Re: SUBJ_ILLEGAL_CHARS

[Philip Prindeville]

Милен Панков wrote:
> Matt Kettler написа:
>>Realistically, you have two options:
>>
>>  1) tell the sender their client isn't properly QP encoding Bulgarian 
>> text in
>>the subject headers.
>>  2) accept that many email clients don't properly handle Bulgarian text, 
>> and
>>disable this rule by adding "score SUBJ_ILLEGAL_CHARS 0" to your local.cf.
>>
> 
> 
> Well this happens mostly when we receive mail from some webmails for 
> example Yahoo, so I'm stuck with the second option, which I'm already using.
> 
> Thanks,
> Milen


It's an issue, to be sure.  And people need to be edumacated.

I recently pointed out to the IT department at Dice.com that they were sending
out malformed Date: lines that were causing their emails to trigger against
ILLEGAL_DATE...  which most mailers manage to get right, so it's a fairly good
indicator of spam and can be safely cranked way up.

In fact, I pointed out chapter and verse from RFC-2821 where they were going
wrong, and how to fix it (by padding the hour out with a leading zero before
10am).

They told me they appreciated my "suggestion".

I reminded them that it wasn't a suggestion, it was a conclusive documentation
of where they were failing to conform to a 25 year-old specification that is,
in fact, trivial... all things considered.   I mean it's not X.400, right?  ;-)

Have they fixed it?

Not the last time I checked.

You'd think that given the nature of what they do, they'd have their pick of
the crop for good IT and messaging people.

Guess not.

Kind of makes me think twice about posting my resume with them.  :-(

-Philip

headers creeping into message body after upgrade to 3.1.1

[Carl Brewer]

Hello,

I just upgraded to 3.1.1 on a NetBSD box via pkgsrc, and
am using sendmail 8.13.5 with spamass-milter 0.3.0, and sendmail
is configured to use cyrus imapd as its local delivery agent.

Since I upgraded, I'm seeing bits of the X-Spam-Header message
in my mail bodies, like this :

To: Carl Brewer <[EMAIL PROTECTED]>
Subject: Re: boing 2
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV version 0.88, clamav-milter version 0.87 on 
rollcage2.bl.echidna.id.au

X-Virus-Status: Clean
X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,BAYES_00

autolearn=ham version=3.1.1
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
rollcage2.bl.echidna.id.au


It looks like sometimes spamassassin (or spamass-milter?) is
adding a cr/lf in the X-Spam-Status header, which makes it
leak out into the body of the mail. This wasn't happening with 3.0,
and is new behaviour with 3.1.1.

my config dir contains the following rulesets :

-rw-r--r--  1 root  wheel  15311 Mar 15 18:38 72_sare_redirect_post3.0.0.cf
-rw-r--r--  1 root  wheel   1059 Mar 15 00:41 init.pre
-rw-r--r--  1 root  wheel642 Mar 15 18:30 local.cf
-rwxr-xr-x  1 root  wheel   1642 Mar 15 18:37 update.pl
-rw-r--r--  1 root  wheel   1869 Mar 15 00:41 user_prefs.template
-rw-r--r--  1 root  wheel   2398 Jan 11 09:42 v310.pre



spamass-milter and spamd are running as follows :

root 5861  0.0  2.1 21756 21860 ?  I 6:38PM  0:01.81 perl: 
spamd child
root 7658  0.0  2.0 20012 21444 ?  Ss6:38PM  0:01.81 
/usr/pkg/bin/perl -T -w /usr/pkg/bin/spamd -H -c -d -r /var/run/spamd.pid
root13207  0.0  0.0  2272  1132 ?  IWsa  9:54AM  0:02.96 
/usr/pkg/sbin/spamass-milter -u nobody -r -1 -p /var/run/spamass.sock -f
root15359  0.0  0.7 20012  7408 ?  I 6:38PM  0:00.01 perl: 
spamd child



I've tried a number of things in local.cf :

score SPF_HELO_FAIL 10.000
report_safe 0
remove_header all X-Spam-Status

But this hasn't removed the header or fixed the leak into the
message body.

Any suggestions?

Thanks!

Carl

Re: SUBJ_ILLEGAL_CHARS

[Милен Панков]

Matt Kettler написа:


Милен Панков wrote:

Hi to all,

I'm using spamassassin for years without any serious problems.


First: In my answer's I'm assuming you are running 3.1.0 or higher. If you
aren't please specify your version.


