Re: DK_SIGNED from yahoo

[List]

I upgraded to 3.1.0 (from 3.0.4) and enabled the Domainkeys plugin.
I patched it with the patch in the bugzilla #4623
(http://issues.apache.org/SpamAssassin/attachment.cgi?id=3210) as I am
using Mail::DomainKeys 0.80.


How do I patch DK using that patch? What commands?

Re: OK guys - why did this one get through.

[Chris]

On Monday 31 October 2005 04:22 pm, jdow wrote:
> ===8<---
> Status:  U
> Return-Path: <[EMAIL PROTECTED]>
> Received: from smtp.earthlink.net [209.86.93.209]
>  by localhost with POP3 (fetchmail-6.2.5)
>  for [EMAIL PROTECTED] (single-drop); Mon, 31 Oct 2005 03:55:59
> -0800 (PST) Received: from mail19a.g19.rapidsite.net ([204.202.242.24])
>  by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
> 1ewyfT2wu3Nl3490 for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 06:55:12
> -0500 (EST) Received: from mx15.stngva01.us.mxservers.net
> (204.202.242.101)
>  by mail19a.g19.rapidsite.net (RS ver 1.0.95vs) with SMTP id 2-0924379712
>  for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
> Received: from www.pattersonbunweb.com [207.56.100.245] (EHLO
> pattersonbunweb.com) by mx15.stngva01.us.mxservers.net
> (mxl_mta-1.3.8-10p4) with ESMTP id
> 02606634.9450.122.mx15.stngva01.us.mxservers.net;
>  Mon, 31 Oct 2005 06:55:12 -0500 (EST)
> Received: (from [EMAIL PROTECTED])
>  by pattersonbunweb.com (8.12.11/8.12.9/Submit) id j9VBtCbU052029;
>  Mon, 31 Oct 2005 06:55:12 -0500 (EST)
>  (envelope-from patt12)
> Date: Mon, 31 Oct 2005 06:55:12 -0500 (EST)
> Message-Id: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: E-Mail ID #356042  PayPal Security Notification of Limited
> Account Access [28 Oct 2005 15:36:12 +0400]
> Content-Type: text/html; charset=us-ascii
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Reply-to: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Content-Transfer-Encoding: 7bit
> X-Accept-Language: en-us, en
X-Spam-Flag: YES
X-Spam: [F=0.9837704442; heur=0.746(2900); stat=0.481;
spamtraq-heur=0.956(2005103001)] X-MAIL-FROM:
> <[EMAIL PROTECTED]>
> X-SOURCE-IP: [207.56.100.245]
> X-Loop-Detect:1
> X-DistLoop-Detect:1
> X-ELNK-AV: 0
> X-NKVIR: Scanned
> ===8<---
> (The "X-MAIL-FROM:" header seems like an obvious tool. However some of
> the SARE rules probably should have triggered and didn't. These rule SARE
> sets nominally hit paypal spam:
> 70_sare_genlsubj1.cf
> 70_sare_header.cf
> 70_sare_spoof.cf<-- this one really should have caught it.
>
> {^_^}

Where did the X-Spam-Flag: YES tag come from? I'm not much good on this but 
could it be since it already had a flag that it was skipped by SA?

-- 
Chris
Registered Linux User 283774 http://counter.li.org
20:35:58 up 25 days, 57 min, 3 users, load average: 0.42, 2.08, 2.39
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~
Honi soit la vache qui rit.
~~

Re: Finally upgraded

[Chris]

On Monday 31 October 2005 12:41 pm, [EMAIL PROTECTED] wrote:
> I might add that im not totally opposed to dumping bayes info and
> starting fresh...would that be an easier solution?
>
>
>
> on 10/31/05 1:26 PM, [EMAIL PROTECTED] at
>
The below is from the 3.1 upgrade text. I upgrade via CPAN also, however, I 
also download the source file and read the upgrade docs, etc.. before 
upgrading.

Due to the database format change, you will want to do something like
  this when upgrading:

  - stop running spamassassin/spamd (ie: you don't want it to be running
during the upgrade)
  - run "sa-learn --rebuild", this will sync your journal.  if you skip
this step, any data from the journal will be lost when the DB is
upgraded.
  - upgrade SA to 3.0.0
  - run "sa-learn --sync", which will cause the db format to be upgraded.
if you want to see what is going on, you can add the "-D" option.
  - test the new database by running some sample mails through
SpamAssassin, and/or at least running "sa-learn --dump" to make sure
the data looks valid.
  - start running spamassassin/spamd again

  If, instead of uprading your Bayes database, you want to wipe it and
  start fresh, you can run "sa-learn --clear" to safely remove your
  Bayes database files.  If the --clear command issues an error then
  you can simply delete the Bayes database files ("bayes_*") while SA
  is not running; SpamAssassin will recreate them in the current
  format when it runs.

HTH

-- 
Chris
Registered Linux User 283774 http://counter.li.org
20:27:16 up 25 days, 49 min, 3 users, load average: 5.90, 4.53, 2.65
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~
Every kind action has a not-so-kind reaction
-- Murphy's Love Laws n°8
~~

Re: Problem with 70_sare_header.cf 01.03.16

[Ed Kasky]

At 06:14 PM Monday, 10/31/2005, Doc Schneider wrote -=>

Ed Kasky wrote:

When running rdj, I get the following:
Ruleset for header abuse (sets 0-3) has changed on yoda2.
Version line: # Version:  01.03.16
***WARNING***: spamassassin --lint failed.
Lint output: [25934] warn: config: warning: description exists for 
non-existent rule SARE_HEAD_DATE_LONG1
[25934] warn: config: warning: score set for non-existent rule 
SARE_HEAD_DATE_LONG1

I checked the file and found that there was a slight typo (I think):
header__SARE_HEAD_DATE_L1a Date =~ /.{50}/
header__SARE_HEAD_DATE_L1b Date =~ /added by/
meta  SARE_HEAD_DATE_LONG1a__SARE_HEAD_DATE_L1a && 
!__SARE_HEAD_DATE_L1b

describe  SARE_HEAD_DATE_LONG1 Date header has interesting length
score SARE_HEAD_DATE_LONG1 -0.500
tflagsSARE_HEAD_DATE_LONG1 nice
I changed the meta line to:
meta  SARE_HEAD_DATE_LONG1__SARE_HEAD_DATE_L1a && 
!__SARE_HEAD_DATE_L1b
and it seems to have fixed it.  I sent an email to the current 
maintainer, Bob Menschel but thought I had better post it here as well 
just in case.

Ed Kasky


Ed,

You need to re-download this rule set. I believe this was fixed last 
yesterday.


