RE: RulesDuJour; lint fails

2005-09-26 Thread Thijs Koetsier | Exception
Hi Bob,

Thanks for this explanation; It solved my problem.
It turned out in /usr/share/spamassassin a translation-file was causing the
problems.

Cheers,
Thijs

 -----Original Message-----
 From: Robert Menschel [mailto:[EMAIL PROTECTED]
 Sent: Sunday, 25 September 2005 1:46
 To: Thijs Koetsier | Exception
 CC: Fred; users@spamassassin.apache.org
 Subject: Re[2]: RulesDuJour; lint fails
 
 Hello Thijs,
 
 Saturday, September 24, 2005, 12:00:14 AM, you wrote:
 
 TKE To lint spamassassin from the command line has no other effect than
 TKE through RulesDuJour. The same list of errors/warnings shows up as
 TKE mentioned below.
 TKE Since I use a standard (clean) installation with only Tripwire in
 TKE my ruleset for testing, this amount of warnings is a bit big, isn't
 TKE it?
 
 TKE But fixing the errors is exactly what I want to do; I just don't
 TKE know how :(
 
 The errors you're getting are from old, prior version, SpamAssassin
 distribution rules files.
 
 Use spamassassin -D --lint to determine which directories SA is
 looking into, and then scan all those directories for *.cf files.
 You have some old, prior version *.cf files, in a directory that SA
 is scanning, and those no longer lint in the current SA.
 Delete them.
 
 Bob Menschel
 
 
 



Re: Hotmail on sorbs?!? (and eliminating false positives)

2005-09-26 Thread Carlos Zottmann
Hi !!

I am new to postfix and spamassassin, but we are already using
greylist, and I liked a lot what you said here.

How can I greylist messages by means of RBL checking? How should I
setup Postfix to do that?

Regards,
Carlos.

2005/9/24, Herb Martin [EMAIL PROTECTED]:
  From: Kai Schaetzl [mailto:[EMAIL PROTECTED]

  Not sure how you combine that. AFAIR, greylisting is
  tempfailing the first SMTP delivery attempt, correct? Do you
  check the IP with RBLs and then tempfail it? So, you don't
  tempfail *every* connection attempt like traditional
  greylisting does?
 
 

 Exactly -- with the addition that we do this on
 several other criteria than just RBLs.

 This avoids practically all the complaints/negatives*
 against straight greylisting (i.e., traditional
 greylisting) and avoids practically all false positives
 from things like RBLs.

 * 1) Possible Delay of (new) legitimate email
 * 2) Broken legitimate servers which don't resend


 Note that these supposed problems with greylisting
 are largely handled even by straight greylisting
 through the use of whitelists for broken servers
 and small delays (a small delay stops almost as
 many spambots as will a long delay.)

 Also, for those not familiar with greylisting,
 the idea is you only TEMP_REJECT new mail, that
 is mail for which you don't have a fairly recent
 successful triplet:

 From-IP, From-Sender, To-Recipient

 Once greylisting determines that the sending server
 can meet the resend requirement there isn't much point
 to greylisting that server anyway (since it is going
 to meet the  greylist requirements in all probability.)

 Greylisting lets 10% through, so it isn't the final
 solution but it lets you use a LOT OF AGGRESSIVE
 techniques that would normally be dangerous to good
 mail.

 For one, you can use RBLs that would otherwise be
 a terrible risk, or even (grey) block on things like
 host reverse name/helo name mismatch (which will
 LOSE a lot of email otherwise.)

 Pick any good criteria for rejecting email and
 turn it into a good but safe method by using greylisting.

 Also note that having our SMTP server check RBLs and
 then having SpamAssassin score them AGAIN if the mail
 gets through, costs VERY LITTLE:  we run a local caching
 DNS server so those resolutions are only going on the
 net just once.

 --
 Herb Martin





RE: Joe-jobbed...What are my options?

2005-09-26 Thread Pierre Thomson
Michael Monnerie wrote:
 On Sunday, 25 September 2005 01:35 Steve wrote:
 Sorry if this is really simple... any advice would be useful.
 
 Not a lot, but SPF helps for that scenario. See http://spf.pobox.com
 

I agree; SPF is about the only defense.  For the last few days an address in 
one of our low-traffic domains has been joe-jobbed, and our DNS servers show 
hundreds of TXT queries to that domain from all over the world.  Obviously some 
mail servers are checking and (hopefully) rejecting the spam.  And we are 
rejecting bounces to the joe-jobbed address, since it isn't a valid user 
address.

