server/user bayes
Hello! In my server config I use per-user config including bayes. With Horde's IMP it is possible to make per-user learn spam. All fine, but I also want to use the system-wide bayes to detect spam based on both the user and the system bayes. Is this possible with SA 3.1.0?
very few points to spam message
I have received some spam messages and Spamassassin has assigned the tests correctly, for example it found BODY_ENHANCEMENT, BODY_ENHANCEMENT2 and GUARANTEED_100_PERCENT, but still the score that the messages got was 2.2. I don't want to decrease the default level of 5 because sometimes I get non-spam messages with more than 4 points. Is it possible that Spamassassin is considering the messages as local (which gets less points than net)? How can I tell if the message was processed as local, net, with bayes or with bayes+net? I use Spamassassin 3.0.4 under Linux+Postfix; I am invoking it from master.cf (i.e. the IntegratedSpamdInPostfix article of the wiki).
Re: rejectlog
On Thu, Nov 10, 2005 at 04:08:56PM +0100, nick wrote:

> Rejecting the mail after DATA? Spamassassin runs behind my MTA, if the sender passes blacklist checks and any other obvious no-nos, it's then passed to spamassassin which NEVER discards email, but places them in a spam folder. Discarding emails based on a spam score is a bad idea. As you can see quite clearly, the reasons behind the discard/tagging aren't logged, so false positives can't be corrected.

It is a bad idea if you set it up so it doesn't log anything, yes. Anything done badly is a bad idea. It is however perfectly possible to set up Exim and sa-exim to use spamassassin to reject mail after DATA giving a full reason why in the log file and the reject message and still keeping a copy on disk.

A reject with a useful message combined with keeping the message on disk for a reasonable period of time is in many cases BETTER than accepting and silently filing away in a spam folder, because the entity with the most desire to see the mail delivered -- the sender -- is the one who gets notified via the usual SMTP mechanism that it did not get delivered. Having the spare time to look through my "spamassassin thinks this is spam" folder for false positives is a thing of the past; I would much rather reject as much as possible and only have to check the borderline stuff.

Andy
Re: First time home made rule not doing what I was thinkin....
On Thu, 10 Nov 2005 20:02:46 -0700 James Lay [EMAIL PROTECTED] wrote:

> Here's the rule:
>
> body GATEWAY_001 /tripod\.com/i
> score GATEWAY_001 5
> describe GATEWAY_001 match tripod.com
>
> Here's the result:
>
> Nov 9 13:42:03 gateway spamd[17880]: spamd: result: . -2 -ALL_TRUSTED,AWL,BAYES_00,GATEWAY_001 scantime=0.6,size=1213,user=spamfilter,uid=1004,required_score=3.4,rhost=localhost,raddr=127.0.0.1,rport=/var/spool/spamfilter/spamd,mid=[EMAIL PROTECTED],bayes=0,autolearn=ham
>
> Did I totally miss something? Thanks! James

Thanks for the help people...was just what I needed =)

James
Remove Address from Whitelist - question
I am running Spamassassin version 2.60 on a Redhat 8.0 mail server. I have a couple of addresses that I would like to remove from the AWL but when I have tried:

spamassassin --remove-addr-from-whitelist=addr

The process appears to run forever, with no effect. Well, almost no effect, I can see that it locks the AWL database, but have let it churn for over 20 minutes with no results. Am I missing something?

Thank you,
-- Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED] Software Engineer: Full Compass Systems LTD. Phone: 608-831-7330 x 1347 FAX: 608-831-6330
=== There are only three sports: bullfighting, mountaineering and motor racing, all the rest are merely games! - Ernest Hemingway
new rules for stock spam?
Does anyone have any rules to squash the recent spate of stock alert spam that I've been seeing? The messages are coming from multiple sources, although some can be traced back to IPs belonging to kornet.net. There are no URLs in the message body. Bayes is probably the best bet, but on my global db it's scoring only BAYES_50. The last batch had scores like this:

X-Spam-Status: No, hits=1.518 tagged_above=-99 required=5 tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SPF_FAIL
X-Spam-Status: No, hits=2.042 tagged_above=-99 required=5 tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SARE_FROM_BADAOL
X-Spam-Status: No, hits=1.1 tagged_above=-99 required=5 tests=BAYES_50, FROM_STARTS_WITH_NUMS, HTML_30_40, HTML_MESSAGE

-Bill
Re: new rules for stock spam?
Bill Randle wrote:

> Does anyone have any rules to squash the recent spate of stock alert spam that I've been seeing? The messages are coming from multiple sources, although some can be traced back to IPs belonging to kornet.net. There are no URLs in the message body. Bayes is probably the best bet, but on my global db it's scoring only BAYES_50. The last batch had scores like this:
>
> X-Spam-Status: No, hits=1.518 tagged_above=-99 required=5 tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SPF_FAIL
> X-Spam-Status: No, hits=2.042 tagged_above=-99 required=5 tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SARE_FROM_BADAOL
> X-Spam-Status: No, hits=1.1 tagged_above=-99 required=5 tests=BAYES_50, FROM_STARTS_WITH_NUMS, HTML_30_40, HTML_MESSAGE

The FSR_MASKED_FINANCIAL rule (from here http://www.wormbytes.ca/software/spamassassin/rules.cf) and a well trained bayes takes care of most stock spams. You could expand the rule to include pr*fit, auth*rity and l*w. Also see the 72_sare_bml_post25x.cf rule from SARE. Also, since you have a lot of these spams, use them to train the bayes db.

- dhawal
Re: new rules for stock spam?
Bill Randle wrote:

> > Does anyone have any rules to squash the recent spate of stock alert spam that I've been seeing? The messages are coming from multiple sources, although some can be traced back to IPs belonging to kornet.net. There are no URLs in the message body. Bayes is probably the best bet, but on my global db it's scoring only BAYES_50. The last batch had scores like this:
> >
> > X-Spam-Status: No, hits=1.518 tagged_above=-99 required=5 tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SPF_FAIL
> > X-Spam-Status: No, hits=2.042 tagged_above=-99 required=5 tests=BAYES_50, HTML_30_40, HTML_MESSAGE, SARE_FROM_BADAOL
> > X-Spam-Status: No, hits=1.1 tagged_above=-99 required=5 tests=BAYES_50, FROM_STARTS_WITH_NUMS, HTML_30_40, HTML_MESSAGE
>
> The FSR_MASKED_FINANCIAL rule (from here http://www.wormbytes.ca/software/spamassassin/rules.cf) and a well trained bayes takes care of most stock spams. You could expand the rule to include pr*fit, auth*rity and l*w. Also see the 72_sare_bml_post25x.cf rule from SARE. Also, since you have a lot of these spams, use them to train the bayes db.

Thanks for the pointer to FSR_MASKED_FINANCIAL. I do use 72_sare_bml_post25x.cf, but it doesn't seem to hit very many of them.

-Bill
What countries to block ? and detectng Trojan attachments?
We are getting a lot of spam mail from countries outside of the US. Anyone have a list of what country domain extensions are fairly Ok to block? We don't have a lot of users who receive mail from outside the US. We'd like to cut down on spam/spoof/virus messages. Currently I am blocking all mails from *.nl *.br *.ch etc..

Also, Is there a special rule to detect messages like the one below?

Thanks

- Original Message -

Dear user sam, You have successfully updated the password of your Mybloo account. If you did not authorize this change or if you need assistance with your account, please contact Mybloo customer service at: [EMAIL PROTECTED] Thank you for using Mybloo! The Mybloo Support Team
+++ Attachment: No Virus (Clean) +++ Mybloo Antivirus - www.mybloo.com
RE: What countries to block ? and detectng Trojan attachments?
Jerry wrote: Anyone have a list of what country domain extensions are fairly Ok to block? There's a politically charged question. FWIW, most spam still comes from the US. -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer
Re: What countries to block ? and detectng Trojan attachments?
hi,

> > Anyone have a list of what country domain extensions are fairly Ok to block?
>
> There's a politically charged question. FWIW, most spam still comes from the US.

imho, it's not an issue of where most spam comes from, nor is it a politically charged question. rather it's a pragmatic one: what % of email you rec'v/expect from any given country is spam?

e.g., as one of my clients (a) does no business with CN/KR, and (b) noted that ~100% of email rec'd from servers there was spam, adding: cn-kr.blackholes.us, before their usual RBL list of: sbl-xbl.spamhaus.org, relays.ordb.org, relays.mail-abuse.org, list.dsbl.org has had a huge effect on reducing spam ... even though the total volume orig'ing in the US may be higher, the % of legit email is much higher, and the 'other' RBL do well enuf ...

so, to your question: "... fairly OK ... ?" is simply an operational issue.

cheers, richard

--
ASCII Ribbon Campaign against HTML email, vCards, micro$oft attachments
[GPG] OpenMacNews at gmail dot com fingerprint: 780A 5C81 D446 C616 B113 AA3A 9BF4 3736 88A5 678E
Re: What countries to block ? and detectng Trojan attachments?
Jerry wrote:

> We are getting a lot of spam mail from countries outside of the US. Anyone have a list of what country domain extensions are fairly Ok to block? We don't have a lot of users who receive mail from outside the US. We'd like to cut down on spam/spoof/virus messages. Currently I am blocking all mails from *.nl *.br *.ch etc..

Personally, I find it unreasonable to outright block any country. The problem being if you post on a list like say, users@spamassassin.apache.org an off-list reply can come to you with help from *anywhere* in the world. For example you might think it safe to block Ireland, not knowing anyone from there. However, if Justin Mason emailed you off-list about a SA problem you'd be blocking him. Unless you can prove you strictly don't ever communicate with anyone from a given country (including mailing lists), and never want to use any OSS with any developers in that country, you're pretty much not-safe blocking it.

That said, I do use ACLs in milter-greylist to greylist all of apnic and lacnic, as well as a variety of DUL networks in the US and EU, as well as any host with no RDNS. The greylist takes care of a lot of the spam without blocking legitimate mail, although there are a couple of legitimate messages hit each week, they only get delayed not dropped. Thus far this week 10,181 messages were greylisted by my setup. Of those 376 retried and were delivered. Of those, 316 were tagged as spam by SA, and 51 were not. A few of the 51 were SA FNs, but none of the 316 appear to be SA FPs.

> Also, Is there a special rule to detect messages like the one below?

Yeah, it's called a virus scanner. That's a mytob variant virus message.
Re: What countries to block ? and detectng Trojan attachments?
> > Also, Is there a special rule to detect messages like the one below?
>
> Yeah, it's called a virus scanner. That's a mytob variant virus message.

My virus scanner cleans the attachment, but I still get people emailing and calling about their accounts when they receive these messages.
Re: Is this a Spamassassin generated message?
Marc Perkel wrote: Getting messages like this. Just upgraded to 3.10. Is this coming from SA? Spam detection software, running on the system pascal.ctyme.com, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Yes. That's the standard SA report if you have report_safe set to anything other than 0. That's been the default report template since SA 2.60.
Re: What countries to block ? and detectng Trojan attachments?
> We are getting a lot of spam mail from countries outside of the US. Anyone have a list of what country domain extensions are fairly Ok to block? We don't have a lot of users who receive mail from outside the US. We'd like to cut down on spam/spoof/virus messages. Currently I am blocking all mails from *.nl *.br *.ch etc..

Living in a country outside the US (realistically, all countries in the world, with just one exception, are outside the US) I must say that I get spam from many places ... including said united states. Why wouldn't just everybody - in every country - block mails from anywhere else?

Wolfgang Hamann
Re: What countries to block ? and detectng Trojan attachments?
Jerry wrote:

> > > Also, Is there a special rule to detect messages like the one below?
> >
> > Yeah, it's called a virus scanner. That's a mytob variant virus message.
>
> My virus scanner cleans the attachment, but I still get people emailing and calling about their accounts when they receive these messages.

Well, then that's a problem with your virus scanner setup.. Mine tags the subject line with {VIRUS} so my users never bother me about them...
Re: Is this a Spamassassin generated message?
Matt Kettler wrote: Marc Perkel wrote: Getting messages like this. Just upgraded to 3.10. Is this coming from SA? Spam detection software, running on the system "pascal.ctyme.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Yes. That's the standard SA report if you have report_safe set to anything other than 0. That's been the default report template since SA 2.60. Right - the last upgrade I did last night overwrote my local.cf file. -- Marc Perkel - [EMAIL PROTECTED] Spam Filter: http://www.junkemailfilter.com My Blog: http://marc.perkel.com
Re: Apparently Recieved by my server...
> [EMAIL PROTECTED] wrote:
>
> > The following email to me gets through by their spoofing my IP even though it clearly comes from somewhere else. I remember someone mentioning a trusted_networks-like setting that used something like a apparently_received_from name or something similar. How do I set it up? Just a pointer to a DOC will suffice, unless you've had trouble setting it up... I've searched google and have found some cryptic stuff but am new enough to this to ask for help. I hope this isn't so elementary that I'm annoying.
> >
> > start email header
> >
> > Return-Path: [EMAIL PROTECTED]
> > X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on moroni.ourldsfamily.com
> > X-Spam-Status: No, score=-89.8 required=0.8 tests=AWL,INVALID_TZ_EST, MIME_BOUND_DD_DIGITS,MSGID_DOLLARS_RANDOM,RCVD_HELO_IP_MISMATCH, RCVD_IN_SORBS_SOCKS,RCVD_IN_WHOIS_BOGONS,RCVD_NUMERIC_HELO, UNPARSEABLE_RELAY,USER_IN_WHITELIST,X_MESSAGE_INFO autolearn=no
>
> Hi,
>
> You want to look at USER_IN_WHITELIST_TO or USER_IN_WHITELIST_FROM, not your current setting of USER_IN_WHITELIST in your local.cf or user_prefs.
>
> Regards, Rick

I've run across a similar issue and believe it to be a bug in the way Spamassassin handles WHITELIST_FROM_RCVD. According to the docs, whitelist_from_rcvd matches what you've specified as an ok rDNS location against the reverse DNS lookup used during the handover from the internet to your internal network's mail exchangers.

However, if you look at the received header Karl posted:

Received: from 198.60.114.90 ([200.167.92.14])
                               ^^^
        by moroni.ourldsfamily.com (8.12.5/8.12.5) with SMTP id jAAHFTBO030068
        for [EMAIL PROTECTED]; Thu, 10 Nov 2005 10:15:31 -0700

and check the IP address this message came from, no PTR records exist for this IP so his system can't do a reverse DNS lookup. For some reason, in this case Spamassassin seems to trust the "from 198.60.114.90" part of the header as the source of the message, which if I understand my mail headers properly comes from the easily forged HELO exchange. (Of course, I could be wrong about this.)

My guess is that Karl's config file has something like

WHITELIST_FROM_RCVD [EMAIL PROTECTED] 198.60.114.90

causing Spamassassin to trigger the USER_IN_WHITELIST rule, even though this message was not really received from his trusted IP. Someone correct me if I'm wrong about the way I'm reading my headers; otherwise I probably will file the bugzilla!

Sandy
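The Received: header Sandy walks through above is a good test case for the distinction between the HELO string and the connecting IP. The following Python is an added example (not from the thread and not SpamAssassin's own code): it parses the quoted header, flags a numeric HELO that differs from the bracketed peer IP, and does a whitelist_from_rcvd-style check by resolving the peer IP rather than trusting the HELO. The PTR table, the trusted-relay hostname and the function names are constructed assumptions for illustration.

```python
import re
from typing import Optional

# The header quoted in Sandy's post (recipient anonymised in the archive).
SAMPLE_RECEIVED = (
    "Received: from 198.60.114.90 ([200.167.92.14])\n"
    "\tby moroni.ourldsfamily.com (8.12.5/8.12.5) with SMTP id jAAHFTBO030068\n"
    "\tfor <user@example.org>; Thu, 10 Nov 2005 10:15:31 -0700"
)

# Constructed header for comparison: mail that really did come from the
# admin's trusted relay, with the MTA having recorded its reverse DNS name.
GOOD_RECEIVED = (
    "Received: from mail.trusted-relay.example.net "
    "(trusted-relay.example.net [198.60.114.90])\n"
    "\tby moroni.ourldsfamily.com (8.12.5/8.12.5) with ESMTP id CONSTRUCTED\n"
    "\tfor <user@example.org>; Thu, 10 Nov 2005 10:20:00 -0700"
)

# Constructed, offline stand-in for PTR lookups: the trusted relay has
# reverse DNS, the connecting host in the sample (200.167.92.14) does not.
FAKE_PTR = {
    "198.60.114.90": "trusted-relay.example.net",
}

# "from <helo> (<rdns> [<ip>])": the helo token is whatever the client sent;
# the parenthesised part is what the receiving MTA observed itself.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?P<ip>[0-9.]+)\]\))?"
)


def parse_received(header: str) -> Optional[dict]:
    """Split a Received: header into the HELO string, the MTA-recorded
    reverse name (if any) and the peer IP the MTA actually talked to."""
    m = RECEIVED_RE.match(header.replace("\n", " "))
    if not m:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}


def helo_ip_mismatch(rcvd: dict) -> bool:
    """True when the client announced a bare IP in HELO that is not the
    address it connected from (the situation in the quoted header)."""
    helo = rcvd["helo"].strip("[]")
    return re.fullmatch(r"[0-9.]+", helo) is not None and helo != rcvd["ip"]


def rcvd_whitelist_ok(rcvd: dict, allowed_rdns: str, ptr=FAKE_PTR) -> bool:
    """whitelist_from_rcvd done the safe way: look up the bracketed peer IP
    and compare its reverse name with the configured one. The HELO string is
    never consulted, since the remote side chooses it freely."""
    name = ptr.get(rcvd["ip"])
    if name is None:          # no PTR record: cannot be whitelisted by rDNS
        return False
    return name == allowed_rdns or name.endswith("." + allowed_rdns)


if __name__ == "__main__":
    for label, hdr in (("forged", SAMPLE_RECEIVED), ("genuine", GOOD_RECEIVED)):
        r = parse_received(hdr)
        print(label, r, "helo/ip mismatch:", helo_ip_mismatch(r),
              "rcvd whitelist ok:", rcvd_whitelist_ok(r, "trusted-relay.example.net"))
```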
User_Scores SQL database not working??
I currently am using SA 3.1.0 with ClamAV 0.87.1 and Qmail-scanner 1.25st. I use SQL for my bayes as well as my user scores preferences databases. When testing the whitelist_from preference, mail comes through just fine and is recognized to be part of that preference and is scored accordingly. However, when I enter a blacklist_from preference, mail blacklisted seemingly is ignored? Running it through spamassassin -D msg.msg doesn't seem to work, as it apparently isn't testing against the scores preferences database - as even the whitelist_from senders aren't getting tagged as in the whitelist - I only see that when sending actual mail through the server. Any thoughts as to what might be going wrong??

Matt
-- Matthew Yette Senior Engineer (NOC/Operations) M.A. Polce Consulting 315-838-1644
RE: What countries to block ? and detectng Trojan attachments?
[EMAIL PROTECTED] wrote:

> Living in a country outside the US (realistically, all countries in the world, with just one exception, are outside the US) I must say that I get spam from many places ... including said united states. Why wouldn't just everybody - in every country - block mails from anywhere else?

I live in the US, and I'm philosophically opposed to blocking emails from a particular country. Gr(a|e)ylisting I'm fine with. But even if (say) Ptomania was barred by the UN from ever doing business with any other country; if logs going back ten years conclusively showed that every email ever received from Ptomania was demonstrably spam or viral; if there was evidence that a team of virus writers was developing new viruses every day and seeding them from Ptomanian mail servers; if ICANN dedicated a class A IP network solely for Ptomanian use in perpetuity; yes, even if all these things were true, I would /still/ refuse to block mail from that IP network. Why? Because it's wrong. I cannot prove this... but it /is/... in the same sense that Mt. Everest /is/, or that Elmer Kogan /isn't/.

-- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer
Rule for this ??
Here's an intelligent html coder. I viewed the source of the code because I was curious as to how these words flew right through my SA. You will note that if turned into plain text, he used a bunch of tables and cells to produce the following:

From: Firoz Granger [mailto:[EMAIL PROTECTED]
Sent: Friday, November 11, 2005 4:49 AM
To: Jean-Paul Natola
Subject: Glen: interesting information

Hi, Qui ing f ications - vis aExpres op t overpay or your Medd it our Pharm s Sh P V C X V A r I I a A m o A A n L b z G L a I i a R I x U e c A S M n 69,95 99,95 85,45

What rule, if any, can combat this?
RE: What countries to block ? and detectng Trojan attachments?
Matthew.van.Eerde wrote: Elmer Kogan /isn't/ s/Elmer Kogan/Alma Cogan/ (sorry) -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer
RE: What countries to block ? and detectng Trojan attachments?
On Fri, 11 Nov 2005, [EMAIL PROTECTED] wrote:

> But even if (say) Ptomania was barred by the UN from ever doing business with any other country; if logs going back ten years conclusively showed that every email ever received from Ptomania was demonstrably spam or viral; if there was evidence that a team of virus writers was developing new viruses every day and seeding them from Ptomanian mail servers; if ICANN dedicated a class A IP network solely for Ptomanian use in perpetuity; yes, even if all these things were true, I would /still/ refuse to block mail from that IP network. Why? Because it's wrong.

Who are you to dictate to an end user what mail they _must_ receive? Their hardware. Their network. Their equipment. Their property. Not yours. What's next, mandating people _must_ answer all phone calls, any time of the day or night, telemarketer or not, because one of them _might_ be a legitimate call?

FWIW it's simpler for me to block on encodings. I don't read chinese or korean or russian, there is no reason for me to ever receive chinese or korean or russian language emails, so anything BIG5 or EUC-KR or KOI8 encoding with high-ascii chars in the body is instantly binned.

-Dan
Re: Rule for this ??
Jean-Paul Natola wrote:

> Here's an intelligent html coder. I viewed the source of the code because I was curious as to how these words flew right through my SA. You will note that if turned into plain text, he used a bunch of tables and cells to produce the following;

Try this on for size:

body L_COLUMN_VIAG /\bv(?:\s\w){4,6}\si(?:\s\w){4,6}\sa(?:\s\w){4,6}\sg(?:\s\w){4,6}\sr(?:\s\w){4,6}\sa\b/i
describe L_COLUMN_VIAG looks like a column-obfuscated v-pill ad
score L_COLUMN_VIAG 0.1

Warning: new rule, not well tested, hence the limited score. I just placed this on my live server to see how it behaves. Of course, there are some limitations to this rule that a spammer can use to get around it, but the general concept of the new gap clause of (?:\s\w){4,6}\s can be adapted to catch future variants with different table attributes.
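To see how the gap clause of that rule behaves against the table-obfuscated text quoted earlier in the thread, here is an added Python example (not part of the post and not SpamAssassin code). It applies the posted regex as-is, then generalises the gap clause into a builder for any word spelled down a table column; the six-cells-per-row rendering of the ad is a constructed assumption about how the HTML table flattens to text, and the ham line is constructed.

```python
import re

# The rule posted above, verbatim; SA applies it with /i, hence re.I.
L_COLUMN_VIAG = re.compile(
    r"\bv(?:\s\w){4,6}\si(?:\s\w){4,6}\sa(?:\s\w){4,6}"
    r"\sg(?:\s\w){4,6}\sr(?:\s\w){4,6}\sa\b",
    re.I,
)


def column_rule(word: str, min_gap: int = 4, max_gap: int = 6) -> re.Pattern:
    """Generalisation of the gap clause (?:\\s\\w){4,6}\\s from the post:
    build a pattern for any word spelled down a column, allowing between
    min_gap and max_gap single-character filler cells between consecutive
    letters. Widen the gap range to follow tables with more columns."""
    gap = r"(?:\s\w){%d,%d}\s" % (min_gap, max_gap)
    letters = [re.escape(c) for c in word]
    return re.compile(r"\b" + gap.join(letters) + r"\b", re.I)


# Constructed rendering of the ad quoted in the thread: the cells from
# "P V C X V A r I I a A m ..." laid out six per row, so the target word
# runs down the second column and every other cell is one filler letter.
OBFUSCATED = (
    "P V C X V A\n"
    "r I I a A m\n"
    "o A A n L b\n"
    "z G L a I i\n"
    "a R I x U e\n"
    "c A S M n\n"
    "69,95 99,95 85,45"
)

# Constructed ham with single-letter words in ordinary prose; a stray
# "V" followed by one cell never satisfies the 4..6 gap requirement.
HAM = "I saw a V sign and a G rated film; rather a long day."


def hits(pattern: re.Pattern, text: str) -> bool:
    """True when the rule would fire on the rendered body text."""
    return pattern.search(text) is not None


if __name__ == "__main__":
    print("posted rule on obfuscated ad:", hits(L_COLUMN_VIAG, OBFUSCATED))
    print("posted rule on ham:", hits(L_COLUMN_VIAG, HAM))
    print("builder reproduces posted rule:",
          column_rule("viagra").pattern == L_COLUMN_VIAG.pattern)
    # A word whose letters do not appear in the table cannot match.
    print("builder for another word on the ad:",
          hits(column_rule("phentermine"), OBFUSCATED))
```

Because `\w` also matches digits and `\s` matches newlines, the rule fires across row boundaries too, which is what lets it follow a column; the same looseness means a short filler word will still be bridged, so the low score in the post is sensible until the hit rate is known.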
Re: What countries to block ? and detectng Trojan attachments?
Good afternoon, all,

On Fri, 11 Nov 2005, OpenMacNews wrote:

> > > Anyone have a list of what country domain extensions are fairly Ok to block?
> >
> > There's a politically charged question. FWIW, most spam still comes from the US.
>
> imho, it's not an issue of where most spam comes from, nor is it a politically charged question. rather it's a pragmatic one: what % of email you rec'v/expect from any given country is spam? e.g., as one of my clients (a) does no business with CN/KR, and (b) noted that ~100% of email rec'd from servers there was spam, adding:

I heard that same argument from a respected coworker; he asked the company owner whether we could _possibly_ do business with Country S now or in the future. Given an answer of no and the fact that we were receiving sustained attacks from Country S, he blocked the entire country. A few years later I found myself teaching a perimeter security course _in the capital of Country S_, explaining to a classroom full of paying students that we banned the entire country for a number of months because - *gulp* - there was no possible way we'd ever do business with that country.

Here's another way to look at the issue. Let's say that you knew that a state/county/province in your own country had an inordinately low signal/attack ratio. Would you ban that region? Can you ever be sure enough that you'll _never_ get a legitimate mail from that region? I've got one counter-example above.

If you really do believe you've got some political area with a sufficiently low signal/noise ratio, I'd suggest making an SA rule to _raise the score_, instead of an unconditional block.

One last note, Jerry. If you unconditionally blocked mail from .nl and .br, you'd have respectively blocked 688 and 258 (out of 56,910) posts from this list alone. One of which might someday have an answer you need. :-)

Cheers,
- Bill

---
Boucher's Observation: He who blows his own horn always plays the music several octaves higher than originally written. (Courtesy of Brett W. McCoy [EMAIL PROTECTED])
-- William Stearns ([EMAIL PROTECTED]). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org --
Re: What countries to block ? and detectng Trojan attachments?
> Here's another way to look at the issue. Lets say that you knew that a state/county/province in your own country had an inordinately low signal/attack ratio. Would you ban that region?

1st, afaik, there are no IP block lists by state/county/province in your own country.

2nd, it would not meet stated business criteria. client does business in the US .. all of it. not in CN-KR. in ~10 years, not a single email to/from CN-KR. any/all clients that HAVE been in/through CN-KR have communicated via legit providers in the US. problem solved for them.

3rd, entire IP block bans ARE in place for known, seriously offending blocks, due specifically to inordinately low signal/attack ratio.

> Can you ever be sure enough that you'll _never_ get a legitimate mail from that region?

NOTHING is ever for certain. especially managing business risk.

> If you unconditionally blocked mail from .nl and .br, you'd have respectively blocked 688 and 258 (out of 56,910) posts from this list alone.

hence, searchable mailing list archives are a 'good thing' ...
Change Temp Directory
Hello, I've looked around and could not find this answer. How does one change the temp directory that spamd uses? I see it using /tmp on our debian sarge server using a debian spamassassin 3.0.3-2 version. I would like to change it to /var/tmp which on our system is a much faster SCSI raid disk. Thanks for your help, Ken Rea
RE: Change Temp Directory
User for SpamAssassin Mail List wrote:

> I've looked around and could not find this answer. How does one change the temp directory that spamd uses? I see it using /tmp on our debian sarge server using a debian spamassassin 3.0.3-2 version. I would like to change it to /var/tmp which on our system is a much faster SCSI raid disk.

From USAGE:

- SpamAssassin now uses a temporary file in /tmp (or $TMPDIR, if that's set in the environment) for Pyzor and DCC checks. Make sure that this directory is either (a) not writable by other users, or (b) not shared over NFS, for security.

So, if you set $TMPDIR in the spamd user's environment to /var/tmp, that should do it.

-- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer
RE: Change Temp Directory
But spamd changes user id each time it's used; this would not work too well, would it?

Ken

On Fri, 11 Nov 2005 [EMAIL PROTECTED] wrote:

> User for SpamAssassin Mail List wrote:
>
> > I've looked around and could not find this answer. How does one change the temp directory that spamd uses? I see it using /tmp on our debian sarge server using a debian spamassassin 3.0.3-2 version. I would like to change it to /var/tmp which on our system is a much faster SCSI raid disk.
>
> From USAGE:
>
> - SpamAssassin now uses a temporary file in /tmp (or $TMPDIR, if that's set in the environment) for Pyzor and DCC checks. Make sure that this directory is either (a) not writable by other users, or (b) not shared over NFS, for security.
>
> So, if you set $TMPDIR in the spamd user's environment to /var/tmp, that should do it.
>
> -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer
RE: Change Temp Directory
User for SpamAssassin Mail List wrote: But spamd changes users id each time it's used this would not work to well would it? I don't know if $ENV{TMPDIR} is queried once on startup, or at every user change... maybe the source would reveal that information... Could you symlink /tmp to /var/tmp and have everybody use the faster disk? On my own servers, I mount /tmp as a RAM disk. -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer
Re: Change Temp Directory
[EMAIL PROTECTED] wrote:

> User for SpamAssassin Mail List wrote:
>
> > I've looked around and could not find this answer. How does one change the temp directory that spamd uses? I see it using /tmp on our debian sarge server using a debian spamassassin 3.0.3-2 version. I would like to change it to /var/tmp which on our system is a much faster SCSI raid disk.
>
> From USAGE:
>
> - SpamAssassin now uses a temporary file in /tmp (or $TMPDIR, if that's set in the environment) for Pyzor and DCC checks. Make sure that this directory is either (a) not writable by other users, or (b) not shared over NFS, for security.
>
> So, if you set $TMPDIR in the spamd user's environment to /var/tmp, that should do it.

Also note this will affect every perl package that uses File::Spec->tmpdir too.
Re: Change Temp Directory
User for SpamAssassin Mail List wrote: But spamd changes users id each time it's used this would not work to well would it? spamd changes userid's with setuid, not logon. It shouldn't get a whole new environment, just new privileges and mapping for ~. Thus the TMPDIR from the original launch of spamd should carry over.
RE: What countries to block ?
Backing up about a light year here, and ignoring all philosophical arguments, I'll offer my list of _scored_ (not blocked) countries. This is, of course, specific to our situation:

CN TW RU UA BR

I use the RelayCountry plugin for this, and assign it a rather low score. It DOES help.

Pierre

-----Original Message-----
From: Jerry [mailto:[EMAIL PROTECTED]
Sent: Friday, November 11, 2005 12:11 PM
To: spam
Subject: What countries to block ? and detectng Trojan attachments?

We are getting a lot of spam mail from countries outside of the US. Anyone have a list of what country domain extensions are fairly Ok to block? We don't have a lot of users who receive mail from outside the US. We'd like to cut down on spam/spoof/virus messages. Currently I am blocking all mails from *.nl *.br *.ch etc.. Also, Is there a special rule to detect messages like the one below? Thanks
3.1.0 headers appearing before Received: lines? How to change?
I upgraded to 3.1.0, and now spamassassin is putting its headers before all others, even Received: lines...

X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on sasami.anime.net
X-Spam-Status: No, score=0.0 required=5.0 tests=AWL autolearn=disabled version=3.1.0
X-Spam-Level:
Received: from ms-dienst.rz.rwth-aachen.de (ms-2.rz.RWTH-Aachen.DE [134.130.3.131])

Is there any way to change it back to 3.0.4 behavior? There is nothing mentioned in http://svn.apache.org/repos/asf/spamassassin/branches/3.1/UPGRADE or http://wiki.apache.org/spamassassin/UpgradeTo310

-Dan
RE: 3.1.0 headers appearing before Received: lines? How to change?
Dan Hollis wrote:

> I upgraded to 3.1.0, and now spamassassin is putting its headers before all others, even Received: lines...
>
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on sasami.anime.net
> X-Spam-Status: No, score=0.0 required=5.0 tests=AWL autolearn=disabled version=3.1.0
> X-Spam-Level:
> Received: from ms-dienst.rz.rwth-aachen.de (ms-2.rz.RWTH-Aachen.DE [134.130.3.131])
>
> Is there any way to change it back to 3.0.4 behavior? There is nothing mentioned in http://svn.apache.org/repos/asf/spamassassin/branches/3.1/UPGRADE or http://wiki.apache.org/spamassassin/UpgradeTo310

Short answer: the change was made to be nice to Yahoo!'s DomainKeys. See this excerpt from 3.1.0's Mail::SpamAssassin::PerMsgStatus...

# Break the pristine header set up into two blocks; pre is the stuff that
# we want to ensure comes before any SpamAssassin markup headers, like the
# Return-Path header (see bug 3409).
#
# post is all the rest of the message headers, placed after the
# SpamAssassin markup hdrs. Once one of those headers is seen, all further
# headers go into that set; it's assumed that it's an old copy of the
# header, or attempted spoofing, if it crops up halfway through the
# headers.

And bug 3409: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3409

-- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer
Re: spamd / isn't numeric in subroutine
Herb Martin HerbM at learnquick.com writes:

> Clarification: .49 is Ok in every report I have seen about problems with .50-52 -- it is the recommended retreat position, and that (0.49) is working for me after trouble with a later version.
>
> Loren
> -- Herb

I found the same problem. Downgrading Net::DNS to .49, everything works. I am finding what's wrong in .53 code.

Regards, Pongo
report_safe 0
but still getting this: Spam detection software, running on the system pascal.ctyme.com, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. How do I get rid of it? -- Marc Perkel - [EMAIL PROTECTED] Spam Filter: http://www.junkemailfilter.com My Blog: http://marc.perkel.com
Re: report_safe 0
Marc Perkel writes: but still getting this: Spam detection software, running on the system pascal.ctyme.com, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. How do I get rid of it? set report_safe 1 in the local.cf . --j.
Re: report_safe 0
Justin Mason wrote: Marc Perkel writes: but still getting this: Spam detection software, running on the system pascal.ctyme.com, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. How do I get rid of it? set report_safe 1 in the local.cf . Nope, you want 0, not 1. Make sure you've restarted the daemon and checked your config files with spamassassin --lint. Daryl
Re: report_safe 0
Marc Perkel wrote: but still getting this: Spam detection software, running on the system pascal.ctyme.com, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. How do I get rid of it? Never mind - I figured it out. -- Marc Perkel - [EMAIL PROTECTED] Spam Filter: http://www.junkemailfilter.com My Blog: http://marc.perkel.com
RE: More spam getting through
On Wed, 2005-11-09 at 23:47 +0100, Raymond Dijkxhoorn wrote: Hi! A slightly earlier one got a much lower score with: Umm... I don't see any SARE rules in there. The fact is, SARE isn't terribly effective against these 1-column drug spams. The only SARE hit I got was SARE_SPEC_LEO_LINE03f with a whopping 0.18 points, or occasionally SARE_SPEC_LEO_MEDS with 1.67 points. SARE rules will be updated shortly. Sure, with every possible network test enabled you will catch most everything. But some of us don't have unlimited resources. ;)
body PROLO_LEO1 /85\,45|1\,21/
body PROLO_LEO2 /69\,95|3\,33/
body PROLO_LEO3 /99\,95|3\,75/
uri PROLO_LEO4 /http:\/\/.*\.tripod\.com/
meta PROLO_LEO_M1 (PROLO_LEO1 PROLO_LEO2 PROLO_LEO3 PROLO_LEO4)
score PROLO_LEO1 0.1
score PROLO_LEO2 0.1
score PROLO_LEO3 0.1
score PROLO_LEO4 0.1
score PROLO_LEO_M1 8
describe PROLO_LEO1 Meta Catches all Leo drug variations so far
describe PROLO_LEO2 Meta Catches all Leo drug variations so far
describe PROLO_LEO3 Meta Catches all Leo drug variations so far
describe PROLO_LEO4 Meta to catch Leo now using Tripod
describe PROLO_LEO_M1 Catches all Leo drug variations so far
Meanwhile you could use something like this. We have some other ones, since Leo likes to morph, but this one is pretty effective on the current ones. Update to catch latest variations:
body PROLO_LEO1 /85\,45|1\,21|1\,22/
body PROLO_LEO2 /69\,95|3\,33|3\,32/
-Bill
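How the body, uri, meta and score lines in the post above add up to one score, as an added example that is neither SpamAssassin's nor Bill's code: it uses the updated PROLO_LEO1/PROLO_LEO2 patterns from the end of the post, the meta rule's operator is not legible in the archived text so an OR of the four subrules is assumed, the URI extractor is a crude stand-in for SpamAssassin's, and the two sample bodies are constructed.

```python
import re

# Added example, not SpamAssassin code: a minimal model of how the body,
# uri, meta and score lines above combine into one score. The meta rule's
# operator is not legible in the archived post; this model assumes the four
# subrules are OR'ed, so any one hit fires PROLO_LEO_M1.
BODY_RULES = {
    "PROLO_LEO1": re.compile(r"85\,45|1\,21|1\,22"),
    "PROLO_LEO2": re.compile(r"69\,95|3\,33|3\,32"),
    "PROLO_LEO3": re.compile(r"99\,95|3\,75"),
}
URI_RULES = {"PROLO_LEO4": re.compile(r"http:\/\/.*\.tripod\.com")}
META_RULES = {"PROLO_LEO_M1": ("PROLO_LEO1", "PROLO_LEO2", "PROLO_LEO3", "PROLO_LEO4")}
SCORES = {"PROLO_LEO1": 0.1, "PROLO_LEO2": 0.1, "PROLO_LEO3": 0.1,
          "PROLO_LEO4": 0.1, "PROLO_LEO_M1": 8.0}
URI_RE = re.compile(r"https?://\S+")  # crude URI extractor, stand-in for SA's

def evaluate(body):
    """Return (sorted rule hits, total score) for a message body.

    body rules run against the text, uri rules against each extracted URI,
    and meta rules are resolved last from the subrule hits."""
    hits = {name for name, rx in BODY_RULES.items() if rx.search(body)}
    uris = URI_RE.findall(body)
    hits |= {name for name, rx in URI_RULES.items()
             if any(rx.search(u) for u in uris)}
    for name, subs in META_RULES.items():
        if any(sub in hits for sub in subs):
            hits.add(name)
    return sorted(hits), round(sum(SCORES[h] for h in hits), 2)

# Constructed samples (not real messages): a price-list style body with a
# tripod.com link, and an ordinary note that also contains comma decimals.
SPAM_SAMPLE = "Special offer: only 69,95 EUR! Order at http://shop-example.tripod.com/"
HAM_SAMPLE = "The train leaves at 10,30 and the fare is 12,40. See http://example.org/"
```

Note that the subrules score only 0.1 each; it is the meta rule that carries the weight, which is why the post keeps them cheap and puts 8 points on PROLO_LEO_M1.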
Spamassassin Distro
Hi, I am looking at setting up a new linux box dedicated to spamassassin via amavisd. I am wondering what the best distro is to do this on, is there a particular distro you guys can recommend? I am not looking for an out-of-the-box solution, but one that spam cleaning is almost native to! Regards, Tony
GERMAN ruleset updated
Hello list, http://zmi.at/x/70_zmi_german.cf contains the newest rules to catch German SPAM. Also available automagically via rules du jour, name ZMI_GERMAN. Also documented here: http://wiki.apache.org/spamassassin/CustomRulesets Please report your German SPAM with full headers to [EMAIL PROTECTED] Best regards, zmi -- // Michael Monnerie, Ing.BSc --- it-management Michael Monnerie // http://zmi.at Tel: 0660/4156531 Linux 2.6.11 // PGP Key: lynx -source http://zmi.at/zmi2.asc | gpg --import // Fingerprint: EB93 ED8A 1DCD BB6C F952 F7F4 3911 B933 7054 5879 // Keyserver: www.keyserver.net Key-ID: 0x70545879