Yes, it's 3.1.0, sorry




Except for one. My users write messages mostly in bulgarian and the
'SUBJ_ILLEGAL_CHARS' rule very often stops good mail.
I have put in my local.cf the line 'ok_languages bg en', but it doesn't
fix the problem. 


No, if anything that will make your problem WORSE. The default here is "all". By
declaring an ok_languages you're limiting the number of acceptable languages.

Also note: this won't do anything at all unless you've got the textcat plugin
loaded in your v310.pre



Ok. I'll have that in mind.


For now I made this rule not giving any scores and this

temporary fixes the problem. My question is how can I make it work
without disabling it. I may be need to say to spamassassin not to check
for specific encodings. For example there are at least 4 encodings my
users use for writing/receiving mail (Windows-1251, KOI8-R, KOI8-U,
UTF-8). How can I do that?


Note that SUBJ_ILLEGAL_CHARS is NOT concerned with what language or character
set is used. It is concerned about it not being encoded properly.

Per RFC specifications, all characters in email-headers that aren't in the
normal ascii ranges must be QP encoded. This rule is essentially detecting that
the sender used extended range character sets, but their email client neglected
to properly QP encode it.

Realistically, you have two options:

1) tell the sender their client isn't properly QP encoding Bulgarian 
text in
the subject headers.
2) accept that many email clients don't properly handle Bulgarian text, 
and
disable this rule by adding "score SUBJ_ILLEGAL_CHARS 0" to your local.cf.



Well this happens mostly when we receive mail from some webmails for 
example Yahoo, so I'm stuck with the second option, which I'm already using.


Thanks,
Milen

Re: Is this header stuff right? Ver 3.1.1

[[EMAIL PROTECTED]]

Thank you Theo!
 
 I will put it online and sleep somewhat better tonight. :)

Theo Van Dinter wrote:

  On Tue, Mar 14, 2006 at 08:01:53PM -0700, [EMAIL PROTECTED] wrote:
  
  
I have noticed that the headers in the non-spam messages seem different 
from what I remember.  In short, it seems that the spam stuff inserted 
from SA are at the top of the header in non-spam messages, but where I 
remember them being in the ones found as spam.

***  This is a non spam message with Spam stuff at top.

Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on as3.allspeed.us
X-Spam-Level:
X-Spam-Status: No, score=-2.3 required=9.0 tests=AWL,BAYES_00
autolearn=unavailable version=3.1.1

  
  
headers get added to the top (as of 3.1.0), so that's fine.

  
  
*** This is a spam with the header stuff more in line with what I remember.

Received: from localhost by as3.allspeed.us
with SpamAssassin (version 3.1.1);
Tue, 14 Mar 2006 19:44:48 -0700

  
  
you're using report_safe so the entire message is generated, including
the original as an attachment.  since SA is generating the headers of
this new message, it just puts the X-Spam-* bits wherever it feels like.


hope this helps. :)

  

Re: Is this header stuff right? Ver 3.1.1

[Theo Van Dinter]

On Tue, Mar 14, 2006 at 08:01:53PM -0700, [EMAIL PROTECTED] wrote:
> I have noticed that the headers in the non-spam messages seem different 
> from what I remember.  In short, it seems that the spam stuff inserted 
> from SA are at the top of the header in non-spam messages, but where I 
> remember them being in the ones found as spam.
> 
> ***  This is a non spam message with Spam stuff at top.
> 
> Return-Path: <[EMAIL PROTECTED]>
> X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on as3.allspeed.us
> X-Spam-Level:
> X-Spam-Status: No, score=-2.3 required=9.0 tests=AWL,BAYES_00
> autolearn=unavailable version=3.1.1

headers get added to the top (as of 3.1.0), so that's fine.

> *** This is a spam with the header stuff more in line with what I remember.
> 
> Received: from localhost by as3.allspeed.us
> with SpamAssassin (version 3.1.1);
> Tue, 14 Mar 2006 19:44:48 -0700

you're using report_safe so the entire message is generated, including
the original as an attachment.  since SA is generating the headers of
this new message, it just puts the X-Spam-* bits wherever it feels like.


hope this helps. :)

-- 
Randomly Generated Tagline:
Crime is merely politics without the excuses.


pgpe6CTOWvm3K.pgp
Description: PGP signature

Is this header stuff right? Ver 3.1.1

[[EMAIL PROTECTED]]

Hi All,

I just upgraded to ver 3.1.1 and after the CRLF problems I had with 
3.1.0 I am somewhat paranoid.


