Re: Re: Yum & 3.0.5

2006-03-13 Thread Nigel Frankcom
Thanks Tim,

I'm going to do a yum remove on SA and reinstall if required. At the
time of the original post I didn't have a spare failover box for SA,
that situation is now resolved.

My concern stems from the fact that the original Yum updates done
before 3.1.0 was installed didn't mention 3.0.5; that only showed up
after.

3.1.0 is handling the requests so the 3.0.5 isn't doing any harm other
than to offend my eye. I was hoping someone else had similar
experiences and that a simple yum remove would work out OK since the
3.1.0 was installed from source.

Ah well - we live and learn.

Kind regards

Nigel

On Mon, 13 Mar 2006 17:28:20 +, Tim Jackson <[EMAIL PROTECTED]>
wrote:

>Nigel Frankcom wrote:
>
>> I installed 3.1.1 today on a fresh CentOS install and foolishly
>> neglected to check it hadn't already installed an older version of SA.
>> Now when I run yum update it lists 3.0.5 as an update. I've installed
>> 3.1.1 from source and am wondering if using yum remove for the 3.0.5
>> install will fubar anything else?
>
>It may possibly overwrite some files from 3.1.1 depending on where you
>installed them, although I'm not sure whether RPM will do a hash sanity
>check on the files before removing them. I'm not sure it does for
>non-config files. So you might find the yum remove kills your install
>and you have to reinstall 3.1.1.
>
>Much better is to actually install 3.1.1 as an RPM package (build your
>own based on the CentOS source RPM if nobody else has done one).
>Half-package managing a system (i.e. installing some things from source,
>whilst upgrading others with automated tools) rarely ends up as anything
>but confusing. e.g. if you want to install something from the OS base
>which *is* packaged but depends on SA, it won't work (failed deps) if
>you've installed SA from source, etc.
>
>If you haven't done it before, building your own RPMs is usually fairly
>easy especially if you have recent examples (e.g. the 3.0.5 CentOS one)
>to work from.
>
>Tim


Re: using sa-learn offline

2006-03-13 Thread Robert Menschel
Hello John,

Monday, March 13, 2006, 2:53:33 PM, you wrote:

JD> I am trying to train spamassassin using spam and ham I've collected.  My
JD> problem is the sa-learn script is using too many resources on the server
JD> (my spam folder had ~1000 messages).

JD> Is there a way I can run sa-learn on my PC and then merge the results with
JD> the server?

As reported, no.  But there is a reasonable solution -- don't feed all
the spam at one shot.  Break up your spam folder into bunches of
200-300 emails, and learn each of those separately.  The more emails
sa-learn tries to learn in one pass, the more resources it will
require.
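
The batching suggested above, as an added example that is not part of the original post: a shell function that hands `sa-learn` a limited number of messages per run and pauses between runs. It assumes one message per file in the directory (for example a Maildir `cur/`); `learn_in_batches`, `LEARN_CMD` and `LEARN_BATCHES` are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example (not from the thread): feed a spam folder to sa-learn in
# small batches so no single run has to work through ~1000 messages.
# Assumes one message per file in DIR (e.g. a Maildir "cur" directory).

# Hypothetical knob: the command each batch is handed to.
# Use "nice -n 19 sa-learn --ham" for the ham folder.
LEARN_CMD=${LEARN_CMD:-"nice -n 19 sa-learn --spam"}

# learn_in_batches DIR [BATCH_SIZE] [PAUSE_SECONDS]
# Sets LEARN_BATCHES to the number of learner runs performed.
learn_in_batches() {
    lb_dir=$1
    lb_size=${2:-250}     # inside the 200-300 range suggested above
    lb_pause=${3:-10}     # idle time between batches, in seconds
    LEARN_BATCHES=0

    set --                # reuse the positional parameters as the batch
    for lb_file in "$lb_dir"/*; do
        [ -f "$lb_file" ] || continue        # skip subdirectories / empty glob
        set -- "$@" "$lb_file"
        if [ "$#" -ge "$lb_size" ]; then
            $LEARN_CMD "$@" || return 1      # stop on the first failed batch
            LEARN_BATCHES=$((LEARN_BATCHES + 1))
            set --
            sleep "$lb_pause"
        fi
    done

    # Remainder that did not fill a whole batch.
    if [ "$#" -gt 0 ]; then
        $LEARN_CMD "$@" || return 1
        LEARN_BATCHES=$((LEARN_BATCHES + 1))
    fi
}

# Usage: learn_in_batches "$HOME/Maildir/.Spam/cur" 250 10
```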






Re[2]: Fwd: 70_sare_whitelist_rcvd.cf suggestions

2006-03-13 Thread Robert Menschel
Hello Kelson,

Monday, March 13, 2006, 11:30:07 AM, you wrote:

K> Robert Menschel wrote:
>> I'm not familiar enough with the newsletters below to know ...

>> whitelist_from_rcvd  [EMAIL PROTECTED] 
>> ...

K> I can confirm this one as both legit and a frequent false positive (in
K> part because of the 7 consonants in a row in the domain name, which
K> scores 2.1 points in a network+bayes setup) ...

Thanks.  I'll make sure they get added to the next whitelist.cf
release.

K> On top of the rotating providers, they use at least two different domain
K> names -- this one for their newsletter, and just deepdiscountdvd.com for
K> transactional messages like order confirmations and password reminders.
K>   They really don't make themselves easy to whitelist!  However, I've
K> never seen them do anything black-hat or even grey-hat.

Could you send me an mbx file of a goodly selection of their emails,
so I make sure I cover all their combinations?

Bob Menschel





Re: error after upgraded to 3.11

2006-03-13 Thread Spamassassin List
> You have an older version of the stock rules.  Doc fixed this one a week or
> two ago, since we knew it was going to come up.


Weird. rules_du_jour did not grab the newer version.




Re: error after upgraded to 3.11

2006-03-13 Thread Loren Wilton
You have an older version of the stock rules.  Doc fixed this one a week or
two ago, since we knew it was going to come up.

Loren



Re: Spamc child process limit?

2006-03-13 Thread Loren Wilton
> However after about 2-3 hours mail randomly starts getting returned to the
> sender with 421 BSMTP timeout errors.  It doesn't matter if the sender is a
> client on my server, or someone using a Yahoo account, about 50-75% of mail
> that is sent is returned undeliverable with that 421 BSMTP timeout error
> message.  Then on top of that tons of messages start being frozen in the

In general if things work for a while and then start getting timeouts, it
indicates that some SA child is probably doing either a Bayes or Awl
auto-expire (which can take MANY minutes) and the timeout in the driving
program is too short.  As a result, the child doing the auto-expire gets
killed, and the next child up needs to do the auto-expire the first one
wasn't allowed to finish, and it gets killed, and the next child tries to do
the auto-expire and...

Either crank up your timeout to 10 minutes or so (if possible) or turn off
auto-expire and run a cron job every so often to do the expire.

Loren



Re: encoded spam that got thru

2006-03-13 Thread Loren Wilton
FM_NO_FROM_OR_TO=,FM_NO_TO=,MISSING_SUBJECT=,NO_RECEIVED=,TO_CC_NONE=

Something seems a little odd here.  On my system those rules would add up to
quite a few points, and they don't seem to add up to anything for you.

Loren



Re: URIDNSBL.pm invalid bitwise or?

2006-03-13 Thread Matt Kettler
Jason Parsons wrote:
>
> I'm using an internal URIBL, configured like so:
>
> urirhssub SAFF_EXAMPLE  rbl.example.com.  A   127.0.0.8
> body  SAFF_EXAMPLE   eval:check_uridnsbl('SAFF_EXAMPLE')
> describe  SAFF_EXAMPLE   Example RBL hit 8
>
> Running with the above configuration causes spamd to log: 

urirhssub expects just 8, not 127.0.0.8

Such as the examples in the config files:

urirhssub   URIBL_PH_SURBL  multi.surbl.org.    A   8
body        URIBL_PH_SURBL  eval:check_uridnsbl('URIBL_PH_SURBL')
describe    URIBL_PH_SURBL  Contains an URL listed in the PH SURBL blocklist
tflags      URIBL_PH_SURBL  net






Re: error after upgraded to 3.11

2006-03-13 Thread Doc Schneider

Spamassassin List wrote:

>> Leading zeros are required for values between (-1,1).
>
> Thanks. After examine all the rules, found out that 70_sare_stocks.cf is
> causing it.
>
> It contains lines like:-
>
> body    SARE_MLB_Stock3 /Last[ _](?:Trade|Price)[ :]/i
> score   SARE_MLB_Stock3 .794
>
> body    SARE_LWSAFEH    /Safe Harbor Statement:/i
> score   SARE_LWSAFEH    .688
>
> body    SARE_LWOILCO    /(?:oil|gas)\s+company/i
> score   SARE_LWOILCO    .388
>
> header  SARE_LWSKY      Subject =~ /skyr[o0]cket/i
> score   SARE_LWSKY      .750
>
> Removing it and spamassassin --lint not complaining anything else.
>
> Thanks again


You need to just grab the latest 70_sare_stocks.cf I fixed this issue a 
while back.


--

 -Doc

 SA/SARE/URIBL/SURBL -- Ninja
  10:36pm  up 51 days, 19:56, 17 users,  load average: 0.18, 0.17, 0.21

 SARE HQ  http://www.rulesemporium.com/


Re: error after upgraded to 3.11

2006-03-13 Thread M. Lewis
I believe you're using an old version of 70_sare_stocks.cf. This issue 
was located and corrected a couple of weeks ago if I'm not mistaken.


Current version is # Version: 01.00.14

HTH,
M


Spamassassin List wrote:

>> Leading zeros are required for values between (-1,1).
>
> Thanks. After examine all the rules, found out that 70_sare_stocks.cf is
> causing it.
>
> It contains lines like:-
>
> body    SARE_MLB_Stock3 /Last[ _](?:Trade|Price)[ :]/i
> score   SARE_MLB_Stock3 .794
>
> body    SARE_LWSAFEH    /Safe Harbor Statement:/i
> score   SARE_LWSAFEH    .688
>
> body    SARE_LWOILCO    /(?:oil|gas)\s+company/i
> score   SARE_LWOILCO    .388
>
> header  SARE_LWSKY      Subject =~ /skyr[o0]cket/i
> score   SARE_LWSKY      .750
>
> Removing it and spamassassin --lint not complaining anything else.
>
> Thanks again


--

 A)bort, R)etry, I)gnore, V)alium?
  23:35:01 up 9 days,  3:18,  7 users,  load average: 1.13, 1.16, 0.72

 Linux Registered User #241685  http://counter.li.org


Re: error after upgraded to 3.11

2006-03-13 Thread Spamassassin List

> Leading zeros are required for values between (-1,1).

Thanks. After examine all the rules, found out that 70_sare_stocks.cf is
causing it.

It contains lines like:-

body    SARE_MLB_Stock3 /Last[ _](?:Trade|Price)[ :]/i
score   SARE_MLB_Stock3 .794

body    SARE_LWSAFEH    /Safe Harbor Statement:/i
score   SARE_LWSAFEH    .688

body    SARE_LWOILCO    /(?:oil|gas)\s+company/i
score   SARE_LWOILCO    .388

header  SARE_LWSKY      Subject =~ /skyr[o0]cket/i
score   SARE_LWSKY      .750

Removing it and spamassassin --lint not complaining anything else.

Thanks again



Re: error after upgraded to 3.11

2006-03-13 Thread Daryl C. W. O'Shea

Leading zeros are required for values between (-1,1).

On 3/13/2006 9:27 PM, Spamassassin List wrote:

Hi List,

After upgraded SA from 3.10 to 3.11, ran spamassassin --lint, 
encountered the error as follows:-


[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_MLB_Stock3 .794" is not valid for "score", skipping: score
SARE_MLB_Stock3 .794
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWSAFEH__.688" is not valid for "score", skipping: 
score__SARE_LWSAFEH__.688
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWOILCO__.388" is not valid for "score", skipping: 
score__SARE_LWOILCO__.388
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWSKY__.750" is not valid for "score", skipping: 
score__SARE_LWSKY__.750
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWSHORT__.833" is not valid for "score", skipping: 
score__SARE_LWSHORT__.833
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWDRIVE__.777" is not valid for "score", skipping: 
score__SARE_LWDRIVE__.777
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWSHARES__.672" is not valid for "score", skipping: 
score__SARE_LWSHARES__.672
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWSHORTT__.794" is not valid for "score", skipping: 
score__SARE_LWSHORTT__.794
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock1_.325" is not valid for "score", skipping: 
score_SARE_RMML_Stock1_.325
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock2_.744" is not valid for "score", skipping: 
score_SARE_RMML_Stock2_.744
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock3_.027" is not valid for "score", skipping: 
score_SARE_RMML_Stock3_.027
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock4_.667" is not valid for "score", skipping: 
score_SARE_RMML_Stock4_.667
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock5_.055" is not valid for "score", skipping: 
score_SARE_RMML_Stock5_.055
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock7_.750" is not valid for "score", skipping: 
score_SARE_RMML_Stock7_.750
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock8_.444" is not valid for "score", skipping: 
score_SARE_RMML_Stock8_.444
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock9_.416" is not valid for "score", skipping: 
score_SARE_RMML_Stock9_.416
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock10_.027" is not valid for "score", skipping: 
score_SARE_RMML_Stock10_.027
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock11_.622" is not valid for "score", skipping: 
score_SARE_RMML_Stock11_.622
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock13_.064" is not valid for "score", skipping: 
score_SARE_RMML_Stock13_.064
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock14_.444" is not valid for "score", skipping: 
score_SARE_RMML_Stock14_.444
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock15_.027" is not valid for "score", skipping: 
score_SARE_RMML_Stock15_.027
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock16_.027" is not valid for "score", skipping: 
score_SARE_RMML_Stock16_.027
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock17_.083" is not valid for "score", skipping: 
score_SARE_RMML_Stock17_.083
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock18_.222" is not valid for "score", skipping: 
score_SARE_RMML_Stock18_.222
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock19_.816" is not valid for "score", skipping: 
score_SARE_RMML_Stock19_.816
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock20_.111" is not valid for "score", skipping: 
score_SARE_RMML_Stock20_.111
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock21_.222" is not valid for "score", skipping: 
score_SARE_RMML_Stock21_.222
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock22_.444" is not valid for "score", skipping: 
score_SARE_RMML_Stock22_.444
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock23_.325" is not valid for "score", skipping: 
score_SARE_RMML_Stock23_.325
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock25_.950" is not valid for "score", skipping: 
score_SARE_RMML_Stock25_.950
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock27_.166" is not valid for "score", skipping: 
score_SARE_RMML_Stock27_.166
[21824] warn: lint: 31 issues detected, please rerun with debug enabled 
for more information


Please help.

Thanks
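
To audit other local rule files for the same leading-zero problem reported by `--lint` above, the following is an added example, not code from the thread, SpamAssassin or SARE. The function names and the `.bak` backup convention are assumptions made for the example; the sample rules in the demo are constructed.

```shell
#!/bin/sh
# Added example (not SpamAssassin or SARE code): locate and repair "score"
# lines whose values lack the leading zero that --lint complains about above.

# A score line containing a value that starts with "." or "-.".
BAD_SCORE_RE='^[[:space:]]*score[[:space:]].*[[:space:]]-?\.[0-9]'

# list_bad_scores FILE...  -> prints file:line:text; exit status 1 if none.
list_bad_scores() {
    grep -nHE "$BAD_SCORE_RE" "$@"
}

# fix_scores: stdin -> stdout. Only "score" lines are touched, so a pattern
# such as / .5 off/ inside a body or header rule is left alone. Every value
# on the line is fixed, which covers the four-value form of "score".
fix_scores() {
    sed -E '/^[[:space:]]*score[[:space:]]/ s/([[:space:]]-?)\.([0-9])/\10.\2/g'
}

# fix_cf_file FILE: rewrite FILE in place, keeping the original as FILE.bak.
fix_cf_file() {
    cf=$1
    list_bad_scores "$cf" >/dev/null || return 0    # nothing to repair
    cp -p "$cf" "$cf.bak" || return 1
    fix_scores <"$cf.bak" >"$cf"
}

# Demo on a constructed sample in the style of the rules quoted in this thread.
demo_fix_scores() {
    demo_dir=$(mktemp -d) || return 1
    printf 'header  SARE_LWSKY  Subject =~ /skyr[o0]cket/i\n' >"$demo_dir/sample.cf"
    printf 'score   SARE_LWSKY  .750\n'                      >>"$demo_dir/sample.cf"
    printf 'score   EXAMPLE_FOUR  -.5 .5 1.0 .25\n'          >>"$demo_dir/sample.cf"
    echo "before:"; list_bad_scores "$demo_dir/sample.cf"
    fix_cf_file "$demo_dir/sample.cf"
    echo "after:";  cat "$demo_dir/sample.cf"
    rm -rf "$demo_dir"
}
demo_fix_scores
```

Rerun `spamassassin --lint` after rewriting a file to confirm the warnings are gone.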





error after upgraded to 3.11

2006-03-13 Thread Spamassassin List

Hi List,

After upgraded SA from 3.10 to 3.11, ran spamassassin --lint, encountered 
the error as follows:-


[21824] warn: config: SpamAssassin failed to parse line, "SARE_MLB_Stock3 
.794" is not valid for "score", skipping: scoreSARE_MLB_Stock3 .794
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWSAFEH__.688" is not valid for "score", skipping: 
score__SARE_LWSAFEH__.688
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWOILCO__.388" is not valid for "score", skipping: 
score__SARE_LWOILCO__.388
[21824] warn: config: SpamAssassin failed to parse line, "SARE_LWSKY__.750" 
is not valid for "score", skipping: score__SARE_LWSKY__.750
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWSHORT__.833" is not valid for "score", skipping: 
score__SARE_LWSHORT__.833
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWDRIVE__.777" is not valid for "score", skipping: 
score__SARE_LWDRIVE__.777
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWSHARES__.672" is not valid for "score", skipping: 
score__SARE_LWSHARES__.672
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_LWSHORTT__.794" is not valid for "score", skipping: 
score__SARE_LWSHORTT__.794
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock1_.325" is not valid for "score", skipping: 
score_SARE_RMML_Stock1_.325
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock2_.744" is not valid for "score", skipping: 
score_SARE_RMML_Stock2_.744
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock3_.027" is not valid for "score", skipping: 
score_SARE_RMML_Stock3_.027
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock4_.667" is not valid for "score", skipping: 
score_SARE_RMML_Stock4_.667
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock5_.055" is not valid for "score", skipping: 
score_SARE_RMML_Stock5_.055
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock7_.750" is not valid for "score", skipping: 
score_SARE_RMML_Stock7_.750
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock8_.444" is not valid for "score", skipping: 
score_SARE_RMML_Stock8_.444
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock9_.416" is not valid for "score", skipping: 
score_SARE_RMML_Stock9_.416
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock10_.027" is not valid for "score", skipping: 
score_SARE_RMML_Stock10_.027
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock11_.622" is not valid for "score", skipping: 
score_SARE_RMML_Stock11_.622
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock13_.064" is not valid for "score", skipping: 
score_SARE_RMML_Stock13_.064
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock14_.444" is not valid for "score", skipping: 
score_SARE_RMML_Stock14_.444
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock15_.027" is not valid for "score", skipping: 
score_SARE_RMML_Stock15_.027
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock16_.027" is not valid for "score", skipping: 
score_SARE_RMML_Stock16_.027
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock17_.083" is not valid for "score", skipping: 
score_SARE_RMML_Stock17_.083
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock18_.222" is not valid for "score", skipping: 
score_SARE_RMML_Stock18_.222
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock19_.816" is not valid for "score", skipping: 
score_SARE_RMML_Stock19_.816
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock20_.111" is not valid for "score", skipping: 
score_SARE_RMML_Stock20_.111
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock21_.222" is not valid for "score", skipping: 
score_SARE_RMML_Stock21_.222
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock22_.444" is not valid for "score", skipping: 
score_SARE_RMML_Stock22_.444
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock23_.325" is not valid for "score", skipping: 
score_SARE_RMML_Stock23_.325
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock25_.950" is not valid for "score", skipping: 
score_SARE_RMML_Stock25_.950
[21824] warn: config: SpamAssassin failed to parse line, 
"SARE_RMML_Stock27_.166" is not valid for "score", skipping: 
score_SARE_RMML_Stock27_.166
[21824] warn: lint: 31 issues detected, please rerun with debug enabled for 
more information


Please help.

Thanks 



Re: cannot get Envelope-From, cannot use SPF

2006-03-13 Thread Xavier Sudre

[EMAIL PROTECTED] wrote:
> Xavier Sudre wrote:
>> [EMAIL PROTECTED] wrote:
>>> See http://wiki.apache.org/spamassassin/EnvelopeSenderInHeaders
>>
>> My postfix version is compatible.
>
> Is there a Return-Path header on the file that spamc is told to scan?

That was the trouble! The transport that I used in master.cf had no
"flags=R" therefore no Return-Path was present for spamc/spamd to work on.


Problem solved. Thanks.

Xavier.

--
Xavier Sudre
Homepage: http://xavier.sudre.fr/
Email:[EMAIL PROTECTED]
GPG key:  http://xavier.sudre.fr/gpg/xavier.asc


RE: cannot get Envelope-From, cannot use SPF

2006-03-13 Thread Matthew.van.Eerde
Xavier Sudre wrote:
> [EMAIL PROTECTED] wrote:
>> See http://wiki.apache.org/spamassassin/EnvelopeSenderInHeaders
> 
> My postfix version is compatible.

Is there a Return-Path header on the file that spamc is told to scan?

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: cannot get Envelope-From, cannot use SPF

2006-03-13 Thread Xavier Sudre

[EMAIL PROTECTED] wrote:
> Xavier Sudre wrote:
>> I am trying to get SPF to work with my spamassassin installation.
>> So far when I receive an email, SA logs the following:
>>
>> spamd[874]: spf: cannot get Envelope-From, cannot use SPF
> ...
>> The email goes through postfix then spamc then spamd.
>
> What version of postfix?
>
> See http://wiki.apache.org/spamassassin/EnvelopeSenderInHeaders

My postfix version is compatible. I am using the latest version
available for Debian stable.


Xavier.

--
Xavier Sudre
Homepage: http://xavier.sudre.fr/
Email:[EMAIL PROTECTED]
GPG key:  http://xavier.sudre.fr/gpg/xavier.asc





Re: using sa-learn offline

2006-03-13 Thread Matt Kettler
John Davis wrote:
> I am trying to train spamassassin using spam and ham I've collected.  My
> problem is the sa-learn script is using too many resources on the server
> (my spam folder had ~1000 messages).
> 
> Is there a way I can run sa-learn on my PC and then merge the results with 
> the server?
> 

Longer answer than before:

No, you cannot run sa-learn on one machine, then later merge the results onto
your server.


HOWEVER, if you are running SpamAssassin 3.1.0 or higher, and you've started
spamd with --allow-tell, you can use spamc -L on your PC and have it feed to
your server's spamd.

This might lighten your overhead a little bit, because it's not going to have to
invoke a new perl instance, but the grunt-work of analyzing for tokens and
placing them into the bayes db is still going to happen on the server side
within spamd.


Re: using sa-learn offline

2006-03-13 Thread Rick Macdougall

Matt Kettler wrote:
> John Davis wrote:
>> I am trying to train spamassassin using spam and ham I've collected.  My
>> problem is the sa-learn script is using too many resources on the server
>> (my spam folder had ~1000 messages).
>>
>> Is there a way I can run sa-learn on my PC and then merge the results with
>> the server?
>
> No.

No, BUT!  If you are using mysql for your bayes backend, you can use a
separate server to run sa-learn on.  Might be a solution for you.


(That's what we do here).

Regards,

Rick



Re: using sa-learn offline

2006-03-13 Thread Matt Kettler
John Davis wrote:
> I am trying to train spamassassin using spam and ham I've collected.  My
> problem is the sa-learn script is using too many resources on the server
> (my spam folder had ~1000 messages).
> 
> Is there a way I can run sa-learn on my PC and then merge the results with 
> the server?

No.



RE: cannot get Envelope-From, cannot use SPF

2006-03-13 Thread Matthew.van.Eerde
Xavier Sudre wrote:
> I am trying to get SPF to work with my spamassassin installation.
> So far when I receive an email, SA logs the following:
> 
> spamd[874]: spf: cannot get Envelope-From, cannot use SPF
...
> The email goes through postfix then spamc then spamd.

What version of postfix?

See http://wiki.apache.org/spamassassin/EnvelopeSenderInHeaders

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


cannot get Envelope-From, cannot use SPF

2006-03-13 Thread Xavier Sudre

Hi there!

I am trying to get SPF to work with my spamassassin installation.
So far when I receive an email, SA logs the following:

spamd[874]: spf: cannot get Envelope-From, cannot use SPF
spamd[874]: spf: def_spf_whitelist_from: could not find useable envelope sender
spamd[874]: spf: spf_whitelist_from: could not find useable envelope sender

It seems pretty clear that SA is missing some input referred to as 
"Envelope-From" in order to work with SPF.


When I try manually to pass the email to spamassassin via
"spamassassin -D < email", I can see that SA works with SPF and adds 
information about the SPF tests he did in the email headers, for 
instance SPF_PASS.


The email goes through postfix then spamc then spamd.

Any good idea?

Thanks,

Xavier.

--
Xavier Sudre
Homepage: http://xavier.sudre.fr/
Email:[EMAIL PROTECTED]
GPG key:  http://xavier.sudre.fr/gpg/xavier.asc


using sa-learn offline

2006-03-13 Thread John Davis
I am trying to train spamassassin using spam and ham I've collected.  My
problem is the sa-learn script is using too many resources on the server
(my spam folder had ~1000 messages).

Is there a way I can run sa-learn on my PC and then merge the results with 
the server?

-- 
--
[EMAIL PROTECTED]Student: Master, does Emacs have the Buddha Nature?
   Master:  Why not? It has damn near everything else!



URIDNSBL.pm invalid bitwise or?

2006-03-13 Thread Jason Parsons


I'm using an internal URIBL, configured like so:

urirhssub SAFF_EXAMPLE  rbl.example.com.  A   127.0.0.8
body  SAFF_EXAMPLE   eval:check_uridnsbl('SAFF_EXAMPLE')
describe  SAFF_EXAMPLE   Example RBL hit 8

Running with the above configuration causes spamd to log:

warn: Argument "127.0.0.8" isn't numeric in bitwise or (|) at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 614,  line 39.


My configuration appears legal based on the docs:

urirhssub NAME_OF_RULE rhsbl_zone lookuptype subtest
[ ... ]

subtest is the sub-test to run against the returned data. The sub-test
may either be an IPv4 dotted address for RHSBLs that return multiple A
records, a non-negative decimal number to specify a bitmask for RHSBLs
that return a single A record containing a bitmask of results, or (if
none of the preceding options seem to fit) a regular expression.


However, URIDNSBL.pm, on line 614, does this:

  $uridnsbl_subs_bits |= $_ for keys %{$uridnsbl_subs};

If I'm reading the code correctly, this bitwise or will break when  
the subtest is an IP address or a regular expression.


The code in question was introduced here:

  http://issues.apache.org/SpamAssassin/attachment.cgi?id=2611&action=view


... in response to bug ID 3997.

Thoughts?

Thank you.
 - Jason Parsons




Re: Whitelist_from_rcvd misfire!!

2006-03-13 Thread jdow

From: "Matt Kettler" <[EMAIL PROTECTED]>


jdow wrote:

===8<---
Return-Path: <[EMAIL PROTECTED]>
Received: from smtp.earthlink.net [209.86.93.205]
by localhost with POP3 (fetchmail-6.2.5.5)
for [EMAIL PROTECTED] (single-drop); Mon, 13 Mar 2006 05:36:39
-0800 (PST)
Received: from amazon.com ([80.33.31.58])
by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
1fiNda4KB3Nl34g0
for <[EMAIL PROTECTED]>; Mon, 13 Mar 2006 08:35:48 -0500 (EST)
From: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
To: jdow <[EMAIL PROTECTED]>
Subject: PLEASE RESPOND ASAP
X-Priority: 3
X-MSMail-Priority: Normal
Reply-To: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
mime-version: 1.0
content-type: multipart/mixed;
boundary="qzsoft_directmail_seperator"
Message-Id: <[EMAIL PROTECTED]>
Date: Mon, 13 Mar 2006 08:35:48 -0500 (EST)
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
X-Spam-Virus: No
===8<---

Now, just why a FORGED amazon.com Received header should cause this set of
rule hits I don't know:



From the looks of it, earthlink is claiming that 80.33.31.58 RDNS'ed as
amazon.com. So apparently this guy managed to forge his RDNS, or earthlink's
header format is weird.

This:

from amazon.com ([80.33.31.58])

Matches the typical behavior of postgress when the RDNS matches the HELO.. I'm
not sure if Earthlink's server does the same.


This does also outline reason why whitelist_from_spf is better than
whitelist_from_rcvd.. Forging RDNS is difficult, but if your ISP gives you
sub-delegation of your RDNS then you can change it to be whatever you want.


58.Red-80-33-31.staticIP.rima-tde.net.

So it's not a forged rdns. Theo got it in one. I commented out the QMAIL
 in Received.pm and the user_whitelist hit went away. I just
entered my confirmation of that "not really a solution" to the bugzilla
site.

(For a long time now I've thought qmail was more a problem than a solution
based on comments and problems with it recounted on this list.)

{^_^}


autolearn=failed ---- after upgrade to 3.11

2006-03-13 Thread Steven Manross
X-Spam-Status: No, score=-2.6 required=5.0
tests=AWL=0.023,BAYES_00=-2.599 
 autolearn=failed version=3.1.1
 
It seems that since upgrading to 3.11 last night, the
autolearn=yes|no|failed always shows up as failed (on all messages).
 
Did I miss something?
 
As well, the headers added by SA (and me [through SA] for MsgID) are now
showing at the top of the headers from the original message as opposed
to near (or at) the bottom (on all messages)..
 
The upgrade seemed to work fine (previous version was 3.02)..  all tests
came back good...  Spam tagging still works great.  The following
headers are from a mail from this list.

I used the InstallingOnWindows WIKI as a guide for the upgrade.

I am using SA 3.11 running on W2K/Exchange 2000 via a PerlScript tied
into Exchange's SMTP engine.

Steven
 

 
Microsoft Mail Internet Headers Version 2.0
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on 
 xxx.xxx.xxx
X-Spam-MsgId: 1142265031.319183
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=5.0
tests=AWL=-1.200,BAYES_00=-2.599,
 RCVD_NUMERIC_HELO=1.5,STOCK_ALERT=2.2,UPPERCASE_25_50=0 autolearn=no 
 version=3.1.1
thread-index: AcZGtdsYoUOdErI8Rl6JuDuKQc06bA==
Received: from mail.apache.org ([209.237.227.199]) by
xxx.xx.xxx with Microsoft SMTPSVC(5.0.2195.6713); Mon, 13
Mar 2006 08:50:30 -0700
Received: (qmail 86421 invoked by uid 500); 13 Mar 2006 15:50:20 -
Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
Precedence: bulk
List-Help: 
List-Unsubscribe: 
List-Post: 
List-Id: 
Content-Class: urn:content-classes:message
Delivered-To: mailing list users@spamassassin.apache.org
Importance: normal
Priority: normal
Received: (qmail 86412 invoked by uid 99); 13 Mar 2006 15:50:20 -
Received: from xxx.xxx.org (HELO x.x.org)
(nnn.nnn.nnn.nn)by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 13 Mar
2006 07:50:20 -0800
X-ASF-Spam-Status: No, hits=3.6
required=10.0tests=FORGED_HOTMAIL_RCVD2,RCVD_NUMERIC_HELO,SPF_HELO_PASS,
SPF_PASS,STOCK_ALERT,UPPERCASE_25_50
Received-SPF: pass (xx..org: domain of
[EMAIL PROTECTED] designates nn.nn.nnn.n as permitted sender)
Received: from [nn.nn.nnn.n] (HELO .x.org) (nn.nn.nnn.n)by
apache.org (qpsmtpd/0.29) with ESMTP; Mon, 13 Mar 2006 07:50:18 -0800
Received: from list by x.xxx.org with local (Exim 4.43) id
1FIpHi-0007S0-07 for users@spamassassin.apache.org; Mon, 13 Mar 2006
16:48:40 +0100
Received: from 15.198.28.205 ([nn.nnn.nn.nnn])by main.gmane.org
with esmtp (Gmexim 0.1 (Debian))id 1AlnuQ-0007hv-00for
; Mon, 13 Mar 2006 16:48:37 +0100
Received: from  by nn.nnn.nnn.nnn with local (Gmexim 0.1
(Debian))id 1AlnuQ-0007hv-00for
; Mon, 13 Mar 2006 16:48:37 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: 
From: "x " <[EMAIL PROTECTED]>
Subject:  Re: encoded spam that got thru
Date:  Mon, 13 Mar 2006 16:47:23 +0100
Lines: 81
Message-ID: <[EMAIL PROTECTED]>
References:  <[EMAIL PROTECTED]>
X-Complaints-To: [EMAIL PROTECTED]
X-Gmane-NNTP-Posting-Host: 15.198.28.205
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
X-RFC2646: Format=Flowed; Original
Sender: "news" <[EMAIL PROTECTED]>
X-Virus-Checked: Checked by ClamAV on apache.org
Return-Path:
<[EMAIL PROTECTED]>
X-OriginalArrivalTime: 13 Mar 2006 15:50:30.0389 (UTC)
FILETIME=[DB004250:01C646B5]
 

 



Whitelist_from_rcvd misfire!!

2006-03-13 Thread jdow

===8<---
Return-Path: <[EMAIL PROTECTED]>
Received: from smtp.earthlink.net [209.86.93.205]
by localhost with POP3 (fetchmail-6.2.5.5)
for [EMAIL PROTECTED] (single-drop); Mon, 13 Mar 2006 05:36:39 -0800 (PST)
Received: from amazon.com ([80.33.31.58])
by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 
1fiNda4KB3Nl34g0
for <[EMAIL PROTECTED]>; Mon, 13 Mar 2006 08:35:48 -0500 (EST)
From: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
To: jdow <[EMAIL PROTECTED]>
Subject: PLEASE RESPOND ASAP
X-Priority: 3
X-MSMail-Priority: Normal
Reply-To: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
mime-version: 1.0
content-type: multipart/mixed;
boundary="qzsoft_directmail_seperator"
Message-Id: <[EMAIL PROTECTED]>
Date: Mon, 13 Mar 2006 08:35:48 -0500 (EST)
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
X-Spam-Virus: No
===8<---

Now, just why a FORGED amazon.com Received header should cause this set of
rule hits I don't know:

===8<---
X-Spam-Checker-Version: SpamAssassin 3.0.5 (2005-06-05) on
   morticia.wizardess.wiz
X-Spam-Level:
X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_99,DEAR_FRIEND,
   JD_MY_NAME,JD_TO_EARTHLINK,JD_USDOLLARS,MIME_BASE64_TEXT,
   MISSING_MIMEOLE,MSGID_FROM_MTA_ID,PRIORITY_NO_NAME,RCVD_IN_XBL,
   SARE_BOUNDARY_QZSOFT,SARE_LWOILCO,SARE_SXLIFE,SUBJ_ALL_CAPS,
   USER_IN_DEF_WHITELIST autolearn=disabled version=3.0.5
===8<---
   ^ That rule let it sail on through with its
-15 score.

{o.o}


RE: X-Spam-Status settings

2006-03-13 Thread Steven Manross
_TESTSSCORES(,)_




From: Shane Mullins [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 13, 2006 1:22 PM
To: users@spamassassin.apache.org
Subject: X-Spam-Status settings


I have forgotten the setting that tells SA to include the point
value for each of the hits the incoming message was flagged on.  I
searched the web and looked in my book, but can't seem to find it.
Could someone please jog my memory?
 
 
Thanks 
Shane




RE: autolearn=failed ---- after upgrade to 3.11

2006-03-13 Thread Steven Manross
> > It seems that since upgrading to 3.11 last night, the 
> > autolearn=yes|no|failed always shows up as failed (on all messages).
> >  
> > Did I miss something?
> 
> Generally "Failed" means that SA somehow can't access the 
> bayes database to write to it.
> 
> Have you tried sa-learn --sync and then sa-learn --dump magic 
> to see if those tools find the bayes database correctly?
> 
I had run the --sync last night...

I just ran the --dump (no issues)

C:\Perl\bin>sa-learn --dump
0.000  0  3  0  non-token data: bayes db version
0.000  0  74899  0  non-token data: nspam
0.000  0  36273  0  non-token data: nham
0.000  0 122147  0  non-token data: ntokens
0.000  0 1140696522  0  non-token data: oldest atime
0.000  0 1142280376  0  non-token data: newest atime
0.000  0  0  0  non-token data: last journal sync atime
0.000  0 1142162419  0  non-token data: last expiry atime
0.000  0 1466085  0  non-token data: last expire atime delta
0.000  0  31761  0  non-token data: last expire reduction count

> What about spamassassin --lint to check for config-file errors?
> 
Good suggestion..  I forgot to do that.

It found 2 lint issues:
use_razor 0
use_dcc 0 

Which I removed after remembering about those getting moved to plugins.

And I ran --lint again just for sanity sake -- without error.

It looks like the autolearn is working now.

Does anyone have any ideas on the "misplaced" headers?  Or is that a new
de facto standard?

Steven


Re: CID2SPF

2006-03-13 Thread Matthias Fuhrmann
On Mon, 13 Mar 2006, Eric W. Bates wrote:

> Sorry to rehash what must be an old question...
>
> I can't find LMAP/CID2SPF on CPAN or FreeBSD ports. I found an old list
> item suggesting that there was a download link at:
> http://www.openspf.org/downloads.html
> This link appears to be gone at the moment.
>
> Should I just ignore the errors in the log; or is there someplace to
> grab the module?

you can d/l it here: http://www.baschny.de/spf/LMAP-CID2SPF-0.9.tar.gz

regards,
Matthias


RE: autolearn=failed ---- after upgrade to 3.11

2006-03-13 Thread Steven Manross
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED] 
> Sent: Monday, March 13, 2006 1:35 PM
> To: Steven Manross
> Cc: users@spamassassin.apache.org
> Subject: Re: autolearn=failed  after upgrade to 3.11
> 
> Steven Manross wrote:
> 
> > It looks like the autolearn is working now.
> > 
> > Does anyone have any ideas on the "misplaced" headers?  Or 
> is that a 
> > new de facto standard?
> 
> You mean this:
> > As well, the headers added by SA (and me [through SA] for 
> MsgID) are 
> > now showing at the top of the headers from the original message as 
> > opposed to near (or at) the bottom (on all messages)..
> 
> That's a new standard. It is *required* to avoid breaking the 
> signature of any messages that are signed with domainkeys. 
> (ie: all of yahoo.com)

Correct..  Thank you..  I didn't know.  

I appreciate all the help.

> 
> 


Re: autolearn=failed ---- after upgrade to 3.11

2006-03-13 Thread Matt Kettler
Steven Manross wrote:

> It looks like the autolearn is working now.
> 
> Does anyone have any ideas on the "misplaced" headers?  Or is that a new
> de facto standard?

You mean this:
> As well, the headers added by SA (and me [through SA] for MsgID) are now
> showing at the top of the headers from the original message as opposed
> to near (or at) the bottom (on all messages)..

That's a new standard. It is *required* to avoid breaking the signature of any
messages that are signed with domainkeys. (ie: all of yahoo.com)


Re: Whitelist_from_rcvd misfire!!

2006-03-13 Thread Matt Kettler
jdow wrote:
> ===8<---
> Return-Path: <[EMAIL PROTECTED]>
> Received: from smtp.earthlink.net [209.86.93.205]
> by localhost with POP3 (fetchmail-6.2.5.5)
> for [EMAIL PROTECTED] (single-drop); Mon, 13 Mar 2006 05:36:39
> -0800 (PST)
> Received: from amazon.com ([80.33.31.58])
> by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
> 1fiNda4KB3Nl34g0
> for <[EMAIL PROTECTED]>; Mon, 13 Mar 2006 08:35:48 -0500 (EST)
> From: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
> To: jdow <[EMAIL PROTECTED]>
> Subject: PLEASE RESPOND ASAP
> X-Priority: 3
> X-MSMail-Priority: Normal
> Reply-To: LARISA SOSNITSKAYA <[EMAIL PROTECTED]>
> mime-version: 1.0
> content-type: multipart/mixed;
> boundary="qzsoft_directmail_seperator"
> Message-Id: <[EMAIL PROTECTED]>
> Date: Mon, 13 Mar 2006 08:35:48 -0500 (EST)
> X-ELNK-AV: 0
> X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
> X-Spam-Virus: No
> ===8<---
> 
> Now, just why a FORGED amazon.com Received header should cause this set of
> rule hits I don't know:

From the looks of it, earthlink is claiming that 80.33.31.58 RDNS'ed as
amazon.com. So apparently this guy managed to forge his RDNS, or earthlink's
header format is weird.

This:

 from amazon.com ([80.33.31.58])

Matches the typical behavior of postgress when the RDNS matches the HELO.. I'm
not sure if Earthlink's server does the same.


This does also outline the reason why whitelist_from_spf is better than
whitelist_from_rcvd.. Forging RDNS is difficult, but if your ISP gives you
sub-delegation of your RDNS then you can change it to be whatever you want.
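
The contrast drawn in the reply above, as an added illustration that is not part of the original post and is not SpamAssassin's implementation: a trust decision resting on the relay name in a Received line next to one resting on the connecting IP and a record published by the sender's domain. The sender address, whitelist entry, second Received line and SPF record are constructed, and the SPF check is simplified to `ip4:` mechanisms.

```python
"""Name-based relay whitelisting vs. an SPF-style IP check.

Added illustration, not SpamAssassin's implementation. The sender address,
whitelist entry, second Received line and SPF record are constructed.
"""
import fnmatch
import ipaddress
import re

# Received line from the thread (wrapped lines joined, trailing fields dropped).
THREAD_RECEIVED = ("from amazon.com ([80.33.31.58]) by "
                   "mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP")
# Constructed line in the unambiguous "HELO (rDNS [IP])" layout.
OTHER_RECEIVED = "from mail-out (relay1.amazon.com [192.0.2.25]) by mx.example.net with ESMTP"

SENDER = "orders@amazon.com"                      # constructed envelope sender
WHITELIST_ENTRY = ("*@amazon.com", "amazon.com")  # constructed (address glob, relay domain)
SPF_RECORDS = {"amazon.com": "v=spf1 ip4:192.0.2.0/24 -all"}  # constructed, not a real record

TWO_NAMES = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)")
ONE_NAME = re.compile(r"^from\s+(?P<name>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\)")


def parse_received(line):
    """Return helo/rdns/ip for the two layouts above, or None."""
    m = TWO_NAMES.match(line)
    if m:
        return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"], "ambiguous": False}
    m = ONE_NAME.match(line)
    if m:
        # Only one name is present: it may be the client-supplied HELO or the
        # PTR name. Reading it as rDNS is the interpretation discussed above.
        return {"helo": m["name"], "rdns": m["name"], "ip": m["ip"], "ambiguous": True}
    return None


def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def name_based_match(sender, relay, entry):
    """Trust decision that rests only on the relay's claimed name."""
    addr_glob, relay_domain = entry
    return (fnmatch.fnmatchcase(sender.lower(), addr_glob.lower())
            and in_domain(relay["rdns"], relay_domain))


def spf_ip_permitted(ip, sender, records):
    """Simplified SPF: evaluates ip4: mechanisms only, everything else is ignored."""
    domain = sender.rsplit("@", 1)[-1].lower()
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(term[4:], strict=False)
               for term in record.split()[1:] if term.startswith("ip4:"))


def evaluate(line):
    """Run both checks against one Received line."""
    relay = parse_received(line)
    return {
        "ip": relay["ip"],
        "ambiguous_name": relay["ambiguous"],
        "name_based": name_based_match(SENDER, relay, WHITELIST_ENTRY),
        "spf_based": spf_ip_permitted(relay["ip"], SENDER, SPF_RECORDS),
    }


if __name__ == "__main__":
    for line in (THREAD_RECEIVED, OTHER_RECEIVED):
        print(evaluate(line))
```

For the Received line from the thread the name-based check accepts the message while the IP-based check rejects it; for the constructed line whose IP falls inside the published range both accept.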







RE: Spamc child process limit?

2006-03-13 Thread Bradley Walker
Actually my server logs don't show "server reached" messages.  Rather I'm
still fighting a nasty battle of getting SpamAssassin to work in conjunction
with Exim.  I've posted numerous times on this issue only to get no
resolution.  The whole problem lies with SpamAssassin it seems.  As soon as
I run the command in question, SpamAssassin begins to work normally.  

However after about 2-3 hours mail randomly starts getting returned to the
sender with 421 BSMTP timeout errors.  It doesn't matter if the sender is a
client on my server, or someone using a Yahoo account, about 50-75% of mail
that is sent is returned undeliverable with that 421 BSMTP timeout error
message.  Then on top of that tons of messages start being frozen in the
Exim queue list.   As soon as I kill any spamd/spamc processes everything
goes right back to normal with 100% delivery success on the part of Exim.

I was wondering if having 5 child processes was too little and causing
SpamAssassin to be overloaded thus causing Exim to time out the messages
because SpamAssassin hadn't yet scanned them.  That’s just a theory, but
Exim has worked flawlessly for 3 months now without SpamAssassin since the
original problem developed.  Inside of my WebMin control panel it's showing
that I'm having around 14,000 messages being delivered per hour (I think
that is incorrect as my /var/log/maillog is at 1.6gb and hasn't been flushed
in 6 months) but I'm wondering if increasing the child processes would help?

Also for whatever it's worth, I'm seeing these SpamAssassin related error
messages:

(2) × advertising@.com F= R=spamcheck_director T=spamcheck:
Child process of spamcheck transport returned 2 from command: /usr/sbin/exim
(preceded by transport filter timeout while writing to pipe)



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mike Jackson
Sent: Monday, March 13, 2006 3:06 PM
To: [EMAIL PROTECTED]; users@spamassassin.apache.org
Subject: Re: Spamc child process limit?

> I'm still working on my server that is having problems with running 
> spamassassin 3.10 and exim 4.60.  Currently the command I run is spamd 
> -d -c -m 5 to have it use 5 child processes.  Is there some sort of 
> recommended ratio to amount of processed email to how many max child 
> processes I should run?  Currently my server load is less than 0.01 - 
> 0.01 - 0.01 each day.

It's probably going to depend on your mail volume. You could probably figure
it out based on how long it takes to process an average message to find out
how many messages (theoretically) you'd be processing at any given time. Or,
just look in your logs for how often this occurs:

prefork: server reached --max-clients setting, consider raising it

If you don't see it, then you're probably fine. If you do see it, turn up
your -m option until you don't, or you run out of server resources,
whichever comes first.  :) 




Re: X-Spam-Status settings

2006-03-13 Thread Matthias Fuhrmann
On Mon, 13 Mar 2006, Shane Mullins wrote:

Hi,

> I have forgotten the setting that tells SA to include the point value
> for each of the hits the incoming message was flagged on.  I searched
> the web and looked in my book, but can't seem to find it.  Could someone
> please jog my memory?

"add_header all Report _REPORT_"
or
"add_header all Summary _SUMMARY_"

regards,
Matthias


CID2SPF

2006-03-13 Thread Eric W. Bates
Sorry to rehash what must be an old question...

I can't find LMAP/CID2SPF on CPAN or FreeBSD ports. I found an old list
item suggesting that there was a download link at:
http://www.openspf.org/downloads.html
This link appears to be gone at the moment.

Should I just ignore the errors in the log; or is there someplace to
grab the module?

Thanks for your time.


RE: X-Spam-Status settings

2006-03-13 Thread Bowie Bailey
Steven Manross wrote:
> _TESTSSCORES(,)_
> 
> From: Shane Mullins [mailto:[EMAIL PROTECTED]
> 
> > I have forgotten the setting that tells SA to include the point
> > value for each of the hits the incoming message was flagged on.  I
> > searched the web and looked in my book, but can't seem to find it.
> > Could someone please jog my memory?

Or were you looking for the X-Spam-Report header?

add_header all Report _REPORT_

-- 
Bowie


Re: Whitelist_from_rcvd misfire!!

2006-03-13 Thread Theo Van Dinter
On Mon, Mar 13, 2006 at 12:29:49PM -0800, jdow wrote:
> Received: from smtp.earthlink.net [209.86.93.205]
> by localhost with POP3 (fetchmail-6.2.5.5)
> for [EMAIL PROTECTED] (single-drop); Mon, 13 Mar 2006 05:36:39 
> -0800 (PST)
> Received: from amazon.com ([80.33.31.58])
> by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 
> 1fiNda4KB3Nl34g0
> for <[EMAIL PROTECTED]>; Mon, 13 Mar 2006 08:35:48 -0500 (EST)

I haven't looked into it, but it looks like this may be related to
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4813

-- 
Randomly Generated Tagline:
"I don't get the army: they kick you out for being gay, but their big plan to
 improve moral is a make-over." - Bill Maher




Re: [sa-list] Re: Spamd keeps getting hung up!

2006-03-13 Thread Dan Mahoney, System Admin

On Fri, 10 Mar 2006, Dan Mahoney, System Admin wrote:

Okay.  SpamAssassin 3.1.1 -- same problems.  Uninitialized values, bad 
match strings, and the ever popular "spamd uses all its children and the 
spam keeps flowing".


http://www.gushi.org/maillogAGAIN.txt  (warning, 20 megs)

The user in question this time would be "cww"...I believe it was around 
2:17 AM.


Any other ideas would be GREATLY appreciated.  If you want a shell so you 
can run an strace or can give me a good line that I can use to capture all 
the messages (a debug module would be great for this)...


-Dan

--

"She's been getting attacked by these leeches, they're leaving these marks
all over her neck. You gotta keep her out of those woods.  If one more
leech gets her, she's gonna get a smack."

-Someone's Mother, December 18th, 1998

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



X-Spam-Status settings

2006-03-13 Thread Shane Mullins



I have forgotten the setting that tells SA to 
include the point value for each of the hits the incoming message was flagged 
on.  I searched the web and looked in my book, but can't seem to find 
it.  Could someone please jog my memory?
 
 
Thanks 
Shane
 


Re: Spamc child process limit?

2006-03-13 Thread Mike Jackson

> I'm still working on my server that is having problems with running
> spamassassin 3.10 and exim 4.60.  Currently the command I run is
> spamd -d -c -m 5 to have it use 5 child processes.  Is there some sort
> of recommended ratio to amount of processed email to how many max child
> processes I should run?  Currently my server load is less than 0.01 -
> 0.01 - 0.01 each day.


It's probably going to depend on your mail volume. You could probably figure 
it out based on how long it takes to process an average message to find out 
how many messages (theoretically) you'd be processing at any given time. Or, 
just look in your logs for how often this occurs:


prefork: server reached --max-clients setting, consider raising it

If you don't see it, then you're probably fine. If you do see it, turn up 
your -m option until you don't, or you run out of server resources, 
whichever comes first.  :) 
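
Both checks suggested above (counting the prefork warning, and estimating concurrency from scan time), as an added example that is not code from the thread. The log lines are constructed in spamd's usual syslog layout, and the 14,000 messages/hour input is the figure another poster in this thread reported and doubted.

```python
"""Sizing spamd's -m (max children) from its own log.

Added example; the log lines below are constructed.
"""
import math
import re
from collections import Counter

SAMPLE_LOG = """\
Mar 13 14:02:11 mail spamd[2101]: spamd: clean message (0.9/5.0) for brad:1001 in 2.0 seconds, 3120 bytes.
Mar 13 14:02:15 mail spamd[2102]: spamd: identified spam (12.4/5.0) for brad:1001 in 4.0 seconds, 5210 bytes.
Mar 13 14:02:16 mail spamd[2099]: prefork: server reached --max-clients setting, consider raising it
Mar 13 14:40:03 mail spamd[2099]: prefork: server reached --max-clients setting, consider raising it
Mar 13 15:01:47 mail spamd[2103]: spamd: clean message (-2.6/5.0) for brad:1001 in 3.0 seconds, 1877 bytes.
Mar 13 15:01:50 mail spamd[2099]: prefork: server reached --max-clients setting, consider raising it
"""

# "Mar 13 14" taken from a syslog timestamp "Mar 13 14:02:11".
HOUR = re.compile(r"^(\w{3}\s+\d+\s+\d{2}):")
# Per-message result lines carry the scan duration.
SCAN = re.compile(r"spamd: (?:clean message|identified spam) \([^)]*\) "
                  r"for \S+ in ([0-9.]+) seconds")
MAXED = "prefork: server reached --max-clients setting"


def max_clients_hits_per_hour(log):
    """Count the prefork warning per clock hour."""
    hits = Counter()
    for line in log.splitlines():
        if MAXED in line:
            m = HOUR.match(line)
            if m:
                hits[m.group(1)] += 1
    return hits


def mean_scan_seconds(log):
    """Average scan time over all result lines, or None if there are none."""
    times = [float(m.group(1)) for m in SCAN.finditer(log)]
    return sum(times) / len(times) if times else None


def children_needed(messages_per_hour, mean_seconds):
    """Little's law: messages in progress = arrival rate x time per message."""
    return math.ceil(messages_per_hour * mean_seconds / 3600)


if __name__ == "__main__":
    print(dict(max_clients_hits_per_hour(SAMPLE_LOG)))
    avg = mean_scan_seconds(SAMPLE_LOG)
    print("mean scan:", avg, "s")
    print("children for 14000 msg/h:", children_needed(14000, avg))
```

The estimate is an average; bursts need headroom on top of it, which is what the per-hour warning count reveals.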



Spamc child process limit?

2006-03-13 Thread Bradley Walker



I'm still working on 
my server that is having problems with running spamassassin 3.10 and exim 
4.60.  Currently the command I run is spamd -d -c -m 5 to have it use 5 
child processes.  Is there some sort of recommended ratio to amount of 
processed email to how many max child processes I should run?  Currently my 
server load is less than 0.01 - 0.01 - 0.01 each day.
 
Thoughts?
 
Brad


Re: autolearn=failed ---- after upgrade to 3.11

2006-03-13 Thread Matt Kettler
Steven Manross wrote:
> X-Spam-Status: No, score=-2.6 required=5.0
> tests=AWL=0.023,BAYES_00=-2.599 
>  autolearn=failed version=3.1.1
>  
> It seems that since upgrading to 3.11 last night, the
> autolearn=yes|no|failed always shows up as failed (on all messages).
>  
> Did I miss something?

Generally "Failed" means that SA somehow can't access the bayes database to
write to it.

Have you tried sa-learn --sync and then sa-learn --dump magic to see if those
tools find the bayes database correctly?

What about spamassassin --lint to check for config-file errors?


Re: X-Spam-Relay-Country header always empty

2006-03-13 Thread Matthias Fuhrmann
On Mon, 13 Mar 2006, Scott Russell wrote:

Hi,

> I've seen this under both SA 3.1.0 and 3.1.1 and I have IP::Country 2.20
> installed. If I enable debug mode in spamd I see
> Mail::SpamAssassin::Plugin::RelayCountry load. When processing a message
> through spamd I also see metadata: X-Relay-Countries: US ** US US ** US
> US US DE SK SK SK GB EU
>
> This to me says that the plugin is working as expected. I wanted to add
> this information to the headers so I add_header all Relay-Country
> _RELAYCOUNTRY_ however the X-Spam-Relay-Country header is always empty.
>
> Any clues?

it depends on your configuration, on how you invoke spamd/spamc. on my
system we are using sendmail and a milter application. so these header
additions using "add_header" won't work, since all header information were
delivered by the milter application to sendmail, which builds the final
header.
tell something more about your configuration and i guess, the list might
help you.

regards,
Matthias


RE: autolearn=failed ---- after upgrade to 3.11

2006-03-13 Thread Steven Manross
> -Original Message-
> From: Steven Manross 
> Sent: Monday, March 13, 2006 12:46 PM
> To: users@spamassassin.apache.org
> Subject: autolearn=failed  after upgrade to 3.11
> 
> X-Spam-Status: No, score=-2.6 required=5.0
> tests=AWL=0.023,BAYES_00=-2.599
>  autolearn=failed version=3.1.1
>  
> It seems that since upgrading to 3.11 last night, the 
> autolearn=yes|no|failed always shows up as failed (on all messages).

Hmmm..  See below (but it's apparently not always)

>  
> Did I miss something?
>  
> As well, the headers added by SA (and me [through SA] for 
> MsgID) are now showing at the top of the headers from the 
> original message as opposed to near (or at) the bottom (on 
> all messages)..
>  
> The upgrade seemed to work fine (previous version was 3.02).. 
>  all tests came back good...  Spam tagging still works great. 
>  The following headers are from a mail from this list.
> 
> I used the InstallingOnWindows WIKI as a guide for the upgrade.
> 
> I am using SA 3.11 running on W2K/Exchange 2000 via a 
> PerlScript tied into Exchange's SMTP engine.
> 
> Steven
>  
> 
>  
> Microsoft Mail Internet Headers Version 2.0
> X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on  
> xxx.xxx.xxx
> X-Spam-MsgId: 1142265031.319183
> X-Spam-Level: 
> X-Spam-Status: No, score=-0.1 required=5.0 
> tests=AWL=-1.200,BAYES_00=-2.599,  
> RCVD_NUMERIC_HELO=1.5,STOCK_ALERT=2.2,UPPERCASE_25_50=0 autolearn=no
>  version=3.1.1

Ok...  Apparently it's not always...  LOL..  But until I doublechecked
these headers just now, every message that I was looking at had failed.

> thread-index: AcZGtdsYoUOdErI8Rl6JuDuKQc06bA==
> Received: from mail.apache.org ([209.237.227.199]) by 
> xxx.xx.xxx with Microsoft SMTPSVC(5.0.2195.6713); 



Re: Fwd: 70_sare_whitelist_rcvd.cf suggestions

2006-03-13 Thread Kelson

Robert Menschel wrote:

> I'm not familiar enough with the newsletters below to know whether
> they should be whitelisted.  Can anyone confirm that these newsletters
> (which apparently do get flagged as spam, at least from time to time)
> should be whitelisted?  Does anyone have any objections to
> whitelisting them?
>
> ...
> whitelist_from_rcvd  [EMAIL PROTECTED] bluehornet.com  # Deep Discount DVD newsletter
>
> Note:  My system's emails from deepdiscountdvdpromotions.com seem to
> come through multiple servers, digitalriver.com, outblaze.com,
> bluehornet.com, etc. If the newsletter moves from server to server
> (perhaps to get the cheapest mass emailing deal), it can be very hard
> to whitelist them.


I can confirm this one as both legit and a frequent false positive (in 
part because of the 7 consonants in a row in the domain name, which 
scores 2.1 points in a network+bayes setup)  Actually, it hasn't been 
too bad the last month or so, but it was hitting the filters quite a bit 
in January when their outgoing server had a bad HELO config.  Feeding a 
bunch of 'em into Bayes probably helped, too.


On top of the rotating providers, they use at least two different domain 
names -- this one for their newsletter, and just deepdiscountdvd.com for 
transactional messages like order confirmations and password reminders. 
 They really don't make themselves easy to whitelist!  However, I've 
never seen them do anything black-hat or even grey-hat.


--
Kelson Vibber
SpeedGate Communications 


Re: sa-learn in 3.1.1

2006-03-13 Thread Theo Van Dinter
On Mon, Mar 13, 2006 at 07:45:47PM +0100, Cedric Foll wrote:
> So by default, spamassassin read /usr/share/spamassassin and next /var/lib.
> And rules of /var/lib overwrite the ones of /usr/share/spamassassin.
> 
> I'm right ?

Not really.  For rules, /var/lib/spamassassin overrides the use of
/usr/share/spamassassin completely if it exists.  There can possibly
be other files which are used from either (things like "languages",
etc,) fyi.

-- 
Randomly Generated Tagline:
"90% of this game is half mental."  - Yogi Berra




Re: sa-learn in 3.1.1

2006-03-13 Thread Cedric Foll

> sa-learn doesn't install any rules.  Perhaps you mean sa-update?  There's
>   
yes sorry.

> Nope.  Once the files are installed in the /var/lib area, you're fine.
> When you next run "spamassassin" (or restart spamd, etc,) it will use
> the new rule files.
>   
So by default, spamassassin read /usr/share/spamassassin and next /var/lib.
And rules of /var/lib overwrite the ones of /usr/share/spamassassin.

I'm right ?

Regards.


Re: sa-learn in 3.1.1

2006-03-13 Thread Matthias Fuhrmann
On Mon, 13 Mar 2006, Theo Van Dinter wrote:

> On Mon, Mar 13, 2006 at 07:45:47PM +0100, Cedric Foll wrote:
> > So by default, spamassassin read /usr/share/spamassassin and next /var/lib.
> > And rules of /var/lib overwrite the ones of /usr/share/spamassassin.
> >
> > I'm right ?
>
> Not really.  For rules, /var/lib/spamassassin overrides the use of
> /usr/share/spamassassin completely if it exists.  There can possibly
> be other files which are used from either (things like "languages",
> etc,) fyi.

i was about copying the updates over the default install
(/opt/gnu/share/spamassassin on my machine). but your mail
arrived just in time.
guess there is a need to update the manpage for sa-update!
couldn't find any information on how to handle the updates.

regards,
Matthias


Re: No report Template Found

2006-03-13 Thread Theo Van Dinter
On Mon, Mar 13, 2006 at 11:14:43AM -0300, Pablo Allietti wrote:
> hi all, i upgrade my version of spamassassin in freebsd from 2.x to 3.x
> and now when a e-mail has detected like spam in body of message i have
> this 
> (no report template found)
>  and no scores show me. 
> i miss any file?

It sounds like the default rules files (includes the default report template)
weren't installed or detected.  I'd suggest trying a reinstall and see if that
fixes things.  If you're using a package as opposed to the source, perhaps
there's another package you need or a bug in the packaging?

-- 
Randomly Generated Tagline:
Wizard's Guild parking only.  Violators will be toad.




Re: sa-learn in 3.1.1

2006-03-13 Thread Theo Van Dinter
On Mon, Mar 13, 2006 at 12:01:01PM +0100, Cedric Foll wrote:
> sa-learn by default install rules in
> /var/lib/spamassassin/3.001001/updates_spamassassin_org/.
> I wonder why it doesn't copy them in /usr/share/spamassassin/ ?
> Is it for safety reason (ie avoid automatically use of new rules).

sa-learn doesn't install any rules.  Perhaps you mean sa-update?  There's
several reasons, but they generally all come down to two things.  First,
/usr/share/spamassassin is the location for SpamAssassin releases to put
the rules and related files, but sa-update isn't a SpamAssassin release
so it puts the files elsewhere.  Second, it was generally felt that /var
was the correct place to put updates, following things like the Filesystem
Hierarchy Standard (http://www.pathname.com/fhs/pub/fhs-2.3.html).

> Are we supposed to do a
> "cp /var/lib/spamassassin/3.001001/updates_spamassassin_org/
> /usr/share/spamassassin/" after update ?

Nope.  Once the files are installed in the /var/lib area, you're fine.
When you next run "spamassassin" (or restart spamd, etc,) it will use
the new rule files.

> /var/lib seem to be the content of the "__local_state_dir__".
> What's that ?

Sort of, local_state_dir is /var/lib which turns into
/var/lib/spamassassin/version internally.  As for what it is ... the
local state dir is the directory where updates go. ;)

-- 
Randomly Generated Tagline:
"Hoping the problem magically goes away by ignoring it is the 'Microsoft
 approach to programming' and should never be allowed."  - Linus Torvalds




X-Spam-Relay-Country header always empty

2006-03-13 Thread Scott Russell

Greets.

I've seen this under both SA 3.1.0 and 3.1.1 and I have IP::Country 2.20 
installed. If I enable debug mode in spamd I see 
Mail::SpamAssassin::Plugin::RelayCountry load. When processing a message 
through spamd I also see metadata: X-Relay-Countries: US ** US US ** US 
US US DE SK SK SK GB EU


This to me says that the plugin is working as expected. I wanted to add 
this information to the headers so I add_header all Relay-Country 
_RELAYCOUNTRY_ however the X-Spam-Relay-Country header is always empty.


Any clues?

--
Scott Russell <[EMAIL PROTECTED]>
IBM Linux Technology Center System Admin


Re: Yum & 3.0.5

2006-03-13 Thread Tim Jackson
Nigel Frankcom wrote:

> I installed 3.1.1 today on a fresh CentOS install and foolishly
> neglected to check it hadn't already installed an older version of SA.
> Now when I run yum update it lists 3.0.5 as an update. I've installed
> 3.1.1 from source and am wondering if using yum remove for the 3.0.5
> install will fubar anything else?

It may possibly overwrite some files from 3.1.1 depending on where you
installed them, although I'm not sure whether RPM will do a hash sanity
check on the files before removing them. I'm not sure it does for
non-config files. So you might find the yum remove kills your install
and you have to reinstall 3.1.1.

Much better is to actually install 3.1.1 as an RPM package (build your
own based on the CentOS source RPM if nobody else has done one).
Half-package managing a system (i.e. installing some things from source,
whilst upgrading others with automated tools) rarely ends up as anything
but confusing. e.g. if you want to install something from the OS base
which *is* packaged but depends on SA, it won't work (failed deps) if
you've installed SA from source, etc.

If you haven't done it before, building your own RPMs is usually fairly
easy especially if you have recent examples (e.g. the 3.0.5 CentOS one)
to work from.

Tim


Re: encoded spam that got thru

2006-03-13 Thread Eric W. Bates
Jeremy Fairbrass wrote:
> Hi Eric,
> The text there is encoded with base64, which is decoded into the "proper" 
> text by the mail client. SpamAssassin will also decode it before running its 
> rules against it, for "body" or "rawbody" rules, which means SpamAssassin 
> will be able to filter it out whether the text was encoded with base64 or 
> was sent as plain text.
> 
> Without being able to decode that block of stuff myself and thus see what it 
> says, I'd suggest firstly making sure you're using the URIBL/SURBL network 
> checks (in case this spam had any web links in it), and also use the SARE 
> stock rules at http://www.rulesemporium.com/rules.htm#stocks (you might find 
> the other rules on that page useful in general too).
> 
> Cheers,
> Jeremy

That's helpful, thank you.

Running the message thru SA by hand, it comes up with a score of 30+.

> "Eric W. Bates" <[EMAIL PROTECTED]> wrote in message 
> news:[EMAIL PROTECTED]
> 
>>I don't even understand how the following message works (let alone how
>>to block it).
>>
>>It simply has a chunk of what looks like encoded binary; and yet,
>>thunderbird renders it as a stock announcement (as I write this, I
>>wonder whether the good readers of this list are likely to the ascii
>>block, or the rendered version?  view source for me please).  The
>>header: "Content-Transfer-Encoding: base64" should probably give me a 
>>clue.
>>
>>How do we filter out spam like this?  This got 0 hits.
>>
>>Thanks for your time.
>>
>>[snip]
>>X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on 
>>ace1.vineyard.net
>>X-Spam-Level:
>>X-Spam-Status: No, hits=0.0 required=5.0 tests=EMPTY_MESSAGE=,
>>FM_NO_FROM_OR_TO=,FM_NO_TO=,MISSING_SUBJECT=,NO_RECEIVED=,TO_CC_NONE=
>>bayes=0.5 autolearn=failed version=3.1.0
>>
>>[snip]
>>
>>From: "Roxie F. Hankins" <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED], [EMAIL PROTECTED]
>>Subject: Focus Stock Alert
>>Date: Sat, 11 Mar 2006 23:33:30 +
>>MIME-Version: 1.0
>>Content-Type: text/plain
>>Content-Transfer-Encoding: base64
>>X-Virus-Scanned: by AMaViS-ace1 at Vineyard.NET
>>
>>SW4gdGhlIGN1cnJlbnQgb2lsIG1hcmtldCwgc2VsZWN0IHNtYWxsIGVuZXJn
>>eSBkZWFscyBhcmUgZmx5aW5nLiAgDQpXaXRoIGdyb3dpbmcgZGVtYW5kLCBz
>>aHJpbmtpbmcgc3VwcGxpZXMsIGFuZCBnb3Zlcm5tZW50IHN1cHBvcnQgDQpm
>>b3IgZG9tZXN0aWMgZW5lcmd5IHByb2plY3RzLCBpcyB0aGVyZSBhIGJldHRl
>>ciBzZWN0b3IgdG8gaW52ZXN0IGluPyANCkhlcmUncyBvdXIgbmV4dCB3aW5u
>>ZXI6DQoNCkNvOiBQcmVtaXVtIFBldHJvfF9ldW0gSW5jLg0KU3ltOiBQIFAg
>>VCB8XyAgDQpDdXJyZW50bHkgVHJhZGluZyBhdDogJDAuMDIgICAgDQoxIFdl
>>ZWtfVGFyZ2V0X1ByaWNlOiAgJDAuMTANCg0KQSBNYXNzaXZlIFBSIENhbXBh
>>aWduIGlzIFVuZGVyd2F5IGZvciBGcmlkYXkgaW50byBuZXh0IHdlZWshIQ0K
>>U3RhcnRpbmcgYXQgb25seSAyIGNlbnRzIHRoZSBHYWlucyB3aWxsIGJlIHRy
>>ZW1lbmRvdXMhIQ0KDQpIVUdFIG5ld3MgY29taW5nIG91dCBmb3IgUCBQIFQg
>>fF8uIERpZCB0aGV5IHN0cmlrZSBvaWw/DQpQbGVhc2UgcmVhZCBhbGwgdGhl
>>IGxhdGVzdCBQcmVzcyBSZWxlYXNlcyBvbiB0aGUgY29tcGFueS4NCldlIGFk
>>dmlzZSBvdXIgcmVhZGVycyB0byBnZXQgaW4gZWFybHkhIFRoaXMgb25lIGlz
>>IGdvaW5nIHVwIGZhc3QhDQoNClByZW1pdW0gUGV0cm9sZXVtLCBJbmMuIGlz
>>IGEgZGl2ZXJzaWZpZWQgZW5lcmd5IGNvbXBhbnkgZm9jdXNlZCBvbiANCmV4
>>cGxvaXRpbmcgdGhlIHZhc3Qgb2lsIGFuZCBnYXMgcmVzZXJ2ZXMgb2YgTm9y
>>dGhlcm4gQ2FuYWRhLiBXaXRoIGEgDQpzdHJvbmcgbWFuYWdlbWVudCBhbmQg
>>dGVjaG5pY2FsIHRlYW0sIFByZW1pdW0gUGV0cm9sZXVtIHdpbGwgYXBwbHkg
>>DQppbm5vdmF0aXZlIHRlY2hub2xvZ2llcyB0b3dhcmRzIHRoZSBkaXNjb3Zl
>>cnkgYW5kIGRldmVsb3BtZW50IG9mIGEgDQpkaXZlcnNlIHBvcnRmb2xpbyBv
>>ZiBoaWdoIHZhbHVlLCBsb3cgcmlzayBlbmVyZ3kgcHJvamVjdHMuICANCiAg
>>ICAgICAgICAgICANCiAgICAgICAgICAqIEdPT0QgTFVDSyAmIFRSQURFIE9V
>>VCBUSEUgVE9QICo=
>>
>>
>>
> 
> 
> 
> 
> 



Re: SA rule for userid in subject?

2006-03-13 Thread Jonathan Engbrecht




Thanks all.  I'm test driving the below-listed rule and it seems to be
good and fast as you suggest.

I'm a bit jittery on the multi-line rules right now due to an
"incident" with what I thought was a brilliant RE that ended up gumming
up our system really bad a few weeks back.

Thanks again.
Jonathan.

Ruben Cardenal wrote:

  That doesn't kill performance, sorry. I get average times of 0.1-0.3
seconds/mail using that rule (and a lot of other ones) while the cpu lives
happily. In several servers. You don't need a plugin for that.

Ruben

  
  
-Original message-
From: Matt Kettler [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 10, 2006 21:57
To: Ruben Cardenal
CC: users@spamassassin.apache.org
Subject: Re: SA rule for userid in subject?

Ruben Cardenal wrote:


  Hi,

  Loren answered that a month ago. Is in the archives. You may use:

header RULE_NAME ALL =~ /\nTo: ([EMAIL PROTECTED]).+\nSubject:\s*Fw:
  

.{0,30}\s*\1\b/i


That covers "Fw: userid" and "Fw: (some word[s]) userid".

  

True, but that's using () and \1, which is exactly what Jonathan said he
did not
want to use.

So you can do it that way, but you'll suffer the performance penalty of a
multi-line regex with backreferences.

The only *efficient* way to do it is to write a plugin.

  
  

  





Re: encoded spam that got thru

2006-03-13 Thread Steve Thomas
> Without being able to decode that block of stuff myself and thus see what
> it says

It's a stock spam for some oil company.

Decoding anything base64 encoded is pretty easy if you have perl installed
somewhere:

cut
#!/usr/bin/perl

use MIME::Base64;
print decode_base64("");
cut
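
Why decoding has to happen before body patterns are applied, as an added example that is not part of the original post: the same two patterns are run against a base64 body as transmitted and again after transfer-decoding. The message, addresses and rule names are constructed and are not SpamAssassin or SARE rules.

```python
"""Matching body patterns before and after transfer-decoding.

Added example: the message, addresses and rule names are constructed and are
not SpamAssassin or SARE rules.
"""
import base64
import re
from email import message_from_string

BODY = "1 Week target price: $0.10\nHUGE news coming out, get in early!\n"  # constructed

# Hypothetical body patterns for the demonstration.
RULES = {
    "DEMO_TARGET_PRICE": re.compile(r"\btarget price\b", re.I),
    "DEMO_PENNY_QUOTE": re.compile(r"\$0\.\d\d\b"),
}


def build_message(body, encoding):
    """Return a raw text/plain message whose body uses the given transfer encoding."""
    if encoding == "base64":
        payload = base64.encodebytes(body.encode("ascii")).decode("ascii")
    else:
        payload = body
    return ("From: sender@example.com\n"
            "To: rcpt@example.net\n"
            "Subject: Focus Stock Alert\n"
            "MIME-Version: 1.0\n"
            "Content-Type: text/plain; charset=us-ascii\n"
            f"Content-Transfer-Encoding: {encoding}\n"
            "\n" + payload)


def text_bodies(raw, decode):
    """Yield each text part, either as transmitted or transfer-decoded."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and non-text attachments are skipped
        if decode:
            data = part.get_payload(decode=True) or b""
            yield data.decode(part.get_content_charset() or "ascii", errors="replace")
        else:
            yield part.get_payload()


def rule_hits(raw, decode):
    """Names of the demo rules that match the message's text parts."""
    text = "\n".join(text_bodies(raw, decode))
    return sorted(name for name, rx in RULES.items() if rx.search(text))


if __name__ == "__main__":
    for enc in ("7bit", "base64"):
        raw = build_message(BODY, enc)
        print(enc, "as sent:", rule_hits(raw, decode=False))
        print(enc, "decoded:", rule_hits(raw, decode=True))
```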




Re: encoded spam that got thru

2006-03-13 Thread Jeremy Fairbrass
Hi Eric,
The text there is encoded with base64, which is decoded into the "proper" 
text by the mail client. SpamAssassin will also decode it before running its 
rules against it, for "body" or "rawbody" rules, which means SpamAssassin 
will be able to filter it out whether the text was encoded with base64 or 
was sent as plain text.

Without being able to decode that block of stuff myself and thus see what it 
says, I'd suggest firstly making sure you're using the URIBL/SURBL network 
checks (in case this spam had any web links in it), and also use the SARE 
stock rules at http://www.rulesemporium.com/rules.htm#stocks (you might find 
the other rules on that page useful in general too).

Cheers,
Jeremy


"Eric W. Bates" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
>I don't even understand how the following message works (let alone how
> to block it).
>
> It simply has a chunk of what looks like encoded binary; and yet,
> thunderbird renders it as a stock announcement (as I write this, I
> wonder whether the good readers of this list are likely to the ascii
> block, or the rendered version?  view source for me please).  The
> header: "Content-Transfer-Encoding: base64" should probably give me a 
> clue.
>
> How do we filter out spam like this?  This got 0 hits.
>
> Thanks for your time.
>
> [snip]
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on 
> ace1.vineyard.net
> X-Spam-Level:
> X-Spam-Status: No, hits=0.0 required=5.0 tests=EMPTY_MESSAGE=,
> FM_NO_FROM_OR_TO=,FM_NO_TO=,MISSING_SUBJECT=,NO_RECEIVED=,TO_CC_NONE=
> bayes=0.5 autolearn=failed version=3.1.0
>
> [snip]
>
> From: "Roxie F. Hankins" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Focus Stock Alert
> Date: Sat, 11 Mar 2006 23:33:30 +
> MIME-Version: 1.0
> Content-Type: text/plain
> Content-Transfer-Encoding: base64
> X-Virus-Scanned: by AMaViS-ace1 at Vineyard.NET
>
>
>
> 
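
The point made in the reply above (a body rule only sees the text once the Content-Transfer-Encoding has been undone), as an added Python example that is not part of the original thread and is not SpamAssassin's code. The sample message, its addresses and the rule `STOCK_RULE` are constructed for illustration.

```python
import base64
import re
from email import message_from_bytes, policy

# Constructed sample (not the message from the thread): one text/plain part
# sent with Content-Transfer-Encoding: base64.
BODY_TEXT = "Hot stock alert!\r\nCurrently trading at: $0.02\r\nGet in early!\r\n"
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: Focus Stock Alert\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n" + base64.encodebytes(BODY_TEXT.encode("ascii")).replace(b"\n", b"\r\n")
)

# Hypothetical body rule, written for this example only.
STOCK_RULE = re.compile(r"currently\s+trading\s+at", re.I)


def raw_body(raw: bytes) -> str:
    """Everything after the header block, exactly as it travelled on the wire."""
    _, _, body = raw.partition(b"\r\n\r\n")
    return body.decode("ascii", "replace")


def decoded_text(raw: bytes) -> str:
    """Text of every text/* part after undoing its transfer encoding."""
    msg = message_from_bytes(raw, policy=policy.default)
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""  # base64/QP undone here
            charset = part.get_content_charset() or "us-ascii"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def rule_matches(raw: bytes) -> dict:
    """Run the same rule over the wire form and over the decoded form."""
    return {
        "wire": bool(STOCK_RULE.search(raw_body(raw))),
        "decoded": bool(STOCK_RULE.search(decoded_text(raw))),
    }
```
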





Re: whitelist_from_rcvd not working for me

2006-03-13 Thread JamesDR

James Long wrote:

James Long wrote:
In my SpamAssassin-3.1.0 (p5-Mail-SpamAssassin-3.1.0_6) local.cf, I 
use:



...
trusted_networks 127.0.0.0/8 65.75.198.48/28 63.105.30.37/32

^^

	Your IP for the ns.museum.rain.com comes back as 65.75.198.49, are you 
sure this is correct?


	I think what is happening here is sa isn't finding a local server, and 
gives up. My guess is that adding/changing that to .49 will help.


The first Received by statement is this (last server)
"by ns.museum.rain.com (8.13.4/8.13.4) with ESMTP id"

When doing a lookup this is what I get (your internal DNS may be diff.):
Name:ns.museum.rain.com
Address:  65.75.198.49

HTH
--
Thanks,
JamesDR


Thanks for your reply.

My understanding is that "65.75.198.48/28" means that all IPs in that subnet
will be trusted.  Your DNS server returns the correct IP for ns.museum.rain.com.
The /32 is another server at a colo site.  I trust that server.

Are you saying that ns.museum.rain.com's own IP should not be listed as a 
trusted
server?  Earlier advice I received from this list suggested that it should be.

Clarification appreciated.

Jim




Yeah, I missed the /28 ... Long weekend, need to reply to emails after 
plenty of sleep :-D


Sorry for the confusion.

--
Thanks,
James


encoded spam that got thru

2006-03-13 Thread Eric W. Bates
I don't even understand how the following message works (let alone how
to block it).

It simply has a chunk of what looks like encoded binary; and yet,
thunderbird renders it as a stock announcement (as I write this, I
wonder whether the good readers of this list are likely to the ascii
block, or the rendered version?  view source for me please).  The
header: "Content-Transfer-Encoding: base64" should probably give me a clue.

How do we filter out spam like this?  This got 0 hits.

Thanks for your time.

[snip]
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on ace1.vineyard.net
X-Spam-Level:
X-Spam-Status: No, hits=0.0 required=5.0 tests=EMPTY_MESSAGE=,
FM_NO_FROM_OR_TO=,FM_NO_TO=,MISSING_SUBJECT=,NO_RECEIVED=,TO_CC_NONE=
bayes=0.5 autolearn=failed version=3.1.0

[snip]

From: "Roxie F. Hankins" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Focus Stock Alert
Date: Sat, 11 Mar 2006 23:33:30 +
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: base64
X-Virus-Scanned: by AMaViS-ace1 at Vineyard.NET


No report Template Found

2006-03-13 Thread Pablo Allietti
Hi all, I upgraded my version of SpamAssassin on FreeBSD from 2.x to 3.x,
and now when an e-mail is detected as spam, I have this in the body of the
message:


[-- Attachment #1 --]   
  
[-- Type: text/plain, Encoding: 8bit, Size: 0.1K --]
  

(no report template found)


and no scores are shown.

Am I missing a file?


-- 


.-
Pablo Allietti


FP with MSGID_DOLLARS_RANDOM

2006-03-13 Thread Dhawal Doshy

Hello,

The following Message ID causes a '+3.78' (bayes+network) score for 
hitting a meta rule MSGID_DOLLARS_RANDOM, SA Version 3.1.x


 Message-ID: <[EMAIL PROTECTED]>
 X-Mailer: Intrapop 1.4 SMTP Component 1.0

It is a regular mail and the sender appears to be using a mailserver 
developed by cyberoam.com


Should I be raising an issue with bugzilla? I could provide more details 
as required.


thanks,
- dhawal




sa-learn in 3.1.1

2006-03-13 Thread Cedric Foll
Hi,

I've a question about sa-learn which has been included in 3.1.1.

sa-learn by default installs rules in
/var/lib/spamassassin/3.001001/updates_spamassassin_org/.
I wonder why it doesn't copy them into /usr/share/spamassassin/ ?
Is it for safety reasons (i.e. to avoid automatic use of new rules)?

Are we supposed to do a
"cp /var/lib/spamassassin/3.001001/updates_spamassassin_org/
/usr/share/spamassassin/" after update ?

/var/lib seems to be the content of the "__local_state_dir__".
What's that ?


Regards.

-- 
Cedric Foll
Security & Network Engineer
IT Division, Rectorat de Rouen

"If you think technology can solve your security problems,
then you don't understand the problems
and you don't understand the technology."
Bruce Schneier


Re: Via HTTP??

2006-03-13 Thread Duncan Hill
On Saturday 11 March 2006 04:25, NW7US, Tomas wrote:

> My scripts are really buttoned down, those that I have written myself.
> The perl scripts do use the CGI code, latest.  And I do my own regex
> stuff.  I'll double-check my tests.  I just don't yet see how the messages
> are getting through.  If I could figure out what script... I've got to
> figure out some way to audit...

If you've got hosted domains,   grep -r 'mail(' /path/to/webroots   :)  It'll 
at least give you a starting list of scripts that use mail().

Then, using that list of scripts, build a script that can check your web 
server access logs - either in real time or post-mortem.  Cross reference the 
header injection times with the results from the log search and you'll have a 
rough idea of which scripts were responsible.
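
The cross-referencing step described above, as an added Python example that is not part of the original post: it takes the script list from the grep, parses access-log lines, and counts requests to those scripts made shortly before an injected message was sent. The script paths, log lines (combined log format is assumed), injection time and 30-second window are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed inputs: scripts found by the grep for mail(, sample access-log
# lines, and the send time of one injected message taken from its headers.
MAIL_SCRIPTS = {"/contact.php", "/cgi-bin/feedback.pl"}
ACCESS_LOG = """\
192.0.2.10 - - [11/Mar/2006:04:19:58 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2006:04:20:03 +0000] "POST /contact.php HTTP/1.0" 200 311 "-" "-"
198.51.100.7 - - [11/Mar/2006:04:20:04 +0000] "POST /contact.php?x=1 HTTP/1.0" 200 311 "-" "-"
203.0.113.5 - - [11/Mar/2006:09:45:12 +0000] "POST /cgi-bin/feedback.pl HTTP/1.1" 200 902 "-" "Mozilla/5.0"
"""
INJECTION_TIMES = [datetime.strptime("11/Mar/2006:04:20:05 +0000", TS_FORMAT)]

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def parse(line):
    """Return (client, time, method, path), or None for a line that does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(2), TS_FORMAT)
    path = m.group(4).split("?", 1)[0]  # compare on the script path only
    return m.group(1), when, m.group(3), path


def suspects(log_text, scripts, times, window=timedelta(seconds=30)):
    """Count requests to mail()-using scripts made within `window` before an injection."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[3] not in scripts:
            continue
        client, when, _method, path = rec
        if any(timedelta(0) <= t - when <= window for t in times):
            hits[(path, client)] = hits.get((path, client), 0) + 1
    return hits
```
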