Pierre Thomson
BIC


Re: Bayes_token.myi corrupt

2005-09-26 Thread Theo Van Dinter
On Mon, Sep 26, 2005 at 08:53:41AM -0400, Matthew Yette wrote:
 Over the last week, I've had to repair the bayes_token table twice. Running
 repair table bayes_token; works just fine, but why is this occurring?
 There are currently 1,357,428 rows in it, so it's quite large. Should I be
 running an expire script on it?

It depends what you mean by corrupt.  Do you mean the index file itself is
corrupt, or SA gets confused and shows invalid data?  If the former, you'd
need to talk to mysql about why their db is corrupting itself.  If the latter,
you'll need to give us more information.

-- 
Randomly Generated Tagline:
We are used to a deep-rooted Arab tradition of democracy where results
 are first declared, then elections are conducted and votes brought in
 to affirm it. - Talal Salman, editor of the As-Safir newspaper in Lebanon




Re: [SARE] rules update

2005-09-26 Thread Rolf


On 26/09/2005, at 3:07 PM, Robert Menschel wrote:


SARE's General Subject rules files and the Whitelist rules files have
been updated.



I get from --lint:

Failed to run header SpamAssassin tests, skipping some: Global symbol  
$C requires explicit package name at  
/etc/spamassassin/70_sare_genlsubj_eng.cf, rule SARE_SUB_ACCENT_CHAR,  
line 1.


and

Failed to run header SpamAssassin tests, skipping some: Unmatched [ in  
regex; marked by -- HERE in m/(?!credit card  
(?:bill|declined))(?:(?: 
bad|poor|less\W*than\W*perfect|fix\W*your)\W*cr[eC)]d[ -- HERE iC/ at  
/etc/spamassassin/70_sare_genlsubj1.cf, rule SARE_SUB_POOR_CREDIT, line  
1.



Serious? Do I disable until fixed?

thanks

rolf.


Tasmania Together 5 Year Review:  Have your say :  
http://www.tasmaniatogether.tas.gov.au.



Re: Joe-jobbed...What are my options?

2005-09-26 Thread Michael Monnerie
On Monday, 26 September 2005 15:37 Herb Martin wrote:
 2) Some SMTP servers (but not enough) will check this
 and disallow forged email from those authorized
 servers

Where some is becoming bigger each month. I've seen a lot less 
joe-jobbing tries with our domains during the last months (we use SPF 
over a year now). I can remember receiving 3 e-mails of obviously 
joe-jobbing this year. So SPF helps (especially since even big ISPs 
like AOL use it).

 SPF is the right thing to do -- but the benefits have
 not yet reached their potential.

Yes, but if he implements it, another small brick in the wall makes the 
force bigger :-)

 He must also watch out for sneaky users forwarding their
 email  or using other SMTP servers with their email
 address -- probably such (random) forwarding/sending
 by users will be unauthorized as well.

Yes, that can give headaches - I know it now - but it's worth the 
effort.

Regards, zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




RE: [SARE] rules update

2005-09-26 Thread Herb Martin
 -Original Message-
 From: Rolf [mailto:[EMAIL PROTECTED] 
 Sent: Monday, September 26, 2005 9:18 AM
 To: users@spamassassin.apache.org
 Cc: Robert Menschel
 Subject: Re: [SARE] rules update
 
 
 On 26/09/2005, at 3:07 PM, Robert Menschel wrote:
 
  SARE's General Subject rules files and the Whitelist rules 
 files have 
  been updated.
 
 I get from --lint:
 
 Failed to run header SpamAssassin tests, skipping some: 
 
 and
 
 Failed to run header SpamAssassin tests, skipping some: 

 Serious? Do I disable until fixed?

You didn't give your SpamAssassin version nor actually
mention which whitelist file you used...

There are two new files for (near features in) SpamAssassin
3.10, and the old file for previous versions.

Look on the SARE site and see which ones fit your version
of SpamAssassin.


--
Herb Martin



How to invoke Bayes token expiration

2005-09-26 Thread Brian Wong
I just recently implemented bayes at our site and was wondering how
token expiration works. I thought that since I left the
'bayes_expiry_max_db_size' and 'bayes_auto_expire' to the default
value of 1, that it would automatically expire the tokens. I run
SpamAssassin through amavisd, and found that over the weekend I had
accumulated over 1 million tokens through autolearn. Does auto-expire
only work with the spamd daemon? How would I regularly purge the
database? Cron job with `sa-learn --force-expire`? Thanks.


Re: [SARE] rules update

2005-09-26 Thread Andy Jezierski

Rolf [EMAIL PROTECTED] wrote on 09/26/2005
09:17:49 AM:

 
 On 26/09/2005, at 3:07 PM, Robert Menschel wrote:
 
  SARE's General Subject rules files and the Whitelist rules files have
  been updated.
 