Doc,

Done - thanks

Ed
~
Randomly Generated Quote (145 of 489):
"No man is above the law and no man is below it; nor do we ask any
man's permission when we require him to obey it. Obedience to the
law is demanded as a right; not asked as a favor."
   --Theodore Roosevelt

Re: Problem with 70_sare_header.cf 01.03.16

[Doc Schneider]

Ed Kasky wrote:

When running rdj, I get the following:

Ruleset for header abuse (sets 0-3) has changed on yoda2.
Version line: # Version:  01.03.16

***WARNING***: spamassassin --lint failed.

Lint output: [25934] warn: config: warning: description exists for 
non-existent rule SARE_HEAD_DATE_LONG1
[25934] warn: config: warning: score set for non-existent rule 
SARE_HEAD_DATE_LONG1


I checked the file and found that there was a slight typo (I think):
header__SARE_HEAD_DATE_L1a Date =~ /.{50}/
header__SARE_HEAD_DATE_L1b Date =~ /added by/
meta  SARE_HEAD_DATE_LONG1a__SARE_HEAD_DATE_L1a && 
!__SARE_HEAD_DATE_L1b

describe  SARE_HEAD_DATE_LONG1 Date header has interesting length
score SARE_HEAD_DATE_LONG1 -0.500
tflagsSARE_HEAD_DATE_LONG1 nice

I changed the meta line to:

meta  SARE_HEAD_DATE_LONG1__SARE_HEAD_DATE_L1a && 
!__SARE_HEAD_DATE_L1b


and it seems to have fixed it.  I sent an email to the current 
maintainer, Bob Menschel but thought I had better post it here as well 
just in case.


Ed Kasky


Ed,

You need to re-download this rule set. I believe this was fixed last 
yesterday.


-Doc (SARE -- Ninja)

Re: DK_SIGNED from yahoo

[Chris]

On Monday 31 October 2005 12:04 pm, Raul Dias wrote:
> Hi,
>
> I upgraded to 3.1.0 (from 3.0.4) and enabled the Domainkeys plugin.
> I patched it with the patch in the bugzilla #4623
> (http://issues.apache.org/SpamAssassin/attachment.cgi?id=3210) as I am
> using Mail::DomainKeys 0.80.
>
> Testing against mail from groups.yahoo.com, I get DK_SIGNED, but not
> DK_VERIFIED as I was expecting (even more as yahoo created domain keys).
>
> Can anyone enlight me?
> Is this what you are getting too?
> Are you getting DK_VERIFIED?
> Why?
>
> Here is a sample message that got DK_SIGNED only:
>
Here are the headers of a message I sent myself from my yahoo account, all 
the domain key tests seem to be there or did I misunderstand your problem?

X-Spam-Virus: No
 X-Spam-Seen: Tokens 71
 X-Spam-New: Tokens 94
 X-Spam-Remote: Host localhost.localdomain
 X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on 
cpollock.localdomain
 X-Spam-Hammy: Tokens 26
 X-Spam-Status: No, score=1.3 required=5.0 
tests=BAYES_00,DK_POLICY_SIGNSOME,
DK_POLICY_TESTING,DK_SIGNED,DK_VERIFIED,DNS_FROM_RFC_ABUSE,
PYZOR_CHECK autolearn=disabled version=3.1.0
 X-Spam-Spammy: Tokens 1
 X-Spam-Pyzor: Reported 0 times.
 X-Spam-Token: Summary Tokens: new, 23; hammy, 26; neutral, 44; spammy, 1.
 X-Spam-DCC: dcc.uncw.edu cpollock.localdomain 1201; Body=1 Fuz1=1 Fuz2=1
 X-Spam-Untrusted: Relays [ ip=206.190.38.139 rdns=web51008.mail.yahoo.com 
helo=web51008.mail.yahoo.com by=mx-pigeons.atl.sa.earthlink.net 
ident= envfrom= intl=0 id=1ewJEW2sl3Nl34g0 auth= ] 
[ ip=69.68.226.102 
rdns= helo= by=web51008.mail.yahoo.com ident= envfrom= intl=0 id= 
auth= ]
 X-Spam-Level: *
 X-Spam-RBL: Results  [127.0.0.4]
 [66.94.234.13, 216.109.112.135]
 [1 mx1.mail.yahoo.com., 1 
mx2.mail.yahoo.com., 1 mx3.mail.yahoo.com., 5 mx4.mail.yahoo.com.]
 Status: U
 Return-Path: <[EMAIL PROTECTED]>
 Received: from pop.earthlink.net [209.86.93.201]
by localhost with POP3 (fetchmail-6.2.5)
for [EMAIL PROTECTED] (single-drop); Mon, 31 Oct 2005 18:06:00 
-0600 (CST)
 Received: from web51008.mail.yahoo.com ([206.190.38.139])
by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP 
id 1ewJEW2sl3Nl34g0
for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 19:05:50 -0500 (EST)
 Received: (qmail 44317 invoked by uid 60001); 1 Nov 2005 00:05:49 -
 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;

-- 
Chris
Registered Linux User 283774 http://counter.li.org
19:01:05 up 24 days, 23:23, 1 user, load average: 0.48, 0.36, 0.30
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~
Love at first sight is one of the greatest labor-saving devices the
world has ever seen.
~~

Problem with 70_sare_header.cf 01.03.16

[Ed Kasky]

When running rdj, I get the following:

Ruleset for header abuse (sets 0-3) has changed on yoda2.
Version line: # Version:  01.03.16

***WARNING***: spamassassin --lint failed.

Lint output: [25934] warn: config: warning: description exists for 
non-existent rule SARE_HEAD_DATE_LONG1
[25934] warn: config: warning: score set for non-existent rule 
SARE_HEAD_DATE_LONG1


I checked the file and found that there was a slight typo (I think):
header__SARE_HEAD_DATE_L1a Date =~ /.{50}/
header__SARE_HEAD_DATE_L1b Date =~ /added by/
meta  SARE_HEAD_DATE_LONG1a__SARE_HEAD_DATE_L1a && 
!__SARE_HEAD_DATE_L1b

describe  SARE_HEAD_DATE_LONG1 Date header has interesting length
score SARE_HEAD_DATE_LONG1 -0.500
tflagsSARE_HEAD_DATE_LONG1 nice

I changed the meta line to:

meta  SARE_HEAD_DATE_LONG1__SARE_HEAD_DATE_L1a && !__SARE_HEAD_DATE_L1b

and it seems to have fixed it.  I sent an email to the current maintainer, 
Bob Menschel but thought I had better post it here as well just in case.


