RE: RulesDuJour; lint fails
Hi Bob,

Thanks for this explanation; it solved my problem. It turned out that a translation file in /usr/share/spamassassin was causing the problems.

Cheers,
Thijs

-Original Message-
From: Robert Menschel [mailto:[EMAIL PROTECTED]
Sent: Sunday, 25 September 2005 1:46
To: Thijs Koetsier | Exception
CC: Fred; users@spamassassin.apache.org
Subject: Re[2]: RulesDuJour; lint fails

Hello Thijs,

Saturday, September 24, 2005, 12:00:14 AM, you wrote:

TKE> To lint spamassassin from the command line has no other effect than
TKE> through RulesDuJour. The same list of errors/warnings shows up as mentioned below.

TKE> Since I use a standard (clean) installation with only Tripwire in
TKE> my ruleset for testing, this amount of warnings is a bit big, isn't
TKE> it?

TKE> But fixing the errors is exactly what I want to do; I just don't
TKE> know how :(

The errors you're getting are from old, prior-version SpamAssassin distribution rules files.

Use spamassassin -D --lint to determine which directories SA is looking into, and then scan all those directories for *.cf files. You have some old, prior-version *.cf files in a directory that SA is scanning, and those no longer lint in the current SA. Delete them.

Bob Menschel
Re: Hotmail on sorbs?!? (and eliminating false positives)
Hi !!

I am new to postfix and spamassassin, but we are already using greylist, and I liked a lot what you said here. How can I greylist messages by means of RBL checking? How should I setup Postfix to do that?

Regards,
Carlos.

2005/9/24, Herb Martin [EMAIL PROTECTED]:
> > From: Kai Schaetzl [mailto:[EMAIL PROTECTED]
> > Not sure how you combine that. AFAIR, greylisting is tempfailing the first SMTP delivery attempt, correct? Do you check the IP with RBLs and then tempfail it? So, you don't tempfail *every* connection attempt like traditional greylisting does?
>
> Exactly -- with the addition that we do this on several other criteria than just RBLs.
>
> This avoids practically all the complaints/negatives* against straight greylisting (i.e., traditional greylisting) and avoids practically all false positives from things like RBLs.
>
> * 1) Possible Delay of (new) legitimate email
> * 2) Broken legitimate servers which don't resend
>
> Note that these supposed problems with greylisting are largely handled even by straight greylisting through the use of whitelists for broken servers and small delays (a small delay stops almost as many spambots as will a long delay.)
>
> Also, for those not familiar with greylisting, the idea is you only TEMP_REJECT new mail, that is mail for which you don't have a fairly recent successful triplet:
>
> From-IP, From-Sender, To-Recipient
>
> Once greylisting determines that the sending server can meet the resend requirement there isn't much point to greylisting that server anyway (since it is going to meet the greylist requirements in all probability.)
>
> Greylisting lets 10% through, so it isn't the final solution but it lets you use a LOT OF AGGRESSIVE techniques that would normally be dangerous to good mail.
>
> For one, you can use RBLs that would otherwise be a terrible risk, or even (grey) block on things like host reverse name/helo name mismatch (which will LOSE a lot of email otherwise.)
>
> Pick any good criteria for rejecting email and turn it into a good but safe method by using greylisting.
>
> Also note that having our SMTP server check RBLs and then having SpamAssassin score them AGAIN if the mail gets through, costs VERY LITTLE: we run a local caching DNS server so those resolutions are only going on the net just once.
>
> --
> Herb Martin
RE: Joe-jobbed...What are my options?
Michael Monnerie wrote:
> On Sunday, 25 September 2005 01:35 Steve wrote:
> > Sorry if this is really simple... any advice would be useful.
>
> Not a lot, but SPF helps for that scenario. See http://spf.pobox.com

I agree; SPF is about the only defense. For the last few days an address in one of our low-traffic domains has been joe-jobbed, and our DNS servers show hundreds of TXT queries to that domain from all over the world. Obviously some mail servers are checking and (hopefully) rejecting the spam.

And we are rejecting bounces to the joe-jobbed address, since it isn't a valid user address.

Pierre Thomson
BIC
Re: Bayes_token.myi corrupt
On Mon, Sep 26, 2005 at 08:53:41AM -0400, Matthew Yette wrote:
> Over the last week, I've had to repair the bayes_token table twice. Running repair table bayes_token; works just fine, but why is this occurring? There are currently 1,357,428 rows in it, so it's quite large. Should I be running an expire script on it?

It depends what you mean by corrupt. Do you mean the index file itself is corrupt, or SA gets confused and shows invalid data? If the former, you'd need to talk to mysql about why their db is corrupting itself. If the latter, you'll need to give us more information.

--
Randomly Generated Tagline: We are used to a deep-rooted Arab tradition of democracy where results are first declared, then elections are conducted and votes brought in to affirm it. - Talal Salman, editor of the As-Safir newspaper in Lebanon
Re: [SARE] rules update
On 26/09/2005, at 3:07 PM, Robert Menschel wrote:
> SARE's General Subject rules files and the Whitelist rules files have been updated.

I get from --lint:

Failed to run header SpamAssassin tests, skipping some: Global symbol $C requires explicit package name at /etc/spamassassin/70_sare_genlsubj_eng.cf, rule SARE_SUB_ACCENT_CHAR, line 1.

and

Failed to run header SpamAssassin tests, skipping some: Unmatched [ in regex; marked by -- HERE in m/(?!credit card (?:bill|declined))(?:(?: bad|poor|less\W*than\W*perfect|fix\W*your)\W*cr[eC)]d[ -- HERE iC/ at /etc/spamassassin/70_sare_genlsubj1.cf, rule SARE_SUB_POOR_CREDIT, line 1.

Serious? Do I disable until fixed?

thanks
rolf.
Re: Joe-jobbed...What are my options?
On Monday, 26 September 2005 15:37 Herb Martin wrote:
> 2) Some SMTP servers (but not enough) will check this and disallow forged email from those authorized servers

Where some is becoming bigger each month. I've seen a lot less joe-jobbing tries with our domains during the last months (we use SPF over a year now). I can remember receiving 3 e-mails of obviously joe-jobbing this year. So SPF helps (especially since even big ISPs like AOL use it).

> SPF is the right thing to do -- but the benefits have not yet reached their potential.

Yes, but if he implements it, another small brick in the wall makes the force bigger :-)

> He must also watch out for sneaky users forwarding their email or using other SMTP servers with their email address -- probably such (random) forwarding/sending by users will be unauthorized as well.

Yes, that can give headaches - I know it now - but it's worth the effort.

Regards,
zmi
--
// Michael Monnerie, Ing.BSc --- it-management Michael Monnerie
// http://zmi.at Tel: 0660/4156531 Linux 2.6.11
// PGP Key: lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952 F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879
RE: [SARE] rules update
> -Original Message-
> From: Rolf [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 26, 2005 9:18 AM
> To: users@spamassassin.apache.org
> Cc: Robert Menschel
> Subject: Re: [SARE] rules update
>
> On 26/09/2005, at 3:07 PM, Robert Menschel wrote:
> > SARE's General Subject rules files and the Whitelist rules files have been updated.
>
> I get from --lint:
>
> Failed to run header SpamAssassin tests, skipping some:
>
> and
>
> Failed to run header SpamAssassin tests, skipping some:
>
> Serious? Do I disable until fixed?

You didn't give your SpamAssassin version nor actually mention which whitelist file you used...

There are two new files for (near features in) SpamAssassin 3.10, and the old file for previous versions.

Look on the SARE site and see which ones fit your version of SpamAssassin.

--
Herb Martin
How to invoke Bayes token expiration
I just recently implemented bayes at our site and was wondering how token expiration works. I thought that since I left the 'bayes_expiry_max_db_size' and 'bayes_auto_expire' to the default value of 1, that it would automatically expire the tokens. I run SpamAssassin through amavisd, and found that over the weekend I had accumulated over 1 million tokens through autolearn. Does auto-expire only work with the spamd daemon? How would I regularly purge the database? Cron job with `sa-learn --force-expire`? Thanks.
Re: [SARE] rules update
Rolf [EMAIL PROTECTED] wrote on 09/26/2005 09:17:49 AM:
> On 26/09/2005, at 3:07 PM, Robert Menschel wrote:
> > SARE's General Subject rules files and the Whitelist rules files have been updated.
>
> I get from --lint:
>
> Failed to run header SpamAssassin tests, skipping some: Global symbol $C requires explicit package name at /etc/spamassassin/70_sare_genlsubj_eng.cf, rule SARE_SUB_ACCENT_CHAR, line 1.
>
> and
>
> Failed to run header SpamAssassin tests, skipping some: Unmatched [ in regex; marked by -- HERE in m/(?!credit card (?:bill|declined))(?:(?: bad|poor|less\W*than\W*perfect|fix\W*your)\W*cr[eC)]d[ -- HERE iC/ at /etc/spamassassin/70_sare_genlsubj1.cf, rule SARE_SUB_POOR_CREDIT, line 1.
>
> Serious? Do I disable until fixed?
>
> thanks
> rolf.

How did you download it? You may want to try it again. No errors on my system with that file.

Andy
Razor reporting error
I use Theo's excellent handlespam.pl script for reporting spam. Since upgrading to SA 3.1 over the weekend, I see this error when I run the script: (razor) Could not report spam to Razor et al! If I check the Razor log, I see this for the most-recent use of the script: Sep 26 11:01:52.038064 report[62]: [ 5] mail 1.0, eng 4: Server accepted report. It thus appears that the error reported by the script is, in fact, not an error. What changed in 3.1 to cause the erroneous reporting error? Any ideas on what should be changed in the script to fix it? Thanks.
Re: Razor reporting error
On Mon, Sep 26, 2005 at 11:10:19AM -0500, sargon wrote:
> I use Theo's excellent handlespam.pl script for reporting spam. Since upgrading to SA 3.1 over the weekend, I see this error when I run the script:
>
> (razor) Could not report spam to Razor et al!
>
> If I check the Razor log, I see this for the most-recent use of the script:
>
> Sep 26 11:01:52.038064 report[62]: [ 5] mail 1.0, eng 4: Server accepted report.
>
> It thus appears that the error reported by the script is, in fact, not an error. What changed in 3.1 to cause the erroneous reporting error? Any ideas on what should be changed in the script to fix it?

1) I'm glad you like the script. :)
2) Razor (along with a bunch of other stuff) was moved to be a plugin in 3.1.
3) The version I'm running works fine with Razor. ;)

Do you see the warning every time you try to report?
Does spamassassin -r on a single message work?
Are you sure the entry corresponds to the handlespam run?
Is your version different than the one I have up at http://www.kluge.net/~felicity/random/handlespam.txt ?

--
Randomly Generated Tagline: Don't ever make trouble here, I beat you up each time. - From Rumble in the Bronx
Re: Razor reporting error
On Monday, 26-September-2005 13:58, Theo Van Dinter wrote:
> On Mon, Sep 26, 2005 at 11:10:19AM -0500, sargon wrote:
> > I use Theo's excellent handlespam.pl script for reporting spam. Since upgrading to SA 3.1 over the weekend, I see this error when I run the script:
> >
> > (razor) Could not report spam to Razor et al!
> >
> > If I check the Razor log, I see this for the most-recent use of the script:
> >
> > Sep 26 11:01:52.038064 report[62]: [ 5] mail 1.0, eng 4: Server accepted report.
> >
> > It thus appears that the error reported by the script is, in fact, not an error. What changed in 3.1 to cause the erroneous reporting error? Any ideas on what should be changed in the script to fix it?
>
> 1) I'm glad you like the script. :)
> 2) Razor (along with a bunch of other stuff) was moved to be a plugin in 3.1.
> 3) The version I'm running works fine with Razor. ;)

Hmmm. Razor is working here as well, at least according to the Razor log. And spamassassin -r -D shows SA reporting to Razor, Pyzor, and SpamCop. I like the plug-in concept of 3.1. Very nice.

> Do you see the warning every time you try to report?

Yes.

> Does spamassassin -r on a single message work?

Yes.

[28193] info: reporter: spam reported to Razor

> Are you sure the entry corresponds to the handlespam run?

Yes. Just ran it again and immediately checked the Razor log.

> Is your version different than the one I have up at http://www.kluge.net/~felicity/random/handlespam.txt ?

Identical.

Thanks.
Error and slowness
Hello, this is my first post to the group.

This is the first week I have worked with SpamAssassin, and I think I have a problem with my performance...

I run SA 3.1 (upgraded from 3.0.4) with Sylpheed-Claws 1.9.14. Each message takes around 12 sec. to be processed. I have disabled DCC, Razor2 and Pyzor. The spamd is running.

In /var/log/mail/errors I have this error:

Sep 26 21:09:10 delfin spamd[21260]: Can't locate Sys/Hostname/Long.pm in @INC (@INC contains: ../lib /usr/lib/perl5/site_perl/5.8.6/i386-linux /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/5.8.6/i386-linux /usr/lib/perl5/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.6/i386-linux /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl) at /usr/lib/perl5/vendor_perl/5.8.6/Mail/SPF/Query.pm line 328, GEN82 line 83

This error is repeated, with changes in the last words: GEN24 line 159... etc.

I think this is the cause of the slowness. Maybe?

Thanks, and regards,
jose.
--
Jose Usoz / Cromosfera
http://www.cromosfera.com
Re: trusted_networks use
Following up on my own post. I'm still thrashing, and not getting any difference in results.

NFN Smith wrote:
> > You really do HAVE to trust all your own mail relays. Anything else is just broken.
>
> Agreed.

OK, I've expanded my settings, but I'm still not making any progress.

trusted_networks 64.65.180.91
trusted_networks 10.10.10.141
trusted_networks 68.99.120.79
trusted_networks 24.249.175.230
internal_networks 64.65.180.91
internal_networks 10.10.10.141
whitelist_from_rcvd [EMAIL PROTECTED] pulsar.lfa.com
whitelist_from_rcvd [EMAIL PROTECTED] lakecmmtao05.coxmail.com
whitelist_from_rcvd [EMAIL PROTECTED] wsip-24-249-175-230.ph.ph.cox.net

- pulsar.lfa.com has a public address of 64.65.180.141, and its internal IP address is 10.10.10.91
- lacecmmtao05.coxmail.com is 68.99.120.79
- 24.249.175.230 (wsip-24-249-175-230.ph.ph.cox.net) is the network that the message is originating from

What else am I missing? Any chance that I'm missing something different, such as DNS checks not running, or some sort of blockage (i.e., firewall)?

Smith
Re: [SARE] rules update
Robert Menschel wrote:
> SARE's General Subject rules files and the Whitelist rules files have been updated.
> snip
> Note that RDJ has not yet been updated for these two new files.

RDJ is now updated. The new ruleset names are: SARE_WHITELIST_SPF and SARE_WHITELIST_RCVD

Chris Thielen
Re: Razor reporting error
At 11:58 AM Monday, 9/26/2005, Theo Van Dinter wrote -=
> On Mon, Sep 26, 2005 at 11:10:19AM -0500, sargon wrote:
> > I use Theo's excellent handlespam.pl script for reporting spam. Since upgrading to SA 3.1 over the weekend, I see this error when I run the script:
> >
> > (razor) Could not report spam to Razor et al!

Same here...

> > It thus appears that the error reported by the script is, in fact, not an error. What changed in 3.1 to cause the erroneous reporting error? Any ideas on what should be changed in the script to fix it?
>
> 1) I'm glad you like the script. :)
> 2) Razor (along with a bunch of other stuff) was moved to be a plugin in 3.1.
> 3) The version I'm running works fine with Razor. ;)
>
> Do you see the warning every time you try to report?
> Does spamassassin -r on a single message work?
> Are you sure the entry corresponds to the handlespam run?
> Is your version different than the one I have up at http://www.kluge.net/~felicity/random/handlespam.txt ?

FWIW, from here, I see the error in the results from handlespam on every message processed. Here's a sample:

Mail From: Jimmy Downey [EMAIL PROTECTED]
Subject : Buy popular drugs online
SA Status: Yes, score=40.6 required=6.9
Spamtrap?: No
Autorept?: No
(razor) Could not report spam to Razor et al!
(relay) Already did a relay check for 204.60.203.69, skipping
(scopy) Sending spam copies
(archi) Message archived to /home/ed/mail/spammers.

spamassassin -D -r results:

[17450] info: reporter: spam reported to DCC
[17450] info: reporter: spam reported to Razor
[17450] info: reporter: spam reported to Pyzor
[17540] info: reporter: spam reported to SpamCop

Ed
. . . . . . . . . . . . . . . . . .
I can think of nothing more boring for the American people than to have to sit in their living rooms for a whole half hour looking at my face on their television screens. --Dwight D. Eisenhower
RE: trusted_networks use
> From: NFN Smith [mailto:[EMAIL PROTECTED]
>
> Following up on my own post. I'm still thrashing, and not getting any difference in results.
>
> NFN Smith wrote:
>
> OK, I've expanded my settings, but I'm still not making any progress.
>
> trusted_networks 64.65.180.91
> trusted_networks 10.10.10.141
> trusted_networks 68.99.120.79
> trusted_networks 24.249.175.230
> internal_networks 64.65.180.91
> internal_networks 10.10.10.141
> whitelist_from_rcvd [EMAIL PROTECTED] pulsar.lfa.com
> whitelist_from_rcvd [EMAIL PROTECTED] lakecmmtao05.coxmail.com
> whitelist_from_rcvd [EMAIL PROTECTED] wsip-24-249-175-230.ph.ph.cox.net
>
> - pulsar.lfa.com has a public address of 64.65.180.141, and its internal IP address is 10.10.10.91
> - lacecmmtao05.coxmail.com is 68.99.120.79
> - 24.249.175.230 (wsip-24-249-175-230.ph.ph.cox.net) is the network that the message is originating from
>
> What else am I missing? Any chance that I'm missing something different, such as DNS checks not running, or some sort of blockage (i.e., firewall)?

Oops. I was going to reply to you this morning and things just got a bit busy...

Now that you've made those changes, post the headers from another example email so we can see if anything changed.

Also, you may want to save your email into a file and manually run it through SA to see what happens. Just add '-t -D' to the option list to get debugging output and force a spam report to be added. This should let you know if there are any problems running the network checks. This will generate quite a bit of output, just scan through it for anything that looks like an error.

The command line would look like this:

spamassassin -t -D message.txt

Bowie
Postfix-Procmail-Spamassassin duplicate messages
Hi everyone,

I've had an awful time trying to figure this one out on my own, and have been scouring the 'net for someone with a similar problem, but can't find anything.

I'm converting an existing Postfix (2.0.6)/Procmail setup to use SpamAssassin. I installed SpamAssassin via CPAN. I followed Greg Webster's howto at http://www.geekly.com/entries/archives/0155.htm and got things up and running. Then I noticed that for messages tagged as spam, I get two messages delivered for every one received by the system. The headers are identical, I just get two copies of the spam in my inbox. This happens system-wide.

Here are my configuration details:

/etc/mail/spamassassin/local.cf:

    rewrite_header Subject [SPAM]
    report_safe 2
    trusted_networks my.ip.addrs.
    lock_method flock
    required_score 8.0
    use_bayes 1
    bayes_auto_learn 1
    ok_languages en
    ok_locales en

/etc/postfix/master.cf

    #services:
    smtp inet n - n - - smtpd
      -o content_filter=spamfilter:
    #interfaces:
    spamfilter unix - n n - - pipe
      flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter.sh -f ${sender} -- ${recipient}

/etc/postfix/main.cf

    mailbox_command = /usr/bin/procmail -Y -a $DOMAIN

/usr/local/bin/spamfilter.sh:

    #!/bin/bash
    /usr/bin/spamc | /usr/sbin/sendmail -i $@
    exit $?

I can provide the full files if necessary, I removed what I thought was irrelevant to keep this message short.

Any ideas?

Thanks,
Jacob Cord
Re: Postfix-Procmail-Spamassassin duplicate messages
From: Jacob Cord [EMAIL PROTECTED]
> Hi everyone,
>
> I've had an awful time trying to figure this one out on my own, and have been scouring the 'net for someone with a similar problem, but can't find anything.
>
> I'm converting an existing Postfix (2.0.6)/Procmail setup to use SpamAssassin. I installed SpamAssassin via CPAN. I followed Greg Webster's howto at http://www.geekly.com/entries/archives/0155.htm and got things up and running. Then I noticed that for messages tagged as spam, I get two messages delivered for every one received by the system. The headers are identical, I just get two copies of the spam in my inbox. This happens system-wide.
>
> Here are my configuration details:
>
> /etc/mail/spamassassin/local.cf:
>
>     rewrite_header Subject [SPAM]
>     report_safe 2
>     trusted_networks my.ip.addrs.
>     lock_method flock
>     required_score 8.0
>     use_bayes 1
>     bayes_auto_learn 1
>     ok_languages en
>     ok_locales en
>
> /etc/postfix/master.cf
>
>     #services:
>     smtp inet n - n - - smtpd
>       -o content_filter=spamfilter:
>     #interfaces:
>     spamfilter unix - n n - - pipe
>       flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter.sh -f ${sender} -- ${recipient}
>
> /etc/postfix/main.cf
>
>     mailbox_command = /usr/bin/procmail -Y -a $DOMAIN
>
> /usr/local/bin/spamfilter.sh:
>
>     #!/bin/bash
>     /usr/bin/spamc | /usr/sbin/sendmail -i $@
>     exit $?

Why are you not simply running spamc from procmail?

{o.o}
RDJ newbie prob
I've had such good results with SA that I haven't worried about rulesets, updating rulesets etc. Lately I've had a few getting through and decided it must be time to update my rulesets. I've decided to use RDJ, but below is what I get when I run the bash script. Would someone kindly tell me what's probably wrong? I might not really use all the rules below - This was just a trial run of the script. Tnx! - John

# ./rules_du_jour
./rules_du_jour: line 54: TRIPWIRE ANTIDRUG SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 BLACKLIST BLACKLIST_URI RANDOMVAL BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_RATWARE SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER SARE_HEADER0 SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3 SARE_HTML4 SARE_HTML_ENG SARE_SPECIFIC SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2 SARE_OBFU3 SARE_REDIRECT SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_GENLSUBJ SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3 SARE_GENLSUBJ_ENG SARE_HIGHRISK SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG SARE_WHITELIST: command not found
./rules_du_jour: line 54: TRIPWIRE ANTIDRUG SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 BLACKLIST BLACKLIST_URI RANDOMVAL BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_RATWARE SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER SARE_HEADER0 SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3 SARE_HTML4 SARE_HTML_ENG SARE_SPECIFIC SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2 SARE_OBFU3 SARE_REDIRECT SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_GENLSUBJ SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3 SARE_GENLSUBJ_ENG SARE_HIGHRISK SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG SARE_WHITELIST: command not found
exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/spamassassin/RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour 21
curl_output: 304
No files updated; No restart required.
Rules Du Jour Run Summary:RulesDuJour Run Summary on [snip]
#
Re: Razor reporting error
On Mon, Sep 26, 2005 at 01:15:36PM -0700, Ed Kasky wrote:
> FWIW, from here, I see the error in the results from handlespam on every message processed.

Ok, I did some more digging. Apparently in 3.1, we reversed the return code for report_as_spam() to be correct, ie: 1 is ok, 0 is error, which makes things like 'report_as_spam() || die foo' do the right thing.

Feh. Who writes this crap? ;)

Anyway, I put in a few 3.1-related changes into handlespam, which includes a fix for this problem.

http://www.kluge.net/~felicity/random/handlespam.txt

--
Randomly Generated Tagline: Getting impressive titles isn't hard if you work for people without a clue. - Theo about misleading Senior Administrator titles
Rules on the webpage
Hi, Are the rules on the webpage going to be updated ? I had a weird problem on one of my 20 or so servers where the scanning time was 4.x seconds vs 0.8 seconds on most others. Turns out it was the completewhois.com dns lookups failing with input/output errors, timeouts, etc but a search on the tests page didn't show any whois tests (I finally tracked them down with a spamassassin -D and a grep through the /usr/local/share/spamassassin rules), Any reason that the completewhois.com dns tests are enabled by default if the lookup almost never works ? (All my servers show timeouts and input/output errors). Regards, Rick
Re: trusted_networks use
NFN Smith wrote:
> Following up on my own post. I'm still thrashing, and not getting any difference in results.
> ...snip...

Sorry, I just have to ask. Since you're using MIMEDefang... you are remembering to restart (or reload) mimedefang after making your changes, right? and you're making changes to the sa-mimedefang.cf file, right?

alan
Re: Razor reporting error
At 05:32 PM Monday, 9/26/2005, Theo Van Dinter wrote -=
> On Mon, Sep 26, 2005 at 01:15:36PM -0700, Ed Kasky wrote:
> > FWIW, from here, I see the error in the results from handlespam on every message processed.
>
> Ok, I did some more digging. Apparently in 3.1, we reversed the return code for report_as_spam() to be correct, ie: 1 is ok, 0 is error, which makes things like 'report_as_spam() || die foo' do the right thing.
>
> Feh. Who writes this crap? ;)

I dare not touch that one...

> Anyway, I put in a few 3.1-related changes into handlespam, which includes a fix for this problem.
>
> http://www.kluge.net/~felicity/random/handlespam.txt

Seems to report fine now:

(razor) Submitted message to Razor et al

Thanks once again for your contributions...

Ed
. . . . . . . . . . . . . . . . . .
Randomly Generated Quote (335 of 1006): A woman drove me to drink and I never even had the courtesy to thank her.
Re: RDJ newbie prob
Hi John,

First off, did you modify the rules_du_jour script in any way? It appears that it is trying to execute the names of the rulesets as commands. May I see your config file? Are you by chance using this on cygwin?

John Fleming wrote:
> I've had such good results with SA that I haven't worried about rulesets, updating rulesets etc. Lately I've had a few getting through and decided it must be time to update my rulesets. I've decided to use RDJ, but below is what I get when I run the bash script. Would someone kindly tell me what's probably wrong? I might not really use all the rules below - This was just a trial run of the script. Tnx! - John
>
> # ./rules_du_jour
> ./rules_du_jour: line 54: TRIPWIRE ANTIDRUG SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 BLACKLIST BLACKLIST_URI RANDOMVAL BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_RATWARE SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER SARE_HEADER0 SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3 SARE_HTML4 SARE_HTML_ENG SARE_SPECIFIC SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2 SARE_OBFU3 SARE_REDIRECT SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_GENLSUBJ SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3 SARE_GENLSUBJ_ENG SARE_HIGHRISK SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG SARE_WHITELIST: command not found
> ./rules_du_jour: line 54: TRIPWIRE ANTIDRUG SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 BLACKLIST BLACKLIST_URI RANDOMVAL BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_RATWARE SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER SARE_HEADER0 SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3 SARE_HTML4 SARE_HTML_ENG SARE_SPECIFIC SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2 SARE_OBFU3 SARE_REDIRECT SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_GENLSUBJ SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3 SARE_GENLSUBJ_ENG SARE_HIGHRISK SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG SARE_WHITELIST: command not found
> exec: curl -w %{http_code} --compressed -O -R -s -S -z /etc/spamassassin/RulesDuJour/rules_du_jour http://sandgnat.com/rdj/rules_du_jour 21
> curl_output: 304
> No files updated; No restart required.
> Rules Du Jour Run Summary:RulesDuJour Run Summary on [snip]
> #
Surveys
To all, I am running SA 3.0.4 and it has done a great job of blocking most spam. The one thing I still see getting through a lot are survey spam messages. Does anyone else see this problem and if so what rules are you using to combat them. I have most of the SARE Rules on my system. Thanks. Adam
Re: Re[2]: [SARE] rules update
> > > SARE's General Subject rules files and the Whitelist rules files have been updated.
>
> R> I get from --lint:
> R> Failed to run header SpamAssassin tests, skipping some: Global symbol
> R> $C requires explicit package name at
> R> /etc/spamassassin/70_sare_genlsubj_eng.cf, rule SARE_SUB_ACCENT_CHAR,
> R> line 1.
> R> and
> R> Failed to run header SpamAssassin tests, skipping some: Unmatched [ in
> R> regex; marked by -- HERE in m/(?!credit card
> R> (?:bill|declined))(?:(?:
> R> bad|poor|less\W*than\W*perfect|fix\W*your)\W*cr[eC)]d[ -- HERE iC/ at
> R> /etc/spamassassin/70_sare_genlsubj1.cf, rule SARE_SUB_POOR_CREDIT, line
> R> 1.
> R> Serious? Do I disable until fixed?
>
> Serious, yes, but I cannot reproduce these problems. --lint works fine on the files I uploaded from here. How did you retrieve the files? Is it possible you had a line break where none was intended?

That was the problem yes. Thanks very much for the suggestion. The strangeness was that I used identical retrieval methods for about 4 files and only the two mentioned had any issue. In future I shall stick to downloading the files to a local file first rather than display them in a browser window and edit from there to their destination directory.

> Attached are my originals. If you compare these rules with what you have in your download, do you see a difference in line breaks?

Not a line break difference but a slight text difference. Bit strange, but I'll be more rigorous about my download methods now.

thanks again.
r.
RE: Hotmail on sorbs?!? (and eliminating false positives)
--- Herb Martin [EMAIL PROTECTED] wrote:

I am new to postfix and spamassassin, but we are already using greylist, and I liked a lot what you said here. How can I greylist messages by means of RBL checking? How should I setup Postfix to do that? Regards, Carlos.

I am not a Postfix expert, and cannot really call myself an Exim expert either but the strategy goes something like this:

During (various) SMTP ACL (Access Control Lists) run the checks for things like RBL etc (this is easy in Exim) and mark the results (in either an ACL variable or by adding a header.*)

* Header had the disadvantage of requiring the Greylist check to wait until SMTP DATA time where the headers are available when all we really need is SenderIP-FromName-RCPT which are all available by RCPT ACL time.

When you have made all of your checks, and before checking SpamAssassin, run the Greylist on any message that was flagged above -- if the greylist returns true this is where we tempfail (Defer in Exim) the message.

The above can probably be done in Postfix with one or two restriction classes.

http://www.postfix.org/postconf.5.html#smtpd_restriction_classes
http://www.postfix.org/RESTRICTION_CLASS_README.html

I'd be curious to hear if anyone else is using this kind of strategy.

Thanks
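
An added example, not part of the original messages or of any poster's setup: a Python sketch of the strategy described in the two "Hotmail on sorbs" messages above, where only mail flagged by a check (an RBL hit, a HELO/reverse-name mismatch) is greylisted on its From-IP, From-Sender, To-Recipient triplet at RCPT time. The class, the check functions, the delay and lifetime values and the sample addresses are all assumptions constructed for the illustration.

```python
"""Selective greylisting: tempfail only mail that an earlier check flagged."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)
ACCEPT = "accept"
DEFER = "defer"  # SMTP 4xx temporary failure; a real MTA queues and retries


@dataclass
class SelectiveGreylist:
    # name -> check(ip, helo), returning True when the connection looks suspicious
    checks: Dict[str, Callable[[str, str], bool]]
    min_delay: int = 300              # assumed: seconds before a retry is accepted
    triplet_ttl: int = 35 * 86400     # assumed: lifetime of a successful triplet
    whitelist: frozenset = frozenset()  # known-good servers that never resend
    pending: Dict[Triplet, int] = field(default_factory=dict)
    passed: Dict[Triplet, int] = field(default_factory=dict)

    def flags(self, ip: str, helo: str) -> List[str]:
        """Names of the checks this connection tripped."""
        return sorted(n for n, check in self.checks.items() if check(ip, helo))

    def rcpt_decision(self, ip, helo, sender, rcpt, now) -> Tuple[str, str]:
        """Decide at RCPT time; `now` is a Unix timestamp supplied by the caller."""
        if ip in self.whitelist:
            return ACCEPT, "whitelisted server"
        hits = self.flags(ip, helo)
        if not hits:
            # Unflagged mail is never delayed: this is the difference from
            # traditional greylisting, which tempfails every new triplet.
            return ACCEPT, "not flagged; greylist skipped"
        triplet = (ip, sender.lower(), rcpt.lower())
        last_ok = self.passed.get(triplet)
        if last_ok is not None and now - last_ok <= self.triplet_ttl:
            self.passed[triplet] = now  # refresh the "fairly recent" record
            return ACCEPT, "recent successful triplet"
        first = self.pending.setdefault(triplet, now)
        if now - first < self.min_delay:
            return DEFER, "greylisted (" + ",".join(hits) + ")"
        # The sender came back after the delay, so it behaves like a real MTA.
        del self.pending[triplet]
        self.passed[triplet] = now
        return ACCEPT, "retried after delay"


# Constructed sample data using documentation address ranges (not real listings).
SAMPLE_RBL = {"203.0.113.7"}
SAMPLE_PTR = {"192.0.2.10": "mail.example.org",
              "203.0.113.7": "mx.example.net",
              "198.51.100.5": "dsl-5.example.net"}


def rbl_listed(ip, helo):
    """Stand-in for a DNS blocklist lookup (assumption)."""
    return ip in SAMPLE_RBL


def helo_mismatch(ip, helo):
    """Stand-in for a reverse-name versus HELO comparison (assumption)."""
    return SAMPLE_PTR.get(ip, "").lower() != helo.lower()


def demo():
    gl = SelectiveGreylist({"rbl": rbl_listed, "helo_mismatch": helo_mismatch},
                           whitelist=frozenset({"198.51.100.5"}))
    t0 = 1_127_700_000
    listed = ("203.0.113.7", "mx.example.net", "news@example.net", "user@example.com")
    return [
        # Clean server: accepted at once, no delay.
        gl.rcpt_decision("192.0.2.10", "mail.example.org", "a@example.org",
                         "user@example.com", t0),
        gl.rcpt_decision(*listed, t0),           # RBL hit, first attempt
        gl.rcpt_decision(*listed, t0 + 30),      # retry too early
        gl.rcpt_decision(*listed, t0 + 600),     # proper retry
        gl.rcpt_decision(*listed, t0 + 86400),   # next day, same triplet
        # Whitelisted server with a bad HELO: exempt from greylisting.
        gl.rcpt_decision("198.51.100.5", "localhost", "b@example.net",
                         "user@example.com", t0),
    ]


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

A sender that never retries simply stays deferred, so an RBL false positive costs a legitimate server one delay rather than a lost message.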