I have noticed that the headers in the non-spam messages seem different 
from what I remember.  In short, it seems that the spam stuff inserted 
from SA are at the top of the header in non-spam messages, but where I 
remember them being in the ones found as spam.


Is this a problem, and can anyone tell me why they would be different? 
P.S.  This is running under Windows 2000 and Perl 5.8.8.


I have copied the header info from the test messages included in the 
distribution.  Thank you in advance for any insight.  - John Winters




***  This is a non spam message with Spam stuff at top.

Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on as3.allspeed.us
X-Spam-Level:
X-Spam-Status: No, score=-2.3 required=9.0 tests=AWL,BAYES_00
autolearn=unavailable version=3.1.1
Delivered-To: [EMAIL PROTECTED]
Received: from europe.std.com (europe.std.com [199.172.62.20])
by mail.netnoteinc.com (Postfix) with ESMTP id 392E1114061
   for <[EMAIL PROTECTED]>; Fri, 20 Apr 2001 21:34:46 + (Eire)
  *** snip more received ***
Mime-Version: 1.0
Message-Id: <[EMAIL PROTECTED]>
Date: Fri, 20 Apr 2001 16:59:58 -0400
To: [EMAIL PROTECTED]
From: Keith Dawson <[EMAIL PROTECTED]>
Subject: TBTF ping for 2001-04-20: Reviving
Content-Type: text/plain; charset="us-ascii"

*** This is a spam with the header stuff more in line with what I remember.

Received: from localhost by as3.allspeed.us
with SpamAssassin (version 3.1.1);
Tue, 14 Mar 2006 19:44:48 -0700
From: Sender <[EMAIL PROTECTED]>
To: Recipient <[EMAIL PROTECTED]>
Subject: Test spam mail (GTUBE)
Date: Wed, 23 Jul 2003 23:30:00 +0200
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on as3.allspeed.us
X-Spam-Level: **
X-Spam-Status: Yes, score=998.0 required=9.0 tests=AWL,BAYES_00,GTUBE,
NO_RECEIVED,NO_RELAYS autolearn=no version=3.1.1
MIME-Version: 1.0

Re: Tasks run as root in SpamAssassin 3.1.0

[Theo Van Dinter]

On Tue, Mar 14, 2006 at 05:45:44PM -0500, Brett Smith wrote:
> I found the rationale for this at
> , and it makes
> plenty of sense.  I was wondering if it'd be possible to get a rough
> outline of what tasks spamd runs as root, however, so I can look for areas
> where we might want to look at hardening security.  I'd appreciate any
> information you can provide about this.

Here's the things I can think of off-hand.  I'm sure others will chip in with
their thoughts.

spamd is designed to really not do a lot in the parent (which runs as
root), and farm processing and such out to the children (which setuid()
to the appropriate user).

- setup for listening to incoming connections (get the port, etc.)
- spawn and kill children as appropriate
- contact children to accept incoming connections
- accept connection and figure out enough to setuid to appropriate user
  (assuming -u isn't used)
- write PID file
- setup logging
- send an internally generated message through the modules to prep
  everything pre-fork() of children.
- handle SIGHUP to restart

-- 
Randomly Generated Tagline:
"CS...  You guys are hopeless anyway..."  - Prof. Farr


pgpvxtUi80B9w.pgp
Description: PGP signature

Re: Tasks run as root in SpamAssassin 3.1.0

[Matt Kettler]

Brett Smith wrote:
> Hello,
> 
> I run a SpamAssassin installation where we run spamd system-wide under a
> dedicated account, and users filter their mail with spamc.  When we
> upgraded to 3.1.0, we noticed that a spamd process always runs as root
> now.

The should only be root when idle. They should setuid when the go to scan mail.

Tasks run as root in SpamAssassin 3.1.0

[Brett Smith]

Hello,

I run a SpamAssassin installation where we run spamd system-wide under a
dedicated account, and users filter their mail with spamc.  When we
upgraded to 3.1.0, we noticed that a spamd process always runs as root
now.

I found the rationale for this at
, and it makes
plenty of sense.  I was wondering if it'd be possible to get a rough
outline of what tasks spamd runs as root, however, so I can look for areas
where we might want to look at hardening security.  I'd appreciate any
information you can provide about this.

Thanks in advance,

-- Brett Smith

RE: Received-SPF header.

[Matthew.van.Eerde]

Xavier Sudre wrote:
> I read that an SPF aware smtp server should introduce the Received-SPF
> header in the email headers.

There are patches for Postfix to support SPF... for example:
http://www.ipnet6.org/postfix/spf/

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer

RE: Received-SPF header.

[Matthew.van.Eerde]

Xavier Sudre wrote:
> Is there a way to get spamassassin record a Recevied-SPF header in the
> email headers?

Only MTAs can add headers.

Received-SPF header.

[Xavier Sudre]

Hi there!

I have spamassassin running on a server and I added SPF at that level.
I read that an SPF aware smtp server should introduce the Received-SPF 
header in the email headers. As I said I have implemented SPF at 
spamassassin level only, not at the MTA level and this mainly for the 
simple reason that I do not want to check the same thing twice.


Is there a way to get spamassassin record a Recevied-SPF header in the 
email headers?


Thanks,

Xavier.

--
Xavier Sudre
Homepage: http://xavier.sudre.fr/
Email:[EMAIL PROTECTED]
GPG key:  http://xavier.sudre.fr/gpg/xavier.asc

 Confidentiality NOTICE 

This Communication is ONLY for the person named above. Unless otherwise
indicated, it contains information that is confidential, privileged or
exempt from disclosure under applicable law. If you are not the person
named above, or responsible for delivering it to that person, be aware
that disclosure, copying, distribution or use of this communication is
strictly PROHIBITED.

Any windows users try the new Active Perl with SA?

[[EMAIL PROTECTED]]

Hi,

I am wondering if anyone running Windows and SA has tried the new 
ActivePerl with 3.1.1?

Re: SUBJ_ILLEGAL_CHARS

[Matt Kettler]

Милен Панков wrote:
> Hi to all,
> 
> I'm using spamassassin for years without any serious problems.

First: In my answer's I'm assuming you are running 3.1.0 or higher. If you
aren't please specify your version.

> Except for one. My users write messages mostly in bulgarian and the
> 'SUBJ_ILLEGAL_CHARS' rule very often stops good mail.
> I have put in my local.cf the line 'ok_languages bg en', but it doesn't
> fix the problem. 

No, if anything that will make your problem WORSE. The default here is "all". By
declaring an ok_languages you're limiting the number of acceptable languages.

Also note: this won't do anything at all unless you've got the textcat plugin
loaded in your v310.pre

For now I made this rule not giving any scores and this
> temporary fixes the problem. My question is how can I make it work
> without disabling it. I may be need to say to spamassassin not to check
> for specific encodings. For example there are at least 4 encodings my
> users use for writing/receiving mail (Windows-1251, KOI8-R, KOI8-U,
> UTF-8). How can I do that?

Note that SUBJ_ILLEGAL_CHARS is NOT concerned with what language or character
set is used. It is concerned about it not being encoded properly.

Per RFC specifications, all characters in email-headers that aren't in the
normal ascii ranges must be QP encoded. This rule is essentially detecting that
the sender used extended range character sets, but their email client neglected
to properly QP encode it.

Realistically, you have two options:

1) tell the sender their client isn't properly QP encoding Bulgarian 
text in
the subject headers.
2) accept that many email clients don't properly handle Bulgarian text, 
and
disable this rule by adding "score SUBJ_ILLEGAL_CHARS 0" to your local.cf.

Re: Can SA tag addresses seen for the first time?

[Theo Van Dinter]

On Tue, Mar 14, 2006 at 11:22:55AM -0500, [EMAIL PROTECTED] wrote:
> based on MySQL-stored preferences.  For each email coming in, I would like
> SpamAssassin to check the database for $WHITELISTED or $BLACKLISTED email
> addresses and tag the email as ${UNSEEN} if it is a newly seen address.
> 
> Is SA able to perform this task?  Are there any other known projects that
> would be able to perform this job?

You could pretty easily write a plugin for it.

-- 
Randomly Generated Tagline:
I am Beldar of Borg. We will assimilate mass quantities.


pgpw1MXOFTh2o.pgp
Description: PGP signature

Can SA tag addresses seen for the first time?

[spamassassin]

Hello list:

This is the challenge I face.  I would like to be able to filter emails
based on MySQL-stored preferences.  For each email coming in, I would like
SpamAssassin to check the database for $WHITELISTED or $BLACKLISTED email
addresses and tag the email as ${UNSEEN} if it is a newly seen address.