Ed Kasky
~
Randomly Generated Quote (169 of 489):
"Sometimes one pays most for the things one gets for nothing."
-- Albert Einstein

be.surbl.org to be decommissioned

[Jeff Chan]

The data in be.surbl.org, originally from Chris Santerre's
BigEvil SpamAssassin ruleset, is stale and has been superceded by
ws.surbl.org for a long time now, so we will be shutting down DNS
service for it in one month, at the end of November.

Please update your configurations to use multi.surbl.org
(strongly preferred) or ws.surbl.org instead.

  http://www.surbl.org/lists.html

This change should only be necessary for folks who manually
configured their applications to use be.surbl.org.  Default
installations of SpamAssassin and other SURBL-using applications
should be using multi and the appropriately encoded lists
already.

Cheers,

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/

SURBL: New SC data live, new data engine also

[Jeff Chan]

We have made the experimental SC2 data into the production SC
list.  The new version has been tested to catch about 10% more
spam than the old version with no significant increase in false
positives.

Along with this change is the use of a new data engine which has
a shorter cycle time of 5 minutes, and a cleaner, more uniform
design and handling of data.  This should reduce the overall
latency of new additions to the lists by many minutes.

Other resulting changes which may be of minor interest:

1.  The list of lists hit for a given TXT record are now in
alphabetical order, e.g.:

  Blocked, a-pill-MUNGED.com on lists [ab][jp][ob][sc][ws], See: 
http://www.surbl.org/lists.html

where before they were in bitmask or historical order.

2.  Everyone should be using multi.surbl.org now and not the
individual lists, but the zone file serial numbers are now
synchronized so that multi will have the same serial number as
the most recently updated lists, e.g.:

  ab.surbl.orgob.surbl.orgsc.surbl.orgws.surbl.org
multi.surbl.org
  1130799782  1130801582  1130799782  1130797982  1130801582

where ob was the only list updated in the most recent cycle
above, so ob and multi have the same serial number.  In a
previous cycle, ab and sc were both updated at Unix (C) time
1130799782 and multi then would have shared that serial number,
etc.

Follow-ups, questions, comments, etc. to discuss@ lists.surbl.org

Cheers,

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/

Re: aim.com

[Doc Schneider]

jdow wrote:

What's with the unreadable messages that seem to come from this
service. A fellow on the FC4 list is posting messages from his
account at aim.com (AOL) that feature a signature and a walking
man icon but nothing other than quoted content. (I've just given
the entire aim.com host a score of 4.9 (not five for purists
out there) since they just seem to be annoying empty message spam.)

{^_^}


Yeah I'm also on that list and he is annoying, to say the least. But I'm 
using Thunderbird and it is set not to display remote graphics!


I've thought about writing that list-owner and have them remove him for 
spamming! 8*)))


-Doc

aim.com

[jdow]

What's with the unreadable messages that seem to come from this
service. A fellow on the FC4 list is posting messages from his
account at aim.com (AOL) that feature a signature and a walking
man icon but nothing other than quoted content. (I've just given
the entire aim.com host a score of 4.9 (not five for purists
out there) since they just seem to be annoying empty message spam.)

{^_^}

OK guys - why did this one get through.

[jdow]

===8<---
Status:  U
Return-Path: <[EMAIL PROTECTED]>
Received: from smtp.earthlink.net [209.86.93.209]
by localhost with POP3 (fetchmail-6.2.5)
for [EMAIL PROTECTED] (single-drop); Mon, 31 Oct 2005 03:55:59 -0800 (PST)
Received: from mail19a.g19.rapidsite.net ([204.202.242.24])
by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 
1ewyfT2wu3Nl3490
for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: from mx15.stngva01.us.mxservers.net (204.202.242.101)
by mail19a.g19.rapidsite.net (RS ver 1.0.95vs) with SMTP id 2-0924379712
for <[EMAIL PROTECTED]>; Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: from www.pattersonbunweb.com [207.56.100.245] (EHLO 
pattersonbunweb.com)
by mx15.stngva01.us.mxservers.net (mxl_mta-1.3.8-10p4) with ESMTP id 
02606634.9450.122.mx15.stngva01.us.mxservers.net;

Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Received: (from [EMAIL PROTECTED])
by pattersonbunweb.com (8.12.11/8.12.9/Submit) id j9VBtCbU052029;
Mon, 31 Oct 2005 06:55:12 -0500 (EST)
(envelope-from patt12)
Date: Mon, 31 Oct 2005 06:55:12 -0500 (EST)
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: E-Mail ID #356042  PayPal Security Notification of Limited Account Access [28 Oct 
2005 15:36:12 +0400]

Content-Type: text/html; charset=us-ascii
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Reply-to: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Content-Transfer-Encoding: 7bit
X-Accept-Language: en-us, en
X-Spam-Flag: YES
X-Spam: [F=0.9837704442; heur=0.746(2900); stat=0.481; 
spamtraq-heur=0.956(2005103001)]
X-MAIL-FROM: <[EMAIL PROTECTED]>
X-SOURCE-IP: [207.56.100.245]
X-Loop-Detect:1
X-DistLoop-Detect:1
X-ELNK-AV: 0
X-NKVIR: Scanned
===8<---
(The "X-MAIL-FROM:" header seems like an obvious tool. However some of the
SARE rules probably should have triggered and didn't. These rule SARE sets
nominally hit paypal spam:
70_sare_genlsubj1.cf
70_sare_header.cf
70_sare_spoof.cf<-- this one really should have caught it.

{^_^} 

RE: Spam being delivered

[Robert Bartlett]

Im using maildrop for that I believe. On a side note would you recommend I
use Amavis instead of maildrop?

Robert

-Original Message-
From: Loren Wilton [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 31, 2005 1:35 PM
To: users@spamassassin.apache.org
Subject: Re: Spam being delivered

> Running SA 3.01 on Fedora Core 2 with Qmail. The problem is recently Im
> showing emails getting delivered to mailbox with the ***SPAM*** in the
> title, yet the rules state if the email is spam it shouldn't be delivered
to

"delivery" isn't SA's business, "scoring" is.  So it is Qmail that isn't
doing the routing right for some reason.

Loren

Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention

[mouss]

Loren Wilton a écrit :


I've written a number of rules to check for this, so have others.  Yes, it
will catch some of the phish.

Unfortunately it also catches just an amazing amount of legit mail.  I think
the last statistics were something like 50/50, or maybe even heavier on the
ham side.  It just doesn't seem to occur to anyone writing html that there
should be an actual relationship between the real url and the displayed url.

Even checking for http://dotquad";>https://mybank.com will get
hits on an amazing quantity of ham.

 


on the other hand, I sometimes see things like:
   You have new mail on href="http://hacker.example";>http://www.free.fr
for one, I don't use webmail, and more importantly, www.free.fr isn't 
the webmail url. the "silly" spammer is just adding www to my email 
domain. now even this may cause FPs I guess.

