Re: Rejecting emails in procmailrc?

2006-02-27 Thread jdow

From: Alex Jalali [EMAIL PROTECTED]

Hello,

How can I reject mails that have a high score along with a reason message
instead of moving them to a folder?


I am using this in procmailrc to send spams to junk mail folder which works
fine.

:0:
* ^X-Spam-Status: Yes
/${HOME}/'Junk E-mail'

Now I need something like this to reject mails with score 16 or more

:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
?? 550 Your email is in our spam list. To be removed, write to us at
xxx


Um, and what makes you think such a message is likely to go any place that
cares? By the time SpamAssassin is in the picture with procmail the smtp
transaction has completed. So you cannot terminate it with a 550. Nor can
you extract enough information to send it back to the real sender. So at
that point the correct path is either to simply continue to drop it into
a spam folder and get on with life.

{^_^}


Re: Rejecting emails in procmailrc?

2006-02-27 Thread Andrzej Adam Filip
Alex Jalali wrote:
 Hello,
 
 How can I reject mails that have a high score along with a reason
 message instead of moving them to a folder?
 
 
 I am using this in procmailrc to send spams to junk mail folder which
 works fine.
 
 :0:
 * ^X-Spam-Status: Yes
 /${HOME}/'Junk E-mail'
 
 Now I need something like this to reject mails with score 16 or more
 
 :0:
 * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
 ?? 550 Your email is in our spam list. To be removed, write to us
 at xxx
 
 
 I have setup spamassassin 3 with sendmail and procmail on redhat 9

IMHO it is a bad idea to bounce *spam* messages in procmail scripts
because sender addresses are frequently faked.

For sendmail users much better idea is to integrate spamassassin with
sendmail using milter (e.g. http://mimedefang.org/) and:
* reject spam for (almost) sure in SMTP session [the final dot reply]
  It makes sending host responsible for generating bounce message
* mark most likely spam in headers to allow by recipient verification

-- 
[pl2en Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
http://anfi.homeunix.net/


sa-learn, remote spamd

2006-02-27 Thread wwp
Hello there,


I didn't find a way to make sa-learn training a remote spamassassin
installation (TCP). Would it possible to add this feature in sa-learn
and spamd? Is there a workaround that I couldn't find yet?


Regards,

-- 
wwp




SORBS unreasonable

2006-02-27 Thread Johann Spies
One of our email-servers is blacklisted by SORBS and they want us to
pay $50 to get the server taken off the list.

On enquiry on why we were blacklisted, it came to light that it was
blacklisted on false accounts - a valid mailing list related to one of
our academic departments on campus.

However, no reasoning with them is possible and they insist that it
was spam. Here are quotes from their answers:

I am referring this to the SORBS admin who received the spam. It
doesn't appear that there is any relationship with the spammer. Where
the sender obtained the addresses is not known at this time.

As I suspected, the recipient does not know the sender, so it is
indeed UBE. Where the sender obtained the address is unknown. It
certainly was not sent to a confirmed opt-in list, so it is spam and
the listing is not in error.  In order to be delisted, follow the
instructions on the Spam DB FAQ
http://www.dnsbl.sorbs.net/faq/spamdb.shtml Send confirmation of your
US$50 donation to [EMAIL PROTECTED]

It seems a bit harsh to me to blacklist a server on account of one
such incident.  We are not in a position to verify the facts because
we do not have  the email address of the SORBS admin who received the
spam.

We have three email-gateways and have a very good record as far as
fighting spam is concerned.  Now some of our email gets refused because
one administrator received an email of which he thought that it must
be spam!

How do the members of this list handle situations like that?

Regards
Johann
-- 
Johann Spies  Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

 All we like sheep have gone astray; we have turned 
  every one to his own way; and the LORD hath laid on 
  him the iniquity of us all. Isaiah 53:6 


inconsistent results on dns tests

2006-02-27 Thread Ramprasad
Hi,
  I have seen that dns tests for the same mail sent twice (to different
recipients) give inconsistent results.
The first mail got hit by RCVD_IN_WHOIS_BOGONS and the second did not
(I use a local caching name server). I can't figure out why?
Has this occurred to anybody else?

Thanks
Ram



RE: SORBS unreasonable

2006-02-27 Thread Greg Allen
I noticed you did not say your mailing list was a confirmed opt-in.

If it does not do a confirmed opt-in, you should fix that. Otherwise you
will not stay delisted long. Could get expensive too at $50 a pop.



 On enquiry on why we were blacklisted, it came to light that it was
 blacklisted on false accounts - a valid mailing list related to one of
 our academic departments on campus.



RE: Rejecting emails in procmailrc?

2006-02-27 Thread Greg Allen
If you are using Postfix you can do something like this in header_checks:

/^X-Spam-Level: \*{20}.*/  REJECT  Spam content rejected.

(Test the syntax, but I think the above is correct or very very close.)

header_checks is run as a Postfix process AFTER SA is done with the message,
so you can use it to detect SA spam headers and take an action.

Rather than send a message back (which could make you a spammer) it would be
better to just send it to an admin account for further review or just delete
it.

/^X-Spam-Level: \*{20}.*/  REDIRECT [EMAIL PROTECTED]

  -Original Message-
  From: Alex Jalali [mailto:[EMAIL PROTECTED]
  Sent: Monday, February 27, 2006 2:49 AM
  To: users@spamassassin.apache.org
  Subject: Rejecting emails in procmailrc?

  Hello,

  How can I reject mails that have a high score along with a reason message
  instead of moving them to a folder?

  I am using this in procmailrc to send spams to junk mail folder which works
  fine.

  :0:
  * ^X-Spam-Status: Yes
  /${HOME}/'Junk E-mail'

  Now I need something like this to reject mails with score 16 or more

  :0:
  * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
  ?? "550 Your email is in our spam list. To be removed, write to us at xxx"

  I have setup spamassassin 3 with sendmail and procmail on redhat 9


Mail triggering all rbl while not being listed

2006-02-27 Thread François Conil

Hello,

I'm facing a curious problem : for 3-4 days, one of my users has been 
triggering all rbls each time a mail is sent.


It could not be that serious, weren't for the identity of this 
particular user : the root user on our network filtering smtp gateway.


Basically, the daily report triggers the tests like this :

BIZ_TLD=2.013,
DOMAIN_4U2=1.994,
INFO_TLD=1.273,
MR_DEPOT_URI=0.3,
NORMAL_HTTP_TO_IP=0.175,
NO_RELAYS=-0.001,
SPOOF_OURI=0.104,
URIBL_JP_SURBL=4.087,
URIBL_OB_SURBL=3.008,
URIBL_WS_SURBL=2.14,
URI_4YOU=0.135,
URI_NOVOWEL=0.884

(carriage returns added for an easier reading)

Do you see why all those tests are triggered ?
My first guess was that they are because of all the returned mail sent 
by the smtp filter, which makes the daily report by itself containing a 
lot of spammy material, in terms of domain names/ips.


Thanks in advance,
--
François Conil
Administrateur Systèmes et Réseaux
Pax I wish my lawn was emo, so it would cut itself.



Re: Mail triggering all rbl while not being listed

2006-02-27 Thread Michael Monnerie
On Montag, 27. Februar 2006 12:13 François Conil wrote:
 Basically, the daily report triggers the tests like this :

 BIZ_TLD=2.013,
 DOMAIN_4U2=1.994,
 INFO_TLD=1.273,
 MR_DEPOT_URI=0.3,
 NORMAL_HTTP_TO_IP=0.175,
 NO_RELAYS=-0.001,
 SPOOF_OURI=0.104,
 URIBL_JP_SURBL=4.087,
 URIBL_OB_SURBL=3.008,
 URIBL_WS_SURBL=2.14,
 URI_4YOU=0.135,
 URI_NOVOWEL=0.884

URIBL are hit based on content of the e-mail. As you say it's the daily 
report, I guess there are a lot of URLs in it, hitting all the rules.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




Re: SPF Error: cannot get HELO, cannot use SPF

2006-02-27 Thread mouss
Chris Purves a écrit :
[snip]
 
 What spamc calls EnvelopeFrom is the top header of the message:
 
 Return-path:
 [EMAIL PROTECTED]
 
 I am guessing that exim calls spamc before it adds this header so that
 spamc has less information to work with than when running the tests.
 
 I'm sorry for the very long e-mail...I hope someone has a suggestion as
 to what I can do now.  I am using sa-exim inbetween exim and SA.
 

The Return-Path is added by the MTA when handing mail to something
external (mostly for delivery). whether it'll give it to SA or not
depends on how SA is integrated.



Re: Rejecting emails in procmailrc?

2006-02-27 Thread jdow

Well, Greg, I am not an ISP. However, if I was an admin at an ISP
you can bet that *I* would blacklist any source for that kind of automated
email to the admin account. I'd also submit them as spammers to every
list in the world that I could find.

It is best to let spam rejects die on the floor. You virtually NEVER
reject to the right place.

{^_^}
- Original Message - 
From: Greg Allen [EMAIL PROTECTED]



If you are using Postfix you can do something
like this in header_checks :

/^X-Spam-Level: \*{20}.*/  REJECT  Spam content rejected.


(Test the syntax, but I think the above is correct or very very close.)

header_checks is run as a Postfix process AFTER SA is done with the message,
so you can use it to detect SA spam headers and take an action.

Rather than send a message back (which could make you a spammer) it would be
better to just send it to an admin account for further review or just delete
it.


/^X-Spam-Level: \*{20}.*/  REDIRECT [EMAIL PROTECTED]






 -Original Message-
 From: Alex Jalali [mailto:[EMAIL PROTECTED]

 Hello,

 How can I reject mails that have a high score along with a reason message
instead of moving them to a folder?



 I am using this in procmailrc to send spams to junk mail folder which
works fine.

 :0:
 * ^X-Spam-Status: Yes
 /${HOME}/'Junk E-mail'

 Now I need something like this to reject mails with score 16 or more

 :0:
 * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
 ?? 550 Your email is in our spam list. To be removed, write to us at
xxx





 I have setup spamassassin 3 with sendmail and procmail on redhat 9





Re: Mail triggering all rbl while not being listed

2006-02-27 Thread François Conil

Michael Monnerie a écrit :

On Montag, 27. Februar 2006 12:13 François Conil wrote:


Basically, the daily report triggers the tests like this :

BIZ_TLD=2.013,
DOMAIN_4U2=1.994,
INFO_TLD=1.273,
MR_DEPOT_URI=0.3,
NORMAL_HTTP_TO_IP=0.175,
NO_RELAYS=-0.001,
SPOOF_OURI=0.104,
URIBL_JP_SURBL=4.087,
URIBL_OB_SURBL=3.008,
URIBL_WS_SURBL=2.14,
URI_4YOU=0.135,
URI_NOVOWEL=0.884



URIBL are hit based on content of the e-mail. As you say it's the daily 
report, I guess there are a lot of URLs in it, hitting all the rules.


mfg zmi



Looks like my first guess wasn't that far from truth after all :]

Thanks for the input.

--
François Conil
Administrateur Systèmes et Réseaux
Pax I wish my lawn was emo, so it would cut itself.



Re: Mail triggering all rbl while not being listed

2006-02-27 Thread jdow

Well, I'd ask if there is any possibility some activity of the network
filtering smtp gateway is earning it a berth in the spammer's hall of
fame known as black lists. Are you sending wild rejects to forged
senders rather than the real senders, who are never there to receive
it anyway? Is the machine usable as an open relay for spam?

I'd certainly jettison the .biz TLD. It seems only spammers have them.
But to get on the SURBL lists your system had to spray some unwanted mail
somewhere seriously.

{^_^}
- Original Message - 
From: François Conil [EMAIL PROTECTED]



Hello,

I'm facing a curious problem : for 3-4 days, one of my users have been
triggering all rbls each time a mail is sent.

It could not be that serious, weren't for the identity of this
particular user : the root user on our network filtering smtp gateway.

Basically, the daily report triggers the tests like this :

BIZ_TLD=2.013,
DOMAIN_4U2=1.994,
INFO_TLD=1.273,
MR_DEPOT_URI=0.3,
NORMAL_HTTP_TO_IP=0.175,
NO_RELAYS=-0.001,
SPOOF_OURI=0.104,
URIBL_JP_SURBL=4.087,
URIBL_OB_SURBL=3.008,
URIBL_WS_SURBL=2.14,
URI_4YOU=0.135,
URI_NOVOWEL=0.884

(carriage returns added for an easier reading)

Do you see why all those tests are triggered ?
My first guess was that they are because of all the returned mail sent
by the smtp filter, which makes the daily report by itself containing a
lot of spammy material, in terms of domain names/ips.

Thanks by advance,
--
François Conil
Administrateur Systèmes et Réseaux
Pax I wish my lawn was emo, so it would cut itself. 



Re: SORBS unreasonable

2006-02-27 Thread mouss
Johann Spies a écrit :
 One of our email-servers is blacklisted by SORBS and they want us to
 pay $50 to get the server taken off the list.
 

In many countries, this is called extortion. but this isn't the right
forum to debate this.


[snip]
 
 How do the members of this list handle situations like that?
 

Different people have different opinions. I choose not to use sorbs.
There are enough safer lists.

Now, make sure to have things well configured on your side:

- reject invalid addresses at smtp time. don't accept and bounce
(because you'll bounce to an innocent).

- if you manage lists, make sure to implement confirmed opt-in.

Of course, sorbs can still list you if someone tries to subscribe one of
their traps. ...



Re: Mail triggering all rbl while not being listed

2006-02-27 Thread François Conil

jdow a écrit :

Well, I'd ask if there is any possibility some activity of the network
filtering smtp gateway is earning it a berth in the spammer's hall of
fame known as black lists. Are you sending wild rejects to forged
senders rather than the real senders, who are never there to receive
it anyway? Is the machine usable as an open relay for spam?

I'd certainly jettison the .biz TLD. It seems only spammers have them.
But to get on the SURBL lists your system had to spray some unwanted mail
somewhere seriously.


The weird thing is that the server isn't listed on any rbl list. Hence 
my legitimate interrogation :/



--
François Conil
Administrateur Systèmes et Réseaux
Pax I wish my lawn was emo, so it would cut itself.



Re: sa-learn, remote spamd

2006-02-27 Thread Justin Mason

wwp writes:
 I didn't find a way to make sa-learn training a remote spamassassin
 installation (TCP). Would it possible to add this feature in sa-learn
 and spamd? Is there a workaround that I couldn't find yet?

This is already present in spamc/spamd.  Take a look at the spamc
manual page in 3.1.0 iirc.

--j.


Re: Mail triggering all rbl while not being listed

2006-02-27 Thread Michael Monnerie
On Montag, 27. Februar 2006 12:53 jdow wrote:
 I'd certainly jettison the .biz TLD. It seems only spammers have
 them.

I have one customer with a legitimate .biz address. There may be a 
second, somewhere on this planet. Maybe...

mfg zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




Re: netware

2006-02-27 Thread Matt Kettler
admin wrote:
 Hi

 I have just a simple question and I did not find any exact answer. 
 Is NetWare or is NetWare going to be supported by SpamAssassin?
 Thanks a lot for an answer.
   
Apparently Novell's perl is sufficiently broken that I highly doubt
SpamAssassin will work on it.

I found this which was discussing a netmail plugin for SA:

http://www.novell.com/coolsolutions/tools/14353.html

Unfortunately, per the Perl for NetWare readme, the fork method is not
yet implemented on NetWare
http://developer.novell.com/ndk/readme/perl5.html#ak4jmuc. Not too
big a problem though, I can always use threads. Except scripts that use
the 'Thread' and 'threads' modules may not work as desired
http://developer.novell.com/ndk/readme/perl5.html#ak4jmgd. Ok, no
problem, guess I'll just have to use non-blocking IO. Unfortunately my
tests indicate IO::Select does not work on NetWare either. Bottom line,
there is no way I can see to do this in Perl on NetWare.

While the author was trying to get perl to run his plugin for netmail,
the lack of forking, threading, and nonblocking IO under perl is a
severe deficiency.

I know that SA 3.1.x's DnsResolver.pm uses nonblocking IO to poll sockets..


   



Re: sa-learn, remote spamd

2006-02-27 Thread wwp
Hello Justin,


On Mon, 27 Feb 2006 13:57:21 + [EMAIL PROTECTED] (Justin Mason) wrote:

 
 wwp writes:
  I didn't find a way to make sa-learn training a remote spamassassin
  installation (TCP). Would it possible to add this feature in sa-learn
  and spamd? Is there a workaround that I couldn't find yet?
 
 This is already present in spamc/spamd.  Take a look at the spamc
 manual page in 3.1.0 iirc.

I see, you're right. For my bad, I was using 3.0.x :-\. Thanks!


Regards,

-- 
wwp




SA running, but not working

2006-02-27 Thread Liam-PrintingAutomation

Newbie question:
I'm using Sendmail on an ES4 server that was built by our server's host.
It originally was set up with Procmail, but because of migration 
problems from an old server we had to switch it to Sendmail.

Anyway, Spamassassin was pre-installed.
I just started the service running, but none of our mail is being tagged 
with a X-Spam header.
I've looked for Spamassassin configuration files, and all I could find 
was /etc/mail/spamassassin/local.cf and all I can do in there is change 
the threshold and subject line tag.
Is there something somewhere I need to check/change to get it to work 
with Sendmail?

Just a point in the right direction would be nice. =)
Thanks,
Liam


Re: Rejecting emails in procmailrc?

2006-02-27 Thread Barton L. Phillips
You could of course pipe the mail to a script like perl or awk etc. and 
do the real work there.


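# procmail's regex engine has no {n} repeat count, so the 20 stars are spelled out
:0fh
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*.*
|  /home/myname/mycoolprogram.pl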

Another alternative is use mimedefang and write a rule in 
mimedefang_filter filter_end() to do the job.


Greg Allen wrote:

If you are using Postfix you can do something like this in header_checks :
 
/^X-Spam-Level: \*{20}.*/  REJECT  Spam content rejected. 
 
 
(Test the syntax, but I think the above is correct or very very close.)
 
header_checks is run as a Postfix process AFTER SA is done with the 
message, so you can use it to detect SA spam headers and take an action.
 
Rather than send a message back (which could make you a spammer) it 
would be better to just send it to an admin account for further review 
or just delete it.
 
 
/^X-Spam-Level: \*{20}.*/  REDIRECT [EMAIL PROTECTED]
 
 
 
 
 
 


-Original Message-
*From:* Alex Jalali [mailto:[EMAIL PROTECTED]
*Sent:* Monday, February 27, 2006 2:49 AM
*To:* users@spamassassin.apache.org
*Subject:* Rejecting emails in procmailrc?

Hello,

How can I reject mails that have a high score along with a reason
message instead of moving them to a folder?


I am using this in procmailrc to send spams to junk mail folder
which works fine.

:0:
* ^X-Spam-Status: Yes
/${HOME}/'Junk E-mail'

Now I need something like this to reject mails with score 16 or more

:0:
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
?? 550 Your email is in our spam list. To be removed, write
to us at xxx




I have setup spamassassin 3 with sendmail and procmail on redhat 9




--

Barton L. Phillips
Applied Technology Resources, Inc.
Tel: (818)652-9850
Web: http://www.applitec.com
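
The policy suggested in this thread by Andrzej Adam Filip (reject near-certain spam inside the SMTP session, only mark probable spam in headers) and by Barton L. Phillips (a rule in filter_end()), sketched as a fragment for a site's mimedefang-filter. This is an added example, not code from any poster or from the MIMEDefang project; the threshold of 16 comes from the original question, while the reply text and the choice of headers are assumptions.

```perl
# Added example: fragment for mimedefang-filter. mimedefang.pl supplies
# message_rejected(), spam_assassin_check() and the action_* helpers.

# Assumed policy value: "score 16 or more" from the original question.
my $REJECT_AT = 16;

sub filter_end {
    my ($entity) = @_;

    # An earlier callback may already have rejected this message.
    return if message_rejected();

    # Nothing to do if MIMEDefang runs without SpamAssassin support.
    return unless $Features{"SpamAssassin"};

    # Returns (score, required score, names of rules hit, report text).
    my ($hits, $req, $names, $report) = spam_assassin_check();
    return unless defined $hits;

    if ($hits >= $REJECT_AT) {
        # filter_end() runs before sendmail answers the final dot of DATA,
        # so this becomes a 5xx reply in the still-open SMTP session. The
        # connecting host keeps responsibility for the message; this server
        # never generates a bounce to the (possibly forged) envelope sender.
        md_graphdefang_log('spam_rejected', $hits, $RelayAddr);
        action_bounce("Message rejected as spam (score $hits)",
                      "550", "5.7.1");
        return;
    }

    if ($hits >= $req) {
        # Probable spam: accept it, but tag it so the recipient's existing
        # procmail recipe (^X-Spam-Status: Yes) can file it in a folder.
        my $stars = "*" x ($hits < 40 ? int($hits) : 40);
        action_change_header("X-Spam-Level", $stars);
        action_change_header("X-Spam-Status",
                             "Yes, score=$hits required=$req tests=$names");
    } else {
        # Do not trust X-Spam-* headers that arrived with the message.
        action_delete_header("X-Spam-Level");
        action_delete_header("X-Spam-Status");
    }
}
```

With this in place the 550 is seen by the sending host during delivery, which is the one point at which a rejection reaches whoever actually sent the message.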



Re: Rejecting emails in procmailrc?

2006-02-27 Thread Kris Deugau
[This isn't really an SA question.  You might get a *slightly* warmer 
response on a procmail list, or a sendmail list.]


Alex Jalali wrote:
How can I reject mails that have a high score along with a reason 
message instead of moving them to a folder?


Please don't.  You won't help anyone but yourself, and the behaviour 
you're asking about setting up *WILL* get you blacklisted by mail admins 
all around the world.  Getting off even the more restrictive RBLs is one 
thing...  getting off of a million separate local admins' local 
blacklists is quite another.


If you really insist on doing so, read and understand the procmail and 
procmailrc man pages, and be prepared to not be able to send mail to 
much of anyone in about six months.


-kgd


/etc/shadow access from SA

2006-02-27 Thread leonard . gray

Our intrusion detection software started
picking up thousands of access attempts to /etc/shadow (the UNIX user password
store) shortly after installing SpamAssassin on our mail gateway.

Could one of the developers comment
on why SA might be doing this and/or if this is even an intent? (Running
SA 3.1.0)

Thanks!

Re: SA-LEARN HANGING when database over 2000 SPAM messages

2006-02-27 Thread Steve Thomas
 The first time I encountered this problem is when the spam database has
 around 3000 SPAM and about 1 HAM, the database seems to become
 corrupt. I start to receive PERL errors.
 ...
 Is there a problem with the database when it
 reaches a certain size?

I can't offer much assistance with your problem, but on the db size, I can
say that we were running it with around 25k spams and 25k hams learned,
with sa-learn running on shared imap folders every hour adding more.

This was with SA 2.70-cvs. We just upgraded to 3.1.0 and converted the
bayes and whitelist databases to MySQL. Spamd and MySQL now run on a
dedicated server which is accessed by spamc on our smtp/incoming MX and
sa-learn on our pop/imap server. Our setup is a little complex, but it
works very well.

St-




Re: SA running, but not working

2006-02-27 Thread Matt Kettler
Liam-PrintingAutomation wrote:
 Newbie question:
 I'm using Sendmail on an ES4 server that was built by our server's host.
 It originally was set up with Procmail, but because of migration
 problems from an old server we had to switch it to Sendmail.

Eh? Sendmail isn't a replacement for procmail. Sendmail is a MTA (mail transfer
agent) that handles network transfers of mail. Procmail is a MDA (mail delivery
agent) that handles putting the mail into mailboxes on the local machine.

Most people that use procmail use sendmail as their MTA.

 Anyway, Spamassassin was pre-installed.
 I just started the service running, but none of our mail is being tagged
 with a X-Spam header.

Ok.. you need to do more than that.. you need to modify some part of your
mail chain to feed messages to SA. As it is, SA is available on your system, and
has the spamd daemon running and ready to be fed mail, but nobody is feeding it.

So you have two basic options:

1) tell sendmail to use procmail as a MDA, and add a spamc call to your procmail
config.

2) add a milter to sendmail like spamass-milter or mimedefang, and have those
funnel mail into spamassassin at the MTA level.



Re: /etc/shadow access from SA

2006-02-27 Thread Justin Mason

[EMAIL PROTECTED] writes:
 Our intrusion detection software started picking up thousands of access 
 attempts to /etc/shadow (the UNIX user password store) shortly after 
 installing SpamAssassin on our mail gateway.
 
 Could one of the developers comment on why SA might be doing this and/or 
 if this is even an intent? (Running SA 3.1.0)

unfortunately, this is just what perl does when getpwuid() etc. are called
from perl code; nothing we can do about it from SpamAssassin.

can you config the IDS to silently refuse access?

--j.


Re: SA-LEARN HANGING when database over 2000 SPAM messages

2006-02-27 Thread C. Bensend

 I can't offer much assistance with your problem, but on the db size, I can
 say that we were running it with around 25k spams and 25k hams learned,
 with sa-learn running on shared imap folders every hour adding more.

This is from this morning's sa-learn run:

Total number of HAM messages : 144335
Total number of SPAM messages: 232633

I doubt if the OP's problem has to do with the number of emails.  :)


-- 
A computer lets you make more mistakes faster than any invention
in human history, with the possible exceptions of handguns and
tequila.  -- Dave Pooser



Re: SA running, but not working

2006-02-27 Thread Liam-PrintingAutomation




Matt Kettler wrote:

  Liam-PrintingAutomation wrote:
  
  
Newbie question:
I'm using Sendmail on an ES4 server that was built by our server's host.
It originally was set up with Procmail, but because of migration
problems from an old server we had to switch it to Sendmail.

  
  
Eh? Sendmail isn't a replacement for procmail. Sendmail is a MTA (mail transfer
agent) that handles network transfers of mail. Procmail is a MDA (mail delivery
agent) that handles putting the mail into mailboxes on the local machine.

Most people that use procmail use sendmail as their MTA.

  

Er, my bad. POSTFIX is what the server was originally set up with, not
Procmail. I got those names confused. =/
Sorry.

  
  
Anyway, Spamassassin was pre-installed.
I just started the service running, but none of our mail is being tagged
with a X-Spam header.

  
  
Ok.. you need to do more than that.. you need to modify some part of your
mail chain to feed messages to SA. As it is, SA is available on your system, and
has the spamd daemon running and ready to be fed mail, but nobody is feeding it.

So you have two basic options:

1) tell sendmail to use procmail as a MDA, and add a spamc call to your procmail
config.

2) add a milter to sendmail like spamass-milter or mimedefang, and have those
funnel mail into spamassassin at the MTA level.

OK, I'll see if it's already using Procmail since I now realize the
difference, and try the first option.
Otherwise, based on your suggestion, I found:
http://wiki.apache.org/spamassassin/IntegratedInMta
and that looks like it has all the info I'll need.
Thanks for the clue-by-four!
-Liam





prefs directories with ^M in the name

2006-02-27 Thread Jon D. Slater
Hi all,
 
I’ve read the FAQ and still don’t find this issue.
 
Configuration:
Spamassassin 3.0.4
OS:  Fedora Core 4
SPAMDOPTIONS="-d -u spamassassin -x -P --virtual-config-dir=/usr/share/spamassassin/%u.prefs"
 
So, my prefs files are all being stored in /usr/share/spamassassin
 
Everything seems to be running fine.
 
When I cd into /usr/share/spamassassin and do an ‘ls’, I see:
 
members.prefs
members.prefs^M   (control M, not “^” and “M”)
 
If I remove the “^M” version, after some period of time, they come back.
 
What is creating these? And how do I fix it?
 
Thanks!
 
Jon




RE: /etc/shadow access from SA

2006-02-27 Thread Dallas L. Engelken
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Monday, February 27, 2006 11:50
 To: [EMAIL PROTECTED]
 Cc: SpamAssassin
 Subject: Re: /etc/shadow access from SA 
 
 
 [EMAIL PROTECTED] writes:
  Our intrusion detection software started picking up thousands of 
  access attempts to /etc/shadow (the UNIX user password 
 store) shortly 
  after installing SpamAssassin on our mail gateway.
  
  Could one of the developers comment on why SA might be doing this 
  and/or if this is even an intent? (Running SA 3.1.0)
 
 unfortunately, this is just what perl does when getpwuid() 
 etc. are called from perl code; nothing we can do about it 
 from SpamAssassin.
 
 can you config the IDS to silently refuse access?
 

Justin, Are you positive?  I don't see getpwnam or getpwuid accessing
/etc/shadow on linux.  It hits /etc/passwd for the getpw* calls.

# cat test.pl
my $uid = getpwnam('root');
my $name = getpwuid(0);
print "name=$name uid=$uid\n";

# perl test.pl
name=root uid=0

# strace perl test.pl 2>&1 | grep passwd
open("/etc/passwd", O_RDONLY)   = 3
open("/etc/passwd", O_RDONLY)   = 3

# strace perl test.pl 2>&1 | grep shadow
#

spamassassin clearly hits /etc/shadow.  

# strace spamassassin 2>&1 | grep shadow
open("/etc/shadow", O_RDONLY)   = 3


Must be something else causing it.  Maybe a module that SA requires?

Cya,
D



RE: /etc/shadow access from SA

2006-02-27 Thread Peter P. Benac
Dallas,

   It does on Solaris.  Doesn't do anything other than to see if there is a
matching entry in both /etc/passwd and /etc/shadow and it checks to see
if the user is still able to log in. Linux should actually do the same
thing, but Solaris PAM and Linux PAM do operate differently.

Pete

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Monday, February 27, 2006 11:50
 To: [EMAIL PROTECTED]
 Cc: SpamAssassin
 Subject: Re: /etc/shadow access from SA


 [EMAIL PROTECTED] writes:
  Our intrusion detection software started picking up thousands of
  access attempts to /etc/shadow (the UNIX user password
 store) shortly
  after installing SpamAssassin on our mail gateway.
 
  Could one of the developers comment on why SA might be doing this
  and/or if this is even an intent? (Running SA 3.1.0)

 unfortunately, this is just what perl does when getpwuid()
 etc. are called from perl code; nothing we can do about it
 from SpamAssassin.

 can you config the IDS to silently refuse access?


 Justin, Are you positive?  I don't see getpwnam or getpwuid accessing
 /etc/shadow on linux.  It hits /etc/passwd for the getpw* calls.

 # cat test.pl
 my $uid = getpwnam('root');
 my $name = getpwuid(0);
 print "name=$name uid=$uid\n";

 # perl test.pl
 name=root uid=0

 # strace perl test.pl 2>&1 | grep passwd
 open("/etc/passwd", O_RDONLY)   = 3
 open("/etc/passwd", O_RDONLY)   = 3

 # strace perl test.pl 2>&1 | grep shadow
 #

 spamassassin clearly hits /etc/shadow.

 # strace spamassassin 2>&1 | grep shadow
 open("/etc/shadow", O_RDONLY)   = 3


 Must be something else causing it.  Maybe a module that SA requires?

 Cya,
 D





Peter P. Benac, CCNA
Emacolet Networking Services, Inc
Providing Network and Systems Project Management and Installation and
Web Hosting.
Phone: 919-618-2557
Web: http://www.emacolet.com
Need quick reliable Systems or Network Management advice visit
http://www.nmsusers.org

To have principles...
First have courage.. With principles comes integrity!!!



RE: /etc/shadow access from SA

2006-02-27 Thread Dallas L. Engelken
 -Original Message-
 From: Peter P. Benac [mailto:[EMAIL PROTECTED] 
 
 Dallas,
 
It does on Solaris.  Doesn't do anything other than to see if 
 there is a matching entry in both /etc/passwd and /etc/shadow 
 and it checks to see if the user is still able to log in. 
 Linux should actually do the same thing, but Solaris PAM and 
 Linux PAM do operate differently.
 
 Pete

Peter,

I show it on linux below.  getpw* calls on my box below do not access
/etc/shadow, yet running spamassassin on the same box accesses
/etc/shadow.  SA uses getpwnam() and getpwuid(), but it can't be either
of those causing it.  So it has to be something else.  I just don't have
the time right now to trace it down any further to provide an answer.

D


 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Monday, February 27, 2006 11:50
  To: [EMAIL PROTECTED]
  Cc: SpamAssassin
  Subject: Re: /etc/shadow access from SA
 
 
  [EMAIL PROTECTED] writes:
   Our intrusion detection software started picking up thousands of 
   access attempts to /etc/shadow (the UNIX user password
  store) shortly
   after installing SpamAssassin on our mail gateway.
  
   Could one of the developers comment on why SA might be 
 doing this 
   and/or if this is even an intent? (Running SA 3.1.0)
 
  unfortunately, this is just what perl does when getpwuid() 
 etc. are 
  called from perl code; nothing we can do about it from 
 SpamAssassin.
 
  can you config the IDS to silently refuse access?
 
 
  Justin, Are you positive?  I don't see getpwnam or getpwuid 
 accessing 
  /etc/shadow on linux.  It hits /etc/passwd for the getpw* calls.
 
  # cat test.pl
  my $uid = getpwnam('root');
  my $name = getpwuid(0);
  print "name=$name uid=$uid\n";
 
  # perl test.pl
  name=root uid=0
 
  # strace perl test.pl 2>&1 | grep passwd
  open("/etc/passwd", O_RDONLY)   = 3
  open("/etc/passwd", O_RDONLY)   = 3
 
  # strace perl test.pl 2>&1 | grep shadow
  #
 
  spamassassin clearly hits /etc/shadow.
 
  # strace spamassassin 2>&1 | grep shadow
  open("/etc/shadow", O_RDONLY)   = 3
 
 
  Must be something else causing it.  Maybe a module that SA requires?
 
  Cya,
  D
 
 
 
 
 
 Peter P. Benac, CCNA
 Emacolet Networking Services, Inc
 Providing Network and Systems Project Management and 
 Installation and Web Hosting.
 Phone: 919-618-2557
 Web: http://www.emacolet.com
 Need quick reliable Systems or Network Management advice 
 visit http://www.nmsusers.org
 
 To have principles...
 First have courage.. With principles comes integrity!!!
 
 


FP on URIBL_JP_SURBL + URIBL_SBL

2006-02-27 Thread Dave Pooser
So I noticed some messages from one of my mailing lists landed in the ol'
spambucket; there was a URI in there for 4dquiz-com (dot instead of dash)
and it hit on URIBL_JP_SURBL and URIBL_SBL which scored enough to override
BAYES_00. Problem is, as best I can tell it's not on the SBL:
[dave:~] bubbadv% dig +short 4dquiz[-]com
83.104.129.88
[dave:~] bubbadv% dig +short 88.129.104.83.sbl.spamhaus.org
[dave:~] bubbadv% 

(I'll take up the jp.surbl.org FP separately, as it's at least a listing,
albeit IMHO unwarranted.)

I'm running SA 3.1.on Mac OS X 10.3.9 with Perl 5.8.1-RC3; I know there was
a URI bug with SA 3.0 but I should be safe from that.

Any thoughts?
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
I don't think there's a problem you CAN'T solve with murder!




Re: Mail triggering all rbl while not being listed

2006-02-27 Thread mouss
François Conil wrote:
 Hello,
 
 I'm facing a curious problem : for 3-4 days, one of my users has been
 triggering all rbls each time a mail is sent.
 
 It would not be that serious, were it not for the identity of this
 particular user : the root user on our network filtering smtp gateway.
 
 Basically, the daily report triggers the tests like this :
 
 BIZ_TLD=2.013,
 DOMAIN_4U2=1.994,
 INFO_TLD=1.273,
 MR_DEPOT_URI=0.3,
 NORMAL_HTTP_TO_IP=0.175,
 NO_RELAYS=-0.001,
 SPOOF_OURI=0.104,
 URIBL_JP_SURBL=4.087,
 URIBL_OB_SURBL=3.008,
 URIBL_WS_SURBL=2.14,
 URI_4YOU=0.135,
 URI_NOVOWEL=0.884

I see no RBLs here. These got hit because of the mail content. Your
reports contain URIs that hit these.

You should not filter mail from your system account (unless this
account is also used to send normal mail).



RE: prefs directories with ^M in the name

2006-02-27 Thread Giff Hammar
Jon,

Typically, it's the difference between UNIX and Windows. If you edited a
conf file in Windows and used binary mode to transfer it to the SA machine,
the ^M would be in the conf file. There are a couple of ways around it. The
first is to transfer in ASCII mode, the second is to run dos2unix on the
file and the third is to edit the conf file in vi on the SA machine. If you
choose the third option, open the file in vi and you should see ^M at the
end of each line. 
Type
:1,$ s/^v^m// what you will actually see is :1,$ s/^M//
and press enter. The ^V won't actually appear, but it will force vi to look
for ^M vice the ^ character followed by M.

Hope this helps.

Giff

-Original Message-
From: Jon D. Slater [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 27, 2006 1:01 PM
To: users@spamassassin.apache.org
Subject: prefs directories with ^M in the name

Hi all,
 
I’ve read the FAQ and still don’t find this issue.
 
Configuration:
Spamassassin 3.0.4
OS:  Fedora Core 4
SPAMDOPTIONS="-d -u spamassassin -x  -P --virtual-config-dir=/usr/share/spamassassin/%u.prefs"
 
So, my prefs files are all being stored in /usr/share/spamassassin
 
Everything seems to be running fine.
 
When I cd into /usr/share/spamassassin and do an ‘ls’, I see:
 
members.prefs
members.prefs^M   (control M, not “^” and “M”)
 
If I remove the “^M” version, after some period of time, they come back.
 
What is creating these? And how do I fix it?
 
Thanks!
 
Jon






question on training spamassassin

2006-02-27 Thread Webmaster
A large number of our clients are using POP.
If I were to ask them to send false negatives to [EMAIL PROTECTED] 
and false positives to [EMAIL PROTECTED] so I can place them in 
a folder and train,  does that hinder the training process in 
any way knowing that the header info is changed with the 
forwarding process.

Thanks.



Re: /etc/shadow access from SA

2006-02-27 Thread Theo Van Dinter
On Mon, Feb 27, 2006 at 12:01:31PM -0600, Dallas L. Engelken wrote:
 Justin, Are you positive?  I don't see getpwnam or getpwuid accessing
 /etc/shadow on linux.  It hits /etc/passwd for the getpw* calls.
 
 # cat test.pl
 my $uid = getpwnam('root');
 my $name = getpwuid(0);
 print "name=$name uid=$uid\n";

That's because you're not asking for information found in shadow... :)

 # strace perl test.pl 2>&1 | grep passwd
 open("/etc/passwd", O_RDONLY)   = 3
 open("/etc/passwd", O_RDONLY)   = 3

Here's my version:

# cat t
my @info = getpwnam("root");
my @info2 = getpwuid(0);

# strace perl t
[...]
open("/etc/passwd", O_RDONLY)   = 3
[...]
read(3, ...\n..., 4096) = 2737
close(3) = 0
open("/etc/shadow", O_RDONLY)   = 3
[...]
read(3, .., 4096) = 2030
close(3) = 0
open("/etc/passwd", O_RDONLY)   = 3
[...]
read(3, ...\n..., 4096) = 2737
close(3) = 0
open("/etc/shadow", O_RDONLY)   = 3
[...]
read(3, .., 4096) = 2030
close(3) = 0

I would assume this is implementation dependent, but it appears that
the linux glibc version of getpwnam(), etc, is smart enough to figure
out that you're only asking for information that comes from passwd,
so that's all it reads.  If you're like spamassassin though, and want a
user's home directory, the call asks for all available information, which
will include the password field which may need to come out of shadow.
If I run that script as non-root, I see 2 of these calls:

open("/etc/shadow", O_RDONLY)   = -1 EACCES (Permission denied)

which is what you expect, but the function still tries to open up the
file.  Since shadow isn't available, the x is left in the password
field for non-root users.

:)

-- 
Randomly Generated Tagline:
There are two major products to come out of Berkeley: LSD and UNIX.  We
 don't believe this to be a coincidence.  - Unknown
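
For the IDS question that started this thread, strace output like the above can be summarised per file, intent and outcome before deciding which alerts to suppress. This is an added example, not code from the thread or from SpamAssassin; the trace lines are constructed, and the `SENSITIVE` set and the read/write triage rule are assumptions.

```python
import re
from collections import Counter

# Files treated as sensitive for this example (assumption; adjust to the IDS policy).
SENSITIVE = {"/etc/shadow", "/etc/gshadow"}

# One strace line for open()/openat(): path, flags, return value, optional errno.
OPEN_RE = re.compile(
    r'\b(?:open|openat)\((?:[^,"]+,\s*)?'      # optional dirfd argument of openat()
    r'"(?P<path>[^"]*)",\s*(?P<flags>[A-Z_|]+)'
    r'(?:,\s*[0-7]+)?\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z]+))?'
)


def classify(line):
    """Return (path, intent, outcome) for an open of a sensitive file, else None."""
    m = OPEN_RE.search(line)
    if not m or m.group("path") not in SENSITIVE:
        return None
    flags = set(m.group("flags").split("|"))
    intent = "write" if {"O_WRONLY", "O_RDWR"} & flags else "read"
    if int(m.group("ret")) >= 0:
        outcome = "granted"
    elif m.group("errno") in ("EACCES", "EPERM"):
        outcome = "denied"
    else:
        outcome = "failed"          # e.g. ENOENT: the file is not there at all
    return m.group("path"), intent, outcome


def summarize(trace_text):
    """Count sensitive-file opens in strace output, keyed by (path, intent, outcome)."""
    hits = (classify(line) for line in trace_text.splitlines())
    return Counter(h for h in hits if h is not None)


def needs_attention(summary):
    """Read-only opens match the account-lookup pattern shown in the thread;
    write opens do not, so they stay alert-worthy (triage rule is an assumption)."""
    return sorted(key for key in summary if key[1] == "write")


# Constructed trace, modelled on the output quoted in the thread.
SAMPLE_TRACE = '''\
open("/etc/passwd", O_RDONLY)   = 3
open("/etc/shadow", O_RDONLY)   = 3
open("/etc/passwd", O_RDONLY)   = 3
open("/etc/shadow", O_RDONLY)   = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/etc/shadow", O_RDWR)     = -1 EACCES (Permission denied)
'''

if __name__ == "__main__":
    report = summarize(SAMPLE_TRACE)
    for key, count in sorted(report.items()):
        print(count, *key)
    print("review:", needs_attention(report))
```
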




Re: FP on URIBL_JP_SURBL + URIBL_SBL

2006-02-27 Thread Matt Kettler
Dave Pooser wrote:
 So I noticed some messages from one of my mailing lists landed in the ol'
 spambucket; there was a URI in there for 4dquiz-com (dot instead of dash)
 and it hit on URIBL_JP_SURBL and URIBL_SBL which scored enough to override
 BAYES_00. Problem is, as best I can tell it's not on the SBL:
 [dave:~] bubbadv% dig +short 4dquiz[-]com
 83.104.129.88
 [dave:~] bubbadv% dig +short 88.129.104.83.sbl.spamhaus.org
 [dave:~] bubbadv% 

SA doesn't look up the host's IP against SBL.. it looks up the IPs of the
nameservers.

In this case, the nameserver 66.249.5.25 is listed in the SBL.


Re: prefs directories with ^M in the name

2006-02-27 Thread mouss
Giff Hammar wrote:
 Jon,
 
 Typically, it's the difference between UNIX and Windows. If you edited a
 conf file in Windows and used binary mode to transfer it to the SA machine,
 the ^M would be in the conf file. There are a couple of ways around it. The
 first is to transfer in ASCII mode, the second is to run dos2unix on the
 file and the third is to edit the conf file in vi on the SA machine. If you
 choose the third option, open the file in vi and you should see ^M at the
 end of each line. 
 Type
 :1,$ s/^v^m// what you will actually see is :1,$ s/^M//
 and press enter. The ^V won't actually appear, but it will force vi to look
 for ^M vice the ^ character followed by M.
 
 Hope this helps.

The OP's issue is that something creates these as _files_.



Re: FP on URIBL_JP_SURBL + URIBL_SBL

2006-02-27 Thread Matt Kettler
Dave Pooser wrote:
 So I noticed some messages from one of my mailing lists landed in the ol'
 spambucket; there was a URI in there for 4dquiz-com (dot instead of dash)
 and it hit on URIBL_JP_SURBL and URIBL_SBL which scored enough to override
 BAYES_00.

Also, for what it's worth, in SA 3.1.0, URIBL_JP_SURBL + URIBL_SBL + BAYES_00 is
less than 5.0.


score BAYES_00 0.0001 0.0001 -2.312 -2.599
score URIBL_JP_SURBL 0 3.360 0 4.087
score URIBL_SBL 0 1.094 0 1.639

Adding up the set 3 scores, we get 3.127 points. Clearly well below 5.0.

So your statement that BAYES_00 could not over-ride the two URIBLs is a bit 
untrue.
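
The four numbers on each `score` line are SpamAssassin's score sets (0: no Bayes, no network tests; 1: network only; 2: Bayes only; 3: both), and a line with a single number applies to all four. The following added example, which is not code from the thread or from SpamAssassin, totals the three rules per set and shows how one local override changes the verdict; the override value is constructed, since the thread does not give the poster's real local score.

```python
THRESHOLD = 5.0  # the spam threshold the thread refers to (SpamAssassin's default)

# Score lines exactly as quoted in the message above.
DEFAULT_SCORES = """\
score BAYES_00 0.0001 0.0001 -2.312 -2.599
score URIBL_JP_SURBL 0 3.360 0 4.087
score URIBL_SBL 0 1.094 0 1.639
"""

# Constructed local.cf override (assumption; the real value is not in the thread).
LOCAL_CF = """\
score URIBL_SBL 4.0   # raised locally
"""

HITS = ["BAYES_00", "URIBL_JP_SURBL", "URIBL_SBL"]


def score_set(bayes, net):
    """Score-set index: 0 = neither, 1 = network only, 2 = Bayes only, 3 = both."""
    return (2 if bayes else 0) + (1 if net else 0)


def parse_scores(*configs):
    """Parse `score NAME v [v v v]` lines; later files override earlier ones."""
    table = {}
    for text in configs:
        for raw in text.splitlines():
            fields = raw.split("#", 1)[0].split()
            if len(fields) < 3 or fields[0] != "score":
                continue
            values = [float(v) for v in fields[2:]]
            if len(values) == 1:
                values = values * 4          # one value is used for every score set
            if len(values) != 4:
                raise ValueError("expected 1 or 4 scores: " + raw)
            table[fields[1]] = values
    return table


def message_score(table, hits, bayes=True, net=True):
    """Sum the scores of the rules that hit, using the active score set."""
    idx = score_set(bayes, net)
    return round(sum(table[name][idx] for name in hits), 4)


def is_spam(table, hits, bayes=True, net=True):
    return message_score(table, hits, bayes, net) >= THRESHOLD


if __name__ == "__main__":
    stock = parse_scores(DEFAULT_SCORES)
    tuned = parse_scores(DEFAULT_SCORES, LOCAL_CF)
    print("stock, set 3:", message_score(stock, HITS), is_spam(stock, HITS))
    print("tuned, set 3:", message_score(tuned, HITS), is_spam(tuned, HITS))
```
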


Re: question on training spamassassin

2006-02-27 Thread Jeff Portwine
I'm a SA newbie myself, but  I believe I've read that all the headers, etc, 
are stripped before the learning takes place, so it should work fine for you 
to have your users go ahead and do that for training.


Somebody here will correct me if I'm wrong...

-Jeff

- Original Message - 
From: Webmaster [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Monday, February 27, 2006 1:45 PM
Subject: question on training spamassassin



A large number of our clients are using POP.
If I were to ask them to send false negatives to [EMAIL PROTECTED]
and false positives to [EMAIL PROTECTED] so I can place them in
a folder and train,  does that hinder the training process in
anyway knowing that the header info is changed with the
forwarding process.

Thanks.






Re: question on training spamassassin

2006-02-27 Thread Theo Van Dinter
On Mon, Feb 27, 2006 at 02:14:22PM -0500, Jeff Portwine wrote:
 I'm a SA newbie myself, but  I believe I've read that all the headers, etc, 
 are stripped before the learning takes place, so it should work fine for 
 you to have your users go ahead and do that for training.
 
 Somebody here will correct me if i'm wrong...

The SpamAssassin headers are stripped, but the other headers are definitely
not stripped!  Bayes takes tokens from the headers all the time.

http://wiki.apache.org/spamassassin/BayesFaq

may be of use. :)

-- 
Randomly Generated Tagline:
If I were here more often, I wouldn't be gone so much.




RE: prefs directories with ^M in the name [SOLVED]

2006-02-27 Thread Jon D. Slater
Thank you Giff!  You are exactly right!

Doing a file /etc/sysconfig/spamassassin tells me the file is CRLF
terminated.

Doing a dos2unix /etc/sysconfig/spamassassin has resolved the issue.

 -Original Message-
 From: Giff Hammar [mailto:[EMAIL PROTECTED]
 Sent: Monday, February 27, 2006 11:44 AM
 To: 'Jon D. Slater'; users@spamassassin.apache.org
 Subject: RE: prefs directories with ^M in the name
 
 Jon,
 
 Typically, it's the difference between UNIX and Windows. If you edited a
 conf file in Windows and used binary mode to transfer it to the SA
 machine,
 the ^M would be in the conf file. There are a couple of ways around it.
 The
 first is to transfer in ASCII mode, the second is to run dos2unix on the
 file and the third is to edit the conf file in vi on the SA machine. If
 you
 choose the third option, open the file in vi and you should see ^M at the
 end of each line.
 Type
 :1,$ s/^v^m// what you will actually see is :1,$ s/^M//
 and press enter. The ^V won't actually appear, but it will force vi to
 look
 for ^M vice the ^ character followed by M.
 
 Hope this helps.
 
 Giff
 
 -Original Message-
 From: Jon D. Slater [mailto:[EMAIL PROTECTED]
 Sent: Monday, February 27, 2006 1:01 PM
 To: users@spamassassin.apache.org
 Subject: prefs directories with ^M in the name
 
 Hi all,
 
 I’ve read the FAQ and still don’t find this issue.
 
 Configuration:
 Spamassassin 3.0.4
 OS:  Fedora Core 4
 SPAMDOPTIONS="-d -u spamassassin -x  -P --virtual-config-dir=/usr/share/spamassassin/%u.prefs"
 
 So, my prefs files are all being stored in /usr/share/spamassassin
 
 Everything seems to be running fine.
 
 When I cd into /usr/share/spamassassin and do an ‘ls’, I see:
 
 members.prefs
 members.prefs^M   (control M, not “^” and “M”)
 
 If I remove the “^M” version, after some period of time, they come back.
 
 What is creating these? And how do I fix it?
 
 Thanks!
 
 Jon
 
 
 
 
 
 




Re: question on training spamassassin

2006-02-27 Thread Matt Kettler
Webmaster wrote:
 A large number of our clients are using POP.
 If I were to ask them to send false negatives to [EMAIL PROTECTED] 
 and false positives to [EMAIL PROTECTED] so I can place them in 
 a folder and train,  does that hinder the training process in 
 anyway knowing that the header info is changed with the 
 forwarding process.
 

Yes...Forwards are more-or-less completely unusable for training purposes.


However, you might be able to get forward as attachment to work, if your mail
client supports it.


The problem with forwards is twofold.

First, the headers are completely destroyed. This is a major problem for
SpamAssassin's bayes engine, which studies headers.


Second, not only the header info is changed.. The body gets completely redone.
Mail clients typically add text to the top, and then re-encode the body text all
over.

If the original was base-64 encoded, the forward may not be.

If the original was multipart/alternative with text/plain and a text/html, the
forward might drop the text/plain, and create a new one based on the content of
the text/html section.

As far as spam tools are concerned, these messages bear little resemblance to
one another.
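
The difference between an inline forward and a forward-as-attachment shows up directly in the MIME structure: only the latter carries the original as a `message/rfc822` part with its own headers and transfer encoding. The following is an added example, not code from the thread or from SpamAssassin; both sample reports, including all addresses and the Message-ID, are constructed.

```python
from email import message_from_bytes, policy

# Constructed report: the user forwarded the spam as an attachment.
FORWARD_AS_ATTACHMENT = b"""\
From: user@example.org
To: spam-report@example.org
Subject: Fwd: cheap pills
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See attached.
--BOUND
Content-Type: message/rfc822
Content-Disposition: attachment

Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.org; Mon, 27 Feb 2006 10:00:00 -0500
From: "Seller" <seller@example.net>
To: user@example.org
Subject: cheap pills
Message-ID: <abc123@example.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: base64

QnV5IG5vdyE=
--BOUND--
"""

# Constructed report: the same spam forwarded inline; original headers are gone.
INLINE_FORWARD = b"""\
From: user@example.org
To: spam-report@example.org
Subject: Fwd: cheap pills
Content-Type: text/plain

----- Forwarded message -----
From: Seller
Subject: cheap pills

Buy now!
"""


def attached_originals(report):
    """Return every message/rfc822 attachment in a user's report as raw bytes.

    An inline forward has no such part, so the result is empty and the report
    should be kept out of Bayes training.
    """
    found = []

    def visit(part):
        if part.get_content_type() == "message/rfc822" and part.is_multipart():
            found.append(part.get_payload(0).as_bytes())
            return                      # keep the original intact; do not look inside it
        if part.get_content_maintype() == "multipart" and part.is_multipart():
            for child in part.get_payload():
                visit(child)

    visit(message_from_bytes(report, policy=policy.default))
    return found


def training_view(original):
    """Headers and encoding of the recovered original, i.e. what training would see."""
    msg = message_from_bytes(original, policy=policy.default)
    return {
        "message_id": str(msg["Message-ID"]),
        "subject": str(msg["Subject"]),
        "received_hops": len(msg.get_all("Received", [])),
        "transfer_encoding": str(msg["Content-Transfer-Encoding"]),
        "body": msg.get_content().strip(),
    }


if __name__ == "__main__":
    for name, report in (("attachment", FORWARD_AS_ATTACHMENT), ("inline", INLINE_FORWARD)):
        originals = attached_originals(report)
        print(name, "->", [training_view(o) for o in originals] or "nothing usable")
```
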





Re: FP on URIBL_JP_SURBL + URIBL_SBL

2006-02-27 Thread Dave Pooser
 SA doesn't look up the host's IP against SBL.. it looks up the IPs of the
 nameservers.

Ah. Okay, then, I have been laboring under a misapprehension.

 Also, for what it's worth, in SA 3.1.0, URIBL_JP_SURBL + URIBL_SBL +
 BAYES_00 is less than 5.0.
 
 score BAYES_00 0.0001 0.0001 -2.312 -2.599
 score URIBL_JP_SURBL 0 3.360 0 4.087
 score URIBL_SBL 0 1.094 0 1.639
 
 Adding up the set 3 scores, we get 3.127 points. Clearly well below 5.0.

True. I'd increased the SBL score because I misunderstood how URIBL_SBL
works; I thought it was flagging sites that were hosted on SBL-listed
addresses, and I trust the SBL far more than other blacklists so I was
willing to score it higher.

<Gilda Radner>
Never mind!
</Gilda Radner>
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!! -- Bill McKenna




Re: question on training spamassassin

2006-02-27 Thread Jeff Portwine
Hmm.. I don't quite understand this. At my company, we forward any spam 
that gets through to [EMAIL PROTECTED] and any ham marked as spam to 
[EMAIL PROTECTED] ... this was set up long ago before I even started 
working here and the spam filter worked really well. Recently our bayes 
database was broken and I ended up clearing it and retraining it with old 
spam and ham. Since that time a lot of spams that were getting through 
STOPPED getting through after a couple of days of forwarding them to the 
spam address... and I haven't seen any false spams. So it seems like it 
does work for us, but you're saying it shouldn't?



- Original Message - 
From: Matt Kettler [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Monday, February 27, 2006 2:29 PM
Subject: Re: question on training spamassassin



Webmaster wrote:

A large number of our clients are using POP.
If I were to ask them to send false negatives to [EMAIL PROTECTED]
and false positives to [EMAIL PROTECTED] so I can place them in
a folder and train,  does that hinder the training process in
anyway knowing that the header info is changed with the
forwarding process.



Yes...Forwards are more-or-less completely unusable for training purposes.

However, you might be able to get forward as attachment to work, if your
mail client supports it.

The problem with forwards is twofold.

First, the headers are completely destroyed. This is a major problem for
SpamAssassin's bayes engine, which studies headers.

Second, not only the header info is changed.. The body gets completely
redone. Mail clients typically add text to the top, and then re-encode the
body text all over.

If the original was base-64 encoded, the forward may not be.

If the original was multipart/alternative with text/plain and a text/html,
the forward might drop the text/plain, and create a new one based on the
content of the text/html section.

As far as spam tools are concerned, these messages bear little resemblance
to one another.








Re: SORBS unreasonable

2006-02-27 Thread Jeremy Kister

On 2/27/2006 3:47 AM, Johann Spies wrote:

One of our email-servers is blacklisted by SORBS and they want us to
pay $50 to get the server taken off the list.


I had an entire /16 blocked by sorbs a small while ago.


How do the members of this list handle situations like that?


Three ways (only the first was productive):

1. I voiced my concerns to nanog: 
http://www.cctec.com/maillists/nanog/historical/0404/msg00353.html


2.  on every domain you can, put:
<a href="http://www.sorbs.net">Worthless Project</a> (<a 
href="http://www.google.com/search?q=Worthless%20Project">SORBS</a>)


3. I created a SORBS RBL server for folks to run on their own machine, 
which actually got quite popular at one point: 
http://jeremy.kister.net/code/perl/sorbs.pl



--

Jeremy Kister
http://jeremy.kister.net./


RE: /etc/shadow access from SA

2006-02-27 Thread Dallas L. Engelken
 -Original Message-
 From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
 Sent: Monday, February 27, 2006 12:51
 To: SpamAssassin
 Subject: Re: /etc/shadow access from SA
 
 On Mon, Feb 27, 2006 at 12:01:31PM -0600, Dallas L. Engelken wrote:
  Justin, Are you positive?  I don't see getpwnam or getpwuid 
 accessing 
  /etc/shadow on linux.  It hits /etc/passwd for the getpw* calls.
  
  # cat test.pl
  my $uid = getpwnam('root');
  my $name = getpwuid(0);
  print "name=$name uid=$uid\n";
 
 That's because you're not asking for information found in shadow... :)
 
  # strace perl test.pl 2>&1 | grep passwd
  open("/etc/passwd", O_RDONLY)   = 3
  open("/etc/passwd", O_RDONLY)   = 3
 
 Here's my version:
 
 # cat t
 my @info = getpwnam("root");
 my @info2 = getpwuid(0);
 

Gotcha.  Thanks for the clarification  :)

D


Re: FP on URIBL_JP_SURBL + URIBL_SBL

2006-02-27 Thread List Mail User
4dquiz-com (dot instead of dash) is getting DNS service from
orderbox-dns_com ('_' instead of '.') - This makes them immediately
suspect;  Some of the subdomains and servers in that domain are strictly
black, others are grey - They have been widely discussed in some non-public
forums recently.  Unfortunately there are quite a few DirectI customers
being used as human shields by the orderbox-dns_com domains and there
seems to be some sort of close relationship between DirectI and orderbox.
(DirectI are definitely now in the good guy category.)

It is likely due to the name server check that the SBL rule was
triggered.  As to the SURBL [ws], you'd have to ask (or someone from SURBL
volunteer an answer), but there is probably some reason (it still might be
a FP).

Finally, what threshold are you trying to use that a score near 3
is marked as spam?  (My addition of the rules you say were hit, estimated
independent of SA version.)

Paul Shupak
[EMAIL PROTECTED]


Re: FP on URIBL_JP_SURBL + URIBL_SBL

2006-02-27 Thread Matt Kettler
Dave Pooser wrote:

 True. I'd increased the SBL score because I misunderstood how URIBL_SBL
 works; I thought it was flagging sites that were hosted on SBL-listed
 addresses, and I trust the SBL far more than other blacklists so I was
 willing to score it higher.

Lesson to learn: Don't increase the scores without reading STATISTICS-set*.txt

From STATISTICS-set3.txt:

OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
 22.415   31.8425   0.4370   0.986   0.49    1.64  URIBL_SBL

The S/O is 0.986, which means that 1.4% of messages matching the rule were not 
spam.

Generally speaking, SA's perceptron knows what it's doing... If you think a
score needs adjusting, check the stats to see what's going on..


Re: FP on URIBL_JP_SURBL + URIBL_SBL

2006-02-27 Thread Dave Pooser
 OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
  22.415   31.8425   0.4370   0.986   0.49    1.64  URIBL_SBL
 
 The S/O is 0.986, which means that 1.4% of messages matching the rule were not
 spam.

Yep. But in my environment, that's my first-ever case (out of roughly
300,000 messages scanned in the past year) when URIBL_SBL hit a ham. Running
a corporate email server makes for a significantly different corpus than the
universe as a whole, and thus makes some different scoring sensible.

(But that's still no excuse for tweaking a rule score without realizing what
it's doing, and I have flogged myself appropriately for it.)
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!! -- Bill McKenna




RE: question on training spamassassin

2006-02-27 Thread Webmaster
 

 -Original Message-
 From: Matt Kettler [mailto:[EMAIL PROTECTED] 
 Sent: February 27, 2006 11:30 AM
 To: [EMAIL PROTECTED]
 Cc: users@spamassassin.apache.org
 Subject: Re: question on training spamassassin
 
 Webmaster wrote:
  A large number of our clients are using POP.
  If I were to ask them to send false negatives to [EMAIL PROTECTED] and 
  false positives to [EMAIL PROTECTED] so I can place them in a 
 folder and 
  train,  does that hinder the training process in anyway 
 knowing that 
  the header info is changed with the forwarding process.
  
 
 Yes...Forwards are more-or-less completely unusable for 
 training purposes.
 
 
 However, you might be able to get forward as attachment to 
 work, if your mail client supports it.
 
 
 The problem with forwards is twofold.
 
 First, the headers are completely destroyed. This is a major 
 problem for SpamAssassin's bayes engine, which studies headers.
 
 
 Second, not only the header info is changed.. The body gets 
 completely redone.
 Mail clients typically add text to the top, and then 
 re-encode the body text all over.
 
 If the original was base-64 encoded, the forward may not be.
 
 If the original was multipart/alternative with text/plain and 
 a text/html, the forward might drop the text/plain, and 
 create a new one based on the content of the text/html section.
 
 As far as spam tools are concerned, these messages bear 
 little resemblance to one another.
 

Yes, I thought that may be the case.
Thanks.



RE: question on training spamassassin

2006-02-27 Thread Webmaster
 

 -Original Message-
 From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
 Sent: February 27, 2006 11:18 AM
 To: users@spamassassin.apache.org
 Subject: Re: question on training spamassassin
 
 On Mon, Feb 27, 2006 at 02:14:22PM -0500, Jeff Portwine wrote:
  I'm a SA newbie myself, but  I believe I've read that all 
 the headers, 
  etc, are stripped before the learning takes place, so it 
 should work 
  fine for you to have your users go ahead and do that for training.
  
  Somebody here will correct me if i'm wrong...
 
 The SpamAssassin headers are stripped, but the other headers 
 are definitely not stripped!  Bayes takes tokens from the 
 headers all the time.
 
 http://wiki.apache.org/spamassassin/BayesFaq
 
 may be of use. :)
 

Thanks.  I read the wiki.
This is unfortunate because many clients are still using this client:
Microsoft Outlook Express: It does not appear to have a redirect option 




Re: question on training spamassassin

2006-02-27 Thread Matt Kettler
Jeff Portwine wrote:
 Hmm.. I don't quite understand this.At my company, we forward any
 spam that gets through to [EMAIL PROTECTED] and any ham marked as spam to
 [EMAIL PROTECTED] ... this was set up long ago before I even started
 working here and the spam filter worked really well.   Recently our
 bayes database was broken and I ended up clearing it and retraining it
 with old spam and ham.   Since that time a lot of spams that were
 getting through STOPPED getting through after a couple of days of
 forwarding them to the spam address... and I haven't seen any false
 spams.So it seems like it does work for us, but you're saying it
 shouldn't ?

Correct. It shouldn't work very well.

Also if your users are only or mostly forwarding spam, SA's bayes is going to
have a bayes bias that all messages forwarded by your mail clients are spam,
regardless of content.




Re: netware

2006-02-27 Thread Daryl C. W. O'Shea

On 2/27/2006 10:28 AM, Matt Kettler wrote:

admin wrote:


Hi

I have just a simple question and I did not find any exact answer. 
Is NetWare or is NetWare going to be supported by SpamAssassin?

Thanks a lot for an answer.
 


Apparently Novell's perl is sufficiently broken that I highly doubt
SpamAssassin will work on it.


I still have nightmares from when I last did any major Perl stuff on a 
Novell BorderManager server in the late 90s.


You'd probably be best off integrating spamc on the Novell server, 
getting it to pass off connections to a machine running the *nix 
platform of your choosing.



Daryl



Re: SA running, but not working

2006-02-27 Thread Evan Platt

At 08:49 AM 2/27/2006, you wrote:

Newbie question:
I'm using Sendmail on an ES4 server that was built by our server's host.
It originally was set up with Procmail, but because of migration 
problems from an old server we had to switch it to Sendmail.

Anyway, Spamassassin was pre-installed.
I just started the service running, but none of our mail is being 
tagged with a X-Spam header.
I've looked for Spamassassin configuration files, and all I could 
find was /etc/mail/spamassassin/local.cf and all I can do in there 
is change the threshold and subject line tag.
Is there something somewhere I need to check/change to get it to 
work with Sendmail?

Just a point in the right direction would be nice. =)


Just a hint, but you need to somehow call SpamAssassin. Not sure how 
you'd do that with sendmail, as I run postfix. But maybe someone else 
can help you out. But basically you call spamassassin - it's not automatic.




Re: SORBS unreasonable: Accusation retracted

2006-02-27 Thread David B Funk
On Mon, 27 Feb 2006, Johann Spies wrote:

 New information came to light and I retract my insinuation that SORBS
 was unreasonable:  Apparently the owner(s) of the specific mailing
 list populated the list with names harvested from the internet.

 Apologies to SORBS.

 Regards
 Johann

That would explain why one of my spamtrap addresses recently started
getting announcement type messages from your institution.
Would you please beat those list owners with a 'clue-stick' ;)
and then remove the address [EMAIL PROTECTED]

Thanks,
Dave

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{