Is SA able to perform this task?  Are there any other known projects that
would be able to perform this job?

Thanks,
Ron

Re: CheapTickets newsletter triggering SARE_BAYES plus others

[David Landgren]

Chris Purves wrote:

Loren Wilton wrote:


The other rule is looking for a really standard spammer trick:
.


Interesting.  How is this helpful to spammers?


Indeed. This used to crop up regularly in MS-Frontpage circa 1998 when 
people added and then removed markup. Dunno if that is still the case. I 
suspect many HTML editing tools will leave cruft like this lying around.


So some legitimate HTML e-mail (I know, contradiction in terms) is 
likely to suffer.


David
--
"It's overkill of course, but you can never have too much overkill."

RE: Drug email keeps getting thru

[Tracey Gates]

I have URIBL lookups enabled.  I have also increased my score in
mangled.cf.  I have posted the email that I'm receiving at
www.yoursummit.com/pharmNews.html if you'd like to view the actual email
content.  Below is the header of the latest email that I've gotten.  The
names of the drugs are in blue and the dollar amounts are in red along.
I'm still at a loss as to what I need to do to get these stopped.

Here is the output of doing the "spamassassin --lint -D":

debug: config: read file /etc/mail/spamassassin/25_uribl.cf

debug: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
debug: plugin: registered
Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa96f558)
debug: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
debug: plugin: registered
Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa95afa4)
debug: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
debug: plugin: registered
Mail::SpamAssassin::Plugin::SPF=HASH(0xa95c66c)
debug: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xa96f558)
implements '
parse_config'
debug: plugin: Mail::SpamAssassin::Plugin::Hashcash=HASH(0xa95afa4)
implements '
parse_config'


Here is the Header info:

Received: by yoursummit.com (CommuniGate Pro PIPE 4.3.8)
 with PIPE id 2829044; Tue, 14 Mar 2006 04:05:46 -0600
Received: from [81.104.204.233] (HELO gcsincorp.com)
 by yoursummit.com (CommuniGate Pro SMTP 4.3.8)
 with SMTP id 2829043
 for [EMAIL PROTECTED]; Tue, 14 Mar 2006 04:05:38 -0600
Subject: Re: PhaPOramacy news
Date: Tue, 14 Mar 2006 04:04:55 -0600
Message-Id: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Thread-Topic: PhaPOramacy news
Priority: Normal
Importance: normal
X-MSMail-Priority: normal
X-Priority: 3
Sensitivity: Normal
From: "Kanta Bramblett" <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
X-Real-To: "Tracey Gates" <[EMAIL PROTECTED]>
X-Mailer: CommuniGate Pro MAPI Connector 1.1.22
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
yoursummit.com
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=3.5 tests=BAYES_40,FM_NO_STYLE,
HTML_80_90,HTML_MESSAGE autolearn=no version=3.0.2
X-TFF-CGPSA-Version: 1.4
X-TFF-CGPSA-Filter: Scanned
Content-Type: multipart/alternative;
boundary="_=_NextPart_11254_00012994.4466"




Tracey Gates
Lead Developer
[EMAIL PROTECTED]

1350 South Boulder, Third Floor / Tulsa, OK 74119-3203
Phone 918-663-0991 / Fax 918-663-0840

This communication is intended only for the recipient(s) named above;
may be confidential and/or legally privileged; and, must be treated as
such in accordance with state and federal laws. If you are not the
intended recipient, you are hereby notified that any use of this
communication, or any of its contents, is prohibited. If you have
received this communication in error, please reply to the sender and
then delete the message from your computer system immediately.



-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 08, 2006 12:01 PM
To: Tracey Gates
Cc: users@spamassassin.apache.org
Subject: Re: Drug email keeps getting thru


On Wed, Mar 08, 2006 at 11:47:49AM -0600, Tracey Gates wrote:
> Here is a list of the rulesets that I'm using:
>
> 70_sare_adult.cf 70_sare_unsub.cf
> 70_sare_bayes_poison_nxm.cf  70_sare_uri0.cf
[...]
>
> How do I tell if I have URIBL lookups enabled?

Those are the third party rules that you have enabled, URIBL is part of
the standard (assuming 3.0 or later) set of rules.  They are enabled by
default if you allow network tests to be run (ie: not local-only mode),
and you'd see rule results similar to URIBL_JP_SURBL or URIBL_BLACK (if
you added in rules to use the uribl.com lists).