Re: Spam being delivered

[Loren Wilton]

> Running SA 3.01 on Fedora Core 2 with Qmail. The problem is recently Im
> showing emails getting delivered to mailbox with the ***SPAM*** in the
> title, yet the rules state if the email is spam it shouldn't be delivered
to

"delivery" isn't SA's business, "scoring" is.  So it is Qmail that isn't
doing the routing right for some reason.

Loren

Re: Spam being delivered

[Andy Jezierski]

"Robert Bartlett" <[EMAIL PROTECTED]>
wrote on 10/31/2005 02:20:43 PM:

> Running SA 3.01 on Fedora Core 2 with Qmail. The problem is recently
Im
> showing emails getting delivered to mailbox with the ***SPAM*** in
the
> title, yet the rules state if the email is spam it shouldn't be delivered
to
> the persons mailbox. The headers even show the score is over the spam
count:
> 6.0/3.0. Any reason why this would be happening? Im running the rules
via a
> MySQL database.
> 
> Thanks
> Robert
> 

Check your QMail setup. Has anything changed there?
 SA has nothing to do with delivery, it just classifies the message
as spam or not spam.

Andy

Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention

[Loren Wilton]

> > > http://hacker.com";>http://legit-bank.com
> > >
> > > On top of my mind, I never saw a situation like this in real
> > > life, except in phish emails.
> >
> to be precise, the rule should only trigger if the text between the  href=> and  parts of the url has a hostname at all, so that an
> url like http://www.spamassassin.org";>click here to ged rid
> of it doesnt trigger it.

I've written a number of rules to check for this, so have others.  Yes, it
will catch some of the phish.

Unfortunately it also catches just an amazing amount of legit mail.  I think
the last statistics were something like 50/50, or maybe even heavier on the
ham side.  It just doesn't seem to occur to anyone writing html that there
should be an actual relationship between the real url and the displayed url.

Even checking for http://dotquad";>https://mybank.com will get
hits on an amazing quantity of ham.

Loren

Spam being delivered

[Robert Bartlett]

Running SA 3.01 on Fedora Core 2 with Qmail. The problem is recently Im
showing emails getting delivered to mailbox with the ***SPAM*** in the
title, yet the rules state if the email is spam it shouldn't be delivered to
the persons mailbox. The headers even show the score is over the spam count:
6.0/3.0. Any reason why this would be happening? Im running the rules via a
MySQL database.

Thanks
Robert

Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention

[mouss]

Mathias Homann a écrit :


and increasing the score on spams hurts WHY?

to be precise, the rule should only trigger if the text between the href=> and  parts of the url has a hostname at all, so that an 
url like http://www.spamassassin.org";>click here to ged rid 
of it doesnt trigger it.
 


doesn't seem easy. The rule should not trigger on these:
   http://www.spamassassin.org";> spamassassin.org
   a url is something like http://en.wikipedia.org/wiki/Url";> 
http://www.domain.example

   http://www.foo.example";>foo.example
   http://www.foo.example";>color=blue>http://www.foo.example

...
but should catch
   http://www.hacker.example";>color=blue>http://www.foo.example


I guess redirectors and tinyurl should be handled by redir rules?

Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention

[Kelson]

[EMAIL PROTECTED] wrote:

http://hacker.com";>http://legit-bank.com

On top of my mind, I never saw a situation like this in real life,
except in phish emails.


I see this all the time in promotional emails (spam, not phish) to track

> clickthrough.

I see it on legit mail too, including a couple of newsletters and, in 
one case, an "item not won" notice from eBay.  Yes, it was legit.  This 
has caused a number of legit messages to trip Thunderbird's new phishing 
filter.


It's a poor practice, and in the case of eBay they seem to do the right 
thing on their other notices (either matching the URL to the text or 
using descriptive link text instead of a hostname), but sad to say there 
*is* legit mail that uses redirectors in this fashion.


So it's worth scoring, but not safe to score too highly or use as 
rejection criteria unless you whitelist the legit senders (or convince 
them to change their ways).


--
Kelson Vibber
SpeedGate Communications 

Re: 3.1.0 upgrade

[Matt Kettler]

Mark Merchant wrote:
> upgraded 3.0.4 to 3.1.0, spamassassin --lint produces:
> 
> [EMAIL PROTECTED] spamassassin]# spamassassin --lint
> [1257] warn: config: SpamAssassin failed to parse line, "/home/bayes/"
> is not valid for "bayes_path", skipping: bayes_path _/home/bayes/

SA is correct, your bayes_path statement is invalid, and always has been.

Read man Mail::SpamAssassin::Conf on bayes_path VERY CAREFULLY.

This MUST NOT end in a directory name.

you probably want /home/bayes/bayes

> [1257] warn: config: failed to parse line, skipping: use_razor2
> 1
> [1257] warn: config: failed to parse line, skipping: use_dcc
> 0

Read the UPGRADE file that came with SA 3.1.0. Razor and DCC are now plugins and
off by default.

> [1257] warn: config: failed to parse, now a plugin, skipping:
> ok_languages   bs bg hr en fr de it ja ru sr es

Ditto, this is textcat.

> [1257] warn: config: warning: score set for non-existent rule
> RAZOR2_CHECK

Again with the razor2 bit.
> [1257] warn: lint: 4 issues detected, please rerun with debug enabled
> for more information
> 
> 
> something has changed with bayes and razor, file permissions maybe???
> 

Re: 3.1.0 upgrade

[JamesDR]

Mark Merchant wrote:

upgraded 3.0.4 to 3.1.0, spamassassin --lint produces:

[EMAIL PROTECTED] spamassassin]# spamassassin --lint
[1257] warn: config: SpamAssassin failed to parse line, "/home/bayes/"
is not valid for "bayes_path", skipping: bayes_path _/home/bayes/
[1257] warn: config: failed to parse line, skipping: use_razor2
1
[1257] warn: config: failed to parse line, skipping: use_dcc
0
[1257] warn: config: failed to parse, now a plugin, skipping:
ok_languages   bs bg hr en fr de it ja ru sr es
[1257] warn: config: warning: score set for non-existent rule
RAZOR2_CHECK
[1257] warn: lint: 4 issues detected, please rerun with debug enabled
for more information


something has changed with bayes and razor, file permissions maybe???




See the docs...
There were changes to where and what some of the config options are.


--
Thanks,
James

3.1.0 upgrade

[Mark Merchant]

upgraded 3.0.4 to 3.1.0, spamassassin --lint produces:

[EMAIL PROTECTED] spamassassin]# spamassassin --lint
[1257] warn: config: SpamAssassin failed to parse line, "/home/bayes/"
is not valid for "bayes_path", skipping: bayes_path _/home/bayes/
[1257] warn: config: failed to parse line, skipping: use_razor2
1
[1257] warn: config: failed to parse line, skipping: use_dcc
0
[1257] warn: config: failed to parse, now a plugin, skipping:
ok_languages   bs bg hr en fr de it ja ru sr es
[1257] warn: config: warning: score set for non-existent rule
RAZOR2_CHECK
[1257] warn: lint: 4 issues detected, please rerun with debug enabled
for more information


something has changed with bayes and razor, file permissions maybe???

Re: Wiki 3.1.0 upgrade page, strange commentary...

[Justin Mason]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


Raul Dias writes:
> On Mon, 2005-10-31 at 11:14 -0500, Matt Kettler wrote:
> > In the 3.1.0 upgrade page on the wiki:
> > http://wiki.apache.org/spamassassin/UpgradeTo310
> [...]
> > Is it true that 3.1.0 is broken as the wiki indicates, or has someone been
> > posting mis-information to the wiki?
> 
> misinformation.
> 
> I checked the archieves and docs, for any reference of this and found
> none before I upgraded.
> 
> The X-Spam.* headers are always present.

I think it's someone using Amavis.  Either way, that page is NOT the 
right place for that commentary, so it's gone.

- --j.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFDZmpxMJF5cimLx9ARAvuJAJ9x4auPuhXvWpe/Q8Kz6FMUhD1sSACgu4G6
QiTTYD/Jzqf7ZmrXBm4t0D0=
=IVLu
-END PGP SIGNATURE-

RE: MySQL server resolution

[Gary W. Smith]

You are thinking to hard on this problem.

You create a MySQL cluster and point local.cf to that.  Restart SA and
it works.  If you pull the plug on the first clustered node the other
one will automatically take over.  That's the purpose of the cluster...
automating the failover.  

host files, crontabs, time.  These are all things that Murphy keeps in
his pocket.

Gary Smith

-Original Message-
From: Marc Perkel [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 31, 2005 10:09 AM
To: users@spamassassin.apache.org
Subject: MySQL server resolution

ok - here's what I'm thinking. I want to be able to switch MySWL servers

should the main server go down.

In my local.cf file I have this:

user_awl_dsn DBI:mysql:spamassassin:bayes

The server "bayes" is defined in my /etc/hosts file. What I'm thinking 
is if that server goes down that I gave a cron job that will redefine 
the bayes entry to point to localhost. So - my question. If I change the

IP address of "bayes" in /etc/hosts do I have to restart spamd or will 
it just start talking to the other server because bayes changed?

Re: Integrity checks in URLs for blocking phishers as anti-phishing prevention

[Mathias Homann]

Am Montag, 31. Oktober 2005 19:33 schrieb [EMAIL PROTECTED]:
> > http://hacker.com";>http://legit-bank.com
> >
> > On top of my mind, I never saw a situation like this in real
> > life, except in phish emails.
>
> I see this all the time in promotional emails (spam, not phish) to
> track clickthrough.

and increasing the score on spams hurts WHY?

to be precise, the rule should only trigger if the text between the  and  parts of the url has a hostname at all, so that an 
url like http://www.spamassassin.org";>click here to ged rid 
of it doesnt trigger it.

bye,
MH
 
-- 
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184  C5F9 B013 44E7 27BD 
763C

Re: Finally upgraded

[[EMAIL PROTECTED]]

I might add that im not totally opposed to dumping bayes info and starting
fresh...would that be an easier solution?



on 10/31/05 1:26 PM, [EMAIL PROTECTED] at
[EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] wrote:
>> Did that, didn't help though.  I only have the one version of
>> sa-learn. 
> 
> You can download the 2.64 version of sa-learn here:
> http://search.cpan.org/~jmason/Mail-SpamAssassin-2.64/


The Help Guy
Nantucket.net
[EMAIL PROTECTED]
www.nantucket.net/help
508-228-6777

Re: Would like to rewrite arbitrary headers

[mouss]

[EMAIL PROTECTED] a écrit :


Greetings, battlers.

I would like to rewrite headers on incoming spam without having SA
prepend "X-Spam-" to them.  Two reasons:

First, I want to get rid of "Disposition-Notification-To" because many
of my users configure their Outlook to automatically honour delivery
notifications.  That creates an outgoing email when they read or
delete a spam message.

Second, I have a set of GroupWise users.  They cannot write rules on
arbitrary headers, such as "X-Spam-Flag".  Instead, they can only
write rules based on a list of headers that Novell have chosen, none
of which begins with "X-Spam-".

Sadly both of these reasons sound lame: daft Outlook users and a daft
Novell application.  However there's nothing I can do about that so
I'm going to hack SA instead.

Does anyone else have similar needs?  Is such a feature already in the
works?

 


you can do this in many places:
- MTA. with postfix, you can use header_checks (after the content filter 
for the x-spam header) and REPLACE or IGNORE

- content filter. you can hack amavisd if you're using it.
- MDA. this is easy with either procmail or maildrop

RE: Integrity checks in URLs for blocking phishers as anti-phishing prevention

[Matthew.van.Eerde]

> http://hacker.com";>http://legit-bank.com
> 
> On top of my mind, I never saw a situation like this in real life,
> except in phish emails.

I see this all the time in promotional emails (spam, not phish) to track 
clickthrough.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer

Re: Wiki 3.1.0 upgrade page, strange commentary...

[Raul Dias]

On Mon, 2005-10-31 at 11:14 -0500, Matt Kettler wrote:
> In the 3.1.0 upgrade page on the wiki:
> http://wiki.apache.org/spamassassin/UpgradeTo310
[...]
> Is it true that 3.1.0 is broken as the wiki indicates, or has someone been
> posting mis-information to the wiki?

misinformation.

I checked the archieves and docs, for any reference of this and found
none before I upgraded.

The X-Spam.* headers are always present.

[]'s
Raul Dias

Integrity checks in URLs for blocking phishers as anti-phishing prevention

[Richard Leroy]

Hi list,

I want to know if there is some sort of integrity checks for a situation
where a URL would be different from the "CAPTION" url, example:

http://hacker.com";>http://legit-bank.com

On top of my mind, I never saw a situation like this in real life,
except in phish emails.

I have also checked the list and I have found a post related to this
question, here at
http://marc.theaimsgroup.com/?l=spamassassin-users&m=109523766204334&w=2
.  But it looks like nobody produced a rule for this.

I also saw a white paper at
www.stanford.edu/~amo/sa-spoofguard/saspoofguard.pdf and it looks like
the check is already included in their plugin, but I want to know if
there is something more mainstream at the moment in the current version
of SpamAssassin.  If not, would it be possible for someone familiar with
SA to include this check?

