Re[2]: Pharamcudical list of words in a table

2005-09-09 Thread Robert Menschel




Hello Ilan,
 
 Tuesday, September 6, 2005, 12:07:24 AM, you wrote:
 
IA> I keep getting these kind of pharm. spam where a list of
IA> drugs and their prices is arranged in an html table. ...

IA> Obviously, the OBFU rule set is not that sophisticated.
 
Could have fooled me, since none of that spam is reaching me. 
 
However, since it is reaching others, I'd like to look at enhancing the OBFU rule set. 
 
But since none of that spam is reaching me, I have no samples to work by. 
 
If you (or anyone else) can zip a dozen or so of those spam into one package and email it to me, I'll do as Loren described, and see what patterns I can find to enhance the OBFU rule set with.  I'll then compare my ideas with Loren's, and between us we should come up with something useful. 
 
Bob Menschel
 



RE: SpamCop listing internal hotmail servers?

2005-09-09 Thread Greg Allen
I think I will just block your email address Porn guy.

Spamcop is used in SA for scoring and discussing how Spamcop works or
doesn't work for a short time could help some people with false positives.

Yea, I will shut up about Spamcop now.

Thanks



> -Original Message-
> From: Dan Hollis [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 09, 2005 7:40 PM
> To: Greg Allen
> Cc: users@spamassassin.apache.org
> Subject: RE: SpamCop listing internal hotmail servers?
>
>
> please take this penis waving offlist. this is spamassassin, not
> my-dick-is-bigger-than-your-dick.
>
>



RE: SpamCop listing internal hotmail servers?

2005-09-09 Thread Dan Hollis
please take this penis waving offlist. this is spamassassin, not 
my-dick-is-bigger-than-your-dick.


RE: SpamCop listing internal hotmail servers?

2005-09-09 Thread Greg Allen
> >
> > From where I stand, he's right on the mark.  Spamcop is run by morons,
>
> To insult other system administrators will not help to build a better
> society.

I only insulted Spamcop admins because they are idiots. Actually, I don't
even really consider it an insult. I consider an insult an untrue statement
meant to hurt someone's feelings. Since this is a true statement, and I
don't care about their feelings... well it is just a statement of fact.

If they had better accuracy standards for their service maybe it would be a
'better society'.

> spam was sent from a mail server inside our network.  On further
> investigation we discovered that one of the servers inside our network
> for which our mail gateway relay email, was poorly setup as an open
> relay and this server had indeed been used by spammers to send out
> some 2+ emails per day for a day or three.

Wow 20k a day? Hmmm... Maybe you should test your servers better before
putting them online?

>
> So I am grateful to Spamcop helping us to identify a problem that
> could cause us serious problems if it went on undetected.


So, I guess you are saying that you needed help locking down your email
servers and they helped you. That is good, but they promote themselves to be
a spam blocking service, not a free service to admins who don't know how to
lock down their servers. I am happy they were able to help you. Maybe they
are good for something. I should start referring new admins to them for free
support services.





Re: Question on TO_MALFORMED

2005-09-09 Thread Kris Deugau
[EMAIL PROTECTED] wrote:
> I had a client receive an email which was marked as a spam email.  The
> big hit on this was from the TO_MALFORMED.  This seems to be a way
> that some of these vendors/lists send out messages.  I can add them to
> a whitelist, but I thought I would just see if there is something
> better than that I can do (sorry don't use bayes here)

> To: Newsletter Subscribers,
>  Newsletter list

Short of convincing the senders to fix their To: field, there's not much
you can do to actually fix the problem.

As workarounds, you can whitelist the senders or drop the score for
TO_MALFORMED, or (if you're more ambitious) some meta rules and subrules
to reduce the score for this sender hitting TO_MALFORMED.

Given the real problem, however, I'd guess that you may occasionally see
other problems with this/these sender(s).

(For instance, you can't use whitelist_to with them, which is one
"proper" way to whitelist a mailing list.)

> *  2.3 TO_MALFORMED To: has a malformed address

Wow.  That's a big change from 2.64:

score TO_MALFORMED 0.345 0.274 0.907 0.640

-kgd
-- 
Get your mouse off of there!  You don't know where that email has been!
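
The three workarounds named in the reply above, written out as local.cf lines. This is an added example, not part of the original thread: the sender address and the LOCAL_* rule names are assumptions (the real address is redacted on this page), and -2.3 mirrors the TO_MALFORMED score shown in the quoted report.

```conf
# Added example for /etc/mail/spamassassin/local.cf.
# newsletter@example.org is a constructed placeholder address.

# Workaround 1: whitelist the sender outright.
# whitelist_from matches on the From: header alone, which a spammer can
# forge, and it triggers USER_IN_WHITELIST with a large negative score,
# so a forged From: would bypass every other rule as well.
# whitelist_from newsletter@example.org

# Workaround 2: lower TO_MALFORMED for all mail.
# This weakens the rule for every sender, not just the newsletter.
# score TO_MALFORMED 1.0

# Workaround 3: meta rule plus subrule.
# The subrule (double underscore prefix, so it carries no score of its own)
# identifies the sender; the meta rule fires only when that sender also
# hits TO_MALFORMED, and its score cancels exactly that one hit.
# A forged From: therefore gains at most 2.3 points, and only on mail
# that has a malformed To: header in the first place.
header   __LOCAL_NEWSLETTER_FROM  From =~ /\bnewsletter\@example\.org\b/i
meta     LOCAL_NEWSLETTER_TO_FIX  (__LOCAL_NEWSLETTER_FROM && TO_MALFORMED)
describe LOCAL_NEWSLETTER_TO_FIX  Known newsletter with malformed To: header
tflags   LOCAL_NEWSLETTER_TO_FIX  nice
score    LOCAL_NEWSLETTER_TO_FIX  -2.3
```

Run `spamassassin --lint` after editing local.cf to confirm the new rules parse.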


SUMMARY: Compile issues

2005-09-09 Thread Doug Hubbard
This corrected the issue, somewhere along the line the 
/usr/include/sysexits.h file had been deleted from this system. I 
replaced it with the file from one of the other Solaris 8 boxes and all 
is good again.

Thanks

David B Funk wrote:


On Thu, 8 Sep 2005, Doug Hubbard wrote:


I am trying to install Spamassassin 3.04 (finally trying to get current
from 2.63) and having a compile time issue.

I am running Solaris 8 with perl 5.8.6. and gcc 3.4.2. All other modules
that I have tried seem to build fine on this box (Apache, qpopper,
sendmail, bind)
When I attempt to run make on the SA code (after perl Makefile.PL) I get
the following error output (make has been run once, so the initial clean
output is missing, if it will help I can run a make dist clean and 
rebuild).


make -f spamc/Makefile spamc/spamc
make[1]: Entering directory `/export/builds/Mail-SpamAssassin-3.0.4'
gcc  -g -O2 spamc/spamc.c spamc/libspamc.c spamc/utils.c \


[snip..]


spamc/libspamc.c:1224: error: `EX_OSERR' undeclared (first use in this
function)
make[1]: *** [spamc/spamc] Error 1
make: *** [spamc/spamc] Error 2

I have tried googling the errors with no luck, neither could I find
anything in the FAQ, front page or the bundled Docs,
What am I missing?
Thanks.



You're missing a system include file that should define the 'sysexits'
symbols, usually "/usr/include/sysexits.h"

Brute force, try:

 find /usr/include -type f -name '*.h' -print | xargs grep EX_OSERR

see if you find anything. (Solaris may put its include files in
places other than '/usr/include', adjust accordingly).

Dave



--

*
Doug Hubbard - IT Manager
TrackMaster, an Equibase Company
email [EMAIL PROTECTED] 
Website www.trackmaster.com 
*





Question on TO_MALFORMED

2005-09-09 Thread Martin.Carnegie
Hi All,

I had a client receive an email which was marked as a spam email.  The
big hit on this was from the TO_MALFORMED.  This seems to be a way that
some of these vendors/lists send out messages.  I can add them to a
whitelist, but I thought I would just see if there is something better
than that I can do (sorry don't use bayes here)

Thanks

Microsoft Mail Internet Headers Version 2.0
Received: from atcoinss.atco.ca ([192.210.9.70]) by .atco.com with
Microsoft SMTPSVC(5.0.2195.6797);
 Thu, 8 Sep 2005 08:35:53 -0600
Received: from atcoinss.atco.ca ([192.210.5.122])
 by atcoinss.atco.ca (SMSSMTP 4.0.0.59) with SMTP id
M2005090808354707874
 ; Thu, 08 Sep 2005 08:35:47 -0600
Received: from [206.71.72.15] (helo=weccmail.wecc.biz)
by atcoinss.atco.ca with esmtp (Exim )
id 1EDNVD-0004Qu-0j; Thu, 08 Sep 2005 08:35:47 -0600
Received: from [192.168.1.206] ([192.168.1.206]) by weccmail.wecc.biz
with Microsoft SMTPSVC(6.0.3790.211);
 Thu, 8 Sep 2005 08:34:45 -0600
Mime-Version: 1.0 (Apple Message framework v734)
Content-Type: multipart/alternative; boundary=Apple-Mail-7--293489716
Message-Id: <[EMAIL PROTECTED]>
Cc: WECC Staff
From: WECC Weekly <[EMAIL PROTECTED]>
Subject: Possible Spam: WECC Weekly E-Newsletter
Date: Thu, 8 Sep 2005 08:34:41 -0600
To: Newsletter Subscribers,
 Newsletter list
X-Mailer: Apple Mail (2.734)
X-OriginalArrivalTime: 08 Sep 2005 14:34:45.0161 (UTC)
FILETIME=[75000190:01C5B482]
X-Spam-Prev-Subject: WECC Weekly E-Newsletter
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
atcoinss.atco.ca
X-Spam-Level: *
X-Spam-Status: Yes, score=5.2 required=5.0
tests=BIZ_TLD,CLICK_BELOW_CAPS,
HTML_50_60,HTML_MESSAGE,HTML_TAG_EXIST_TBODY,TO_MALFORMED 
autolearn=disabled version=3.0.4
X-Spam-Report: 
*  2.3 TO_MALFORMED To: has a malformed address
*  0.7 CLICK_BELOW_CAPS BODY: Asks you to click below (in
capital letters)
*  1.3 BIZ_TLD URI: Contains an URL in the BIZ top-level domain
*  0.2 HTML_TAG_EXIST_TBODY BODY: HTML has "tbody" tag
*  0.5 HTML_50_60 BODY: Message is 50% to 60% HTML
*  0.2 HTML_MESSAGE BODY: HTML included in message
Return-Path: [EMAIL PROTECTED]





Re: SA 3.0.4 ingnores bayes

2005-09-09 Thread Mathias Wrede
Hello James,

* JamesDR wrote:
>> All filters seem to work, except bayes. My 'local.cf' is untouched
>> (dir: /etc/mail/spamassassin) and use_bayes is set explicitly to 1.
>>
>> How can I figure out my problem?
>>
> Do a spamassassin --lint -D and look for any bayes errors/calls. Post
> back what you find.

thanks for your quick reply. I've figured out my problem by testing with
# spamassassin -t -D < spam.txt

I had to renew my database. The counter said that there was too little
material to work with (58 messages). My old data has been lost. Now,
after 'sa-learn --clear' and the renewal everything seems to be fine.
:-)

Regards
Mathias



Re: SpamCop listing internal hotmail servers?

2005-09-09 Thread Frank DeChellis DSL
>
> On Wed, Sep 07, 2005 at 07:04:39PM -0700, John Rudd wrote:
> >
> > On Sep 7, 2005, at 6:23 PM, Michele Neylon:: Blacknight.ie wrote:
> >
> > >Greg Allen wrote:
> > >>Spamcop users are idiots too. When you have end users pushing
> > >>the 'this is spam' button when they get an email that they
> > >>don't like from their own friends or family, well... you get Spamcop.
> > >
> > >That's a lovely generalisation and bears little relation to reality.
> >
> > From where I stand, he's right on the mark.  Spamcop is run by morons,
>
> To insult other system administrators will not help to build a better
> society.  I have recently received mail from Spamcop to inform me that
> spam was sent from a mail server inside our network.  On further
> investigation we discovered that one of the servers inside our network
> for which our mail gateway relay email, was poorly setup as an open
> relay and this server had indeed been used by spammers to send out
> some 2+ emails per day for a day or three.
>
> So I am grateful to Spamcop helping us to identify a problem that
> could cause us serious problems if it went on undetected.
>

Spamcop has also helped us find leaks in our system from time to time.  I
imagine that being in the business of curtailing spam also includes
identifying sources and giving the sys admins a chance to rectify problems
before listing them.

---
Frank DeChellis
Internet Access Worldwide
3 East Main Street  Welland, Ontario, Canada  L3B 3W4
905-714-1400 fax 905-732-0524
www.iaw.com
--


Re: SA 3.0.4 ingnores bayes

2005-09-09 Thread JamesDR

Mathias Wrede wrote:

Hi,

is there anybody who could give me a hint?
The facts:
- I've upgraded SA from 2.64 to 3.0.4
- SA is called by amavisd-new
- 'sa-learn --sync' is done and the sa-learn with the cyrus-mailboxes
  seems to be ok.
- 'sa-learn --backup' result is a file with more than 200.000 entries.
- 'auto-whitelist' is new in /var/spool/amavis/.spamassassin/bayes
- Should I set 'use_auto_whitelist' to 0 for testing?
- 'bayes_path' is set to '/var/spool/amavis/.spamassassin/bayes'
- Perl is used in the version 5.8.1

All filters seem to work, except bayes. My 'local.cf' is untouched
(dir: /etc/mail/spamassassin) and use_bayes is set explicitly to 1.

How can I figure out my problem?


Thanks
Mathias


Do a spamassassin --lint -D and look for any bayes errors/calls. Post 
back what you find.


--
Thanks,
JamesDR




Re: Attachement name test

2005-09-09 Thread Arthur Kerpician

Loren Wilton wrote:


This is completely untested, but something along these lines might work for
you.

header  __BOGUS_SENDER    From =~ /[EMAIL PROTECTED]/i
full    __ATTACH_HDR      /\nContent-Type\:.{0,100}\sname=\".{1,50}\.pps\"/is
meta    BLOCK_STUPID_PPS  __BOGUS_SENDER && __ATTACH_HDR
score   BLOCK_STUPID_PPS  100

Of course, if this guy is SENDING, then this means you must be using SA to
scan OUTgoing mail as well as incoming?
 

It definitely worked! The user is outside the organisation so no 
outgoing filtering is needed, just incoming.

A dot should be added before the TLD in the header test and it's fine.
Thanks Loren


SA 3.0.4 ingnores bayes

2005-09-09 Thread Mathias Wrede
Hi,

is there anybody who could give me a hint?
The facts:
- I've upgraded SA from 2.64 to 3.0.4
- SA is called by amavisd-new
- 'sa-learn --sync' is done and the sa-learn with the cyrus-mailboxes
  seems to be ok.
- 'sa-learn --backup' result is a file with more than 200.000 entries.
- 'auto-whitelist' is new in /var/spool/amavis/.spamassassin/bayes
- Should I set 'use_auto_whitelist' to 0 for testing?
- 'bayes_path' is set to '/var/spool/amavis/.spamassassin/bayes'
- Perl is used in the version 5.8.1

All filters seem to work, except bayes. My 'local.cf' is untouched
(dir: /etc/mail/spamassassin) and use_bayes is set explicitly to 1.

How can I figure out my problem?


Thanks
Mathias



Re: SpamCop listing internal hotmail servers?

2005-09-09 Thread Johann Spies
On Wed, Sep 07, 2005 at 07:04:39PM -0700, John Rudd wrote:
> 
> On Sep 7, 2005, at 6:23 PM, Michele Neylon:: Blacknight.ie wrote:
> 
> >Greg Allen wrote:
> >>Spamcop users are idiots too. When you have end users pushing
> >>the 'this is spam' button when they get an email that they
> >>don't like from their own friends or family, well... you get Spamcop.
> >
> >That's a lovely generalisation and bears little relation to reality.
> 
> From where I stand, he's right on the mark.  Spamcop is run by morons, 

To insult other system administrators will not help to build a better
society.  I have recently received mail from Spamcop to inform me that
spam was sent from a mail server inside our network.  On further
investigation we discovered that one of the servers inside our network
for which our mail gateway relay email, was poorly setup as an open
relay and this server had indeed been used by spammers to send out
some 2+ emails per day for a day or three.

So I am grateful to Spamcop helping us to identify a problem that
could cause us serious problems if it went on undetected.

Regards
Johann
-- 
Johann Spies  Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

 "Submit yourselves therefore to God. Resist the devil, 
  and he will flee from you."  James 4:7


Re: [sa-list] Re: global bayes database?

2005-09-09 Thread Dan Mahoney, System Admin

On Fri, 9 Sep 2005, Michael Parker wrote:


Oh, you want an entirely different Bayes storage module, one that
doesn't exist.  You're more than welcome to create your own, perldoc
Mail::SpamAssassin::BayesStore to get a sense of the API that you must
implement.  I'll leave the issues surrounding combining of bayes
databases as an exercise to the reader (suggest you search the archives
for previous msgs on this topic).


Interesting.  The API looks fairly straightforward.

Support for full-blown-multi-bayes isn't something I could see myself 
implementing right now, based purely on time constraints, but I don't 
think it's particularly hard.


Still, the tweak to add a call that does nspam_nham_get, and if it's less 
than the required number for effective bayes, uses the system bayes DBs 
for scanning (but not learning, if autolearn is deemed appropriate) should 
be easy enough.


I've searched the users list -- my issues with token collision are nil -- 
I'm sure everything I've got is in the "new" format since any attempts I 
made to try and get my original users stuff in crashed my systems.


I'm going to note this more for anyone else who searches this list than 
for myself -- scoring on multiple bayes counts could have disastrous 
circumstances.  Since it *has* to be read-only...


(since everyone gets the same spam -- see 
http://article.gmane.org/gmane.mail.spam.spamassassin.general/60376 )


..any admin must realize that for all they know, their user could work 
for Pfizer or SmithKline -- and you could be tagging all their legit 
workmail as bad.  Normal bayes prevents this (or forces the user to accept 
that since they don't consider the names of drugs a bad thing, they have 
to deal with the spam).


To pull an old phrase...one man's junk is another's treasure.

Still, this could be as simple as calling the bayes algorithm twice, once 
as $user, once as $system -- and maintaining a different (probably 
slightly lower) set of scores for $system.


Given, maybe the multi-bayes option should even be off by default for 
users with a good corpus (define good...200 messages?  a thousand?).


But I know that since I get more email, use pine and a shell, and 
religiously shuffle all my spam to spamassassin -r, that I'm more likely 
to have a complete corpus than those users which use outlook and have to 
rely on the automatic learning features.


Okay, I've babbled enough.

-Dan

--

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



RE: MIMEDefang/SpamAssassin deleting headers

2005-09-09 Thread Ryan McBride
If that's the case, it means it's not actually putting the headers in,
meaning SA isn't scanning it. It's just removing the headers from the
previous spam system.

Back to the drawing board :-( Thanks!!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, 9 September 2005 2:45 PM
To: users@spamassassin.apache.org
Subject: RE: MIMEDefang/SpamAssassin deleting headers

Ryan McBride wrote:
> Could anyone explain what Milter would be deleting the X-Spam-Score
> header? I had a looking in my sendmail.mc file and I couldn't find
> anything bleeding obvious in there. I'm using Fedora Core 4, Latest
> Ver of Sendmail, SpamAssassin & MIMEDefang.   

It's mimedefang

check /etc/mail/mimedefang-filter... mine has these lines
# Delete any existing X-Spam-Score header?
action_delete_header("X-Spam-Score");

These are in the "else" part of the "if spam"... prevents X-Spam-Score
headers that are already on the email as it is received from being
confused with X-Spam-Score headers that the mimedefang host would add

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer