Re: Problems with the Spamd Daemon
Hi Matthew,

I tried to start the daemon in the way that you said in your e-mail but the result is the same. For some reason, the daemon goes back to the command line

/usr/bin/spamd -d -u nobody

Thanks anyway for all the help provided by you and the entire list

Jeff =)

Obs: I'm still looking for the answer hehehe

[EMAIL PROTECTED] wrote:
> Jeferson Pessoa Santana wrote:
> > /usr/bin/spamd -i -d -u nobody --allowed-ips=200.X.X.X,127.0.0.1
> >
> > Guys, I think that my e-mail wasn't clear, sorry. The IP 200.x.x.x means that I'm using 200.189.68.194 for example. And I put the 127.0.0.1 because I have an exim daemon started to relay the incoming e-mails.
>
> That was perfectly clear, and I understood that was what you meant. But spamd didn't.
>
> Let's assume the IP address you give above is correct... so this is you...
> http://lacnic.net/cgi-bin/lacnic/whois?query=200.189.68.194
>
> You almost certainly don't want to open your spamd server to the entire LACNIC world:
> 200.x.x.x AKA 200.0.0.0 - 200.255.255.255 AKA 200.0.0.0/8 AKA 200.
>
> You probably meant to open your spamd server only to Digital Express Ltda
> 200.189.68.192 - 200.189.68.255 AKA 200.189.68.192/26
>
> So you would call spamd as
> /usr/bin/spamd -d -u nobody --allowed-ips=200.189.68.192/26,127.0.0.1
submit to spamcop
How does one, if possible, submit a domain/IP address to spamcop? Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
RE: submit to spamcop
Jean-Paul Natola mailto:[EMAIL PROTECTED] said on 06 December 2005 14:36:
> How does one, if possible, submit a domain/IP address to spamcop?

Spamcop lists IPs - SURBL lists URIs

You can sign up for a reporting account at spamcop.net

HTH

Michele

Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting Colocation
http://www.blacknight.ie/
Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239
Re: submit to spamcop
Jean-Paul Natola wrote: How does one, if possible, submit a domain/IP address to spamcop? Did you try this page ? http://www.spamcop.net/fom-serve/cache/125.html -- François Conil Administrateur Systèmes et Réseaux Lenz Oh man... Lenz my mom just asked me to rewind the dvd for her
RE: submit to spamcop
I received another one of those HTML messages about stock quotes. Here's the scoring:

Content analysis details: (4.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.6 NO_REAL_NAME           From: does not include a real name
 0.6 HTML_SHORT_LENGTH      BODY: HTML is extremely short
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.9 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
 0.5 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag

The previous ones were stopped due to the IP being listed in spamcop. I would like to report the IP this one came from BUT, I would like to make sure it's not some innocent person that was used as a relay victim.

-----Original Message-----
From: Michele Neylon :: Blacknight Solutions [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 9:40 AM
To: users@spamassassin.apache.org
Subject: RE: submit to spamcop

Jean-Paul Natola mailto:[EMAIL PROTECTED] said on 06 December 2005 14:36:
> How does one, if possible, submit a domain/IP address to spamcop?

Spamcop lists IPs - SURBL lists URIs

You can sign up for a reporting account at spamcop.net

HTH

Michele

Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting Colocation
http://www.blacknight.ie/
Tel. 1850 927 280 Intl. +353 (0) 59 9183072 UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239
New spam/phising
I'm starting to see a lot of bluebottle email come through. They are scoring either right under my limit or really low. Anyone else see this?

SpamAssassin version 2.63
RH 8
Qmail + qmail-scanner

Here's the header:

Microsoft Mail Internet Headers Version 2.0
Received: from mail2.adventureaquarium.com ([10.0.0.2]) by MAIL-I.adventureaquarium.com with Microsoft SMTPSVC(5.0.2195.6713); Mon, 5 Dec 2005 20:30:11 -0500
Received: (qmail 11352 invoked by uid 511); 6 Dec 2005 01:30:23 -
Received: from by mail2.adventureaquarium.com by uid 508 with qmail-scanner-1.20 (fileformat: ???. spamassassin: 2.63. Clear:RC:0(209.144.225.73):SA:0(0.8/7.5):. Processed in 3.207068 secs); 06 Dec 2005 01:30:23 -
X-Qmail-Scanner-Mail-From: via mail2.adventureaquarium.com
X-Qmail-Scanner: 1.20 (Clear:RC:0(209.144.225.73):SA:0(0.8/7.5):. Processed in 3.207068 secs)
Received: from unknown (HELO fe4.bluebottle.com) (209.144.225.73) by mail2.adventureaquarium.com with SMTP; 6 Dec 2005 01:30:19 -
Received: from fe0.bluebottle.com (fe0.bluebottle.com [209.144.225.92]) by fe4.bluebottle.com (8.13.4/8.13.4) with ESMTP id jB67U6qM030862 for [EMAIL PROTECTED]; Tue, 6 Dec 2005 01:30:07 -0600
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) (authenticated bits=0) by fe0.bluebottle.com (8.13.4/8.13.4) with ESMTP id jB62U4Hf010705 for [EMAIL PROTECTED]; Mon, 5 Dec 2005 20:30:19 -0600
Date: Mon, 5 Dec 2005 20:30:04 -0600
Message-Id: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: hi, ive a new mail address
Content-Type: text/plain; charset=us-ascii
X-Bluebottle-Request: b3df34448d77a539e2b9008edf8366bb
X-Bluebottle-Address: [EMAIL PROTECTED]
X-Bluebottle-Subject: hi, ive a new mail address
X-Qmail-Scanner-1.20: added fake MIME-Version header
MIME-Version: 1.0
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on mail2.adventureaquarium.com
X-Spam-Level:
X-Spam-Status: No, hits=0.8 required=7.5 tests=BAYES_01,NO_REAL_NAME autolearn=no version=2.63
Return-Path:
X-OriginalArrivalTime: 06 Dec 2005 01:30:11.0981 (UTC) FILETIME=[99F683D0:01C5FA04]
Re: Some Perl Modules Not Loading
On Mon, Dec 05, 2005 at 03:44:26PM +, Pete typed : Hello all, If I can just say first of all that I have SpamAssassin working on my system and I'm very happy with it. However, I am curious as to why I can't get every optional module installed as well. I probably don't need them all, but anyway ... OS = Slackware 10.2 (2.4.31) SpamAssassin = 3.1.0 Perl = 5.8.7 [..] On a fresh install of Slackware, I will typically use MCPAN to get SpamAssassin. In the past, this has worked flawlessly. But for some reason now, I cannot obtain and install certain modules. The most annoying of which is Net::DNS. I say 'annoying' as when I start spamd (daemonised), I get the following error : [5742] error: Can't locate Net/DNS.pm in @INC (@INC contains: ../lib /usr/lib/perl5/site_perl/5.8.7/i486-linux /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/5.8.7/i486-linux /usr/lib/perl5/5.8.7 /usr/lib/perl5/site_perl) at /usr/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/DnsResolver.pm line 86. As Net::DNS isn't installed, I'm guessing that's the reason for this error. [..] FWIW, I have installed SpamAssassin 3.0.0 from Mail-SpamAssassin-3.0.0.tar.bz2 (after first uninstalling SpamAssassin 3.1.0) and do not get the above error anymore. Regards, Pete.
Re: New spam/phising
Haven't seen those like that. But that subject line is a standard header for the recent run of Sober viruses. So I assume that is probably a virus.

Loren
RE: Problems with the Spamd Daemon
Jeferson Pessoa Santana wrote:
> Hi Matthew, I tried to start the daemon in the way that you said in your e-mail but the result is the same. For some reason, the daemon goes back to the command line /usr/bin/spamd -d -u nobody. Thanks anyway for all the help provided by you and the entire list

One last try... you said the command line is
/usr/bin/spamd -i -d -u nobody --allowed-ips=200.X.X.X,127.0.0.1

Is it, in fact:
/usr/bin/spamd -i -d -u nobody --allowed-ips=200.189.68.248,127.0.0.1

If so..
RE: Problems with the Spamd Daemon
Jeferson Pessoa Santana wrote:
> Hi Matthew, I tried to start the daemon in the way that you said in your e-mail but the result is the same. For some reason, the daemon goes back to the command line /usr/bin/spamd -d -u nobody. Thanks anyway for all the help provided by you and the entire list

One last try... you said the command line is
/usr/bin/spamd -i -d -u nobody --allowed-ips=200.X.X.X,127.0.0.1

Is it, in fact:
/usr/bin/spamd -i -d -u nobody --allowed-ips=200.189.68.248,127.0.0.1

And furthermore, is the IP of the machine 200.189.68.248?

If so, then /usr/bin/spamd -d -u nobody makes sense.

Why? Because -i is ignored, as it has no interface IP... And --allowed-ips specifies the default IPs anyway.

From the man spamd page:
By default, connections are only accepted from local host [127.0.0.1].

And of course, the interface IP addresses are all on the local host. So that --allowed-ips, though it is parsed, is just a fancy way of specifying the default anyway.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
RE: New spam/phising
Huh, I guess some AV is stripping the attachment or they are using a site to distribute.

Thanks
Jason

-----Original Message-----
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 10:31 AM
To: users@spamassassin.apache.org
Subject: Re: New spam/phising

Haven't seen those like that. But that subject line is a standard header for the recent run of Sober viruses. So I assume that is probably a virus.

Loren
Re: New spam/phising
Alternative explanation: bugs in the particular variant of sober caused it to generate a message without the attachment. Broken and missing attachments are both fairly common bugs in mailworms.

Sidenote: if you're using SA 2.63 you are vulnerable to a remotely exploitable DoS attack. Upgrade to 2.64 (pretty painless, but you'll have to re-install spamcopURI afterwards if you use it) or 3.1.0 (may require more work, and harder on the CPU, but very much worth it if you can).

Jason Staudenmayer wrote:
> Huh, I guess some AV is stripping the attachment or they are using a site to distribute.
RE: Problems with the Spamd Daemon
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> ... Because -i is ignored, as it has no interface IP...

Actually, the documentation says:

-i [*ipaddress*], --listen-ip[=*ipaddress*], --ip-address[=*ipaddress*]
    Tells spamd to listen on the specified IP address (defaults to 127.0.0.1). If you specify no IP address after the switch, spamd will listen on all interfaces. (This is equal to the address 0.0.0.0). You can also use a valid hostname which will make spamd listen on the first address that name resolves to.

So if you specify -i without an argument, it is not ignored. It tells spamd to listen on 0.0.0.0 instead of 127.0.0.1. On at least some systems this makes a difference; for example, on Solaris systems if you are trying to connect from a different machine.
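An added example (not written by any poster in this thread, and not spamd's own code) that models the two settings discussed above, the listen address chosen by -i and the --allowed-ips list, using the defaults quoted from the man page. Expanding "200.X.X.X" and "200." to a /8 follows the reading given earlier in the thread and is an assumption about notation, not a statement of how spamd parses it; a hostname after -i is not handled.

```python
import ipaddress
import shlex

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_allowed_entry(entry):
    """Map one --allowed-ips entry to an ip_network.

    Covers the notations used in the thread: single address, CIDR,
    trailing-dot prefix ("200.") and trailing x wildcards ("200.X.X.X").
    """
    text = entry.strip().lower()
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    parts = text.rstrip(".").split(".")
    while parts and parts[-1] == "x":
        parts.pop()                      # wildcard octets only at the end
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised --allowed-ips entry: %r" % entry)
    prefix = 8 * len(parts)              # one fixed octet = /8, four = /32
    padded = parts + ["0"] * (4 - len(parts))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), prefix))


def parse_spamd_cmdline(cmdline):
    """Return (listen_address, [allowed networks]) for a spamd command line."""
    tokens = shlex.split(cmdline)
    listen = "127.0.0.1"                 # documented default listen address
    allowed = ["127.0.0.1"]              # documented default allowed client
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        name, eq, value = tok.partition("=")
        if tok == "-i":
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if nxt and not nxt.startswith("-"):
                listen = nxt             # -i followed by an address
                i += 1
            else:
                listen = "0.0.0.0"       # bare -i: all interfaces
        elif name in ("--listen-ip", "--ip-address"):
            listen = value if eq else "0.0.0.0"
        elif name == "--allowed-ips" and eq:
            allowed = [v for v in value.split(",") if v]
        i += 1
    return listen, [parse_allowed_entry(a) for a in allowed]


def exposure(cmdline):
    """Summarise who could reach spamd started with this command line."""
    listen, nets = parse_spamd_cmdline(cmdline)
    remote = [n for n in nets if not n.subnet_of(LOOPBACK)]
    return {
        "listen": listen,
        "allowed": [str(n) for n in nets],
        "remote_addresses": sum(n.num_addresses for n in remote),
        # A remote client needs both: a non-loopback listener and an
        # allowed-ips entry that covers it.
        "reachable_remotely": (not ipaddress.ip_address(listen).is_loopback)
        and bool(remote),
    }


def allows(cmdline, client_ip):
    """True if client_ip falls inside one of the allowed networks."""
    _, nets = parse_spamd_cmdline(cmdline)
    return any(ipaddress.ip_address(client_ip) in n for n in nets)


if __name__ == "__main__":
    for cmd in (
        "/usr/bin/spamd -i -d -u nobody --allowed-ips=200.X.X.X,127.0.0.1",
        "/usr/bin/spamd -d -u nobody --allowed-ips=200.189.68.192/26,127.0.0.1",
        "/usr/bin/spamd -i -d -u nobody --allowed-ips=200.189.68.192/26,127.0.0.1",
        "/usr/bin/spamd -d -u nobody",
    ):
        print(cmd)
        print("   ", exposure(cmd))
```

The second command line shows why narrowing --allowed-ips alone does not let a monitoring host connect: without -i the listener stays on 127.0.0.1, so the /26 entry never comes into play.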
Re: Problems with the Spamd Daemon
What I'm trying to do is to monitor the Spamd port with telnet (Ipmonitor is the software that we are using and its IP is 200.189.68.194). I didn't read the entire spamd man page =-P

Thanks
Jeff

[EMAIL PROTECTED] wrote:
> Jeferson Pessoa Santana wrote:
> > Hi Matthew, I tried to start the daemon in the way that you said in your e-mail but the result is the same. For some reason, the daemon goes back to the command line /usr/bin/spamd -d -u nobody. Thanks anyway for all the help provided by you and the entire list
>
> One last try... you said the command line is
> /usr/bin/spamd -i -d -u nobody --allowed-ips=200.X.X.X,127.0.0.1
>
> Is it, in fact:
> /usr/bin/spamd -i -d -u nobody --allowed-ips=200.189.68.248,127.0.0.1
>
> And furthermore, is the IP of the machine 200.189.68.248?
>
> If so, then /usr/bin/spamd -d -u nobody makes sense.
>
> Why? Because -i is ignored, as it has no interface IP... And --allowed-ips specifies the default IPs anyway.
>
> From the man spamd page:
> By default, connections are only accepted from local host [127.0.0.1].
>
> And of course, the interface IP addresses are all on the local host. So that --allowed-ips, though it is parsed, is just a fancy way of specifying the default anyway.
RE: seeing a few new spams with low SA scoring
Obantec Support wrote: SA3.0.0 lowest seen 1.5 (virus snipped) That's not spam, it's a virus... -- Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902 Hispanic Business Inc./HireDiversity.com Software Engineer
RE: seeing a few new spams with low SA scoring
From: Obantec Support [mailto:[EMAIL PROTECTED] [ Example Spam (trimmed to the basics) ] From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: You visit illegal websites Dear Sir/Madam, we have logged your IP-address on more than 30 illegal Websites. Important: Please answer our questions! The list of questions are attached. Yours faithfully, Steven Allison Central Intelligence Agency -CIA- Office of Public Affairs Washington, D.C. 20505 phone: (703) 482-0623 7:00 a.m. to 5:00 p.m., US Eastern time That's not a spam. That's a Sober virus with the payload either missing or removed by someone else. Bowie
Re: seeing a few new spams with low SA scoring
ok so its a virus on some else's PC but i see quite a few incoming in the last week. my AV dropped the attached zip. so SA does not trap it, should i be looking at a procmail rule to dump the emails. - Original Message - From: Bowie Bailey [EMAIL PROTECTED] To: users@spamassassin.apache.org Sent: Tuesday, December 06, 2005 5:20 PM Subject: RE: seeing a few new spams with low SA scoring From: Obantec Support [mailto:[EMAIL PROTECTED] [ Example Spam (trimmed to the basics) ] From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: You visit illegal websites Dear Sir/Madam, we have logged your IP-address on more than 30 illegal Websites. Important: Please answer our questions! The list of questions are attached. Yours faithfully, Steven Allison Central Intelligence Agency -CIA- Office of Public Affairs Washington, D.C. 20505 phone: (703) 482-0623 7:00 a.m. to 5:00 p.m., US Eastern time That's not a spam. That's a Sober virus with the payload either missing or removed by someone else. Bowie -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.1.371 / Virus Database: 267.13.12/192 - Release Date: 05/12/2005
Load issue
So a few times a day I end up having to stop my sendmail on my linux mail server. Here is the back story. I was running 2.64, with procmail and recently upgraded to 3.1. I started the 3.1 with

/usr/bin/spamd -d -c -m10

Which works great, but I think the old spamassassin is still running because when the 10 children get filled up, I start to get a ton of:

/usr/bin/spamc

What's going on here? 2 versions running? What do I do to get rid of the spamc process, and keep it from spawning and then bringing my server to its knees...
Re: seeing a few new spams with low SA scoring
On Tue, Dec 06, 2005 at 05:27:07PM -, Obantec Support wrote:
> ok so its a virus on some else's PC but i see quite a few incoming in the last week. my AV dropped the attached zip.

I call my anti-virus (ClamAV via clamassassin, BTW) from /etc/procmailrc. If it says it's a virus, it goes straight to /dev/null. SA never sees it.

> so SA does not trap it, should i be looking at a procmail rule to dump the emails.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Peace at any price is inflationary.
RE: seeing a few new spams with low SA scoring
From: Obantec Support [mailto:[EMAIL PROTECTED]
> ok so its a virus on some else's PC but i see quite a few incoming in the last week. my AV dropped the attached zip. so SA does not trap it, should i be looking at a procmail rule to dump the emails.

SA does not intentionally try to catch viruses. If they look spammy enough, it will get them, but no special effort is made.

Ideally, your AV program should reject (or drop) viruses. It is very unusual these days for a virus to hitch along with a valid message. Most of them send out their own messages.

If your AV program marks the message somehow to indicate that it cleaned a virus, you can use procmail to detect that marker and dump the message. Alternately, you could have SA detect the AV marker and bump the score if you're paranoid about dropping mail.

Bowie
RE: New spam/phising
I was going to update a while ago but I think qmail-scanner would have broken or something, I'll have to look into it again.

Thanks again
Jason

-----Original Message-----
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 11:53 AM
To: Jason Staudenmayer
Cc: users@spamassassin.apache.org
Subject: Re: New spam/phising

Alternative explanation: bugs in the particular variant of sober caused it to generate a message without the attachment. Broken and missing attachments are both fairly common bugs in mailworms.

Sidenote: if you're using SA 2.63 you are vulnerable to a remotely exploitable DoS attack. Upgrade to 2.64 (pretty painless, but you'll have to re-install spamcopURI afterwards if you use it) or 3.1.0 (may require more work, and harder on the CPU, but very much worth it if you can).

Jason Staudenmayer wrote:
> Huh, I guess some AV is stripping the attachment or they are using a site to distribute.
X-Spam headers placement issue
Hi there.

After installing the brand new SA 3.1.0 I've spotted one small thing. When mail is processed by SA (spamc/spamd from procmail in this example), it adds all the X-Spam headers at the beginning of the mail (prepend). I've submitted a bug [ http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4721 ], but it turns out to be not a bug at all, but the new (3.1.0) header placement scheme.

Still, I'm wondering: Is there a simple way to change the .pm file to switch back to the OLD (pre-3.1.0) method of adding the X-Spam headers (append)? I'd really like to see all of the X- headers (X-Virus is already there, as you can see in the attachment for the bug - http://issues.apache.org/SpamAssassin/attachment.cgi?id=3294action=view ) at the END of the header space.

People with adequate knowledge of perl - please respond ;)

--
GreetZ, SickBoy
Re: X-Spam headers placement issue
When mail is processed by SA ( spamc/spamd from procmail in this example), it adds all the X-Spam headers at the beginning of the mail (prepend). I don't want to be one of those jerks who tells you to read the list archives for an answer, but I know this subject has been raised several times since the release of 3.1.0.
Re: X-Spam headers placement issue
I don't want to be one of those jerks who tells you to read the list archives for an answer, but I know this subject has been raised several times since the release of 3.1.0. Well, I've searched thru archives before posting (vide http://www.nabble.com/SA-Headers-Moved-t365404.html#a1011617 as a decent example), and still my question HOW to do it remains unanswered. So ... I know it's just cosmetics in my case, but considering the fact that I will NOT use the DomainKey validation feature,I'd still like to change it back to append behaviour. -- GreetZ, SickBoy
Re: X-Spam headers placement issue
On Tue, Dec 06, 2005 at 08:08:54PM +0100, SickBoy wrote:
> Well, I've searched thru archives before posting (vide http://www.nabble.com/SA-Headers-Moved-t365404.html#a1011617 as a decent example), and still my question HOW to do it remains unanswered.

What you're looking for is a patch, which no one, apparently, has written up yet. Which means you're left at the step before, which is you have to change the code.

I believe the answer is to change this line in PerMsgStatus.pm:

$new_hdrs_pre .= "X-Spam-$header: $line\n";

to

$new_hdrs_post .= "X-Spam-$header: $line\n";

I haven't tested it or anything, just reading the code.

--
Randomly Generated Tagline:
Due to budget cutbacks and the unexpected collapse of the tech sector, we regret to inform you that the next paycheck you receive will be the last one this millennium. - Jim Niemira (last paycheck of 2000)
RE: OKAY I'am the black man !!!
> it is the opposite to the krisskind, who visits good children, he visits the bad children on the second advent, and hits them ...

Who's got the email addy for DCYF? :)

Well I just learned something today!

--Chris (A lazy american wondering when the heck the second advent is? )
Re: Learning at an MTA
Alan Gutierrez wrote:
> Yes, it helps. I'm fortunate in that the Domino management will be performed by someone who's particularly good at Notes development. I need to get a fix on what Domino can do, and that's why I ask. Apparently, there's already a Spam box on these Domino clients and a macro to add mail to the Spam box. Using your solution with fetchmail instead of kmail, I can automate training of SA via IMAP or POP. But, Ham is confusing. I'd suspect that a user would want to retain control of folder names, rather than lumping everything of value into a Ham folder.

I think he was talking about a ham mailbox (one to post False positives to), not a ham folder.

> Am I correct in assuming that the user puts mail in the Ham folder only if it has been incorrectly marked as Spam? Then I suppose you're running auto-learn maybe, and the Ham folder corrects?

I use 4 IMAP folders:
- Junk folder (people can look here for false positives)
- Junk/Miss for missed spam (I mean .Junk.Miss but let's use slashes)
- Junk/Error for false positives
- Junk/Trash for confirmed spam (can be purged quickly)

sa-learn is run on Junk/Miss (--spam) and Junk/Error (--ham). After that, the messages may be moved (or whatever you want). If the user didn't copy the FP message (he just moved it to the Junk/Error folder), then it should be redelivered after sa-learn (but one must make sure it is not delivered to the Junk folder again).

(Miss, Error and Trash may be shared folders).
RE: submit to spamcop
Jean-Paul Natola [EMAIL PROTECTED] 12/6/2005 10:01 AM
> I would like to report the IP this one came from BUT, I would like to make sure it's not some innocent person that was used as a relay victim

You mean some poor innocent person, who has not kept their PC up to date, hasn't installed anti-virus and/or anti-spyware software, does not use a firewall, yet spends the money on a high-speed Internet access, leaves the PC on all the time, and gets turned into a spamming robot?

What does it matter? If they're just some schmuck with a PC they probably have no intention of installing a legitimate post office on their PC and your reporting them to SpamCop will have no detrimental effects. If it's a legitimate SMTP server, and the schmuck administrator isn't bright enough to keep from getting hijacked, then they deserve to get listed; that's the whole point!

Nuke 'em.

---
Confidentiality Notice
This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential or proprietary information which is legally privileged. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please promptly contact the sender by reply e-mail and destroy all copies of the original message.
URIBL False positive
I'm relatively new to SpamAssassin, but I've managed to get it working well in conjunction with MimeDefang. I'm having a strange problem though, which I hope someone can help me figure out. I'm on a hobby mailing list, and occasionally emails to this list are being tagged as spam by SpamAssassin, based on the website mentioned in the emails being on multiple URIBL lists. Strangely though, when I go to the SURBL checker at rulesemporium.com, the site is NOT shown as being listed on any of these lists. Bayes correctly considers these emails to NOT be spam, but the 4 URIBL positives are enough to put the score over the top. I have included this domain in the whitelist in sa-mimedefang.cf, but that doesn't help. What might cause these lookups to return false positives? Brian Leyton IT Manager Commercial Petroleum Equipment
Re: URIBL False positive
Brian Leyton wrote:
> I'm relatively new to SpamAssassin, but I've managed to get it working well in conjunction with MimeDefang. I'm having a strange problem though, which I hope someone can help me figure out. I'm on a hobby mailing list, and occasionally emails to this list are being tagged as spam by SpamAssassin, based on the website mentioned in the emails being on multiple URIBL lists. Strangely though, when I go to the SURBL checker at rulesemporium.com, the site is NOT shown as being listed on any of these lists.

Are you sure you are checking the right domain at the surbl website? There could be many domains checked, did you check them all? Have you tried pumping the message through the command-line SA?

> Bayes correctly considers these emails to NOT be spam, but the 4 URIBL positives are enough to put the score over the top. I have included this domain in the whitelist in sa-mimedefang.cf, but that doesn't help.

How, exactly, did you do this? whitelist_from? whitelist_from_rcvd? Either of those, if set properly, should cause a -100 point bias to the message, clearly way beyond the reach of URIBL FPs. That suggests to me you used something else, or it's not working due to using the wrong second parameter on a whitelist_from_rcvd.

> What might cause these lookups to return false positives?

It could be a short-term listing that got pulled from SURBL shortly after being added. However, if it's persistent, that's unlikely.
Re: OKAY I'am the black man !!!
On Tuesday, 6 December 2005 20:27, Chris Santerre wrote:
> --Chris (A lazy american wondering when the heck the second advent is? )

last sunday. advent: the four last sundays before christmas eve. so, coming sunday will be 3rd advent.

bye, MH

--
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
Re: Load issue
[EMAIL PROTECTED] wrote:
> So a few times a day I end up having to stop my sendmail on my linux mail server. Here is the back story. I was running 2.64, with procmail and recently upgraded to 3.1. I started the 3.1 with
> /usr/bin/spamd -d -c -m10
> Which works great, but I think the old spamassassin is still running because when the 10 children get filled up, I start to get a ton of:
> /usr/bin/spamc
> What's going on here? 2 versions running? What do I do to get rid of the spamc process, and keep it from spawning and then bringing my server to its knees...

Well, if in fact, your spamd is really busy, and it can't accept more connections, spamc may be waiting around to try again. I'm not 100% positive on the behavior of spamc (I use my own app to connect to spamd from 'doze.) The way mine works, is it will try again after a few seconds of waiting. This may be the cause here.

One way to find out if you have more than one version is to search the system for all references to any spamd/c/assassin and check the versions. This is very tedious, but it gets the end result. If when you do /usr/bin/spamc -V what do you get? Along with /usr/bin/spamd -V and the same for spamassassin (where you have that installed also.) Then do spamc -V, spamd -V, spamassassin -V and see what the system 'thinks' the path is to the programs.

What you describe, to me, seems a normal action when all the connections are filled. Then again, I could be completely wrong :-D

--
Thanks, JamesDR
Re: Load issue
I think I figured it out already. Another helpful user explained that spamc passes the info to spamd. So it would stand to reason that if I have 10 spamd children (each sucking resources) then spamc is going to accept more mail, and queue more mail and suck more resources as you mention. I lowered the children to 5, and my problem has gone away. I guess I will just ignore the maillog warning about children and let it do its job like it should!

on 12/6/05 6:16 PM, JamesDR at [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> > So a few times a day I end up having to stop my sendmail on my linux mail server. Here is the back story. I was running 2.64, with procmail and recently upgraded to 3.1. I started the 3.1 with
> > /usr/bin/spamd -d -c -m10
> > Which works great, but I think the old spamassassin is still running because when the 10 children get filled up, I start to get a ton of:
> > /usr/bin/spamc
> > What's going on here? 2 versions running? What do I do to get rid of the spamc process, and keep it from spawning and then bringing my server to its knees...
>
> Well, if in fact, your spamd is really busy, and it can't accept more connections, spamc may be waiting around to try again. I'm not 100% positive on the behavior of spamc (I use my own app to connect to spamd from 'doze.) The way mine works, is it will try again after a few seconds of waiting. This may be the cause here.
>
> One way to find out if you have more than one version is to search the system for all references to any spamd/c/assassin and check the versions. This is very tedious, but it gets the end result. If when you do /usr/bin/spamc -V what do you get? Along with /usr/bin/spamd -V and the same for spamassassin (where you have that installed also.) Then do spamc -V, spamd -V, spamassassin -V and see what the system 'thinks' the path is to the programs.
>
> What you describe, to me, seems a normal action when all the connections are filled. Then again, I could be completely wrong :-D

The Help Guy
Nantucket.net
[EMAIL PROTECTED]
www.nantucket.net/help
508-228-6777
Re: X-Spam headers placement issue
> I believe the answer is to change this line in PerMsgStatus.pm:
>
> $new_hdrs_pre .= "X-Spam-$header: $line\n";
>
> to
>
> $new_hdrs_post .= "X-Spam-$header: $line\n";
>
> I haven't tested it or anything, just reading the code.

Well Theo, thank God there are people like you around. ;) That's exactly what I needed :)

I hereby announce this thread [SOLVED] :D (yeah).

Thank you very much for yer help.

--
GreetZ, SickBoy
ISP relay /whitelist question
I have a user in Mexico that uses prodigy broadband, she claims that if she tries to send email with her outlook using our SMTP they won't let her, I she tried using their SMTP but then I get this in the log

2005-12-05 13:48:59 H=dsl-201-128-150-16.prod-infinitum.com.mx (acerL1) [201.128.150.16] F=[EMAIL PROTECTED] rejected RCPT [EMAIL PROTECTED]: relay not permitted

If I whitelist her will it work, what approach should I take?

Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax: 212-941-5563
Mailto: [EMAIL PROTECTED]
SpamAssassin 3.0.5 RELEASED
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(NOTE: this is a maintenance release of the 3.0.x branch. If you are already running the more up-to-date, stable 3.1.0, pay no attention! This is only for people who are stuck on 3.0.x for some reason.)

We got enough votes for those tarballs we voted on last week, so it's an official release now. Here are the checksums:

md5sum of archive files:
0d6066561db3e4efff73f00c34584cb8 Mail-SpamAssassin-3.0.5.tar.bz2
12c9f14ffaeb5cb3b5801cc5b5231cdd Mail-SpamAssassin-3.0.5.tar.gz
e0d0e556d5929bb209aedc91ccdb2358 Mail-SpamAssassin-3.0.5.zip

sha1sum of archive files:
30dcfce390a311dfff9430c1b00ae4f7e4357ca8 Mail-SpamAssassin-3.0.5.tar.bz2
99051775deb4566077fdca57a274531bade19bc8 Mail-SpamAssassin-3.0.5.tar.gz
7632e774d111764f041efb9e42453fc38885a1c2 Mail-SpamAssassin-3.0.5.zip

And they're available at http://www.apache.org/dist/spamassassin/ .

Abbreviated changelog:
- - bug 4464: Trivial doco change
- - bug 4346: Skip large messages in sa-learn
- - bug 4570: Optimize a regexp that was blowing perl stack trying to parse very long headers
- - Bug 4275: Fix some incorrectly case-insensitive URL parsing regexps
- - bug 3712: more efficient parsing of messages with lots of newlines in header
- - bug 4065: Recognize new outlook express msgid format
- - bug 4390: Recognize URLs obfuscated using backslashes
- - bug 4439: Fix removal of markup when there are DOS newlines
- - bug 4565: new Yahoo server naming is causing FORGED_YAHOO_RCVD false positives
- - bug 4522: URI parsing with JIS encoding
- - bug 4655: fix redhat init script for spamd to be smarter about stopping processes
- - bug 4190: race condition in round-robin forking algorithm
- - bug 4535: parse mime content boundary with -- correctly
- - bug 3949: fix ALL_TRUSTED misfires

- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFDllKcMJF5cimLx9ARAicsAJ9scH3eWPq7rf3g2usGIPjZnf5cQQCglK8g
WdqjzNMaHzszmTI5xT8nHjk=
=aU+H
-----END PGP SIGNATURE-----
Re: ISP relay /whitelist question
At 09:06 PM 12/6/2005, Jean-Paul Natola wrote:
I have a user in Mexico that uses prodigy broadband, she claims that if she tries to send email with her outlook using our SMTP they won't let her, I she tried using their SMTP but then I get this in the log
2005-12-05 13:48:59 H=dsl-201-128-150-16.prod-infinitum.com.mx (acerL1) [201.128.150.16] F=[EMAIL PROTECTED] rejected RCPT [EMAIL PROTECTED]: relay not permitted
If I whitelist her will it work, what approach should I take?

No, whitelisting won't help. This has nothing to do with spamassassin, and is occurring before SA even has a shot at the message. Your MTA (Mail Transport Agent, aka SMTP server software) itself is refusing to allow her to use it as a relay point for mail.

Generally speaking mailservers allow a restricted list of machines to relay (send mail out) and anybody to deliver (send mail in for local delivery). What's happening here is your user is trying to relay from a machine that isn't a part of your network, thus is not privileged to relay.

Ideally, she should not be using your server for relay, she should be using the prodigy provided SMTP server. If for some absurd reason she has to use your MTA, you'll probably want to set up SMTP AUTH support and have her outlook client authenticate when sending mail.

Whatever you do, don't make your server a blind open-relay that allows the whole world to use it as a relay. You'll end up in every blacklist in the world in a matter of hours doing this, because every spammer in the world will start using you as a site to relay spam through.
Re: seeing a few new spams with low SA scoring
so SA does not trap it, should I be looking at a procmail rule to dump the emails.

Not a bad idea. If for some reason you really want to keep them around but detect them, sare_specific or one of the similar files should catch these.

Loren
Re: OKAY I'am the black man !!!
* Duncan Findlay [EMAIL PROTECTED] [2005-12-06 02:27]: On Mon, Dec 05, 2005 at 01:20:28PM +0100, Christian Eichert wrote: Duncan Findlay wrote: I guess the moral of the story is don't use national cultural references on international mailing lists. ;-) What a dreadfully boring community we would become. -- Alan Gutierrez - [EMAIL PROTECTED] - http://engrm.com/blogometer/
Re: OKAY I'am the black man !!!
Alan Gutierrez wrote: * Duncan Findlay [EMAIL PROTECTED] [2005-12-06 02:27]: On Mon, Dec 05, 2005 at 01:20:28PM +0100, Christian Eichert wrote: Duncan Findlay wrote: I guess the moral of the story is don't use national cultural references on international mailing lists. ;-) What a dreadfully boring community we would become. -- Alan Gutierrez - [EMAIL PROTECTED] - http://engrm.com/blogometer/ I don't mean to assume the moderator's role here but would appreciate taking this topic off line or ending it as it no longer has any relevance to the purpose of this list. Thanks.
Re: X-Spam headers placement issue
From: SickBoy [EMAIL PROTECTED]
I believe the answer is to change this line in PerMsgStatus.pm:
    $new_hdrs_pre .= "X-Spam-$header: $line\n";
to
    $new_hdrs_post .= "X-Spam-$header: $line\n";
I haven't tested it or anything, just reading the code.

Well Theo, thank God there are people like you around. ;) That's exactly what I needed :) I hereby announce this thread [SOLVED] :D (yeah). Thank you very much for yer help.

Don't bother to try to report spam with that header placement if you expect outfits that use DCC to respond. Placing the headers at the bottom that way will screw up the DCC hash they can use to identify the message details as truth. {^_^}
Re: ISP relay /whitelist question
Send the email through Prodigy's smarthost according to Prodigy's rules. The log line quoted indicates a rejection of a dialup ID without proper authentication. Most properly set up email systems prohibit the relaying.

Note that what you see there is not a SpamAssassin issue. Expertise may exist here at some level. But you should ask in a more appropriate list. {^_^}

----- Original Message -----
From: Jean-Paul Natola [EMAIL PROTECTED]
I have a user in Mexico that uses prodigy broadband, she claims that if she tries to send email with her outlook using our SMTP they won't let her, I she tried using their SMTP but then I get this in the log
2005-12-05 13:48:59 H=dsl-201-128-150-16.prod-infinitum.com.mx (acerL1) [201.128.150.16] F=[EMAIL PROTECTED] rejected RCPT [EMAIL PROTECTED]: relay not permitted
If I whitelist her will it work, what approach should I take?
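The relay decision described in the two replies in this thread (anybody may deliver to local domains; only listed hosts or SMTP AUTH clients may relay), as an added Python example that is not part of the original messages and is not Exim's own code. The local domain, relay networks and mail addresses are constructed assumptions; the host and IP in the sample log line are the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed policy values (assumptions, not from the thread).
LOCAL_DOMAINS = {"example.org"}
RELAY_NETS = ["127.0.0.1/32", "192.0.2.0/24"]

# Constructed log line in the format quoted in the thread; the host and IP are
# the ones on the page, the mail addresses are placeholders.
SAMPLE = ("2005-12-05 13:48:59 H=dsl-201-128-150-16.prod-infinitum.com.mx "
          "(acerL1) [201.128.150.16] F=<user@example.org> "
          "rejected RCPT <friend@example.net>: relay not permitted")

REJECT_RE = re.compile(
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\] F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]+)>: (?P<reason>.+)$")


def parse_reject(line):
    """Return client IP, sender, recipient and reason from a reject line."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def rcpt_decision(client_ip, rcpt, authenticated=False,
                  relay_nets=RELAY_NETS, local_domains=LOCAL_DOMAINS):
    """Decide one RCPT command the way the replies describe."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return True, "local delivery"        # anybody may deliver in
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(n) for n in relay_nets):
        return True, "relay from listed host"
    if authenticated:
        return True, "relay after SMTP AUTH"
    return False, "relay not permitted"


def is_open_relay(relay_nets, local_domains=LOCAL_DOMAINS):
    """Self-test: does an unauthenticated outsider get to relay?"""
    outsider = "203.0.113.9"                 # documentation range (RFC 5737)
    ok, _ = rcpt_decision(outsider, "x@elsewhere.invalid", False,
                          relay_nets, local_domains)
    return ok


if __name__ == "__main__":
    hit = parse_reject(SAMPLE)
    print(rcpt_decision(hit["ip"], hit["rcpt"]))
    print(rcpt_decision(hit["ip"], hit["rcpt"], authenticated=True))
    print(is_open_relay(RELAY_NETS), is_open_relay(["0.0.0.0/0"]))
```

The self-test probes with a single outside address, so it catches a wide-open relay list but not one that is merely too broad.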
Re: seeing a few new spams with low SA scoring
From: Loren Wilton [EMAIL PROTECTED]
so SA does not trap it, should I be looking at a procmail rule to dump the emails.

Not a bad idea. If for some reason you really want to keep them around but detect them, sare_specific or one of the similar files should catch these.

I forget what I did here to catch them. They don't get through the huge bundle of rules I run. They generally score fairly high. It MIGHT be that I put in a rule to detect the clamav markup and use it. {^_^}
Re: OKAY I'am the black man !!!
From: saurabh.bhasin [EMAIL PROTECTED] Alan Gutierrez wrote: * Duncan Findlay [EMAIL PROTECTED] [2005-12-06 02:27]: On Mon, Dec 05, 2005 at 01:20:28PM +0100, Christian Eichert wrote: Duncan Findlay wrote: I guess the moral of the story is don't use national cultural references on international mailing lists. ;-) What a dreadfully boring community we would become. -- Alan Gutierrez - [EMAIL PROTECTED] - http://engrm.com/blogometer/ I don't mean to assume the moderator's role here but would appreciate taking this topic off line or ending it as it no longer has any relevance to the purpose of this list. Thanks. And without people to complain we'd not be an Internet Mailing List. {O,o} (Didn't take my 100,000 units of Thorazine today.)
Re: Learning at an MTA
* mouss [EMAIL PROTECTED] [2005-12-06 14:32]:
Alan Gutierrez wrote:
Am I correct in assuming that the user puts mail in the Ham folder only if it has been incorrectly marked as Spam? Then I suppose you're running auto-learn maybe, and the Ham folder corrects?

I use 4 IMAP folders:
- Junk folder (people can look here for false positives)
- Junk/Miss for missed spam (I mean .Junk.Miss but let's use slashes)
- Junk/Error for false positives
- Junk/Trash for confirmed spam (can be purged quickly)

sa-learn is run on Junk/Miss (--spam) and Junk/Error (--ham). after that, the messages may be moved (or whatever you want). if the user didn't copy the FP message (he just moved it to the Junk/Error folder), then it should be redelivered after sa-learn (but one must make sure it is not delivered to the Junk folder again).

I hope this is the final piece of the puzzle, but, how do you resend? I've tried...
formail -s /usr/sbin/sendmail -t alan redeliver
...but I'm getting a forwarding loop bounce message.
-- Alan Gutierrez - [EMAIL PROTECTED] - http://engrm.com/blogometer/
Re: X-Spam headers placement issue
jdow [EMAIL PROTECTED] writes: Don't bother to try to report spam with that header placement if you expect outfits that use DCC to respond. Placing the headers at the bottom that way will screw up the DCC hash they can use to identify the message details as truth. But does spamassassin -r not strip all the headers it inserted before reporting to DCC, Pyzor, spamcop etc? So the header placement should make no difference to DCC.