I use SA 3.0.4, redhat 8.0 and I'm calling spamassassin through amavisd-new.

Thanks.

--
Richard Leroy
[EMAIL PROTECTED]

RE: Finally upgraded

[Matthew.van.Eerde]

[EMAIL PROTECTED] wrote:
> Did that, didn't help though.  I only have the one version of
> sa-learn. 

You can download the 2.64 version of sa-learn here:
http://search.cpan.org/~jmason/Mail-SpamAssassin-2.64/

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer

Re: Finally upgraded

[[EMAIL PROTECTED]]

Did that, didn't help though.  I only have the one version of sa-learn.



on 10/31/05 1:14 PM, [EMAIL PROTECTED] at
[EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] wrote:
>> I finally upgraded from 2.64 to 3.01 using CPAN.
> ...
>> I ran sa-learn --sync
> ...
>> However, I still have the " bayes db  version 2 is not able to be used,
>> aborting" in my logs.  Ive been
> 
> I believe for an upgrade from 2.* to 3.* a simple sa-learn --sync is not
> enough.
> 
> Try:
> 
> sa-learn --backup > some-file
> sa-learn --clear
> sa-learn --restore some-file
> 
> FWIW, when I upgraded, I had to run sa-learn --backup with the 2.* version of
> sa-learn.


The Help Guy
Nantucket.net
[EMAIL PROTECTED]
www.nantucket.net/help
508-228-6777

RE: Finally upgraded

[Matthew.van.Eerde]

[EMAIL PROTECTED] wrote:
> I finally upgraded from 2.64 to 3.01 using CPAN.
...
> I ran sa-learn --sync
...
> However, I still have the " bayes db  version 2 is not able to be used,
> aborting" in my logs.  Ive been

I believe for an upgrade from 2.* to 3.* a simple sa-learn --sync is not enough.

Try:

sa-learn --backup > some-file
sa-learn --clear
sa-learn --restore some-file

FWIW, when I upgraded, I had to run sa-learn --backup with the 2.* version of 
sa-learn.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer

Finally upgraded

[[EMAIL PROTECTED]]

Hello all:

I finally upgraded from 2.64 to 3.01 using CPAN.  I ready the UPGRADE file,
of course.  I made the tweaks of the necessary items using CPAN and my local
conf file.

I ran sa-learn --sync and after removing some old .cf files (like spamcop) I
got it to run clean.  However, I still have the " bayes db version 2 is not
able to be used, aborting" in my logs.  Ive been digging through the list
archives and cant seem to find any more info than ive got

Thanks


[6552] dbg: logger: adding facilities: all
[6552] dbg: logger: logging level is DBG
[6552] dbg: generic: SpamAssassin version 3.1.0
[6552] dbg: config: score set 0 chosen.
[6552] dbg: util: running in taint mode? yes
[6552] dbg: util: taint mode: deleting unsafe environment variables,
resetting PATH
[6552] dbg: util: PATH included '/usr/kerberos/sbin', keeping
[6552] dbg: util: PATH included '/usr/kerberos/bin', keeping
[6552] dbg: util: PATH included '/usr/local/bin', keeping
[6552] dbg: util: PATH included '/bin', keeping
[6552] dbg: util: PATH included '/usr/bin', keeping
[6552] dbg: util: PATH included '/usr/X11R6/bin', keeping
[6552] dbg: util: PATH included '/home/jody/bin', which doesn't exist,
dropping
[6552] dbg: util: final PATH set to:
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6
/bin
[6552] dbg: dns: is Net::DNS::Resolver available? yes
[6552] dbg: dns: Net::DNS version: 0.53
[6552] dbg: dns: name server: 204.249.164.1, family: 2, ipv6: 0
[6552] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[6552] dbg: config: read file /etc/mail/spamassassin/init.pre
[6552] dbg: config: read file /etc/mail/spamassassin/v310.pre
[6552] dbg: config: using "/usr/share/spamassassin" for sys rules pre files
[6552] dbg: config: using "/usr/share/spamassassin" for default rules dir
[6552] dbg: config: read file /usr/share/spamassassin/10_misc.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_advance_fee.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_anti_ratware.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_body_tests.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_compensate.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_drugs.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_head_tests.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_html_tests.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_meta_tests.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_net_tests.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_phrases.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_porn.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_ratware.cf
[6552] dbg: config: read file /usr/share/spamassassin/20_uri_tests.cf
[6552] dbg: config: read file /usr/share/spamassassin/23_bayes.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_accessdb.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_antivirus.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_body_tests_es.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_body_tests_pl.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_dcc.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_domainkeys.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_hashcash.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_razor2.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_replace.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_spf.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_textcat.cf
[6552] dbg: config: read file /usr/share/spamassassin/25_uribl.cf
[6552] dbg: config: read file /usr/share/spamassassin/30_text_de.cf
[6552] dbg: config: read file /usr/share/spamassassin/30_text_fr.cf
[6552] dbg: config: read file /usr/share/spamassassin/30_text_it.cf
[6552] dbg: config: read file /usr/share/spamassassin/30_text_nl.cf
[6552] dbg: config: read file /usr/share/spamassassin/30_text_pl.cf
[6552] dbg: config: read file /usr/share/spamassassin/30_text_pt_br.cf
[6552] dbg: config: read file /usr/share/spamassassin/50_scores.cf
[6552] dbg: config: read file /usr/share/spamassassin/60_awl.cf
[6552] dbg: config: read file /usr/share/spamassassin/60_whitelist.cf
[6552] dbg: config: read file /usr/share/spamassassin/60_whitelist_spf.cf
[6552] dbg: config: read file
/usr/share/spamassassin/60_whitelist_subject.cf
[6552] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[6552] dbg: config: read file /etc/mail/spamassassin/70_sare_adult.cf
[6552] dbg: config: read file /etc/mail/spamassassin/70_sare_evilnum0.cf
[6552] dbg: config: read file /etc/mail/spamassassin/70_sare_genlsubj0.cf
[6552] dbg: config: read file /etc/mail/spamassas

MySQL server resolution

[Marc Perkel]

ok - here's what I'm thinking. I want to be able to switch MySWL servers 
should the main server go down.


In my local.cf file I have this:

user_awl_dsn DBI:mysql:spamassassin:bayes

The server "bayes" is defined in my /etc/hosts file. What I'm thinking 
is if that server goes down that I gave a cron job that will redefine 
the bayes entry to point to localhost. So - my question. If I change the 
IP address of "bayes" in /etc/hosts do I have to restart spamd or will 
it just start talking to the other server because bayes changed?