 
 I get from --lint:
 
 Failed to run header SpamAssassin tests, skipping some: Global symbol
 $C requires explicit package name at
 /etc/spamassassin/70_sare_genlsubj_eng.cf, rule SARE_SUB_ACCENT_CHAR,
 line 1.
 
 and
 
 Failed to run header SpamAssassin tests, skipping some: Unmatched [ in
 regex; marked by -- HERE in m/(?!credit card
 (?:bill|declined))(?:(?:
 bad|poor|less\W*than\W*perfect|fix\W*your)\W*cr[eC)]d[ -- HERE iC/ at
 /etc/spamassassin/70_sare_genlsubj1.cf, rule SARE_SUB_POOR_CREDIT, line
 1.
 
 
 Serious? Do I disable until fixed?
 
 thanks
 
 rolf.
 

How did you download it? You may want to try it again.
No errors on my system with that file.

Andy

Razor reporting error

2005-09-26 Thread sargon
I use Theo's excellent handlespam.pl script for reporting spam. Since 
upgrading to SA 3.1 over the weekend, I see this error when I run the 
script:

(razor) Could not report spam to Razor et al!

If I check the Razor log, I see this for the most-recent use of the 
script:

Sep 26 11:01:52.038064 report[62]: [ 5] mail 1.0, eng 4: Server 
accepted report.


It thus appears that the error reported by the script is, in fact, not 
an error. What changed in 3.1 to cause the erroneous reporting error? 
Any ideas on what should be changed in the script to fix it?

Thanks.


Re: Razor reporting error

2005-09-26 Thread Theo Van Dinter
On Mon, Sep 26, 2005 at 11:10:19AM -0500, sargon wrote:
 I use Theo's excellent handlespam.pl script for reporting spam. Since 
 upgrading to SA 3.1 over the weekend, I see this error when I run the 
 script:
 
 (razor) Could not report spam to Razor et al!
 
 If I check the Razor log, I see this for the most-recent use of the 
 script:
 
 Sep 26 11:01:52.038064 report[62]: [ 5] mail 1.0, eng 4: Server 
 accepted report.
 
 It thus appears that the error reported by the script is, in fact, not 
 an error. What changed in 3.1 to cause the erroneous reporting error? 
 Any ideas on what should be changed in the script to fix it?

1) I'm glad you like the script. :)
2) Razor (along with a bunch of other stuff) was moved to be a plugin in 3.1.
3) The version I'm running works fine with Razor. ;)

Do you see the warning every time you try to report?  Does spamassassin
-r on a single message work?  Are you sure the entry corresponds to
the handlespam run?  Is your version different than the one I have up
at http://www.kluge.net/~felicity/random/handlespam.txt ?

-- 
Randomly Generated Tagline:
Don't ever make trouble here, I beat you up each time.
  - From Rumble in the Bronx




Re: Razor reporting error

2005-09-26 Thread sargon
On Monday, 26-September-2005 13:58, Theo Van Dinter wrote:
 On Mon, Sep 26, 2005 at 11:10:19AM -0500, sargon wrote:
  I use Theo's excellent handlespam.pl script for reporting spam.
  Since upgrading to SA 3.1 over the weekend, I see this error when
  I run the script:
 
  (razor) Could not report spam to Razor et al!
 
  If I check the Razor log, I see this for the most-recent use of
  the script:
 
  Sep 26 11:01:52.038064 report[62]: [ 5] mail 1.0, eng 4: Server
  accepted report.
 
  It thus appears that the error reported by the script is, in
  fact, not an error. What changed in 3.1 to cause the erroneous
  reporting error? Any ideas on what should be changed in the
  script to fix it?

 1) I'm glad you like the script. :)
 2) Razor (along with a bunch of other stuff) was moved to be a
 plugin in 3.1. 3) The version I'm running works fine with Razor. ;)

Hmmm. Razor is working here as well, at least according to the 
Razor log. And spamassassin -r -D shows SA reporting to Razor, Pyzor, 
and SpamCop.

I like the plug-in concept of 3.1. Very nice.

 Do you see the warning every time you try to report?  

Yes.

 Does spamassassin -r on a single message work?  

Yes.

[28193] info: reporter: spam reported to Razor

 Are you sure the entry corresponds to the handlespam run?

Yes. Just ran it again and immediately checked the Razor log.

 Is your version different than the one I have up at
 http://www.kluge.net/~felicity/random/handlespam.txt ?

Identical.

Thanks.


Error and slowness

2005-09-26 Thread jose usoz
Hello,

This is my first post to the group. It is the first week I work with
SpamAssassin, and I think I have a problem with my performance...

