SA 3.1.0 Compil failed ?
Hi,

When I want to compile SA 3.1.0, I have an error in the test:

t/reportheader..Not found: msgidnotvalid = Message-Id is not valid,
# Failed test 6 in t/SATest.pm at line 592
Not found: spam-report-body = Spam detection software, running on the system "
# Failed test 7 in t/SATest.pm at line 592 fail #2
t/reportheader..FAILED tests 6-7
Failed 2/11 tests, 81.82% okay

and a lot of tests are "Skipped", why?

t/dnsbl.skipped
all skipped: no reason given

Thanks for your help
Re: Spamassassin and Mailing Lists
On Tuesday 29 November 2005 10:18 pm, Matt Kettler wrote:
> At 10:34 PM 11/29/2005, Chris wrote:
> >One of the mailing lists I belong to has since the 15th started using
> >SA 3.0.4 and since then all pgp signatures have been as attachments
> >instead of in-line as they were in previous years. Is there a setting in SA
> >that could be causing this?
>
> No.
>
> The only time SA modifies the body of a message is when it tags it as
> spam. Period.
>
> Now, the list could have also switched a whole lot of other software bits
> when they added SA, which is likely the cause.

Thanks Matt, appreciate the reply.

--
Chris
Registered Linux User 283774 http://counter.li.org
22:29:52 up 5 days, 7:09, 1 user, load average: 1.24, 1.31, 2.69
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~
If a program actually fits in memory and has enough disk space, it is guaranteed to crash. -- Murphy's Computer Laws n°5
~~
Re: Antidrug.cf deprecated and no longer maintained.
At 09:36 PM 11/29/2005, mouss wrote:
> it would be good to make the file empty, only containing this info. this
> way, even those who miss this message (and the previous one) still have a
> chance to get the info.

Yes, but there are still users out there that aren't using SA 3.0.x due to perl version problems. For them, I still wish to make the file available.
Re: Spamassassin and Mailing Lists
At 10:34 PM 11/29/2005, Chris wrote:
> One of the mailing lists I belong to has since the 15th started using SA
> 3.0.4 and since then all pgp signatures have been as attachments instead of
> in-line as they were in previous years. Is there a setting in SA that
> could be causing this?

No.

The only time SA modifies the body of a message is when it tags it as spam. Period.

Now, the list could have also switched a whole lot of other software bits when they added SA, which is likely the cause.
Re: OT? Threats from twtelecom over spam reports
On Tue, 29 Nov 2005, Chris wrote:
> On Tuesday 29 November 2005 8:26 pm, M. Lewis wrote:
> > Chris,
> >
> > My opinion (opinions are like assholes, everyone has one and they all
> > stink).
> >
> > 1. If the person was legit, he would *not* have responded harshly and
> > 'threatened you' that things would get ugly.
> >
> > 2. There isn't squat he can do to you beyond what he already has.
> >
> > 3. Block the IP in postfix or your firewall. DONE.
> >
> > Just my opinion. I'm curious to see what others might say.
>
> Thanks Mike, that's been the consensus of others I've talked to about this
> guy. I'm continuing to report this ip, I have put his address in my
> "undeliverable" list but continue to report to [EMAIL PROTECTED] and others.

twtelecom is staffed by morons, like most other large providers.

-Dan
FetchmailRC and Bayes
I'm running SA v 3.0.2 on Debian Woody. Spamassassin -D --lint returns the following regarding Bayes:

debug: bayes: found bayes db version 3
debug: bayes: Not available for scanning, only 1 spam(s) in Bayes DB < 200

I have been running the following fetchmailrc against ham and spam folders. My ham folder has 283 messages and my spam folder has 1014 messages. I can see that the messages are being read, but for some reason Bayes is not activating now that I have the minimums required for spam and ham. Why isn't Bayes running or even registering that I have more than 1 spam message?

In my /etc/spamassassin/local.cf file I have:

use_bayes 1
bayes_auto_learn 1

# fetchmailrc file
set daemon 3600
set syslog
set no bouncemail
defaults:
    antispam -1
    batchlimit 100
    limit 512000
poll localhost with proto imap
    user [EMAIL PROTECTED]
    mda "/usr/bin/sa-learn --spam --single"
    password secret;
    folder "\#Public/Spam"
    keep
poll localhost with proto imap
    user [EMAIL PROTECTED]
    mda "/usr/bin/sa-learn --ham --single"
    password secret;
    folder "\#Public/Ham"
    keep
# End fetchmailrc file
Re: OT? Threats from twtelecom over spam reports
On Tuesday 29 November 2005 8:26 pm, M. Lewis wrote:
> Chris,
>
> My opinion (opinions are like assholes, everyone has one and they all
> stink).
>
> 1. If the person was legit, he would *not* have responded harshly and
> 'threatened you' that things would get ugly.
>
> 2. There isn't squat he can do to you beyond what he already has.
>
> 3. Block the IP in postfix or your firewall. DONE.
>
> Just my opinion. I'm curious to see what others might say.
>

Thanks Mike, that's been the consensus of others I've talked to about this guy. I'm continuing to report this ip, I have put his address in my "undeliverable" list but continue to report to [EMAIL PROTECTED] and others.

--
Chris
Registered Linux User 283774 http://counter.li.org
21:43:31 up 5 days, 6:22, 2 users, load average: 1.26, 1.02, 1.06
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
~~
Today is the first day of the rest of the mess.
~~
Spamassassin and Mailing Lists
One of the mailing lists I belong to has since the 15th started using SA 3.0.4 and since then all pgp signatures have been as attachments instead of in-line as they were in previous years. Is there a setting in SA that could be causing this? Today I finally got them to remove the x-no-archive:yes so that the list will again be archived at TheAimsGroup, now I need to get them to do something about the signature as an attachment.

Thanks

--
Chris
Registered Linux User 283774 http://counter.li.org
21:30:07 up 5 days, 6:09, 2 users, load average: 0.99, 1.19, 1.17
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
Re: Fetchmail and SA?
jdow wrote:
> That's pretty much true. Although you can fake it with one master
> fetchmailrc with all the user accounts. I've not tried that, though. I do
> poll four accounts from the same .fetchmailrc, though.

the netbsd pkgsrc (and I'm sure the freebsd port too) come with a rc script that does just that (it calls fetchmail with -f -, so as to get the conf from the cmd args).

one thing to get right here if he is going to post mail to an mta is to make sure not to bounce mail (it has already been accepted, so there is no point in bouncing it).
Re: OT? Threats from twtelecom over spam reports
Ultimately twtelecom.net should be responsible. It's their customer they've allocated IP space for. Here is where the IP space was allocated to according to ARIN:

http://ws.arin.net/whois/?queryinput=!%20NET-66-162-83-176-1

On Wednesday, November 30, 2005 at 2:09:20 AM, [EMAIL PROTECTED] confabulated:
> Since about the 22nd or 23rd I've been getting virus laden (Sober.U) spam
> from an address at twtelecom.net (66.162.83.190). All my spam reporting is
> done via two scripts, one is reporter.pl which runs sa-learn and reports to
> Razor, Pyzor and DCC. The other script, which was written by Karsten Self,
> called Spam Tools, actually reports the spam to the abuse address(es) and
> to NANAS. After getting a couple of hundred infected messages I wrote a
> nice email to one of the contacts, he replied:
>
> Please note that the propagation of this address is spoofed. The address you
> are questioning is a global IP for a firewall and is not sending or passing
> the virus.
>
> I've continued reporting the spam using Spam Tools. I also advised him that
> that ip is now blacklisted at Spamhaus.org. It was listed in the composite
> blacklist but was removed today. This afternoon I got the following email:
>
> I can assure you that it is indeed a mistake. These need to be removed
> at once or this will get very ugly!
>
> Below are complete headers from one of the messages from this ip, are these
> in fact from the ip I mentioned?
>
> Status: U
> Return-Path: <[EMAIL PROTECTED]>
> Received: from pop.earthlink.net [209.86.93.201]
>   by localhost with POP3 (fetchmail-6.2.5)
>   for [EMAIL PROTECTED] (single-drop); Tue, 29 Nov 2005 00:50:16 -0600 (CST)
> Received: from picpba.com ([66.162.83.190])
>   by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP
>   id 1eGZi22e13Nl34g0
>   Tue, 29 Nov 2005 01:48:26 -0500 (EST)
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Date: Tue, 29 Nov 2005 06:37:15 UTC
> Subject: Registration Confirmation
> Importance: Normal
> X-Priority: 3 (Normal)
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="=1bba52a03.f0cb"
> Content-Transfer-Encoding: 7bit
> X-SenderIP: 66.162.83.190
> X-ASN: ASN-4323
> X-CIDR: 66.162.83.0/24
>
> I've received another 18 infected messages from this ip again today. I'm
> almost afraid to run my scripts. Can this guy do anything. I mean it's not
> my fault that this ip is being blacklisted. I'll hold off running the
> scripts hoping I'll get some advice from some of you more knowledgeable on
> this stuff.
>
> Thanks
> Chris

--
"This message is made of 100% recycled electrons."
Re: Antidrug.cf deprecated and no longer maintained.
Matt Kettler wrote:
> Since a lot of people are still using antidrug.cf, I'm making a public
> announcement here to clarify.
>
> Antidrug.cf is deprecated and obsolete for all users of SpamAssassin 3.0.0
> or higher. These rules are now a part of the standard SA distribution, and
> any improvements will likely happen directly in the SA project and not on
> the .cf file.
>
> I may at some point in the future, if I ever have spare time again, make a
> new ruleset, but it will be a separate file (ie: antidrug_post31.cf).
>
> Unless you're using SA 2.64, remove the ruleset, as it will cover-up any
> future improvements that may be contributed to the SA distribution.
>
> If you're using a version older than 2.64, you almost certainly have a
> remotely exploitable DoS vulnerability, and need to upgrade.

it would be good to make the file empty, only containing this info. this way, even those who miss this message (and the previous one) still have a chance to get the info.
OT? Threats from twtelecom over spam reports
Since about the 22nd or 23rd I've been getting virus laden (Sober.U) spam from an address at twtelecom.net (66.162.83.190). All my spam reporting is done via two scripts, one is reporter.pl which runs sa-learn and reports to Razor, Pyzor and DCC. The other script, which was written by Karsten Self, called Spam Tools, actually reports the spam to the abuse address(es) and to NANAS. After getting a couple of hundred infected messages I wrote a nice email to one of the contacts, he replied:

> Please note that the propagation of this address is spoofed. The address you
> are questioning is a global IP for a firewall and is not sending or passing
> the virus.

I've continued reporting the spam using Spam Tools. I also advised him that that ip is now blacklisted at Spamhaus.org. It was listed in the composite blacklist but was removed today. This afternoon I got the following email:

> I can assure you that it is indeed a mistake. These need to be removed
> at once or this will get very ugly!

Below are complete headers from one of the messages from this ip, are these in fact from the ip I mentioned?

Status: U
Return-Path: <[EMAIL PROTECTED]>
Received: from pop.earthlink.net [209.86.93.201]
  by localhost with POP3 (fetchmail-6.2.5)
  for [EMAIL PROTECTED] (single-drop); Tue, 29 Nov 2005 00:50:16 -0600 (CST)
Received: from picpba.com ([66.162.83.190])
  by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP
  id 1eGZi22e13Nl34g0
  Tue, 29 Nov 2005 01:48:26 -0500 (EST)
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Tue, 29 Nov 2005 06:37:15 UTC
Subject: Registration Confirmation
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=1bba52a03.f0cb"
Content-Transfer-Encoding: 7bit
X-SenderIP: 66.162.83.190
X-ASN: ASN-4323
X-CIDR: 66.162.83.0/24

I've received another 18 infected messages from this ip again today. I'm almost afraid to run my scripts. Can this guy do anything. I mean it's not my fault that this ip is being blacklisted. I'll hold off running the scripts hoping I'll get some advice from some of you more knowledgeable on this stuff.

Thanks
Chris

--
Chris
Registered Linux User 283774 http://counter.li.org
19:46:59 up 5 days, 4:26, 1 user, load average: 2.18, 2.10, 1.54
Mandriva Linux 10.1 Official, kernel 2.6.8.1-12mdk
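
Added example (not part of the original post, and not code from Spam Tools or SpamAssassin): one way to check which address handed the message over is to walk the Received chain from the top and stop at the first hop whose peer address is outside your own relays. That bracketed address is recorded by the receiving server from the connection itself, while the name after "from" is only what the client announced, and anything below that hop is unverifiable. The trusted address 209.86.93.201/32 and the last Received line of the second sample are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import namedtuple
from email import message_from_string

# helo: name the client announced; ip: peer address the recording server saw;
# by: the server that wrote the header.
Hop = namedtuple("Hop", "helo ip by")

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header value into a Hop."""
    text = " ".join(value.split())              # undo header folding
    if text.lower().startswith("by "):          # local handoff, no "from" clause
        from_part, rest = "", text[3:]
    else:
        from_part, _, rest = text.partition(" by ")
    name = re.match(r"from\s+(\S+)", from_part, re.I)
    addr = _BRACKETED_IP.search(from_part)
    ip = None
    if addr:
        try:
            ip = str(ipaddress.ip_address(addr.group(1)))
        except ValueError:                      # e.g. [999.1.1.1]
            ip = None
    words = rest.split()
    return Hop(name.group(1) if name else None, ip, words[0] if words else None)


def external_hop(raw_headers, trusted_nets):
    """Return the first hop, top-down, whose peer is not one of our relays.

    The top header was written by our own host. Each header further down is
    only believable if the peer that handed the message up is a relay we
    trust, so the walk stops at the first peer outside trusted_nets.
    Returns None when a trusted header carries no usable peer address.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    msg = message_from_string(raw_headers)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop.ip is None:
            return None
        if not any(ipaddress.ip_address(hop.ip) in net for net in nets):
            return hop
    return None


# Headers as quoted in the post (addresses already redacted by the archive).
_TOP = """\
Return-Path: <[EMAIL PROTECTED]>
Received: from pop.earthlink.net [209.86.93.201]
  by localhost with POP3 (fetchmail-6.2.5)
  for [EMAIL PROTECTED] (single-drop); Tue, 29 Nov 2005 00:50:16 -0600 (CST)
Received: from picpba.com ([66.162.83.190])
  by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP
  id 1eGZi22e13Nl34g0
  Tue, 29 Nov 2005 01:48:26 -0500 (EST)
"""
_REST = """\
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Registration Confirmation
X-SenderIP: 66.162.83.190

"""
# CONSTRUCTED line, not from the post: a header the sending side could have
# put in the message before delivery. It sits below the trust boundary.
_CONSTRUCTED = """\
Received: from mail.example.org ([192.0.2.55])
  by relay.example.net with SMTP; Tue, 29 Nov 2005 06:30:00 +0000
"""

PAGE_HEADERS = _TOP + _REST
WITH_CONSTRUCTED_HOP = _TOP + _CONSTRUCTED + _REST

# Assumption: the only relay we trust is the POP server fetchmail polled.
TRUSTED_RELAYS = ["209.86.93.201/32"]

if __name__ == "__main__":
    for label, raw in (("as posted", PAGE_HEADERS),
                       ("with constructed hop", WITH_CONSTRUCTED_HOP)):
        hop = external_hop(raw, TRUSTED_RELAYS)
        print(f"{label}: peer {hop.ip} announced itself as {hop.helo}, "
              f"recorded by {hop.by}")
```
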
Re: Spamd inscrutability. Does it ever look at a user_prefs file?
Ray Klassen wrote:
> Spamassassin 3.04 with SQL support.
>
> I'm trying to set up a global textbased or MYSQL based whitelist. I want
> to be able to support *wildcards* I am able to add specific addresses
> to the AWL using spamassassin --add-addr-to-whitelist but when I've used
> wildcards for some of our desired senders, they seemed to have been
> ignored.
>
> I'd like to keep it simple with
> whitelist_from_rcvd [EMAIL PROTECTED]somedomain.com
>
> in the local.cf file.
>
> spamd is running with

1) did you re-start spamd after editing local.cf?

2) are you sure that you have the correct second-half for the rcvd part?

3) are you sure your trusted_networks is set (or auto-guessed by SA) correctly?

You can check 2 and 3 by switching to a whitelist_from temporarily. If it starts matching you either don't have the right rcvd part, or your trusted_networks might need changing.
Spamd inscrutability. Does it ever look at a user_prefs file?
Spamassassin 3.04 with SQL support.

I'm trying to set up a global textbased or MYSQL based whitelist. I want to be able to support *wildcards* I am able to add specific addresses to the AWL using spamassassin --add-addr-to-whitelist but when I've used wildcards for some of our desired senders, they seemed to have been ignored.

I'd like to keep it simple with

whitelist_from_rcvd [EMAIL PROTECTED]somedomain.com

in the local.cf file.

spamd is running with

SPAMD_OPTS="-x -q -Q -H /var/lib/spamassassin/nobody --max-children 5"

and exim is calling spamc with the user nobody. so I edited the table user_prefs in the mysql database, adding a record that says

username nobody
preference whitelist_from_rcvd
value [EMAIL PROTECTED]somedomain.com

I ran spamd with -D and it seems to have connected with the MYSQL server for user prefs as it certainly did for AWL entries and Bayes tokens, but the spam score on the mail message should certainly go down if the email address is really whitelisted. If I use the AWL it goes down to -50 when I use the --add-addr-to-whitelist flag. So I expect a good healthy minus quantity on a wildcard whitelisting but It never seems to happen.

I recently migrated from a spamd config as follows. This one had no MYSQL server

-u Debian-exim -x --virtual-config-dir /var/lib/spamassassin/%u --create-prefs --max-children 5 --helper-home-dir

I put whitelist_from_rcvd in all kinds of files and they all seemed to be ignored, too. Is it a function of running spamd with -x? if so why did it never read local.cf? -Q is supposed to give you mysql user_prefs functionality with -x

Any pointers?
Re: Bayes feeding
Joe Zitnik wrote:
> I apologize if this has been addressed before, but is there a consensus
> on feeding bayes ham that is outbound from your organization? It seems
> to make sense to me. You can almost guarantee the words bayes will be
> "learning" are related to your organization's business function. Even if
> they are personal e-mail, it seems to be an excellent source of ham. Is
> there a problem with this, or a flaw in my reasoning?

No, I don't see any general flaw, but you need to be sure your internal systems won't be sending any spam/viruses. This may be more difficult than you think, even if you trust all your users. All it takes is one good trojan with a backdoor.

Even if you trust your users to not open email attachments, what about one that loads via an unpatched browser vulnerability (such as the current one for IE that has no patch) that gets exploited by a malicious server after a user mis-types a domain name? It takes a highly security savvy user to be protected against such things. Do any of your users use IE today? Have they disabled javascript entirely?

A properly constructed backdoor is rather difficult to detect until it starts sending spam or doing other misdeeds at the behest of its controller. It's also damn near impossible to prevent an outsider from controlling a good backdoor once it's infected a PC with any kind of Internet access.

And before you mention your firewall protecting you from backdoor, will it protect you against a reverse-shell backdoor?

(For reference, here's a paper on a reverse-shell backdoor over http: http://www.thc.org/papers/fw-backd.htm. Not an uncommon trick, and will get past most stateful inspection and application layer firewalls.)

> Part of the
> reason this is so attractive is that I am having problems matching the
> amount of ham I feed bayes with the amount of spam I have access to.

Although 1:1 is a good ideal, the use of chi-squared combining makes SA's bayes very resistant to considerable deviation. Don't kill yourself trying to get a 1:1 ratio. My current spam:ham ratio is 8.3:1, but I've had ratios as high as 30:1 with no problem.

> Right now, about 80% of my inbound mail is spam.
Bayes feeding
I apologize if this has been addressed before, but is there a consensus on feeding bayes ham that is outbound from your organization? It seems to make sense to me. You can almost guarantee the words bayes will be "learning" are related to your organization's business function. Even if they are personal e-mail, it seems to be an excellent source of ham. Is there a problem with this, or a flaw in my reasoning? Part of the reason this is so attractive is that I am having problems matching the amount of ham I feed bayes with the amount of spam I have access to. Right now, about 80% of my inbound mail is spam.
Re: spamassassin --D lint failing?
Leonard SA wrote:
> Hello,
>
> Thats the funny thing.. i dont have any spaces.. but since i went into
> v310.pre .. i dont get the errors anymore and the test is now error free ..
>
> Thanks..
>
> BTW .. how can i check to see if DCC and razor are working?

You can run a spamassassin --lint -D.. you should see a bunch of DCC and razor output.

> i thought
> they were.. but now since i got bayes to start working today; im
> wondering if its whacked razor and dcc ..

Why would bayes starting have anything to do with razor or dcc??

If anything, I'd suspect they were not working up until you edited v310.pre.

Also if you use spamd, better restart it so init.pre gets reloaded.
Re: spamassassin --D lint failing?
Hello,

Thats the funny thing.. i dont have any spaces.. but since i went into v310.pre .. i dont get the errors anymore and the test is now error free ..

Thanks..

BTW .. how can i check to see if DCC and razor are working? i thought they were.. but now since i got bayes to start working today; im wondering if its whacked razor and dcc ..

##
 0.9 URI_NOVOWELURI: URI hostname has long non-vowel sequence
 0.0 HTML_MESSAGE BODY: HTML included in message
 1.4 HTML_10_20 BODY: Message is 10% to 20% HTML
 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
-0.7 BAYES_20 BODY: Bayesian spam probability is 5 to 20% [score: 0.0997]
 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [80.219.232.76 listed in dnsbl.sorbs.net]
 1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP [80.219.232.76 listed in combined.njabl.org]
###

Regards ..
Leonard

- Original Message -
From: "Matt Kettler" <[EMAIL PROTECTED]>
To: "Leonard SA" <[EMAIL PROTECTED]>
Cc:
Sent: Tuesday, November 29, 2005 4:05 PM
Subject: Re: spamassassin --D lint failing?

> Leonard SA wrote:
> > Hello List ..
> >
> > For some odd reason everytime I restart spamd or run spamassassin --D
> > lint ; I get some odd parse errors.
> >
> > ###
> > [25084] warn: config: failed to parse, now a plugin, skipping: ok_languages_all
> > [25084] warn: config: failed to parse line, skipping: use_dcc_1
> > [25084] warn: config: failed to parse line, skipping: use_razor2_1
> > [25084] dbg: config: allowing user rules!
> > [25084] warn: config: failed to parse, now a plugin, skipping: ok_languages_all
> > [25084] warn: config: failed to parse line, skipping: use_dcc_1
> > [25084] warn: config: failed to parse line, skipping: use_razor2_1
> >
> > From what i can see.. these are all that are failing.. i do have razor2
>
> Ditch the extra underscores at the end. They should be spaces.
>
> "ok_languages all" not "ok_languages_all"
> "use_dcc 1" not "use_dcc_1"
> "use_razor2 1" not "use_razor2_1"
>
> Also, if you're using SA 3.1.0 you must edit v310.pre to load the
> appropriate plugins. Due to license restrictions on free use of the DCC and
> razor servers, the code for these addons is not loaded by default.
Re: spamassassin --D lint failing?
Leonard SA wrote:
> Hello List ..
>
> For some odd reason everytime I restart spamd or run spamassassin --D
> lint ; I get some odd parse errors.
>
> ###
> [25084] warn: config: failed to parse, now a plugin, skipping: ok_languages_all
> [25084] warn: config: failed to parse line, skipping: use_dcc_1
> [25084] warn: config: failed to parse line, skipping: use_razor2_1
> [25084] dbg: config: allowing user rules!
> [25084] warn: config: failed to parse, now a plugin, skipping: ok_languages_all
> [25084] warn: config: failed to parse line, skipping: use_dcc_1
> [25084] warn: config: failed to parse line, skipping: use_razor2_1
>
> From what i can see.. these are all that are failing.. i do have razor2

Ditch the extra underscores at the end. They should be spaces.

"ok_languages all" not "ok_languages_all"
"use_dcc 1" not "use_dcc_1"
"use_razor2 1" not "use_razor2_1"

Also, if you're using SA 3.1.0 you must edit v310.pre to load the appropriate plugins. Due to license restrictions on free use of the DCC and razor servers, the code for these addons is not loaded by default.
spamassassin --D lint failing?
Hello List ..

For some odd reason everytime I restart spamd or run spamassassin --D lint ; I get some odd parse errors.

###
[25084] warn: config: failed to parse, now a plugin, skipping: ok_languages_all
[25084] warn: config: failed to parse line, skipping: use_dcc_1
[25084] warn: config: failed to parse line, skipping: use_razor2_1
[25084] dbg: config: allowing user rules!
[25084] warn: config: failed to parse, now a plugin, skipping: ok_languages_all
[25084] warn: config: failed to parse line, skipping: use_dcc_1
[25084] warn: config: failed to parse line, skipping: use_razor2_1

From what i can see.. these are all that are failing.. i do have razor2 install and dcc ..

I also get these errors..

spf: cannot get Envelope-From, cannot use SPF
[25084] dbg: spf: def_spf_whitelist_from: could not find useable envelope sender
[25084] dbg: plugin: registering glue method for check_for_spf_fail (Mail::SpamAssassin::Plugin::SPF=HASH(0x8ff16a8))
[25084] dbg: rules: ran eval rule __UNUSABLE_MSGID ==> got hit
[25084] dbg: plugin: registering glue method for check_subject_in_whitelist (Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x903aa0c))
[25084] dbg: plugin: registering glue method for check_for_spf_whitelist_from (Mail::SpamAssassin::Plugin::SPF=HASH(0x8ff16a8))
[25084] dbg: spf: spf_whitelist_from: could not find useable envelope sender
###

Even considering those errors.. i still get DCC and RAZOR scoring in my headers.. so all is well, but id just like to know where the problem is at..

Any suggestions? Thanks in advance!

Regards ..
Leonard
Re: sa-update
On Tue, Nov 29, 2005 at 11:24:28AM -0800, Mike Jackson wrote:
> Thanks to another thread today, I discovered the sa-update script (which
> must be new, or I haven't noticed it in 3+ years of using SA). However,

It's new with 3.1.

> when I try to run it on two separate boxes, I get debug output similar to
> this (when invoked with no command line options other than -D):
>
> [8348] dbg: dns: query failed: 0.1.3.updates.spamassassin.org => NXDOMAIN
> [8348] dbg: channel: no updates available, skipping channel
> [8348] dbg: diag: updates complete, exiting with code 0
>
> The pertinent error seems to be the NXDOMAIN for
> 0.1.3.updates.spamassassin.org. Is that normal?

It is for now. We have not, as of yet, published any updates via the default channel, therefore there are no updates available, therefore NXDOMAIN for the "latest update version" request.

Basically the plan was to make the script available such that when we actually do updates, it'll be easier for people to do updates since the script will have been out there for a while.

--
Randomly Generated Tagline:
"see, you field a lot of questions that are unimportant enough to me that I don't bother to look them up if you're not there to answer them for me."
"excellent. I'm like Clippy." - Lukas Karlsson and Theo
sa-update
Thanks to another thread today, I discovered the sa-update script (which must be new, or I haven't noticed it in 3+ years of using SA). However, when I try to run it on two separate boxes, I get debug output similar to this (when invoked with no command line options other than -D):

[8348] dbg: logger: adding facilities: all
[8348] dbg: logger: logging level is DBG
[8348] dbg: generic: SpamAssassin version 3.1.0
[8348] dbg: config: score set 0 chosen.
[8348] dbg: dns: is Net::DNS::Resolver available? yes
[8348] dbg: dns: Net::DNS version: 0.53
[8348] dbg: dns: name server: 72.3.128.240, family: 2, ipv6: 0
[8348] dbg: generic: sa-update version svn231362
[8348] dbg: generic: using update directory: /etc/mail/spamassassin
[8348] dbg: diag: perl platform: 5.008005 linux
[8348] dbg: diag: module installed: Digest::SHA1, version 2.10
[8348] dbg: diag: module installed: Getopt::Long, version 2.34
[8348] dbg: diag: module installed: LWP::UserAgent, version 2.033
[8348] dbg: diag: module installed: HTTP::Date, version 1.46
[8348] dbg: diag: module installed: Archive::Tar, version 1.26
[8348] dbg: diag: module installed: IO::Zlib, version 1.04
[8348] dbg: diag: module installed: DB_File, version 1.809
[8348] dbg: diag: module installed: HTML::Parser, version 3.46
[8348] dbg: diag: module installed: MIME::Base64, version 3.05
[8348] dbg: diag: module installed: Net::DNS, version 0.53
[8348] dbg: diag: module installed: Net::SMTP, version 2.29
[8348] dbg: diag: module installed: Mail::SPF::Query, version 1.997
[8348] dbg: diag: module installed: IP::Country::Fast, version 309.002
[8348] dbg: diag: module installed: Razor2::Client::Agent, version 2.75
[8348] dbg: diag: module not installed: Net::Ident ('require' failed)
[8348] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[8348] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)
[8348] dbg: diag: module installed: Time::HiRes, version 1.82
[8348] dbg: diag: module installed: DBI, version 1.48
[8348] dbg: channel: attempting channel updates.spamassassin.org
[8348] dbg: channel: update directory /etc/mail/spamassassin/updates_spamassassin_org
[8348] dbg: channel: channel cf file /etc/mail/spamassassin/updates_spamassassin_org.cf
[8348] dbg: dns: query failed: 0.1.3.updates.spamassassin.org => NXDOMAIN
[8348] dbg: channel: no updates available, skipping channel
[8348] dbg: diag: updates complete, exiting with code 0

The pertinent error seems to be the NXDOMAIN for 0.1.3.updates.spamassassin.org. Is that normal?
Re: 3.1: config: not parsing, administrator setting: loadplugin Mail::SpamAssassin::Plugin::SPF
Thomas Mueller wrote:
> Matt Kettler wrote:
>
>>At 02:39 AM 11/29/2005, Thomas Mueller wrote:
>>
>>>I don't have any user_prefs files, only the global one.
>>
>>eh? What "global one"?
>
> I don't have any local user, because of that I was sure there is no
> $HOME/.spamassassin/user_prefs and all configuration is done in
> /etc/spamassassin/*.cf - but I was wrong. I use a spamd that is running
> as non root user, and that user had a user_prefs file. I'm sorry, I
> forgot that.

No problem. Just remember that in general it's impossible to execute any process without having the process owned by some userid. Even root has a home directory, so there's always a "user" as far as SA is concerned.

The user may or may not be able to write their own homedir (the "nobody" user generally can't write its own homedir), but there is always one somewhere.
Re: Best choice for more stop spams ? I wait your return
Noc Phibee wrote:
> very Thanks all for answer ...
>
> they have a big difference from 3.1.0 with 3.0.4 ?

RBLs are more efficient in 3.1.0 and higher. There's also been some rule tweaking.

Also, from reviewing the STATISTICS-*.txt files I feel that 3.1.0 had a cleaner mass-check than 3.0.0 did, yielding a better scoreset. (personal opinion)

See the release announcement:
http://marc.theaimsgroup.com/?l=spamassassin-announce&m=112674318914008&w=2

>
> No "specifique" problems when we upgrade 3.0.4 to 3.1.0 ?

Some people have had problems with 3.1.0's new "hot child" forking algorithm. However, there's an option to change spamd to the old "round robin" style.

The rest is in the docs:
http://svn.apache.org/repos/asf/spamassassin/branches/3.1/UPGRADE
http://wiki.apache.org/spamassassin/UpgradeTo310
Re: 3.1: config: not parsing, administrator setting: loadplugin Mail::SpamAssassin::Plugin::SPF
Matt Kettler wrote:
> At 02:39 AM 11/29/2005, Thomas Mueller wrote:
>
>> I don't have any user_prefs files, only the global one.
>
> eh? What "global one"?

I don't have any local user, because of that I was sure there is no $HOME/.spamassassin/user_prefs and all configuration is done in /etc/spamassassin/*.cf - but I was wrong. I use a spamd that is running as non root user, and that user had a user_prefs file. I'm sorry, I forgot that.

> I'd still strongly suggest removing them from *.pre and see if you still
> get the warning. That's a sure-fire way to prove those statements exist
> somewhere else, somewhere they don't belong.

You are absolutely right, that did the trick.

I think I can do all configuration in /etc/spamassassin/local.cf and delete the user_prefs of the spamd user? /etc/spamassassin/local.cf is the master file and user_prefs can overwrite or extend that?

Thanks a lot for your help!

Thomas
Re: Installing SpamAssassin on OS X 10.3.9 Server
At 09:05 AM 11/29/2005, you wrote:
> Hi
>
> I have been trying to install SA on an OS X 10.3.9 Server using CPAN.
>
> I am following instructions from
> http://developer.apple.com/server/fighting_spam.html

I have SA running on my OS/X box (10.4). From what I recall, I compiled from source, so that may be worth trying.

Evan
Installing SpamAssassin on OS X 10.3.9 Server
Hi

I have been trying to install SA on an OS X 10.3.9 Server using CPAN.

I am following instructions from http://developer.apple.com/server/fighting_spam.html

In CPAN I have typed

install Mail::SpamAssassin

It goes through a bunch of things, and then asks me for the postmaster address, which I give it, and then gets hung up on Digest::SHA1, claiming that I do not have the current version.

I try to install Digest::SHA1 in CPAN but it claims that my version is up to date.

From a couple of google searches it seems that some folks who were trying to install SA on FreeBSD had a similar issue, but I don't see any solution.

I am at a loss as to where to go from here. Any Ideas??

Below is the output of my attempt to install SA

Thanks...

Bill Wellington

checking module dependencies and their versions...

** * ERROR: the required Digest::SHA1 module is installed, but is not an up-to-date version.
The Digest::SHA1 module is used as a cryptographic hash for some tests and the Bayes subsystem. It is also used by Razor2.

** * NOTE: the optional Net::DNS (version 0.34) module is installed, but is not an up-to-date version.
Used for all DNS-based tests (SBL, XBL, SpamCop, DSBL, etc.), perform MX checks, and is also used when manually reporting spam to SpamCop. Recommended.
If this is installed and you are using network tests of any variety (which is the default), then you need to make sure the Net::DNS version is sufficiently up-to-date:
- version 0.34 or higher on Unix systems
- version 0.46 or higher on Windows systems

** * NOTE: the optional Mail::SPF::Query module is not installed.
Used to check DNS Sender Policy Framework (SPF) records to fight email address forgery and make it easier to identify spams.

** * NOTE: the optional IP::Country module is not installed.
Used by the RelayCountry plugin (not enabled by default) to determine the domain country codes of each relay in the path of an email.

** * NOTE: the optional Net::Ident module is not installed.
If you plan to use the --auth-ident option to spamd, you will need to install this module.

** * NOTE: the optional IO::Socket::INET6 module is not installed.
This is required if the first nameserver listed in your IP configuration or /etc/resolv.conf file is available only via an IPv6 address.

** * NOTE: the optional IO::Socket::SSL module is not installed.
If you wish to use SSL encryption to communicate between spamc and spamd (the --ssl option to spamd), you need to install this module. (You will need the OpenSSL libraries and use the ENABLE_SSL="yes" argument to Makefile.PL to build and run an SSL compatibile spamc.)

** * NOTE: the optional LWP::UserAgent module is not installed.
The "sa-update" script requires this module to make HTTP requests.

** * NOTE: the optional HTTP::Date module is not installed.
The "sa-update" script requires this module to make HTTP If-Modified-Since GET requests.

REQUIRED module out of date: Digest::SHA1
optional module out of date: Net::DNS
optional module missing: Mail::SPF::Query
optional module missing: IP::Country
optional module missing: Net::Ident
optional module missing: IO::Socket::INET6
optional module missing: IO::Socket::SSL
optional module missing: LWP::UserAgent
optional module missing: HTTP::Date

warning: some functionality may not be available, please read the above report before continuing!

Running make test
Make had some problems, maybe interrupted? Won't test
Running make install
Make had some problems, maybe interrupted? Won't install
Re: Best choice for more stop spams ? I wait your return
very Thanks all for answer ... they have a big difference from 3.1.0 with 3.0.4 ? No "specifique" problems when we upgrade 3.0.4 to 3.1.0 ?

Thanks

Matt Kettler wrote:

At 07:48 AM 11/29/2005, Noc Phibee wrote:

Hi, I want post you my config ;=) i have a small problems: I am thinks that i don't have a good result in scoring. a big quantity of spams are not detected. My server is not a mail server, but only a relay. He run on Qmail with Qmail-scanner and spamassassin 3.0.4. What do you thinks of my spamassassin -D --lint ? I see three problems :

1- "debug: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks" Bayes don't work ?

The way your configuration is set up, the bayes database lives in the home directory of the user calling SA. For qmail-scanner, that user is probably not root, therefore no bayes DB exists in root's homedir. If you wanted a site-wide bayes db that all users will share, you'll need "bayes_path /var/spool/spamassassin/bayes" and "bayes_file_mode 0777" (not 0666!)

2- "debug: Pyzor is not available: pyzor not found" "debug: DCCifd is not available: no r/w dccifd socket found." "debug: DCC is not available: no executable dccproc found." It's a good solution for stop more spams that active this products ?

I like dcc and razor myself, but you'll have to check the licenses. Most people can use these for free, but there are some exceptions for free access to the dcc and razor servers. Pyzor is all-free AFAIK but I've never used it.

3- He have other solution for best detect ? addin a solution of: spamcop, SORBS and other (what is the best ?) How install it ?

SA uses spamcop and sorbs among several other RBLs if you have a recent version of Net::DNS.

Very thanks for all return that you post.

== My local.cf: ==

required_hits 4.9
auto_whitelist_path /var/spool/spamassassin/auto-whitelist
auto_whitelist_file_mode 0666

Broken: fix that to 0777. (Note the default for this is 0700, not 0600. SA "file modes" are really masks and can be used as a mask for dir creation, thus need the X bit)

== My spamassassin -D --lint : ==

Much of that looks relatively normal. SA 3.0.x introduced warnings for long descriptions, but nobody updated the non-english description sets. 3.1.0 has since relaxed the description length and is free of these warnings.

warning: score set for non-existent rule CHARSET_FARAWAY_BODY
warning: score set for non-existent rule CHARSET_FARAWAY_HEADERS

That looks bad.. Those rules should be declared in your /usr/share/spamassassin/20_body_tests.cf. I'd be wondering if your install is goofed up. Check the files in /usr/share/spamassassin and make sure they match the ones in the 3.0.4 tarball.
Antidrug.cf deprecated and no longer maintained.
Since a lot of people are still using antidrug.cf, I'm making a public announcement here to clarify. Antidrug.cf is deprecated and obsolete for all users of SpamAssassin 3.0.0 or higher. These rules are now a part of the standard SA distribution, and any improvements will likely happen directly in the SA project and not on the .cf file. I may at some point in the future, if I ever have spare time again, make a new ruleset, but it will be a separate file (ie: antidrug_post31.cf). Unless you're using SA 2.64, remove the ruleset, as it will cover-up any future improvements that may be contributed to the SA distribution. If you're using a version older than 2.64, you almost certainly have a remotely exploitable DoS vulnerability, and need to upgrade.
Re: 3.1: config: not parsing, administrator setting: loadplugin Mail::SpamAssassin::Plugin::SPF
At 02:39 AM 11/29/2005, Thomas Mueller wrote: I don't have any user_prefs files, only the global one. eh? What "global one"? I'd still strongly suggest removing them from *.pre and see if you still get the warning. That's a sure-fire way to prove those statements exist somewhere else, somewhere they don't belong.
Re: Best choice for more stop spams ? I wait your return
At 07:48 AM 11/29/2005, Noc Phibee wrote:

Hi, I want post you my config ;=) i have a small problems: I am thinks that i don't have a good result in scoring. a big quantity of spams are not detected. My server is not a mail server, but only a relay. He run on Qmail with Qmail-scanner and spamassassin 3.0.4. What do you thinks of my spamassassin -D --lint ? I see three problems :

1- "debug: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks" Bayes don't work ?

The way your configuration is set up, the bayes database lives in the home directory of the user calling SA. For qmail-scanner, that user is probably not root, therefore no bayes DB exists in root's homedir. If you wanted a site-wide bayes db that all users will share, you'll need "bayes_path /var/spool/spamassassin/bayes" and "bayes_file_mode 0777" (not 0666!)

2- "debug: Pyzor is not available: pyzor not found" "debug: DCCifd is not available: no r/w dccifd socket found." "debug: DCC is not available: no executable dccproc found." It's a good solution for stop more spams that active this products ?

I like dcc and razor myself, but you'll have to check the licenses. Most people can use these for free, but there are some exceptions for free access to the dcc and razor servers. Pyzor is all-free AFAIK but I've never used it.

3- He have other solution for best detect ? addin a solution of: spamcop, SORBS and other (what is the best ?) How install it ?

SA uses spamcop and sorbs among several other RBLs if you have a recent version of Net::DNS.

Very thanks for all return that you post.

== My local.cf: ==

required_hits 4.9
auto_whitelist_path /var/spool/spamassassin/auto-whitelist
auto_whitelist_file_mode 0666

Broken: fix that to 0777. (Note the default for this is 0700, not 0600. SA "file modes" are really masks and can be used as a mask for dir creation, thus need the X bit)

== My spamassassin -D --lint : ==

Much of that looks relatively normal. SA 3.0.x introduced warnings for long descriptions, but nobody updated the non-english description sets. 3.1.0 has since relaxed the description length and is free of these warnings.

warning: score set for non-existent rule CHARSET_FARAWAY_BODY
warning: score set for non-existent rule CHARSET_FARAWAY_HEADERS

That looks bad.. Those rules should be declared in your /usr/share/spamassassin/20_body_tests.cf. I'd be wondering if your install is goofed up. Check the files in /usr/share/spamassassin and make sure they match the ones in the 3.0.4 tarball.
Re: Spamassassin learning
At 04:31 AM 11/29/2005, Kryol wrote:

I have the following strings in a local.cf:

use_bayes 1
bayes_path /usr/local/mail/spamassassin/bayes
bayes_auto_learn 0

I used:

sa-learn --spam --showdots --mbox - about 1200 spam messages
sa-learn --ham --showdots --mbox - about 300 ham messages

I see:

$ ls -l /usr/local/mail/spamassassin
total 2440
-rw-rw-rw- 1 spamd spamd 7644 Nov 29 10:02 bayes.mutex
-rw--- 1 root wheel 196608 Nov 29 10:02 bayes_seen
-rw--- 1 root wheel 2703360 Nov 29 10:02 bayes_toks
$

But after spamd restart I don't see any bayes marks in spam messages. Where is my mistake?

You did bayes_path without doing bayes_file_mode. As a result you created a site-wide bayes database, but only root can read it.

Add this to your local.cf:

bayes_file_mode 0777

then stop spamd and do:

chmod 666 /usr/local/mail/spamassassin/bayes_seen
chmod 666 /usr/local/mail/spamassassin/bayes_toks

Then restart spamd.

(note: yes I do mean 0777 above, and 666 below. The bayes_file_mode can be used for directory creation thus needs the "x" bit. SA will not apply more than 666 to your bayes_seen and toks files)
Re: Fetchmail and SA?
Thanks! So I notice a fetchmailrc file is required in each persons "home directory". But their maildir is in their vpopmail folder in the home folder. I will keep reading to see if they explain that. I just want a person to login and be able to setup fetchmail files for each external account. I now understand what the file should be, now just need to figure out how to create it via a GUI interface.

That's pretty much true. Although you can fake it with one master fetchmailrc with all the user accounts. I've not tried that, though. I do poll four accounts from the same .fetchmailrc, though.

Along similar lines, fetchmail has the ability to read configuration from standard input with the -f switch, meaning you can store your fetchmail data in a MySQL database and invoke fetchmail with something like this, which turns your database into fetchmail config statements on the fly.

#!/bin/sh
MYSQL_SERVER="127.0.0.1"
MYSQL_USER="user"
MYSQL_PASS="pass"
MYSQL_DB="database"
mysql -B -s -h $MYSQL_SERVER -u $MYSQL_USER $MYSQL_DB --password=$MYSQL_PASS -e "SELECT * FROM fetchmail" \
| awk {'print "poll "$2" with proto "$3" user "$4" there has pass "$5" and is "$6" here"'} \
| fetchmail --syslog -t30 -f - 2>&1

The script is owned by and run as root, so at least it's not world readable. I have a squirrelmail plugin which maintains this database (hacked together last week, available on request, but with the warning that it stores passwords in clear text). Contact me off-list if you want a copy, I am not convinced it is yet fit for public release or commercial implementation.

Works for me and not a fetchmail rc in sight. The MySQL table is simply id, server, proto, user, pass, username (which assumes that squirrelmail username == local delivery address).

Regards,
Keith Dunnett
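The pipeline in the post above writes database fields unchecked into fetchmail's configuration and passes the MySQL password on the command line. A hardened variant follows as an added example; it is not Keith Dunnett's script, and the option-file path, the POP3/IMAP allow-list and the permitted character sets are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the script from the post. Table columns as described there:
# id, server, proto, user, pass, username.

# Turn tab-separated rows ("mysql -B -s" output) on stdin into fetchmail poll
# statements. A row whose fields could alter the structure of the generated
# config is skipped and reported on stderr. The allow-lists are assumptions.
rows_to_fetchmailrc() {
    awk -F '\t' '
    function reject(why) { printf "skipping row %s: %s\n", $1, why > "/dev/stderr" }
    NF != 6                          { reject("expected 6 fields"); next }
    $2 !~ /^[A-Za-z0-9.-]+$/         { reject("bad server name"); next }
    toupper($3) !~ /^(POP3|IMAP)$/   { reject("protocol not allowed"); next }
    $4 !~ /^[A-Za-z0-9._@+-]+$/      { reject("bad remote user"); next }
    $6 !~ /^[A-Za-z0-9._@+-]+$/      { reject("bad local user"); next }
    $5 == "" || $5 ~ /["\\]/         { reject("password empty or has quote/backslash"); next }
    {
        printf "poll %s with proto %s user \"%s\" there has pass \"%s\" and is \"%s\" here\n",
               $2, toupper($3), $4, $5, $6
    }'
}

# Fetch the rows and hand the generated config to fetchmail on stdin.
# MY_CNF is an assumed path to a root-only (mode 0600) option file whose
# [client] section holds host, user and password, so that no credential
# shows up in the process list. "database" is the placeholder from the post.
poll_from_db() {
    mysql --defaults-extra-file="${MY_CNF:-/root/.fetchmail-my.cnf}" -B -s database \
        -e 'SELECT id, server, proto, user, pass, username FROM fetchmail' \
    | rows_to_fetchmailrc \
    | fetchmail --syslog -t30 -f - 2>&1
}

# Constructed sample rows. Row 2 has a double quote inside the password field,
# row 3 has extra words in the server field; both would change what fetchmail parses.
sample_rows() {
    printf '1\tmail.example.org\tpop3\talice\ts3cret pw\talice\n'
    printf '2\tmail.example.org\tpop3\tbob\tpw" is "root\tbob\n'
    printf '3\tmail.example.org proto IMAP\tpop3\tcarol\tpw\tcarol\n'
}
```

Running `sample_rows | rows_to_fetchmailrc` prints one poll line for row 1 and reports rows 2 and 3 on stderr.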
Spamassassin learning
Hi all,

I have a problem with Bayes. I have the following strings in a local.cf:

use_bayes 1
bayes_path /usr/local/mail/spamassassin/bayes
bayes_auto_learn 0

I used:

sa-learn --spam --showdots --mbox - about 1200 spam messages
sa-learn --ham --showdots --mbox - about 300 ham messages

I see:

$ ls -l /usr/local/mail/spamassassin
total 2440
-rw-rw-rw- 1 spamd spamd 7644 Nov 29 10:02 bayes.mutex
-rw--- 1 root wheel 196608 Nov 29 10:02 bayes_seen
-rw--- 1 root wheel 2703360 Nov 29 10:02 bayes_toks
$

But after spamd restart I don't see any bayes marks in spam messages. Where is my mistake?

Thanks,
Kryol
Re: 3.1: config: not parsing, administrator setting: loadplugin Mail::SpamAssassin::Plugin::SPF
Matt Kettler wrote:
> At 05:14 PM 11/28/2005, Thomas Mueller wrote:
>> The failing plugins are:
>> Mail::SpamAssassin::Plugin::URIDNSBL
>> Mail::SpamAssassin::Plugin::Hashcash
>> Mail::SpamAssassin::Plugin::SPF
>
> Note that these messages don't by themselves mean the plugin isn't
> loading. They could already be loaded when SA encounters a duplicate
> loadplugin statement in a user_prefs file.
>
> I'd try commenting out one of those loadplugin statements entirely, and
> see if you still get the error. If you do, look at your user_prefs files.

I don't have any user_prefs files, only the global one.

Thomas
Re: some messages bypassing spamassasin
From: "Toni Casueps" <[EMAIL PROTECTED]>

There are a few messages that don't have the X-Spam... headers. Are there any conditions under which a message doesn't get checked? I use Spamassassin 3.0.4 under Linux+Postfix. I am invoking it from master.cf (i.e. the IntegratedSpamdInPostfix article of the wiki)

Yes, there is. You have an "all" or "full" rule in your user_prefs and you are using spamc/spamd, I bet. The solution is to run through SpamAssassin if the run through spamc fails. That is what I do and so far I have not found any messages getting through both runs. It happens randomly and originates in eval's within PerMsgStatus.pm.

{^_^}
some messages bypassing spamassasin
There are a few messages that don't have the X-Spam... headers. Are there any conditions under which a message doesn't get checked? I use Spamassassin 3.0.4 under Linux+Postfix. I am invoking it from master.cf (i.e. the IntegratedSpamdInPostfix article of the wiki)
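To see which delivered messages carry no X-Spam headers, as described in this thread, the check can be run over a mailbox. This is an added example, not from the thread; it assumes mbox format and treats any X-Spam-* header in the header section as proof that the message was scanned.

```shell
#!/bin/sh
# Added example. Reads an mbox on stdin and prints the Message-ID of every
# message whose header section contains no X-Spam-* header.
# Usage (path is an assumption): unscanned_messages < /var/mail/someuser
unscanned_messages() {
    awk '
    function report() {
        if (seen && !scanned) print (msgid != "" ? msgid : "(no Message-ID)")
    }
    # An mbox message starts at a "From " line that is first or follows a blank line.
    /^From / && (prev_blank || NR == 1) {
        report()
        seen = 1; scanned = 0; msgid = ""; in_hdr = 1; prev_blank = 0
        next
    }
    in_hdr && /^$/                              { in_hdr = 0 }   # end of headers
    in_hdr && tolower($0) ~ /^x-spam-[a-z-]+:/  { scanned = 1 }
    in_hdr && tolower($0) ~ /^message-id:/      { msgid = $0; sub(/^[^:]*:[ \t]*/, "", msgid) }
    { prev_blank = ($0 == "") }
    END { report() }
    '
}

# Constructed sample mailbox: the first message was scanned, the second was
# not. The X-Spam-Status text in the second message is body text and must not count.
sample_mbox() {
    cat <<'EOF'
From alice@example.org Tue Nov 29 10:00:00 2005
Message-ID: <1@example.org>
X-Spam-Checker-Version: SpamAssassin 3.0.4
X-Spam-Status: No, score=0.1 required=5.0

hello

From bob@example.org Tue Nov 29 10:05:00 2005
Message-ID: <2@example.org>
Subject: no scan headers here

X-Spam-Status: this line is body text, not a header
EOF
}
```

Comparing the reported Message-IDs with the spamd and Postfix logs for the same delivery times shows whether the scan failed or was never invoked.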