DK_SIGNED from yahoo

[Raul Dias]

Hi,

I upgraded to 3.1.0 (from 3.0.4) and enabled the Domainkeys plugin.
I patched it with the patch in the bugzilla #4623
(http://issues.apache.org/SpamAssassin/attachment.cgi?id=3210) as I am
using Mail::DomainKeys 0.80.

Testing against mail from groups.yahoo.com, I get DK_SIGNED, but not
DK_VERIFIED as I was expecting (even more as yahoo created domain keys).

Can anyone enlight me?  
Is this what you are getting too?
Are you getting DK_VERIFIED?
Why?

Here is a sample message that got DK_SIGNED only:

8<
Return-Path:
<[EMAIL PROTECTED]>
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=lima;
d=yahoogroups.com;
b=d0ybEeUuQlB70F8dpDvIWUeCOTgc0coLU4UV
+KQoiJxqVGnWDNIhdy8lY6//sud0sk
+JPoWiMIuL9Np6oziRwiP3h/ZgDmeoLRaRlmgp6McoTNH5pApjTFHUn9OFOiTh;
Received: from [66.218.69.4] by n10.bulk.scd.yahoo.com with NNFMP; 31
Oct
2005 14:53:48 -
Received: from [66.218.66.61] by mailer4.bulk.scd.yahoo.com with NNFMP;
31
Oct 2005 14:53:46 -
X-Yahoo-Newman-Property: groups-email
X-Sender: [EMAIL PROTECTED]
X-Apparently-To: [EMAIL PROTECTED]
Received: (qmail 75674 invoked from network); 31 Oct 2005 14:53:45 -
Received: from unknown (66.218.66.166) by m35.grp.scd.yahoo.com with
QMQP;
31 Oct 2005 14:53:45 -
Received: from unknown (HELO ameno.mahoroba.org) (218.45.22.175) by
mta5.grp.scd.yahoo.com with SMTP; 31 Oct 2005 14:53:44 -
Received: from kasuga.mahoroba.org
(IDENT:[EMAIL PROTECTED]
[IPv6:3ffe:501:185b:8010:212:f0ff:fe52:6ac]) (user=ume
mech=CRAM-MD5
bits=0) by ameno.mahoroba.org (8.13.4/8.13.4) with ESMTP/inet6
id
j9VErPhb062622 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA
bits=256
verify=NO) for <[EMAIL PROTECTED]>; Mon, 31 Oct
2005 23:53:28
+0900 (JST) (envelope-from [EMAIL PROTECTED])
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
In-Reply-To:
<[EMAIL PROTECTED]>
References:
<[EMAIL PROTECTED]>
User-Agent: xcite1.38> Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka)
FLIM/1.14.7 (=?ISO-8859-4?Q?Sanj=F2?=) APEL/10.6 Emacs/22.0.50
(i386-unknown-freebsd6.0) MULE/5.0 (SAKAKI)
X-Operating-System: FreeBSD 6.0-RC1
X-PGP-Key: http://www.imasy.or.jp/~ume/publickey.asc
X-PGP-Fingerprint: 1F00 0B9E 2164 70FC 6DC5  BF5F 04E9 F086 BF90 71FE
Organization: Internet Mutual Aid Society, YOKOHAMA
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.1
(stratus.swi.com.br [200.203.204.140]); Mon, 31 Oct 2005
12:54:01 -0200
(BRDT)
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by
milter-greylist-2.0.2 (ameno.mahoroba.org
[IPv6:3ffe:501:185b:8010::1]);
Mon, 31 Oct 2005 23:53:29 +0900 (JST)
X-Virus-Scanned: by amavisd-new
X-Virus-Status: Clean
X-Originating-IP: 218.45.22.175
X-eGroups-Msg-Info: 1:12:0:0
From: Hajimu UMEMOTO <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
MIME-Version: 1.0
Mailing-List: list [EMAIL PROTECTED]; contact
[EMAIL PROTECTED]
Delivered-To: mailing list [EMAIL PROTECTED]
List-Id: 
Precedence: bulk
List-Unsubscribe: 
Date: Mon, 31 Oct 2005 23:53:25 +0900
Subject: Re: [milter-greylist] milter-greylist 2.0.2 released
Reply-To: [EMAIL PROTECTED]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Envelope-To: 
Resent-To: 
X-SWI-Mailbox: cwer
Status:   

Hi,

> On Mon, 31 Oct 2005 14:33:03 +0100
> <[EMAIL PROTECTED]> said:

attila> And there is a place in MX sync.

Ah, yes.  I forgot this, thanks.

attila> More precisely it is used in pending_del() for address
comparison.
attila> Of course, it may be replaced via comparing the content of the
sockaddr structs.

Yes, this comparison is replaced to use ip_equal() in my patch.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
[EMAIL PROTECTED]  [EMAIL PROTECTED],jp.}FreeBSD.org
http://www.imasy.org/~ume/


 Yahoo! Groups Sponsor ~--> 
Fair play? Video games influencing politics. Click and talk back!
http://us.click.yahoo.com/T8sf5C/tzNLAA/TtwFAA/W4wwlB/TM
~-> 

 
Yahoo! Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/milter-greylist/

<*> To unsubscribe from this group, send an email to:
[EMAIL PROTECTED]

<*> Your use of Yahoo! Groups is subject to:
http://docs.yahoo.com/info/terms/
 

>8




Thanks,
Raul Dias

AW: AW: Report in english after reboot

[Christoph Petersen]

Hi folks,

so after I've setup the config files from the source archive and setting
LC_MESSAGES to de_DE.ISO8859-1 it works. Thanks for help.

Regards
Christoph

> 
> I've changed my settings with dpkg-reconfigure locales. Which 
> changes on
> debian the locales systemwide. After that I've restarted the 
> spamd. But even
> with this there is no change.
> 
> Regards
> Christoph
> 
> 
> 
> 

Wiki 3.1.0 upgrade page, strange commentary...

[Matt Kettler]

In the 3.1.0 upgrade page on the wiki:
http://wiki.apache.org/spamassassin/UpgradeTo310

One will find this text:
-

The SA headers X-Spam-Flag, X-Spam-Checker-Version, X-Spam-Level, and
X-Spam-Status are only added to messages that have been flagged as spam. I have
been unable to find a way to override this and the always_add_headers configure
option is no longer supported. This may be a result of SA no longer rewriting
messages. As I understand it messages are left unaltered unless they are flagged
as spam in which case a new message is created and the original one is attached
to it so that it can be more easily used for bayes training and the like.

-


What's up with the grossly obsolete reference to "always_add_headers" no longer
being supported? Did we time-warp in from 2003 or something?