I run SA 3.1 (upgraded from 3.0.4) with Sylpheed-Claws 1.9.14. Each
message takes around 12 sec. to be processed. I have disabled DCC,
Razor2 and Pyzor. The spamd is running.

In /var/log/mail/errors I have this error: 

Sep 26 21:09:10 delfin spamd[21260]: Can't locate Sys/Hostname/Long.pm
in @INC (@INC
contains: ../lib /usr/lib/perl5/site_perl/5.8.6/i386-linux 
/usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/5.8.6/i386-linux 
/usr/lib/perl5/5.8.6 /usr/lib/perl5/site_perl/5.8.5 
/usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl 
/usr/lib/perl5/vendor_perl/5.8.6/i386-linux /usr/lib/perl5/vendor_perl/5.8.6 
/usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 
/usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 
/usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl)
at /usr/lib/perl5/vendor_perl/5.8.6/Mail/SPF/Query.pm line 328, GEN82
line 83


This error is repeated, with changes in the last words: GEN24 line
159... etc.

I think this is the cause of the slowness. Maybe?

Thanks, and regards,
jose.

-- 
Jose Usoz / Cromosfera
http://www.cromosfera.com


Re: trusted_networks use

2005-09-26 Thread NFN Smith
Following up on my own post.  I'm still thrashing, and not getting any 
difference in results.


NFN Smith wrote:





You really do HAVE to trust all your own mail relays. Anything else is 
just broken.





Agreed.

OK, I've expanded my settings, but I'm still not making any progress.



trusted_networks 64.65.180.91
trusted_networks 10.10.10.141
trusted_networks 68.99.120.79
trusted_networks 24.249.175.230

internal_networks   64.65.180.91
internal_networks   10.10.10.141

whitelist_from_rcvd  [EMAIL PROTECTED] pulsar.lfa.com
whitelist_from_rcvd  [EMAIL PROTECTED] lakecmmtao05.coxmail.com
whitelist_from_rcvd  [EMAIL PROTECTED] wsip-24-249-175-230.ph.ph.cox.net



- pulsar.lfa.com has a public address of 64.65.180.141, and its internal 
IP address is 10.10.10.91


- lacecmmtao05.coxmail.com is 68.99.120.79

- 24.249.175.230 (wsip-24-249-175-230.ph.ph.cox.net) is the network that 
the message is originating from


What else am I missing?


Any chance that I'm missing something different, such as DNS checks not 
running, or some sort of blockage (i.e., firewall)?


Smith



Re: [SARE] rules update

2005-09-26 Thread Chris Thielen

Robert Menschel wrote:


SARE's General Subject rules files and the Whitelist rules files have
been updated.
 




snip
 




Note that RDJ has not yet been updated for these two new files.
 




RDJ is now updated.  The new ruleset names are: SARE_WHITELIST_SPF and 
SARE_WHITELIST_RCVD


Chris Thielen




Re: Razor reporting error

2005-09-26 Thread Ed Kasky

At 11:58 AM Monday, 9/26/2005, Theo Van Dinter wrote -=

On Mon, Sep 26, 2005 at 11:10:19AM -0500, sargon wrote:
 I use Theo's excellent handlespam.pl script for reporting spam. Since
 upgrading to SA 3.1 over the weekend, I see this error when I run the
 script:

 (razor) Could not report spam to Razor et al!


Same here...


 It thus appears that the error reported by the script is, in fact, not
 an error. What changed in 3.1 to cause the erroneous reporting error?
 Any ideas on what should be changed in the script to fix it?

1) I'm glad you like the script. :)
2) Razor (along with a bunch of other stuff) was moved to be a plugin in 3.1.
3) The version I'm running works fine with Razor. ;)

Do you see the warning every time you try to report?  Does spamassassin
-r on a single message work?  Are you sure the entry corresponds to
the handlespam run?  Is your version different than the one I have up
at http://www.kluge.net/~felicity/random/handlespam.txt ?


FWIW, from here, I see the error in the results from handlespam on every 
message processed.


Here's a sample:

Mail From: Jimmy Downey [EMAIL PROTECTED]
Subject  : Buy popular drugs online
SA Status: Yes, score=40.6 required=6.9
Spamtrap?: No
Autorept?: No
(razor) Could not report spam to Razor et al!
(relay) Already did a relay check for 204.60.203.69, skipping
(scopy) Sending spam copies
(archi) Message archived to /home/ed/mail/spammers.


spamassassin -D -r  results:

[17450] info: reporter: spam reported to DCC
[17450] info: reporter: spam reported to Razor
[17450] info: reporter: spam reported to Pyzor
[17540] info: reporter: spam reported to SpamCop

Ed
. . . . . . . . . . . . . . . . . .