In general, if you run in debug mode (ala: spamassassin --lint -D),
you'll see a list of all the config files in use as well as which
plugins are loading.  Make sure that 25_uribl.cf is being read and that
the URIDNSBL plugin is loaded, ala:

[21549] dbg: config: read file /usr/share/spamassassin/25_uribl.cf
[...]
[21549] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from
@INC [21549] dbg: plugin: registered
Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x845f20)

--
Randomly Generated Tagline:
Monday is a bad way to spend 1/7 of your life.

Re: error after upgraded to 3.11

[Mike Jackson]

> You have an older version of the stock rules.  Doc fixed this
> one a week or two ago, since we knew it was going to come up.

Weird. rules_du_jour did not grab the newer version.


I had the same issue. I deleted the stock ruleset, ran rules_du_jour again, 
and everything was fine.



Obvious things to check are:

(1) Is "SARE_STOCKS" included as a trusted ruleset in
   /etc/rulesdujour/config ?


Yes.


(2) Is your copy of rules_du_jour up to date ?  rules_du_jour will
   update to later versions but *won't* install the new version as
   the production version.


Yes - same file in the RDJ download directory and in /usr/local/bin. The 
only thing I can think of is that it's not really running from cron for some 
reason - I don't recall seeing the report messages, but there's no 
indication of problems in the logs. Hmm. 

Re: X-Spam-Status settings

[Shane Mullins]

Yes,

   That is what I was looking for.  


Thanks

Shane

- Original Message - 
From: "Bowie Bailey" <[EMAIL PROTECTED]>

To: 
Sent: Monday, March 13, 2006 3:44 PM
Subject: RE: X-Spam-Status settings



Steven Manross wrote:

_TESTSSCORES(,)_

From: Shane Mullins [mailto:[EMAIL PROTECTED]

> I have forgotten the setting that tells SA to include the point
> value for each of the hits the incoming message was flagged on.  I
> searched the web and looked in my book, but can't seem to find it.
> Could someone please jog my memory?


Or were you looking for the X-Spam-Report header?

   add_header all Report _REPORT_

--
Bowie

SUBJ_ILLEGAL_CHARS

[Милен Панков]

Hi to all,

I'm using spamassassin for years without any serious problems.
Except for one. My users write messages mostly in bulgarian and the 
'SUBJ_ILLEGAL_CHARS' rule very often stops good mail.
I have put in my local.cf the line 'ok_languages bg en', but it doesn't fix 
the problem. For now I made this rule not giving any scores and this 
temporary fixes the problem. My question is how can I make it work without 
disabling it. I may be need to say to spamassassin not to check for 
specific encodings. For example there are at least 4 encodings my users use 
for writing/receiving mail (Windows-1251, KOI8-R, KOI8-U, UTF-8). How can I 
do that?


Milen

Re: more pharmacy woes

[Payal Rathod]

On Sat, Mar 11, 2006 at 06:40:35PM +0530, Dhawal Doshy wrote:
> For URIBL, see http://www.uribl.com/usage.shtml OR add this to your 
> local.cf

I am getting an error which say,
2006-03-14_10:47:27.97266 2006-03-14 10:47:27 [17977] i: server killed 
by SIGTERM, shutting down
2006-03-14_10:47:35.61742 Failed to run URIBL_GREY SpamAssassin test, 
skipping:
2006-03-14_10:47:35.61747   (Can't locate object method 
"check_uridnsbl" via package "Mail::SpamAssassin::PerMsgStatus" at 
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 
2312.
2006-03-14_10:47:35.61748 )
2006-03-14_10:47:35.61775 Failed to run URIBL_BLACK SpamAssassin test, 
skipping:
2006-03-14_10:47:35.61776   (Can't locate object method 
"check_uridnsbl" via package "Mail::SpamAssassin::PerMsgStatus" at 
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 
2312.

