find that you can move pieces around and form a complete
spam message.  I suspect that was text for a table obfuscation spam, but it
didn't get placed into the table.

If you look at that stuff for a few minutes a fairly obvious rule to catch
it should become apparent.

Loren


- Original Message - 
From: "Andrew Markebo" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, August 10, 2005 1:06 AM
Subject: Spamassassin and mystic generated mails..


> It happens once in a while that I get mails with subjects like:
>
> Subject: Re[3]: talk thread about his pills
>
> and it contains a bunch of random char words, and lots of links to
> like "Eugene.subsidises.net" where in the Eugene varies inside the
> mail and subsidises between the mail..
>
> So is it possible to in some way sort of count links, or count links
> that are equal in domain, somewhere in spamassassin?
>
> Or hmm a python-script.. could maybe do it.. ;-)
>
>  /Andy
>
>
> The text is like (Lets hope that the one who knows doesn't skip this
> message ;-):
>
> Expe ce thr es lon gas rien
> ee tim ger or ms Wor de shi
> g wit hou ld Wi ppin hin 24
> rs SP -M UR The
> we and Saf Wa Ph
> acy is Ne st The
> est y of arm Inc e Yo
> xual Des Spe ume by % reas
> ur Se ire and rm vol 500 100
> ural and de Eff - in con t to wel wn bra
> % Nat No Si ects tras l-kno
> nds. Expe ce thr es lon gas
>
> The HTML like
>
> class=3Ds19>Usu
>   http://Ivanova.homespuns.net/vcl/?theman";> class=3Ds19>se is 
>   http://Zapata.homespuns.net/vcl/?theman";> class=3Ds19>f A pil
>   http://Rempel.homespuns.net/vcl/?theman";> class=3Ds19>n Bef
>   http://Badova.homespuns.net/vcl/?theman";>
>
> -- 
> Remember don't look at the palm, look into it!
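
The per-domain link count asked about in this thread, as an added example that is not part of any post: it decodes a quoted-printable body, groups every link by parent domain, and reports domains reached through several different hostnames. The sample body is constructed with reserved .example hosts; the two-label parent-domain grouping and the three-host threshold are assumptions.

```python
import quopri
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample modelled on the quoted-printable HTML excerpt above,
# including a soft line break ("=" at end of line) inside one URL.
SAMPLE_BODY = b"""\
<a class=3Ds19 href=3D"http://alpha.pills.example/vcl/?theman">se is</a>
<a class=3Ds19 href=3D"http://bravo.pills.example/vcl/?theman">f A pil</a>
<a class=3Ds19 href=3D"http://charlie.pills.exam=
ple/vcl/?theman">n Bef</a>
<a class=3Ds19 href=3D"http://Delta.Pills.Example/vcl/?theman">ore</a>
<a href=3D"http://www.newsletter.example/issue/1">one</a>
<a href=3D"http://www.newsletter.example/issue/2">two</a>
"""

def parent_domain(host):
    """Last two labels of the host. Assumption: no public-suffix list is
    consulted, so names under suffixes like co.uk are grouped too coarsely."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def hosts_per_domain(body_bytes):
    """Map parent domain -> (link count, set of distinct hosts) for one body."""
    text = quopri.decodestring(body_bytes).decode("latin-1")
    links = defaultdict(int)
    hosts = defaultdict(set)
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname  # lower-cased by urlsplit
        except ValueError:  # malformed bracketed host
            continue
        if not host or re.fullmatch(r"[\d.]+", host):
            continue  # skip empty hosts and dotted-quad IP literals
        domain = parent_domain(host)
        links[domain] += 1
        hosts[domain].add(host)
    return {d: (links[d], hosts[d]) for d in links}

def rotating_domains(body_bytes, min_hosts=3):
    """Domains linked through at least min_hosts different hostnames,
    as {domain: (link count, distinct host count)}."""
    return {d: (n, len(h))
            for d, (n, h) in hosts_per_domain(body_bytes).items()
            if len(h) >= min_hosts}
```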



Bayes Training

2005-08-10 Thread Joe Borg
Hi,
I'm trying to figure out a proper way how to teach spamassassin new spam.
I'm using v. 3.04. My Setup consists of Sendmail and Spamassassin (via
procmail). Subsequently mail is retrieved by users using POP3. 

When spam messages are not detected, my users typically forward this spam as
an rfc822 attachment to a special account ([EMAIL PROTECTED]). I was
then thinking of bouncing the actual attachment (spam) to another specific
account ([EMAIL PROTECTED]), which I've setup so that mails received on
this account are learned as spam. I've also taken care of ignoring the
'ReSent' headers added in bouncing a message. My only issue now is that when
a message is bounced (I use PC Pine to bounce messages), there are two
'From' headers. Eg. 


>From [EMAIL PROTECTED]  Wed Aug 10 10:55:28 2005
Return-Path: < [EMAIL PROTECTED] >
Received: from localhost ([125.125.125.25])
by mailhost.mydomain.com (8.12.11/8.12.11) with ESMTP id
j7A8tRQt018687
for <[EMAIL PROTECTED]>; Wed, 10 Aug 2005 10:55:28 +0200
From: "Spammer Me" <[EMAIL PROTECTED]>

As you can see the second 'From' is the true spammer, whilst the first
'From' is my own reporting account. My worry here is that bayes will use my
reporting account as a 'shortcut'. Is there any way of avoiding this (i.e.
can I tell bayes to ignore the first from header but not the second)?  

Alternatively do you have any suggestions as to how I should train bayes?
Thanks,
Joe





Spamassassin and mystic generated mails..

2005-08-10 Thread Andrew Markebo
It happens once in a while that I get mails with subjects like:

Subject: Re[3]: talk thread about his pills

and it contains a bunch of random char words, and lots of links to
like "Eugene.subsidises.net" where in the Eugene varies inside the
mail and subsidises between the mail..

So is it possible to in some way sort of count links, or count links
that are equal in domain, somewhere in spamassassin? 

Or hmm a python-script.. could maybe do it.. ;-)

 /Andy


The text is like (Lets hope that the one who knows doesn't skip this
message ;-):

Expe ce thr es lon gas rien 
ee tim ger or ms Wor de shi 
g wit hou ld Wi ppin hin 24 
rs SP -M UR The 
we and Saf Wa Ph 
acy is Ne st The 
est y of arm Inc e Yo 
xual Des Spe ume by % reas 
ur Se ire and rm vol 500 100 
ural and de Eff - in con t to wel wn bra
% Nat No Si ects tras l-kno 
nds. Expe ce thr es lon gas 

The HTML like

class=3Ds19>Usu
  http://Ivanova.homespuns.net/vcl/?theman";>se is 
  http://Zapata.homespuns.net/vcl/?theman";>f A pil
  http://Rempel.homespuns.net/vcl/?theman";>n Bef
  http://Badova.homespuns.net/vcl/?theman";>