I can think of nothing more boring for the American people than to
have to sit in their living rooms for a whole half hour looking at
my face on their television screens.   --Dwight D. Eisenhower



RE: trusted_networks use

2005-09-26 Thread Bowie Bailey
From: NFN Smith [mailto:[EMAIL PROTECTED]
 
 Following up on my own post.  I'm still thrashing, and not 
 getting any 
 difference in results.
 
 NFN Smith wrote:
  
  OK, I've expanded my settings, but I'm still not making any 
  progress.
  
  
  trusted_networks 64.65.180.91
  trusted_networks 10.10.10.141
  trusted_networks 68.99.120.79
  trusted_networks 24.249.175.230
  
  
  internal_networks   64.65.180.91
  internal_networks   10.10.10.141
  
  
  whitelist_from_rcvd  [EMAIL PROTECTED] pulsar.lfa.com
  whitelist_from_rcvd  [EMAIL PROTECTED] lakecmmtao05.coxmail.com
  whitelist_from_rcvd  [EMAIL PROTECTED] wsip-24-249-175-230.ph.ph.cox.net
  
  
  - pulsar.lfa.com has a public address of 64.65.180.141, and its
  internal IP address is 10.10.10.91
  
  - lacecmmtao05.coxmail.com is 68.99.120.79
  
  - 24.249.175.230 (wsip-24-249-175-230.ph.ph.cox.net) is the
  network that the message is originating from
  
  What else am I missing?
 
 Any chance that I'm missing something different, such as DNS checks
 not running, or some sort of blockage (i.e., firewall)?

Oops.  I was going to reply to you this morning and things just got a
bit busy...

Now that you've made those changes, post the headers from another
example email so we can see if anything changed.

Also, you may want to save your email into a file and manually run it
through SA to see what happens.  Just add '-t -D' to the option list
to get debugging output and force a spam report to be added.  This
should let you know if there are any problems running the network
checks.  This will generate quite a bit of output, just scan through
it for anything that looks like an error.

The command line would look like this:
spamassassin -t -D  message.txt

Bowie


Postfix-Procmail-Spamassassin duplicate messages

2005-09-26 Thread Jacob Cord
Hi everyone,

I've had an awful time trying to figure this one out on my own, and have
been scouring the 'net for someone with a similar problem, but can't
find anything.

I'm converting an existing Postfix (2.0.6)/Procmail setup to use
SpamAssassin.  I installed SpamAssassin via CPAN.

I followed Greg Webster's howto at
http://www.geekly.com/entries/archives/0155.htm and got things up
and running.

Then I noticed that for messages tagged as spam, I get two messages
delivered for every one received by the system.  The headers are
identical, I just get two copies of the spam in my inbox.  This happens
system-wide.

Here are my configuration details:

/etc/mail/spamassassin/local.cf:
rewrite_header Subject [SPAM]
report_safe 2
trusted_networks my.ip.addrs.
lock_method flock
required_score 8.0
use_bayes 1
bayes_auto_learn 1
ok_languages en
ok_locales  en

/etc/postfix/master.cf
#services:
smtp inet n - n - - smtpd
  -o content_filter=spamfilter:
#interfaces:
spamfilter unix - n n - - pipe
  flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter.sh -f ${sender} -- ${recipient}

/etc/postfix/main.cf
mailbox_command = /usr/bin/procmail -Y -a $DOMAIN

/usr/local/bin/spamfilter.sh:
#!/bin/bash
/usr/bin/spamc | /usr/sbin/sendmail -i $@
exit $?

I can provide the full files if necessary, I removed what I thought was
irrelevant to keep this message short.

Any ideas?

Thanks,
Jacob Cord




Re: Postfix-Procmail-Spamassassin duplicate messages

2005-09-26 Thread jdow

From: Jacob Cord [EMAIL PROTECTED]


Hi everyone,

I've had an awful time trying to figure this one out on my own, and have
been scouring the 'net for someone with a similar problem, but can't
find anything.

I'm converting an existing Postfix (2.0.6)/Procmail setup to use
SpamAssassin.  I installed SpamAssassin via CPAN.

I followed Greg Webster's howto at
http://www.geekly.com/entries/archives/0155.htm and got things up
and running.

Then I noticed that for messages tagged as spam, I get two messages
delivered for every one received by the system.  The headers are
identical, I just get two copies of the spam in my inbox.  This happens
system-wide.