We are trying it on a friend's server at,
# spamassassin --version
SpamAssassin version 3.0.2
  running on Perl version 5.8.5

With warm regards,
-Payal


> 
> urirhssub   URIBL_BLACK  multi.uribl.com.A   2
> bodyURIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
> describeURIBL_BLACK  Contains an URL listed in the URIBL blacklist
> tflags  URIBL_BLACK  net
> score   URIBL_BLACK  3.0
> 
> urirhssub   URIBL_GREY  multi.uribl.com.A   4
> bodyURIBL_GREY  eval:check_uridnsbl('URIBL_GREY')
> describeURIBL_GREY  Contains an URL listed in the URIBL greylist
> tflags  URIBL_GREY  net
> score   URIBL_GREY  0.25
> 
> >>Also the pasted spam originates from a korean IP address.. you could 
> >>try scoring mails from korea a bit more.. using either 
> >>countries.nerds.dk OR korea.services.net
> >
> >Which file do I put it exactly?
> 
> Add something like this to your local.cf
> # This part will add +2.0 for mail from korea
> headerX_KOREAN_RELAY  eval:check_rbl('relay','korea.services.net.')
> describe  X_KOREAN_RELAY  Received via a relay in Korea
> score X_KOREAN_RELAY  2.0
> 
> >>Finally, get around to training your bayesian database to 200 or more 
> >>spam and ham mails each..
> >
> >We have trained 40,000+  of each.
> 
> That ought to be good enough for a start..
> 
> Do a lint test 'spamassassin -D --lint' before you make your changes 
> production.
> 
> Hope that helps,
> - dhawal
> 
> >With warm regards,
> >-Payal
> 
> -- 
>  CAUTION - Disclaimer *
> This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely
> for the use of the addressee(s). If you are not the intended recipient, 
> please
> notify the sender by e-mail and delete the original message. Further, you 
> are
> not to copy, disclose, or distribute this e-mail or its contents to any 
> other
> person and any such actions are unlawful. This e-mail may contain viruses.
> NetMagic Solutions Pvt. Ltd. has taken every reasonable precaution to 
> minimize
> this risk, but is not liable for any damage you may sustain as a result of 
> any
> virus in this e-mail. You should carry out your own virus checks before
> opening the e-mail or attachment. NetMagic Solutions Pvt. Ltd. reserves the
> right to monitor and review the content of all messages sent to or from this
> e-mail address.
> 
> Messages sent to or from this e-mail address may be stored on the NetMagic
> Solutions Pvt. Ltd.'s e-mail system.
> * End of Disclaimer ***
> 

Re: FP with MSGID_DOLLARS_RANDOM

[Dhawal Doshy]

Dhawal Doshy wrote:

Hello,

The following Message ID causes a '+3.78' (bayes+network) score for 
hitting a meta rule MSGID_DOLLARS_RANDOM, SA Version 3.1.x


 Message-ID: <[EMAIL PROTECTED]>
 X-Mailer: Intrapop 1.4 SMTP Component 1.0

It is a regular mail and the sender appears to be using a mailserver 
developed by cyberoam.com


Should i be raising an issue with bugzilla? i could provide more details 
as required..


How do i take this forward?

- dhawal

--
 CAUTION - Disclaimer *
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely
for the use of the addressee(s). If you are not the intended recipient, please
notify the sender by e-mail and delete the original message. Further, you are
not to copy, disclose, or distribute this e-mail or its contents to any other
person and any such actions are unlawful. This e-mail may contain viruses.
NetMagic Solutions Pvt. Ltd. has taken every reasonable precaution to minimize
this risk, but is not liable for any damage you may sustain as a result of any
virus in this e-mail. You should carry out your own virus checks before
opening the e-mail or attachment. NetMagic Solutions Pvt. Ltd. reserves the
right to monitor and review the content of all messages sent to or from this
e-mail address.

Messages sent to or from this e-mail address may be stored on the NetMagic
Solutions Pvt. Ltd.'s e-mail system.
* End of Disclaimer ***

Re: error after upgraded to 3.11

[Dennis Davis]

On Tue, 14 Mar 2006, Spamassassin List wrote:

> From: Spamassassin List <[EMAIL PROTECTED]>
> To: Loren Wilton <[EMAIL PROTECTED]>, users@spamassassin.apache.org
> Date: Tue, 14 Mar 2006 14:21:12 +0800
> Subject: Re: error after upgraded to 3.11
> 
> > You have an older version of the stock rules.  Doc fixed this
> > one a week or two ago, since we knew it was going to come up.
>
> Weird. rules_du_jour did not grab the newer version.

Obvious things to check are:

(1) Is "SARE_STOCKS" included as a trusted ruleset in
/etc/rulesdujour/config ?

(2) Is your copy of rules_du_jour up to date ?  rules_du_jour will
update to later versions but *won't* install the new version as
the production version.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101