RE: why does this mail get 0 hits?
Hi, I might be getting old, but I don't see any SpamAssassin in the headers of that message.

this is because amavisd is calling spamassassin and if the SA score is below 0 I don't get any spamassassin headers inserted.

Only this line...

X-GMX-Antispam: 0 (Mail was not recognized as spam)

Do you have email coming in from different servers, maybe not hitting SA?

I get this email forwarded from my old email account to my new one. and the provider of my old email account (GMX) does spam scanning as well. But if they say 0 this doesn't mean it really is 0. A lot of mails getting forwarded from my old account which score 0 at gmx, score more than 10 at my server. so it seems to be an email specific thing.

andreas
Re: why does this mail get 0 hits?
> I'm getting this kind of email like once a day and it seems like it scores 0 every time. I'm using spamassassin 3.1 and feeding them to sa-learn as spam as well.

Well, some obvious questions:

1. Is bayes really working for you normally?
2. Do you have any local german-language spam rules?

Now, I don't speak german, but a quick glance makes me think this is a typical english spam translated to german by someone that doesn't know the language well.

To me, it looks like it is just full of things that would be easy to catch. But then, since I don't speak the language and can't conjugate a verb or noun or whatever declines in German, I can't guess what trivial one-letter changes would render any rules I wrote useless. I also don't know what phrases or words that look like good catches might be just common German phrases.

I ran this thru SA here and got about 7 points. But 1.1 points was from a rule that was English based and inapplicable to German, and 3 points were from local rules that are inapplicable. That leaves 3.2 points from SURBL, which isn't enough by itself to make this spam.

Now I could knock out a handful of body rules to catch this for you, but they would all be guesses, and probably some pretty bad guesses at that.

I would suggest that a simple thing to try would be to look through this and stick some spammy-sounding phrases into a stock rule form, and then stick those rules in your local.cf and see how they do. This isn't the apex of rule writing, but it should certainly be good enough for this kind of spam.

Use this basic form:

    body     MY_RULE_NAME1  /words I don't like/is
    score    MY_RULE_NAME1  1
    describe MY_RULE_NAME1  I don't like these words

For example, from that spam and making wild guesses:

    body MY_10_MIN_FREE       /10 Minuten for free/is
    body MY_ALWAYS_HARDCORE   /Hardcore rund um die Uhr/is
    body MY_ANY_TIME          /Sex [\w\s]+wann Du es willst/is
    body MY_LOTS_OF_FILM      /Über [\d\.]+ verschiedene Filme/is
    body MY_TASTY_CATEGORIES  /Kategorien treffen garantiert jeden Geschmack/is
    body MY_HUH_1             /Feuchte Fotzen/is
    body MY_EXTREME_ACTION    /extrem geile Sexaction/is
    body MY_TRUE_LIES         /das ist unglaublich und dennoch wahr/is

Add a score and a description if you want to each of those lines (they will get 1 point scores by default if you don't give a score) and see how much of your normal mail you can manage to turn into spam! ;-)

Loren

PS: Blame Google translator and my sense of 'humor' for those rule names.
Re: why does this mail get 0 hits?
On Sun, 2005-09-18 at 01:34 -0700, Loren Wilton wrote:
> > I'm getting this kind of email like once a day and it seems like it scores 0 every time. I'm using spamassassin 3.1 and feeding them to sa-learn as spam as well.
>
> Well, some obvious questions:
>
> 1. Is bayes really working for you normally?

yes it does - for all emails except this one.

> 2. Do you have any local german-language spam rules?

no, I don't

> Now, I don't speak german, but a quick glance makes me think this is a typical english spam translated to german by someone that doesn't know the language well.

sorry but I have to tell you that these emails are actually written in very good german - blame google for the translation.

> To me, it looks like it is just full of things that would be easy to catch. But then, since I don't speak the language and can't conjugate a verb or noun or whatever declines in German, I can't guess what trivial one-letter changes would render any rules I wrote useless. I also don't know what phrases or words that look like good catches might be just common German phrases.
>
> I ran this thru SA here and got about 7 points. But 1.1 points was from a rule that was English based and inapplicable to German, and 3 points were from local rules that are inapplicable. That leaves 3.2 points from SURBL, which isn't enough by itself to make this spam.
>
> Now I could knock out a handful of body rules to catch this for you, but they would all be guesses, and probably some pretty bad guesses at that.
>
> I would suggest that a simple thing to try would be to look through this and stick some spammy-sounding phrases into a stock rule form, and then stick those rules in your local.cf and see how they do. This isn't the apex of rule writing, but it should certainly be good enough for this kind of spam.

I know that I could write custom rules but I thought that maybe spamassassin is mature enough to detect this german crap without any additional rules.

for testing purposes I also do forward these emails to my gmail account and guess what - there they get detected as spam. So it seems like these guys are doing something different because I can't imagine that they really do write custom rules.

thanks anyway for your help,
andreas
Re: why does this mail get 0 hits?
In an older episode (Sunday, 18. September 2005 10:34), Loren Wilton wrote:
> body MY_RULE_NAME1 /words I don't like/is

what does the trailing s do?

cheers,
wolfgang
Re: why does this mail get 0 hits?
> I know that I could write custom rules but I thought that maybe spamassassin is mature enough to detect this german crap without any additional rules.

SA isn't magic, quite. It largely depends on having rules to catch spams. We have lots of people writing rules for English spams, but so far nobody has volunteered to write many German rules. Without rules, all you have basically is bayes and net tests. That will catch a lot of things, but it won't catch the initial flow of a new spam.

Loren
Re: why does this mail get 0 hits?
> > body MY_RULE_NAME1 /words I don't like/is
>
> what does the trailing s do?

Treats newlines like spaces when matching against a . character. Not really applicable to most of those example rules.

Loren
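The body/score/describe rule form posted earlier in this thread, and the effect of the trailing s asked about above, modelled in Python as an added example; it is not code from the thread and not SpamAssassin's own engine, which preprocesses the body before matching. The rule file reuses three rules from the thread, the two MY_DOT_* rules and both message bodies are constructed, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Perl regex modifiers written after the closing slash -> Python re flags.
PERL_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


@dataclass
class Rule:
    pattern: re.Pattern
    score: float = 1.0  # default stated in the thread when no score line is given
    describe: str = ""


def compile_perl_regex(text):
    """Compile '/pattern/mods' as written in the thread's rule lines."""
    end = text.rfind("/")
    if not text.startswith("/") or end == 0:
        raise ValueError(f"expected /pattern/mods, got {text!r}")
    flags = 0
    for mod in text[end + 1:]:
        if mod not in PERL_FLAGS:
            raise ValueError(f"unsupported modifier {mod!r} in {text!r}")
        flags |= PERL_FLAGS[mod]
    return re.compile(text[1:end], flags)


def parse_rules(cf_text):
    """Parse body/score/describe lines into {rule name: Rule}."""
    entries = [ln.split(None, 2) for ln in cf_text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")]
    if any(len(entry) != 3 for entry in entries):
        raise ValueError("each line needs: keyword, rule name, value")
    rules = {name: Rule(compile_perl_regex(val.strip()))
             for kw, name, val in entries if kw == "body"}
    for kw, name, val in entries:
        if kw == "body":
            continue
        if kw not in ("score", "describe"):
            raise ValueError(f"unsupported keyword {kw!r}")
        if name not in rules:  # a score for a rule that was never defined
            raise ValueError(f"{kw} line for undefined rule {name}")
        if kw == "score":
            rules[name].score = float(val)
        else:
            rules[name].describe = val.strip()
    return rules


def evaluate(rules, body):
    """Return (total score, sorted names of the rules that hit) for one body."""
    hits = sorted(name for name, rule in rules.items() if rule.pattern.search(body))
    return sum(rules[name].score for name in hits), hits


# Constructed rule file: the last two rules differ only in the s modifier.
LOCAL_CF = r"""
body     MY_10_MIN_FREE      /10 Minuten for free/is
score    MY_10_MIN_FREE      2.0
describe MY_10_MIN_FREE      Mixed-language free minutes offer
body     MY_ALWAYS_HARDCORE  /Hardcore rund um die Uhr/is
body     MY_LOTS_OF_FILM     /Über [\d\.]+ verschiedene Filme/is
body     MY_DOT_WITH_S       /Uhr.Über/is
body     MY_DOT_NO_S         /Uhr.Über/i
"""

# Constructed message bodies (not the spam discussed in the thread).
SPAM_BODY = "Jetzt 10 Minuten for free!\nHardcore rund um die Uhr\nÜber 1.500 verschiedene Filme\n"
HAM_BODY = "Hallo Andreas,\nder Film beginnt um 20 Uhr. Über das Wochenende bin ich weg.\n"

if __name__ == "__main__":
    rules = parse_rules(LOCAL_CF)
    for label, body in (("spam", SPAM_BODY), ("ham", HAM_BODY)):
        total, hits = evaluate(rules, body)
        print(f"{label}: score={total} hits={hits}")
```

Only MY_DOT_WITH_S matches across the line break between "Uhr" and "Über"; the fixed-phrase rules contain no dot, so the s modifier changes nothing for them.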
Re: why does this mail get 0 hits?
On Sun, 2005-09-18 at 02:38 -0700, Loren Wilton wrote:
> > I know that I could write custom rules but I thought that maybe spamassassin is mature enough to detect this german crap without any additional rules.
>
> SA isn't magic, quite. It largely depends on having rules to catch spams. We have lots of people writing rules for English spams, but so far nobody has volunteered to write many German rules. Without rules, all you have basically is bayes and net tests. That will catch a lot of things, but it won't catch the initial flow of a new spam.

sure I know. But I think I know now where the problem is: all mail being forwarded from my old account to my new one is usually seen as ham. Bayes and AWL have assigned it a score of maybe -100. so in case of a spam mail being delivered to that address it will raise the score to maybe -80 - which is obviously still not enough. so maybe bayes and awl should handle forwarded emails differently.

andreas
Re: Rule puzzlement
M.Lewis wrote:
> I've written a rule that *should* be catching a fair amount of spam. I've run spamassassin --lint and it shows no errors. I purposefully created an error in this set of rules and did spamassassin --lint again and it shows the error. So I know my set of rules is being parsed. The perms are the same as other rulesets that are generating hits. SA has been restarted several times along with Amavisd-New, and ClamAV.
>
> I wrote a perl script and put the regex from the rules in the perl script. The script runs against one of my spam mbox files. There are plenty of hits. If I save a sample spam (that should hit on these rules) and do 'spamassassin spam.txt', I get no mention of this set of rules. Instead I get hits from other sets of rules.
>
> I'm at a loss why this rule is not working. It's simply a match on a phrase in email. Nothing fancy at all. Any clues or thoughts would be appreciated.

possibly because it does not match the phrase you want. unless you provide the phrase and the rule, it's hard to guess...
[OT] Looking for a cartoon for a proposal cover
This is almost completely off topic, but someone here might know where I can find something like what I'm looking for.

I'm doing a proposal on flattening out an incredibly hierarchical architecture to make it more efficient. I'm looking for a cartoon I can put on the front page that has some Donald-Duck like character with a HUGE mallet SMASHING it down onto something that is now completely flat. Maybe with streams of 1s and 0s coming out from under the mallet. Or maybe just smash type lines coming out from the mallet, I can add my own binary streams.

I'm absolutely positive I've seen any number of cartoons of this general sort over the years, but I'm not having a lot of luck finding something like that at the moment. Suggestions appreciated.

Loren
Perl errors for SA 3.1.0 (Perl 5.6.1)
Hello,

I still run a Debian 3.0 (Woody) distribution on some servers and have not yet managed to switch to 3.1. SpamAssassin 3.0.x runs just fine, and now I wanted to upgrade to 3.1.0.

It compiles and installs smoothly, however, when starting it, I receive

    Starting SpamAssassin Mail Filter Daemon: Digest::SHA1 object version 2.10 does not match bootstrap parameter 2.01 at /usr/lib/perl/5.6.1/DynaLoader.pm line 221.
    Compilation failed in require at /usr/local/share/perl/5.6.1/Mail/SpamAssassin/EvalTests.pm line 33.
    BEGIN failed--compilation aborted at /usr/local/share/perl/5.6.1/Mail/SpamAssassin/EvalTests.pm line 33.
    Compilation failed in require at /usr/local/share/perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 55.
    BEGIN failed--compilation aborted at /usr/local/share/perl/5.6.1/Mail/SpamAssassin/PerMsgStatus.pm line 55.
    Compilation failed in require at /usr/local/share/perl/5.6.1/Mail/SpamAssassin.pm line 71.
    BEGIN failed--compilation aborted at /usr/local/share/perl/5.6.1/Mail/SpamAssassin.pm line 71.
    Compilation failed in require at /usr/local/bin/spamd line 43.
    BEGIN failed--compilation aborted at /usr/local/bin/spamd line 43.

I tried installing the 2.10 version of Digest::SHA1 by manually compiling it from CPAN with:

    perl Makefile.PL
    make
    make test
    make install

It installs, but I still receive the same error. Setting PERL5LIB to

    export PERL5LIB=/usr/local/lib/perl/5.6.1

or

    export PERL5LIB=/usr/local/lib/perl/5.6.1/Digest/

doesn't seem to cure the problem either, I still receive the same message.

Do you know of any idea on pointing SA to the new module, or is the error message due to some other problem? Or have I given the wrong PERL5LIB path?

Thanks!
Florian
Re: 3.1.0 X-headers
Mike Bostock wrote:
> In your message regarding Re: 3.1.0 X-headers dated Thu, 15 Sep 2005 13:29:33 -0400, Daryl C. W. O'Shea said that ...
>
> DCWO- Bowie Bailey wrote:
> From: Mike Bostock [EMAIL PROTECTED]
> Just gone from 3.1.0.rc1 - 3.1.0 (14/9/05) Sendmail/Procmail MTAs
> The X-headers for SpamAssassin are now appearing at the top of the header instead of the bottom
> It's a feature.
>
> DCWO- One that was in rc1 too (and I believe all of the pre-releases).
>
> You are right of course - I just hadn't looked. I'll get back in my box now.

Any way to turn this feature off? I didn't see anything in man or in the upgrade notes.

--
Thanks,
JamesDR
Re: SA 3.1.0 freezing
Rick Macdougall wrote:
> I'm having an issue with SA 3.1.0 freezing, it will run through a couple of users (3 - 10) and then lock up.
> ...
> and it just stops there.
> ...
> Anyone with any ideas ?
>
> BTW, a reboot fixed it but I still don't know what caused it.

We have seen this with a RHEL 3.5 server SMP kernel as well, but the problem was not specific to spamassassin, but something on the OS/kernel level that not only caused spamd to hang up, but clamav, and even trying to send an attachment locally from pine, mail, etc... A reboot would clear up the problem, but it would return 3-5 days later. The hangups would only be for emails with attachments.

If you see the problem again, let me know, as we are trying to find the cause as well. We will be going to a non SMP kernel if the problem appears again.

You can grep your /var/log/maillog looking for:

    grep timeout /var/log/maillog|grep -i local

If you see a lot of timeouts during draining input, this will signal the problem recurring.

Rob
Re[2]: spam with 'Re:[]'
Hello James,

Saturday, September 17, 2005, 6:33:43 PM, you wrote:

JL Re[any single digit or number ie a-z or 0-9] email is discarded
JL Re[more than one digit or letter] email is allowed through

JL As I see it, this rule matches perfectly. The chance that someone will
JL send or receive a legit email with Re[just one letter or number] is
JL highly unlikely.

Check the subject header of this email, generated automatically by my email software.

It's *because* several common email clients put sequential numbers into RE[n] that spammers have adopted this as a means to entice people into opening their emails (thinking it might actually be a response to something).

Bob Menschel
Re: Perl errors for SA 3.1.0 (Perl 5.6.1)
On Sun, Sep 18, 2005 at 03:28:49PM +0200, Florian Effenberger wrote:
> It compiles and installs smoothly, however, when starting it, I receive
>
> Starting SpamAssassin Mail Filter Daemon: Digest::SHA1 object version 2.10 does not match bootstrap parameter 2.01 at /usr/lib/perl/5.6.1/DynaLoader.pm line 221.

Your install of Digest::SHA1 is messed up. Go through and delete all traces of the module (or at least the 2.01 XS files), then reinstall. http://wiki.apache.org/spamassassin/RazorCantLocateNew has some info.

--
Randomly Generated Tagline:
You can't build a reputation on what you are going to do. - Henry Ford
How is this an effective spam message?
I've obviously seen the trend of just sending a URL with random text on top. But how is this spam message useful when it doesn't even include a URL? My best guess is that they are trying to poision my Bayes or my auto-whitelist, so that their next message might get through. Either that, or they are just really incompetent spammers. From - Sun Sep 18 14:37:15 2005 X-Mozilla-Status: 0001 X-Mozilla-Status2: Return-Path: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on emlis.pair.com X-Spam-Level: ** X-Spam-Status: No, score=2.5 required=5.0 tests=BAYES_60,RCVD_NUMERIC_HELO autolearn=no version=3.1.0 Delivered-To: dankohn-dankohn:[EMAIL PROTECTED] X-Envelope-To: [EMAIL PROTECTED] Received: (qmail 68250 invoked from network); 18 Sep 2005 21:27:06 - Received: from localhost.pair.com (HELO emlis.pair.com) (127.0.0.1) by localhost.pair.com with SMTP; 18 Sep 2005 21:27:06 - Received: from 84.77.75.209 (unknown [84.77.75.209]) by emlis.pair.com (Postfix) with SMTP id 25FE0658BB for [EMAIL PROTECTED]; Sun, 18 Sep 2005 17:27:05 -0400 (EDT) Received: from [222.81.184.198] (port=3201 helo=[Randy]) by 84.77.75.209 with esmtp id 9781374373Kristopher37846 for [EMAIL PROTECTED]; Sun, 18 Sep 2005 23:27:00 +0200 Mime-Version: 1.0 (Apple Message framework v728) Content-Transfer-Encoding: 7bit Message-Id: [EMAIL PROTECTED] Content-Type: text/plain; charset=US-ASCII; format=flowed To: [EMAIL PROTECTED] From: Antwon [EMAIL PROTECTED] Subject: they are just ripening up Date: Sun, 18 Sep 2005 23:26:59 +0200 X-Mailer: Apple Mail (2.728) plenty of beauties who've just reached the legal age of consent of doing very very bad things come and watch and enjoy Forgive your enemies...but REMEMBER THEIR NAMES! If you want to make an apple pie from scratch, you must first create the universe. Most people would sooner die than think; in fact, they do so. The wisdom of the wise, and the experience of ages, may be preserved by quotations. 
Forgive your enemies, but never forget their names. - dan -- Dan Kohn mailto:[EMAIL PROTECTED] http://www.dankohn.com/ tel:+1-415-233-1000
DCC and spamassassin -r
The DCC checkers, dccproc and dccifd, not only check the mail but also increment the 'bulkiness' counts at the server. Spamassassin and spamd use one of these (if dcc checking is enabled) when scoring the mail.

So is it correct for spamassassin -r to re-submit the mail to the DCC servers? My reading of the DCC documentation indicates that it should not be doing so, as the mail would have already been counted when scanned.
Re: [OT] Looking for a cartoon for a proposal cover
On Sun, 2005-09-18 at 04:31 -0700, Loren Wilton wrote:
> This is almost completely off topic, but someone here might know where I can find something like what I'm looking for.
>
> I'm doing a proposal on flattening out an incredibly hierarchical architecture to make it more efficient. I'm looking for a cartoon I can put on the front page that has some Donald-Duck like character with a HUGE mallet SMASHING it down onto something that is now completely flat. Maybe with streams of 1s and 0s coming out from under the mallet. Or maybe just smash type lines coming out from the mallet, I can add my own binary streams.
>
> I'm absolutely positive I've seen any number of cartoons of this general sort over the years, but I'm not having a lot of luck finding something like that at the moment. Suggestions appreciated.
>
> Loren

Is this what you are looking for?

http://simpler-solutions.net/jansdiary/images/pressanykey.jpg

Thomas
Re: How is this an effective spam message?
Dan Kohn wrote:
> I've obviously seen the trend of just sending a URL with random text on top. But how is this spam message useful when it doesn't even include a URL?
>
> My best guess is that they are trying to poison my Bayes or my auto-whitelist, so that their next message might get through. Either that, or they are just really incompetent spammers.

Or they expect some people to reply.
Re: why does this mail get 0 hits?
From: Andreas Kotowicz [EMAIL PROTECTED]
> On Sun, 2005-09-18 at 02:38 -0700, Loren Wilton wrote:
> > > I know that I could write custom rules but I thought that maybe spamassassin is mature enough to detect this german crap without any additional rules.
> >
> > SA isn't magic, quite. It largely depends on having rules to catch spams. We have lots of people writing rules for English spams, but so far nobody has volunteered to write many German rules. Without rules, all you have basically is bayes and net tests. That will catch a lot of things, but it won't catch the initial flow of a new spam.
>
> sure I know. But I think I know now where the problem is: all mail being forwarded from my old account to my new one is usually seen as ham. Bayes and AWL have assigned it a score of maybe -100. so in case of a spam mail being delivered to that address it will raise the score to maybe -80 - which is obviously still not enough. so maybe bayes and awl should handle forwarded emails differently.

I'd say Bayes was working correctly but AWL has your old account marked as whitelisted. Get it off your whitelist and keep it off. That may mean you need to turn off AWL and do your whitelisting manually.

{^_^}
Re: SA 3.04: high fail rate; X-SA-no-reject?; more details.
From: Linda Walsh [EMAIL PROTECTED]
> Loren Wilton wrote:
> > If you are only correctly classifying 50% of the spam (you said 100 caught to 100 missed, I think) then you have SERIOUS problems of some sort.
>
> Yeah, well, I try not to be too reactionary on computer things like this -- especially when it could just be a matter of flipping a config switch somewhere and things get instantly better.
>
> While the number of spams getting through are significantly higher, probably 75-80% of them are duplicate emails sent to multiple email addresses -- including some blacklisting To-Addresses. Apparently, the spammer isn't being kind enough to send the spam to the black-listed To-Add'ies first and with the new spamc client, sendmail notices the lower load average and likely allows more parallel incoming instances to process incoming email before a given spam gets locked out.
>
> I suppose this could be a downside of this efficiency, but previous to this I never saw multiple instances of these simple spams get through **undetected**. This makes me think it isn't just the increased efficiency causing problems as I would have expected at least one or two duplicate spams that wouldn't have been caught by other means (than being sent to a blacklisted To-addr).

Linda, looking at your score for Bayes 99 I think you can safely raise it if you are running a very small mail service with well known customers. I run with it at a full 5 here. I get very few escaped spams, perhaps 0.1% within a factor of two either way. I do have some slightly negative scoring rules when I can determine a message is likely legitimate by specific for me rules. So if ham marked as BAYES_99 only about 1 in 16000 got through recently. And I very seldom have ham coming through as spam, except from the kernel mailing list and the FC4 list when someone posts oddly formatted messages, usually patches or debug logs. Perhaps I might get two of those a week out of 5000 ham emails. So this works at this site with two people.

A quick trick would be to go to the SARE site and get their version of sa-stats.pl. Rename it to something distinguishable from the mostly useless sa-stats.pl that comes with spamassassin itself. Then run it something like this:

    /etc/mail/spamassassin/mysa-stats.pl -f maillog*

Once you've run it look at the BAYES_99 rule. It SHOULD sit right at the top of your top spam rules ranking:

    TOP SPAM RULES FIRED
    RANK  RULE NAME  COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
       1  BAYES_99    6630      4.41    27.24    85.98    0.01

If it does not look something like this with numbers near 2 or more emails incoming over the duration of all your saved logs then BAYES may need more careful training. Note how much ham was marked with BAYES_99. I use that to justify setting the score for BAYES_99 up to a full 5 after the careful inclusion of some small negative scoring rules that can offset it slightly in special cases.

In any case you might find you can justify a nearly perfect rule, high spam catch and very low or no ham catch (this was a bad month for ham caught by BAYES_99), being scored high enough to mark a message as spam all by itself or nearly high enough.

One other serious hint, do NOT run this list through SpamAssassin. That may help protect your BAYES scores from subtle shifts such as might come if you merely have it white listed.

{^_^}
Re: Bayes rocks
On 9/16/05, jdow [EMAIL PROTECTED] wrote:
> You are better off to use a normal SpamAssassin meta rule.

How so? SA doesn't know how to interpret not to me (unless I write a plugin) -- it has no built-in knowledge of, for example, all possible sendmail aliases for my personal account -- and individual users can't add their own rules, so the only way I can code a custom expression to match all my personal addresses is to do it outside of SA.

I suppose it would be possible to write a blacklist_not_to rule as a plugin, but procmail is doing it just fine, thanks.
Re: Bayes rocks
The nasty part is that you pretty much have to generate a per user rule for this. I don't think a rule can expand things like $USER. I have a rule for somebody at earthlink. I have a rule for me at earthlink. I have a rule for several generic people at earthlink. If it is to me and has fewer than N earthlink recipients listed the rule does not trigger. (And given the realities of life on the Internet as I experience it this is not a rule scored high enough to kick out spam all by itself.)

{^_^}

- Original Message -
From: Bart Schaefer [EMAIL PROTECTED]
> On 9/16/05, jdow [EMAIL PROTECTED] wrote:
> > You are better off to use a normal SpamAssassin meta rule.
>
> How so? SA doesn't know how to interpret not to me (unless I write a plugin) -- it has no built-in knowledge of, for example, all possible sendmail aliases for my personal account -- and individual users can't add their own rules, so the only way I can code a custom expression to match all my personal addresses is to do it outside of SA.
>
> I suppose it would be possible to write a blacklist_not_to rule as a plugin, but procmail is doing it just fine, thanks.
Re: How is this an effective spam message?
Ratware misfire, almost certainly. I suspect that some of these things are menu-driven fill-in forms, and the apprentice spammer that bought the spam kit forgot to fill in one rather important field in the form.

> I've obviously seen the trend of just sending a URL with random text on top. But how is this spam message useful when it doesn't even include a URL?

Loren
Re: Perl errors for SA 3.1.0 (Perl 5.6.1)
Hi Theo,

> Your install of Digest::SHA1 is messed up. Go through and delete all traces of the module (or at least the 2.01 XS files), then reinstall. http://wiki.apache.org/spamassassin/RazorCantLocateNew has some info.

thanks for this one, I will check it out. Has something in SA 3.1 changed regarding the handling of Digest::SHA1? It works flawlessly with 3.0...

Thanks
Florian