Re: [SARE] rules file updates

2005-10-02 Thread Cami

Robert Menschel wrote:
> Just quick notice that the SARE OBFU rules (70_sare_obfu*.cf) have
> been updated.

Can someone mention what's the difference between:
http://www.rulesemporium.com/rules/70_sare_whitelist.cf
and
http://www.rulesemporium.com/rules/70_sare_whitelist_rcvd.cf

Cami



Re: [SARE] rules file updates

2005-10-02 Thread jdow

From: "Cami" <[EMAIL PROTECTED]>

> Robert Menschel wrote:
>> Just quick notice that the SARE OBFU rules (70_sare_obfu*.cf) have
>> been updated.
>
> Can someone mention what's the difference between:
> http://www.rulesemporium.com/rules/70_sare_whitelist.cf
> and
> http://www.rulesemporium.com/rules/70_sare_whitelist_rcvd.cf


Whitelist appears to be a newer file regardless of what the headers
say. It includes more sites in its whitelist. It appears whitelist_rcvd
is obsolete. It's not mentioned on the SARE Rules page.

{^_^}



spam file ownership

2005-10-02 Thread Obantec Support
Hi

I have SA3.0 on FC3 with spam delivered to $HOME/mail/spam

Quotas enabled for /home where users live & /var where users' mail lives.

Problem is the ownership is $uid.$gid of said user, which means it eats into
the quota of the user if they don't read and delete the spam.

Normal mail is delivered to mbox under a different quota.
/var/spool/mail/$username ($username is the mbox file).

Is there a way to have spam either the uid.gid of webserver (apache.apache)
or some other trick I can perform?

Mark




Re: [SARE] rules file updates

2005-10-02 Thread Loren Wilton
> > Robert Menschel wrote:
> >> Just quick notice that the SARE OBFU rules (70_sare_obfu*.cf) have
> >> been updated.
> >
> > Can someone mention what's the difference between:
> > http://www.rulesemporium.com/rules/70_sare_whitelist.cf
> > and
> > http://www.rulesemporium.com/rules/70_sare_whitelist_rcvd.cf
>
> Whitelist appears to be a newer file regardless of what the headers
> say. It includes more sites in its whitelist. It appears whitelist_rcvd
> is obsolete. It's not mentioned on the SARE Rules page.

These were announced on the list about a week ago.  Whitelist_from_rcvd.cf
is NEW file.

Loren



Re: [SARE] rules file updates

2005-10-02 Thread Cami

Loren Wilton wrote:
>>> Robert Menschel wrote:
>>>> Just quick notice that the SARE OBFU rules (70_sare_obfu*.cf) have
>>>> been updated.
>>>
>>> Can someone mention what's the difference between:
>>> http://www.rulesemporium.com/rules/70_sare_whitelist.cf
>>> and
>>> http://www.rulesemporium.com/rules/70_sare_whitelist_rcvd.cf
>>
>> Whitelist appears to be a newer file regardless of what the headers
>> say. It includes more sites in its whitelist. It appears whitelist_rcvd
>> is obsolete. It's not mentioned on the SARE Rules page.
>
> These were announced on the list about a week ago.  Whitelist_from_rcvd.cf
> is NEW file.


Great. Shouldn't the old one be removed?

Cami


Re: [SARE] rules file updates

2005-10-02 Thread Loren Wilton
> >>Whitelist appears to be a newer file regardless of what the headers
> >>say. It includes more sites in its whitelist. It appears whitelist_rcvd
> >>is obsolete. It's not mentioned on the SARE Rules page.
> >
> > These were announced on the list about a week ago.  Whitelist_from_rcvd.cf
> > is NEW file.
>
> Great. Shouldn't the old one be removed?

No.  Whitelist_from_rcvd is 3.10 ONLY.  It tightens up some of the whitelist
rules by using syntax (or maybe a plugin, I forget) that is only available in
3.1.  As best I recall, most of the normal whitelist is still applicable to
3.1 systems, and is the only one useable on 3.0.x and previous.

Loren



Re: [SARE] rules file updates

2005-10-02 Thread jdow

From: "Loren Wilton" <[EMAIL PROTECTED]>


>>> Robert Menschel wrote:
>>>> Just quick notice that the SARE OBFU rules (70_sare_obfu*.cf) have
>>>> been updated.
>>>
>>> Can someone mention what's the difference between:
>>> http://www.rulesemporium.com/rules/70_sare_whitelist.cf
>>> and
>>> http://www.rulesemporium.com/rules/70_sare_whitelist_rcvd.cf
>>
>> Whitelist appears to be a newer file regardless of what the headers
>> say. It includes more sites in its whitelist. It appears whitelist_rcvd
>> is obsolete. It's not mentioned on the SARE Rules page.
>
> These were announced on the list about a week ago.  Whitelist_from_rcvd.cf
> is NEW file.


I see it in the fine print. (That Rules page is getting hard to read.)

===8<---
70_sare_whitelist.cf and derivatives
Description:  Whitelist directives used to whitelist newsletters and
 mailing lists that are controlled/monitored to be free
 of spam, but might occasionally be flagged as spam by
 SpamAssassin because of "spammy" contents.
Created by:  Bob Menschel, [EMAIL PROTECTED]
License Type:  Artistic/GPL dual
Status:  Active *
Last update:  2005-09-24
Version:  01.00.06
Auto-update:  Yes
RDJ usage:  add "SARE_WHITELIST", "SARE_WHITELIST_SPF",
   "SARE_WHITELIST_RCVD", or "SARE_WHITELIST_PRE30"
   to TRUSTED_RULESETS (more info).
Available at:  http://www.rulesemporium.com/rules/70_sare_whitelist.cf.
   This file is suitable for use by SpamAssassin version
   3.0.x, or 3.1.0 or higher without network tests.

  http://www.rulesemporium.com/rules/70_sare_whitelist_rcvd.cf
  and
  http://www.rulesemporium.com/rules/70_sare_whitelist_spf.cf.
   These two files (new with version 01.00.06) are intended
   for SpamAssassin version 3.1.0 or higher, with network and
   SPF tests enabled. Any whitelist which can be validated
   using SPF will be found in whitelist_spf.cf, and the
   remainder are in whitelist_rcvd.cf.

 Systems older than 3.1.0 and systems without network tests or
 without SPF modules cannot use whitelist_spf.cf, and
 therefore should use the primary file above.

 http://www.rulesemporium.com/rules/70_sare_whitelist_pre30.cf.
  The primary file (listed first above) includes in-line
  commenting which is valid in SpamAssassin 3.0.0 and newer,
  but wasn't valid in versions 2.5x or 2.6x. Systems with
  versions of SpamAssassin older than 3.0.0 should instead
  use this version of the file, which has those comment
  lines removed.

Note:  Please read the internal documentation. Note that since this
  file contains whitelist_from_rcvd directives, and not regex-based
  rules, this file or extracts from it could be used within an
  individual's user_prefs file. Please send recommendations or
  complaints to Bob Menschel, [EMAIL PROTECTED]
Sample Results:  Not available (have not been able to figure out how to
mass-check whitelist rules).

===8<---

{^_^} 





Re: best practise on learning spam

2005-10-02 Thread Michael Monnerie
On Friday, 30 September 2005 23:36 mouss wrote:
>>I have an IMAP folder with 1500 spams. I convert it to a mbox format
> why? 
>     sa-learn --spam $dir
> works

sa-learn does not report to the online databases dcc/pyzor/razor.

If you refer to sa-learn against IMAP: How to do it with cyrus? How to 
do it from a remote server? As that script should be running on a lot 
of servers (with different layout), it should be generic enough to be 
used very simply.

Regards, zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   "lynx -source http://zmi.at/zmi2.asc | gpg --import"
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




Some rule files' PGP signatures are reported as "bad"

2005-10-02 Thread Ralph Seichter

Hi,

first I want to thank you for keeping up all the good work and
updating the rule files. Unfortunately, some of the PGP signatures
don't seem to match their rule files (i.e. 70_sare_genlsubj.cf.sig,
70_sare_header.cf.sig), and Matt's Key 0x1129F0D3 used for signing
evilnumbers.cf has expired.

Could you please check/renew the signatures? Thanks.

--
Kind regards / Sincerely
Dipl. Inform. Ralph Seichter



Re: SA tags above header info

2005-10-02 Thread Chris
On Saturday 01 October 2005 11:34 pm, JamesDR wrote:
> Chris wrote:
> > On Saturday 01 October 2005 09:34 pm, JamesDR wrote:
> >>Chris wrote:
> >>>I may have missed a thread on this but is there a reason that SA is
> >>> now placing its tags above the headers:
> >>>
> >>>X-Spam-Virus: No
> >>> X-Spam-Seen: Tokens 251
> >>> X-Spam-New: Tokens 446
> >>> X-Spam-Remote: Host localhost.localdomain
> >>> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
> >>
> >>[snip]
> >>
> >>Yes, 3.1.0 now places sa headers on the top, this is a feature for
> >>DomainKeys: per thread "ANNOUNCE: SpamAssassin 3.1.0 available!"
> >>2005-9-14:
> >>
> >>- modify header ordering for DomainKeys compatibility, by placing
> >> markup headers at the top of the message instead at the bottom of the
> >> list.
> >>
> >>HTH
> >
> > Thanks James and I've got that msg still in my SATalk folder too.  I
> > just referred to it and saw also the answer to my other question.
> > --lint works fine now.
> >
> > Thanks
>
> Glad I could help Chris.
>
> Jdow:
> That's the single reason I can't upgrade yet (the mail server adds
> headers there and expects them to be there. Will have to mod my tool to
> put these other headers that the mail server needs where it expects them
> back, not a big deal just time :-D)... It would be nice if there was a
> conf switch of sorts that you could turn off that feature with... I
> don't have any interest in DomainKeys.

Something is very odd then, I have the domainkeys plugin commented out.  
Tags in ham are placed above the header info while tags for spam are placed 
in the usual place.  One other question, what/where is the --max-clients 
setting?  I've observed an error telling me it needs to be set higher, 
however, man spamd doesn't seem to contain a setting for that, or, is it 
somewhere else?

Thanks

-- 
Chris
Registered Linux User 283774 http://counter.li.org
08:45:03 up 21 days, 20:57, 1 user, load average: 0.41, 0.40, 0.36
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~
Vulcans do not approve of violence.
-- Spock, "Journey to Babel", stardate 3842.4
~~


Other spamd errors

2005-10-02 Thread Chris
I'm seeing this spamd error now in my syslog and I haven't a clue as to what 
it means.  Could someone possibly assist?

Oct  2 13:08:47 cpollock spamd[28098]: prefork: child states: BI
Oct  2 13:08:48 cpollock spamd[28098]: spamd: handled cleanup of child pid 30717 due to SIGCHLD
Oct  2 13:08:48 cpollock spamd[28098]: prefork: select returned error on server filehandle:
Oct  2 13:08:48 cpollock spamd[28098]: spamd: server successfully spawned child process, pid 712
Oct  2 13:08:48 cpollock spamd[28098]: prefork: child states: II

-- 
Chris
Registered Linux User 283774 http://counter.li.org
14:55:08 up 22 days, 3:07, 1 user, load average: 0.49, 0.26, 0.19
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~
Because we don't think about future generations, they will never forget us.
-- Henrik Tikkanen
~~


Re: SA tags above header info

2005-10-02 Thread JamesDR

Chris wrote:

[snip]

> Something is very odd then, I have the domainkeys plugin commented out.
> Tags in ham are placed above the header info while tags for spam are placed
> in the usual place.  One other question, what/where is the --max-clients
> setting?  I've observed an error telling me it needs to be set higher,
> however, man spamd doesn't seem to contain a setting for that, or, is it
> somewhere else?
>
> Thanks



I have the same thing (DK plugin is commented out.)

Hmm, I don't see anything either about --max-clients, you might try
increasing --max-spare or -m (--max-children), this should give you more
available 'connections', but watch mem usage etc. These are all in the
man spamd page.


HTH

--
Thanks,
JamesDR


Re: SA tags above header info

2005-10-02 Thread Daryl C. W. O'Shea

Chris wrote:
> Something is very odd then, I have the domainkeys plugin commented out.

Whether or not you're using the DomainKeys plugin makes no difference
regarding header placement.

> Tags in ham are placed above the header info while tags for spam are placed
> in the usual place.

It'll appear this way when using report safe since the only received
header present is the one generated by SpamAssassin.

When not using report safe the X-Spam headers will be in the same place
for both ham and spam.

> One other question, what/where is the --max-clients
> setting?  I've observed an error telling me it needs to be set higher,
> however, man spamd doesn't seem to contain a setting for that, or, is it
> somewhere else?


The option was renamed in 3.1 to reflect what it actually controls. 
It's now called --max-children.  You can use -m for --max-children (just 
like you could use -m for --max-clients before).  We missed updating the 
debug message.  It'll be fixed in 3.1.1.



Daryl



Re: Other spamd errors

2005-10-02 Thread Daryl C. W. O'Shea

Chris wrote:
> I'm seeing this spamd error now in my syslog and I haven't a clue as to what
> it means.  Could someone possibly assist?
>
> Oct  2 13:08:47 cpollock spamd[28098]: prefork: child states: BI
> Oct  2 13:08:48 cpollock spamd[28098]: spamd: handled cleanup of child pid 30717 due to SIGCHLD
> Oct  2 13:08:48 cpollock spamd[28098]: prefork: select returned error on server filehandle:
> Oct  2 13:08:48 cpollock spamd[28098]: spamd: server successfully spawned child process, pid 712
> Oct  2 13:08:48 cpollock spamd[28098]: prefork: child states: II


You'll see this every 200 messages per child (or whatever # you've set 
--max-con-per-child to) when a child is respawned.  It's normal.


Daryl




Re: Other spamd errors

2005-10-02 Thread Chris
On Sunday 02 October 2005 04:30 pm, Daryl C. W. O'Shea wrote:
> Chris wrote:

> > Oct  2 13:08:48 cpollock spamd[28098]: prefork: select returned error
> > on server filehandle:
> > Oct  2 13:08:48 cpollock spamd[28098]: spamd: server successfully
> > spawned child process, pid 712
> > Oct  2 13:08:48 cpollock spamd[28098]: prefork: child states: II
>
> You'll see this every 200 messages per child (or whatever # you've set
> --max-con-per-child to) when a child is respawned.  It's normal.
>
> Daryl

Thanks Daryl for this and the info on the tags placement.  I hate being a 
PITA but I've another question regarding Razor checks:

 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]

Why are there so many Razor tags?  I can see that there are two different 
engines being used, but if I remember correctly in 3.0.4 there would only 
be one tag for Razor.  I'd imagine that since I have this in my local.cf
use_razor2  1
that would account for one of the tags?  I assume that this can be removed 
or commented out, since it's now a plugin?  If so, would that also apply to 
the use pyzor and DCC in my local.cf?

-- 
Chris
Registered Linux User 283774 http://counter.li.org
17:44:45 up 22 days, 5:57, 1 user, load average: 0.39, 0.42, 0.31
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk



Re: Some rule files' PGP signatures are reported as "bad"

2005-10-02 Thread Robert Menschel
Hello Ralph,

Sunday, October 2, 2005, 5:37:59 AM, you wrote:

RS> first I want to thank you for keeping up all the good work and
RS> updating the rule files. Unfortunately, some of the PGP signatures
RS> don't seem to match their rule files (i.e. 70_sare_genlsubj.cf.sig,
RS> 70_sare_header.cf.sig), and Matt's Key 0x1129F0D3 used for signing
RS> evilnumbers.cf has expired.

RS> Could you please check/renew the signatures? Thanks.

Done.  New signature files should be in distribution within the hour.

Bob Menschel
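
The two failure modes Ralph reports (a signature that does not match its rule file, and a signing key that has expired) can be told apart mechanically. The following is an added example, not part of the original thread or of SARE's tooling: a shell helper that checks a rule file against its detached `.sig` and classifies the result from GnuPG's `--status-fd` output. The script name, verdict strings and sample status lines are constructed; it assumes the signer's public key is already in the local keyring.

```shell
#!/bin/sh
# Added example (hypothetical verify_rules.sh): verify downloaded rule files
# against their detached signatures before installing them.

# classify_status: read `gpg --status-fd 1` output on stdin, print one verdict.
# BADSIG means the file does not match the signature; EXPKEYSIG means the
# signature matches but the signing key has expired.
classify_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG"    { v = "bad-signature"; exit }
        $2 == "ERRSIG" || $2 == "NO_PUBKEY" { if (!v) v = "cannot-check" }
        $2 == "EXPKEYSIG" { if (!v) v = "expired-key" }
        $2 == "REVKEYSIG" { if (!v) v = "revoked-key" }
        $2 == "EXPSIG"    { if (!v) v = "expired-signature" }
        $2 == "GOODSIG"   { if (!v) v = "good" }
        END { print (v ? v : "no-signature-data") }
    '
}

# verify_rule FILE: check FILE against FILE.sig and print "FILE: verdict".
# Returns 0 only for a good signature, so a caller can refuse to install.
verify_rule() {
    verdict=$(gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
              classify_status)
    printf '%s: %s\n' "$1" "$verdict"
    [ "$verdict" = "good" ]
}

# Constructed status samples (key ID and signer name are made up).
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Constructed Signer'
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Constructed Signer'

# Usage: sh verify_rules.sh 70_sare_genlsubj.cf 70_sare_header.cf
rc=0
for f in "$@"; do verify_rule "$f" || rc=1; done
[ "$rc" -eq 0 ]
```

Only a `good` verdict should let a rule file into the SpamAssassin rules directory; `expired-key` needs a renewed key from the signer, while `bad-signature` means the file or its `.sig` should be fetched again.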