>From the 2.64 mapage:

"This option is deprecated in version 2.60 and later." (2.60 was released in
Sept, 2003)


And, if I read the config correctly, SA 3.1.0 should be default add
Checker-Version and Status to all messages.

Is it true that 3.1.0 is broken as the wiki indicates, or has someone been
posting mis-information to the wiki?

AW: AW: Report in english after reboot

[Christoph Petersen]

Hi Matt,

Christoph Petersen wrote:
> Hi,
> 
> even when I change the LANG setting to de_DE.ISO-8859-1 I get an english
> report. What else could I do?
> 

> How did you do this? Are you sure this change applies to the spamassassin
> instance that generated the English report?

I've changed my settings with dpkg-reconfigure locales. Which changes on
debian the locales systemwide. After that I've restarted the spamd. But even
with this there is no change.

> (ie: merely setting this from a user login shell won't help if you use
spamd
> started at boot time)

Regards
Christoph

Re: AW: Report in english after reboot

[Matt Kettler]

Christoph Petersen wrote:
> Hi,
> 
> even when I change the LANG setting to de_DE.ISO-8859-1 I get an english
> report. What else could I do?
> 

How did you do this? Are you sure this change applies to the spamassassin
instance that generated the English report?

(ie: merely setting this from a user login shell won't help if you use spamd
started at boot time)

AW: Report in english after reboot

[Christoph Petersen]

Hi,

nobody any idea. It's very silly that the report is on english even when I
have the german 30_text_de.cf in my /usr/share/spamassassin directory.

Regards
Christoph

Re: How to include rule files?

[Matt Kettler]

Daniel Watts wrote:

> 
> Matt,
> 
> Many thanks for this heads up! Any reason you are avoiding going to the
> 3.x branch?

Well, generally I hold off on new major releases for at least a month unless
there's a security reason to upgrade ASAP.

However, in this case I've just been too busy to upgrade.

Re: How to include rule files?

[Daniel Watts]

*MANY* things in the 3.x documentation aren't supported in 2.55. The 
include directive is new as of 3.0.0. Since I run 2.64, I was unaware 
it had been added. However, the option is only really useful for 
user_prefs files. Adding it to local.cf is pointless unless you have 
your .cf files in a different directly.


Also, beware.. SpamAssassin 2.55 has a remotely exploitable DoS 
vulnerability. All an attacker needs to do is send you a malformed 
message.


http://www.securityfocus.com/bid/10957

Currently the only versions released of SA newer than 2.40 that are 
not vulnerable to any known security issues are:

2.64
3.0.0
3.0.4
3.1.0


Matt,

Many thanks for this heads up! Any reason you are avoiding going to the 
3.x branch?


Yours,
Danie

Re: How to include rule files?

[Matt Kettler]

At 06:17 AM 10/31/2005, Daniel Watts wrote:

Daniel Watts wrote:


Really simple question -
Where's the documentation to find out how to link other rule files into 
my local.cf file?


Dan



Hmm spoke too soon:

[EMAIL PROTECTED] spamassassin]# spamassassin --lint
Failed to parse line in SpamAssassin configuration, skipping: include 
"/etc/mail/spamassassin/rules/SOFTWARE_SPAM.cf"


is this only supported in 3.x? I'm on 2.55


*MANY* things in the 3.x documentation aren't supported in 2.55. The 
include directive is new as of 3.0.0. Since I run 2.64, I was unaware it 
had been added. However, the option is only really useful for user_prefs 
files. Adding it to local.cf is pointless unless you have your .cf files in 
a different directly.


Also, beware.. SpamAssassin 2.55 has a remotely exploitable DoS 
vulnerability. All an attacker needs to do is send you a malformed message.


http://www.securityfocus.com/bid/10957

Currently the only versions released of SA newer than 2.40 that are not 
vulnerable to any known security issues are:

2.64
3.0.0
3.0.4
3.1.0

Re: How to include rule files?

[Daniel Watts]

Matt Kettler wrote:


At 05:54 AM 10/31/2005, Daniel Watts wrote:


Really simple question -
Where's the documentation to find out how to link other rule files 
into my local.cf file?



You can't.. 


Really? It's in the documentation (but admittedly doesn't work...)

but you don't need to. Spamassassin will parse  
/etc/mail/spamassassin/*.cf, not just local.cf


yep - someone told me this just now and it works a charm. means for a 
cluttered spamassassin directory though...but i can live with it =)


So, all you need to do is copy the rule files into the same directory 
as local.cf and SA will automatically use them with no configuration.

Re: How to include rule files?

[Daniel Watts]

Daniel Watts wrote:


Really simple question -
Where's the documentation to find out how to link other rule files 
into my local.cf file?


Dan



Hmm spoke too soon:

[EMAIL PROTECTED] spamassassin]# spamassassin --lint
Failed to parse line in SpamAssassin configuration, skipping: include 
"/etc/mail/spamassassin/rules/SOFTWARE_SPAM.cf"


is this only supported in 3.x? I'm on 2.55

Re: How to include rule files?

[Matt Kettler]

At 05:54 AM 10/31/2005, Daniel Watts wrote:

Really simple question -
Where's the documentation to find out how to link other rule files into my 
local.cf file?


You can't.. but you don't need to. Spamassassin will 
parse  /etc/mail/spamassassin/*.cf, not just local.cf


So, all you need to do is copy the rule files into the same directory as 
local.cf and SA will automatically use them with no configuration.

Re: How to include rule files?

[Daniel Watts]

Daniel Watts wrote:


Really simple question -
Where's the documentation to find out how to link other rule files 
into my local.cf file?


Dan



Answered this myself:
http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html

just use "include FILENAME"

How to include rule files?

[Daniel Watts]

Really simple question -
Where's the documentation to find out how to link other rule files into 
my local.cf file?


Dan

Re: Would like to rewrite arbitrary headers

[Alan Premselaar]

[EMAIL PROTECTED] wrote:

Greetings, battlers.

I would like to rewrite headers on incoming spam without having SA
prepend "X-Spam-" to them.  Two reasons:

First, I want to get rid of "Disposition-Notification-To" because many
of my users configure their Outlook to automatically honour delivery
notifications.  That creates an outgoing email when they read or
delete a spam message.

Second, I have a set of GroupWise users.  They cannot write rules on
arbitrary headers, such as "X-Spam-Flag".  Instead, they can only
write rules based on a list of headers that Novell have chosen, none
of which begins with "X-Spam-".

Sadly both of these reasons sound lame: daft Outlook users and a daft
Novell application.  However there's nothing I can do about that so
I'm going to hack SA instead.

Does anyone else have similar needs?  Is such a feature already in the
works?

Thanks in advance.



If you're using Sendmail as your MTA, you could use MIMEDefang (a 
milter) to do that very easily.


alan