Spamcop plugin
Hi, I am using SA 3.0.4. I was wondering if it is possible to turn off the spamcop reporting plugin without recompiling, and how? Thanks in advance
Re: SA 3.1.0-rc1 and rc2: Extra LF in headers
From: Maurice Lucas [EMAIL PROTECTED]

Hello,

I have a problem with both 3.1.0-rc1 and 3.1.0-rc2. Some of my mail is checked by SA and marked as spam but gets an extra LF, causing the rest of my tools to ignore the X-Spam-Status header field. This is a sample message; I do have more for developers. This problem isn't occurring on every email, but on a few a day.

--- Start sample ---
Received: from MUNGLED ([MUNGLED]) by MUNGLED with Microsoft SMTPSVC(6.0.3790.1830); Tue, 13 Sep 2005 00:45:20 +0200
Received: (qmail 1327 invoked from network); 12 Sep 2005 22:45:19 -
Received: from localhost by MUNGLED with SpamAssassin (version 3.1.0-rc2); Tue, 13 Sep 2005 00:45:19 +0200
Content-class: urn:content-classes:message
Subject: SPAM(43.8) Viagra letter for our subscribers
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Date: Tue, 13 Sep 2005 09:30:55 +0200
Message-ID: [EMAIL PROTECTED]
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: SPAM(43.8) Viagra letter for our subscribers
Thread-Index: AcW366dzQ7Zbq0hdSEuQ1d1ysB6ADA==
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
From: [EMAIL PROTECTED]
To: =?iso-8859-1?Q?Sjarlie_Dresm=E9?= [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on=20
 capella.taos-it.nl
X-Spam-Level: ***

THAT may explain what the mad Russian is doing with these high scoring spams. He found a hole that affects systems that use the X-Spam-Flag for something important. (I don't. I route via the spam message in the subject.) I wonder if he is ending the line with lfcrlf to create that confusion. Supposedly a lone lf not preceded by a cr is not really a newline for email. But SpamAssassin, thinking 'ix-ishly, does. If so I gotta give the guy credit for being passably clever.

{^_^} Joanne
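An added check for the symptom Maurice describes and for Joanne's LF-before-CRLF hypothesis; this is example code written for this archive, not SpamAssassin code. It finds the first blank line (where any header parser stops), counts bare LFs in the header block of a CRLF message, and lists X-Spam-* fields that ended up below that blank line. Both sample messages are constructed; the hostname is a placeholder.

```python
"""Added example (not SpamAssassin code): find header damage of the kind
described in the thread. A stray LF or blank line inside the header block
ends the headers early, so fields after it (X-Spam-Status here) are seen as
body text by strict tools. Sample messages below are constructed."""
import re

# A header-section parser stops at the first blank line, whether it is
# terminated LF LF, CRLF CRLF or a mix such as LF CRLF (Joanne's hypothesis).
TERMINATOR = re.compile(rb"\r?\n\r?\n")
HEADER_LINE = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*:")   # "Name:" at line start
LINE_SPLIT = re.compile(rb"\r?\n")


def split_headers(raw: bytes):
    """Return (header_block, terminator_bytes, body)."""
    m = TERMINATOR.search(raw)
    if not m:
        return raw, b"", b""
    return raw[:m.start()], m.group(), raw[m.end():]


def bare_lf_count(data: bytes) -> int:
    """Count LF bytes that are not preceded by CR."""
    return sum(1 for i, b in enumerate(data)
               if b == 0x0A and (i == 0 or data[i - 1] != 0x0D))


def field_names(block: bytes):
    """Field names of lines that look like headers (folded lines are skipped)."""
    return [line.split(b":", 1)[0].decode("ascii", "replace")
            for line in LINE_SPLIT.split(block) if HEADER_LINE.match(line)]


def analyse(raw: bytes) -> dict:
    head, term, body = split_headers(raw)
    uses_crlf = b"\r\n" in head
    # In a CRLF message, any bare LF up to and including the terminator is damage.
    bare = bare_lf_count(head + term) if uses_crlf else 0
    stranded = [n for n in field_names(body) if n.lower().startswith("x-spam")]
    return {
        "header_fields": field_names(head),
        "stranded_x_spam": stranded,      # X-Spam-* fields that fell into the body
        "bare_lf_in_headers": bare,
        "ok": not stranded and bare == 0,
    }


# Constructed samples modelled on the thread's headers (hostname is a placeholder).
GOOD = (b"Received: from localhost by mx.example.invalid with SpamAssassin (version 3.1.0-rc2);\r\n"
        b"\tWed, 14 Sep 2005 03:38:25 +0200\r\n"
        b"Subject: SPAM(11.5) sample\r\n"
        b"X-Spam-Flag: YES\r\n"
        b"X-Spam-Level: ***\r\n"
        b"X-Spam-Status: Yes, hits=11.5 required=7.0 tests=BAYES_00 autolearn=no\r\n"
        b"\r\n"
        b"body text\r\n")
# Same message, but the X-Spam-Level line ends in LF CRLF: a blank line appears
# one field early and X-Spam-Status is stranded in the body.
BAD = GOOD.replace(b"X-Spam-Level: ***\r\n", b"X-Spam-Level: ***\n\r\n")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, analyse(raw))
```

Run against a raw message file (`analyse(open(path, "rb").read())`), a non-empty `stranded_x_spam` list is the condition that makes downstream tools miss the header, and `bare_lf_in_headers` tells you whether the cause is the mixed line ending Joanne suspects.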
Re: local.cf ignored?
From: [EMAIL PROTECTED]

Hi,

I have a mail server with qmail, qmailscanner, fetchmail, spamassassin and clamav installed. My Linux distribution is Debian sarge. When SpamAssassin checks a mail I notice the following in the header of the mail:

X-Spam-Status: Yes, hits=10.2 required=4.0

The problem is that the content of the file /etc/mail/spamassassin/local.cf is:

rewrite_header Subject *SPAM*
required_hits 5
#rewrite_subject 1
report_header 1
report_safe 1
skip_rbl_checks 0

You can notice that the line "required_hits 5" is different from the mail checked (required=4.0). It seems that the file local.cf is ignored by SpamAssassin. How can I know which file SpamAssassin is using when it checks mails? I have already tried to force the configuration file with

spamd -C /etc/mail/spamassassin/local.cf

but nothing changes. Does anyone have any ideas?

Overridden in ~/.spamassassin/user_prefs? Are you overriding the configuration directory when you start spamd or run spamassassin? {^_^}
Re: Spam with Re[2]: or Re[4]:
Um, yes. That is not unusual for either issue. You've heard of Bcc? {^_^}

- Original Message -
From: Jeffrey N. Miller [EMAIL PROTECTED]

Got a lot of spam last night with subject lines Re[2] or [4] or [5]. Most are Cialis or sperm pill spam. Also I received one of these emails that was addressed to another user???
Re: SA 3.1.0-rc1 and rc2: Extra LF in headers
Maurice Lucas wrote:
Hello, I have a problem with both 3.1.0-rc1 and 3.1.0-rc2. Some of my mail is checked by SA and marked as spam but gets an extra LF, causing the rest of my tools to ignore the X-Spam-Status header field.

That's weird, X-Spam headers from 3.1 should be above a Received header. Does all of your mail have its X-Spam headers appended to the end of the existing headers?

Daryl
Re: Very simple user query...
From: Steve [Spamassasin] [EMAIL PROTECTED]

jdow wrote:
You do not say which version of spamassassin you are using. If it is not 3.04 an upgrade might help.

It's 3.04 - the latest stable build that's made it into Gentoo Portage.

* Is there somewhere where I can report spams which aren't caught by the default configuration in order to feed back into future improvements?

There are places to report them manually.

I'm familiar with razor-report, for example - but it is a real pain to mess about with this command line tool when all my mail is managed remotely over IMAP.

I have a strong personal bias against automating anything related to spam REPORTING. Please examine the downsides of automatic reporting before proceeding.

I absolutely do not want to report automatically - in the sense that I am adamant that I want human intervention before reporting. Conversely - given the task of establishing a remote shell; finding the correct email in maildir - and verifying it is indeed the mail I determined was a spam in my email client - followed by manually reporting it individually to each service... I'm inclined not to bother. If, for example, I had an IMAP folder into which I drop spam that my mail server should report on my behalf - then reporting would become far less of a chore.

Simple matter of coding. That is how I handle ham and spam training. I simply dunk it into ham and spam folders and let a cron job run sa-learn over the two folders. In this case you'd probably have to code up something that takes the folder apart properly, forwards the mail appropriately, then tosses it. I haven't done such a thing. But there are perl tools for reading messages via IMAP that could be used as the core of a new tool.

{^_^}
Re: SA 3.1.0-rc1 and rc2: Extra LF in headers
On Wed, 2005-09-14 at 03:17 -0400, Daryl C. W. O'Shea wrote:
Maurice Lucas wrote:
Hello, I have a problem with both 3.1.0-rc1 and 3.1.0-rc2. Some of my mail is checked by SA and marked as spam but gets an extra LF, causing the rest of my tools to ignore the X-Spam-Status header field.

That's weird, X-Spam headers from 3.1 should be above a Received header. Does all of your mail have its X-Spam headers appended to the end of the existing headers?

No and yes. Below is your message and some other spam of yesterday. The main difference is in the lines

ham:
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on MUNGLED
X-Spam-Level:

Spam:
Received: from localhost by MUNGLED with SpamAssassin (version 3.1.0-rc2); Wed, 14 Sep 2005 03:38:25 +0200

The spam mail is received by SA while the ham is only checked by

--
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 19001 invoked by alias); 14 Sep 2005 07:16:58 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 18998 invoked from network); 14 Sep 2005 07:16:58 -
Received: from unknown (HELO MUNGLED) (MUNGLED) by MUNGLED with SMTP; 14 Sep 2005 07:16:58 -
Received: (qmail 8858 invoked from network); 14 Sep 2005 07:17:22 -
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on MUNGLED
X-Spam-Level:
X-Spam-Status: No, hits=0.0 required=7.0 tests=none autolearn=no version=3.1.0-rc2
Received: from MUNLED (MUNGLED [MUNGLED]) by MUNGLED ([MUNGLED]) with ESMTP via TCP; 14 Sep 2005 07:17:22 -
Received: from MUNGLED (MUNGLED [MUNGLED]) (authenticated user MUNGLED) by MUNGLED (MUNGLED [MUNGLED]) (Cipher TLSv1:RC4-MD5:128) (MDaemon.PRO.v6.8.5.R) with ESMTP id 63-md5000118.tmp for [EMAIL PROTECTED]; Wed, 14 Sep 2005 02:17:16 -0500
Received: from [MUNGLED] ([MUNGLED]) (authenticated bits=0) by MUNGLED (8.12.8/8.12.8) with ESMTP id j8E7HEKK014456 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 14 Sep 2005 03:17:14 -0400
Message-ID: [EMAIL PROTECTED]
Date: Wed, 14 Sep 2005 03:17:13 -0400
From: Daryl C. W. O'Shea [EMAIL PROTECTED]
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Maurice Lucas
CC: Spamassassin
Subject: Re: SA 3.1.0-rc1 and rc2: Extra LF in headers
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: [EMAIL PROTECTED]
X-MDRemoteIP: MUNGLED
X-Return-Path: MUNGLED
X-MDaemon-Deliver-To: MUNGLED

- SPAM message -
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 9032 invoked by alias); 14 Sep 2005 01:38:01 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 9029 invoked from network); 14 Sep 2005 01:38:01 -
Received: from unknown (HELO MUNGLED) (MUNGLED) by MUNGLED with SMTP; 14 Sep 2005 01:38:01 -
Received: (qmail 23704 invoked from network); 14 Sep 2005 01:38:25 -
Received: from localhost by MUNGLED with SpamAssassin (version 3.1.0-rc2); Wed, 14 Sep 2005 03:38:25 +0200
From: Earline Aguilar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: SPAM(11.5) Become an employee of our company.
Date: Tue, 13 Sep 2005 10:42:16 -0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on capella.taos-it.nl
X-Spam-Level: ***
X-Spam-Status: Yes, hits=11.5 required=7.0 tests=BAYES_00=-2.599, RCVD_IN_BL_SPAMCOP_NET=1.558,RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046,RCVD_IN_WHOIS_BOGONS=2.43, RCVD_IN_WHOIS_INVALID=2.234,RCVD_IN_XBL=3.897,UNPARSEABLE_RELAY=0.001 autolearn=no version=3.1.0-rc2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_43277F11.58AE5373

With kind regards,
Maurice Lucas
RE: Spamcop plugin
Hi

Not sure what you mean by this, but if it's a true plugin then you can comment out the entry in /etc/mail/spamassassin/init.pre and restart spamd/amavis-new/MailScanner/whatever and it will disable the plugin.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

-Original Message-
From: Lefteris Tsintjelis [mailto:[EMAIL PROTECTED]
Sent: 14 September 2005 07:21
To: users@spamassassin.apache.org
Subject: Spamcop plugin

Hi, I am using SA 3.0.4. I was wondering if it is possible to turn off the spamcop reporting plugin without recompiling, and how? Thanks in advance

**
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean.
**
Re: Spamcop plugin
Hi Martin, and thanks for your reply, I mean this:

...
debug: SpamCop - sent FROM [EMAIL PROTECTED]
debug: SpamCop - received 250 sender [EMAIL PROTECTED] ok
debug: SpamCop - sent TO [EMAIL PROTECTED]
debug: SpamCop - received 250 recipient [EMAIL PROTECTED] ok
debug: SpamCop - sent DATA
debug: SpamCop - received 250 go ahead ok: Message 1357171055 accepted
debug: SpamCop - sent QUIT
debug: SpamCop - received 221 vmx1.spamcop.net
debug: SpamAssassin: spam reported to SpamCop.
...

I have just checked the init.pre and there is no such thing. Now that you mentioned it I do recall something there about SpamCop but that was, I believe, in previous releases (3.0.1 if I am not mistaken). It seems like for every SPAM report there is a forced report generated to SpamCop. Can I turn this off now that there is no such option in init.pre?

My init.pre:

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::Hashcash
loadplugin Mail::SpamAssassin::Plugin::SPF

Martin Hepworth wrote:
Hi, not sure what you mean by this, but if it's a true plugin then you can comment out the entry in /etc/mail/spamassassin/init.pre and restart spamd/amavis-new/MailScanner/whatever and it will disable the plugin.
Re: Very simple user query...
jdow wrote:
I absolutely do not want to report automatically - in the sense that I am adamant that I want human intervention before reporting. Conversely - given the task of establishing a remote shell; finding the correct email in maildir - and verifying it is indeed the mail I determined was a spam in my email client - followed by manually reporting it individually to each service... I'm inclined not to bother. If, for example, I had an IMAP folder into which I drop spam that my mail server should report on my behalf - then reporting would become far less of a chore.

Simple matter of coding. That is how I handle ham and spam training. I simply dunk it into ham and spam folders and let a cron job run sa-learn over the two folders. In this case you'd probably have to code up something that takes the folder apart properly, forwards the mail appropriately, then tosses it. I haven't done such a thing. But there are perl tools for reading messages via IMAP that could be used as the core of a new tool.

Hmmm - given that this seems such an obvious thing to want, and because I'm quite laz^H^H^Hbusy these days, I'd hoped that such a thing pre-existed. It strikes me that the best way to do this would be with a daemon which monitors the IMAP folders for user-identified spam; sa-learn and report it - then move it to the same folder as the automatically identified spam. I realise that it wouldn't be a herculean effort to implement this but I'm very reluctant to re-invent the wheel.
RE: Spamcop plugin
Hmm. Looking at the docs you can alter things like the to/from addresses etc. But there doesn't seem much of a way to turn this off. Have you tried setting the max size of these reports to zero in local.cf?

spamcop_max_report_size 0

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

-Original Message-
From: Lefteris Tsintjelis [mailto:[EMAIL PROTECTED]
Sent: 14 September 2005 09:54
To: Martin Hepworth
Cc: users@spamassassin.apache.org
Subject: Re: Spamcop plugin

Hi Martin, and thanks for your reply, I mean this: [...]

I have just checked the init.pre and there is no such thing. Now that you mentioned it I do recall something there about SpamCop but that was, I believe, in previous releases (3.0.1 if I am not mistaken). It seems like for every SPAM report there is a forced report generated to SpamCop. Can I turn this off now that there is no such option in init.pre?
Re: Spamcop plugin
Yes, I was very Hmm myself about this one... but anyway... Great idea, just tried it but it didn't work. Can I assume then that there is no proper way of turning this thing off other than hacking the code? Nothing else is mentioned about the SpamCop plugin other than those three things and googling around wasn't much help either.

Martin Hepworth wrote:
Hmm. Looking at the docs you can alter things like the to/from addresses etc. But there doesn't seem much of a way to turn this off. Have you tried setting the max size of these reports to zero in local.cf?

spamcop_max_report_size 0
Re: local.cf ignored?
Hi, I have a mail server with qmail, qmailscanner, fetchmail, spamassassin and clamav installed. My Linux distribution is Debian sarge. When SpamAssassin checks a mail I notice the following in the header of the mail:

X-Spam-Status: Yes, hits=10.2 required=4.0

The problem is that the content of the file /etc/mail/spamassassin/local.cf is:

rewrite_header Subject *SPAM*
required_hits 5
#rewrite_subject 1
report_header 1
report_safe 1
skip_rbl_checks 0

You can notice that the line "required_hits 5" is different from the mail checked (required=4.0). It seems that the file local.cf is ignored by SpamAssassin. [...]

Overridden in ~/.spamassassin/user_prefs? Are you overriding the configuration directory when you start spamd or run spamassassin? {^_^}

I can't find the ~/.spamassassin/user_prefs file anywhere. I'm sure the file does not exist.
Re: Very simple user query...
On Tuesday, 13 September 2005 22:15 Markus Eskola wrote:
Just a quick question regarding the reporting... Do you guys report all spam (including the ones that SA already caught) or only the ones that got thru the net?

All - because others may have other rules, probably not identifying this as SPAM. Imagine you get 5 points because your bayes is 100% sure, but there's no hit on DCC, razor, etc. It's good for the others to report it, so DCC and razor know it's SPAM, and therefore the next one who receives it knows for sure about it.

Currently in my setup I have 3-4 different users who move all the spam that got thru into certain folders, e.g. SPAM under IMAP. These folders are scanned, emptied and reported once a night thru a script. If someone has a more effective way, I'd appreciate a hint in the right direction.

I believe it should be done at least once per hour - so DCC and razor have it quickly detected. Otherwise, spammers have time until the night to send to a lot of servers. I currently do it in 10 minute intervals, as it doesn't really create too much load.

Regards,
zmi
--
// Michael Monnerie, Ing.BSc --- it-management Michael Monnerie
// http://zmi.at Tel: 0660/4156531 Linux 2.6.11
// PGP Key: lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952 F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879
Re: Very simple user query...
Michael Monnerie wrote:
On Tuesday, 13 September 2005 22:15 Markus Eskola wrote:
Just a quick question regarding the reporting... Do you guys report all spam (including the ones that SA already caught) or only the ones that got thru the net?

All, with no exceptions made.

I believe it should be done at least once per hour - so DCC and razor have it quickly detected. Otherwise, spammers have time until the night to send to a lot of servers. I currently do it in 10 minute intervals, as it doesn't really create too much load.

I prefer to send it immediately, which makes the updates of DCC and razor even faster. What I am not so sure of is the SpamCop reporting. It seems that it's a complete waste since the blacklist that it maintains is not getting updated by any of those reports.
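The "drop it in a folder, let a job report it" workflow that jdow, Steve, Markus and Michael describe above, as an added example written for this archive (it is not any poster's script and not SpamAssassin code). report_folder() walks a Maildir, hands each message to a reporter callable and moves reported mail into a Reported subfolder so a repeat run (cron, every 10 minutes or nightly) cannot report the same message twice; failures stay in place for the next run. The production reporter assumed here pipes the message to `spamassassin -r`; `sa-learn --spam` could be substituted the same way. The sample Maildir and its addresses are constructed.

```python
"""Added example (not the posters' scripts, not SpamAssassin code): report
user-classified spam from a Maildir folder and move it aside once reported."""
import email
import mailbox
import os
import shutil
import subprocess
import tempfile


def report_folder(maildir_path, reporter, done_folder="Reported"):
    """reporter(raw_bytes) -> bool. Returns (reported_ids, failed_ids)."""
    box = mailbox.Maildir(maildir_path, factory=None)
    try:
        done = box.get_folder(done_folder)
    except mailbox.NoSuchMailboxError:
        done = box.add_folder(done_folder)
    reported, failed = [], []
    for key in list(box.keys()):
        msg = box[key]
        mid = msg.get("Message-ID", key)
        if reporter(msg.as_bytes()):
            done.add(msg)          # keep a copy for audit, then drop it from the inbox
            box.remove(key)
            reported.append(mid)
        else:
            failed.append(mid)     # stays put; the next run retries it
    return reported, failed


def spamassassin_reporter(raw):
    """Production reporter (assumed interface): `spamassassin -r` reads the
    message on stdin and reports it; a zero exit status is treated as success."""
    proc = subprocess.run(["spamassassin", "-r"], input=raw, capture_output=True)
    return proc.returncode == 0


def build_sample_maildir(path):
    """Constructed sample: two messages a user dropped into the spam folder."""
    box = mailbox.Maildir(path, factory=None)
    ids = []
    for i, subject in enumerate(("Become an employee of our company.",
                                 "Viagra letter for our subscribers")):
        mid = f"<sample-{i}@example.invalid>"
        box.add(email.message_from_string(
            f"From: sender@example.invalid\nTo: user@example.invalid\n"
            f"Subject: {subject}\nMessage-ID: {mid}\n\nconstructed body {i}\n"))
        ids.append(mid)
    return ids


def demo(refuse_word="Viagra"):
    """Run the workflow on a throwaway Maildir with a fake reporter that refuses
    subjects containing refuse_word (simulating a failed upload).
    Returns (reported, failed, left_in_inbox, in_reported_folder)."""
    tmp = tempfile.mkdtemp()
    try:
        path = os.path.join(tmp, "Spam")   # must not pre-exist: Maildir() creates cur/new/tmp
        build_sample_maildir(path)

        def fake_reporter(raw):
            return refuse_word not in email.message_from_bytes(raw)["Subject"]

        reported, failed = report_folder(path, fake_reporter)
        box = mailbox.Maildir(path, factory=None)
        return reported, failed, len(box), len(box.get_folder("Reported"))
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
    # For real use: report_folder("/home/user/Maildir/.Spam", spamassassin_reporter)
```

Pointing a cron entry at report_folder with spamassassin_reporter gives the periodic run Michael describes; keeping the human step (the user has to move the mail into the folder) is what separates this from the blanket auto-reporting jdow warns against.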
Re: Very simple user query...
On Wednesday, 14 September 2005 14:40 Lefteris Tsintjelis wrote:
I prefer to send it immediately, which makes the updates of DCC and razor even faster.

How do you do it? Do you report back automatically every detected SPAM? That shouldn't be done, as I read from the homepage.

What I am not so sure of is the SpamCop reporting. It seems that it's a complete waste since the blacklist that it maintains is not getting updated by any of those reports.

AFAIK, spamcop sends e-mail to the admins responsible for that IP, and so it should help that ISPs get reports of zombies, relays, and so on. It fights on another level, but that one should be quite effective.

Regards,
zmi
Re: Very simple user query...
On Tuesday 13 Sep 2005 21:15, Markus Eskola wrote:
[...]
Just a quick question regarding the reporting... Do you guys report all spam (including the ones that SA already caught) or only the ones that got thru the net? Currently in my setup I have 3-4 different users who move all the spam that got thru into certain folders, e.g. SPAM under IMAP. These folders are scanned, emptied and reported once a night thru a script. If someone has a more effective way, I'd appreciate a hint in the right direction.

Most of it (5.0 <= score <= 30.0) gets LARTed by a java program that goes through the confirmed spam IMAP folder to the contacts.abuse.net addresses for the IP address that sent to my MX, SpamCop and is also posted to NANAS. If it scores over 30 it hits a discard ACL in exim. Anything that sneaks through under 5.0 or went to a role account is also singled out for extra vindictiveness and LARTed manually to anything SpamTool missed, and whois data checked very carefully for RFCI whois eligibility (and a WDPRS report).

Oh, and I have a patched Mail::SpamAssassin::Plugin::URIDNSBL to pass the domain names scanned over UDP to another listening application that tests for missing entries in RFCI bogusmx and automatically sends the submission by email. It also sends BCCs to postmaster@ and abuse@ so that victims of friendly fire (through inadvertently using a CNAME for their MX rather than deliberately registering 127.0.0.1) can get unlisted.

--
Rob Skedgell [EMAIL PROTECTED]
RE: HTML Spam messages with float tag ?
From: Brian Ipsen

The number of messages like below has increased. Unfortunately, they are not reported to SpamCop fast enough for SURBL to handle them. Has anyone created some sort of filter to identify this type of message?

<STYLE></STYLE></HEAD>
<BODY bgColor=#ff>
<DIV>&nbsp;</DIV>
<DIV><A href=link>link to site</A></DIV>
<DIV>&nbsp;</DIV>
<DIV style=FLOAT: left;><FONT face=Courier>Me<BR>Xa<BR>Ul<BR>Am<BR><STRONG>Ci</STRONG><BR>Le<BR><STRONG>Va </STRONG><BR>Pr<BR><STRONG>Vi</STRONG><BR>Ce</FONT></DIV>
<DIV style=FLOAT: left;><FONT face=Courier>ri<BR>na<BR>tr<BR>bi<BR><STRONG>al</STRONG><BR>vi<BR><STRONG>li </STRONG><BR>op<BR><STRONG>ag</STRONG><BR>le</FONT></DIV>
<DIV style=FLOAT: left;><FONT face=Courier>di<BR>x<BR>am<BR>en<BR><STRONG>is</STRONG><BR>tr<BR><STRONG>um </STRONG><BR>ec<BR><STRONG>ra</STRONG><BR>br</FONT></DIV>
<DIV style=FLOAT: left;><FONT face=Courier>a<BR><BR><BR><BR>&nbsp;1.<BR>a<BR>&nbsp;3.<BR>ia<BR>&nbsp;3.<BR> ex</FONT></DIV>
<DIV style=FLOAT: left;><FONT face=Courier><BR><BR><BR><BR>21<BR><BR>75<BR><BR>33<BR></FONT></DIV>
</BODY></HTML>

I just did this:

rawbody BUC_FLOAT /DIV style=FLOAT:/
score BUC_FLOAT 1

I scored it at 1 because I wasn't sure about false positives. The blacklists and SURBL catch most of them now, so I never bothered to up the score. I haven't done any detailed research, but I do notice that all but one of the mails that hit this rule in the last week also hit URIBL_SBL or one of the SURBL rules, so it doesn't seem to produce too many false positives (at least in my environment).

Bowie
Re: HTML Spam messages with float tag ?
Hi Brian,

Look for the thread about the Pharmaceutical list of words in a table. See: http://www.gossamer-threads.com/lists/spamassassin/users/59435?page=last

All these messages are probably coming from one evil source. Some say it's a guy called Leo Kuvayev and he keeps changing the messages and trying to fool SA. You really should include SARE_OBFU and SARE_HTML (in http://www.rulesemporium.com/). I see that these rule files score some points on Leo's messages. But most of the points are from all the network checks.

I also added my own personal rule to increase the total score on these tables:

# This one adopted from sare_html:
rawbody IA_HTML_MANY_BR /br.{0,10}br.{0,10}br.{0,10}br.{0,10}br/i
describe IA_HTML_MANY_BR Tooo many close br's!
score IA_HTML_MANY_BR 0.500

On 9/14/05, Brian Ipsen [EMAIL PROTECTED] wrote:
Hi, The number of messages like below has increased. Unfortunately, they are not reported to SpamCop fast enough for SURBL to handle them. Has anyone created some sort of filter to identify this type of message? [...]
Regards,
/Brian

--
Ilan Aisic
Registered Linux User 8124 http://counter.li.org
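An added example (not part of the thread, not SpamAssassin itself): a minimal evaluator for the rawbody/score/describe lines Bowie and Ilan posted, so candidate rules can be tried against sample bodies before they go into local.cf and their false-positive behaviour checked the way Bowie wonders about. It applies each pattern to the whole raw body as one string, which is a simplification of SpamAssassin's own rawbody evaluation. The two HTML bodies are constructed: one modelled on the quoted spam, one a plausible newsletter that also uses floated DIVs.

```python
"""Added example: parse local.cf-style rawbody/score/describe lines and run
them over raw message bodies. Not SpamAssassin code; the rule syntax handled
is only the subset used in the thread."""
import re

RULE_LINE = re.compile(r"^(rawbody|score|describe)\s+(\S+)\s+(.*)$")
REGEX_LITERAL = re.compile(r"^/(.*)/([a-z]*)$")


def load_rules(cf_text):
    """Return {rule_name: {"pattern": compiled regex, "score": float, "describe": str}}.
    Unscored rules get SpamAssassin's default of 1.0."""
    rules = {}
    for line in cf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue                      # other directives are ignored here
        kind, name, rest = m.groups()
        rule = rules.setdefault(name, {"pattern": None, "score": 1.0, "describe": ""})
        if kind == "rawbody":
            lit = REGEX_LITERAL.match(rest)
            if not lit:
                raise ValueError(f"{name}: expected /regex/flags, got {rest!r}")
            flags = re.I if "i" in lit.group(2) else 0
            rule["pattern"] = re.compile(lit.group(1), flags)
        elif kind == "score":
            rule["score"] = float(rest.split()[0])   # first of up to four scores
        else:
            rule["describe"] = rest
    return rules


def scan(rules, raw_body):
    """Return ({rule_name: score} for rules that matched, total score)."""
    hits = {name: r["score"] for name, r in rules.items()
            if r["pattern"] is not None and r["pattern"].search(raw_body)}
    return hits, round(sum(hits.values()), 3)


# The two rules from the thread, verbatim.
LOCAL_CF = """
rawbody BUC_FLOAT /DIV style=FLOAT:/
score BUC_FLOAT 1
# This one adopted from sare_html:
rawbody IA_HTML_MANY_BR /br.{0,10}br.{0,10}br.{0,10}br.{0,10}br/i
describe IA_HTML_MANY_BR Tooo many close br's!
score IA_HTML_MANY_BR 0.500
"""

# Constructed body modelled on the quoted spam: word fragments in floated columns.
SPAM_SAMPLE = """<HTML><BODY bgColor=#ffffff><DIV>&nbsp;</DIV>
<DIV><A href=http://example.invalid/>link to site</A></DIV>
<DIV style=FLOAT: left;><FONT face=Courier>Me<BR>Xa<BR>Ul<BR>Am<BR><STRONG>Ci</STRONG><BR>Le</FONT></DIV>
<DIV style=FLOAT: left;><FONT face=Courier>a<BR><BR><BR><BR>&nbsp;1.<BR>a<BR>&nbsp;3.<BR>ia</FONT></DIV>
</BODY></HTML>"""

# Constructed legitimate newsletter that also floats a DIV: hits BUC_FLOAT only.
HAM_SAMPLE = """<HTML><BODY><DIV style=FLOAT: left;><FONT face=Courier>Weekly digest</FONT></DIV>
<DIV>Dear subscriber,<BR>this week's agenda is attached.<BR>Regards, the editors</DIV></BODY></HTML>"""

if __name__ == "__main__":
    rules = load_rules(LOCAL_CF)
    for label, body in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        print(label, scan(rules, body))
```

Running both bodies shows why Bowie kept the score at 1: any page laid out with floated DIVs trips BUC_FLOAT, and only the fragment columns additionally trip IA_HTML_MANY_BR. Note that Ilan's pattern has no angle brackets, so `br` also matches inside words such as "brochure" when several fall within ten characters of each other; that is worth keeping in mind before raising its score.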
Re: Very simple user query...
I prefer to send it immediately, which makes the updates of DCC and razor even faster.

How do you do it? Do you report back automatically every detected SPAM? That shouldn't be done, as I read from the homepage.

Not out of the box, I agree with that. I am using 3 threshold levels and tested, trained and fine-tuned the whole system for a while before I turned on the auto reporting. Everything above a level is auto reported with a hit rate of 99.99%. I use a dedicated machine to redirect, report and hold that SPAM for a while, for this job only. Everything in the middle I pass through a couple of scripts, analyze it, and what is left of it (not really much) I manually report or take action against so that it does not enter the site again, but that depends on the case. Did I also mention the use of quite a few SPAM traps and grey listing (both are very effective).

What I am not so sure of is the SpamCop reporting. It seems that it's a complete waste since the blacklist that it maintains is not getting updated by any of those reports.

AFAIK, spamcop sends e-mail to the admins responsible for that IP, and so it should help that ISPs get reports of zombies, relays, and so on. It fights on another level, but that one should be quite effective.

Only if you are a registered (paid) user, then it is definitely worth reporting and things are listed relatively fast (I have a few objections to the exceptions he is making in favor of a large and pretty well known site, SPAM is SPAM no matter where it comes from) but I guess overall, it's as you say it is. If you are not a registered user though, IMHO, then it's a waste of resources.
Re: Very simple user query...
On Wednesday, 14 September 2005 16:12 Lefteris Tsintjelis wrote:
Did I also mention the use of quite a few SPAM traps and grey listing (both are very effective).

Oh I love those, too *beg*

Only if you are a registered (paid) user, then it is definitely worth reporting and things are listed relatively fast (I have a few objections to the exceptions he is making in favor of a large and pretty well known site, SPAM is SPAM no matter where it comes from) but I guess overall, it's as you say it is. If you are not a registered user though, IMHO, then it's a waste of resources.

I registered, but do not pay. I just changed my script to use spamassassin and not sa-learn, now it reports to spamcop too. The problem is, I get a mail per reported mail, where I have to click on a link and press confirm on that page - annoying. Anybody got an idea how to prevent that confirmation?

Regards,
zmi
Re: OT Spam sources
On Wednesday, 14 September 2005 16:03 DAve wrote:
the robots are just not smart enough to know that our forms don't work the way they suspect.

Maybe rename the script? Could be there's a script of that name which is vulnerable...

Regards,
zmi
Re: Very simple user query...
Anybody got an idea how to prevent that confirmation?

Use spamcop_to_address quick. instead of submit. but that's something you have to activate. The site has further info about this.
testing spamassassin
I have a corpus of email and have been trying to get good metrics on it. I have run the messages through with spamassassin -t, but this only adds stuff onto the ends of all of my messages. Is there any way to get a summary of the test, i.e. how many are spam, how many are ham, average score, and so forth? Or even have it separate my messages into different folders? I know this is a newbie-ish question but I am indeed a newbie. I am running spamassassin version 3.0.4-1.fc4 on Red Hat Fedora Core 4 with amavisd-new and clam-av. Thanks in advance for any help you can provide.
Re: testing spamassassin
Steven Lamb wrote:
I have a corpus of email and have been trying to get good metrics on it. I have run the messages through with spamassassin -t, but this only adds stuff onto the ends of all of my messages. Is there any way to get a summary of the test, i.e. how many are spam, how many are ham, average score, and so forth? Or even have it separate my messages into different folders? I know this is a newbie-ish question but I am indeed a newbie.

If you unpack the source tarball, there's a directory called masses. This contains the tools used by the developers to perform mass-checks. You'll want to use mass-check first.

http://wiki.apache.org/spamassassin/MassCheck

From there, feed the spam.log and ham.log files to hit-frequencies, which will generate a table just like the STATISTICS-*.txt files that come with SA (check the rules subdir of the tarball).

http://wiki.apache.org/spamassassin/HitFrequencies
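For a corpus that has already been run through `spamassassin -t` (Steven's situation), an added example that is not part of the thread or of SpamAssassin: it parses the X-Spam-Status header SA adds, in both the 3.0 `hits=` and the 3.1 `score=` form, and produces the summary asked for: spam/ham counts, mean score and per-rule hit counts, a lighter alternative to mass-check for a corpus that is already scored. It also records every `required=` value seen, which makes the threshold mismatch from the "local.cf ignored?" thread visible across a whole corpus. The sample messages are constructed; `read_mbox` assumes the scanned corpus is in mbox format.

```python
"""Added example: summarize X-Spam-Status headers over a scanned corpus.
Not SpamAssassin code. Sample messages are constructed, modelled on headers
quoted elsewhere in this archive."""
import email
import mailbox
import re
import statistics
from collections import Counter

# Matches both the 3.0 form "hits=" and the 3.1 form "score=".
STATUS_RE = re.compile(
    r"^(Yes|No),\s+(?:hits|score)=(-?[\d.]+)\s+required=(-?[\d.]+)"
    r"(?:\s+tests=(.*?))?(?:\s+autolearn=(\S+))?(?:\s+version=(\S+))?\s*$",
    re.I,
)


def parse_status(value):
    """Parse one X-Spam-Status value; None if the header is absent or malformed."""
    if not value:
        return None
    m = STATUS_RE.match(" ".join(value.split()))   # unfold continuation lines
    if not m:
        return None
    flag, score, required, tests, autolearn, version = m.groups()
    rule_scores = {}
    if tests and tests.lower() != "none":
        for item in tests.split(","):
            name, _, sc = item.strip().partition("=")
            if name:
                rule_scores[name] = float(sc) if sc else None
    return {"spam": flag.lower() == "yes", "score": float(score),
            "required": float(required), "tests": rule_scores,
            "autolearn": autolearn, "version": version}


def summarize(messages, expected_required=None):
    """messages: iterable of email.message.Message objects already scanned by SA."""
    scores, counts = [], Counter()
    hits, required_seen = Counter(), Counter()
    for msg in messages:
        st = parse_status(msg.get("X-Spam-Status"))
        if st is None:
            counts["unscored"] += 1
            continue
        counts["spam" if st["spam"] else "ham"] += 1
        scores.append(st["score"])
        required_seen[st["required"]] += 1
        hits.update(st["tests"].keys())     # count rule names, not their scores
    return {
        "spam": counts["spam"], "ham": counts["ham"], "unscored": counts["unscored"],
        "mean_score": round(statistics.mean(scores), 2) if scores else None,
        "hit_frequencies": dict(hits.most_common()),
        "required_seen": dict(required_seen),
        # True when some message was scored against a threshold other than the
        # one you configured: the symptom in the "local.cf ignored?" thread.
        "threshold_mismatch": expected_required is not None
            and any(r != expected_required for r in required_seen),
    }


def read_mbox(path):
    """Yield messages from an mbox file, e.g. the output of `spamassassin -t`."""
    yield from mailbox.mbox(path)


SAMPLE = [  # constructed
    "Subject: a\nX-Spam-Status: Yes, hits=11.5 required=7.0 tests=BAYES_00=-2.599,\n"
    "\tRCVD_IN_XBL=3.897,UNPARSEABLE_RELAY=0.001 autolearn=no version=3.1.0-rc2\n\nbody\n",
    "Subject: b\nX-Spam-Status: No, hits=0.0 required=7.0 tests=none autolearn=no version=3.1.0-rc2\n\nbody\n",
    "Subject: c\nX-Spam-Status: Yes, hits=10.2 required=4.0\n\nbody\n",
    "Subject: d\n\nnever scanned\n",
]


def sample_messages():
    return [email.message_from_string(s) for s in SAMPLE]


if __name__ == "__main__":
    print(summarize(sample_messages(), expected_required=5.0))
    # Real corpus: print(summarize(read_mbox("scanned.mbox"), expected_required=5.0))
```

The `unscored` count catches messages the scan never reached, and a `required_seen` dict with more than one key (or one that differs from your local.cf) means some messages were scored under a different configuration, typically a per-user user_prefs or a different rules directory, exactly the question asked in the "local.cf ignored?" thread.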
Re: OT Spam sources
the robots are just not smart enough to know that our forms don't work the way they suspect.

Maybe rename the script? Could be there's a script of that name which is vulnerable...

All our forms have odd names, we did that when the first Formmail.pl attacks showed up years ago.

This sounds a lot like the spamming attempts I've been seeing. They seem to go something like this:

* Attacker finds a form. I'm not sure if they use either a search engine or just random crawls of some sort. I'm thinking the latter; when I first saw it, it was on the servers at work (I'm the admin for a small web development/hosting firm) and the attempts came on sites on the same IP address (consecutive IPs at that, on two different servers; other sites on other IPs in another subnet were unaffected). Later, I saw a similar attempt on my personal site, hosted on my own server somewhere else entirely. I should note that not all of these forms had common mail form names; the one on my personal site was feedback.php, which could've just as easily submitted to the recipient via some other method, not just email. When I looked at the Apache logs for how they got to the feedback form, they hit the index of the site first and followed a path almost directly to the feedback form, leading me to think they're crawling and looking for a wider variety of form name possibilities than you might think.

* Attacker submits the form with all the fields filled in with random addresses (gibberish usernames followed by the domain of the site), and some fields (that seem to indicate they'd be inserted into From:, To:, or Subject: lines) with additional header lines and MIME message separators. They don't seem to do much with this at first; from what I saw, they supply a drop account email somewhere in there to test if it worked...

* If the attacker received one of the messages to the drop account, they start using the form in a more direct spam-like way, supplying Bcc: addresses in the headers that do go to legitimate addresses. The messages still look like crap, depending on the original form and what it does.

That's as far as it escalated when I observed it. It was at that point that we caught the vulnerability in the form script used on the sites at work and plugged the holes. (I didn't write it, BTW; the one on my personal site only got a message to me.)

Here's a couple of things I did from the server side as a first line of defense to stop this:

* All the attempts came from proxy servers. Well, I'll assume they were proxy servers and not individuals all around the world collaborating on the attacks! I installed an Apache module that would do RBL lookups (configurable, I use opn.blitzed.org) and deny based on a positive match. I'm sure the attacker's (or attackers') proxy list is fresher than the RBLs, but I just wanted to add enough stumbling blocks to deter the current and future attackers.

* All the attempts came in with blank user agent strings. This is more of a stretch (as I discovered), but I started denying requests with blank user agents. PHP's functions that open URLs as files don't send user agent strings either, so be careful with this one if anything on your server will be accessed that way. Attackers could just as easily extend their tools to use random user agent strings.

Hope this helps. I'd really love to track down the tool these attackers are using, but my hat isn't black enough for that.
Re: SA 3.1.0-rc1 and rc2: Extra LF in headers
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I'd suggest opening a bug, and *attaching* some samples, without munging them. It's quite hard to figure out what's going on when half of the key parts of the messages have been obfuscated.

- --j.

M. Lucas writes:
On Wed, 2005-09-14 at 03:17 -0400, Daryl C. W. O'Shea wrote:
Maurice Lucas wrote:
Hello, I have a problem with both 3.1.0-rc1 and 3.1.0-rc2. Some of my mail is checked by SA and marked as spam but gets an extra LF causing the rest of my tools to ignore the X-Spam-Status header field.

That's weird, X-Spam headers from 3.1 should be above a received header. Does all of your mail have its X-Spam headers appended to the end of the existing headers?

No and yes, below is your message and some other spam of yesterday. The main difference is in the lines

ham:
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on MUNGLED
X-Spam-Level:

Spam:
Received: from localhost by MUNGLED with SpamAssassin (version 3.1.0-rc2); Wed, 14 Sep 2005 03:38:25 +0200

The spam mail is received by SA while the ham is only checked by

--
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 19001 invoked by alias); 14 Sep 2005 07:16:58 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 18998 invoked from network); 14 Sep 2005 07:16:58 -
Received: from unknown (HELO MUNGLED) (MUNGLED) by MUNGLED with SMTP; 14 Sep 2005 07:16:58 -
Received: (qmail 8858 invoked from network); 14 Sep 2005 07:17:22 -
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on MUNGLED
X-Spam-Level:
X-Spam-Status: No, hits=0.0 required=7.0 tests=none autolearn=no version=3.1.0-rc2
Received: from MUNLED (MUNGLED [MUNGLED]) by MUNGLED ([MUNGLED]) with ESMTP via TCP; 14 Sep 2005 07:17:22 -
Received: from MUNGLED (MUNGLED [MUNGLED]) (authenticated user MUNGLED) by MUNGLED (MUNGLED [MUNGLED]) (Cipher TLSv1:RC4-MD5:128) (MDaemon.PRO.v6.8.5.R) with ESMTP id 63-md5000118.tmp for [EMAIL PROTECTED]; Wed, 14 Sep 2005 02:17:16 -0500
Received: from [MUNGLED] ([MUNGLED]) (authenticated bits=0) by MUNGLED (8.12.8/8.12.8) with ESMTP id j8E7HEKK014456 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 14 Sep 2005 03:17:14 -0400
Message-ID: [EMAIL PROTECTED]
Date: Wed, 14 Sep 2005 03:17:13 -0400
From: Daryl C. W. O'Shea [EMAIL PROTECTED]
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Maurice Lucas
CC: Spamassassin
Subject: Re: SA 3.1.0-rc1 and rc2: Extra LF in headers
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: [EMAIL PROTECTED]
X-MDRemoteIP: MUNGLED
X-Return-Path: MUNGLED
X-MDaemon-Deliver-To: MUNGLED

- SPAM message -
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 9032 invoked by alias); 14 Sep 2005 01:38:01 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 9029 invoked from network); 14 Sep 2005 01:38:01 -
Received: from unknown (HELO MUNGLED) (MUNGLED) by MUNGLED with SMTP; 14 Sep 2005 01:38:01 -
Received: (qmail 23704 invoked from network); 14 Sep 2005 01:38:25 -
Received: from localhost by MUNGLED with SpamAssassin (version 3.1.0-rc2); Wed, 14 Sep 2005 03:38:25 +0200
From: Earline Aguilar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: SPAM(11.5) Become an employee of our company.
Date: Tue, 13 Sep 2005 10:42:16 -0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0-rc2 (2005-08-27) on capella.taos-it.nl
X-Spam-Level: ***
X-Spam-Status: Yes, hits=11.5 required=7.0 tests=BAYES_00=-2.599, RCVD_IN_BL_SPAMCOP_NET=1.558,RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SORBS_DUL=2.046,RCVD_IN_WHOIS_BOGONS=2.43, RCVD_IN_WHOIS_INVALID=2.234,RCVD_IN_XBL=3.897,UNPARSEABLE_RELAY=0.001 autolearn=no version=3.1.0-rc2
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_43277F11.58AE5373

With kind regards, Maurice Lucas

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFDKE3oMJF5cimLx9ARAgyrAJ0RBa/RLoTVUgJUFKvLYle7UWZaAACfXfUK
j1vnBhLxYAtrCoqULhUPMJE=
=Dn1O
-END PGP SIGNATURE-
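Added example, not from this thread: a Python header-block parser that reports exactly the failure Maurice describes. An RFC 2822 continuation line must begin with whitespace; a bare LF inside X-Spam-Status leaves a line that is neither a fold nor a `Name: value` field, so downstream tools see a truncated header. The two header blocks below are constructed (hostnames and addresses are placeholders modelled on the quoted samples), and the `version=` check is a heuristic I chose because SpamAssassin puts that token at the end of X-Spam-Status.

```python
import re

# RFC 2822 field names: printable US-ASCII except the colon. Obsolete syntax
# (whitespace before the colon) is deliberately not handled.
FIELD = re.compile(r'^([!-9;-~]+):[ \t]?(.*)$')

# Constructed samples modelled on the quoted headers; hosts and addresses are
# placeholders. BROKEN has the bare LF inside X-Spam-Status that the thread
# describes: the second half lacks the leading whitespace of a folded line.
BROKEN = """\
Received: (qmail 23704 invoked from network); 14 Sep 2005 01:38:25 -0000
Received: from localhost by mx.example.invalid with SpamAssassin (version 3.1.0-rc2);
\tWed, 14 Sep 2005 03:38:25 +0200
From: sender@example.invalid
Subject: SPAM(11.5) constructed sample
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=11.5 required=7.0 tests=BAYES_00=-2.599,
RCVD_IN_XBL=3.897 autolearn=no version=3.1.0-rc2
MIME-Version: 1.0
"""

FIXED = BROKEN.replace("\nRCVD_IN_XBL", "\n\tRCVD_IN_XBL")   # properly folded


def parse_headers(raw):
    """Return ([(name, value)], [(lineno, text)]) for a header block.

    Folded lines (leading whitespace) are joined to the previous field. A line
    that is neither a fold nor 'Name: value' is reported as an orphan: that is
    what an extra LF leaves behind, and why tools stop at a truncated
    X-Spam-Status.
    """
    headers, orphans = [], []
    for lineno, line in enumerate(raw.splitlines(), 1):
        if not line:
            break                                   # blank line ends the block
        if line[0] in ' \t' and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + ' ' + line.strip())
            continue
        m = FIELD.match(line)
        if m:
            headers.append((m.group(1), m.group(2)))
        else:
            orphans.append((lineno, line))
    return headers, orphans


def audit_spam_headers(raw):
    """Where the X-Spam-* headers sit and whether X-Spam-Status survived intact.

    SpamAssassin ends X-Spam-Status with a version=... token, so its absence
    is used here as the sign of a truncated header (a heuristic I chose).
    """
    headers, orphans = parse_headers(raw)
    names = [n.lower() for n, _ in headers]
    status = next((v for n, v in headers if n.lower() == 'x-spam-status'), None)
    x_spam = [i for i, n in enumerate(names) if n.startswith('x-spam-')]
    received = [i for i, n in enumerate(names) if n == 'received']
    return {
        'orphans': orphans,
        'status_complete': status is not None and 'version=' in status,
        'first_x_spam': x_spam[0] if x_spam else None,
        'last_received': received[-1] if received else None,
    }


if __name__ == '__main__':
    for label, block in (('broken', BROKEN), ('fixed', FIXED)):
        print(label, audit_spam_headers(block))
```

Running this over a batch of delivered messages gives a quick count of how many X-Spam-Status headers arrived split, and the `first_x_spam` / `last_received` indices show whether the markup landed at the top of the block or after the existing headers, which is what Daryl was asking about.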
RE: Scanning outgoing email
We're in the need of checking parts of our outgoing email for spam (read: we've got unknown webmail users.. huge lots of them, actually.. and some of them have this annoying habit of sending Nigeria spam) My question is how to get SpamAssassin to identify the spam, as the network tests will be quite useless (all the email will be originating in a standard format, from our own servers). Bayes will probably be quite efficient, and so will various other local checks - but I have this nagging feeling that the standard weighting of the rules will be too lax in this use-case (due to nothing but content-checks triggering). How do we re-weight the rules, and does anyone have any good suggestions on which checks to use? Also, checking for certain blacklisted URLs in the messages will probably help (Someone recommended SURBL for this) .. but I think a re-weighting will still be in order. Suggestions? I'd be inclined to try the SARE fraud rules (see www.rulesemporium.com) in addition to the SA internal and bayes tests. If you find that doesn't give you a high enough score, pushing the BAYES_99 score a little higher might be in order. Bret
spamc connection refused
We recently needed to downgrade an underpowered solaris host to SA2.64 I start spamd with a max of 32 processes and some people get lots of mail. Users fire off spamc via their .procmailrc I'm now seeing a lot of [ID 702911 mail.error] connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#3 of 3): Connection refused Can I presume these are just an indication of resource limits? Thanks =-=-=-=-=-=-=-=-=-=- generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-= David Stern, University of Maryland Institute for Advanced Computer Studies
Re: Very simple user query...
On Mon, 12 Sep 2005, Steve whispered secretively: Genius answer! For some reason it had completely escaped my notice that all of the spams missed by SA over the past month had a uk.geocities.com address! I've opted for a score of 4 for any mail mentioning a uk.geocities.com URL - which is hopefully good enough For me, Bayes catches them all, so a score of 1.1 for stuff mentioning geocities is sufficient to push the evil emails over the 5.0 threshold. -- `One cannot, after all, be expected to read every single word of a book whose author one wishes to insult.' --- Richard Dawkins
Re: HTML Spam messages with float tag ?
The ones that get through here do so with a very low score. Around 1.00 or below. I already have both the SARE_OBFU SARE_HTML rules in place. I'm filtering on domains, but that is not extremely successful as he/she adds about 3-4 new ones every day. Current count is now 85. If you wish a list, mail me privately. Thanks, Mike

Ilan Aisic wrote: Hi Brian, Look for the thread about Pharamcudical list of words in a table. See: http://www.gossamer-threads.com/lists/spamassassin/users/59435?page=last All these messages are probably coming from one evil source. Some say it's a guy called Leo Kuvayev and he keeps changing the messages and trying to fool SA. You really should include SARE_OBFU and SARE_HTML (in http://www.rulesemporium.com/). I see that these rule files score some points on Leo's messages. But most of the points are from all the network checks. I also added my own personal rule to increase the total score on these tables:

# This one adopted from sare_html:
rawbody IA_HTML_MANY_BR /br.{0,10}br.{0,10}br.{0,10}br.{0,10}br/i
describe IA_HTML_MANY_BR Tooo many close br's!
score IA_HTML_MANY_BR 0.500

On 9/14/05, Brian Ipsen [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: Hi, The number of messages like below has increased. Unfortunately, they are not reported to SpamCop fast enough for SURBL to handle them Has anyone created some sort of filter to identify this type of messages ??
<STYLE></STYLE></HEAD>
<BODY bgColor=#ff>
<DIV>&nbsp;</DIV>
<DIV><A href="link">link to site</A></DIV>
<DIV>&nbsp;</DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>Me<BR>Xa<BR>Ul<BR>Am<BR><STRONG>Ci</STRONG><BR>Le<BR><STRONG>Va </STRONG><BR>Pr<BR><STRONG>Vi</STRONG><BR>Ce</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>ri<BR>na<BR>tr<BR>bi<BR><STRONG>al</STRONG><BR>vi<BR><STRONG>li </STRONG><BR>op<BR><STRONG>ag</STRONG><BR>le</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>di<BR>x<BR>am<BR>en<BR><STRONG>is</STRONG><BR>tr<BR><STRONG>um </STRONG><BR>ec<BR><STRONG>ra</STRONG><BR>br</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>a<BR><BR><BR><BR>&nbsp;1.<BR>a<BR>&nbsp;3.<BR>ia<BR>&nbsp;3.<BR> ex</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier><BR><BR><BR><BR>21<BR><BR>75<BR><BR>33<BR></FONT></DIV>
</BODY></HTML>

Regards, /Brian -- Ilan Aisic Registered Linux User 8124 http://counter.li.org
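Added example (mine, not Ilan's rule or anything from the thread): the sample above hides drug names by splitting each word across left-floated DIV columns, one fragment per `<BR>` row, so no single text run contains the word and a plain body regex never sees it. Reading across the columns row by row undoes the trick. The HTML below is the quoted sample with its tags restored and is constructed test input; the wordlist is my own short list for the demonstration.

```python
import re
from html import unescape
from itertools import zip_longest

# Constructed test input: the fragment quoted above with its tags restored
# (the list archive stripped them); the link target was already munged to
# "link" in the quoted copy.
SAMPLE_HTML = """<STYLE></STYLE></HEAD>
<BODY bgColor=#ff>
<DIV>&nbsp;</DIV>
<DIV><A href="link">link to site</A></DIV>
<DIV>&nbsp;</DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>Me<BR>Xa<BR>Ul<BR>Am<BR><STRONG>Ci</STRONG><BR>Le<BR><STRONG>Va </STRONG><BR>Pr<BR><STRONG>Vi</STRONG><BR>Ce</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>ri<BR>na<BR>tr<BR>bi<BR><STRONG>al</STRONG><BR>vi<BR><STRONG>li </STRONG><BR>op<BR><STRONG>ag</STRONG><BR>le</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>di<BR>x<BR>am<BR>en<BR><STRONG>is</STRONG><BR>tr<BR><STRONG>um </STRONG><BR>ec<BR><STRONG>ra</STRONG><BR>br</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier>a<BR><BR><BR><BR>&nbsp;1.<BR>a<BR>&nbsp;3.<BR>ia<BR>&nbsp;3.<BR> ex</FONT></DIV>
<DIV style="FLOAT: left;"><FONT face=Courier><BR><BR><BR><BR>21<BR><BR>75<BR><BR>33<BR></FONT></DIV>
</BODY></HTML>"""

FLOAT_DIV = re.compile(r'<DIV[^>]*FLOAT:\s*left[^>]*>(.*?)</DIV>', re.I | re.S)
TAG = re.compile(r'<(?!BR\b)[^>]+>', re.I)      # every tag except <BR>
BR = re.compile(r'<BR\s*/?>', re.I)

# Short wordlist for the demonstration only; a real rule would use a larger one.
WORDLIST = {'viagra', 'cialis', 'levitra', 'xanax', 'valium',
            'ambien', 'meridia', 'ultram', 'propecia', 'celebrex'}


def float_columns(html):
    """One list of cell strings per left-floated DIV, one cell per <BR> row."""
    columns = []
    for inner in FLOAT_DIV.findall(html):
        text = TAG.sub('', inner)                     # drop FONT/STRONG wrappers
        columns.append([unescape(c).strip() for c in BR.split(text)])
    return columns


def reassemble_rows(html):
    """Read across the columns row by row, which is how the eye sees the table."""
    columns = float_columns(html)
    return [''.join(cells) for cells in zip_longest(*columns, fillvalue='')]


def hidden_words(html):
    """Wordlist hits that only exist once the columns are joined."""
    found = []
    for row in reassemble_rows(html):
        m = re.match(r'[A-Za-z]+', row)               # word before any price digits
        if m and m.group(0).lower() in WORDLIST:
            found.append(m.group(0))
    return found


def is_column_obfuscated(html, min_hits=2):
    """True when the joined rows reveal at least min_hits wordlist entries."""
    return len(hidden_words(html)) >= min_hits


if __name__ == '__main__':
    for row in reassemble_rows(SAMPLE_HTML):
        print(repr(row))
    print(hidden_words(SAMPLE_HTML), is_column_obfuscated(SAMPLE_HTML))
```

The same idea can be expressed as a SpamAssassin rule only approximately (Ilan's IA_HTML_MANY_BR counts the `<BR>` runs rather than joining them), which is why a small plugin or a pre-filter that normalises floated columns into rows before the body rules run catches this family more reliably than a single regex.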
Re: OT Spam sources
On Wed, 14 Sep 2005, DAve wrote: Just curious if anyone else was seeing this besides me. I suspect the spammers are making a new attempt to find web forms they can abuse and possibly the robots are just not smart enough to know that our forms don't work the way they suspect. Seeing it too, others have described it in detail. At this point it's just annoying, with users receiving many forms with this garbage. Since the requests seem to come in rapid succession, I've thought about an IP cache, and limiting the number of times an IP can submit the form per unit time. It hasn't gone past the idea stage. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Turning On/Off SpamCop reporting for SpamAssassin 3.0.4
The following patches apply to SA 3.0.4 only. Adds a new parameter to local.cf: use_spamcop ( 0 | 1 ) *** Conf.pm.origMon Jun 6 04:31:23 2005 --- Conf.pm Wed Sep 14 23:27:06 2005 *** *** 1108,1113 --- 1108,1125 } }); + =item use_spamcop ( 0 | 1 ) (default: 1) + + Whether to use SpamCop, if it is available. + + =cut + + push (@cmds, { + setting = 'use_spamcop', + default = 1, + type = $CONF_TYPE_BOOL + }); + =item spamcop_from_address [EMAIL PROTECTED] (default: none) This address is used during manual reports to SpamCop as the From: *** Reporter.pm.origSat Mar 19 02:06:27 2005 --- Reporter.pm Wed Sep 14 23:19:51 2005 *** *** 394,399 --- 394,401 sub spamcop_report { my ($self, $original) = @_; + if (!$self-{conf}-{use_spamcop}) { return 0; } + # check date my $header = $original; $header =~ s/\r?\n\r?\n.*//s; Regards, Lefteris
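Review bot: in the Conf.pm hunk the new entry reads `setting = 'use_spamcop', default = 1, type = $CONF_TYPE_BOOL`, which is not valid inside an anonymous hash; the neighbouring Conf.pm entries use the fat comma, so this must read `setting => 'use_spamcop'`, `default => 1`, `type => $CONF_TYPE_BOOL` (the `>` characters have most likely been eaten by the list archive, but anyone applying the patch as shown on this page will get a compile error). The POD block is placed next to `spamcop_from_address`, which is the right neighbourhood, and defaulting to 1 keeps the current behaviour for everyone who does not set the option.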
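Review bot: the Reporter.pm hunk makes spamcop_report return 0 silently, so a user who set `use_spamcop 0` and later wonders why reporting did nothing gets no hint; emit a debug message through the module's usual debug logging (something like "reporter: SpamCop reporting disabled by use_spamcop") before the `return 0;`. Same dereference caveat as the Conf.pm hunk: `$self-{conf}-{use_spamcop}` has to be `$self->{conf}->{use_spamcop}` for Perl to parse it.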
spamd maillog problem
I have set up spamassassin 3.0.4-1.el4 on a RedHat Enterprise 4 with sendmail. This is the RPM supplied by RedHat. The setup works properly and is able to detect SPAM and HAM. However, I have not been able to configure spamd properly to get the usual Clean Message and identified spam lines to be added to my /var/log/maillog file. I need these lines to do the usual stat analysis. I have tried all combinations of the following:
- Turn off firewall
- xinetd service on
- -s /var/log/maillog spamd options
- older spamassassin 2.55 on RedHat EL 3
- download and recompiled SA 3.0.4 from source
Given the fact that I have tried all the above options, I think I am doing something wrong and/or missing something. I would appreciate any help/suggestions regarding this. Thanks, Boris Alemi
URIBL_SBL not being used?
Hello, This morning after having upgraded all installed ports on a FreeBSD mail gateway machine running postfix, amavisd-new, clamav and spamassassin, it appears that spamassassin is no longer working the way it had been. Specifically it seems that the URIBL_SBL test isn't being applied, though I do have score URIBL_SBL 4 in /usr/local/etc/mail/spamassassin/local.cf. I don't know for sure that this is the failure, however, looking at the headers of the spam messages getting through none of them mention that test at all where normally most of them would have tripped it. SpamAssassin 3.0.4 was installed from the ports (/usr/ports/mail/p5-Mail-SpamAssassin) and is invoked from amavisd-new. Perl was upgraded from 5.8.6 to 5.8.7 I haven't any idea why this test should be failing now, nor what to do to fix it. If any one has any guidance to offer I would very much appreciate it, and whatever more information is needed do please let me know and I'd be happy to provide it. Cheers, Sean
Re: OT Spam sources
From: DAve [EMAIL PROTECTED] Michael Monnerie wrote: On Mittwoch, 14. September 2005 16:03 DAve wrote: the robots are just not smart enough to know that our forms don't work the way they suspect. Maybe rename the script? Could be there's a script of that name which is vulnerable... mfg zmi All our forms have odd names, we did that when the first Formmail.pl attacks showed up years ago. I could come up with a rule or two to stop the message from being delivered, but I much prefer the image verification test in the form so the message never gets sent. All one mail at a time does is slow them down. How many parallel connections can they make at any one time? {^_^}
Re: URIBL_SBL not being used?
Sean Greene wrote: Hello, This morning after having upgraded all installed ports on a FreeBSD mail gateway machine running postfix, amavisd-new, clamav and spamassassin, it appears that spamassassin is no longer working the way it had been. Specifically it seems that the URIBL_SBL test isn't being applied, though I do have score URIBL_SBL 4 in /usr/local/etc/mail/spamassassin/local.cf. Are other URIBL tests still being used?
Re: OT Spam sources
From: Christopher X. Candreva [EMAIL PROTECTED] On Wed, 14 Sep 2005, DAve wrote: Just curious if anyone else was seeing this besides me. I suspect the spamm ers are making a new attempt to find web forms they can abuse and possibly the robots are just not smart enough to know that our forms don't work the way they suspect. Seeing it too, others have described it in detail. At this point it's just annoying, with users receiving many forms with this garbage. Since the requests seem to come in rapid succession, I've thought about an IP cache, and limiting the number of times an IP can submit the form per unit time. It hasn't gone past the idea stage. Has anybody observed the odd things you must go through to establish or edit accounts with many larger forms based servers like e-bay or yahoo? The "read the text from an image and type it in" forms are about the only thing that slow down the spammers. Although there is something to be said for requiring a user ID and a password that cannot be automatically signed up for when using forms that can send to addresses other than one that is hard wired in and immutable. (If that is possible in all possible cases.) {^_^}
Re: Scanning outgoing email
From: Bret Miller [EMAIL PROTECTED] We're in the need of checking parts of our outgoing email for spam (read: we've got unknown webmail users.. huge lots of them, actually.. and some of them have this annoying habit of sending Nigeria spam) My question is how to get SpamAssassin to identify the spam, as the network tests will be quite useless (all the email will be originating in a standard format, from our own servers). Bayes will probably be quite efficient, and so will various other local checks - but I have this nagging feeling that the standard weighting of the rules will be too lax in this use-case (due to nothing but content-checks triggering). How do we re-weight the rules, and does anyone have any good suggestions on which checks to use? Also, checking for certain blacklisted URLs in the messages will probably help (Someone recommended SURBL for this) .. but I think a re-weighting will still be in order. Suggestions? I'd be inclined to try the SARE fraud rules (see www.rulesemporium.com) in addition to the SA internal and bayes tests. If you find that doesn't give you a high enough score, pushing the BAYES_99 score a little higher might be in order. Bret + Another good technique is to count the number of addresses for message receipt or the number of messages the user has sent and throttle based on too many. For Way Too Many throttle back to one message every five minutes. {^_^}
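Added example, not from either post: the IP cache Chris Candreva sketches for web-form submissions and the per-sender recipient/message throttle Joanne suggests for outgoing webmail are the same sliding-window limiter keyed on a different identity, so one class serves both. The limit values, the documentation-range IP addresses and the fake clock in the demo are assumptions for the demonstration; the "way too many" tier drops to one accepted message per five minutes as suggested above.

```python
import time
from collections import defaultdict, deque


class SubmissionThrottle:
    """Sliding-window throttle keyed on a client identity.

    key:        client IP for a web form, account name for a webmail sender
    weight:     cost of one event; pass the recipient count to cap addresses
                rather than messages
    limit:      accepted weight allowed per `window` seconds
    hard_limit: "way too many" tier: once more than this much weight of
                attempts (accepted or refused) sits inside the window, the key
                is held to one accepted event per `penalty_interval` seconds
                (300 = the five minutes suggested in the thread)
    All numbers used below are assumptions for the demonstration.
    """

    def __init__(self, limit, window, hard_limit=None,
                 penalty_interval=300.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.hard_limit = hard_limit
        self.penalty_interval = penalty_interval
        self.clock = clock
        self._attempts = defaultdict(deque)   # key -> deque of (t, weight)
        self._accepted = defaultdict(deque)   # key -> deque of (t, weight)
        self._last_accepted = {}

    def _expire(self, dq, now):
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    @staticmethod
    def _total(dq):
        return sum(w for _, w in dq)

    def allow(self, key, weight=1):
        """True if the event may proceed, False if it should be refused."""
        now = self.clock()
        attempts, accepted = self._attempts[key], self._accepted[key]
        self._expire(attempts, now)
        self._expire(accepted, now)
        attempts.append((now, weight))

        if self.hard_limit is not None and self._total(attempts) > self.hard_limit:
            # Hammering client: the normal budget no longer applies, it gets
            # one accepted event per penalty_interval until it goes quiet.
            last = self._last_accepted.get(key)
            if last is not None and now - last < self.penalty_interval:
                return False
        elif self._total(accepted) + weight > self.limit:
            return False

        accepted.append((now, weight))
        self._last_accepted[key] = now
        return True


class FakeClock:
    """Deterministic clock for the demo and tests."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


if __name__ == '__main__':
    clk = FakeClock()
    form = SubmissionThrottle(limit=5, window=60, hard_limit=10, clock=clk)
    for i in range(12):
        clk.t = float(i)
        print(i, form.allow('192.0.2.10'))            # five True, then False
    clk.t = 70.0
    print('after 70s:', form.allow('192.0.2.10'))     # False: still in penalty
    clk.t = 400.0
    print('after 400s:', form.allow('192.0.2.10'))    # True: window is clear
```

Counting refused attempts as well as accepted ones is what makes the penalty tier work: a client that keeps hammering after being refused never sees its budget refill on the normal window, while a well-behaved client under the same NAT address is unaffected because the refusal is per key and the normal limit applies again as soon as the window is quiet.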
Re: Very simple user query...
From: Rob Skedgell [EMAIL PROTECTED] On Tuesday 13 Sep 2005 21:15, Markus Eskola wrote: [...] Just a quick question regarding the reporting... Do you guys report all spam (including the ones that SA already caught) or only the ones that got thru the net? Currently in my setup I have 3-4 different users who move all the spam that got thru into certain folders eg SPAM under IMAP. These folders are scanned, emptied and reported once a night thru a script. If someone has a more effective way, I'd appreciate a hint in the right direction. Most of it (5.0 <= score <= 30.0) gets LARTed by a java program that goes through the confirmed spam IMAP folder to the contacts.abuse.net addresses for the IP address that sent to my MX, SpamCop and is also posted to NANAS. If it scores over 30 it hits a discard ACL in exim. Anything that sneaks through under 5.0 or went to a role account is also singled out for extra vindictiveness and LARTed manually to anything SpamTool missed and whois data checked very carefully for RFCI whois eligibility (and a WDPRS report). Oh, and I have a patched Mail::SpamAssassin::Plugin::URIDNSBL to pass the domain names scanned over UDP to another listening application that tests for missing entries in RFCI bogusmx and automatically sends the submission by email. It also sends BCCs to postmaster@ and abuse@ so that victims of friendly fire (through inadvertently using a CNAME for their MX rather than deliberately registering 127.0.0.1) can get unlisted. ++ Ah, you are one of the people polluting the BLs. Thanks not. Why not be a little saner and adopt a score higher than 5.0, a very marginal spam score, for reporting. That way you are not reporting false alarms and injuring innocent people. {^_^}
Questions about sa-learn and report_safe encapsulation
Hi there. I'm trying to set up an IMAP based bayesian learner using the instructions in the SA wiki for RemoteIMAPFolder, etc. I'm diverting messages to the IMAP mailstore from MIMEDefang, and I'm trying to set up MIMEDefang to replicate SA's report_safe encapsulation format so that sa-learn only learns the encapsulated message while ignoring the included SA report, etc. I appear to have done something wrong, however. Following the instructions in the wiki, I have fetchmail snagging messages from the appropriate IMAP folder and feeding them to sa-learn, but sa-learn doesn't appear to be properly detecting the message encapsulation. As far as I can tell from looking at the code, sa-learn does a check for the existence of the X-Spam-Checker-Version header to decide whether or not to call remove_spamassassin_markup(). Within that subroutine it checks for a Content-Type header matching a regexp which includes multipart/mixed; and some other things I don't quite follow. :-) As far as I can tell, though, the messages aren't being detected as encapsulated--I'm using the -D flag with sa-learn and Removing Markup never shows up in the dbg messages I expect from the code in remove_spamassassin_markup(), and the debug messages show URLs being parsed which are only present in the spamassassin report included in the body text, but not in the encapsulated message itself. Is there some other trick that I'm missing while generating a message that sa-learn will recognize as report_safe encapsulated? Thanks! Working with SA 3.1.0-rc1, by the way. Nels Lindquist * Information Systems Manager Morningstar Air Express Inc.
Further clarification RE: URIBL_SBL not being used?
Hello, This morning after having upgraded all installed ports on a FreeBSD mail gateway machine running postfix, amavisd-new, clamav and spamassassin, it appears that spamassassin is no longer working the way it had been. Specifically it seems that the URIBL_SBL test isn't being applied, Sorry, upon closer examination it appears that only local tests are being applied, despite amavisd-new being configured to allow network tests: $sa_local_tests_only = 0; I'll be posting my question now to the amavisd-new list as well, but if anyone here has any suggestions or advice I'd very much like to hear them. Cheers, Sean
Re: Very simple user query...
On Wednesday 14 Sep 2005 22:44, jdow wrote: From: Rob Skedgell [EMAIL PROTECTED] On Tuesday 13 Sep 2005 21:15, Markus Eskola wrote: [...] Just a quick question regarding the reporting... Do you guys report all spam (including the ones that SA already caught) or only the ones that got thru the net? Currently in my setup I have 3-4 different users who move all the spam that got thru into certain folders eg SPAM under IMAP. These folders are scanned, emptied and reported once a night thru a script. If someone has a more effective way, I'd appreciate a hint in the right direction. Most of it (5.0 <= score <= 30.0) gets LARTed by a java program that goes through the confirmed spam IMAP folder to the
^ e.g. *manually* confirmed as spam, not just scored/flagged as such
[...] Ah, you are one of the people polluting the BLs. Thanks not. No. It was entirely my fault for not making it clearer that I do check the confirmed spam folder very carefully first, before running the reporting tool. It most certainly doesn't do anything like running from cron, nor will it ever do that. If the IMAP seen flag isn't set on a mail in that folder, it gets skipped as a safeguard against carelessness on my part - the last thing I want is a mail that's just been delivered to be reported without checking. Why not be a little saner and adopt a score higher than 5.0, a very marginal spam score, for reporting. That way you are not reporting false alarms and injuring innocent people. See above. It's actually (score >= 5.0 and manually_confirmed_as_spam) I should stress that any mails I report are checked manually *first*. False positives do *not* go to NANAS, SpamCop, the originating ISP etc. False positives get dragged out of the spam folder, my whitelists fixed (sometimes via whitelist_from_rcvd, sometimes in the PostgreSQL database used by a couple of ACLs, depending on the context). You can check the NANAS posts here http://groups.google.co.uk/groups?q=group:[EMAIL PROTECTED]start=0scoring=d if you like.
See many false positives? No, nor me. I very rarely mis-identify a false positive as spam, and on those rare occasions the abuse contact who just got the LART in error gets a grovelling apology from me for wasting their time. -- Rob Skedgell [EMAIL PROTECTED] pgp6PTjZDTQMD.pgp Description: PGP signature
Re: Scanning outgoing email
On Wed, 14 Sep 2005, Rune Kristian Viken wrote: We're in the need of checking parts of our outgoing email for spam (read: we've got unknown webmail users.. huge lots of them, actually.. and some of them have this annoying habit of sending Nigeria spam) My question is how to get SpamAssassin to identify the spam, as the network tests will be quite useless (all the email will be originating in a standard format, from our own servers). Bayes will probably be quite efficient, and so will various other local checks - but I have this nagging feeling that the standard weighting of the rules will be too lax in this use-case (due to nothing but content-checks triggering). How do we re-weight the rules, and does anyone have any good suggestions on which checks to use? Also, checking for certain blacklisted URLs in the messages will probably help (Someone recommended SURBL for this) .. but I think a re-weighting will still be in order. Suggestions?

Set up a separate instance of spamd that will be used just for scanning your outgoing mail (obviously this will have to be done with your local system configuration). Run that spamd with the '-L' option to disable network checks. One effect of doing that is to cause SA to choose an alternative scoring set that has been weighted for use in a no-networks-test environment. See the discussion of the 4-part 'score' values in Mail::SpamAssassin::Conf. Dave -- Dave Funk University of Iowa dbfunk (at) engineering.uiowa.edu College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include std_disclaimer.h Better is not better, 'standard' is better. B{
ANNOUNCE: SpamAssassin 3.1.0 available!
SpamAssassin 3.1.0 is released! SpamAssassin 3.1.0 is a major update.

SpamAssassin is a mail filter which uses advanced statistical and heuristic tests to identify spam (also known as unsolicited bulk email).

Highlights of the release

- Apache preforking algorithm adopted; number of spamd child processes is now scaled, according to demand. This provides better VM behaviour when not under peak load.
- added PostgreSQL, MySQL 4.1+, and local SDBM file Bayes storage modules. SQL storage is now recommended for Bayes, instead of DB_File. NDBM_File support has been dropped due to a major bug in that module.
- detect legitimate SMTP AUTH submission, to avoid false positives on Dynablock-style rules.
- new plugins: DomainKeys (off by default), MIMEHeader: a new plugin to perform tests against header in internal MIME structure, ReplaceTags: plugin by Felix Bauer to support fuzzy text matching, WhiteListSubject: plugin added to support user whitelists by Subject header.
- Razor: disable Razor2 support by default per our policy, since the service is not free for non-personal use. It's trivial to reenable (by editing '/etc/mail/spamassassin/v310.pre').
- DCC: disable DCC for similar reasons, due to new license terms.
- Net::DNS bug: high load caused answer packets to be mixed up and delivered as answers to the wrong request, causing false positives. worked around.
- DNSBL lookups and other DNS operations are now more efficient, by using a custom single-socket event-based model instead of Net::DNS.

Downloading

Pick it up from: http://SpamAssassin.apache.org/

Note, it may take up to two hours from now for that mirror to update.

md5sum:
d28bd7e83d01b234144e336bbfde0caa Mail-SpamAssassin-3.1.0.tar.bz2
f70c1fcab3d9563731bbc307eda7d69e Mail-SpamAssassin-3.1.0.tar.gz
65e9629ce255244fe3cb3d9772cdf239 Mail-SpamAssassin-3.1.0.zip

sha1sum:
0185f076f619dd9e64e94b453017f9b08d4b0f04 Mail-SpamAssassin-3.1.0.tar.bz2
d887cbae5962cb03e45aaf71cd93881a2799 Mail-SpamAssassin-3.1.0.tar.gz
8b9494448782f910e573377bf226a8072f24bb3f Mail-SpamAssassin-3.1.0.zip

The release files also have a .asc accompanying them. The file serves as an external GPG signature for the given release file. The signing key is available via the wwwkeys.pgp.net key server, as well as http://spamassassin.apache.org/released/GPG-SIGNING-KEY

The key information is:
pub 1024D/265FA05B 2003-06-09 SpamAssassin Signing Key [EMAIL PROTECTED]
Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24 F6D7 DEE0 1987 265F A05B

Important installation notes: see the INSTALL and UPGRADE files in the distribution.

Summary of major changes since 3.0.x

- Apache preforking algorithm adopted; number of spamd child processes is now scaled, according to demand. This provides better VM behaviour when not under peak load.
- Inclusion of sa-update script which will allow for updates of rules and scores in between code releases.
- added PostgreSQL, MySQL 4.1+, and local SDBM file Bayes storage modules. SQL storage is now recommended for Bayes, instead of DB_File. NDBM_File support has been dropped due to a major bug in that module.
- detect legitimate SMTP AUTH submission, to avoid false positives on Dynablock-style rules.
- new Advance Fee Fraud (419 scam) rules.
- removed use of the Storable module, due to several reported hangs on SMP Linux machines.
- Converted several rule/engine components into Plugins such as: AccessDB, AWL, Pyzor, Razor2, DCC, Bayes AutoLearn Determination, etc.
- new plugins: DomainKeys (off by default), MIMEHeader: a new plugin to perform tests against header in internal MIME structure, ReplaceTags: plugin by Felix Bauer to support fuzzy text matching, WhiteListSubject: plugin added to support user whitelists by Subject header.
- TextCat language guesser moved to a plugin. (This means ok_languages is no longer part of the core engine by default.)
- Razor: disable Razor2 support by default per our policy, since the service is not free for non-personal use. It's trivial to reenable.
- DCC: disable DCC for similar reasons, due to new license terms.
- Net::DNS bug: high load caused answer packets to be mixed up and delivered as answers to the wrong request, causing false positives. worked around.
- DNSBL lookups and other DNS operations are now more efficient, by using a custom single-socket event-based model instead of Net::DNS.
- add support for accreditation services, including Habeas v2.
- better URI parsing -- many evasion tricks now caught.
- URIBL lookups are prioritized based on the location in the message the URI was found.
- mass-check now supports reusing realtime DNSBL hit results, and sample-based Bayes autolearning emulation, to reduce complexity.
- sa-learn, spamassassin and mass-check now have optional progress bars.
Re: Further clarification RE: URIBL_SBL not being used?
From: mouss [EMAIL PROTECTED]

jdow wrote:
Am I alone in having a perception that using mimedefang and amavis-new is its own punishment?

why do you say so?

(I should have said or instead of and. And is REAL punishment even if or is not. It may not even be possible.)

The short story: I've been watching this list.

The long story: I decided long ago that I was seeing too many people having problems with auto-learning spam and ham back with 2.mumble. That led me to decide never to use that abomination. This decision seems to have served me very well. (I also never expire. I train sparingly and carefully.) Now the number of annoyances people report, not getting markups they thought they should and the like, has me wondering the same thing about these particular filters.

At the time I started using SA what I had available was procmail. My .procmailrc is still fairly small, although my personal one is used to feed pests, chiefly list pests, to their own dungeons. In theory if a dungeon is not updating from time to time the rule is obsolete. But with only 6 or 10 of them, who cares? As it is I get all my markup and I can even do custom tweaks in procmail so that if spamd hits one of the perl eval bugs triggered by PerMsgStatus.pm I can feed the message direct through spamassassin itself.

{^_^} Joanne
I guess Joanne is a bare metal type at heart.
Re: Further clarification RE: URIBL_SBL not being used?
On Sep 14, 2005, at 5:12 PM, jdow wrote:
jdow wrote:
Am I alone in having a perception that using mimedefang and amavis-new is its own punishment?
At the time I started using SA what I had available was procmail.

Procmail works if your users have access to the right things for invoking procmail, or if you're using mail software for which procmail can be used as a local delivery agent, or something along those lines. That doesn't include every mail server arrangement and software package out there. Plus, if you're on a non-trivial mail server (you know, more than a few thousand active users), procmail is just an insane way to invoke spam assassin.

Further, mimedefang isn't all about invoking Spam Assassin. It really seems to be more about protection against viruses, bad attachments, and other exploits. Its ability to also deal with spam assassin seems to be frosting on the cake, not the cake itself (if I am digesting the history of mimedefang correctly).

And, last, some of us postmasters would rather not accept these types of messages in the first place. Then we don't have to worry about idiot users replying to them, sending bounces back, or if their vacation implementation will reply to a virus or spam message (inevitably leaving large numbers of these replies stranded in our mail queues). Relying upon users, even intelligent ones, to do the sensible thing is an exercise even less productive than masturbation. Instead, we would rather reject the message during the SMTP transaction. Try that with procmail (unless, of course, someone writes a procmail-milter, in which case it's no different than using mimedefang or amavis).
New mail not being logged anywhere but /var/spool/qmailscan/mailstats.csv?
I've been running SA 3.04 / ClamAV 0.86.2 / qmail-scanner 1.25st for about 2 months now. Things have been working perfectly. I wrote my own stats parsing script to dump things into a database so I can break down stats based on domains, spammers, etc... (I have two mail servers acting as load balancing... a 3rd server is where the SQL db sits)

Today, we added a new client to our filtering system, and this client is receiving email from one address that seemed like a duplicate mysql insert at first to me, but after investigating further, the mails were actually listed in /var/spool/qmailscan/mailstats.csv. These are the lines in question in mailstats.csv:

8357:Wed, 14 Sep 2005 14:06:54 EDT Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.68333810027 [EMAIL PROTECTED] [EMAIL PROTECTED] Utica Homeowners will soon offer Identity Theft Coverage! [EMAIL PROTECTED] unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8358:Wed, 14 Sep 2005 14:06:54 EDT Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.68333810027 [EMAIL PROTECTED] [EMAIL PROTECTED] Utica Homeowners will soon offer Identity Theft Coverage! [EMAIL PROTECTED] unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8359:Wed, 14 Sep 2005 14:06:54 EDT Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.68333810027 [EMAIL PROTECTED] [EMAIL PROTECTED] Utica Homeowners will soon offer Identity Theft Coverage! [EMAIL PROTECTED] unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8360:Wed, 14 Sep 2005 14:06:54 EDT Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.68333810027 [EMAIL PROTECTED] [EMAIL PROTECTED] Utica Homeowners will soon offer Identity Theft Coverage! [EMAIL PROTECTED] unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8361:Wed, 14 Sep 2005 14:06:54 EDT Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.68333810027 [EMAIL PROTECTED] [EMAIL PROTECTED] Utica Homeowners will soon offer Identity Theft Coverage! [EMAIL PROTECTED] unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8362:Wed, 14 Sep 2005 14:06:54 EDT Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.68333810027 [EMAIL PROTECTED] [EMAIL PROTECTED] Utica Homeowners will soon offer Identity Theft Coverage! [EMAIL PROTECTED] unig45.gif:5863 1126721210.30212-0.MAILER-02:1109
8363:Wed, 14 Sep 2005 14:06:54 EDT Clear:RC:0(207.198.18.5):SA:1(5.6/5.0): 5.68333810027 [EMAIL PROTECTED] [EMAIL PROTECTED] Utica Homeowners will soon offer Identity Theft Coverage! [EMAIL PROTECTED] unig45.gif:5863 1126721210.30212-0.MAILER-02:1109

That's just a sample from mailstats.csv. As it says, SA deems it spam at 5.6 points, and tags it and passes it along (I think). However, a few things confuse me with this.

First of all, multiple entries under the same exact timestamp seems odd to me. Every piece of data in each line is identical. This doesn't seem normal, or correct.

Secondly, there is NO record of the sender's email address in /var/spool/qmailscan/qmail-queue.log OR /var/log/maillog. It only appears in mailstats.csv.

Furthermore, when adding the blacklist_from preference for this domain in my SQL database, I still see entries from this user in mailstats.csv with the score of 5.6, obviously ignoring my blacklist. Also, the 5.0 is telling as well, as I have a required_hits preference for this domain set to 4.0.

Scanning through mailstats.csv shows that I have even more entries which set 5.0 as the bar for spam, incorrectly:

4278:Wed, 14 Sep 2005 09:41:25 EDT SA:SPAM-DELETE:RC:0(222.108.160.49):SA:1(21.1/5.0): 0 1385[EMAIL PROTECTED] [EMAIL PROTECTED] Solid Funding hassle free [EMAIL PROTECTED] MAILER-02112670527972228950-unpacked:1385
4279:Wed, 14 Sep 2005 09:41:25 EDT SA:SPAM-DELETE:RC:0(222.108.160.49):SA:1(21.1/5.0): 0 1385[EMAIL PROTECTED] [EMAIL PROTECTED] Solid Funding hassle free [EMAIL PROTECTED] MAILER-02112670527972228950-unpacked:1385

However, there ARE lines that display correct information:

4298:Wed, 14 Sep 2005 09:41:58 EDT SA:SPAM-DELETE:RC:0(216.195.74.34):SA:1(10.8/4.0): 0 3658[EMAIL PROTECTED] [EMAIL PROTECTED] Undeliverable Mail [EMAIL PROTECTED] MAILER-02112670531272229114-unpacked:3658
4309:Wed, 14 Sep 2005 09:42:16 EDT Clear:RC:0(209.51.158.242):SA:0(-0.6/4.0): 5.5095053384[EMAIL PROTECTED] [EMAIL PROTECTED] Automatic message from SafestMail (c2FmZXN0bWFpbF9yZXBseQ==-OTkzMDE4MDE1) [EMAIL PROTECTED] 1126705331.29238-0.MAILER-02:2226

Note the 4.0. I'm so confused... I can't seem to find the reason why it isn't logging to qmail-queue.log for certain messages. There IS a correlation, however, between when it doesn't log to qmail-queue.log, and when it uses a base score of 5.0 instead of the sql-deemed 4.0. It seems
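As an added example (not code from the post or from qmail-scanner), a small Python audit that parses records in the shape quoted above and flags the two anomalies described: byte-identical rows under one timestamp, and a logged threshold that differs from the recipient domain's required_hits. The column layout (tab-separated, recipient in the fifth column), the addresses and the required_hits map are assumptions.

```python
import re
# Leading fields of a mailstats.csv record, in the shape quoted in the post:
#   <recno>:<date> <disposition>:RC:<n>(<relay ip>):SA:<flag>(<score>/<threshold>):
HEAD_RE = re.compile(
    r"^(?P<recno>\d+):(?P<date>[^\t]+?)\s+(?P<disposition>Clear|SA:SPAM-DELETE):RC:\d+"
    r"\((?P<relay>[\d.]+)\):SA:(?P<flag>[01])\((?P<score>-?[\d.]+)/(?P<threshold>[\d.]+)\):")

def parse_record(line):
    """Parse one record; returns None when the leading fields do not match."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["score"], rec["threshold"] = float(rec["score"]), float(rec["threshold"])
    rec["body"] = line.split(":", 1)[1]  # everything after the record number
    cols = line.split("\t")  # assumed layout: tab-separated, recipient in column 5
    rec["recipient"] = cols[4] if len(cols) > 4 else ""
    return rec

def find_duplicates(records):
    """Groups of record numbers whose content is identical apart from the number."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["body"], []).append(int(rec["recno"]))
    return [nums for nums in groups.values() if len(nums) > 1]

def threshold_mismatches(records, required_hits, default=5.0):
    """Records whose logged threshold is not the recipient domain's required_hits."""
    out = []
    for rec in records:
        expected = required_hits.get(rec["recipient"].rpartition("@")[2].lower(), default)
        if rec["threshold"] != expected:
            out.append((int(rec["recno"]), rec["threshold"], expected))
    return out

def audit(text, required_hits):
    records = [r for r in map(parse_record, text.splitlines()) if r]
    return {"duplicates": find_duplicates(records),
            "mismatches": threshold_mismatches(records, required_hits)}

# Constructed sample modelled on the records quoted in the post (addresses invented).
BODY = "\t".join(["Wed, 14 Sep 2005 14:06:54 EDT", "Clear:RC:0(207.198.18.5):SA:1(5.6/5.0):",
                  "5.68333810027", "sender@example.net", "user@client.example",
                  "Utica Homeowners will soon offer Identity Theft Coverage!",
                  "unig45.gif:5863", "1126721210.30212-0.MAILER-02:1109"])
SAMPLE = "\n".join([f"8357:{BODY}", f"8358:{BODY}",  # the duplicated rows
    "4298:Wed, 14 Sep 2005 09:41:58 EDT\tSA:SPAM-DELETE:RC:0(216.195.74.34):SA:1(10.8/4.0):"
    "\t0\tsender@example.net\tuser@client.example\tUndeliverable Mail\t-\tMAILER-02:3658"])
REQUIRED_HITS = {"client.example": 4.0}  # what the SQL userpref says for this domain
```

Running `audit(SAMPLE, REQUIRED_HITS)` reports 8357/8358 as duplicates and as 5.0-threshold rows for a 4.0 domain, while 4298 passes both checks.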
Re: HTML Spam messages with float tag ?
Hello Brian,

Wednesday, September 14, 2005, 5:31:34 AM, you wrote:
BI Hi,
BI The number of messages like below has increased. Unfortunately, they are
BI not reported to SpamCop fast enough for SURBL to handle them. Has anyone
BI created some sort of filter to identify this type of messages ??

SARE rules under development. Some will be published by this weekend, come hell or ... well, I'm not in New Orleans. Other rules we're less sure of may wait a few more days.

Sample hit rates of the most promising rules:
#counts LW_LEO_MAILER1 2332s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts LW_LEO_DOLLARS1 1451s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts LW_LEO_COST 1014s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts LW_LEO_DRUGS_DOWN 2563s/0h of 679260 corpus (323056s/356204h RM) 09/13/05
#counts SARE_LEO_SUB_MEDS 1107s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts SARE_LEO_SUB_PHARM 487s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts SARE_LEO_SUB_PHARM2 877s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts SARE_LEO_LINE02 2028s/0h of 614805 corpus (315596s/299209h RM) 09/11/05
#counts SARE_LEO_LINE03 59s/0h of 614805 corpus (315596s/299209h RM) 09/11/05

Bob Menschel