Here are my configuration details:

/etc/mail/spamassassin/local.cf:
rewrite_header Subject [SPAM]
report_safe 2
trusted_networks my.ip.addrs.
lock_method flock
required_score 8.0
use_bayes 1
bayes_auto_learn 1
ok_languages en
ok_locales  en

/etc/postfix/master.cf
#services:
smtp inet n - n - - smtpd
 -o content_filter=spamfilter:
#interfaces:
spamfilter unix - n n - - pipe
 flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter.sh -f ${sender} -- ${recipient}

/etc/postfix/main.cf
mailbox_command = /usr/bin/procmail -Y -a $DOMAIN

/usr/local/bin/spamfilter.sh:
#!/bin/bash
/usr/bin/spamc | /usr/sbin/sendmail -i $@
exit $?


Why are you not simply running spamc from procmail?
{o.o}




RDJ newbie prob

2005-09-26 Thread John Fleming
I've had such good results with SA that I haven't worried about rulesets, 
updating rulesets etc.  Lately I've had a few getting through and decided it 
must be time to update my rulesets.  I've decided to use RDJ, but below is 
what I get when I run the bash script.  Would someone kindly tell me what's 
probably wrong?  I might not really use all the rules below - This was just 
a trial run of the script.  Tnx!  - John


# ./rules_du_jour
./rules_du_jour: line 54: TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
SARE_EVILNUMBERS1
SARE_EVILNUMBERS2
BLACKLIST
BLACKLIST_URI
RANDOMVAL
BOGUSVIRUS
SARE_ADULT
SARE_FRAUD
SARE_BML
SARE_RATWARE
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_OEM
SARE_RANDOM
SARE_HEADER
SARE_HEADER0
SARE_HEADER1
SARE_HEADER2
SARE_HEADER3
SARE_HEADER_ENG
SARE_HTML
SARE_HTML0
SARE_HTML1
SARE_HTML2
SARE_HTML3
SARE_HTML4
SARE_HTML_ENG
SARE_SPECIFIC
SARE_OBFU
SARE_OBFU0
SARE_OBFU1
SARE_OBFU2
SARE_OBFU3
SARE_REDIRECT
SARE_REDIRECT_POST300
SARE_SPAMCOP_TOP200
SARE_GENLSUBJ
SARE_GENLSUBJ0
SARE_GENLSUBJ1
SARE_GENLSUBJ2
SARE_GENLSUBJ3
SARE_GENLSUBJ_ENG
SARE_HIGHRISK
SARE_UNSUB
SARE_URI0
SARE_URI1
SARE_URI2
SARE_URI3
SARE_URI_ENG
SARE_WHITELIST: command not found
./rules_du_jour: line 54: TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
SARE_EVILNUMBERS1
SARE_EVILNUMBERS2
BLACKLIST
BLACKLIST_URI
RANDOMVAL
BOGUSVIRUS
SARE_ADULT
SARE_FRAUD
SARE_BML
SARE_RATWARE
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_OEM
SARE_RANDOM
SARE_HEADER
SARE_HEADER0
SARE_HEADER1
SARE_HEADER2
SARE_HEADER3
SARE_HEADER_ENG
SARE_HTML
SARE_HTML0
SARE_HTML1
SARE_HTML2
SARE_HTML3
SARE_HTML4
SARE_HTML_ENG
SARE_SPECIFIC
SARE_OBFU
SARE_OBFU0
SARE_OBFU1
SARE_OBFU2
SARE_OBFU3
SARE_REDIRECT
SARE_REDIRECT_POST300
SARE_SPAMCOP_TOP200
SARE_GENLSUBJ
SARE_GENLSUBJ0
SARE_GENLSUBJ1
SARE_GENLSUBJ2
SARE_GENLSUBJ3
SARE_GENLSUBJ_ENG
SARE_HIGHRISK
SARE_UNSUB
SARE_URI0
SARE_URI1
SARE_URI2
SARE_URI3
SARE_URI_ENG
SARE_WHITELIST: command not found
exec: curl -w %{http_code} --compressed -O -R -s -S -z 
/etc/spamassassin/RulesDuJour/rules_du_jour 
http://sandgnat.com/rdj/rules_du_jour 21

curl_output: 304
No files updated; No restart required.





Rules Du Jour Run Summary:RulesDuJour Run Summary on [snip]
#




Re: Razor reporting error

2005-09-26 Thread Theo Van Dinter
On Mon, Sep 26, 2005 at 01:15:36PM -0700, Ed Kasky wrote:
 FWIW, from here, I see the error in the results from handlespam on every 
 message processed.

Ok, I did some more digging.  Apparently in 3.1, we reversed the return code
for report_as_spam() to be correct, ie: 1 is ok, 0 is error, which
makes things like 'report_as_spam() || die foo' do the right thing.

