Re: f-secure messaging security gateway x-series??

2005-11-23 Thread Mathias Homann
On Wednesday, 23 November 2005 at 23:11, jdow wrote:
> From: "Mathias Homann" <[EMAIL PROTECTED]>
>
> > "the ProofPoint Spam Detection (TM) module uses the ProofPoint
> > MLX(TM) technology for automated learning (pat.pend.)" which in
> > itself doesn't tell
>
>  ^--- Somebody ought to
> check that statement out. Automated learning is something SA has
> been doing for quite a few years now so any prospective patent on
> it in an anti-spam environment should be void. But it might be a
> good idea to make sure the patent examiners are aware of this.

Another weak point of that thing is that they say it runs Linux... and 
I guess most of the other stuff "in there" is GPL'ed, too, and I 
can't for the life of me find the link to download the sources 
anywhere...

bye
MH

-- 
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184  C5F9 B013 44E7 27BD 
763C


Re: Inconsistent Spam scores?

2005-11-23 Thread Matt Kettler
(Re-post to list. For some reason the post which quoted all of Chad's email 
bounced back with a 10.4 score. No clue why, there's no spam quotes here, 
only one URIBL listed domain mentioned in the body report. One domain alone 
shouldn't be >10, even if it's listed in every URIBL in the universe)



Chad, based on the difference in hits on the two scores below, it sounds 
like you're double-scanning the email. Make sure you don't have an MTA 
integration that's scanning the mail before it gets to procmail.


Also, try temporarily disabling both spamc calls in your procmail.rc, see 
if you still get X-Spam-Status headers.


Order of events:

The first time it's scanned, the message gets tagged, a body report is 
added, and the whole thing is encapsulated in a new message with new 
headers, including new Received: headers that show the message as being 
locally generated.


The second time around, the scan will get a different result because the 
message headers are different. The X-Spam-Status header gets over-written, 
but nothing else.


Note that in the body (first scan) several RBLs hit (XBL, spamcop and 
NJABL_DUL) but the second time (X-Spam-Status) they don't fire and in their 
place ALL_TRUSTED matches, suggesting a locally generated email (such as 
the encapsulation).




At 09:11 PM 11/23/2005, Chad wrote:

Hello!

I've been googling and searching this list for a little over 2 hours
now and have yet to find this problem, or a fix for it.  If there is
something obvious I'm missing, feel free to point me in that
direction, but here goes:

I receive Spam from "Doctor" with the subject "Ultimate Online Pharmaceutical"

Its subject gets marked up correctly with my [SPAM] subject_rewrite,
and I have report_safe set to 1, so the message shows the score as:
Content analysis details:   (9.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.3 DATE_IN_FUTURE_12_24   Date: is 12 to 24 hours after Received: date
 0.1 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [217.217.190.99 listed in dnsbl.sorbs.net]
 1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 2.5 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [217.217.190.99 listed in sbl-xbl.spamhaus.org]
 1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [217.217.190.99 listed in combined.njabl.org]
 0.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: *MUNGED*]

As noted, it's a score of 9.2 points total.

But, when I check the header, it shows:

X-Spam-Level:
X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED,
 DATE_IN_FUTURE_12_24,HTML_40_50,HTML_MESSAGE,MIME_HTML_MOSTLY,
 URIBL_SBL autolearn=no version=3.0.2-gr1

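Matt's diagnosis can be checked mechanically. The following is an added example written for this page, not code from the thread or from SpamAssassin: it reads a message, compares the score in X-Spam-Status with the score in the report_safe body report, and lists the rules the second pass no longer sees. The sample message, host names and addresses are constructed (modelled on the report quoted above, with a documentation IP in place of the real one).

```python
"""Added example (not from the thread): spot a message SpamAssassin has
scanned twice, as Matt describes.  With report_safe=1 the first scan wraps
the original in a new message and writes a "Content analysis details"
report into the body; the second scan sees only a locally generated
Received: header, fires ALL_TRUSTED instead of the RBL tests, and
overwrites X-Spam-Status with a much lower score.  Comparing the header
score with the body-report score exposes the double scan.  The sample
message, host names and addresses below are constructed."""
import email
import re
from email import policy

# X-Spam-Status: "No, score=0.5 required=5.0 tests=A,B autolearn=no version=..."
STATUS_RE = re.compile(
    r"score=(?P<score>-?\d+(?:\.\d+)?)\s+required=(?P<req>-?\d+(?:\.\d+)?)"
    r"\s+tests=(?P<tests>.*?)(?:\s+autolearn=|\s*$)", re.S)
# Summary line of the report that report_safe writes into the body.
REPORT_RE = re.compile(
    r"Content analysis details:\s+\((?P<score>-?\d+(?:\.\d+)?) points, "
    r"(?P<req>-?\d+(?:\.\d+)?) required\)")
# One scored rule per report line: " 2.3 DATE_IN_FUTURE_12_24   Date: is ..."
RULE_LINE_RE = re.compile(r"^\s*-?\d+\.\d+\s+([A-Z][A-Z0-9_]*)", re.M)


def parse_status_header(msg):
    """{'score', 'required', 'tests'} from X-Spam-Status, or None if absent."""
    value = msg.get("X-Spam-Status")
    m = STATUS_RE.search(str(value)) if value is not None else None
    if m is None:
        return None
    tests = {t.strip() for t in m.group("tests").split(",") if t.strip()}
    return {"score": float(m.group("score")),
            "required": float(m.group("req")), "tests": tests}


def parse_body_report(msg):
    """The report_safe report from the first text/plain part that has one."""
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        text = part.get_content()
        m = REPORT_RE.search(text)
        if m is not None:
            return {"score": float(m.group("score")),
                    "required": float(m.group("req")),
                    "tests": set(RULE_LINE_RE.findall(text[m.end():]))}
    return None


def diagnose(raw_message):
    """Compare the header result with the body report; flag a double scan."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    status, report = parse_status_header(msg), parse_body_report(msg)
    if status is None or report is None:
        return {"double_scan": False, "reason": "only one scan result present"}
    double = (report["score"] != status["score"]
              and "ALL_TRUSTED" in status["tests"]
              and "ALL_TRUSTED" not in report["tests"])
    return {"double_scan": double, "header_score": status["score"],
            "report_score": report["score"],
            # rules the first pass scored that the second pass no longer sees
            "lost_tests": report["tests"] - status["tests"]}


REPORT_BODY = (  # constructed, modelled on the report quoted in the thread
    "Content analysis details:   (9.2 points, 5.0 required)\n\n"
    " pts rule name              description\n"
    "---- ---------------------- ----------------------------------------\n"
    " 2.3 DATE_IN_FUTURE_12_24   Date: is 12 to 24 hours after Received: date\n"
    " 0.1 HTML_40_50             BODY: Message is 40% to 50% HTML\n"
    " 0.0 HTML_MESSAGE           BODY: HTML included in message\n"
    " 0.1 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address\n"
    "                            [192.0.2.10 listed in dnsbl.sorbs.net]\n"
    " 1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net\n"
    " 2.5 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL\n"
    " 1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP\n"
    " 0.6 URIBL_SBL              Contains an URL listed in the SBL blocklist\n")


def sample_message(status_header):
    """Constructed message: one local Received: hop, the given status, report body."""
    return ("Received: from localhost (localhost [127.0.0.1])\n"
            "\tby mail.example.net (Postfix) with ESMTP id 4C0DE\n"
            + status_header +
            "Subject: [SPAM] Ultimate Online Pharmaceutical\n"
            "Content-Type: text/plain\n\n" + REPORT_BODY)


# Header after a second scan (the case in the thread) ...
DOUBLE_SCANNED = sample_message(
    "X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED,\n"
    "\tDATE_IN_FUTURE_12_24,HTML_40_50,HTML_MESSAGE,MIME_HTML_MOSTLY,\n"
    "\tURIBL_SBL autolearn=no version=3.0.2-gr1\n")
# ... and a header consistent with the body report (scanned once).
SINGLE_SCANNED = sample_message(
    "X-Spam-Status: Yes, score=9.2 required=5.0 tests=DATE_IN_FUTURE_12_24,\n"
    "\tHTML_40_50,HTML_MESSAGE,RCVD_IN_SORBS_DUL,RCVD_IN_BL_SPAMCOP_NET,\n"
    "\tRCVD_IN_XBL,RCVD_IN_NJABL_DUL,URIBL_SBL autolearn=no version=3.0.2-gr1\n")

if __name__ == "__main__":
    for label, raw in (("double", DOUBLE_SCANNED), ("single", SINGLE_SCANNED)):
        print(label, diagnose(raw))
```

Run it against a message pulled from the Spam folder: a large gap between the two scores with ALL_TRUSTED present only in the header is the signature of the second scan, and the lost rules will be exactly the RBL hits that depend on the outside relay's address.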



Re: spamcop.net tactics

2005-11-23 Thread List Mail User
>...
>On Wednesday, November 23, 2005, 3:33:47 AM, Leonard SA wrote:
>> Hello,
>
>> I have had to remove spamcop from my rbl check list. they have had some 
>> legitimate mail servers listed recently. They had the gentoo mail list 
>> listed and some other important servers which i cant see why they were 
>> added.
>
>> Regards ..
>
>> Leonard
>
>If you mean at the MTA level, yes, I don't use bl.spamcop.net in
>my MTAs.  For SpamAssassin, however it's useful as another
>somewhat reliable indicator of spamminess to increment the scores
>a bit, just like SORBLs or SPEWS, which would otherwise be
>largely unusable for outright blocking in an MTA for most
>people.
>
>SpamCop's bl gets IPs that users report.  There's some filtering
>and munging, but it's either less than one would like or more
>than one would like, depending on one's perspective.  IOW some
>SpamCop user (unwisely) reported a gentoo mailing list message as
>spam, and that's why it got onto the blacklist: user error.
>
>Jeff C.
>-- 
>Jeff Chan
>mailto:[EMAIL PROTECTED]
>http://www.surbl.org/
>

It is not an available option to everybody;  it depends on your
MTA and other parts of your environment, but if you can, '"450"'ing on
the SpamCop blacklist catches a lot of zombies, open relays, etc. before
they hit the other lists (XBL, CBL, etc.), and the policy of relatively
rapid auto-delisting makes almost certain that "real" mail isn't lost,
just delayed.  At least for Postfix, this is quite trivial (i.e. directive
"defer_if_reject"); For sendmail, it is more than one line, but not much
harder (I don't know most other MTAs well enough to be the person to say
what the "easiest" method should be, but I can already see an easy equivalent
means for Exim too).

Paul Shupak
[EMAIL PROTECTED]



Re: Blacklists and SA

2005-11-23 Thread List Mail User
>...
>Quin Parker wrote:
>> Hello
>> 
>> I was wondering if somebody could answer a question I have about SA's use of
>> external blacklists which filter e-mail addresses. 
>> 
>> As I understand it (please correct me if I'm wrong), SA can be configured to
>> look up lists such as those held on rfc-ignorant.org, match the email address
>> and award points accordingly.
>
>Generally speaking, SA doesn't do this based on email addresses. It does it
>based on server names and IPs.
>
>However, RFCI is a bit different: it uses the envelope from address. Currently
>in 3.1.0 there are only 3 RBLs which use envelope from: RFCI, AHBL, and
>securitysage.
>
>> 
>> If only a fragment of the address is listed on the blacklist, will SA still
>> add points to the e-mail? eg. '.de' is marked on rfc-ignorant.org as having
>> a duff WHOIS listing. Will SA award points for any e-mail from Germany?
>
>No, it will never query the fragment ".de" against RFCI. SA queries the whole
>domain following the @ sign. (see EvalTests.pm, sub check_rbl_envfrom)
>
>It also requires at least 1 . in the "domain" part, and at least 1
>non-whitespace character on each side of it. So SA will never query
>"localhost", but it would query "localhost.localdomain" if they appeared in
>an envelope from.
>
>So RFCI would have to return a positive hit for "domain.de" not ".de".
>
>
>
>> 
>> If, theoretically, 'gov.uk' were listed on a blacklist, would it pickup
>> addresses such as [EMAIL PROTECTED]
>
>This is only possible for blacklists that work on email addresses (ie: RFCI).
>As above, SA does a query of the whole domain, not fragments.
>
>
Having watched this thread, and being a user/contributor to the
rfci lists, there is a bit of confusion here.  Yes, SA does query the full
domain, but rfci returns all matches on the domain queried *and* all parent
domains, so a query on example.de will indeed return a 127.0.0.7 code because
the TLD ".de" is not RFC compliant.  However SA currently only checks for
whois compliance at the SLD level - i.e. a return code of 127.0.0.5;  RFCI
distinguishes TLDs which are non-conformant with a different code, which by
default SA ignores;  Personally I add at my site 0.166 points for TLDs and
the test and codes work just fine - the shipped rules do not check for this
case (but my thresholds are all higher than the default level of 5 points).

All this said, I know I have said this before, but the RFCI rules
are much more useful when also used as URI rules, not merely as DSN and RCVD
checks.  The same is true for the AHBL too.

Simply put, Matt's description is correct, except for the implementation
detail that queries to fulldom.rfc-ignorant.org do include matches on parent
domains (e.g. the example.de case above).

This can easily be demonstrated by hand:

% nslookup -type=any denic.de.fulldom.rfc-ignorant.org rfci.bl.xs4all.nl
Server: rfci.bl.xs4all.nl
Address:194.109.9.6#53

Name:   denic.de.fulldom.rfc-ignorant.org
Address: 127.0.0.7
denic.de.fulldom.rfc-ignorant.org   text = "TLD has no WHOIS server or 
incomplete data in server"

Also a change (I believe) was made in SA a while ago to "relax" the
URI rules to check mainly just URLs - the RFC for URIs specifies not just
URLs, but email addresses, Message IDs and a great many other things that
SA doesn't check (though I'd like it to).  The primary effect of this that I
see (there are many others, and it was argued on the list and the developers
have their reasons) is that dropbox emails in 419s don't get scored at all.


Paul Shupak
[EMAIL PROTECTED]

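The two points made in this thread, Matt's description of how check_rbl_envfrom picks the domain it queries and Paul's note that fulldom.rfc-ignorant.org also answers for parent domains, can be put side by side in code. The following is an added example written for this page, not code from SpamAssassin or from either poster. DNS is replaced by a constructed in-memory zone so it runs offline; the zone name and the 127.0.0.5/127.0.0.7 codes are the ones quoted in the thread, while the fake zone contents and the point values passed in (Paul's 0.166 for the TLD code, a placeholder 1.0 for the SLD code) are assumptions of the example.

```python
"""Added example (not from the thread): how an envelope-from RBL query is
built and its answer read, following Matt's description of
check_rbl_envfrom and Paul's note that fulldom.rfc-ignorant.org also
answers for parent domains.  DNS is replaced by an injected lookup
function so this runs offline; the zone name and the two return codes are
the ones quoted in the thread, everything else (the fake zone, the point
values) is constructed here."""
import re

FULLDOM_ZONE = "fulldom.rfc-ignorant.org"
# Meaning of the two answer codes discussed in the thread.
RFCI_CODES = {
    "127.0.0.5": "domain (SLD) has missing or bogus WHOIS data",
    "127.0.0.7": "TLD has no WHOIS server or incomplete data in server",
}


def envfrom_domain(envfrom):
    """Domain SA would query: everything after '@', but only if it
    contains a dot with a non-whitespace character on each side."""
    if not envfrom:
        return None
    addr = envfrom.strip().strip("<>")
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1]
    if not re.search(r"\S\.\S", domain):
        return None          # "localhost", ".de" and the like are never queried
    return domain.lower()


def rfci_lookup(domain, lookup):
    """Query <domain>.fulldom.rfc-ignorant.org through `lookup` and decode
    the A records.  `lookup(name)` returns a list of address strings
    (empty when the name does not exist)."""
    name = f"{domain}.{FULLDOM_ZONE}"
    answers = lookup(name)
    return {
        "query": name,
        "sld_listed": "127.0.0.5" in answers,   # the domain itself
        "tld_listed": "127.0.0.7" in answers,   # inherited from the parent TLD
        "reasons": [RFCI_CODES.get(a, f"unrecognised code {a}") for a in answers],
    }


def score_envfrom(envfrom, lookup, sld_points, tld_points):
    """Points to add for an envelope sender.  The shipped SA rule only acts
    on the SLD code; pass tld_points=0.0 for that behaviour, or a small
    value such as the 0.166 Paul uses at his site."""
    domain = envfrom_domain(envfrom)
    if domain is None:
        return 0.0
    hit = rfci_lookup(domain, lookup)
    return ((sld_points if hit["sld_listed"] else 0.0)
            + (tld_points if hit["tld_listed"] else 0.0))


# Constructed stand-in for the DNS zone.  As in the thread, any .de domain
# gets 127.0.0.7 because the TLD itself is listed; a domain with bad WHOIS
# data additionally gets 127.0.0.5.
FAKE_ZONE = {
    "example.de.fulldom.rfc-ignorant.org": ["127.0.0.7"],
    "badwhois.example.de.fulldom.rfc-ignorant.org": ["127.0.0.5", "127.0.0.7"],
    "badwhois.example.com.fulldom.rfc-ignorant.org": ["127.0.0.5"],
}


def fake_lookup(name):
    """Offline replacement for a DNS A-record query against FAKE_ZONE."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for sender in ("<user@example.de>", "user@badwhois.example.com", "user@localhost"):
        print(sender, "->", score_envfrom(sender, fake_lookup, 1.0, 0.166))
```

With tld_points left at 0.0 the example reproduces the shipped behaviour Paul describes (a plain .de sender scores nothing even though the zone answers 127.0.0.7); with 0.166 it reproduces his local tweak.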

Fwd: Inconsistent Spam scores?

2005-11-23 Thread Chad
Missed including the list on the return ;)

-- Forwarded message --
From: Chad <[EMAIL PROTECTED]>
Date: Nov 23, 2005 7:31 PM
Subject: Re: Inconsistent Spam scores?
To: jdow <[EMAIL PROTECTED]>


On 11/23/05, jdow <[EMAIL PROTECTED]> wrote:
> You need to setup your trusted_networks and internal_networks values
> to get rid of ALL_TRUSTED. These values are usually stored in the
> /etc/mail/spamassassin/local.cf file. Read the wiki regarding the
> trusted_networks setup.
>
> Trusted_networks is merely a short list of mailers from when you
> directly receive email that you can trust not to forge addresses.
> That is the only trust involved. I use fetchmail and with the
> headers it places in mail my trusted_networks value can be a simple
> "127/8". Then I set "internal_networks 192.168/16" as rather large
> overkill for the real setup here.
>
> If you receive directly then your smtp server's IP address that it
> places in the email Received headers would be appropriate for the
> trusted_networks. And if you have a whole Internet block of addresses
> they should probably be in your internal_networks values.
>
> Of course, this is a topic we've been talking about for the last
> couple days already. So you probably didn't think of the right search
> term. {^_-}
>
> {^_^}


I'll check that out, thank you.  And as I just blindly started reading
other threads I did come across a similar instance from yesterday, so
yeah, my search terms were simply not cutting it apparently ;)

Thanks!

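As an added example illustrating jdow's trusted_networks advice quoted above (not code from the thread or from SpamAssassin, and a deliberate simplification of SA's real Received: parsing): each Received: header is reduced to the relay address in square brackets, and ALL_TRUSTED is taken to fire when every relay sits inside trusted_networks. The short network syntax handled ("127/8", "192.168/16", plain addresses) is the one jdow quotes; the Received: headers and networks below are constructed.

```python
"""Added example (not from the thread): a simplified model of the
ALL_TRUSTED test behind jdow's trusted_networks advice.  Each Received:
header is reduced to the relay IP in square brackets, and ALL_TRUSTED fires
when every relay falls inside trusted_networks.  The network syntax handled
here is the short form jdow quotes ("127/8", "192.168/16") plus plain
addresses; the Received: headers and networks below are constructed, and
SA's real parser is considerably more thorough than this."""
import ipaddress
import re

# Relay address as MTAs write it: "from host (host [192.0.2.1])".  IPv4 only here.
RELAY_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_networks(spec):
    """Turn '127/8 192.168/16 10.0.0.5' into ip_network objects.  A missing
    prefix covers exactly the octets given, so "192.168" means /16."""
    nets = []
    for token in spec.split():
        addr, _, prefix = token.partition("/")
        octets = [o for o in addr.split(".") if o]
        if not prefix:
            prefix = str(8 * len(octets))
        octets += ["0"] * (4 - len(octets))
        nets.append(ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False))
    return nets


def relay_ips(received_headers):
    """First bracketed IPv4 address from each Received: header, top down."""
    ips = []
    for header in received_headers:
        m = RELAY_IP_RE.search(header)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def untrusted_relays(received_headers, trusted_spec):
    """Relays outside trusted_networks.  An empty list means ALL_TRUSTED fires."""
    nets = parse_networks(trusted_spec)
    return [ip for ip in relay_ips(received_headers)
            if not any(ip in net for net in nets)]


def all_trusted(received_headers, trusted_spec):
    """True when there is at least one relay and none of them is untrusted."""
    ips = relay_ips(received_headers)
    return bool(ips) and not untrusted_relays(received_headers, trusted_spec)


# Constructed chains.  DIRECT is what the first scan sees: the local MTA
# hop and, below it, the outside host that delivered the message.
DIRECT = [
    "Received: from mail.example.net (localhost [127.0.0.1])"
    " by mail.example.net (Postfix) with ESMTP id 4C0DE",
    "Received: from dsl-pool.example.org (dsl-pool.example.org [203.0.113.45])"
    " by mail.example.net (Postfix) with SMTP id 4C0DD",
]
# ENCAPSULATED is what a second scan sees after report_safe has wrapped the
# original message: only the locally generated hop is still visible.
ENCAPSULATED = [DIRECT[0]]

TRUSTED = "127/8 192.168/16"   # jdow's style of short-form network list

if __name__ == "__main__":
    print("direct delivery: ALL_TRUSTED =", all_trusted(DIRECT, TRUSTED),
          "untrusted relays =", [str(ip) for ip in untrusted_relays(DIRECT, TRUSTED)])
    print("after encapsulation: ALL_TRUSTED =", all_trusted(ENCAPSULATED, TRUSTED))
```

The second chain is the one Matt points at earlier in the thread: once the outside relay has been hidden inside the encapsulated message, nothing untrusted is left to judge, and the RBL tests that keyed off 203.0.113.45 have nothing to look up.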

Re: Inconsistent Spam scores?

2005-11-23 Thread jdow

You need to setup your trusted_networks and internal_networks values
to get rid of ALL_TRUSTED. These values are usually stored in the
/etc/mail/spamassassin/local.cf file. Read the wiki regarding the
trusted_networks setup.

Trusted_networks is merely a short list of mailers from when you
directly receive email that you can trust not to forge addresses.
That is the only trust involved. I use fetchmail and with the
headers it places in mail my trusted_networks value can be a simple
"127/8". Then I set "internal_networks 192.168/16" as rather large
overkill for the real setup here.

If you receive directly then your smtp server's IP address that it
places in the email Received headers would be appropriate for the
trusted_networks. And if you have a whole Internet block of addresses
they should probably be in your internal_networks values.

Of course, this is a topic we've been talking about for the last
couple days already. So you probably didn't think of the right search
term. {^_-}

{^_^}
- Original Message - 
From: "Chad" <[EMAIL PROTECTED]>



Hello!

I've been googling and searching this list for a little over 2 hours
now and have yet to find this problem, or a fix for it.  If there is
something obvious I'm missing, feel free to point me in that
direction, but here goes:

I receive Spam from "Doctor" with the subject "Ultimate Online Pharmaceutical"

Its subject gets marked up correctly with my [SPAM] subject_rewrite,
and I have report_safe set to 1, so the message shows the score as:
Content analysis details:   (9.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.3 DATE_IN_FUTURE_12_24   Date: is 12 to 24 hours after Received: date
 0.1 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [217.217.190.99 listed in dnsbl.sorbs.net]
 1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 2.5 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [217.217.190.99 listed in sbl-xbl.spamhaus.org]
 1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [217.217.190.99 listed in combined.njabl.org]
 0.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: asciatini.com]

As noted, it's a score of 9.2 points total.

But, when I check the header, it shows:

X-Spam-Level:
X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED,
DATE_IN_FUTURE_12_24,HTML_40_50,HTML_MESSAGE,MIME_HTML_MOSTLY,
URIBL_SBL autolearn=no version=3.0.2-gr1

Which makes procmail NOT do its job of sorting this into the correct
Spam folder.

The closest thing I've seen is that a server is underpowered (which I
don't think is my problem) and a work-around for that is to call
Spamassassin twice, which I tried but it didn't work.

So, I really don't know what else to tell you guys, but will include
contents of files and version below for additional help.  Thanks for
any info!

~/.procmailrc:
## Set to yes when debugging
VERBOSE=no

## I'm assuming that you are using pine, which means that your mail is
## stored in "~/mail".  If not, figure out where your mail is stored
## (for example, "~/Mail" or "~/.mail" or "~/.Mail"), and set MAILDIR
## to that directory.
MAILDIR=$HOME/Maildir

## Directory for storing procmail-related files
PMDIR=$HOME/.procmail

## Put '#' before LOGFILE if you want no logging (not recommended)
LOGFILE=$PMDIR/log

## filter spam
INCLUDERC=$PMDIR/spam.rc


~/.procmail/spam.rc:
:0fw: spamassassin.lock
| /usr/bin/spamc

# The following three lines move messages tagged as spam to a folder
# called "spam-folder" If you want mail to stay in your inbox, just
# delete the lines

# Try a second time if SpamC failed

:0fw: spamassassin.lock2
* ! ^X-Spam-Level:.*
| spamc

# Filter Spam with a level of 15 or higher to Trash:
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
.Trash/

# And finally, filter as noted above:

:0:
* ^X-Spam-Status: Yes
.Spam/

/etc/spam/local.cf:
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###
#
# Set this to 0 to disable altering the subject line
# rewrite_subject 1
# The above is commented out, and the below was changed from subject_tag to
# rewrite_header Subject in versions above 3.0
# Set this with whatever string wanted to alter subject line with (see above)
rewrite_header Subject [SPAM]
# This setting is to display the email address to contact for assistance
report_contact [EMAIL PROTECTED]
# This setting is to set the des

Re: Do I need these rules?

2005-11-23 Thread jdow

Adding memory is generally the cheapest and simplest way to handle machine
overload in most cases. One should also carefully trim the maximum number
of children so that SA comfortably fits entirely in RAM without hitting
the swap file. When SA hits the swap file it very suddenly becomes very
very slow. Off hand I'd suspect the sa_blacklist file would be quite
redundant with and stale relative to the various BL tests.

{^_^}
- Original Message - 
From: <[EMAIL PROTECTED]>




Yes server was getting overloaded. So I went through all my old rules and
deleted them. Went from 36 rules down to 15 rules. Apparently there were a
couple that were obsolete. Also I noticed I had a sa-blacklist.cf file
with thousands of email addresses I got from some site awhile back. It was
a huge file. I also noticed the same file was being used for qmail,
badmailfrom file. So when I removed the sa-blacklist.cf file all of a
sudden I had a ton of memory available and the memory spamd used was a
fraction of what it was using originally. Again don't know if it was the
sa-blacklist.cf file. I know it wasn't the other cf files I removed because
after I removed those the spamd processes were still using a lot of
resources.

As you can tell I'm not the most knowledgeable when it comes to running SA
so that's why I was asking about these other rules I found.

Thanks
Robert


From: <[EMAIL PROTECTED]>


I've been trying to "optimize" SA on my system and decided to look at the
rules I have that SA uses. I'm using qmail with SA 3.1 on Fedora Core 2. I
started SA in debug mode and noticed a bunch of rules running in another
folder on top of what I have in my up to date rules folder. The rules in
this other folder are in /usr/share/spamassassin. Should I delete all of
these rules or do they need to be there?

10_misc.cf
20_drugs.cf
20_phrases.cf
25_body_tests_es.cf
30_text_fr.cf
20_anti_ratware.cf
20_fake_helo_tests.cf
20_porn.cf
25_hashcash.cf
30_text_nl.cf
20_body_tests.cf
20_head_tests.cf
20_ratware.cf
25_spf.cf
30_text_pl.cf
20_compensate.cf
20_html_tests.cf
20_uri_tests.cf
25_uribl.cf
50_scores.cf
20_dnsbl_tests.cf
20_meta_tests.cf
23_bayes.cf
30_text_de.cf
60_whitelist.cf

Sorry if it's a lot.


It's not very much compared to what I run.

Only you can define your "should". You know your conditions far better
than any of us. Is your machine overloaded? If not then why "optimize"
when it means it's very likely more spam will leak through? In my case
optimize meant going to over 45 rule sets along with extensive
user_prefs files. The machine spends about 141 seconds per hour filtering
email. This 4% load does not materially affect its performance with
anything else it does. So YMMV takes on a very strong meaning in this
context.

{^_^}





Robert Bartlett
Digital Phoenix iTechnologies




Inconsistent Spam scores?

2005-11-23 Thread Chad
Hello!

I've been googling and searching this list for a little over 2 hours
now and have yet to find this problem, or a fix for it.  If there is
something obvious I'm missing, feel free to point me in that
direction, but here goes:

I receive Spam from "Doctor" with the subject "Ultimate Online Pharmaceutical"

Its subject gets marked up correctly with my [SPAM] subject_rewrite,
and I have report_safe set to 1, so the message shows the score as:
Content analysis details:   (9.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.3 DATE_IN_FUTURE_12_24   Date: is 12 to 24 hours after Received: date
 0.1 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [217.217.190.99 listed in dnsbl.sorbs.net]
 1.8 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 2.5 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [217.217.190.99 listed in sbl-xbl.spamhaus.org]
 1.7 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [217.217.190.99 listed in combined.njabl.org]
 0.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: asciatini.com]

As noted, it's a score of 9.2 points total.

But, when I check the header, it shows:

X-Spam-Level:
X-Spam-Status: No, score=0.5 required=5.0 tests=ALL_TRUSTED,
 DATE_IN_FUTURE_12_24,HTML_40_50,HTML_MESSAGE,MIME_HTML_MOSTLY,
 URIBL_SBL autolearn=no version=3.0.2-gr1

Which makes procmail NOT do its job of sorting this into the correct
Spam folder.

The closest thing I've seen is that a server is underpowered (which I
don't think is my problem) and a work-around for that is to call
Spamassassin twice, which I tried but it didn't work.

So, I really don't know what else to tell you guys, but will include
contents of files and version below for additional help.  Thanks for
any info!

~/.procmailrc:
## Set to yes when debugging
VERBOSE=no

## I'm assuming that you are using pine, which means that your mail is
## stored in "~/mail".  If not, figure out where your mail is stored
## (for example, "~/Mail" or "~/.mail" or "~/.Mail"), and set MAILDIR
## to that directory.
MAILDIR=$HOME/Maildir

## Directory for storing procmail-related files
PMDIR=$HOME/.procmail

## Put '#' before LOGFILE if you want no logging (not recommended)
LOGFILE=$PMDIR/log

## filter spam
INCLUDERC=$PMDIR/spam.rc


~/.procmail/spam.rc:
:0fw: spamassassin.lock
| /usr/bin/spamc

# The following three lines move messages tagged as spam to a folder
# called "spam-folder" If you want mail to stay in your inbox, just
# delete the lines

# Try a second time if SpamC failed

:0fw: spamassassin.lock2
* ! ^X-Spam-Level:.*
| spamc

# Filter Spam with a level of 15 or higher to Trash:
:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
.Trash/

# And finally, filter as noted above:

:0:
* ^X-Spam-Status: Yes
.Spam/

/etc/spam/local.cf:
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###
#
# Set this to 0 to disable altering the subject line
# rewrite_subject 1
# The above is commented out, and the below was changed from subject_tag to
# rewrite_header Subject in versions above 3.0
# Set this with whatever string wanted to alter subject line with (see above)
rewrite_header Subject [SPAM]
# This setting is to display the email address to contact for assistance
report_contact [EMAIL PROTECTED]
# This setting is to set the desired language allowed
ok_languages en
# report_safe 1
trusted_networks 192.168.1.1

sa version:
spamassassin --version
SpamAssassin version 3.0.2
  running on Perl version 5.8.6

And procmail version:
procmail v3.22

Thanks!

Chad


Re: [Razor-users] false positives with centos-announce list

2005-11-23 Thread Kelson

Kevin W. Gagel wrote:

Checking the razor2 itself indicated that the message(s)
were in-fact seen and reported as spam. Checking again
later, again with razor-client (not SA) the messages were
never seen at all.

Regardless of the conflicting data that I'm presenting...
The whole problem vanished AFTER I cleared the SA Bayes DB.


Are you sure it wasn't just a coincidence, and someone revoked the 
messages during that time?


Razor doesn't use SpamAssassin's Bayes database.  Razor doesn't *know* 
about SpamAssassin's Bayes database.  Barring filesystem problems (say, 
there's no room left on the partition and razor can't write to its log, 
or something), there's no reason that database should impact Razor at all.


(Pushing this back onto the Razor users' list.)

--
Kelson Vibber
SpeedGate Communications 


Re: Suddenly missing file?

2005-11-23 Thread James Lay
Newp, I installed it when I installed 3.1.0.  Really WEIRD.

On Wed, 23 Nov 2005 13:01:33 -0500
Matt Kettler <[EMAIL PROTECTED]> wrote:

> James Lay wrote:
> > So today I get:
> > 
> > spamd[13532]: Can't locate LMAP/CID2SPF.pm in @INC (@INC
> > contains: ../lib /usr/lib/perl5/site_perl/5.8.6/i486-linux 
> > /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/5.8.6/i486-linux 
> > /usr/lib/perl5/5.8.6 /usr/lib/perl5/site_perl)
> > at /usr/lib/perl5/site_perl/5.8.6/Mail/SPF/Query.pm line 1749,
> >  line 1061.
> > 
> > And so far I can't seem to even find this thing.  Anyone have a clue
> > what happened?
> > 
> Did you "suddenly" change versions of Mail::SPF?
> 
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4541


Re: Do I need these rules?

2005-11-23 Thread robert
Yes server was getting overloaded. So I went through all my old rules and
deleted them. Went from 36 rules down to 15 rules. Apparently there were a
couple that were obsolete. Also I noticed I had a sa-blacklist.cf file
with thousands of email addresses I got from some site awhile back. It was
a huge file. I also noticed the same file was being used for qmail,
badmailfrom file. So when I removed the sa-blacklist.cf file all of a
sudden I had a ton of memory available and the memory spamd used was a
fraction of what it was using originally. Again don't know if it was the
sa-blacklist.cf file. I know it wasn't the other cf files I removed because
after I removed those the spamd processes were still using a lot of
resources.

As you can tell I'm not the most knowledgeable when it comes to running SA
so that's why I was asking about these other rules I found.

Thanks
Robert

> From: <[EMAIL PROTECTED]>
>
>> I've been trying to "optimize" SA on my system and decided to look at the
>> rules I have that SA uses. I'm using qmail with SA 3.1 on Fedora Core 2. I
>> started SA in debug mode and noticed a bunch of rules running in another
>> folder on top of what I have in my up to date rules folder. The rules in
>> this other folder are in /usr/share/spamassassin. Should I delete all of
>> these rules or do they need to be there?
>>
>> 10_misc.cf
>> 20_drugs.cf
>> 20_phrases.cf
>> 25_body_tests_es.cf
>> 30_text_fr.cf
>> 20_anti_ratware.cf
>> 20_fake_helo_tests.cf
>> 20_porn.cf
>> 25_hashcash.cf
>> 30_text_nl.cf
>> 20_body_tests.cf
>> 20_head_tests.cf
>> 20_ratware.cf
>> 25_spf.cf
>> 30_text_pl.cf
>> 20_compensate.cf
>> 20_html_tests.cf
>> 20_uri_tests.cf
>> 25_uribl.cf
>> 50_scores.cf
>> 20_dnsbl_tests.cf
>> 20_meta_tests.cf
>> 23_bayes.cf
>> 30_text_de.cf
>> 60_whitelist.cf
>>
>> Sorry if it's a lot.
>
> It's not very much compared to what I run.
>
> Only you can define your "should". You know your conditions far better
> than any of us. Is your machine overloaded? If not then why "optimize"
> when it means it's very likely more spam will leak through? In my case
> optimize meant going to over 45 rule sets along with extensive
> user_prefs files. The machine spends about 141 seconds per hour filtering
> email. This 4% load does not materially affect its performance with
> anything else it does. So YMMV takes on a very strong meaning in this
> context.
>
> {^_^}
>
>


Robert Bartlett
Digital Phoenix iTechnologies


Re: [Razor-users] false positives with centos-announce list

2005-11-23 Thread Kevin W. Gagel
>Kevin W. Gagel wrote:
>> No, it doesn't as Vipul pointed out. But if you're using it
>> via SpamAssassin like I am then look to your Bayes
>> database. Ultimately that was where my problem was. I
>> kept getting accounts from Telus.net that were scoring
>> high on the razor2 tests because - according to SA's
>> bayes db - razor2 had seen the message and it was
>> identified as spam. Clearing out the DB fixed the
>problem.
>
>Huh?  SA's Bayes DB has nothing to do with how SA calls
>Razor.  it's a  completely separate test.  Neither the
>score Razor assigns a message nor  the score SpamAssassin
>assigns to the Razor hit is going to be affected  by the
>contents of SpamAssassin's Bayes database.
>
>Now, both the Razor score and the Bayes score will affect
>the *final*  SpamAssassin score -- possibly enough to push
>it over the threshold --  but that's another issue
>entirely.

Be that as it may... I can only offer the anecdotal evidence
I saw. The SA tests that were tripped were Razor2 not an
accumulation of others. SA tagged the messages that I saw
with the Razor2 stats.

Checking the razor2 itself indicated that the message(s)
were in-fact seen and reported as spam. Checking again
later, again with razor-client (not SA) the messages were
never seen at all.

Regardless of the conflicting data that I'm presenting...
The whole problem vanished AFTER I cleared the SA Bayes DB.

Rightly or wrongly. Should it happen again I'll try and work
with Vipul more on it. But my users will only put up with so
much before they scream bloody murder and I have to get it
fixed.

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel

---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---


Re: Do I need these rules?

2005-11-23 Thread jdow

From: "Bowie Bailey" <[EMAIL PROTECTED]>


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]


I've been trying to "optimize" SA on my system and decided to look at
the rules I have that SA uses. I'm using qmail with SA 3.1 on Fedora
Core 2. I started SA in debug mode and noticed a bunch of rules
running in another folder on top of what I have in my up to date
rules folder.  The rules in this other folder are in
/usr/share/spamassassin. Should I delete all of these rules or do
they need to be there?

10_misc.cf
20_drugs.cf
20_phrases.cf
25_body_tests_es.cf
30_text_fr.cf
20_anti_ratware.cf
20_fake_helo_tests.cf
20_porn.cf
25_hashcash.cf
30_text_nl.cf
20_body_tests.cf
20_head_tests.cf
20_ratware.cf
25_spf.cf
30_text_pl.cf
20_compensate.cf
20_html_tests.cf
20_uri_tests.cf
25_uribl.cf
50_scores.cf
20_dnsbl_tests.cf
20_meta_tests.cf
23_bayes.cf
30_text_de.cf
60_whitelist.cf


These are the built-in SA rules.  Your spam detection rate will drop
through the floor if you delete them! :)


But it WOULD optimize SA no end. {^_-}

Running a daemonized SA, say spamd, is a worthwhile optimization. And
with no rules to scan SA might not even find anything to do and be VERY
quick. At least it'd be running on its internal defaults which are
pretty basic. And it'd give everything it did tag a score of 1. It might
be amusing to see how bad you can make SA performance if you have that
kind of a turn of mind. (If you do you must be a person who compares
'IX and Windows professionally and always tries to justify picking
Windows.)

{^_-}



RE: [Razor-users] false positives with centos-announce list

2005-11-23 Thread Kevin W. Gagel
>On Wed, 23 Nov 2005, Kevin W. Gagel announced
>> authoritatively: Ultimately that was where my problem
>was. I kept getting accounts from
>
>> Telus.net that were scoring high on the razor2 tests
>> because -  according to SA's bayes db - razor2 had seen
>the message
>
>This makes no sense, I'm afraid :( SA's Bayes database does
>not identify whether Razor has seen a message!
>
>I think you might mean that SA stated that Razor had seen
>the message and that it was spam according to SA's Bayes
>database, and the scores of the two together pushed the
>message over the spam threshold.
>
>Is that it?
>
>If that is the case, please send me razor-check -H output
>and I will investigate.
>
>Cheers,
>vipul 

Vipul,

It's already fixed and... you and I tried getting to the
bottom of it but could not because every time it happened
razor had no info in it regarding the messages. As I
mentioned previously, emptying the SA Bayes DB cleared up the
problem.

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel

---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---


Re: Do I need these rules?

2005-11-23 Thread jdow

From: <[EMAIL PROTECTED]>


I've been trying to "optimize" SA on my system and decided to look at the
rules I have that SA uses. I'm using qmail with SA 3.1 on Fedora Core 2. I
started SA in debug mode and noticed a bunch of rules running in another
folder on top of what I have in my up to date rules folder. The rules in
this other folder are in /usr/share/spamassassin. Should I delete all of
these rules or do they need to be there?

10_misc.cf
20_drugs.cf
20_phrases.cf
25_body_tests_es.cf
30_text_fr.cf
20_anti_ratware.cf
20_fake_helo_tests.cf
20_porn.cf
25_hashcash.cf
30_text_nl.cf
20_body_tests.cf
20_head_tests.cf
20_ratware.cf
25_spf.cf
30_text_pl.cf
20_compensate.cf
20_html_tests.cf
20_uri_tests.cf
25_uribl.cf
50_scores.cf
20_dnsbl_tests.cf
20_meta_tests.cf
23_bayes.cf
30_text_de.cf
60_whitelist.cf

Sorry if its a lot.


It's not very much compared to what I run.

Only you can define your "should". You know your conditions far better
than any of us. Is your machine overloaded? If not then why "optimize"
when it means it's very likely more spam will leak through? In my case
optimize meant going to over 45 rule sets along with extensive
user_prefs files. The machine spends about 141 seconds per hour filtering
email. This 4% load does not materially affect its performance with
anything else it does. So YMMV takes on a very strong meaning in this
context.

{^_^}



Re: OT: senderbase

2005-11-23 Thread DAve

Matt Kettler wrote:
> DAve wrote:
>> Good afternoon,
>>
>> I take a look each week at senderbase to check and see what others think
>> my network is sending out in terms of mail volume. I generally find it
>> helpful.
>>
>> http://senderbase.org
>>
>> Anyone else using that report? I ask because I have two IPs showing up
>> there as having excessively high mail volumes, yet the IPs they list
>> have port 25 blocked at the client router.
>
> Are you sure? And bear in mind, you need to be considering outbound access, not
> inbound.

Yes, we blocked them at their Cisco because they had been compromised 
(Motel with free internet access). Blocked in and out and forced the use 
of webmail and smtp-auth.

DAve

> ie:
> : to :25
>
> not:
>
> : to :25
>
> You might try logging into a box with one of those IPs and trying to telnet to
> an outside mailserver. (you can use xanadu.evi-inc.com for this if you wish, but
> do be nice and merely issue a quit command if you connect.)
>
> telnet xanadu.evi-inc.com 25
> 220 xanadu.evi-inc.com ESMTP Unsolicited Commercial Email prohibited
> quit
> 221 2.0.0 xanadu.evi-inc.com closing connection
> Connection closed by foreign host.
>
>> I have sent two emails to [EMAIL PROTECTED] and received no replies
>> so far. Am I spinning my wheels here?

Re: [Razor-users] false positives with centos-announce list

2005-11-23 Thread Kevin W. Gagel
>On Wed, 23 Nov 2005, Kevin W. Gagel announced
>> authoritatively: Ultimately that was where my problem
>> was. I kept getting accounts from Telus.net that were
>> scoring high on the razor2 tests because - according to
>> SA's bayes db - razor2 had seen the message
>
>This makes no sense, I'm afraid :( SA's Bayes database does
>not identify whether Razor has seen a message!
>
>I think you might mean that SA stated that Razor had seen
>the message and that it was spam according to SA's Bayes
>database, and the scores of the two together pushed the
>message over the spam threshold.
>
>Is that it?

That would be a more accurate way of putting it. Thanks for
clarifying me.

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel

---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---


Re: f-secure messaging security gateway x-series??

2005-11-23 Thread jdow

From: "Mathias Homann" <[EMAIL PROTECTED]>

> "the ProofPoint Spam Detection (TM) module uses the ProofPoint MLX(TM) 
> technology for automated learning (pat.pend.)" which in itself doesn't tell 

  ^--- Somebody ought to check
that statement out. Automated learning is something SA has been doing for
quite a few years now so any prospective patent on it in an anti-spam
environment should be void. But it might be a good idea to make sure the
patent examiners are aware of this.

{^_^}





Re: OT: senderbase

2005-11-23 Thread Matt Kettler
DAve wrote:
> Good afternoon,
> 
> I take a look each week at senderbase to check and see what others think
> my network is sending out in terms of mail volume. I generally find it
> helpful.
> 
> http://senderbase.org
> 
> Anyone else using that report? I ask because I have two IPs showing up
> there as having excessively high mail volumes, yet the IPs they list
> have port 25 blocked at the client router.

Are you sure? And bear in mind, you need to be considering outbound access, not
inbound.

ie:
: to :25

not:

: to :25

You might try logging into a box with one of those IPs and trying to telnet to
an outside mailserver. (you can use xanadu.evi-inc.com for this if you wish, but
do be nice and merely issue a quit command if you connect.)

telnet xanadu.evi-inc.com 25
220 xanadu.evi-inc.com ESMTP Unsolicited Commercial Email prohibited
quit
221 2.0.0 xanadu.evi-inc.com closing connection
Connection closed by foreign host.

> 
> I have sent two emails to [EMAIL PROTECTED] and received no replies
> so far. Am I spinning my wheels here?
> 




OT: senderbase

2005-11-23 Thread DAve

Good afternoon,

I take a look each week at senderbase to check and see what others think 
my network is sending out in terms of mail volume. I generally find it 
helpful.


http://senderbase.org

Anyone else using that report? I ask because I have two IPs showing up 
there as having excessively high mail volumes, yet the IPs they list 
have port 25 blocked at the client router.


I have sent two emails to [EMAIL PROTECTED] and received no replies 
so far. Am I spinning my wheels here?


DAve


Anti-virus strategy

2005-11-23 Thread Kenneth Porter
--On Wednesday, November 23, 2005 10:07 AM -0500 Bowie Bailey 
<[EMAIL PROTECTED]> wrote:

> It's always good to have multiple layers.  We have ClamAV on the mail
> server and Symantec Corporate Edition on the desktops.  I haven't had
> any problems with Clam.  We had a few Sober.U get through before the
> definitions updated, but that's expected with a new virus on any AV
> program (unfortunately).

Agreed. I use ClamAV on the mail server (under MIMEDefang) and Trend Micro 
Small Business on my Win2003 and WinXP clients. (No Exchange here.)

> I have Clam installed with all the default options and I run freshclam
> a few times a day to keep it updated.  It just works.


If you use the Clam DNS feature to check for new data files, you can set 
freshclam to check every 15 minutes (when the DNS record expires). This is 
a very light load (a single UDP packet in each direction to the Clam DB 
server), esp. if you forward that domain to your ISP so that the ISP caches 
it for other users. This lets you update your DB file very rapidly when a 
new threat is identified. If you look at the white papers and testimonials 
on Clam's site, you can see that they often have an update before 
commercial vendors, and have responded as fast as 20 minutes from the first 
report. That reduces your exposure window to the maximum of the time it 
takes the DNS record to expire plus the response time of the data file 
generator.


RE: Filter not working

2005-11-23 Thread Matthew.van.Eerde
[EMAIL PROTECTED] wrote:
>Matthew van Eerde wrote:
>> [EMAIL PROTECTED] wrote:
>>> Here is the header of an email that was marked as spam and was moved
>>> to the proper folder. (File attached)
>> 
>> I notice the one that worked was not multipart, and the one that
>> didn't work was multipart.  Is this true in general?
>> 
> If you're asking if this is the pattern, I never noticed it so I don't
> know. At this point I would assume this is true in general.

Well, SpamAssassin is clearly tagging the message correctly.  If the maildrop 
script isn't sorting correctly then it's a maildrop problem.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


RE: Filter not working

2005-11-23 Thread robert
If you're asking if this is the pattern, I never noticed it so I don't know.
At this point I would assume this is true in general.

Thanks
Robert
> [EMAIL PROTECTED] wrote:
>> Here is the header of an email that was marked as spam and was moved
>> to the proper folder. (File attached)
>
> I notice the one that worked was not multipart, and the one that didn't
> work was multipart.  Is this true in general?
>
> --
> Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
> Hispanic Business Inc./HireDiversity.com   Software Engineer
>


Robert Bartlett
Digital Phoenix iTechnologies


RE: Filter not working

2005-11-23 Thread Matthew.van.Eerde
[EMAIL PROTECTED] wrote:
> Here is the header of an email that was marked as spam and was moved
> to the proper folder. (File attached)

I notice the one that worked was not multipart, and the one that didn't work 
was multipart.  Is this true in general?

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: Checking outgoing email?

2005-11-23 Thread Jason Haar
[EMAIL PROTECTED] wrote:
> I believe Im using qmail-scanner.
>
>   
That's weird. By default Qmail-Scanner only calls SA on *incoming* mail
- never outgoing! This is defined by whether or not Qmail has decided
the SMTP client is a relayable address or not.

You must have reconfigured Qmail-Scanner to allow SA to be called on
outgoing mail as well... Anyway, read the Qmail-Scanner documentation on
http://qmail-scanner.sf.net/ for details

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



RE: Filter not working

2005-11-23 Thread robert
Here is the header of an email that was marked as spam and was moved to
the proper folder. (File attached)

Thanks
Robert
> [EMAIL PROTECTED] wrote:
>>> [EMAIL PROTECTED] wrote:
>>>> if (/^X-Spam-Status: *Yes/)
>>
>> Attached is the header from one of the emails with the issue
>
> Header contains:
> X-Spam-Status: Yes, hits=7.0 required=3.0
>
> Well, that line matches the regex.
>
> Can you post a header from an email that does not have the issue?  Maybe
> it has to do with the order of the headers... maybe the line is not always
> tested.
>
> --
> Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
> Hispanic Business Inc./HireDiversity.com   Software Engineer
>


Robert Bartlett
Digital Phoenix iTechnologies

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 23775 invoked by uid 507); 23 Nov 2005 18:57:16 -
Received: from 63.236.7.231 by milkyway.digitalphx.com (envelope-from <[EMAIL PROTECTED]>, uid 92) with qmail-scanner-1.23st 
 (clamscan: 0.80. spamassassin: 3.0.1. perlscan: 1.23st. 
 Clear:RC:0(63.236.7.231):SA:1(5.7/3.0):. 
 Processed in 7.934202 secs); 23 Nov 2005 18:57:16 -
X-Spam-Status: Yes, hits=5.7 required=3.0
X-Spam-Level: +
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via milkyway.digitalphx.com
X-Qmail-Scanner: 1.23st (Clear:RC:0(63.236.7.231):SA:1(5.7/3.0):. Processed in 
7.934202 secs Process 23749)
Received: from mail.pcintranet.com (HELO pcintranet.com) (63.236.7.231)
 by mail.digitalphx.com with SMTP; 23 Nov 2005 18:57:08 -
Received: from SMTP32-FWD by dcranchnet.com
 (SMTP32) id ABB5404D100825780; Wed, 23 Nov 2005 10:56:20 -0800
Received: from bonusdealz4u.com [63.80.24.165] by pcintranet.com
 (SMTPD32-8.13) id AB544D10082; Wed, 23 Nov 2005 10:56:20 -0800
Message-Id: <[EMAIL PROTECTED]>
From: "Portable Computer" <[EMAIL PROTECTED]>
To: "Subscribers02" <[EMAIL PROTECTED]>
Subject: *SPAM* Want a laptop? Get an Apple iBook for free!
Date: Wed, 23 Nov 2005 10:56:22 -0800
MIME-Version: 1.0
Content-Type: text/html; 
 charset="iso-8859-1" 
Content-Transfer-Encoding: 7bit 

Re: Blacklists and SA

2005-11-23 Thread Matt Kettler
Quin Parker wrote:
> Hello
> 
> I was wondering if somebody could answer a question I have about SA's use of
> external blacklists which filter e-mail addresses. 
> 
> As I understand it (please correct me if I'm wrong), SA can be configured to
> look up lists such as those held on rfc-ignorant.org, match the email address
> and award points accordingly.

Generally speaking, SA doesn't do this based on email addresses. It does it
based on server names and IPs.

However, RFCI is a bit different: it uses the envelope-from address. Currently
in 3.1.0 there are only 3 RBLs which use envelope from: RFCI, AHBL, and
securitysage.

> 
> If only a fragment of the address is listed on the blacklist, will SA still 
> add
> points to the e-mail? eg. '.de' is marked on rfc-ignorant.org as having a duff
> WHOIS listing. Will SA award points for any e-mail from Germany?

No, it will never query the fragment ".de" against RFCI. SA queries the whole
domain following the @ sign. (see EvalTests.pm, sub check_rbl_envfrom)

It also requires at least 1 . in the "domain" part, and at least 1
non-whitespace character on each side of it. So SA will never query "localhost",
but it would query "localhost.localdomain" if they appeared in an envelope from.

So RFCI would have to return a positive hit for "domain.de" not ".de".



> 
> If, theoretically, 'gov.uk' were listed on a blacklist, would it pickup
> addresses such as [EMAIL PROTECTED]

This is only possible for blacklists that work on email addresses (ie: RFCI). As
above, SA does a query of the whole domain, not fragments.
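As an added illustration (not SpamAssassin's own code), here is a small Python re-implementation of how the lookup name for a blacklist query is built, following the behaviour described above for check_rbl_envfrom (whole domain after the "@", at least one dot with non-whitespace on both sides) and the reversed-octet form used for IP-based lists. The zone name example-rbl.test and its contents are constructed, and the exact-name lookup is a simplification: whether a real zone also answers for subdomains is up to the list operator.

```python
"""Added example, not SpamAssassin's code: builds DNSBL query names the way
the reply above describes, then checks them against a constructed zone to
show why a listing of the fragment ".de" never matches "user@firma.de"."""
import ipaddress
import re
from typing import Dict, Optional

ZONE = "example-rbl.test"  # constructed DNSBL zone name, not a real list

# Domain part of an envelope sender: at least one dot, with at least one
# non-whitespace character on each side of it, so "localhost" is skipped
# but "localhost.localdomain" is queried.
_ENVFROM_DOMAIN = re.compile(r"^[^@\s]+@(\S+\.\S+)$")


def envfrom_query_name(envelope_from: str, zone: str = ZONE) -> Optional[str]:
    """DNS name to query for an envelope-from based list (RFCI style), or
    None when the sender has no usable domain.  The whole domain is used;
    a bare suffix such as ".de" is never queried on its own."""
    m = _ENVFROM_DOMAIN.match(envelope_from.strip().lower())
    if not m:
        return None
    return f"{m.group(1)}.{zone}"


def ip_query_name(ip: str, zone: str = ZONE) -> Optional[str]:
    """DNS name to query for an IP-based list: octets reversed, so the
    relaying host 1.2.3.4 becomes 4.3.2.1.<zone>.  Hostnames are not queried."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return None
    return ".".join(reversed(str(addr).split("."))) + "." + zone


# Constructed stand-in for the DNS zone.  Entries are exact names, which is
# how a DNSBL's records behave unless the operator publishes wildcards:
# listing "de.<zone>" says nothing about "firma.de.<zone>".
CONSTRUCTED_ZONE: Dict[str, str] = {
    f"de.{ZONE}": "127.0.0.2",           # the ".de" fragment itself
    f"spammer.de.{ZONE}": "127.0.0.2",   # one full domain under .de
    f"gov.uk.{ZONE}": "127.0.0.2",       # the theoretical gov.uk listing
    f"4.3.2.1.{ZONE}": "127.0.0.2",      # relay 1.2.3.4
}


def is_listed(query_name: Optional[str],
              zone_data: Dict[str, str] = CONSTRUCTED_ZONE) -> bool:
    """Simulated lookup: a hit only when the exact query name has a record."""
    return query_name is not None and query_name in zone_data


def check_envelope_from(envelope_from: str) -> bool:
    """Would this envelope sender score against the constructed list?"""
    return is_listed(envfrom_query_name(envelope_from))


def check_relay(ip: str) -> bool:
    """Would this relaying IP score against the constructed list?"""
    return is_listed(ip_query_name(ip))


if __name__ == "__main__":
    for sender in ("user@firma.de", "user@spammer.de", "root@localhost",
                   "root@localhost.localdomain", "user@dept.gov.uk"):
        print(f"{sender:28} -> {envfrom_query_name(sender)!s:40} "
              f"listed={check_envelope_from(sender)}")
    for relay in ("1.2.3.4", "mail.example.com"):
        print(f"{relay:28} -> {ip_query_name(relay)!s:40} "
              f"listed={check_relay(relay)}")
```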




Re: whitelisting by "rcpt to:"

2005-11-23 Thread Russ Ringer

>One thing to be wary of is if you're integrating at the MTA layer, there may be
>one message with multiple different recipients. If one is whitelisted but not
>the others, your tool will have to jump a few hoops to split the message into
>two copies to scan one and not the other.

Yes, I warned my boss about "unintended consequences" for multiple
different recipients.


RE: Filter not working

2005-11-23 Thread Matthew.van.Eerde
[EMAIL PROTECTED] wrote:
>> [EMAIL PROTECTED] wrote:
>>> if (/^X-Spam-Status: *Yes/)
> 
> Attached is the header from one of the emails with the issue

Header contains:
X-Spam-Status: Yes, hits=7.0 required=3.0

Well, that line matches the regex.

Can you post a header from an email that does not have the issue?  Maybe it has 
to do with the order of the headers... maybe the line is not always tested.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: whitelisting by "rcpt to:"

2005-11-23 Thread Russ Ringer
On Wed, 23 Nov 2005 09:32:38 -0800, you wrote:

>Russ Ringer wrote:
>> Is it possible to whitelist by "rcpt to:" when there is nothing in the
>> header to indicate the recipient? i.e. no To:, bcc:, cc:, etc.
>
>No.
>
>But you may be able to tell your MTA to put something in the header to 
>indicate the recipient(s) (X-Apparently-To: [EMAIL PROTECTED], for example)
>
>This may break BCC, though, if you're not careful.

I didn't think you could, but I had to ask.

We're using qmail-scanner/spam control which gets the "rcpt to" in a
variable so I made a simple mod to bypass SA on certain recips.

We have an irrational marketing VP who is convinced he will miss a
million dollar order if *anything* is blocked so I want to ensure he
gets all the spam he deserves (evil grin). 

Everyone else (including my boss) is grateful to not ever see all the
crap that comes in.

->Russ


RE: Filter not working

2005-11-23 Thread robert
> [EMAIL PROTECTED] wrote:
>> if (/^X-Spam-Status: *Yes/)
>> {
>>
>> to "$VHOME/Maildir/.Spam"
>>
>> }
>> else
>> {
>> to "$VPOP"
>>
>> }
>>
>> Now 9 out of 10 times this works. But an email here and there gets
>> tagged as spam but still gets delivered to the mailbox. Any
>> suggestions? If you need the header from the email with this issue
>> then let me know. I will send it to the list.
>
> We need the header from the email with this issue.  Please send it to the
> list.
>
> The space-star " *" in the regex concerns me somewhat.  Maybe \s+ is
> called for instead.
>
> --
> Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
> Hispanic Business Inc./HireDiversity.com   Software Engineer
>


Attached is the header from one of the emails with the issue

Thanks
Robert

Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 6551 invoked by uid 98); 23 Nov 2005 17:02:53 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 6548 invoked by uid 507); 23 Nov 2005 17:02:53 -
Received: from 67.173.39.33 by milkyway.digitalphx.com (envelope-from <[EMAIL PROTECTED]>, uid 92) with qmail-scanner-1.23st 
 (clamscan: 0.80. spamassassin: 3.0.1. perlscan: 1.23st. 
 Clear:RC:0(67.173.39.33):SA:1(7.0/3.0):. 
 Processed in 9.396782 secs); 23 Nov 2005 17:02:53 -
X-Spam-Status: Yes, hits=7.0 required=3.0
X-Spam-Level: +++
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via milkyway.digitalphx.com
X-Qmail-Scanner: 1.23st (Clear:RC:0(67.173.39.33):SA:1(7.0/3.0):. Processed in 
9.396782 secs Process 6533)
Received: from c-67-173-39-33.hsd1.il.comcast.net (HELO localhost) 
(67.173.39.33)
 by mail.digitalphx.com with SMTP; 23 Nov 2005 17:02:44 -
Received: from [205.248.102.79] (port=25 helo=mailc.microsoft.com)
 by mailc.microsoft.com with smtp 
 for [EMAIL PROTECTED]; Wed, 23 Nov 2005 17:01:39 -0800
Received: from [32.97.182.141] (port=25 helo=e1.ny.us.ibm.com)
 by e1.ny.us.ibm.com with smtp 
 for [EMAIL PROTECTED]; Wed, 23 Nov 2005 17:01:39 -0800
Message-ID: <[EMAIL PROTECTED]>
From: "Sebastian Scott" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: *SPAM* Don't get left behind! 
Date: Wed, 23 Nov 2005 17:01:39 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_NextPart_000_0001_01C5F04E.A10C9980"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Re: Suddenly missing file?

2005-11-23 Thread Matt Kettler
James Lay wrote:
> So today I get:
> 
> spamd[13532]: Can't locate LMAP/CID2SPF.pm in @INC (@INC
> contains: ../lib /usr/lib/perl5/site_perl/5.8.6/i486-linux 
> /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/5.8.6/i486-linux 
> /usr/lib/perl5/5.8.6 /usr/lib/perl5/site_perl)
> at /usr/lib/perl5/site_perl/5.8.6/Mail/SPF/Query.pm line 1749, 
> line 1061.
> 
> And so far I can't seem to even find this thing.  Anyone have a clue
> what happened?
> 
Did you "suddenly" change versions of Mail::SPF?

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4541


Re: whitelisting by "rcpt to:"

2005-11-23 Thread Matt Kettler
Russ Ringer wrote:
> Hi,
> 
> Is it possible to whitelist by "rcpt to:" when there is nothing in the
> header to indicate the recipient? i.e. no To:, bcc:, cc:, etc.

Not in SA.. SA only receives the message. It does not receive the envelope.

SA will try hard to guess from the headers (to:, bcc, cc, as well as the "for"
clause of Received: headers), but if the information isn't there, SA can't
possibly know.

However, the tool that calls SA generally does have access to that information,
and can bypass calling SA entirely for those cases.

One thing to be wary of is if you're integrating at the MTA layer, there may be
one message with multiple different recipients. If one is whitelisted but not
the others, your tool will have to jump a few hoops to split the message into
two copies to scan one and not the other.


RE: Filter not working

2005-11-23 Thread Matthew.van.Eerde
[EMAIL PROTECTED] wrote:
> if (/^X-Spam-Status: *Yes/)
> {
> 
> to "$VHOME/Maildir/.Spam"
> 
> }
> else
> {
> to "$VPOP"
> 
> }
> 
> Now 9 out of 10 times this works. But an email here and there gets
> tagged as spam but still gets delivered to the mailbox. Any
> suggestions? If you need the header from the email with this issue
> then let me know. I will send it to the list.

We need the header from the email with this issue.  Please send it to the list.

The space-star " *" in the regex concerns me somewhat.  Maybe \s+ is called for 
instead.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Filter not working

2005-11-23 Thread robert
I sent an email to this list about this issue last week. I was told it was
the MA and not SA that is causing the issue. Now the same issue just
happened and I need some help.

What's happening is an email is getting tagged as spam and, according to the
maildrop script I'm using, if the email is tagged as spam then send it to a
different folder. Well I just received an email that was tagged as spam
and it went directly to my box. It scored a 7 and my setting is at 3. So
what am I doing wrong that is causing the email to still get through even
if marked as spam?

I'm using SA 3.0.1 with qmail, qmail-scanner and maildrop. Here is the
maildrop script:

if (/^X-Spam-Status: *Yes/)
{

to "$VHOME/Maildir/.Spam"

}
else
{
to "$VPOP"

}

Now 9 out of 10 times this works. But an email here and there gets tagged
as spam but still gets delivered to the mailbox. Any suggestions? If you
need the header from the email with this issue then let me know. I will
send it to the list.

Thanks
Robert
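As an added example (not from the thread and not maildrop code), the Python below does what the maildrop rule above is meant to do, so it can be run against the header blocks posted in this thread: it unfolds continuation lines, finds X-Spam-Status case-insensitively, parses hits/required so routing can also be checked against the score itself, and includes Python equivalents of the two patterns discussed (" *" and "\s+") so their behaviour on header variants can be compared. The header blocks are constructed from the values quoted in the thread, and $VHOME/$VPOP are kept as literal placeholders.

```python
"""Added example, not maildrop and not from the thread: a header-based
spam/ham router equivalent to the maildrop rule, run against constructed
header blocks built from the values quoted in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The multipart message that was tagged but still reached the inbox.
MULTIPART_SAMPLE = """\
X-Spam-Status: Yes, hits=7.0 required=3.0
X-Spam-Level: +++
Subject: *SPAM* Don't get left behind!
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_NextPart_000_0001_01C5F04E.A10C9980"
"""

# The single-part message that was sorted correctly.
SINGLEPART_SAMPLE = """\
X-Spam-Status: Yes, hits=5.7 required=3.0
X-Spam-Level: +
Subject: *SPAM* Want a laptop? Get an Apple iBook for free!
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
"""

# Constructed variants: a clean message, a tag with no space after the
# colon, and a status header folded over two lines.
HAM_SAMPLE = "X-Spam-Status: No, hits=1.2 required=3.0\nX-Spam-Level: +\n"
NOSPACE_SAMPLE = "X-Spam-Status:Yes, hits=7.0 required=3.0\n"
FOLDED_SAMPLE = "X-Spam-Status: Yes,\n\thits=7.0 required=3.0\nSubject: x\n"

# Python equivalents of the two patterns discussed in the thread.
MAILDROP_REGEX = re.compile(r"^X-Spam-Status: *Yes", re.MULTILINE)
SUGGESTED_REGEX = re.compile(r"^X-Spam-Status:\s+Yes", re.MULTILINE)


def regex_matches(raw_headers: str, pattern: "re.Pattern") -> bool:
    """Line-anchored match, the way a header-matching rule sees the block."""
    return pattern.search(raw_headers) is not None


def unfold_headers(raw_headers: str) -> List[Tuple[str, str]]:
    """Split a header block into (lower-cased name, value) pairs, joining
    folded continuation lines (leading space or tab) onto the previous
    header as RFC 2822 requires.  A blank line ends the block."""
    pairs: List[Tuple[str, str]] = []
    for line in raw_headers.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and pairs:
            name, value = pairs[-1]
            pairs[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


@dataclass
class SpamStatus:
    tagged: bool               # the literal Yes/No flag
    hits: Optional[float]      # score reported by SpamAssassin
    required: Optional[float]  # threshold in force for that scan

    def over_threshold(self) -> bool:
        return (self.hits is not None and self.required is not None
                and self.hits >= self.required)


def spam_status(raw_headers: str) -> Optional[SpamStatus]:
    """Parse X-Spam-Status into flag and numeric fields, or None if absent."""
    for name, value in unfold_headers(raw_headers):
        if name != "x-spam-status":
            continue
        flag = re.match(r"(yes|no)\b", value, re.IGNORECASE)
        hits = re.search(r"\bhits=(-?\d+(?:\.\d+)?)", value)
        required = re.search(r"\brequired=(-?\d+(?:\.\d+)?)", value)
        return SpamStatus(
            tagged=bool(flag) and flag.group(1).lower() == "yes",
            hits=float(hits.group(1)) if hits else None,
            required=float(required.group(1)) if required else None,
        )
    return None


def route(raw_headers: str) -> str:
    """Folder the message belongs in, mirroring the maildrop rule: tagged
    spam (or a score at/over the threshold) goes to .Spam, the rest to the
    inbox.  $VHOME and $VPOP are the thread's variables, kept as literals."""
    status = spam_status(raw_headers)
    if status is not None and (status.tagged or status.over_threshold()):
        return "$VHOME/Maildir/.Spam"
    return "$VPOP"


if __name__ == "__main__":
    for label, sample in (("multipart", MULTIPART_SAMPLE),
                          ("single-part", SINGLEPART_SAMPLE),
                          ("ham", HAM_SAMPLE), ("no-space", NOSPACE_SAMPLE),
                          ("folded", FOLDED_SAMPLE)):
        print(f"{label:12} route={route(sample):22} "
              f"' *'={regex_matches(sample, MAILDROP_REGEX)} "
              f"'\\s+'={regex_matches(sample, SUGGESTED_REGEX)}")
```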


Suddenly missing file?

2005-11-23 Thread James Lay
So today I get:

spamd[13532]: Can't locate LMAP/CID2SPF.pm in @INC (@INC
contains: ../lib /usr/lib/perl5/site_perl/5.8.6/i486-linux 
/usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/5.8.6/i486-linux 
/usr/lib/perl5/5.8.6 /usr/lib/perl5/site_perl)
at /usr/lib/perl5/site_perl/5.8.6/Mail/SPF/Query.pm line 1749, 
line 1061.

And so far I can't seem to even find this thing.  Anyone have a clue
what happened?

James


RE: whitelisting by "rcpt to:"

2005-11-23 Thread Matthew.van.Eerde
Russ Ringer wrote:
> Is it possible to whitelist by "rcpt to:" when there is nothing in the
> header to indicate the recipient? i.e. no To:, bcc:, cc:, etc.

No.

But you may be able to tell your MTA to put something in the header to indicate 
the recipient(s) (X-Apparently-To: [EMAIL PROTECTED], for example)

This may break BCC, though, if you're not careful.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


whitelisting by "rcpt to:"

2005-11-23 Thread Russ Ringer
Hi,

Is it possible to whitelist by "rcpt to:" when there is nothing in the
header to indicate the recipient? i.e. no To:, bcc:, cc:, etc.

->Russ


Re: Blacklists and SA

2005-11-23 Thread Kevin W. Gagel
>I was wondering if somebody could answer a question I have
>about SA's use of external blacklists which filter e-mail
>addresses. 

SpamAssassin does not filter. It rates and optionally
provides a tagged copy of a message. You choose software to
do the filtering.

>As I understand it (please correct me if I'm wrong), SA can
>be configured to look up lists such as those held on
>rfc-ignorant.org, match the email address and award points
>accordingly.

Blacklists are for IP addresses, I'm not aware of any that
work on email addresses.

>If only a fragment of the address is listed on the
>blacklist, will SA still add points to the e-mail? eg.
>'.de' is marked on rfc-ignorant.org as having a duff WHOIS
>listing. Will SA award points for any e-mail from Germany?

Blacklists work on the full IP address of a computer.


=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel

---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---


Blacklists and SA

2005-11-23 Thread Quin Parker

Hello

I was wondering if somebody could answer a question I have about SA's use of
external blacklists which filter e-mail addresses. 

As I understand it (please correct me if I'm wrong), SA can be configured to
look up lists such as those held on rfc-ignorant.org, match the email address
and award points accordingly.

If only a fragment of the address is listed on the blacklist, will SA still add
points to the e-mail? eg. '.de' is marked on rfc-ignorant.org as having a duff
WHOIS listing. Will SA award points for any e-mail from Germany?

If, theoretically, 'gov.uk' were listed on a blacklist, would it pickup
addresses such as [EMAIL PROTECTED]

Many thanks for any help you can give, hope this isn't a dumb question. Full
disclosure: I am an IT hack.

Quin



RE: New Spammer?

2005-11-23 Thread Bowie Bailey
From: Duncan Hill [mailto:[EMAIL PROTECTED]
> 
> On Wednesday 23 Nov 2005 15:07, Bowie Bailey wrote:
> > It's always good to have multiple layers.  We have ClamAV on the mail
> > server and Symantec Corporate Edition on the desktops.  I haven't had
> > any problems with Clam.  We had a few Sober.U get through before the
> > definitions updated, but that's expected with a new virus on any AV
> > program (unfortunately).
> 
> A minor counter-point.
> 
> $dayjob involves scanning the mail for quite a few people for
> viruses and spam.  We have 4 commercial AV engines, acting as
> defense in depth.  Viruses still make it past.
> 
> I just tested an early copy of Sober-Z/U/whatever-it-is that made it
> past all 4 against an out-of-date (over 2 weeks) copy of NOD32, with
> only heuristics engaged.  It caught it.  Granted, it's the same
> family of virus, but it's still somewhat impressive.
> 
> Heuristics aren't everything, but they do work damn well some times :)

Agreed.  Our desktops with SAV have heuristics enabled.  None of the
Sober viruses made it onto a desktop where they could have been
scanned, so I don't know if SAV would have caught it or not.

My points in the previous email were just:

1) ClamAV works very well here, so if it's missing a whole group of
   viruses for someone, there's probably something else going on.

2) It's normal for any AV program to miss a few at the beginning of an
   outbreak.

Heuristics can help with point 2, but you can't depend on them.

Bowie


Re: Do I need these rules?

2005-11-23 Thread Matt Kettler
[EMAIL PROTECTED] wrote:
> I've been trying to "optimize" SA on my system and decided to look at the
> rules I have that SA uses. I'm using qmail with SA 3.1 on Fedora Core 2. I
> started SA in debug mode and noticed a bunch of rules running in another
> folder on top of what I have in my up to date rules folder. The rules in
> this other folder are in /usr/share/spamassassin. Should I delete all of
> these rules or do they need to be there?

They need to be there unless you REALLY know what you're doing.

Those files in /usr/share/spamassassin/ ARE the SA rules.. They contain all of
the rules that officially come with SA, and are the rules listed on the "tests"
web-page ( http://spamassassin.apache.org/tests.html)

Your 'up to date' rules in /etc/mail/spamassassin that you fetch with RDJ are
add-ons. They are not the official spamassassin ruleset, but 3rd party rulesets
written by community members who want to write fast-changing rulesets to keep
abreast of the latest spam trends. However, every 3rd party rule writer intends
these to be used as a supplement to the basic rules that come with SA.



Re: why does this ONLY score "5.2"?

2005-11-23 Thread Matt Kettler
OpenMacNews wrote:
> hi,
> 
> why do these:
> 
>   http://paste.lisp.org/display/13918
> 
> score so low? (using SA r348087 ...)

Are you using URIBLS? I got 2 surbl hits from the URL in that message

esepykivikr.org.multi.surbl.org. 2100 IN TXT "Blocked, esepykivikr.org on
lists [jp][ws], See: http://www.surbl.org/lists.html"


> 
> given the content, i'd assume (naively?) that the 'adult' language 
> would/should send it off the charts ...

*shrug* why should it? SA is a spam filter, not a porn filter. Admittedly, this
is probably a good question about how well SARE_ADULT works..



> 
> is there a better set of rules to use?
> 
> 
> fyi, my RDJ -->
> 
> TRUSTED_RULESETS="TRIPWIRE SARE_REDIRECT_POST300 SARE_EVILNUMBERS0 
> SARE_EVILNUMBERS1
> SARE_BAYES_POISON_NXM SARE_HEADER SARE_HEADER_ENG SARE_SPECIFIC SARE_ADULT 
> SARE_BML SARE_FRAUD
> SARE_SPOOF SARE_RANDOM SARE_SPAMCOP_TOP200 SARE_OEM SARE_GENLSUBJ 
> SARE_GENLSUBJ_ENG SARE_UNSUB
> SARE_URI_ENG BOGUSVIRUS ANTIDRUG SARE_OBFU SARE_HTML"
> 
>

Remove antidrug from that list ASAP.. antidrug is ONLY for users of SA 2.64 and
lower. SA 3.0.0 and higher have antidrug built-in, and by loading the
antidrug.cf file you will clobber any rule tuning that the SA devs may have 
done.


Re: f-secure messaging security gateway x-series??

2005-11-23 Thread Paolo Cravero as2594

Mathias Homann wrote:

> So, has anyone here seen/touched this thing before?

Not that one, but touched two other vendors' appliances.

> For me, the only strong point with it seems to be the combined 
> firewall/AV/spam scanner thing (waitaminute... single point of failure??), 
> and the web admin frontend which can generate colorful pie charts about 
> spam/virus statistics (which, of course, can be printed on overhead films and 
> used to increase the IT budget...).
>
> Anyone ever seen one of those?

Lately they *all* look like an amavisd-new wrapper with a commercial AV, 
SA- or DSPAM-based AS analysis plus all those colorful niceties that 
impress managers but don't actually improve performance.


One big issue with these appliances is how they decide a content is spam 
or not, and how you can adapt the appliance to your needs. Many of them 
keep a sort-of centralized "rules" (Bayes? heuristic? ...) that spreads 
to each appliance, so you really don't know what is behind the 
decisional process. That makes it hard to explain to your customer why his 
favourite Ikea newsletter was blocked. Same goes for non-English spam/ham.


There might be other issues, but they're OT for this list.

SA rulez! :)
Paolo

PS: I asked one of those vendors (the one I sent an idea of pricings a 
few weeks ago) how they deal with DNS-based lists. I wanted to know if 
they use vendor-based DNS replicas or query public nameservers, since 
they advertise +100kmsgs/day. They haven't answered yet...


f-secure messaging security gateway x-series??

2005-11-23 Thread Mathias Homann
Hi,


at work, someone dropped a flyer about the product mentioned in the subject on 
my desk...

seems to be one of those linux-based "appliances", meaning, 1U rackmount box 
running linux, a smtpd of unknown brand, a spam filter, and some f-prot based 
mail scanner...

the leaflet itself is full of hot air, and almost totally devoid of any 
substance, for example sentences like this (translated from German):
"the ProofPoint Spam Detection (TM) module uses the ProofPoint MLX(TM) 
technology for automated learning (pat.pend.)" which in itself doesn't tell 
me that much about why/how this would be better than a bayes-based filter in 
combination with the usual blacklists...

So, has anyone here seen/touched this thing before?

For me, the only strong point with it seems to be the combined 
firewall/AV/spam scanner thing (waitaminute... single point of failure??), 
and the web admin frontend which can generate colorful pie charts about 
spam/virus statistics (which, of course, can be printed on overhead films and 
used to increase the IT budget...).

Anyone ever seen one of those?


bye,
MH


why does this ONLY score "5.2"?

2005-11-23 Thread OpenMacNews
hi,

why do these:

http://paste.lisp.org/display/13918

score so low? (using SA r348087 ...)

given the content, i'd assume (naively?) that the 'adult' language 
would/should send it off the charts ...

is there a better set of rules to use?


fyi, my RDJ -->

TRUSTED_RULESETS="TRIPWIRE SARE_REDIRECT_POST300 SARE_EVILNUMBERS0 
SARE_EVILNUMBERS1
SARE_BAYES_POISON_NXM SARE_HEADER SARE_HEADER_ENG SARE_SPECIFIC SARE_ADULT 
SARE_BML SARE_FRAUD
SARE_SPOOF SARE_RANDOM SARE_SPAMCOP_TOP200 SARE_OEM SARE_GENLSUBJ 
SARE_GENLSUBJ_ENG SARE_UNSUB
SARE_URI_ENG BOGUSVIRUS ANTIDRUG SARE_OBFU SARE_HTML"

thx! & happy holidays all!

richard


-- 

/"\
\ /  ASCII Ribbon Campaign
 X   against HTML email, vCards
/ \  & micro$oft attachments

[GPG] OpenMacNews at gmail dot com
fingerprint: 50C9 1C46 2F8F DE42 2EDB  D460 95F7 DDBD 3671 08C6



Re: New Spammer?

2005-11-23 Thread Duncan Hill
On Wednesday 23 Nov 2005 15:07, Bowie Bailey wrote:
> It's always good to have multiple layers.  We have ClamAV on the mail
> server and Symantec Corporate Edition on the desktops.  I haven't had
> any problems with Clam.  We had a few Sober.U get through before the
> definitions updated, but that's expected with a new virus on any AV
> program (unfortunately).

A minor counter-point.

$dayjob involves scanning the mail for quite a few people for viruses and 
spam.  We have 4 commercial AV engines, acting as defense in depth.  Viruses 
still make it past.

I just tested an early copy of Sober-Z/U/whatever-it-is that made it past all 
4 against an out-of-date (over 2 weeks) copy of NOD32, with only heuristics 
engaged.  It caught it.  Granted, it's the same family of virus, but it's 
still somewhat impressive.

Heuristics aren't everything, but they do work damn well some times :)


RE: New Spammer?

2005-11-23 Thread Bowie Bailey
From: Menno van Bennekom [mailto:[EMAIL PROTECTED]
> 
> >
> > Heh, I use the ClamAV plugin for SA and give it a hefty score.
> > That way I get the best of both worlds. Creative use of BLs also
> > helps.
> 
> Very pleased with ClamAV too, but just ClamAV is not enough for us.
> The last hours some virus-types were not recognized by ClamAV, even
> not with the most recent database (just submitted the samples to
> clamav). Luckily they were caught because we allow only
> password-protected zip files if they contain executable files. And
> we have 4 other virus-scanners on our exchange-server.  The
> virus-types change so fast now that ClamAV has difficulty to keep
> up.

It's always good to have multiple layers.  We have ClamAV on the mail
server and Symantec Corporate Edition on the desktops.  I haven't had
any problems with Clam.  We had a few Sober.U get through before the
definitions updated, but that's expected with a new virus on any AV
program (unfortunately).

I have Clam installed with all the default options and I run freshclam
a few times a day to keep it updated.  It just works.

Bowie


Re: New Spammer?

2005-11-23 Thread Menno van Bennekom
>
> Heh, I use the ClamAV plugin for SA and give it a hefty score. That way
> I get the best of both worlds. Creative use of BLs also helps.
>
Very pleased with ClamAV too, but just ClamAV is not enough for us. The
last hours some virus-types were not recognized by ClamAV, even not with
the most recent database (just submitted the samples to clamav). Luckily
they were caught because we allow only password-protected zip files if
they contain executable files. And we have 4 other virus-scanners on our
exchange-server.
The virus-types change so fast now that ClamAV has difficulty to keep up.

Regards
Menno van Bennekom



Re: spamcop.net tactics

2005-11-23 Thread Leonard SA

BTW list ..

Can I use the whitelisting feature even though I use qmail-scanner? Where 
would this be configured?


Regards ..

Leonard
- Original Message - 
From: "Jeff Chan" <[EMAIL PROTECTED]>

To: "Leonard SA" <[EMAIL PROTECTED]>
Sent: Wednesday, November 23, 2005 9:13 AM
Subject: Re: spamcop.net tactics



On Wednesday, November 23, 2005, 5:39:05 AM, Leonard SA wrote:

Jeff,



I found this out yesterday after enabling the RBL lookups in the local.cf
config file. It's great to get a high score slash because they are listed in
the rbl list, but not rejected in case there are errors..



Being a cautious user, I still glance over my spam folders, so I would
still catch these messages marked as spam as a result. It's not the best
solution, but better than blockage at the MTA level.


I still don't know how whitelisting works and where to configure this.. so
until this time; I have to handle it this way.



Thanks again for your insight Jeff.



Regards ..



Leonard


Hi Leonard,
Glad to help!  Definitely check out the whitelisting feature.
The SA Wiki may help, etc.

Cheers,

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/






Re: spamcop.net tactics

2005-11-23 Thread Christopher X. Candreva
On Wed, 23 Nov 2005, Ed Kasky wrote:

> I for one would be interested to know how you implement a filter like this.
> It's one of the things that keeps me from using it sometimes...

procmail does wonders, just don't call vacation for anything marked as spam. 
We use that plus some other checks:

:0 c
* !^Return-Path: <(www|nobody|apache|httpd|bounce|no-?reply|devnul|root|notify|owner-)
* !^X-Spam-Status: Yes
* !^List-
* !^X-Mailer: Accucast
* !^X-Campaignid:
|/usr/local/bin/vacation $VACATIONOPT

As for not accepting then bouncing -- do virus checking in a milter (we use 
ClamAV), and push a list of valid users to your secondaries. This sort of 
this in access.db:

To:westnet.com          ERROR:5.1.1:"550 User unknown"
To:[EMAIL PROTECTED]    OK
To:[EMAIL PROTECTED]    OK
To:[EMAIL PROTECTED]    OK
To:... etc


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
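To make the recipe's header checks concrete, here is an added example (not Chris's code, and not part of the original thread) that applies the same five conditions in Python and reports which one stopped an auto-reply; it goes one step further than the recipe by also refusing the empty Return-Path of a bounce. The sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string

# Local parts from the procmail recipe above: role, bounce and no-reply senders
# that must never receive an auto-reply (answering them only creates backscatter).
ROLE_SENDER = re.compile(
    r"^<?(www|nobody|apache|httpd|bounce|no-?reply|devnul|root|notify|owner-)",
    re.IGNORECASE,
)


def autoreply_block_reason(raw_message: str):
    """Return None if vacation may reply, else the name of the check that blocked it.

    Each check mirrors one condition of the procmail recipe; the null-sender
    check is an addition (a bounce has Return-Path: <> and must never be answered).
    """
    msg = message_from_string(raw_message)
    return_path = msg.get("Return-Path", "").strip()
    if return_path in ("", "<>"):
        return "null-sender"                      # bounce or missing envelope sender
    if ROLE_SENDER.match(return_path):
        return "role-sender"                      # !^Return-Path: <(www|nobody|...)
    if msg.get("X-Spam-Status", "").lower().startswith("yes"):
        return "spam"                             # !^X-Spam-Status: Yes
    if any(name.lower().startswith("list-") for name in msg.keys()):
        return "mailing-list"                     # !^List-
    if msg.get("X-Mailer", "").startswith("Accucast"):
        return "bulk-mailer"                      # !^X-Mailer: Accucast
    if "X-Campaignid" in msg:
        return "campaign"                         # !^X-Campaignid:
    return None


def should_autoreply(raw_message: str) -> bool:
    """True only when no check above fires, i.e. a human most likely wrote this."""
    return autoreply_block_reason(raw_message) is None


# Constructed sample messages (not taken from the post) covering each branch.
HUMAN = """Return-Path: <alice@example.org>
From: Alice <alice@example.org>
To: bob@example.net
Subject: lunch?
X-Spam-Status: No, score=-2.6 required=5.0

are you free tomorrow?
"""
SPAM = HUMAN.replace("X-Spam-Status: No", "X-Spam-Status: Yes")
LISTMAIL = HUMAN.replace("To: bob@example.net",
                         "To: users@lists.example.org\nList-Id: <users.lists.example.org>")
BOUNCE = HUMAN.replace("Return-Path: <alice@example.org>", "Return-Path: <>")
NOREPLY = HUMAN.replace("<alice@", "<no-reply@")

if __name__ == "__main__":
    for label, sample in [("human", HUMAN), ("spam", SPAM), ("list", LISTMAIL),
                          ("bounce", BOUNCE), ("no-reply", NOREPLY)]:
        print(f"{label:9s} reply={should_autoreply(sample)} "
              f"reason={autoreply_block_reason(sample)}")
```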


Re: spamcop.net tactics

2005-11-23 Thread Leonard SA

Jeff,

Thanks again ..

Regards ..

Leonard
- Original Message - 
From: "Jeff Chan" <[EMAIL PROTECTED]>

To: "Leonard SA" <[EMAIL PROTECTED]>
Sent: Wednesday, November 23, 2005 9:13 AM
Subject: Re: spamcop.net tactics



On Wednesday, November 23, 2005, 5:39:05 AM, Leonard SA wrote:

Jeff,



I found this out yesterday after enabling the RBL lookups in the local.cf
config file. It's great to get a high score slash because they are listed in
the rbl list, but not rejected in case there are errors..



Being a cautious user, I still glance over my spam folders, so I would
still catch these messages marked as spam as a result. It's not the best
solution, but better than blockage at the MTA level.


I still don't know how whitelisting works and where to configure this.. so
until this time; I have to handle it this way.



Thanks again for your insight Jeff.



Regards ..



Leonard


Hi Leonard,
Glad to help!  Definitely check out the whitelisting feature.
The SA Wiki may help, etc.

Cheers,

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/






RE: Urgent please --- Change rewrite_header Subject for one domain

2005-11-23 Thread Bowie Bailey
From: Michael Parker [mailto:[EMAIL PROTECTED]
> 
> Noc Phibee wrote:
> > Hi
> > 
> > please a small question but urgent ! :
> > 
> > Actually, all spams are Tagged into the subject :
> >rewrite_header Subject *SPAM*
> > It's on a relay server ..
> > 
> > Can I put a different "rewrite_header Subject" specified for one
> > domain ?
> > 
> > Example:
> > 
> > * => rewrite_header Subject *SPAM*
> > domain.com => rewrite_header Subject *PUB*
> 
> See sql/README or http://people.apache.org/~parker/presentations/ for 
> information on doing domain based preferences.

Or, if there are not too many users, you can put the rewrite_header
command in each of their user_prefs files.

Bowie


Re: Best way to convert MySQL bayes DB to InnoDB?

2005-11-23 Thread Magnus Holmgren
Jason Levine wrote:
> Howdy -- I have a question I've been hunting for the answer to for a
> while, but haven't found anything definitive.  I've been running
> SpamAssassin for about two years now, with Sendmail as my MTA and
> spamass-milter funneling all the mail into SpamAssassin, and with a MySQL
> database for user prefs, bayes, and aut-owhitelisting.  As my setup has
> slowed a bit, I went looking for ways to make my life happier, and noticed
> a lot of lock contention on the database -- as it turns out, all the
> tables are MyISAM tables, and that means that there are locks galore on
> the table as things update.  This led me to the desire to move my tables
> to InnoDB, to take care of the more robust row-level locking.  However, I
> appear to have nearly 17 million records in my bayes_token table, and
> another 750K in my bayes_seen table, and converting those to InnoDB might
> take a LONG LONG TIME... so I'm looking for the best way to do this.

Oh, 17 million records isn't that much ... I think. I can't see how your
other methods could be faster (but I don't have 10 years of work
experience with databases). However, you might want to drop the indices
before converting, and recreate them afterwards (I don't know how ALTER
TABLE works internally in this case but if it's as you suspect, it can
make a massive impact).

-- 
Magnus Holmgren




RE: Do I need these rules?

2005-11-23 Thread Bowie Bailey
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> 
> I've been trying to "optimize" SA on my system and decided to look at
> the rules I have that SA uses. I'm using qmail with SA 3.1 on Fedora
> Core 2. I started SA in debug mode and noticed a bunch of rules
> running in another folder on top of what I have in my up to date
> rules folder.  The rules in this other folder are in
> /usr/share/spamassassin. Should I delete all of these rules or do
> they need to be there?
> 
> 10_misc.cf
> 20_drugs.cf
> 20_phrases.cf
> 25_body_tests_es.cf
> 30_text_fr.cf
> 20_anti_ratware.cf
> 20_fake_helo_tests.cf
> 20_porn.cf
> 25_hashcash.cf
> 30_text_nl.cf
> 20_body_tests.cf
> 20_head_tests.cf
> 20_ratware.cf
> 25_spf.cf
> 30_text_pl.cf
> 20_compensate.cf
> 20_html_tests.cf
> 20_uri_tests.cf
> 25_uribl.cf
> 50_scores.cf
> 20_dnsbl_tests.cf
> 20_meta_tests.cf
> 23_bayes.cf
> 30_text_de.cf
> 60_whitelist.cf

These are the built-in SA rules.  Your spam detection rate will drop
through the floor if you delete them! :)

Bowie


Re: Urgent please --- Change rewrite_header Subject for one domain

2005-11-23 Thread Michael Parker

Noc Phibee wrote:

Hi

please a small question but urgent ! :

Actually, all spams are Tagged into the subject :
   rewrite_header Subject *SPAM*
It's on a relay server ..

Can I put a different "rewrite_header Subject" specified for one domain ?

Example:

* => rewrite_header Subject *SPAM*
domain.com => rewrite_header Subject *PUB*

Thanks for your help





See sql/README or http://people.apache.org/~parker/presentations/ for 
information on doing domain based preferences.


Michael


Do I need these rules?

2005-11-23 Thread robert
I've been trying to "optimize" SA on my system and decided to look at the
rules I have that SA uses. I'm using qmail with SA 3.1 on Fedora Core 2. I
started SA in debug mode and noticed a bunch of rules running in another
folder on top of what I have in my up to date rules folder. The rules in
this other folder are in /usr/share/spamassassin. Should I delete all of
these rules or do they need to be there?

10_misc.cf
20_drugs.cf
20_phrases.cf
25_body_tests_es.cf
30_text_fr.cf
20_anti_ratware.cf
20_fake_helo_tests.cf
20_porn.cf
25_hashcash.cf
30_text_nl.cf
20_body_tests.cf
20_head_tests.cf
20_ratware.cf
25_spf.cf
30_text_pl.cf
20_compensate.cf
20_html_tests.cf
20_uri_tests.cf
25_uribl.cf
50_scores.cf
20_dnsbl_tests.cf
20_meta_tests.cf
23_bayes.cf
30_text_de.cf
60_whitelist.cf

Sorry if it's a lot.

Thanks
Robert


Urgent please --- Change rewrite_header Subject for one domain

2005-11-23 Thread Noc Phibee

Hi

please a small question but urgent ! :

Actually, all spams are Tagged into the subject :
   rewrite_header Subject *SPAM*
It's on a relay server ..

Can I put a different "rewrite_header Subject" specified for one domain ?

Example:

* => rewrite_header Subject *SPAM*
domain.com => rewrite_header Subject *PUB*

Thanks for your help



Re: Rules for all these "wrist watch" sales?

2005-11-23 Thread Jeff Chan
On Tuesday, November 22, 2005, 1:17:25 PM, Anders Norrbring wrote:
> Is there any effective rule set for blocking off all these "chronometer" 
> and "wrist watch" spams?
> Preferably one that I can add into my rules_du_jour..

If they are advertising web sites, make sure you have network
tests and SURBLs enabled and they will mostly get blocked.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: spamcop.net tactics

2005-11-23 Thread Jeff Chan
On Wednesday, November 23, 2005, 3:33:47 AM, Leonard SA wrote:
> Hello,

> I have had to remove spamcop from my rbl check list. they have had some 
> legitimate mail servers listed recently. They had the gentoo mail list 
> listed and some other important servers which i cant see why they were 
> added.

> Regards ..

> Leonard

If you mean at the MTA level, yes, I don't use bl.spamcop.net in
my MTAs.  For SpamAssassin, however it's useful as another
somewhat reliable indicator of spamminess to increment the scores
a bit, just like SORBLs or SPEWS, which would otherwise be
largely unusable for outright blocking in an MTA for most
people.

SpamCop's bl gets IPs that users report.  There's some filtering
and munging, but it's either less than one would like or more
than one would like, depending on one's perspective.  IOW some
SpamCop user (unwisely) reported a gentoo mailing list message as
spam, and that's why it got onto the blacklist: user error.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Spamassassin + Exchange 2k3 + Antivirus Recommendations

2005-11-23 Thread Steven Dickenson


"Christopher Brower" <[EMAIL PROTECTED]> 11/22/2005  
12:03:40 am >>>

Can anyone recommend a good setup for running SpamAssassin and an open
source antivirus solution on a SMTP gateway in front of an Exchange
box?

Also could you point me to some guides? It's been awhile since I setup
spam assassin and last time I did I think it was version 2.0. Is it
possible now to allow users to setup their own whitelists and spam
filter levels through something like mysql?


I prefer Exim, SA, and ClamAV doing SMTP-time rejection.  However,  
this does not offer you any easy way to do per-user settings or  
whitelists.


You might want to check out something like Maia Mailguard.

Steven
---
Steven Dickenson <[EMAIL PROTECTED]>
http://www.mrchuckles.net



Re: Using sa-learn with Notes/Domino Servers via agents

2005-11-23 Thread Paolo Cravero as2594

Not a solution but a few thoughts since we have LN here as well.

Domino servers add a hell of headers to email messages that might 
confuse the Bayesian engine.


Forwarding internet mail from one LN account to another DESTROYS RFC2822 
headers. Copying preserves.


LN clients can access IMAP mailboxes (sort-of undocumented hidden 
feature). sa-learn can be fed through a call from fetchmail accessing an 
IMAP mailbox+folder. (I think the latter is documented in the Wiki.)


You may widen the autolearn thresholds so that fewer messages are fed 
automatically to the Bayes DB.


> Another issue I have is that we have 2 loadbalanced exim servers for 
> tagging spam, yet I would like to keep the bayes DB the same on both 
> hosts. Did anyone ever come up with a solution to this problem?


Yes, a RDBMS backend for the Bayes database (MySQL here). Otherwise you 
might elect one server as "master" and align DBs nightly (spamd 
restart!). Or stay with mis-aligned Bayes DBs: if your servers route a 
lot of msgs/day (n*10k) and are round-robin balanced, they'll be 
statistically identical. Same goes for AWL, if used.


HTH,
Paolo

--
|QRPp-I #707  + www.paolocravero.tk +  I QRP #476   |
| SpamAssassin-based email antispam/antivirus solutions |
 \Italian/English-to/from-Croatian translations/
  \   Skype: pcravero /


Re: spamcop.net tactics

2005-11-23 Thread Leonard SA

Hello,

I have had to remove spamcop from my rbl check list. they have had some 
legitimate mail servers listed recently. They had the gentoo mail list 
listed and some other important servers which i cant see why they were 
added.


Regards ..

Leonard
- Original Message - 
From: "Christopher X. Candreva" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, November 23, 2005 2:29 AM
Subject: Re: spamcop.net tactics



On Tue, 22 Nov 2005, Chr. v. Stuckrad wrote:


So simply by having users use 'vacation' or viruses/worms
sending themselves from faked spam-trap-addresses and bouncing
at your site, you can be blacklisted for 24 hours (for each?).


By having users use vacation without a filter to stop it from replying to
spam, or accepting virus mail then generating a new error, you are engaged
in a DDOS against the people whose address is forged into the mail. We have
users getting 3-6 THOUSAND such bounces a day.

So yes, I'm glad SpamCop is blocking sites that do this.

==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/





Using sa-learn with Notes/Domino Servers via agents

2005-11-23 Thread srunschke
Hi list,

I have the following setup:

2 Exim servers as incoming and outgoing relay in the DMZ using SA to tag 
messages. They deliver messages to 2 Domino servers in the DMZ, which then 
route the messages to the central Domino server for further routing.

I recently had to delete the Bayes DB because autolearn made a lot of wrong 
Bayes entries which led to many Spams getting more and more negative Bayes 
scores - not tagging them anymore. Now I want to disable autolearn and feed 
the Bayes DB manually, sadly it's not that easy in my current setup as Users 
cannot reach the SA servers in any way.

What I want is to use the collected Spam and especially wrongly tagged Ham 
from a Notes DB to feed it into sa-learn. Most likely by using an agent to 
automatically sort mail in the DB and sending it to a special email-account 
on the Exim relays which then pipes the Mail to sa-learn.

Before I start re-inventing the wheel - did anyone ever do something like 
that before? What I basically need is a Notes agent that is capable of 
mailing DB entries (aka Mails) in the correct format to another 
email-account for piping them into sa-learn.

If nothing is known about that particular problem, I'd take any hints about 
how to get it to work - as in: what's the best way to set up the mail sent 
to sa-learn? I read in the docs that you can attach the spam/ham mail in the 
mail when sending to a sa-learn pipe - but sadly it isn't mentioned how such 
an attached mail should look like? Should the attachment have a special 
name? Does the mail need to have a special markup to be recognized by 
sa-learn so it knows it needs to look into the attachment for the actual 
spam/ham?

Another issue I have is that we have 2 loadbalanced exim servers for 
tagging spam, yet I would like to keep the bayes DB the same on both hosts. 
Did anyone ever come up with a solution to this problem?

Any help would be appreciated,

regards
sash


Re: problem with DCC and SA 3.1.0

2005-11-23 Thread Matthias Keller

Valery V. Bobrov wrote:


Hi!
I have upgraded SA up to 3.1.0
 
I noticed that DCC probably does not work

I hope somebody can help me.


Have you enabled
loadplugin Mail::SpamAssassin::Plugin::DCC
in v310.pre ?

you might also want to enable some other plugins there. They have been 
disabled by default because of licensing problems. It's in the UPGRADE 
doc...


Matt


bayes/awl and not filtering outbound mail

2005-11-23 Thread mouss
It is tempting to avoid filtering outbound mail (with SA or other). I am 
 assuming that outbound mail is legitimate (users are honest, and logs 
can be used to look for abnormal behaviour and punish the guilty).


Now my question. Wouldn't that weaken Bayes filtering?  I see two views:

- no: after all, The Bayes engine needs to learn inbound mail since 
that's what it will be filtering.


- yes: if it checks outbound mail, the Bayes engine will learn 
words/tokens that are legitimate, and will thus be less FP-prone.


In the latter view, one can still feed outbound mail to SA for learning 
only. However, would there be any benefit in this compared to just 
filtering the mail?



Similarly, what would be the effect on AWL?


problem with DCC and SA 3.1.0

2005-11-23 Thread Valery V. Bobrov



Hi!
I have upgraded SA up to 3.1.0
 
I noticed that DCC probably does not work.
I hope somebody can help me.
The problem is
Before
X-Spam-Status: No, score=-2.6 required=5.0 
tests=BAYES_00 autolearn=ham  version=3.0.4 date=Sat, 19 Nov 2005 
16:14:50 +0300 bayes=0.  host=mx.uvttk.ru dccbbrand=EATSERVER 
dccresult=mx.uvttk.ru 1166; Body=4  Fuz1=4 Fuz2=4
 
after upgrading
 
X-Spam-Status: No, score=-0.1 required=5.0 
tests=AWL,HTML_MESSAGE, NO_REAL_NAME autolearn=no version=3.1.0 
date=Wed, 23 Nov 2005 11:24:45  +0300 bayes=0.5 host=mx.uvttk.ru 
dccbbrand= dccresult=
 
 
The field "dccresult=" is empty.
 
What's wrong?
 
Thank you in advance
 
Yours faithfully,
Valery