new type of spam
Guys, any way to filter or rules to filter this type of new spam: -- Naughty Kaylani In Lace Dress Pierced nippled babe Short Haired Mature Amateur In Stocking Nice titty blonde Anal action on a boat from Doug http://www.xebomehocafi.info?jZSjYY.bWQSPgfS,hVX,XM http://www.xebomehocafi.info/?jZSjYY.bWQSPgfS,hVX,XM/ A MILF movie from Daniel A woman posing in the kitchen from William --- Any ideas? __ Anton Krall Intruder Consulting www.intruder.com.mx http://www.intruder.com.mx/ Email: [EMAIL PROTECTED] Tel. 5781-5112 ext. 201 FWD Number: 613602 Messenger: [EMAIL PROTECTED]
Use of uninitialized value in scalar chomp.
Hello, I have recently upgraded using CPAN from Spam Assassin v3.0.4 to v3.1.0. Since doing that I have been getting the following error message:

Sep 29 14:56:12 HOST spamd[19995]: Use of uninitialized value in scalar chomp at /usr/bin/spamd line 1762, GEN5 line 2.
Sep 29 14:56:12 HOST spamd[19995]: Use of uninitialized value in concatenation (.) or string at /usr/bin/spamd line 1764, GEN5 line 2.

I am running the following syntax:

/usr/bin/spamd -m 10 -v -u vpopmail -d --round-robin

I am using vpopmail and running the service as vpopmail. I am piping the email into spamc using the following syntax in my .qmail-default files.

| spamc | /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox

Taking that on board here is my version output.

spamd -V
SpamAssassin Server version 3.1.0 running on Perl 5.8.6 with SSL support (IO::Socket::SSL 0.97)

It all appears to run; however, I am not really sure about these error messages. Any assistance would be greatly appreciated. Regards, Jimmy.
spamd cannot use bayes_path
Hi there, I use

spamc -u zmi -L spam

to learn spam. In my personal config, I have:

bayes_path ~/.spamassassin/bayes

and in the site-wide local.cf I tried with a) nothing set b) bayes_path /my_site_path

Both ways, I get these lines:

Sep 30 10:14:27 power2u spamd[25154]: config: not parsing, administrator setting: bayes_path ~/.spamassassin/bayes
Sep 30 10:14:27 power2u spamd[25154]: config: failed to parse line, skipping: bayes_path ~/.spamassassin/bayes

Is it true I cannot set the bayes_path per user when using spamc/spamd? When using spamassassin -D -r I can see that the user bayes is used correctly.

mfg zmi -- // Michael Monnerie, Ing.BSc --- it-management Michael Monnerie // http://zmi.at Tel: 0660/4156531 Linux 2.6.11 // PGP Key: lynx -source http://zmi.at/zmi2.asc | gpg --import // Fingerprint: EB93 ED8A 1DCD BB6C F952 F7F4 3911 B933 7054 5879 // Keyserver: www.keyserver.net Key-ID: 0x70545879
Nigerian scam not catched by 3.10?
I installed 3.10 on my testserver to compare some scores with my current 3.03 version. I only have the default checks. Some spam was not marked in 3.10 because checks like NIGERIAN_BODY* didn't get off. It seems that everything with 'NIGERIAN' in it is removed from /usr/share/spamassassin/*.cf in version 3.10. Any idea why? These checks were really important to me, I get a lot of Nigerian scams especially via hotmail. Regards Menno van Bennekom
best practise on learning spam
Performance question: I have an IMAP folder with 1500 spams. I convert it to a mbox format file, and want to learn this as spam. From what I see

spamassassin --mbox

is much quicker on learning such big files than

formail -n 3 -s spamc -u zmi -L spam

from that file (even tried -n 1 to -n 10). Can that be correct?

BTW, when I started with a -n value 1, I had up to 650 spamc processes, they seem to have waited for another spamd to become free, who wrote in his log

Sep 30 10:10:08 power2u spamd[21192]: prefork: child states: BB
Sep 30 10:10:08 power2u spamd[21192]: prefork: server reached --max-clients setting, consider raising it

Obviously, there are more than 3 processes started, but why?

mfg zmi -- // Michael Monnerie, Ing.BSc --- it-management Michael Monnerie // http://zmi.at Tel: 0660/4156531 Linux 2.6.11 // PGP Key: lynx -source http://zmi.at/zmi2.asc | gpg --import // Fingerprint: EB93 ED8A 1DCD BB6C F952 F7F4 3911 B933 7054 5879 // Keyserver: www.keyserver.net Key-ID: 0x70545879
sa-learn on mailbox or not ?
Hi (I use spamassassin-3.0.4), I have tried this on my account where I send all spam mail then have arrived on other my accounts: #sa-learn --spam --mbox /var/spool/mail/spam-report Learned from 18 message(s) (19 message(s) examined). ..but however also after this operation the same spam mail aren't stopped and delivered to my account!! where I mistake ?? thanks. Salvatore.
I love well maintained web sites..
This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: [EMAIL PROTECTED] Unrouteable address
Re: new type of spam
Looks like a variation on what I suspect may be one of Leo's businesses. I've been lazy and just collecting a handful of the common phrases to write rules against. Of course, there is probably good stuff in the headers you didn't show. Loren
Re: new type of spam
In an older episode (Friday, 30. September 2005 09:06), Anton Krall wrote: Guys, any way to filter or rules to filter this type of new spam: xebomehocafi dot info is listed in the JP SURBL blocklist and in the URIBL blacklist. are you using URIBL checks in SA? cheers, wolfgang
RE: sa-learn on mailbox or not ?
sasa wrote: Hi (I use spamassassin-3.0.4), I have tried this on my account where I send all spam mail then have arrived on other my accounts: #sa-learn --spam --mbox /var/spool/mail/spam-report Learned from 18 message(s) (19 message(s) examined). ..but however also after this operation the same spam mail aren't stopped and delivered to my account!! where I mistake ?? thanks. Hi Salvatore, sa-learn only feeds the emails to the Bayes training engine. This doesn't guarantee that the same email will be marked as spam in the future. There might have been other copies of the same or similar email that were incorrectly learned as ham, tilting the score towards ham. Also, Bayes score alone will not mark an email as spam in most cases. I wonder if your system of forwarding spams to that mbox might be changing the headers; many mail clients do that, most notoriously Outlook. That would greatly decrease the effectiveness of sa-learn, since Bayes considers both headers and message body. Good luck Pierre Thomson BIC
Re: sa-learn on mailbox or not ?
Pierre Thomson wrote: I wonder if your system of forwarding spams to that mbox might be changing the headers; many mail clients do that, most notoriously Outlook. That would greatly decrease the effectiveness of sa-learn, since Bayes considers both headers and message body. ..thanks for your aid but well how I can do for to obtain the result then I hope ?? ...is useless to do a forward of spam mail to another account for then to run sa-learn?? still thanks. Salvatore.
Re: Nigerian scam not catched by 3.10?
Menno van Bennekom wrote: I installed 3.10 on my testserver to compare some scores with my current 3.03 version. I only have the default checks. Some spam was not marked in 3.10 because checks like NIGERIAN_BODY* didn't get off. It seems that everything with 'NIGERIAN' in it is removed from /usr/share/spamassassin/*.cf in version 3.10. Any idea why? These checks were really important to me, I get a lot of Nigerian scams especially via hotmail. They're there, names just changed. Look for ADVANCE_FEE_ rules. These still hit Nigerian style scams for me regular as well as more generic scams. I did bump the scores for these rules up somewhat to help them along... Jay -- Jay Lee Network / Systems Administrator Information Technology Dept. Philadelphia Biblical University --
Re: OT = sendmail + winbind
Hi all. nss_ldap was previously installed, and I recently installed padl's pam_ldap. I really have no idea how to set up what I'm looking for. What do I do from here? Many thanks. Dimitri

On Wednesday September 28 2005 3:32 pm, Ben Lentz wrote: Use 'authconfig' and setup nss_ldap and pam_ldap to work directly with Active Directory. I do it here, and it works great. You may need to manually edit /etc/ldap.conf in order to get everything 100% (unless you use Services for Unix in your Active Directory). See http://www.padl.com/OSS/nss_ldap.html

- Original Message - *From:* Mike Jackson [EMAIL PROTECTED] *Sent:* 09/28/2005 03:24:40 PM *To:* users@spamassassin.apache.org *Subject:* OT = Sendmail + winbind That sounds more like an issue with your POP3/IMAP daemon than with Sendmail (unless you're talking about authenticated SMTP). Perhaps you should see about getting them to authenticate via LDAP or SMB.

- Original Message - From: Dimitri Yioulos [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Wednesday, September 28, 2005 12:11 Subject: OT = Sendmail + winbind Hello to all. I apologize for this off-topic post, but I'm getting no feed-back from the sendmail news group: I have sendmail-9.12.11-4.RHEL3.1 installed on a box in our DMZ. Our internal Linux boxes have samba installed, authenticate users against Win2k3 Active Directory, and file- and print-share great. But, I find that I have to create a new user account on the mail server every time a new employee comes aboard, in addition to the network account I create on the Win2k3 box. I'd like to be able to authenticate sendmail accounts through samba, too. I've added samba to the mail server, am running winbind, and wbinfo -u, wbinfo -g and getent passwd all return the values I expect. However, when I try to create access to a winbind-provided account via Outlook 2003, I'm repeatedly prompted for uname and password, and no connectivity. Gentlepeople, can anyone instruct me in what to do to make this work?
Many, many thanks. Dimitri
Re: Nigerian scam not catched by 3.10?
Menno van Bennekom wrote: I installed 3.10 on my testserver to compare some scores with my current 3.03 version. I only have the default checks. Some spam was not marked in 3.10 because checks like NIGERIAN_BODY* didn't get off. It seems that everything with 'NIGERIAN' in it is removed from /usr/share/spamassassin/*.cf in version 3.10. Any idea why? These checks were really important to me, I get a lot of Nigerian scams especially via hotmail.

They're there, names just changed. Look for ADVANCE_FEE_ rules. These still hit Nigerian style scams for me regular as well as more generic scams. I did bump the scores for these rules up somewhat to help them along...

I saw these rules but I don't think they are the same, for example I get this spamassassin -D result on the spam-mail with 3.1.0 (NIGERIA is in my local.cf):

X-Spam-Status: No, score=4.0 required=5.0 tests=BAYES_50,NEXT_OF_KIN,NIGERIA autolearn=no version=3.1.0

and this with the exact same mail in 3.0.3:

X-Spam-Status: Yes, score=8.4 required=5.0 tests=BAYES_50,NEXT_OF_KIN, NIGERIA,NIGERIAN_BODY1,NIGERIAN_BODY2 autolearn=no version=3.0.3

Regards Menno
spamd shutdown (3.1.0)
Folks: This morning spamd shutdown for some reason ... I can't determine what it might be. The log showed this ...

Sep 30 07:28:54 linux spamd[15172]: Can't locate LMAP/CID2SPF.pm in @INC (@INC contains: lib ../lib /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl) at /usr/lib/perl5/site_perl/5.8.0/Mail/SPF/Query.pm line 1749, GEN1430 line 105.

and then this ...

Sep 30 07:29:57 linux spamd[14373]: prefork: child states: II
Sep 30 07:30:09 linux spamd[14373]: tcp timeout at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/SpamdForkScaling.pm line 195.
Sep 30 07:30:11 linux spamd[14373]: tcp timeout at /usr/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/SpamdForkScaling.pm line 195.
Sep 30 07:30:34 linux spamc[31170]: connect(AF_INET) to spamd at 127.0.0.1 failed, retrying (#1 of 3): Connection refused

The first error I fixed by installing CID2SPF.pm using bug http://bugzilla.spamassassin.org/show_bug.cgi?id=4541 as a reference (it's shown up in the log a number of times, now that I've noticed it). Is the other error related? Thanks! david
Re: spamd dies with
On Thu, 29 Sep 2005, A J Thew wrote: From: A J Thew [EMAIL PROTECTED] To: users@spamassassin.apache.org Date: Thu, 29 Sep 2005 11:33:42 +0100 Subject: spamd dies with It appears that this (or similar) has been seen by others but I'll give my 2p worth http://bugzilla.spamassassin.org/show_bug.cgi?id=4594 ... at this point spamd stops responding completely until shutdown and re-started. I've reverted to --round-robin

It'll be cold comfort to you, but note that this doesn't affect everyone. I've been happily using the Apache httpd server model of hot child processes for spamd since Justin Mason produced the patch for SpamAssassin-3.0.1. Currently running with that patch applied to SpamAssassin-3.0.4 and I don't anticipate any problems with SpamAssassin-3.1.0. Especially as I've got SpamAssassin-3.1.0 running on a dual-processor OpenBSD box OK.

My production machines are single-processor OpenBSD boxes. The last time I restarted spamd on the production boxes was 4th July[1]. So they've been running happily for nearly three months. The permanent spamds managing the child processes have all clocked up 26 or 27 minutes of CPU time. Seems a bit pointless that I'm running spamd under the control of daemontools to ensure it does keep running.

[1] Yes this does mean I'm running with some slightly outdated rules from the SpamAssassin Rules Emporium. The rules have been updated, I just need to restart spamd to pick them up. Seems such a shame when it's been performing so well :-)

-- Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK [EMAIL PROTECTED] Phone: +44 1225 386101
RE: Personal Rule
From: Bowie Bailey After some experimentation, I came up with this simpler rule. It should match if your domain shows up in the TO or CC headers and it is matched to a realname that does not include mike or michael. Try it and see what happens

header __TOCC_MYEMAIL ToCc =~ /[EMAIL PROTECTED]/i
header __TOCC_NOT_MYNAME ToCc !~ /(?:^|,)[,\s]{0,10}(?:\b(?:mike|michael)\b)?[\s]{0,10}[^@[EMAIL PROTECTED] et/i
meta NOT_MY_NAME ( __TOCC_MYEMAIL && __TOCC_NOT_MYNAME )
score NOT_MY_NAME 1

I just realized that this is not quite right. Try this instead:

header __TOCC_NOT_MYNAME ToCc !~ /(?:^|,)[\s]{0,10}(?:\b(?:mike|michael)\b)?[^]{0,10}[^@]{1,[EMAIL PROTECTED] \.net/i

This one specifies that the real name must start with mike or michael, but there may be more text after it. You may even want to specify it a bit more closely by specifying that your first name may only be followed by your last name. That would look like this:

header __TOCC_NOT_MYNAME ToCc !~ /(?:^|,)[\s]{0,10}(?:\b(?:(?:mike|michael)(?: smith)?)\b)?[\s]{0,10}[^@]{1,[EMAIL PROTECTED]/i

Once again, make sure it is all on one line. The only space is before 'smith' (which you should replace with your last name if this is not correct). This regex isn't perfect. It doesn't attempt to pair the quotes and it can be confused by commas inside quoted strings, but it is probably the best you can do without the regex getting hugely complicated.

Explanation of the second regex:

(?:^|,)
  Start at the beginning of the line, or at a comma
[\s]{0,10}
  Zero to ten quotes or whitespace characters
(?:\b(?:mike|michael)(?: smith)?\b)?
  Optionally, Mike or Michael as a single word. If it is there, it can be followed by Smith. You can expand this section to match all common variations of your name.
[\s]{0,10}
  Zero to ten quotes or whitespace characters
[^@]{1,30)[EMAIL PROTECTED]
  An email address ending with @ernstoff.net in angle brackets
/i
  Make it a case-insensitive match

Bowie
RE: Personal Rule
From: Herb Martin [mailto:[EMAIL PROTECTED] Bowie That will match a name in quotes, but the real name is not required to be quoted if there are no spaces or odd characters. To: Herb [EMAIL PROTECTED] ... is a perfectly good header and will not match your pattern. It will also not match a missing real name field, which the OP wanted. Useful criticism -- thanks. ...and yet I have never seen one of these fake real names without the quotes, probably because these are always in this format: Firstname Lastname [EMAIL PROTECTED] Removing the quotes will however simplify the whole thing though. I was speaking hypothetically until I examined my inbox at home and found that my wife's emails do not have quotes around my name. She is using the current version of Thunderbird, so this probably happens enough to cause problems if you don't allow for it. Bowie
Re: Use of uninitialized value in scalar chomp.
Because of the following part of /usr/bin/spamd... It tries to set the $dir variable to the virtual homedir, but it can't, so it sets $dir to an undefined value. Then chomp and '.' (string concatenation) complain when they try to operate on an undefined value. You'll see these warnings since the first line of /usr/bin/spamd '#!/usr/bin/perl -T -w' says to show warnings.

    # If vpopmail config enabled then set $dir to virtual homedir
    #
    if ( $opt{'vpopmail'} ) {
      my $vpopdir = $dir;
      $dir = `$vpopdir/bin/vuserinfo -d $username`;
      if ($? != 0) {
        #
        # If vuserinfo failed $username could be an alias
        #
        $dir = `$vpopdir/bin/valias $username`;
        if ($? == 0 && $dir !~ /.+ -> &/) {
          $dir =~ s,.+ -> (/.+)/Maildir/,$1,;
        } else {
          undef($dir);
        }
      }
      chomp($dir);
    }
    my $cf_file = $dir . "/.spamassassin/user_prefs";

On Friday 30 September 2005 03:59, Jimmy wrote: Hello, I have recently upgraded using CPAN from Spam Assassin v3.0.4 to v3.1.0. Since doing that I have been getting the following error message:

Sep 29 14:56:12 HOST spamd[19995]: Use of uninitialized value in scalar chomp at /usr/bin/spamd line 1762, GEN5 line 2.
Sep 29 14:56:12 HOST spamd[19995]: Use of uninitialized value in concatenation (.) or string at /usr/bin/spamd line 1764, GEN5 line 2.

I am running the following syntax:

/usr/bin/spamd -m 10 -v -u vpopmail -d --round-robin

I am using vpopmail and running the service as vpopmail. I am piping the email into spamc using the following syntax in my .qmail-default files.

| spamc | /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox

Taking that on board here is my version output.

spamd -V
SpamAssassin Server version 3.1.0 running on Perl 5.8.6 with SSL support (IO::Socket::SSL 0.97)

It all appears to run; however, I am not really sure about these error messages. Any assistance would be greatly appreciated. Regards, Jimmy.
Re: sa-learn on mailbox or not ?
At 06:44 AM 9/30/2005, sasa wrote: Hi (I use spamassassin-3.0.4), I have tried this on my account where I send all spam mail then have arrived on other my accounts: #sa-learn --spam --mbox /var/spool/mail/spam-report Learned from 18 message(s) (19 message(s) examined). ..but however also after this operation the same spam mail aren't stopped and delivered to my account!! where I mistake ?? What rules did it hit? There are dozens of possible problems, many of which will show up if you post an X-Spam-Status header from one of the messages.
RE: Personal Rule
Bowie Bailey wrote: ...and yet I have never seen one of these fake real names without the quotes, probably because these are always in this format: Firstname Lastname [EMAIL PROTECTED] Removing the quotes will however simplify the whole thing though. I was speaking hypothetically until I examined my inbox at home and found that my wife's emails do not have quotes around my name. She is using the current version of Thunderbird, so this probably happens enough to cause problems if you don't allow for it. My point was that (presumably) your wife is NOT spamming you (or me) with forged emails and so would be included when I say, 'I have never seen a FAKE [one] without the quotes.' We aren't checking for FAILURE to find the quotes but rather only checking those WHICH HAVE the quotes and then do NOT ALSO have (a version of) the real name. If you wish to check for forgeries without the quotes that may be useful (thus legitimate criticism) but so far no forgeries without the quotes and conservative filtering is my usual method. -- Herb
problem with ok_laguages option?
Hello, I'm getting some warning about the ok_languages config option. Did this parameter has changed? I couldn't find it in the notes for upgrading to SA 3.1.0 This is the output of spamassassin -D --lint: [27255] warn: config: failed to parse, now a plugin, skipping: ok_languagesall [27255] warn: config: failed to parse, now a plugin, skipping: ok_languagesen es fr de This option is not working anymore?? BR, Matias.
Re: problem with ok_laguages option?
Matias Lopez Bergero wrote: Hello, I'm getting some warning about the ok_languages config option. Did this parameter has changed? I couldn't find it in the notes for upgrading to SA 3.1.0 This is the output of spamassassin -D --lint: [27255] warn: config: failed to parse, now a plugin, skipping: ok_languagesall [27255] warn: config: failed to parse, now a plugin, skipping: ok_languagesen es fr de This option is not working anymore?? BR, Matias. Yes, it did change. See the UPGRADE doc for more info. -- Thanks, James Rallo Trusswood Inc. [EMAIL PROTECTED] www.Trusswood.Net Tele: (321) 383-0366 Fax: (321) 383-0362
Re: sa-learn on mailbox or not ?
Matt Kettler wrote: What rules did it hit? There are dozens of possible problems, many of which will show up if you post an X-Spam-Status header from one of the messages. ..I use SA across amavisd-new, in my header mail I have only X-Virus-Scanned: amavisd-new at mydomain.it and then in log file I have same score 2.923. still thanks. Salvatore.
RE: Personal Rule
From: Herb Martin [mailto:[EMAIL PROTECTED] Bowie Bailey wrote: ...and yet I have never seen one of these fake real names without the quotes, probably because these are always in this format: Firstname Lastname [EMAIL PROTECTED] Removing the quotes will however simplify the whole thing though. I was speaking hypothetically until I examined my inbox at home and found that my wife's emails do not have quotes around my name. She is using the current version of Thunderbird, so this probably happens enough to cause problems if you don't allow for it. My point was that (presumably) your wife is NOT spamming you (or me) with forged emails and so would be included when I say, 'I have never seen a FAKE [one] without the quotes.' We aren't checking for FAILURE to find the quotes but rather only checking those WHICH HAVE the quotes and then do NOT ALSO have (a version of) the real name. If you wish to check for forgeries without the quotes that may be useful (thus legitimate criticism) but so far no forgeries without the quotes and conservative filtering is my usual method. This last message wasn't meant as a further criticism, just to point out that there are real emails being sent in this format. I wasn't sure of that previously, I just knew that the RFC allows it. Looking back at your patterns, you required quotes in both sub-matches, so your meta would never match if the real name did not have quotes. Thus, it's not a problem for false positives as you said. It would, however, fail to match a spam that is sent without the quotes. You said you have never seen one like that and I don't see any in my current spam folders either, so it may be a moot point. Regardless, there are always multiple ways of doing anything. And there are usually problems with all of them. As I pointed out in the last version of my pattern attempt, mine has the problem of not pairing the quotes and so can get confused by embedded commas. The OP can pick whichever one works best for him. 
Hmmm Maybe I could capture an optional match for a quote and then use that match later to pair the quote (or lack thereof). I may attempt that later today. Bowie
Re: spamd cannot use bayes_path
Michael Monnerie wrote: Is it true I cannot set the bayes_path per user when using spamc/spamd?

No, you cannot, other than by using ~/ to direct it into their home directory at a site-wide level. The same goes for any path setting. This has to do with security concerns. Spamd is a mixed privilege application (started as root, setuid'ed later), and giving the user power to dictate directories could cause a security hole if something went awry in spamd's setuid process. By default users also can't create any rule statements which might have regular expressions in them, for the same reasons.

When using spamassassin -D -r I can see that the user bayes is used correctly.

Yes, the spamassassin script doesn't enforce any security rules, and will accept any parameter in user_prefs, even admin settings. This is because spamassassin always runs as the current user, it never starts as one user then setuid's to another. No mixed-privilege security problems possible.
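Added example (not part of the original posts, and not SpamAssassin code): a small log triage script for the two situations discussed in this thread, spamd refusing an administrator-only setting such as bayes_path from a per-user config, and the "now a plugin" warning reported for ok_languages. The function names, reason codes and sample lines are assumptions made for this illustration; only the three message texts quoted in the thread are recognised.

```python
import re

# Constructed sample input, modelled on the lines quoted in this thread:
# two syslog lines from spamd, one unrelated spamd line, and one line of
# "spamassassin -D --lint" output (whitespace normalised).
SAMPLE_LOG = """\
Sep 30 10:14:27 power2u spamd[25154]: config: not parsing, administrator setting: bayes_path ~/.spamassassin/bayes
Sep 30 10:14:27 power2u spamd[25154]: config: failed to parse line, skipping: bayes_path ~/.spamassassin/bayes
Sep 30 10:14:29 power2u spamd[25154]: prefork: child states: BB
[27255] warn: config: failed to parse, now a plugin, skipping: ok_languages en es fr de
"""

# Message text -> reason code (codes are hypothetical labels for this example).
REASONS = [
    ("not parsing, administrator setting:", "admin_only"),
    ("failed to parse, now a plugin, skipping:", "moved_to_plugin"),
    ("failed to parse line, skipping:", "parse_failed"),
]

# When one setting is reported several times, keep the most specific reason:
# "parse_failed" is only the follow-on message after "admin_only".
PRIORITY = {"admin_only": 0, "moved_to_plugin": 1, "parse_failed": 2}

# Accept either a syslog prefix ("Mon DD HH:MM:SS host prog[pid]:")
# or the lint/debug prefix ("[pid] warn:"), followed by "config:".
PREFIX = re.compile(
    r"^(?:\w{3}\s+\d+\s+[\d:]+\s+\S+\s+[\w.-]+\[(?P<syslog_pid>\d+)\]:"
    r"|\[(?P<lint_pid>\d+)\]\s+\w+:)"
    r"\s*config:\s*(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for a recognised config warning, or None for anything else."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    for text, reason in REASONS:
        if msg.startswith(text):
            rest = msg[len(text):].strip()
            if not rest:
                return None
            # First token is the setting name, the remainder is its value.
            setting, _, value = rest.partition(" ")
            return {
                "pid": int(m.group("syslog_pid") or m.group("lint_pid")),
                "reason": reason,
                "setting": setting,
                "value": value.strip(),
            }
    return None


def summarize(lines):
    """Map each rejected setting to the most specific reason seen for it."""
    best = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        current = best.get(rec["setting"])
        if current is None or PRIORITY[rec["reason"]] < PRIORITY[current]:
            best[rec["setting"]] = rec["reason"]
    return best


if __name__ == "__main__":
    for setting, reason in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{setting}: {reason}")
```

Settings reported as admin_only have to be moved to the site-wide configuration, as the reply above explains; settings reported as moved_to_plugin are covered by the UPGRADE document.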
RE: Personal Rule
Bowie Hmmm Maybe I could capture an optional match for a quote and then use that match later to pair the quote (or lack thereof). I may attempt that later today. Good idea but perhaps easier (maybe even faster) would be to just write an extra META rule and 'or' them. -- Herb Martin
errors during sa-learn
As part of a nightly cron job that deletes accumulated spam and runs the messages through sa-learn, I see the following error relatively frequently: Use of uninitialized value in pattern match (m//) at /usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Message/Node.pm line 119 The cron script looks for messages older than seven days, runs them through sa-learn, then deletes them. On the last run, it processed over 300 messages, and the error appeared about 200 times (I can't be more specific about the messages that triggered, since this is just the script output as captured by cron and mailed to me). I'm running SA 3.1.0, perl 5.8.7 (as you can see above), on FreeBSD 5.4-STABLE. The Bayes data is stored in MySQL (version 4.1.12, if that matters). I looked through the bug database and didn't see anything that stuck out as related to this. Any ideas?
Re: OT: Thunderbird 1.5 integratgion
Marco van den Bovenkamp wrote: Tim Litwiller wrote: You can configure Thunderbird to check for the SpamAssassin headers and automatically flag the message as Junk. So the Thunderbird client-side filtering will work in conjunction with the server-side filtering. And then you use imap to put your junk folder back on the server so you can run sa-learn on it - so you just click the junk button and sa-learn learns your preferences and also relearns if needed on ones that spamassassin caught as well as the ones that it didn't. But what's new about that? All that takes is a filter rule on a custom header, which I've been doing for ages. As I read the setting -- just installed 1.5 -- it seems to suggest that if you are getting SA headers, Tbird will trust them. So if you are *also* using Tbird's Junk features (bayes), they will not override SA's headers. I've previously not used any of Tbird's Junk features because I too use SA and server rules to handle that stuff. But this could make them work together a little more nicely, or give people w/o the possibility of setting server-side rules to having routing of junk automatically to the appropriate place. I'm at least going to see how they play together, but might still revert to turning the client stuff off again. Bill
Re: spamd shutdown (3.1.0)
On Fri, Sep 30, 2005 at 08:55:22AM -0500, David Gibbs wrote: Sep 30 07:28:54 linux spamd[15172]: Can't locate LMAP/CID2SPF.pm in @INC /usr/lib/perl5/site_perl/5.8.0/Mail/SPF/Query.pm line 1749, GEN1430 Mail::SPF::Query wants to use LMAP::CID2SPF, but you don't have it installed. -- Randomly Generated Tagline: Real Programmers Practice Safe HEX.
Re: Disabled code section in README
Adrian Daminato wrote: I'm also wondering if anyone has been able to find any more specific information around Cloudmark's policies for their publicly available servers that Razor2 uses. Even though we have been using Razor for over a year, after this recent change in Spamassassin, it's made us wary as to whether we can/should continue using this service (i.e. what exactly does not always free mean to us?). Yep. Way back in the razor-users mailing list archives... http://thread.gmane.org/gmane.mail.spam.razor.user/2409 Vipul himself stated: As long as ISP does not publish commercial software that embeds Razor, it's covered under personal usage. and The restrictions only apply to those who are selling commercial systems that integrate Razor agents. This is two years old (it's from the thread announcing the policy), but AFAIK it's still valid. So it should still be free for a business or ISP to use Razor on its email server. As for volume, the last number I remember seeing is 100,000+ checks/day, but that pre-dates the August 2003 policy. If you're near or above that, you might want to ask over at razor-users or contact Cloudmark, but I'd guess that if they haven't blocked queries from your IP, you're probably OK. -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Disabled code section in README
I'm also wondering if anyone has been able to find any more specific information around Cloudmark's policies for their publicly available servers that Razor2 uses. Even though we have been using Razor for over a year, after this recent change in Spamassassin, it's made us wary as to whether we can/should continue using this service (i.e. what exactly does not always free mean to us?). Not that I want to threadjack, but this prompts the questions: Is there an advantage to running Razor over Pyzor? And, do you gain anything by running both simultaneously? (Other than increased system load, that is.)
SA 304/spamc milter question
We want to do some testing of our email system with, and without, SA intercepting the mails. Currently, we have SA 304 installed and running with sendmail, using the milter-spamc hook. I just want to verify that if one manually shuts down the spamd daemon, that the emails would be eventually passed along as unchecked email after any appropriate timeouts are encountered ? I basically want to avoid having to recompile sendmail to remove the milter lines currently in the system.
Re: SA 304/spamc milter question
Dr Robert Young wrote: We want to do some testing of our email system with, and without, SA intercepting the mails. Currently, we have SA 304 installed and running with sendmail, using the milter-spamc hook. I just want to verify that if one manually shuts down the spamd daemon, that the emails would be eventually passed along as unchecked email after any appropriate timeouts are encountered ? I basically want to avoid having to recompile sendmail to remove the milter lines currently in the system. I'm not sure where your question is. To test this out, disable spamd... Jay -- Jay Lee Network / Systems Administrator Information Technology Dept. Philadelphia Biblical University --
Re: SA not workin
Jim, I must thank you and all the others for your valuable help... I installed qmail-scanner-1.25 yday... and configured it with SA as one of the scanners... and it worked!!! Thank you so much... hate to think that just this small piece was missing and I didn't get it. Just one question... I have set up the rules and other config settings and spam is quite controlled... But... how do I stop spam that is relayed to everyone when the user is not present at mydomain.com? For ex. suppose an email is sent to [EMAIL PROTECTED] which is obviously spam as the user xyz doesn't exist... this mail gets relayed to everyone at mydomain.com... how do I stop these? I can blacklist them but there are infinite no of permutations that spammers could come up with...
Re: Disabled code section in README
Mike Jackson wrote:
> Not that I want to threadjack, but this prompts the questions: Is there an advantage to running Razor over Pyzor? And, do you gain anything by running both simultaneously? (Other than increased system load, that is.)

Well, Razor's implemented in Perl, so SA can just call the code via the Perl module. It uses several different engines to generate hashes, so it's better at catching polymorphic spam, including one that focuses on embedded URLs (which makes it somewhat SURBL-like). It's more robust than Pyzor, and currently maintained. The client uses the Artistic License, but there are some limitations on using the service (though most people probably won't run into them), and the server design is closed. (I believe there was some talk about developing a caching server, which would have been a commercial product, but I don't remember whether it went anywhere.)

Pyzor's implemented in Python, so SA has to actually call out to the pyzor script. So there's the two levels of overhead (calling an executable and firing up Python). The Pyzor client hasn't been updated in several years, and includes some long-standing known bugs with message handling such that it can crash on certain types of malformed input. (A bad transfer encoding header is all it takes.) It only has one engine, and I believe the user base is smaller. (Of course, that cuts both ways -- less spam gets submitted, but fewer false positives get submitted too.) However, both the client and server are 100% free, and you can run your own Pyzor server if you want to.

I haven't run the numbers in at least a year, but the last time I compared results there was a significant difference in which spam was caught by each service. There was a large overlap, of course, but there were enough messages that were only caught by Pyzor or only caught by Razor that it was worth calling both if you could afford the increased load.

--
Kelson Vibber
SpeedGate Communications
www.speed.net
RE: SA 304/spamc milter question
Dr Robert Young wrote:
> I just want to verify that if one manually shuts down the spamd daemon, that the emails would be eventually passed along as unchecked email after any appropriate timeouts are encountered?

That's dependent on the milter line in your sendmail.mc file. If the milter line says tempfail if the milter doesn't respond, or even permfail if the milter doesn't respond, then you'll have a problem.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
RE: new type of spam
Sorry Loren. I'll post the headers next time I get one..

|-Original Message-
|From: Loren Wilton [mailto:[EMAIL PROTECTED]
|Sent: Friday, September 30, 2005 6:23 AM
|To: users@spamassassin.apache.org
|Subject: Re: new type of spam
|
|Looks like a variation on what I suspect may be one of Leo's
|businesses.
|I've been lazy and just collecting a handful of the common
|phrases to write rules against.
|Of course, there is probably good stuff in the headers you didn't show.
|
|Loren
RE: new type of spam
Yep, I'm using URIBL lists but not all mails are being caught.

|-Original Message-
|From: wolfgang [mailto:[EMAIL PROTECTED]
|Sent: Friday, September 30, 2005 6:32 AM
|To: users@spamassassin.apache.org
|Subject: Re: new type of spam
|
|In an older episode (Friday, 30. September 2005 09:06), Anton
|Krall wrote:
| Guys, any way to filter or rules to filter this type of new spam:
|
|xebomehocafi dot info
|
|is listed in the JP SURBL blocklist and in the URIBL blacklist.
|
|are you using URIBL checks in SA?
|
|cheers,
|
|wolfgang
RE: new type of spam
Hi!

> Yep, I'm using URIBL lists but not all mails are being caught.
>
> |is listed in the JP SURBL blocklist and in the URIBL blacklist.
> |
> |are you using URIBL checks in SA?

Combine this with some SARE rules and you will see not much coming in. ;)

Bye,
Raymond.
Re: SA not workin
Shwetar (sent by Nabble.com) wrote:
> Jim, I must thank you and all the others for your valuable help... I installed qmail-scanner-1.25 yday... and configured it with SA as one of the scanners... and it worked!!! Thank you so much... hate to think that just this small piece was missing and I didn't get it.

Not a problem.. most of the time the fixes aren't very involved.. you just have to know where to look and what to do once you find the right place.

> Just one question... I have setup the rules and other config settings and spam is quite controlled... But... how do I stop spam that is relayed to everyone when the user is not present at mydomain.com? For ex. suppose an email is sent to [EMAIL PROTECTED] which is obviously spam as the user xyz doesn't exist... this mail gets relayed to everyone at mydomain.com... how do I stop these? I can blacklist them but there are infinite no of permutations that spammers could come up with...

I'm not really sure what you are asking here. If someone sends mail to a nonexistent address, how is it relayed to everyone else at that domain? If the address doesn't exist, it shouldn't be delivered to anyone at all.. except maybe a catchall account.

-Jim
{SPAM} Re: new type of spam
Raymond Dijkxhoorn wrote:
> Hi!
>
>> Yep, I'm using URIBL lists but not all mails are being caught.
>>
>> |is listed in the JP SURBL blocklist and in the URIBL blacklist.
>> |
>> |are you using URIBL checks in SA?
>
> Combine this with some SARE rules and you will see not much coming in.

I use URIBL's and many SARE rules, including SARE's adult rules, and a lot of this latest wave got missed.

Attached is a subset of some porn rules I've been working on. They're experimental, but they seem to work pretty well with fairly low FP rate. They might have some FP cases I haven't noticed yet, so be careful with them, but you might want to try them out.

#people
body __L_BOYS /\bb[o0]y[sz]\b/i
body __L_GIRLS /\b(?:school)?girl(?:ie)?[sz]?\b/i
body __L_VIRGIN /\bvirgin[sz]?\b/i
body __L_TEEN /\bteen(?:ager)?[sz]?\b/i
body __L_YOUNG /\by[o0]ung\b/i
body __L_YOUTH /\by[o0]uth(?:ful)?\b/i
body __L_LESB /\blesbian[sz]?\b/i
body __L_GAY /\bgay[sz]?\b/i
body __L_DAUGHTER /\b(?:grand)?daughters?\b/i
body __L_SON /\b(?:grand)?sons?\b/i
body __L_INOC /\binn?ocent\b/i
body __L_HOTB /\bhot(?:tie| babe)s?\b/i

#body parts
body __L_COCK /\bc[o0]ck\b/i
body __L_PUS /\bpuss(?:y|ies)\b/i
body __L_TI /\btit(?:ie)?[sz]?\b/i
body __L_ASS /\bass(?:hole)?e?[sz]?\b/i

#acts and states related to porn
body __L_MAST /\bmasturbat(?:e|ed|ing|ion)\b/i
body __L_FCK /\bfuck(?:ed|ing)?/i
body __L_BLO /\bblowjobs?\b/i
body __L_NUDE /\bnude[sz]?\b/i
body __L_EROTIC /\berotic\b/i
body __L_NAKED /\bnaked\b/i
body __L_EXPLICIT /\b[e3]xpl[i1]c[i1]t\b/i
body __L_HARDCORE /\bhardc[o0]r[e3]\b/i
body __L_INCEST /\b[i1]nc[e3][sz]t\b/i
body __L_ANAL /\baa?nn?aa?ll?\b/i
body __L_JIZZ /\bjizz\b/i
body __L_FAC /\bfacial(?:ed)?\b/i
body __L_BACK /\bbackdoor (?:action|penetration|pounding)\b/i
body __L_THROB /\bthrobbing\b/i

#media
body __L_PHOTO /\bph[o0]t[o0][sz]?\b/i
body __L_VIDEO /\bvid[e3][o0][sz]?\b/i
body __L_MOVIE /\bm[o0]vi[e3][sz]?\b/i

uri L_PORN_GEOURI /(?:www|uk|de|sk)\.geocities\.com\/[a-z0-9]{1,20}_[a-z0-9]{1,20}_[0-9]{1,6}\//
describe L_PORN_GEOURI contains a suspect geocities weblink
score L_PORN_GEOURI 2.0

meta L_P_GEODOUBLE (L_PORN_GEOURI && (__L_GIRLS || __L_VIRGIN || __L_TEEN || __L_FCK))
score L_P_GEODOUBLE 1.5

body L_P_MEMBERS_AREA /\bmembers area\b/i
score L_P_MEMBERS_AREA 0.5
body L_P_PICS /\bPics\b/i
score L_P_PICS 0.1
body L_P_VIDS /\bVids\b/i
score L_P_VIDS 0.1
body L_P_CLIPS /\bClips\b/i
score L_P_CLIPS 0.1
body L_P_AVI /\bAVIs?\b/i
score L_P_AVI 0.1
body L_P_MPEG /\bMPEGs?\b/i
score L_P_MPEG 0.1
body L_P_DP /\bdouble (?:penetrat(?:ion|ed)|plugged)\b/i
score L_P_DP 0.5

#youth or erotica coupled with pics, vids, etc.
meta L_P_COMBO1 ((__L_INCEST || __L_FAC || __L_NUDE || __L_EROTIC || __L_GIRLS || __L_VIRGIN || __L_TEEN || __L_FCK || __L_HARDCORE || __L_ANAL || __L_JIZZ) && (L_P_PICS || L_P_VIDS || L_P_CLIPS || L_P_AVI || L_P_MPEG))
score L_P_COMBO1 1.8

#erotica coupled with movie, photo, pictures, etc
meta L_P_COMBO4 ((__L_INCEST || __L_FAC || __L_EROTIC || __L_FCK || __L_HARDCORE || __L_ANAL || __L_JIZZ || __L_COCK) && (__L_VIDEO || __L_PHOTO || __L_MOVIE))
score L_P_COMBO4 1.5

#young person coupled with dirty act/nudity
meta L_P_COMBO2 ((__L_TEEN || __L_GIRLS || __L_BOYS || __L_VIRGIN) && (__L_BACK || __L_NUDE || __L_NAKED || __L_EROTIC || __L_FCK || __L_EXPLICIT || __L_INCEST || __L_COCK || __L_ANAL || __L_JIZZ || __L_PUS || __L_TI || __L_MAST || L_P_DP))
score L_P_COMBO2 2.0

#youth coupled with dirty act/nudity
meta L_P_COMBO3 ((__L_YOUNG || __L_YOUTH || __L_INOC) && (__L_BACK || __L_EROTIC || __L_EXPLICIT || __L_HARDCORE || __L_INCEST || __L_FCK || __L_COCK || __L_ANAL || __L_JIZZ || __L_PUS || __L_TI || __L_MAST || L_P_DP))
score L_P_COMBO3 2.0

#gay/lesbian with dirty act - note, I removed some words to reduce FPs (nude/tits)
# as these might be adults who are legitimately nude at a protest, etc.
meta L_P_COMBO4 ((__L_GAY || __L_LESB) && ( __L_EROTIC || __L_FCK || __L_EXPLICIT || __L_INCEST || __L_COCK || __L_ANAL || __L_JIZZ || __L_PUS || __L_MAST))
score L_P_COMBO4 1.0

meta L_P_DAUGHT1 (__L_DAUGHTER && ( __L_EROTIC || __L_EXPLICIT || __L_INCEST || __L_COCK || __L_ANAL || __L_PUS || __L_TI || L_P_DP))
score L_P_DAUGHT1 2.0

#removed hardcore.. my son is a hardcore football fan etc
meta L_P_SON1 (__L_SON && ( __L_EROTIC || __L_EXPLICIT || __L_INCEST || __L_COCK || __L_ANAL || __L_PUS || __L_TI || L_P_DP)
)
score L_P_SON1 1.0

meta L_P_MULTI3 ((__L_HOTB + __L_THROB + __L_BACK + __L_FAC + __L_BLO + __L_MAST + __L_ANAL + __L_JIZZ + __L_COCK + __L_TEEN + __L_GIRLS + L_P_DP + __L_VIRGIN + __L_NUDE + __L_EROTIC + __L_NAKED + __L_FCK + __L_YOUNG + __L_NUDE + __L_EXPLICIT + __L_INCEST) > 3)
score L_P_MULTI3 1.8

#note: this rule
Recommended setup..
I recently upgraded to SpamAssassin's latest rev.. I noticed that a lot of the old rules I had have been either integrated or removed.. And there are now a lot of uri's and such being used natively... Has anybody come up with a list that, short of 'custom' rules, works well with the latest SA? I don't feel certain I'm not running duplicates or missing things that perhaps I should have.. I'm running RDJ with most rules being used.. Which rules are now plugins? I thought I saw spamcop in the RDJ setup, but also see it in the plugins that SA uses.. I realize what is my best setup may be different than any of yours, but a SA default would be a nice list to see.. Then I could add to that as I need to.. Thanks!
Re: {SPAM} Re: new type of spam
Hi!

>> |are you using URIBL checks in SA?
>>
>> Combine this with some SARE rules and you will see not much coming in.
>
> I use URIBL's and many SARE rules, including SARE's adult rules, and a lot of this latest wave got missed. Attached is a subset of some porn rules I've been working on. They're experimental, but they seem to work pretty well with fairly low FP rate. They might have some FP cases I haven't noticed yet, so be careful with them, but you might want to try them out.

You could try:

http://www.rulesemporium.com/rules/70_sare_specific.cf

Catches a lot of the ph*rm spams out there.

Bye,
Raymond.
How to go about reviewing/re-scoring
My SA 3.10 is working very well and now I am looking to tune some of the rules, especially those 'acquired' from SARE and others who publish. The only tools I am using are sa-stats (and I believe there are several programs with this name):

# file: sa-stats.pl
# date: 2005-07-27
# version: 0.9
# author: Dallas Engelken [EMAIL PROTECTED]
# desc: SA 3.x log parser

...along with grepping for various patterns in both log messages and in the sa-stats output.* I can begin modifying this script (e.g., include scores from the .cf files) or perhaps there are good suggestions for managing and re-scoring (especially add-on) rules?

Example: grep to find rules that hit EITHER no Spam or no Ham and decide if they are scoring on the correct side, and at the correct level:

The following are Ham hits that have 0.00 patterns: (from the 2000 most recent spamd log entries):

  9  USER_IN_WHITELIST_TO   202  1.87  10.10  0.000  12.16867
 10  USER_IN_WHITELIST      159  1.47   7.95  0.000   9.57831
 12  DK_SIGNED              154  1.43   7.70  0.000   9.27711
 24  RCVD_IN_BSP_TRUSTED     47  0.43   2.35  0.000   2.83133
 49  Y_GAPPY_DASHES5         18  0.17   0.90  0.000   1.08434
 50  TW_YG                   18  0.17   0.90  0.000   1.08434
 52  FU_QUE_NO_SLASH         18  0.17   0.90  0.000   1.08434
 58  FR_DIV_CLEAR            16  0.15   0.80  0.000   0.96386
 67  HTML_TINY_FONT          15  0.14   0.75  0.000   0.90361
 70  DK_VERIFIED             14  0.13   0.70  0.000   0.84337
 71  TW_DH                   14  0.13   0.70  0.000   0.84337
 73  J_CHICKENPOX_53         14  0.13   0.70  0.000   0.84337
 77  SARE_MSGID_LONG40       13  0.12   0.65  0.000   0.78313
 78  FH_MSGID_HUGE_40        13  0.12   0.65  0.000   0.78313
 79  J_CHICKENPOX_75         13  0.12   0.65  0.000   0.78313
 82  SARE_HTML_HEAD_EMPTY    12  0.11   0.60  0.000   0.72289
 84  FR_HEAD_EMPTY           12  0.11   0.60  0.000   0.72289
 85  FS_OBFU_Q1              12  0.11   0.60  0.000   0.72289
 89  J_CHICKENPOX_19         11  0.10   0.55  0.000   0.66265
 92  Y_BEST_UPPERCASE        11  0.10   0.55  0.000   0.66265
 95  J_CHICKENPOX_43         10  0.09   0.50  0.000   0.60241
 96  HTML_TITLE_SUBJ_DIFF    10  0.09   0.50  0.000   0.60241
100  RCVD_DOUBLE_IP_LOOSE    10  0.09   0.50  0.000   0.60241

E.g., most of those J_ (chickenpox etc.) rules are scored positively (0.6) and this subset is hitting strictly ham (and no spam).

Reducing (or eliminating) those and considering a boost for things that score correctly like DK_SIGNED

All of my mail is (currently) scoring correctly overall but this seems like a good place to get ahead of false results

Who would have thought HTML_TINY_FONT would hit all HAM for anyone?

Ideas?

--
Herb Martin
Re: new type of spam
Raymond Dijkxhoorn wrote:
> Hi!
>
> You could try:
>
> http://www.rulesemporium.com/rules/70_sare_specific.cf

1) I do use that ruleset, it helps a little, but not that much.

> Catches a lot of the ph*rm spams out there.

2) ph*rm spams aren't the problem. It's porn, not pills we are talking about here.

3) sare's adult ruleset targets porn spam and helps too.

4) URIBL has been working great, but a lot of the first wave goes undetected by it.

I've been combining all of the above with the posted ruleset and bayes. With all of them together I've gotten fairly good results for picking up Leo's latest variants of porn spam.

However, just 1-4 combined with bayes have been rather lackluster at detecting them, with a less than 50% hit rate here at my network. Of course, later re-exams uribl always hits, but it seems to miss a good number of them when they come in.
Re: SA uses all my cpu
Thanks for the advice. I tried using spamd/spamc changing /etc/maildroprc

if ( $SIZE < 26144 )
{
    exception {
        xfilter /usr/bin/spamc
    }
}

and in /etc/init.d/spamassassin

[ -f /usr/bin/spamd -o -f /usr/local/bin/spamd ] || exit 0

But, nothing new happens. What am I doing wrong?

thanks

Matt Kettler wrote:
> Alvaro Graves wrote:
>> Hi, I have a postfix+courier+mysql configuration. Now I'm trying to install spamassassin, but when I start it, uses almost all the cpu. What files should I look ?
>
> SA can be very CPU intensive. If you're seeing excessive CPU load you can take one of several measures.
>
> 1) if you're using spamassassin use spamc/spamd instead. This saves a LOT of per-message overhead.
> 2) change your spamd -m parameter to have fewer children.
> 3) disable bayes (this has accuracy drawbacks, but does save a lot of cpu)
Re: {SPAM} Re: new type of spam
In an older episode (Friday, 30. September 2005 20:56), Matt Kettler wrote:
> Attached is a subset of some porn rules I've been working on. They're experimental, but they seem to work pretty well with fairly low FP rate. They might have some FP cases I haven't noticed yet, so be careful with them, but you might want to try them out.

Thanks, they look promising, one problem tho: after adding them, --lint gives me:

Failed to run meta SpamAssassin tests, skipping some:
syntax error at (eval 64) line 547, near ) {
syntax error at (eval 64) line 634, near ; }

in two different 3.0.4 installations. Maybe you find the problem faster than i could (and want to :)

cheers,
wolfgang
Re: {SPAM} Re: new type of spam
wolfgang wrote:
> In an older episode (Friday, 30. September 2005 20:56), Matt Kettler wrote:
>> Attached is a subset of some porn rules I've been working on. They're experimental, but they seem to work pretty well with fairly low FP rate. They might have some FP cases I haven't noticed yet, so be careful with them, but you might want to try them out.
>
> Thanks, they look promising, one problem tho: after adding them, --lint gives me:
>
> Failed to run meta SpamAssassin tests, skipping some:
> syntax error at (eval 64) line 547, near ) {
> syntax error at (eval 64) line 634, near ; }
>
> in two different 3.0.4 installations. Maybe you find the problem faster than i could (and want to :)
>
> cheers,

Failed to run meta SpamAssassin tests, skipping some:
syntax error at (eval 62) line 830, near ) {
syntax error at (eval 62) line 1288, near ; }

make that 2 of us getting the same error on SA 3.0.4

- dhawal
Re: {SPAM} Re: new type of spam
In an older episode (Friday, 30. September 2005 22:52), wolfgang wrote:
> In an older episode (Friday, 30. September 2005 20:56), Matt Kettler wrote:
>> Attached is a subset of some porn rules I've been working on. They're experimental, but they seem to work pretty well with fairly low FP rate. They might have some FP cases I haven't noticed yet, so be careful with them, but you might want to try them out.
>
> Thanks, they look promising, one problem tho: after adding them, --lint gives me:
>
> Failed to run meta SpamAssassin tests, skipping some:
> syntax error at (eval 64) line 547, near ) {
> syntax error at (eval 64) line 634, near ; }
>
> in two different 3.0.4 installations. Maybe you find the problem faster than i could (and want to :)

I guess i found it: in meta L_P_SON1 there is an additional linebreak before the last ). I removed it and --lint works fine.

cheers,
wolfgang
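A pre-flight check for the kind of defect found in this thread (a meta rule wrapped onto a second line), as an added example that is not part of any post and is not SpamAssassin's own linter. The sample rules are constructed, the keyword sets are an assumed small subset, and the check goes slightly beyond the thread by also flagging undefined sub-rule references and duplicate rule names.

```python
import re

# Constructed sample rules (not the ones posted in this thread). They contain
# a meta rule wrapped onto a second line, a reference to a sub-rule that is
# never defined, and a rule name that is defined twice.
SAMPLE_CF = r"""
body  __T_ALPHA  /\balpha\b/i
body  __T_BETA   /\bbeta\b/i
meta  T_COMBO1   (__T_ALPHA && __T_BETA)
score T_COMBO1   1.0
meta  T_COMBO2   (__T_ALPHA && (__T_BETA || __T_GAMMA)
)
meta  T_COMBO1   (__T_BETA && __T_ALPHA)
"""

# Assumption: a small subset of rule-file keywords, enough for this sample.
DEFINING = {"body", "rawbody", "full", "header", "uri", "meta"}
OTHER = {"score", "describe", "tflags", "priority"}


def check_rules(text):
    """Return sorted (line_number, problem) pairs for a rule file's text."""
    defined = {}    # rule name -> line of its first definition
    metas = []      # (line_number, rule name, boolean expression)
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        keyword = parts[0]
        if keyword in OTHER:
            continue
        if keyword not in DEFINING or len(parts) < 3:
            # Each rule must sit on one line, so a fragment such as a lone
            # ")" is the tail of a rule that was wrapped by an editor or MUA.
            problems.append((lineno, f"stray or incomplete line: {line!r}"))
            continue
        name, rest = parts[1], parts[2]
        if name in defined:
            problems.append((lineno, f"{name}: already defined at line {defined[name]}"))
        else:
            defined[name] = lineno
        if keyword == "meta":
            metas.append((lineno, name, rest))
    for lineno, name, expr in metas:
        if expr.count("(") != expr.count(")"):
            problems.append((lineno, f"{name}: unbalanced parentheses"))
        # Identifiers in a meta expression are names of other rules;
        # numeric literals such as the 3 in "> 3" do not match this pattern.
        for ref in re.findall(r"[A-Za-z_]\w*", expr):
            if ref not in defined:
                problems.append((lineno, f"{name}: undefined rule {ref}"))
    return sorted(problems)


if __name__ == "__main__":
    for lineno, problem in check_rules(SAMPLE_CF):
        print(f"line {lineno}: {problem}")
```

Running --lint, as done in the thread, remains the authoritative check; this only points at the offending line before the rules are installed.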
Re: sa-learn on mailbox or not ?
sasa wrote:
> Matt Kettler wrote:
>> What rules did it hit? There are dozens of possible problems, many of which will show up if you post an X-Spam-Status header from one of the messages.
>
> ..I use SA across amavisd-new, in my header mail I have only X-Virus-Scanned: amavisd-new at mydomain.it and then in log file I have same score 2.923. still thanks.

run the message through spamassassin -t (under the same uid as amavisd) and look at which rules were hit.

also, put the message on a web page and post the url, so that we check it on our configs. you may be missing some custom rules.
Re: SA uses all my cpu
> if ( $SIZE < 26144 ) { exception { xfilter /usr/bin/spamc } }

I think you may have dropped a digit there. 26K is a little small for the filter limit. You probably meant 262K, but there is no particular reason to pick a binary number. 25 would work fine.

Loren