Feh.  Who writes this crap?  ;)

Anyway, I put in a few 3.1-related changes into handlespam, which includes
a fix for this problem.  http://www.kluge.net/~felicity/random/handlespam.txt

-- 
Randomly Generated Tagline:
Getting impressive titles isn't hard if you work for people without a clue.
 - Theo about misleading Senior Administrator titles




Rules on the webpage

2005-09-26 Thread Rick Macdougall

Hi,

Are the rules on the webpage going to be updated ?

I had a weird problem on one of my 20 or so servers where the scanning 
time was 4.x seconds vs 0.8 seconds on most others.


Turns out it was the completewhois.com dns lookups failing with 
input/output errors, timeouts, etc but a search on the tests page didn't 
show any whois tests (I finally tracked them down with a spamassassin -D 
and a grep through the /usr/local/share/spamassassin rules),


Any reason that the completewhois.com dns tests are enabled by default 
if the lookup almost never works ?  (All my servers show timeouts and 
input/output errors).


Regards,

Rick



Re: trusted_networks use

2005-09-26 Thread Alan Premselaar

NFN Smith wrote:
Following up on my own post.  I'm still thrashing, and not getting any 
difference in results.



...snip...

Sorry, I just have to ask.  Since you're using MIMEDefang... you are 
remembering to restart (or reload) mimedefang after making your changes, 
right?  and you're making changes to the sa-mimedefang.cf file, right?


alan


Re: Razor reporting error

2005-09-26 Thread Ed Kasky

At 05:32 PM Monday, 9/26/2005, Theo Van Dinter wrote -=

On Mon, Sep 26, 2005 at 01:15:36PM -0700, Ed Kasky wrote:
 FWIW, from here, I see the error in the results from handlespam on every
 message processed.

Ok, I did some more digging.  Apparently in 3.1, we reversed the return code
for report_as_spam() to be correct, ie: 1 is ok, 0 is error, which
makes things like 'report_as_spam() || die foo' do the right thing.

Feh.  Who writes this crap?  ;)


I dare not touch that one...


Anyway, I put in a few 3.1-related changes into handlespam, which includes
a fix for this problem.  http://www.kluge.net/~felicity/random/handlespam.txt


Seems to report fine now:

(razor) Submitted message to Razor et al

Thanks once again for your contributions...

Ed

. . . . . . . . . . . . . . . . . .
Randomly Generated Quote (335 of 1006):
A woman drove me to drink and I never even had
the courtesy to thank her.



Re: RDJ newbie prob

2005-09-26 Thread Chris Thielen

Hi John,

First off, did you modify the rules_du_jour script in any way?  It 
appears that it is trying to execute the names of the rulesets as 
commands.  May I see your config file?  Are you by chance using this on 
cygwin?


John Fleming wrote:

I've had such good results with SA that I haven't worried about 
rulesets, updating rulesets etc.  Lately I've had a few getting 
through and decided it must be time to update my rulesets.  I've 
decided to use RDJ, but below is what I get when I run the bash 
script.  Would someone kindly tell me what's probably wrong?  I might 
not really use all the rules below - This was just a trial run of the 
script.  Tnx!  - John


# ./rules_du_jour
./rules_du_jour: line 54: TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
SARE_EVILNUMBERS1
SARE_EVILNUMBERS2
BLACKLIST
BLACKLIST_URI
RANDOMVAL
BOGUSVIRUS
SARE_ADULT
SARE_FRAUD
SARE_BML
SARE_RATWARE
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_OEM
SARE_RANDOM
SARE_HEADER
SARE_HEADER0
SARE_HEADER1
SARE_HEADER2
SARE_HEADER3
SARE_HEADER_ENG
SARE_HTML
SARE_HTML0
SARE_HTML1
SARE_HTML2
SARE_HTML3
SARE_HTML4
SARE_HTML_ENG
SARE_SPECIFIC
SARE_OBFU
SARE_OBFU0
SARE_OBFU1
SARE_OBFU2
SARE_OBFU3
SARE_REDIRECT
SARE_REDIRECT_POST300
SARE_SPAMCOP_TOP200
SARE_GENLSUBJ
SARE_GENLSUBJ0
SARE_GENLSUBJ1
SARE_GENLSUBJ2
SARE_GENLSUBJ3
SARE_GENLSUBJ_ENG
SARE_HIGHRISK
SARE_UNSUB
SARE_URI0
SARE_URI1
SARE_URI2
SARE_URI3
SARE_URI_ENG
SARE_WHITELIST: command not found
./rules_du_jour: line 54: TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
SARE_EVILNUMBERS1
SARE_EVILNUMBERS2
BLACKLIST
BLACKLIST_URI
RANDOMVAL
BOGUSVIRUS
SARE_ADULT
SARE_FRAUD
SARE_BML
SARE_RATWARE
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_OEM
SARE_RANDOM
SARE_HEADER
SARE_HEADER0
SARE_HEADER1
SARE_HEADER2
SARE_HEADER3
SARE_HEADER_ENG
SARE_HTML
SARE_HTML0
SARE_HTML1
SARE_HTML2
SARE_HTML3
SARE_HTML4
SARE_HTML_ENG
SARE_SPECIFIC
SARE_OBFU
SARE_OBFU0
SARE_OBFU1
SARE_OBFU2
SARE_OBFU3
SARE_REDIRECT
SARE_REDIRECT_POST300
SARE_SPAMCOP_TOP200
SARE_GENLSUBJ
SARE_GENLSUBJ0
SARE_GENLSUBJ1
SARE_GENLSUBJ2
SARE_GENLSUBJ3
SARE_GENLSUBJ_ENG
SARE_HIGHRISK
SARE_UNSUB
SARE_URI0
SARE_URI1
SARE_URI2
SARE_URI3
SARE_URI_ENG
SARE_WHITELIST: command not found
exec: curl -w %{http_code} --compressed -O -R -s -S -z 
/etc/spamassassin/RulesDuJour/rules_du_jour 
http://sandgnat.com/rdj/rules_du_jour 21

