RE: best of RBLs without the FPs

2005-09-27 Thread email builder
 But again, since almost no legitimate email is ever
 greylisted only almost nothing DESIRABLE EVER gets 
 delayed.  

So you ONLY greylist what the RBLs tell you is on their list?  Maybe I need
to go back and re-read your original email, which I skimmed perhaps too
lightly... because even back in the day before we used greylisting (we use
straight), and only had something like four RBLs rejecting mail outright,
we still saw a lot of spam getting through (for SA to score).  So I just
can't imagine that selective greylisting of whatever is on the RBLs will
catch nearly as much as you'd want it to.  What are your other mechanisms for
tempfailing beside RBL?





Re: enabable x-spam-report in all emails ham or spam

2005-09-27 Thread Keith Amling
 Fascinating the man page seems to indicate this is not one of the options
 for add_header. They mention other headers but not Report. I guess you
 found a cheat.
What is not one of the options?  'add_header', 'all', and '_REPORT_' are all
mentioned directly in the perldoc for Conf.  How is my suggestion a 'cheat'?

 {^_^}
Keith


RE: best of RBLs without the FPs

2005-09-27 Thread email builder


--- email builder [EMAIL PROTECTED] wrote:

  But again, since almost no legitimate email is ever
  greylisted only almost nothing DESIRABLE EVER gets 
  delayed.  
 
 So you ONLY greylist what the RBLs tell you is on their list?  Maybe I need
 to go back and re-read your original email, which I skimmed perhaps too
 lightly... because even back in the day before we used greylisting (we use
 straight), and only had something like four RBLs rejecting mail outright,
 we still saw a lot of spam getting through (for SA to score).  So I just
 can't imagine that selective greylisting of whatever is on the RBLs will
 catch nearly as much as you'd want it to.  What are your other mechanisms
 for
 tempfailing beside RBL?

Sorry, your subsequent emails answered this -- SA seems to be the other tool
that pushes a message into the greylist zone.  With these two (two right? 
not any more?) tools driving your greylisting, I'm curious how many
(suspicious) mails make it to your spam buckets (or even to your inbox)?




Re: Hotmail on sorbs?!? (and eliminating false positives)

2005-09-27 Thread Michael Monnerie
On Tuesday, 27 September 2005 07:51 email builder wrote:
 The above can probably be done in Postfix with one or two restriction
 classes.

 http://www.postfix.org/postconf.5.html#smtpd_restriction_classes
 http://www.postfix.org/RESTRICTION_CLASS_README.html

 I'd be curious to hear if anyone else is using this kind of strategy.

I could also imagine this:
http://www.postfix.org/SMTPD_POLICY_README.html

But I'm missing something like
smtpd_sender_restrictions = mark_rbl_client ...
client_marked = greylist

currently, we can only
smtpd_sender_restrictions = reject_rbl_client ...

But that reject we want to NOT do.

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




Re: Error and slowness

2005-09-27 Thread Michael Monnerie
On Monday, 26 September 2005 21:18 jose usoz wrote:
 Sep 26 21:09:10 delfin spamd[21260]: Can't locate
 Sys/Hostname/Long.pm

Maybe that module is missing? Install with
cpan -i Sys::Hostname::Long

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




RE: Personal Rule

2005-09-27 Thread Mike Spamassassin
This is working pretty well so far.
Thanks for your help with this.

I would like to enhance it to cater for the situations where I am not in
the To address (e.g. I am in CC: to Bcc: or the mailing list
situation).

How would I do a test of the form:

If To: email address contains ernstoff.net then check for To: real name
contains Mike or Michael or is blank?

 From: Mike Spamassassin [mailto:[EMAIL PROTECTED]

  From: Mike Spamassassin [mailto:[EMAIL PROTECTED]
 
  I have seen a rule to identify that the From address does not
  have a real name, which I presume is the description (i.e. in
  my case Mike Spamassassin).  I would like to have a rule which
  identifies emails where the To address does not contain either
  Mike or Michael.  Has anyone created a similar rule, or can
  anyone point me in the right direction.
 
  As has been pointed out before, this is generally a bad idea.
  There are lots of newsletters and mailing lists (including this
  one) that do not put your name in the To field.
 
  If you want to try it, you can use a rule such as this:
 
  header NOT_MY_NAME To:name !~ /\b(?:Mike|Michael)\b/i
  score NOT_MY_NAME 0.5
  describe NOT_MY_NAME To does not contain Mike or Michael
 
  Adjust the score to your liking.  Don't put it too high until you
  are sure it's not going to produce too many false positives.
 
  If you do this, you may need to whitelist some of your mailing
  lists and newsletters.

 Thanks for your help.
 I will try this out, and see how it goes.
 Presumably it could be amended to check for Mike, Michael or blank to
 avoid the problem you mentioned.
 I will look up the regular expression syntax and see if I can
 suss it out.

 I'm not quite sure how to check for the absence of a real name.  I
 guess I could go find the rule that checks the From line, but I'm too
 lazy at the moment. :)

 This might work:

 header NOT_MY_NAME To:name !~ /\b(?:Mike|Michael)\b|^$/i

 It is still susceptible to false positives, tho.  How about this
 example:

 To: Mailing List [EMAIL PROTECTED]

 Since SA uses Perl regular expressions, these two pages may be useful:

 Perl Regular Expressions Quick Start
 http://perldoc.perl.org/perlrequick.html

 Perl Regular Expressions Tutorial
 http://perldoc.perl.org/perlretut.html

 Bowie






Re: Personal Rule

2005-09-27 Thread Loren Wilton
 I would like to enhance it to cater for the situations where I am not in
 the To address (e.g. I am in CC: to Bcc: or the mailing list
 situation).

BCC you aren't going to get, by definition.  It isn't there to get.

To check in both to and cc, use ToCc instead of To as the header to test.


 How would I do a test of the form:

 If To: email address contains ernstoff.net then check for To: real name
 contains Mike or Michael or is blank?

It's pretty gruesome because there are about a dozen different valid email
address formats, for instance:

Joe Fudge [EMAIL PROTECTED]
Joe Fudge [EMAIL PROTECTED]
Joe Fudge [EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

(Modulo whatever wonderful reformatting OE has decided to do for me on those
text lines.)

Loren




RE: best of RBLs without the FPs

2005-09-27 Thread Herb Martin
 Sorry, your subsequent emails answered this -- SA seems to be 
 the other tool that pushes a message into the greylist zone.  
 With these two (two right? 
 not any more?) tools driving your greylisting, ...

Some other things like SPF fail or softfail too.
(Too many people try to BLOCK on SPF softfail
but at least in theory it is safe to block on
SPF softfail.)

Most two-letter country codes IF the HELO name 
doesn't validate, things like that.

Anything that looks like a dial/dynamic address,
although many people would just block on these.
The point is you can send anything through 
greylisting and virtually eliminate ANY false
positives.  

But a low false positive rate mechanism through 
the greylist method means that it makes a good
method great in terms of avoiding FPs and lets
about 9-10% through.

 I'm curious how many
 (suspicious) mails make it to your spam buckets (or even to 
 your inbox)?

We are not a big system, a few thousand mails a day
and about 60% WERE spam before instituting this
method.  90% of the spam never reaches SA so we are
down from like 1000-1500 spams (received) per day
to about 100 or so that we must review.  These are
not exact figures and might be off by 50% or so (low
probably), but the percentage is correct.

And (I didn't mention) that our users have SpamBayes
on their system so if anything gets through it is
almost always caught there -- and we have them
forward as attachment back to a SPam/Ham reporting
address.

--
Herb Martin

 -Original Message-
 From: email builder [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, September 27, 2005 1:54 AM
 To: users@spamassassin.apache.org
 Subject: RE: best of RBLs without the FPs
 
 
 
 --- email builder [EMAIL PROTECTED] wrote:
 
   But again, since almost no legitimate email is ever 
 greylisted only 
   almost nothing DESIRABLE EVER gets delayed.
  
  So you ONLY greylist what the RBLs tell you is on their 
 list?  Maybe I 
  need to go back and re-read your original email, which I skimmed 
  perhaps too lightly... because even back in the day before we used 
  greylisting (we use straight), and only had something 
 like four RBLs 
  rejecting mail outright, we still saw a lot of spam getting through 
  (for SA to score).  So I just can't imagine that selective 
 greylisting 
  of whatever is on the RBLs will catch nearly as much as 
 you'd want it 
  to.  What are your other mechanisms for tempfailing beside RBL?
 
 
 



Problem with autolearn after update

2005-09-27 Thread Muenz, Michael
Dear List,

I was running SA 3.0.4 with amavisd-new 2.2.1 without
any problems. To use SA 3.1.0 I've updated my amavis
to 2.3.3 and now (with 3.0.4) I see these lines in my logs:

Sep 27 11:14:38 sns amavis[14103]: (14103-01-11) SPAM, [EMAIL PROTECTED] -
[EMAIL PROTECTED], Yes, score=28.285 tag=2.5 tag2=5.5 kill=5.5
tests=[BAYES_99=5.1, FORGED_MUA_OUTLOOK=1, FORGED_OUTLOOK_HTML=0.629,
FORGED_OUTLOOK_TAGS=0.074, FROM_ENDS_IN_NUMS=0.2, FROM_ILLEGAL_CHARS=0.008,
HEAD_ILLEGAL_CHARS=2.125, HTML_FONT_BIG=0.142, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.137, MIME_BOUND_DD_DIGITS=4.139,
MIME_HTML_ONLY=0.177, MIME_HTML_ONLY_MULTI=2.443,
MIME_QP_LONG_LINE=0.039, MISSING_MIMEOLE=0.012, MPART_ALT_DIFF=0.066,
MSGID_SPAM_CAPS=3.791, MSGID_YAHOO_CAPS=3.8, RCVD_NUMERIC_HELO=1.248,
SUBJ_ILLEGAL_CHARS=2.854, X_PRIORITY_HIGH=0.3], autolearn=no,
quarantine lIryibYzE0NF (spam-quarantine)

I've set in local.cf  bayes_auto_learn_threshold_spam 10.0
and now I'm wondering why it says autolearn=no?!
With 2.2.1 this value wasn't displayed, so don't know if this
behaviour is default.

And there's a second point keeps me away from updating
to 3.1.0:
I've set in local.cf  bayes_expiry_max_db_size 20,
which should be a size about 10MB. But look at my files:
168148992 Sep 27 11:25 auto-whitelist
14136 Sep 27 11:25 bayes_journal
167034880 Sep 27 11:25 bayes_seen
5324800 Sep 27 11:25 bayes_toks

A force-expire doesn't help. (I'm using DB_File 1.75)
Any ideas?
Thx

Michael



Re: Error and slowness

2005-09-27 Thread jose usoz
  Sep 26 21:09:10 delfin spamd[21260]: Can't locate
  Sys/Hostname/Long.pm
 
 Maybe that module is missing? Install with
 cpan -i Sys::Hostname::Long

Thanks Michael! Installed the module, and until now, one hour
running without this error.

Thanks and saludos,
jose.

-- 
Jose Usoz / Cromosfera
http://www.cromosfera.com


Re: enabable x-spam-report in all emails ham or spam

2005-09-27 Thread jdow

From: Keith Amling [EMAIL PROTECTED]


Fascinating the man page seems to indicate this is not one of the options
for add_header. They mention other headers but not Report. I guess you
found a cheat.
What is not one of the options?  'add_header', 'all', and '_REPORT_' are 
all
mentioned directly in the perldoc for Conf.  How is my suggestion a 
'cheat'?



{^_^}


I was looking for Report in and around add_header on the 3.04 docs
I have here.
{^_^} 





Pb with 3.1 and URIDNSBL

2005-09-27 Thread Rainer Sokoll
Hi,

on a fresh 3.1.0 running under perl 5.8.7, I get

-8
Argument 127.0.0.3 isn't numeric in bitwise or (|) at
/usr/local/perl-5.8.7/lib/site_perl/5.8.7/Mail/SpamAssassin/Plugin/URIDNSBL.pm
line 614
-8

I run my own blacklist, for that reason I have in
/etc/mail/spamassassin/local.cf:

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub  INTERSHOP_URI_RBL spam.uri.intershop.de.  A  127.0.0.3
body   INTERSHOP_URI_RBL eval:check_uridnsbl('INTERSHOP_URI_RBL')
describe   INTERSHOP_URI_RBL Contains a host listed in Intershops URI blocklist
score  INTERSHOP_URI_RBL 3.2
endif

Linting the rules gives no error.
Does anyone have a hint for me?

Thanks,
Rainer


Re: Rules on the webpage

2005-09-27 Thread Matt Kettler

At 08:34 PM 9/26/2005, Rick Macdougall wrote:

Hi,

Are the rules on the webpage going to be updated ?


Eventually, yes.. However, I'd never suggest relying on the tests page on 
the SA website to mean anything. Sometimes it gets updated before a new 
release, sometimes after.



I had a weird problem on one of my 20 or so servers where the scanning 
time was 4.x seconds vs 0.8 seconds on most others.


Turns out it was the completewhois.com dns lookups failing with 
input/output errors, timeouts, etc but a search on the tests page didn't 
show any whois tests (I finally tracked them down with a spamassassin -D 
and a grep through the /usr/local/share/spamassassin rules),


Any reason that the completewhois.com dns tests are enabled by default if 
the lookup almost never works ?  (All my servers show timeouts and 
input/output errors).


Really? looks to me like it works, but some of their servers are down.

From www.dnsstuff.com I tested it:

Searching for 94.141.39.208.combined-HIB.dnsiplists.completewhois.com A 
record at m.root-servers.net [202.12.27.33]: Got referral to 
J.GTLD-SERVERS.NET. [took 182 ms]
Searching for 94.141.39.208.combined-HIB.dnsiplists.completewhois.com A 
record at J.GTLD-SERVERS.NET. [192.48.79.30]: Got referral to 
dns3.elan.net. [took 198 ms]
Searching for 94.141.39.208.combined-HIB.dnsiplists.completewhois.com A 
record at dns3.elan.net. [64.68.0.1]: Timed out.  Trying again.
Searching for 94.141.39.208.combined-HIB.dnsiplists.completewhois.com A 
record at dns1.completewhois.com. [216.151.192.222]: Reports that no A 
records exist. [took 129 ms]


Looks to work, although the one server didn't answer, the next one did.



Re: Rules on the webpage

2005-09-27 Thread Rick Macdougall

Matt Kettler wrote:


At 08:34 PM 9/26/2005, Rick Macdougall wrote:

Turns out it was the completewhois.com dns lookups failing with 
input/output errors, timeouts, etc but a search on the tests page 
didn't show any whois tests (I finally tracked them down with a 
spamassassin -D and a grep through the /usr/local/share/spamassassin 
rules),


Any reason that the completewhois.com dns tests are enabled by 
default if the lookup almost never works ?  (All my servers show 
timeouts and input/output errors).



Really? looks to me like it works, but some of their servers are down.

From www.dnsstuff.com I tested it:

Searching for 94.141.39.208.combined-HIB.dnsiplists.completewhois.com 
A record at m.root-servers.net [202.12.27.33]: Got referral to 
J.GTLD-SERVERS.NET. [took 182 ms]
Searching for 94.141.39.208.combined-HIB.dnsiplists.completewhois.com 
A record at J.GTLD-SERVERS.NET. [192.48.79.30]: Got referral to 
dns3.elan.net. [took 198 ms]
Searching for 94.141.39.208.combined-HIB.dnsiplists.completewhois.com 
A record at dns3.elan.net. [64.68.0.1]: Timed out.  Trying again.
Searching for 94.141.39.208.combined-HIB.dnsiplists.completewhois.com 
A record at dns1.completewhois.com. [216.151.192.222]: Reports that no 
A records exist. [took 129 ms]


Looks to work, although the one server didn't answer, the next one did.

Interesting, on all of my servers I see Input/Output errors.  Maybe 
related to dnscache rather than using bind ?  I'll run some internal 
tests and see.


Rick



Spamassassin 2.63/dcc-1.3.15 issue

2005-09-27 Thread Shelley Waltz
I have installed dcc-1.3.15 and added public servers to the map, opened
the firewall udp port and tested dccproc and it works fine,
reporting back the server id, and body and fuz scores.

I added the following to /etc/mail/spamassassin/local.cf

add_header all DCC _DCCB_: _DCCR_
use_dcc 1
dcc_add_header 1
dcc_timeout 20
dcc_home /var/dcc
dcc_path /usr/local/bin/dccproc

I have tested using
spamassassin -D  /tmp/spam/spam_message
but spamassassin does not call or have any references to DCC anything
in the output.
debug: Final PATH set to:
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin
debug: using /usr/share/spamassassin for default rules dir
debug: using /etc/mail/spamassassin for site rules dir
debug: using /root/.spamassassin for user state dir
debug: using /root/.spamassassin/user_prefs for user prefs file

dccproc is in /usr/local/bin



Did I miss something?  How can I test or debug the use of DCC with
spamassassin?

{ Shelley Waltz;
  Center for Advanced Biotechnology and Medicine;
  Rutgers University/UMDNJ;
  679 Hoes Lane;
  Piscataway, NJ 08854;
  732 235 3346 }


Re: Problem with autolearn after update

2005-09-27 Thread Muenz, Michael
 Because autolearning as spam is not as simple as 28.2 > 10.
 
 1)  Autolearning is NOT determined by the normal message score. It's 
 determined by the score it would have gotten if bayes was disabled. This 
 includes changing the scoreset, so you have to re-add everything. The 
 difference can be really huge.

Oh .. ok .. thanks. Now it's clear. 
I think I'm ready to update to 3.1.0, but last question:
I want to update from DB_File 1.75 to 1.811. Will there be 
any problem with the current bayes db? Will I have to backup
and restore it manually? I don't want to lose the db ...

Thx


Michael



Re: Problem with autolearn after update

2005-09-27 Thread Michael Monnerie
On Tuesday, 27 September 2005 17:00 Muenz, Michael wrote:
 Will I have to backup
 and restore it manually? I don't want to lose the db ...

Should be no problem, but always make a backup anyway :-)

db_dump -f where_to_store1 bayes_db_seen
db_dump -f where_to_store2 bayes_db_toks

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




Re: Spamassassin 2.63/dcc-1.3.15 issue

2005-09-27 Thread Matt Kettler

At 11:01 AM 9/27/2005, Shelley Waltz wrote:

and it now works.  I set it low for testing.  DCC is not called at all
if this is set to zero.


Correct. *Any* rule with an explicit 0 score will not be evaluated at all 
by SA.


This winds up being a quick and easy way to disable a DNSBL if it becomes 
unresponsive, without having to turn off all the other RBLs. 



Re: tests = none

2005-09-27 Thread Theo Van Dinter
On Tue, Sep 27, 2005 at 05:45:04PM +0200, Jim Knuth wrote:
 The headers show the following
 
 X-Spam-Status: No, score=0 tagged_above=-.9 required=4 tests=[none]
 X-Spam-Score: 0
 
 Or should I arrange the question of the amavis list?

It depends, is that every message (then yes, ask the amavis list,) or is it
only a certain type of message?  There are messages that come in that don't
hit rules, but all messages without hits generally means a programmatic/config
error.

-- 
Randomly Generated Tagline:
Inoculatte: To take coffee intravenously when you are running late.
 - Washington Post




Re: RDJ newbie prob

2005-09-27 Thread John Fleming
Thanks, Chris.  I'm sure this is something trivial - I've had it working in 
the past!

Here's my /etc/rulesdujour/config

TRUSTED_RULESETS=
TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
SARE_EVILNUMBERS1
SARE_EVILNUMBERS2
BLACKLIST
BLACKLIST_URI
RANDOMVAL
BOGUSVIRUS
SARE_ADULT
SARE_FRAUD
SARE_BML
SARE_RATWARE
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_OEM
SARE_RANDOM
SARE_HEADER
SARE_HEADER0
SARE_HEADER1
SARE_HEADER2
SARE_HEADER3
SARE_HEADER_ENG
SARE_HTML
SARE_HTML0
SARE_HTML1
SARE_HTML2
SARE_HTML3
SARE_HTML4
SARE_HTML_ENG
SARE_SPECIFIC
SARE_OBFU
SARE_OBFU0
SARE_OBFU1
SARE_OBFU2
SARE_OBFU3
SARE_REDIRECT
SARE_REDIRECT_POST300
SARE_SPAMCOP_TOP200
SARE_GENLSUBJ
SARE_GENLSUBJ0
SARE_GENLSUBJ1
SARE_GENLSUBJ2
SARE_GENLSUBJ3
SARE_GENLSUBJ_ENG
SARE_HIGHRISK
SARE_UNSUB
SARE_URI0
SARE_URI1
SARE_URI2
SARE_URI3
SARE_URI_ENG
SARE_WHITELIST;



I didn't change anything in the script itself, as those directories etc were 
appropriate.  I assume the config settings override what's in the script.


Thanks - John



Re: RDJ newbie prob

2005-09-27 Thread Chris Thielen

John Fleming wrote:

Thanks, Chris.  I'm sure this is something trivial - I've had it 
working in the past!

Here's my /etc/rulesdujour/config



John, I think this is simply due to the TRUSTED_RULESETS= being on a 
separate line.


You have:
TRUSTED_RULESETS=
TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
...

Try it like this:
TRUSTED_RULESETS=TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0


Chris Thielen




RE: Personal Rule

2005-09-27 Thread Bowie Bailey
From: Mike Spamassassin [mailto:[EMAIL PROTECTED]
 
 This is working pretty well so far.
 Thanks for your help with this.
 
 I would like to enhance it to cater for the situations where I am
 not in the To address (e.g. I am in CC: to Bcc: or the mailing
 list situation).
 
 How would I do a test of the form:
 
 If To: email address contains ernstoff.net then check for To: real
 name contains Mike or Michael or is blank?

That is a bit more complex.  Meta rules may be the best way to go
here.

# Sub-rule names take a double-underscore prefix so they are not scored separately
header __TO_MYEMAIL To:addr =~ /ernstoff\.net/i
header __CC_MYEMAIL Cc:addr =~ /ernstoff\.net/i

header __TO_MYNAME To:name =~ /\b(?:Mike|Michael)\b|^$/i
header __CC_MYNAME Cc:name =~ /\b(?:Mike|Michael)\b|^$/i

meta NOT_MY_NAME (__TO_MYEMAIL && !__TO_MYNAME) || (__CC_MYEMAIL && !__CC_MYNAME)
describe NOT_MY_NAME My email address, but not my name
score NOT_MY_NAME 1

(Note that the meta command should be all on one line)

The rule names that start with an underscore are defined as sub-rules
and are not scored separately.

Also, keep in mind that the :addr and :name modifiers only grab the
first address or real name on the line.  If there are multiple
addresses or real names, they are ignored.  You may have better
results just leaving off the :addr and :name modifiers and accepting
that it will miss a few by matching the name inside the email address
([EMAIL PROTECTED], for example).

header __TO_MYEMAIL To =~ /ernstoff\.net/i
header __CC_MYEMAIL Cc =~ /ernstoff\.net/i

header __TO_MYNAME To =~ /\b(?:Mike|Michael)\b(?!\@)|^$/i
header __CC_MYNAME Cc =~ /\b(?:Mike|Michael)\b(?!\@)|^$/i

meta NOT_MY_NAME (__TO_MYEMAIL && !__TO_MYNAME) || (__CC_MYEMAIL && !__CC_MYNAME)
describe NOT_MY_NAME My email address, but not my name
score NOT_MY_NAME 1

The extra stuff on the name regex ensures that the name is not
immediately followed by an @ to try to avoid matching on obvious
email addresses.

It is possible to parse it all out, but as there are quite a few valid
formats, this would be far more trouble than it is worth.

Bowie


Whitelisted, but marked as spam

2005-09-27 Thread Thijs Koetsier | Exception IT
Hi all,

I'm having messages marked as spam, for users who are in my whitelist.

In /etc/mail/spamassasin/whitelist.cf are these lines (among others):
all_spam_to [EMAIL PROTECTED]
whitelist_to[EMAIL PROTECTED]
whitelist_to[EMAIL PROTECTED]
Whitelist_from  [EMAIL PROTECTED]
(it is this thorough because I didn't get this to work)

However, the user is still getting messages marked as spam, as is shown in
the header below.
As you can see, the subject is rewritten with {Spam}, the spam status is
5.4, but below that also is marked as being in the all_spam, whitelist_from
and whitelist_to.

Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Tue, 27 Sep 2005 19:17:11 +0200
Received: from Debian-exim by zoltar.exception.nl with spam-scanned (Exim
4.52)
id 1EKJ4o-0001TP-Rn
for [EMAIL PROTECTED]; Tue, 27 Sep 2005 19:17:11 +0200
Received: from localhost by zoltar.exception.nl
with SpamAssassin (version 3.0.4);
Tue, 27 Sep 2005 19:17:11 +0200
From: User1 [EMAIL PROTECTED]
To: User1 [EMAIL PROTECTED]
Subject: {Spam} ANB5Mail Maillog 27-09-2005
Date: Tue, 27 Sep 2005 19:17:07 +0200
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
zoltar.exception.nl
X-Spam-Level: *
X-Spam-Status: Yes, score=5.4 required=5.0 tests=AWL,BAYES_00,HTML_60_70,
HTML_BADTAG_00_10,HTML_MESSAGE,HTML_NONELEMENT_00_10,
HTML_TAG_EXIST_MARQUEE,HTML_TAG_EXIST_TBODY,MIME_BOUND_NEXTPART,
MIME_BOUND_RKFINDY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
USER_IN_ALL_SPAM_TO,USER_IN_WHITELIST,USER_IN_WHITELIST_TO,X_LIBRARY

autolearn=no version=3.0.4
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_43397E97.410A444D
Message-Id: [EMAIL PROTECTED]

If anyone can enlighten this for me, it would be greatly appreciated!

Cheers,
Thijs



Re: Whitelisted, but marked as spam

2005-09-27 Thread Fred
Thijs Koetsier | Exception IT wrote:
 X-Spam-Status: Yes, score=5.4 required=5.0
 tests=AWL,BAYES_00,HTML_60_70,
 HTML_BADTAG_00_10,HTML_MESSAGE,HTML_NONELEMENT_00_10,
 HTML_TAG_EXIST_MARQUEE,HTML_TAG_EXIST_TBODY,MIME_BOUND_NEXTPART,
 MIME_BOUND_RKFINDY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
 USER_IN_ALL_SPAM_TO,USER_IN_WHITELIST,USER_IN_WHITELIST_TO,X_LIBRARY


Since you have AWL in there, I would check to see what AWL is scoring this
message.



RE: Whitelisted, but marked as spam

2005-09-27 Thread Thijs Koetsier | Exception IT
In addition to my mail just sent;

This is the e-mail received by the user. Shouldn't user_in_whitelist to
score -100 and user_in_all_spam_to be also at least more than -1.0?

Spam detection software, running on the system zoltar.exception.nl, has
identified this incoming email as possible spam.  The original message has
been attached to this so you can view it (if it isn't spam) or label similar
future email.  If you have any questions, see the administrator of that
system for details.

Content preview:  ASCI Technologies maillog 27-09-2005 ASCI Technologies
  Filialen in -Assen -Emmen -Enschede -Groningen -Tilburg -en Winschoten
  [...] 

Content analysis details:   (5.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 MIME_BOUND_RKFINDY     Spam tool pattern in MIME boundary (rfkindy)
 1.0 X_LIBRARY              Message has X-Library header
-1.0 USER_IN_WHITELIST      From: address is in the user's white-list
-1.0 USER_IN_WHITELIST_TO   User is listed in 'whitelist_to'
-1.0 USER_IN_ALL_SPAM_TO    User is listed in 'all_spam_to'
 1.0 HTML_60_70             BODY: Message is 60% to 70% HTML
 1.0 HTML_BADTAG_00_10      BODY: HTML message is 0% to 10% bad tags
 1.0 HTML_TAG_EXIST_TBODY   BODY: HTML has tbody tag
-1.0 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
 1.0 HTML_TAG_EXIST_MARQUEE BODY: HTML has marquee tag
 1.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 1.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 MPART_ALT_DIFF         BODY: HTML and text parts are different
 1.0 HTML_NONELEMENT_00_10  BODY: 0% to 10% of HTML elements are non-standard
 1.0 MIME_BOUND_NEXTPART    Spam tool pattern in MIME boundary
-1.6 AWL                    AWL: From: address is in the auto white-list
The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus, or
confirm that your address can receive spam.  If you wish to view it, it may
be safer to save it to a file and open it with an editor.

Cheers,
Thijs


-Original message-
From: Thijs Koetsier | Exception IT [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 27 September 2005 20:33
To: users@spamassassin.apache.org
Subject: Whitelisted, but marked as spam

Hi all,

I'm having messages marked as spam, for users who are in my whitelist.

In /etc/mail/spamassasin/whitelist.cf are these lines (among others):
all_spam_to [EMAIL PROTECTED]
whitelist_to[EMAIL PROTECTED]
whitelist_to[EMAIL PROTECTED]
Whitelist_from  [EMAIL PROTECTED]
(it is this thorough because I didn't get this to work)

However, the user is still getting messages marked as spam, as is shown in
the header below.
As you can see, the subject is rewritten with {Spam}, the spam status is
5.4, but below that also is marked as being in the all_spam, whitelist_from
and whitelist_to.

Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Tue, 27 Sep 2005 19:17:11 +0200
Received: from Debian-exim by zoltar.exception.nl with spam-scanned (Exim
4.52)
id 1EKJ4o-0001TP-Rn
for [EMAIL PROTECTED]; Tue, 27 Sep 2005 19:17:11 +0200
Received: from localhost by zoltar.exception.nl
with SpamAssassin (version 3.0.4);
Tue, 27 Sep 2005 19:17:11 +0200
From: User1 [EMAIL PROTECTED]
To: User1 [EMAIL PROTECTED]
Subject: {Spam} ANB5Mail Maillog 27-09-2005
Date: Tue, 27 Sep 2005 19:17:07 +0200
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
zoltar.exception.nl
X-Spam-Level: *
X-Spam-Status: Yes, score=5.4 required=5.0 tests=AWL,BAYES_00,HTML_60_70,
HTML_BADTAG_00_10,HTML_MESSAGE,HTML_NONELEMENT_00_10,
HTML_TAG_EXIST_MARQUEE,HTML_TAG_EXIST_TBODY,MIME_BOUND_NEXTPART,
MIME_BOUND_RKFINDY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
USER_IN_ALL_SPAM_TO,USER_IN_WHITELIST,USER_IN_WHITELIST_TO,X_LIBRARY

autolearn=no version=3.0.4
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_43397E97.410A444D
Message-Id: [EMAIL PROTECTED]

If anyone can enlighten this for me, it would be greatly appreciated!

Cheers,
Thijs



RE: Whitelisted, but marked as spam

2005-09-27 Thread Thijs Koetsier | Exception IT
Ehrm, yeah...

Do you remember my thread some days earlier where Bob mentioned to remove
any old .cf files who gave troubles linting?

I guess you found the solution for my problem... Thanks!

Sorry; I'm kinda new to this...
Cheers,
Thijs

-Original message-
From: Fred [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 27 September 2005 20:49
To: [EMAIL PROTECTED]
Subject: Re: Whitelisted, but marked as spam


It appears all of the rules are being scored 1.0, did you by chance remove
the 50_scores.cf file?

Fred
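
The symptom Fred spotted (every static rule scoring exactly 1.0 or -1.0, so the whitelist entries cannot outweigh the other hits) can be checked mechanically. The following is an added example, not part of the original thread: it parses a "Content analysis details" report, using the report posted above with its column spacing restored plus a second report whose scores are constructed; the function names and the `min_rules` and `floor` thresholds are assumptions.

```python
"""Detect the 'all rules at default score' symptom in a SpamAssassin report."""
import re

# One hit line looks like: "-1.0 USER_IN_WHITELIST   From: address is in ..."
HIT_RE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b")

# Report from the thread above, with the column spacing restored.
REPORT_FROM_THREAD = """\
 pts rule name              description
 1.0 MIME_BOUND_RKFINDY     Spam tool pattern in MIME boundary (rfkindy)
 1.0 X_LIBRARY              Message has X-Library header
-1.0 USER_IN_WHITELIST      From: address is in the user's white-list
-1.0 USER_IN_WHITELIST_TO   User is listed in 'whitelist_to'
-1.0 USER_IN_ALL_SPAM_TO    User is listed in 'all_spam_to'
 1.0 HTML_60_70             BODY: Message is 60% to 70% HTML
 1.0 HTML_BADTAG_00_10      BODY: HTML message is 0% to 10% bad tags
 1.0 HTML_TAG_EXIST_TBODY   BODY: HTML has tbody tag
-1.0 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
 1.0 HTML_TAG_EXIST_MARQUEE BODY: HTML has marquee tag
 1.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 1.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 MPART_ALT_DIFF         BODY: HTML and text parts are different
 1.0 HTML_NONELEMENT_00_10  BODY: 0% to 10% of HTML elements are non-standard
 1.0 MIME_BOUND_NEXTPART    Spam tool pattern in MIME boundary
-1.6 AWL                    AWL: From: address is in the auto white-list
"""

# Constructed report: same layout, scores invented for illustration only.
REPORT_CONSTRUCTED = """\
-100 USER_IN_WHITELIST      From: address is in the user's white-list
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.1 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.1 MPART_ALT_DIFF         BODY: HTML and text parts are different
 2.4 X_LIBRARY              Message has X-Library header
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
 3.2 AWL                    AWL: From: address is in the auto white-list
"""


def parse_hits(report):
    """Return {rule_name: score} for every hit line in the report."""
    hits = {}
    for line in report.splitlines():
        match = HIT_RE.match(line)
        if match:
            hits[match.group(2)] = float(match.group(1))
    return hits


def scores_look_unset(hits, ignore=("AWL",), min_rules=5):
    """True when every static rule scored exactly +/-1.0.

    AWL is ignored because its score is computed per sender, not read from
    a scores file. min_rules avoids flagging short reports by coincidence.
    """
    static = {rule: score for rule, score in hits.items() if rule not in ignore}
    if len(static) < min_rules:
        return False
    return all(abs(score) == 1.0 for score in static.values())


def weak_whitelist_hits(hits, floor=-5.0):
    """Whitelist-type rules that fired but scored weaker than `floor`."""
    return sorted(
        rule
        for rule, score in hits.items()
        if ("WHITELIST" in rule or "ALL_SPAM_TO" in rule) and score > floor
    )


if __name__ == "__main__":
    for label, report in (("thread", REPORT_FROM_THREAD),
                          ("constructed", REPORT_CONSTRUCTED)):
        hits = parse_hits(report)
        print(label, "total=%.1f" % sum(hits.values()),
              "unset=%s" % scores_look_unset(hits),
              "weak=%s" % weak_whitelist_hits(hits))
```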



RE: Whitelisted, but marked as spam

2005-09-27 Thread Bret Miller
You would think that whitelist should be given a lower number than -1.0.
Otherwise, how does it counteract the many other rule additions?

How about adding:
score USER_IN_WHITELIST -20
score USER_IN_WHITELIST_TO -20
to your local.cf so that it does actually whitelist.

Bret


 -Original Message-
 From: Thijs Koetsier | Exception IT
 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, September 27, 2005 11:44 AM
 To: users@spamassassin.apache.org
 Subject: RE: Whitelisted, but marked as spam

 In addition to my mail just sent;

 This is the e-mail received by the user. Shouldn't
 user_in_whitelist to
 score -100 and user_in_all_spam_to be also at least more than -1.0?

 Spam detection software, running on the system
 zoltar.exception.nl, has
 identified this incoming email as possible spam.  The
 original message has
 been attached to this so you can view it (if it isn't spam)
 or label similar
 future email.  If you have any questions, see the
 administrator of that
 system for details.

 Content preview:  ASCI Technologies maillog 27-09-2005 ASCI
 Technologies
   Filialen in -Assen -Emmen -Enschede -Groningen -Tilburg -en
 Winschoten
   [...]

 Content analysis details:   (5.4 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.0 MIME_BOUND_RKFINDY     Spam tool pattern in MIME boundary (rfkindy)
  1.0 X_LIBRARY              Message has X-Library header
 -1.0 USER_IN_WHITELIST      From: address is in the user's white-list
 -1.0 USER_IN_WHITELIST_TO   User is listed in 'whitelist_to'
 -1.0 USER_IN_ALL_SPAM_TO    User is listed in 'all_spam_to'
  1.0 HTML_60_70             BODY: Message is 60% to 70% HTML
  1.0 HTML_BADTAG_00_10      BODY: HTML message is 0% to 10% bad tags
  1.0 HTML_TAG_EXIST_TBODY   BODY: HTML has tbody tag
 -1.0 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                             [score: 0.]
  1.0 HTML_TAG_EXIST_MARQUEE BODY: HTML has marquee tag
  1.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
  1.0 HTML_MESSAGE           BODY: HTML included in message
  1.0 MPART_ALT_DIFF         BODY: HTML and text parts are different
  1.0 HTML_NONELEMENT_00_10  BODY: 0% to 10% of HTML elements are non-standard
  1.0 MIME_BOUND_NEXTPART    Spam tool pattern in MIME boundary
 -1.6 AWL                    AWL: From: address is in the auto white-list

 The original message was not completely plain text, and may
 be unsafe to
 open with some email clients; in particular, it may contain a
 virus, or
 confirm that your address can receive spam.  If you wish to
 view it, it may
 be safer to save it to a file and open it with an editor.

 Cheers,
 Thijs


 -Original Message-
 From: Thijs Koetsier | Exception IT
 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 27 September 2005 20:33
 To: users@spamassassin.apache.org
 Subject: Whitelisted, but marked as spam

 Hi all,

 I'm having messages marked as spam, for users who are in my whitelist.

 In /etc/mail/spamassasin/whitelist.cf are these lines (among others):
 all_spam_to   [EMAIL PROTECTED]
 whitelist_to  [EMAIL PROTECTED]
 whitelist_to  [EMAIL PROTECTED]
 Whitelist_from  [EMAIL PROTECTED]
 (it is this thorough because I didn't get this to work)

 However, the user is still getting messages marked as spam,
 as is shown in
 the header below.
 As you can see, the subject is rewritten with {Spam}, the
 spam status is
 5.4, but below that also is marked as being in the all_spam,
 whitelist_from
 and whitelist_to.

 Return-path: [EMAIL PROTECTED]
 Envelope-to: [EMAIL PROTECTED]
 Delivery-date: Tue, 27 Sep 2005 19:17:11 +0200
 Received: from Debian-exim by zoltar.exception.nl with
 spam-scanned (Exim
 4.52)
   id 1EKJ4o-0001TP-Rn
   for [EMAIL PROTECTED]; Tue, 27 Sep 2005 19:17:11 +0200
 Received: from localhost by zoltar.exception.nl
   with SpamAssassin (version 3.0.4);
   Tue, 27 Sep 2005 19:17:11 +0200
 From: User1 [EMAIL PROTECTED]
 To: User1 [EMAIL PROTECTED]
 Subject: {Spam} ANB5Mail Maillog 27-09-2005
 Date: Tue, 27 Sep 2005 19:17:07 +0200
 X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
 zoltar.exception.nl
 X-Spam-Level: *
 X-Spam-Status: Yes, score=5.4 required=5.0
 tests=AWL,BAYES_00,HTML_60_70,
   HTML_BADTAG_00_10,HTML_MESSAGE,HTML_NONELEMENT_00_10,
   HTML_TAG_EXIST_MARQUEE,HTML_TAG_EXIST_TBODY,MIME_BOUND_NEXTPART,
   MIME_BOUND_RKFINDY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,

 USER_IN_ALL_SPAM_TO,USER_IN_WHITELIST,USER_IN_WHITELIST_TO,X_LIBRARY

   autolearn=no version=3.0.4
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
 boundary=--=_43397E97.410A444D
 Message-Id: [EMAIL PROTECTED]

 If anyone can enlighten this for me, it would be greatly appreciated!

 Cheers,
 Thijs







Re: Whitelisted, but marked as spam

2005-09-27 Thread Fred
Bret Miller wrote:
 You would think that whitelist should be given a lower number than
 -1.0. Otherwise, how does it counteract the many other rule additions?

 How about adding:
 score USER_IN_WHITELIST -20
 score USER_IN_WHITELIST_TO -20
 to your local.cf so that it does actually whitelist.

 Bret


Normally it would but the 50_scores.cf where this score is defined was
removed.



Re: 50_scores.cf warnings (was: Whitelisted, but marked as spam)

2005-09-27 Thread Fred
Thijs Koetsier | Exception IT wrote:
 So, now that I've replaced my 50_scores.cf (thanks Fred), I'm getting
 the 150 warnings back. They're all of the type:

Redownload the spamassassin package and extract that file again.  It sounds
like you have an older version of that file.



RE: 50_scores.cf warnings (was: Whitelisted, but marked as spam)

2005-09-27 Thread Thijs Koetsier | Exception IT
As a matter of fact I _really_ deleted the file a few days ago, so I just
downloaded the spamassassin .zip again and uploaded the extracted
50_scores.cf to my server. 

-Original Message-
From: Fred [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 27 September 2005 21:12
To: [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: Re: 50_scores.cf warnings (was: Whitelisted, but marked as spam)

Thijs Koetsier | Exception IT wrote:
 So, now that I've replaced my 50_scores.cf (thanks Fred), I'm getting 
 the 150 warnings back. They're all of the type:

Redownload the spamassassin package and extract that file again.  It sounds
like you have an older version of that file.



Spamd dies after tcp timeout

2005-09-27 Thread Sander Holthaus - Orange XL



For a few days now, I have been having more serious problems with
SpamAssassin 3.10. It just dies after the following two messages in the
error-log:

Sep 27 15:16:32 OrangeXL4 spamd[63730]: prefork: child states: II
Sep 27 15:18:12 OrangeXL4 spamd[63730]: tcp timeout at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/SpamdForkScaling.pm line 195.
Sep 27 15:18:12 OrangeXL4 spamd[63730]: tcp timeout at /usr/local/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/SpamdForkScaling.pm line 195.

Next to that, I get quite a few Pyzor / Alarm errors (for about 5% of all mail).

Never had any such problems with SpamAssassin 3.0.x or 2.xx

I'm using SpamAssassin on FreeBSD 4.10 with Perl 5.8.5 installed.

Kind Regards,
Sander Holthaus


RE: 50_scores.cf warnings (was: Whitelisted, but marked as spam)

2005-09-27 Thread Rosenbaum, Larry M.
 From: Thijs Koetsier | Exception IT
[mailto:[EMAIL PROTECTED]
 
 As a matter of fact I _really_ deleted the file a few days ago, so I just
 downloaded the spamassassin .zip again and uploaded the extracted
 50_scores.cf to my server.
 
...
 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
zoltar.exception.nl
...
 warning: score set for non-existent rule ADVANCE_FEE_4

You are using the v3.1.0 version of 50_scores.cf with SpamAssassin
3.0.4.  Find a 3.0.4 package and extract the 50_scores.cf from there.
The ADVANCE_FEE rules had a different name in 3.0.4.
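
Both failure modes in this thread (a deleted 50_scores.cf leaving every rule at the flat ±1.0 seen in the report, and a 3.1.0 50_scores.cf scoring rules that 3.0.4 does not define) can be checked mechanically. The following is an added example, not code from SpamAssassin or from any poster; the .cf text and report lines are constructed samples, and `OLD_FEE_RULE_NAME` is a hypothetical placeholder for the older rule name, which the thread does not give.

```python
import re

# Directives that introduce a rule name (a subset of SpamAssassin's rule syntax).
RULE_DIRECTIVES = {"header", "body", "rawbody", "uri", "full", "meta"}
# One line of the "Content analysis details" table: points, then rule name.
REPORT_LINE = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]*)\b")

# Constructed samples. Rule names come from the thread, patterns are placeholders,
# and OLD_FEE_RULE_NAME is a hypothetical stand-in for the older rule name.
INSTALLED_RULES = """
header X_LIBRARY          exists:X-Library
body   HTML_MESSAGE       /placeholder/
body   OLD_FEE_RULE_NAME  /placeholder/
header __HELPER           exists:X-Helper   # sub-rule, never scored
"""
NEWER_SCORES = """
score X_LIBRARY      2.0
score HTML_MESSAGE   0.001
score ADVANCE_FEE_4  1.5
"""
FLAT_REPORT = """
 1.0 X_LIBRARY          Message has X-Library header
-1.0 USER_IN_WHITELIST  From: address is in the user's white-list
 1.0 HTML_MESSAGE       BODY: HTML included in message
-1.0 BAYES_00           BODY: Bayesian spam probability is 0 to 1%
-1.6 AWL                AWL: From: address is in the auto white-list
"""
SCORED_REPORT = """
 2.0 X_LIBRARY          Message has X-Library header
-20  USER_IN_WHITELIST  From: address is in the user's white-list
 0.0 HTML_MESSAGE       BODY: HTML included in message
"""


def parse_cf(text):
    """Return (defined rule names, {rule name: score fields}) from .cf text."""
    rules, scores = set(), {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) < 2:
            continue
        if parts[0] in RULE_DIRECTIVES:
            rules.add(parts[1])
        elif parts[0] == "score" and len(parts) >= 3:
            scores[parts[1]] = parts[2:]
    return rules, scores


def audit(cf_texts):
    """Cross-check rule definitions against score lines across all .cf texts."""
    rules, scores = set(), {}
    for text in cf_texts:
        found_rules, found_scores = parse_cf(text)
        rules |= found_rules
        scores.update(found_scores)
    scorable = {r for r in rules if not r.startswith("__")}
    return {
        # Scores with no matching rule: the scores file is from another version.
        "orphan_scores": sorted(set(scores) - rules),
        # Rules with no score line: they fall back to a default score.
        "unscored_rules": sorted(scorable - set(scores)),
    }


def report_looks_unscored(report, ignore=("AWL",)):
    """True when every listed rule (AWL aside) scored exactly +1.0 or -1.0."""
    pts = [float(m.group(1)) for line in report.splitlines()
           if (m := REPORT_LINE.match(line)) and m.group(2) not in ignore]
    return len(pts) >= 3 and all(abs(p) == 1.0 for p in pts)


if __name__ == "__main__":
    print("mismatched scores file:", audit([INSTALLED_RULES, NEWER_SCORES]))
    print("scores file missing:   ", audit([INSTALLED_RULES]))
    print("flat report flagged:   ", report_looks_unscored(FLAT_REPORT))
```
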


Suspected-Spam URL

2005-09-27 Thread Matthew Yette
The URL (or email address) that you input right when you start to install SA
(perl Makefile.PL):

What email address or URL should be used in the suspected-spam report
text for users who want more information on your filter installation?
(In particular, ISPs should change this to a local Postmaster contact)
default text: [the administrator of that system] we put a link to our
website here explaining the rejection

We've been using this under the assumption that it has been working as it
should...in the past (SA 2.64 and 3.0.4) we have gotten users following the
link in the bounce email saying that it has been tagged as spam. However, I
just recently tested this to make sure it was working by sending a message
from an external account that would get rejected. The threshold is 5.0, and
the message scored 17.4 (I was monitoring qmail-queue.log as the message
came in). However, I never received a message stating that my message was
rejected.

Is this bounce message only sent if my message scores between the threshold
and the sa_delete variables? (In our case, 5 and 7)

thanks
-- 
Matthew Yette
Senior Engineer (NOC/Operations)
M.A. Polce Consulting
315-838-1644



RE: 50_scores.cf warnings (was: Whitelisted, but marked as spam)

2005-09-27 Thread Bret Miller

  From: Thijs Koetsier | Exception IT
 [mailto:[EMAIL PROTECTED]
 
  As a matter of fact I _really_ deleted the file a few days ago, so I just
  downloaded the spamassassin .zip again and uploaded the extracted
  50_scores.cf to my server.
 
 ...
  X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
 zoltar.exception.nl
 ...
  warning: score set for non-existent rule ADVANCE_FEE_4

 You are using the v3.1.0 version of 50_scores.cf with SpamAssassin
 3.0.4.  Find a 3.0.4 package and extract the 50_scores.cf from there.
 The ADVANCE_FEE rules had a different name in 3.0.4.


Or if you really want v3.1.0, delete all the spamassassin files from
your server except your local config files and then install. Sometimes
things don't get overwritten properly if permissions are messed up or if
some got marked r/o for some reason.

Modifying SA base files is never a good idea unless you plan to
carefully do it for every new release. Adjusting scores and disabling
tests can be done easily in local.cf or other .cf files in the same
folder as local.cf.

Bret





Re: Suspected-Spam URL

2005-09-27 Thread Theo Van Dinter
On Tue, Sep 27, 2005 at 03:34:41PM -0400, Matthew Yette wrote:
 What email address or URL should be used in the suspected-spam report
 text for users who want more information on your filter installation?
 (In particular, ISPs should change this to a local Postmaster contact)
 default text: [the administrator of that system] we put a link to our
 website here explaining the rejection
 
 Is this bounce message only sent if my message scores between the threshold
 and the sa_delete variables? (In our case, 5 and 7)

What bounce message?  As the prompt indicates, the text you put in is put into
the report markup (basically it sets the report_contact config option).  SA
does not generate bounce messages or anything.

-- 
Randomly Generated Tagline:
[handing an apple to a doctor] Here you go. This should keep you away
 from yourself for at least a day.  How do you like them apples?
- Alton Brown, Good Eats, Apple Family Values




RE: 50_scores.cf warnings (was: Whitelisted, but marked as spam)

2005-09-27 Thread Thijs Koetsier | Exception IT
Thanks for all the help.

I got it working again with a 3.0.3 package 50_scores.cf, which was the
latest 3.0 version I could find on apache.org's archives. 
It lints without problems, so I guess this one is okay?

Cheers,
Thijs

-Original Message-
From: Rosenbaum, Larry M. [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 27 September 2005 21:34
To: users@spamassassin.apache.org
Subject: RE: 50_scores.cf warnings (was: Whitelisted, but marked as spam)

 From: Thijs Koetsier | Exception IT
[mailto:[EMAIL PROTECTED]
 
 As a matter of fact I _really_ deleted the file a few days ago, so I just
 downloaded the spamassassin .zip again and uploaded the extracted
 50_scores.cf to my server.
 
...
 X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
zoltar.exception.nl
...
 warning: score set for non-existent rule ADVANCE_FEE_4

You are using the v3.1.0 version of 50_scores.cf with SpamAssassin 3.0.4.
Find a 3.0.4 package and extract the 50_scores.cf from there.
The ADVANCE_FEE rules had a different name in 3.0.4.



Re: Suspected-Spam URL

2005-09-27 Thread jdow

From: Matthew Yette [EMAIL PROTECTED]

The URL (or email address) that you input right when you start to install SA
(perl Makefile.PL):

What email address or URL should be used in the suspected-spam report
text for users who want more information on your filter installation?
(In particular, ISPs should change this to a local Postmaster contact)
default text: [the administrator of that system] we put a link to our
website here explaining the rejection

We've been using this under the assumption that it has been working as it
should...in the past (SA 2.64 and 3.0.4) we have gotten users following the
link in the bounce email saying that it has been tagged as spam. However, I
just recently tested this to make sure it was working by sending a message
from an external account that would get rejected. The threshold is 5.0, and
the message scored 17.4 (I was monitoring qmail-queue.log as the message
came in). However, I never received a message stating that my message was
rejected.

Is this bounce message only sent if my message scores between the threshold
and the sa_delete variables? (In our case, 5 and 7)


Please do not do this Matthew. It is a sign of VERY poor network
management. It is also an excellent tool for spammers executing joe
jobs. When I find myself joe jobbed the ISP that is bouncing goes into
my procmailrc file with a redirect to /dev/null. I *NEVER* see anything
from them again. People running real sendmail servers tend to place
your address into their blacklists and drop all mails from your site.

This is a feature that should be taken right out of SpamAssassin
completely if it really bounces spam back to the purported (and
virtually always forged) sender or postmaster.

{O.O}   Joanne said that rather more politely than she is thinking
   about it in her head. I've been joe jobbed this way. It is
   frustrating beyond belief. 





Re: RDJ newbie prob

2005-09-27 Thread John Fleming


- Original Message - 
From: Chris Thielen [EMAIL PROTECTED]

To: John Fleming [EMAIL PROTECTED]
Cc: Spamassassin users@spamassassin.apache.org
Sent: Tuesday, September 27, 2005 11:23 AM
Subject: Re: RDJ newbie prob

John Fleming wrote:

Thanks, Chris.  I'm sure this is something trivial - I've had it 
working in the past!

Here's my /etc/rulesdujour/config



John, I think this is simply due to the TRUSTED_RULESETS= being on a 
separate line.


You have:
TRUSTED_RULESETS=
TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
...

Try it like this:
TRUSTED_RULESETS=TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0


Chris Thielen
---
That was it - I knew it was simple!  Thanks!  - John



Re: trusted_networks use

2005-09-27 Thread NFN Smith

Alan Premselaar wrote:


NFN Smith wrote:

Following up on my own post.  I'm still thrashing, and not getting any 
difference in results.



...snip...

Sorry, I just have to ask.  Since you're using MIMEDefang... you are 
remembering to restart (or reload) mimedefang after making your changes, 
right?  and you're making changes to the sa-mimedefang.cf file, right?


A question worth asking.  Yes, I'm making sure I'm restarting 
MIMEDefang.  That's an easy thing to miss, and I've gotten bitten on 
things of that nature before.


Thanks for the suggestion.

Smith



Re: trusted_networks use

2005-09-27 Thread NFN Smith

Thanks for the ongoing feedback

Bowie Bailey wrote:



Now that you've made those changes, post the headers from another
example email so we can see if anything changed.


See below.


Also, you may want to save your email into a file and manually run it
through SA to see what happens.  Just add '-t -D' to the option list


I did that, and found a couple of things.  I'm closer, but not there yet.

In reading the debugging output, I realized that I was putting my work 
in /etc/mail/sa-mimedefang.cf, and all my other local config settings 
are in /etc/mail/spamassassin/local.cf.  When I moved this work to 
local.cf, debug showed me getting further.


I also found that Net::DNS wasn't installed -- up until now, I haven't 
needed it, because I haven't been doing stuff that requires DNS queries. 
 I installed that, and am making further progress.


With the two changes, I'm getting correct designation of which hosts are 
trusted or not (which I wasn't getting before), but still not getting 
the ALL_TRUSTED rule.


By the way, I've also made sure that the $HOME/.spamassassin/user_prefs 
doesn't have any user-specific settings that may be interfering.


Debug output shows:


debug: using /usr/share/spamassassin for default rules dir
debug: using /etc/mail/spamassassin for site rules dir
debug: using /home/test-user/.spamassassin for user state dir
debug: using /home/test-user/.spamassassin/user_prefs for user prefs file
debug: Failed to parse line in SpamAssassin configuration, skipping: 
internal_networks   64.65.180.91
debug: Failed to parse line in SpamAssassin configuration, skipping: 
internal_networks   10.10.10.141
debug: Score set 1 chosen.
debug: Initialising learner
debug: received-header: parsed as [ ip=68.99.120.79 
rdns=lakecmmtao05.coxmail.com helo=lakecmmtao05.coxmail.com by=pulsar.lfa.com 
ident= ]
debug: received-header: parsed as [ ip=24.249.175.20 rdns=really 
helo=!192.168.1.100! by=lakecmmtao05.coxmail.com ident= ]
debug: received-header: relay 68.99.120.79 trusted? yes
debug: received-header: relay 24.249.175.20 trusted? no
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=5.733
debug: running uri tests; score so far=6.536
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=6.573
debug: Current PATH is: 
/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin
debug: all '*From' addrs: [EMAIL PROTECTED]
debug: all '*To' addrs: [EMAIL PROTECTED] [EMAIL PROTECTED]
debug: is Net::DNS::Resolver available? yes
debug: trying (3) kernel.org...
debug: looking up MX for 'kernel.org'
debug: MX for 'kernel.org' exists? 1
debug: MX lookup of kernel.org succeeded = Dns available (set dns_available to 
hardcode)
debug: is DNS available? 1
debug: DNS MX records found: 1
debug: forged-HELO: from=really helo=!192.168.1.100! by=coxmail.com
debug: running meta tests; score so far=6.573
debug: is spam? score=7.673 required=4 
tests=CLICK_BELOW,EXCUSE_3,FREE_CONSULTATION,MAILTO_TO_REMOVE,MIME_MISSING_BOUNDARY,NO_OBLIGATION,ONE_TIME_MAILING,REMOVE_IN_QUOTES,REMOVE_SUBJ,RISK_FREE
From [EMAIL PROTECTED]  Tue Sep 27 15:22:19 2005
Received: from localhost by pulsar.lfa.com
with SpamAssassin (2.64 2004-01-11);
Tue, 27 Sep 2005 15:24:16 -0700
From: NFN Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: *SPAM* Sequential test #12a
Date: Tue, 27 Sep 2005 15:21:15 -0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on pulsar.lfa.com
X-Spam-Level: ***
X-Spam-Status: Yes, hits=7.7 required=4.0 tests=CLICK_BELOW,EXCUSE_3,
FREE_CONSULTATION,MAILTO_TO_REMOVE,MIME_MISSING_BOUNDARY,
	NO_OBLIGATION,ONE_TIME_MAILING,REMOVE_IN_QUOTES,REMOVE_SUBJ,RISK_FREE 
	autolearn=no version=2.64

MIME-Version: 1.0


Anything else obvious that I might be missing?  I think I'm close

Smith



Re: trusted_networks use

2005-09-27 Thread alan premselaar

NFN Smith wrote:

Thanks for the ongoing feedback

Bowie Bailey wrote:



Now that you've made those changes, post the headers from another
example email so we can see if anything changed.



See below.



Also, you may want to save your email into a file and manually run it
through SA to see what happens.  Just add '-t -D' to the option list



I did that, and found a couple of things.  I'm closer, but not there yet.

In reading the debugging output, I realized that I was putting my work 
in /etc/mail/sa-mimedefang.cf, and all my other local config settings 
are in /etc/mail/spamassassin/local.cf.  When I moved this work to 
local.cf, debug showed me getting further.


I also found that Net::DNS wasn't installed -- up until now, I haven't 
needed it, because I haven't been doing stuff that requires DNS queries. 
 I installed that, and am making further progress.


With the two changes, I'm getting correct designation of which hosts are 
trusted or not (which I wasn't getting before), but still not getting 
the ALL_TRUSTED rule.


By the way, I've also made sure that the $HOME/.spamassassin/user_prefs 
doesn't have any user-specific settings that may be interfering.


Debug output shows:


debug: using /usr/share/spamassassin for default rules dir
debug: using /etc/mail/spamassassin for site rules dir
debug: using /home/test-user/.spamassassin for user state dir
debug: using /home/test-user/.spamassassin/user_prefs for user prefs 
file
debug: Failed to parse line in SpamAssassin configuration, skipping: 
internal_networks 64.65.180.91
debug: Failed to parse line in SpamAssassin configuration, skipping: 
internal_networks 10.10.10.141

debug: Score set 1 chosen.
debug: Initialising learner
debug: received-header: parsed as [ ip=68.99.120.79 
rdns=lakecmmtao05.coxmail.com helo=lakecmmtao05.coxmail.com 
by=pulsar.lfa.com ident= ]
debug: received-header: parsed as [ ip=24.249.175.20 rdns=really 
helo=!192.168.1.100! by=lakecmmtao05.coxmail.com ident= ]

debug: received-header: relay 68.99.120.79 trusted? yes
debug: received-header: relay 24.249.175.20 trusted? no
debug: running header regexp tests; score so far=0
debug: running body-text per-line regexp tests; score so far=0
debug: running raw-body-text per-line regexp tests; score so far=5.733
debug: running uri tests; score so far=6.536
debug: uri tests: Done uriRE
debug: running full-text regexp tests; score so far=6.573
debug: Current PATH is: 
/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin

debug: all '*From' addrs: [EMAIL PROTECTED]
debug: all '*To' addrs: [EMAIL PROTECTED] [EMAIL PROTECTED]
debug: is Net::DNS::Resolver available? yes
debug: trying (3) kernel.org...
debug: looking up MX for 'kernel.org'
debug: MX for 'kernel.org' exists? 1
debug: MX lookup of kernel.org succeeded = Dns available (set 
dns_available to hardcode)

debug: is DNS available? 1
debug: DNS MX records found: 1
debug: forged-HELO: from=really helo=!192.168.1.100! by=coxmail.com
debug: running meta tests; score so far=6.573
debug: is spam? score=7.673 required=4 
tests=CLICK_BELOW,EXCUSE_3,FREE_CONSULTATION,MAILTO_TO_REMOVE,MIME_MISSING_BOUNDARY,NO_OBLIGATION,ONE_TIME_MAILING,REMOVE_IN_QUOTES,REMOVE_SUBJ,RISK_FREE 


From [EMAIL PROTECTED]  Tue Sep 27 15:22:19 2005
Received: from localhost by pulsar.lfa.com
with SpamAssassin (2.64 2004-01-11);
Tue, 27 Sep 2005 15:24:16 -0700
From: NFN Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: *SPAM* Sequential test #12a
Date: Tue, 27 Sep 2005 15:21:15 -0700
Message-Id: [EMAIL PROTECTED]
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on pulsar.lfa.com
X-Spam-Level: ***
X-Spam-Status: Yes, hits=7.7 required=4.0 tests=CLICK_BELOW,EXCUSE_3,
FREE_CONSULTATION,MAILTO_TO_REMOVE,MIME_MISSING_BOUNDARY,
NO_OBLIGATION,ONE_TIME_MAILING,REMOVE_IN_QUOTES,REMOVE_SUBJ,RISK_FREE 
autolearn=no version=2.64

MIME-Version: 1.0



Anything else obvious that I might be missing?  I think I'm close

Smith



If I'm not mistaken (and I could be, it's been a while since I've used 
the 2.6x series), the ALL_TRUSTED rule wasn't introduced until the 3.0x 
series.  Your headers show you're using 2.64.  Also, your debug output 
shows that spamassassin wasn't able to parse the internal_network 
settings (which also weren't introduced until the 3.0x series).


So, you either have some misconceptions about 2.64's capabilities, or 
you have 2 copies of spamassassin running in 2 different locations on 
your machine and the one in your path is 2.64, and causing you headaches.


HTH

alan


Re: Spamd dies after tcp timeout

2005-09-27 Thread Daryl C. W. O'Shea

Sander Holthaus - Orange XL wrote:

Next to that, I get quite a few Pyzor / Alarm errors (for about 5% of all
mail).
 
Never had any of such problems with SpamAssassin 3.0.x or 2.xx


The error has actually always been present.  We just didn't report it 
before.  If you were to call Pyzor independently you'd see the same 
error just as often.


There's a third party patch for Pyzor available:

Patches (you need all three):
http://antispam.imp.ch/08-opensource.html?lng=0

Discussion:
http://bugzilla.spamassassin.org/show_bug.cgi?id=4580


Daryl



How to check if content is spam or not?

2005-09-27 Thread BG Mahesh

hi

Users on a site submit content [resumes, classifieds etc]. The data needs to be 
checked for Spam. Data is stored in mysql. When the user submits the data, how 
can I route it thru Spamassassin and accept the data only if it is clean?

This has nothing to do with email.

regards,


--
B.G. Mahesh