curl_output: 304
No files updated; No restart required.





Rules Du Jour Run Summary:RulesDuJour Run Summary on [snip]
#









Surveys

2005-09-26 Thread Adam Osterholt


To all,

I am running SA 3.0.4 and it has done a great job of blocking most spam. The one thing I still see getting through a lot are survey spam messages. Does anyone else see this problem and if so what rules are you using to combat them. I have most of the SARE Rules on my system. Thanks.

Adam


Re: Re[2]: [SARE] rules update

2005-09-26 Thread Rolf

SARE's General Subject rules files and the Whitelist rules files have
been updated.


R I get from --lint:

R Failed to run header SpamAssassin tests, skipping some: Global symbol
R $C requires explicit package name at
R /etc/spamassassin/70_sare_genlsubj_eng.cf, rule SARE_SUB_ACCENT_CHAR,
R line 1.

R and

R Failed to run header SpamAssassin tests, skipping some: Unmatched [ in
R regex; marked by -- HERE in m/(?!credit card
R (?:bill|declined))(?:(?:
R bad|poor|less\W*than\W*perfect|fix\W*your)\W*cr[eC)]d[ -- HERE iC/ at
R /etc/spamassassin/70_sare_genlsubj1.cf, rule SARE_SUB_POOR_CREDIT, line
R 1.

R Serious? Do I disable until fixed?

Serious, yes, but I cannot reproduce these problems.  --lint works
fine on the files I uploaded from here.

How did you retrieve the files?  Is it possible you had a line break
where none was intended?


That was the problem yes.  Thanks very much for the suggestion. The 
strangeness was that I used identical retrieval methods for about 4 
files and only the two mentioned had any issue.  In future I shall 
stick to downloading the files to a local file first rather than 
display them in a browser window and edit from there to their 
destination directory.



Attached are my originals. If you compare these rules with what you
have in your download, do you see a difference in line breaks?


Not a line break difference but a slight text difference.  Bit strange, 
but I'll be more rigorous about my download methods now.


thanks again.

r.





RE: Hotmail on sorbs?!? (and eliminating false positives)

2005-09-26 Thread email builder


--- Herb Martin [EMAIL PROTECTED] wrote:

  I am new to postfix and spamassassin, but we are already 
  using greylist, and I liked a lot what you said here.
  
  How can I greylist messages by means of RBL checking? How 
  should I setup Postfix to do that?
  
  Regards,
  Carlos.
 
 I am not a Postfix expert, and cannot really call myself
 an Exim expert either but the strategy goes something like
 this:
 
 During (various) SMTP ACL (Access Control Lists) run the
 checks for things like RBL etc (this is easy in Exim) and
 mark the results (in either an ACL variable or by adding
 a header.*)
 
 * Header had the disadvantage of requiring the Greylist
 check to wait until SMTP DATA time where the headers
 are available when all we really need is 
 SenderIP-FromName-RCPT which are all available by 
 RCPT ACL time.
 
 When you have made all of your checks, and before checking
 SpamAssassin, run the Greylist on any message that was
 flagged above -- if the greylist returns true this is
 where we tempfail (Defer in Exim) the message.

The above can probably be done in Postfix with one or two restriction
classes. 

http://www.postfix.org/postconf.5.html#smtpd_restriction_classes
http://www.postfix.org/RESTRICTION_CLASS_README.html

I'd be curious to hear if anyone else is using this kind of strategy.

Thanks
