Re: pager.icq.com spam storm :(

2006-03-24 Thread Yousef Raffah
On Sat, 2006-03-25 at 01:09 -0500, Matt Kettler wrote:
> Yousef Raffah wrote:
> > Hello Everyone,
> >
> > I've been under a spam storm for the last two days and most of the
> > messages I get are similar to the one below, message for
> > [EMAIL PROTECTED], I really don't understand how come I'm receiving
> > such messages! Can someone help me prevent these messages?
> >   
> 
> Do you have an ICQ account?
> 
No, I don't have an account, plus, I'm not supposed to receive ICQ
messages! I'm not familiar with ICQ these days but does this state that
I have some users using ICQ pagers and should do your "Spam Control"
settings in their ICQ client? On the other hand, how can I block these
messages on the MTA (Postfix 2.3) level?

> If so, fire up ICQ, and go to the "main"->"security and privacy
> permissions"->"Spam Control"
> 
> Turn on "Do not accept World Wide Pager Messages". I'd also suggest
> turning on or considering turning on most things in this dialog.
> 

Sincerely,
Yousef Raffah
Senior Systems Administrator
SSIS - The Savola Group

--
Aren't you using Firefox? Get it at getfirefox.com
yousef.raffah.com




Re: pager.icq.com spam storm :(

2006-03-24 Thread Matt Kettler
Yousef Raffah wrote:
> Hello Everyone,
>
> I've been under a spam storm for the last two days and most of the
> messages I get are similar to the one below, message for
> [EMAIL PROTECTED], I really don't understand how come I'm receiving
> such messages! Can someone help me prevent these messages?
>   

Do you have an ICQ account?

If so, fire up ICQ, and go to the "main"->"security and privacy
permissions"->"Spam Control"

Turn on "Do not accept World Wide Pager Messages". I'd also suggest
turning on or considering turning on most things in this dialog.



pager.icq.com spam storm :(

2006-03-24 Thread Yousef Raffah
Hello Everyone,

I've been under a spam storm for the last two days and most of the
messages I get are similar to the one below, message for
[EMAIL PROTECTED], I really don't understand how come I'm receiving
such messages! Can someone help me prevent these messages?

Return-Path: <>
Received: from 10.0.0.4 by ocs.savola.com with ESMTP id
50091021143204306; Fri, 24 Mar 2006 15:45:06 +0300
Received: from kansai.savoladns.com ([10.0.0.3]) by Savola_Proxy2 with
InterScan Messaging Security Suite; Fri, 24 Mar 2006 16:07:03 +0300
X-Envelope-From: <[EMAIL PROTECTED]>
X-Envelope-To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
X-Quarantine-Id: 
Received: from 54156D58 (localhost [127.0.0.1]) by kansai.savoladns.com
(Postfix) with SMTP id 2AE131020D; Fri, 24 Mar 2006 15:56:34 +0300 (AST)
X-Apparently-To: [EMAIL PROTECTED] via dress.prima.com; Fri, 24 Mar
2006 07:55:04 -0500
Received: from skin  (HELO pencil.prima.com) by small.prima.com with
SMTP; Fri, 24 Mar 2006 18:47:04 +0600
Date: Fri, 24 Mar 2006 04:55:04 -0800  (15:55 AST)
From: ALI MATLOCK <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Hey 3701601, tell me what you think?
X-Mailer: Mew version 3.2 on Emacs 21.3 / Mule 5.5 (SAKAKI)
X-Virus-Scanned: by AMaViS perl-14
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Status: Yes, score=16.8 tag=-100 tag2=6.3 kill=6.3
tests=[BAYES_99=3.5, DCC_CHECK=2.17, DIGEST_MULTIPLE=0.765,
DNS_FROM_AHBL_RHSBL=0.231, HTML_MESSAGE=0.001, HTML_TITLE_EMPTY=0.214,
MANY_EXCLAMATIONS=0.775, MIME_HTML_ONLY=0.001, PYZOR_CHECK=3.7,
RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E4_51_100=1.5,
RAZOR2_CF_RANGE_E8_51_100=1.5, RAZOR2_CHECK=0.5,
SARE_HTML_USL_1CHAR2=0.129, SARE_HTML_USL_OBFU=0.7,
SARE_URI_NUM_SUBDOM=0.614]
X-Spam-Score: 16.8
X-Spam-Level: 
X-Spam-Flag: YES


Sincerely,
Yousef Raffah
Senior Systems Administrator
SSIS - The Savola Group

--
Aren't you using Firefox? Get it at getfirefox.com
yousef.raffah.com




On RelayCountry, IP::Country, etc.

2006-03-24 Thread Philip Prindeville
I was looking at IP::Country and trying to figure out how it works
and how it's packaged...

Noticed that the code and data are both part of the same tarball or
RPM...  That's unfortunate.  I suspect the data changes more often
than the code.  In fact, it would be nice if the data were cached on
a mirror and the client checked periodically for a copy of the two
data files and pulled them down when necessary to update them.

I emailed such a suggestion to Nigel, but didn't hear back.

Anyone have better insight as to why this wouldn't be viable, or
have his ear?

I was thinking that since IP::Country is already present, and since
many sites running SA also install MimeDefang, then there might
be a way to leverage IP::Country...  For instance, having filter_helo()
balk at email from countries that aren't well-behaved...

Thanks,

-Philip



Re: trusted networks help

2006-03-24 Thread Matt Kettler
Jim Knuth wrote:
> Yesterday (24.03.2006/22:43) Matt Kettler wrote:
> 
>> Bowie Bailey wrote:
>>> Craig McLean wrote:
>>>> Bowie Bailey wrote:
>>>> [snip]

>>>>> You should define all of the IP addresses of your mailserver.
> 
> I don't know yet how I must determine the trusted network. :(
> 192.168.1/24 127/8 is clear for me. Right?

That should be fine, but it might not be all-inclusive.

Steps to determining your trusted network setting (for ordinary networks that
don't accept mail direct-from-dialup users):

1) identify all mailservers that YOU control that might add a "by" clause to a
Received: header that SA might see.

i.e.:

Received: from server2.xxx.de (server2.xx.de [xx.xx.xx.xx])
    by xanadu.evi-inc.com (8.12.8/8.12.8) with ESMTP id ..

In this case "xanadu.evi-inc.com" is my mailserver, and that's the header format
it inserts. I'd need to repeat this for all my mailservers, including internal
servers, secondary MXes, etc.


2) identify what IP address those mailservers will appear as when your system
running SA performs a DNS lookup on their names. Use "host" or "dig" to perform
the lookup on your SA box.

i.e: host xanadu.evi-inc.com
xanadu.evi-inc.com has address 192.168.xx.yy


3) make a trusted_networks setting that encompasses all of those IPs, as well as
127.0.0.1. Being a little over-broad is OK, as long as all of the IPs covered
are hosts you control.

In my example including 192.168.yy.0/24 or even 192.168.0.0/16 would be fine, as
nobody on the Internet could directly route mail to me from these IP addresses
anyway.

My real-world trusted_networks contains part of my DMZ subnet where my external
MXes live, and one internal server:

trusted_networks 192.168.yy.0/30 10.xx.yy.zz/32 127.0.0.1/32

(all of my mailservers are static nated, so no public IPs appear here. The
outside world may think of xanadu as 208.39.141.94, but it thinks of itself as
192.168.xx.yy)
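
Added example (not part of the original post and not SpamAssassin's own code): a simplified Python model of the three steps above. It normalises trusted_networks values in the notations mentioned in this thread, walks Received: headers newest first, and reports the first relay that falls outside the trusted set. The host names, addresses and headers are constructed documentation values, and only the sendmail/Postfix-style header layout shown above is parsed.

```python
import ipaddress
import re


def parse_trusted_networks(value):
    """Convert a trusted_networks value to a list of IPv4 networks.

    Handles full CIDR, short CIDR (192.168/16, 127/8), a bare host
    address, and a trailing-dot prefix (127.). IPv4 only.
    """
    networks = []
    for item in value.split():
        addr, _, length = item.partition("/")
        octets = [o for o in addr.split(".") if o]
        if not 1 <= len(octets) <= 4:
            raise ValueError(f"not an IPv4 prefix: {item!r}")
        if not length:
            # No mask given: one octet means /8, four octets mean /32.
            length = str(8 * len(octets))
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        networks.append(ipaddress.ip_network(f"{padded}/{length}", strict=False))
    return networks


# Layout assumed:  from HELO (rdns [ip]) by HOST ...
RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\((?:[^\s\[\]]+\s+)?\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)"
)


def walk_relays(received, trusted):
    """Yield (relay_ip, by_host, is_trusted) for headers given newest first.

    Trust is a prefix of the chain: once one relay is outside
    trusted_networks, every older header is treated as unverified.
    """
    in_trusted_prefix = True
    for header in received:
        m = RECEIVED_RE.search(header)
        try:
            ip = ipaddress.ip_address(m.group("ip")) if m else None
        except ValueError:
            ip = None
        if ip is None:
            in_trusted_prefix = False  # cannot trust what cannot be parsed
            continue
        if in_trusted_prefix and not any(ip in net for net in trusted):
            in_trusted_prefix = False
        yield str(ip), m.group("by"), in_trusted_prefix


def last_external(received, trusted):
    """IP of the first relay outside trusted_networks, or None."""
    for ip, _by, is_trusted in walk_relays(received, trusted):
        if not is_trusted:
            return ip
    return None


# Constructed sample: a cable-modem client sends through its ISP's relay
# to our secondary MX (mx2), which hands the message to our primary.
SAMPLE_RECEIVED = [
    "from mx2.example.net (mx2.example.net [192.168.10.2])\n"
    "\tby mail.example.net (Postfix) with ESMTP id AAAA",
    "from smtp.isp.example (smtp.isp.example [198.51.100.25])\n"
    "\tby mx2.example.net (Postfix) with ESMTP id BBBB",
    "from laptop (cable-77.isp.example [203.0.113.77])\n"
    "\tby smtp.isp.example (Postfix) with ESMTP id CCCC",
]

# Three candidate settings (constructed) to compare.
SETTINGS = {
    "secondary MX missing": "127.0.0.1 192.168.10.1",
    "all own servers": "127. 192.168.10/24",
    "ISP relay trusted too": "127. 192.168.10/24 198.51.100/24",
}

if __name__ == "__main__":
    # Step 1: the "by" hosts show which servers stamped the message.
    everything = parse_trusted_networks("0/0")
    print("by hosts:", [by for _ip, by, _t in walk_relays(SAMPLE_RECEIVED, everything)])
    # Steps 2 and 3: see where trust ends under each setting.
    for label, value in SETTINGS.items():
        nets = parse_trusted_networks(value)
        print(f"{label:22} -> boundary at {last_external(SAMPLE_RECEIVED, nets)}")
```

With the secondary MX missing, the boundary falls on your own mx2 instead of the ISP relay that actually connected to you. With the ISP relay trusted as well, it falls on the cable-modem address, which is the case of covering hosts you do not control.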




Re: Training Bayesian filter

2006-03-24 Thread Rick Macdougall

Larry wrote:
> I sat up and read till about 1:00 this morning all about training
> the Bayesian filter. I have a question.
>
> Should I turn spamassassin off while I collect a load of spam so when I
> train the filter it doesn't have the spamassassin markup in it??
> I wouldn't think you should train the filter with the markup in it that
> it can key off of. Is that right


Hi,

It doesn't matter.  sa-learn will strip off any SA markup before 
learning.  Feel free to leave SA running while you collect your corpus 
of spam and ham.


Regards,

Rick



RE: Training Bayesian filter

2006-03-24 Thread Matthew.van.Eerde
Larry wrote:
> I sat up and read till about 1:00 this morning all about training
> the Bayesian filter. I have a question.
> 
> Should I turn spamassassin off while I collect a load of spam so when
> I train the filter it doesn't have the spamassassin markup in it??
> I wouldn't think you should train the filter with the markup in it
> that it can key off of. Is that right

SpamAssassin will ignore its own markup when training Bayes.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: Webadmin tool for Spamassassin??

2006-03-24 Thread mouss

Abel Jeffcoat wrote:
> All,
>
> I have gotten a couple of replies, (thank you) but I thought I could be
> more clear.
>
> I'm looking for a tool that will allow users to administer their blacklist
> and/or whitelist. I use Qmail and have mail delivered to a Spam folder.
> I would like my users to be able to login to a website and view
> messages, delete them, etc.


but SA only scores messages. It doesn't quarantine them nor deliver them.

If using amavisd-new, check mailzu or maya mailguard. other "packages" 
have their tools. google is your friend here.


Training Bayesian filter

2006-03-24 Thread Larry


I sat up and read till about 1:00 this morning all about training 
the Bayesian filter. I have a question.

Should I turn spamassassin off while I collect a load of spam so when I
train the filter it doesn't have the spamassassin markup in it??
I wouldn't think you should train the filter with the markup in it that
it can key off of. Is that right

Thanks



-- 
LINUX is simple. It just takes a genius to understand its simplicity.


Re: trusted networks help

2006-03-24 Thread Jim Knuth
Yesterday (24.03.2006/22:43) Matt Kettler wrote:

> Bowie Bailey wrote:
>> Craig McLean wrote:
>>> Bowie Bailey wrote:
>>> [snip]
>>>
>>>> You should define all of the IP addresses of your mailserver.

I don't know yet how I must determine the trusted network. :(
192.168.1/24 127/8 is clear for me. Right?


>>>> trusted_networks 192.168.128.4
>>>> trusted_networks 69.27.243.222
>>> (I'm not the OP...)
>>>
>>> Do those addresses need to be CIDR? Or will SA take straight-out IP?
>>>
>>> Not a criticism, just a question...
>> 
>> According to the man page, they can be in any of these formats:
>> 
>> trusted_networks 192.168/16 127/8   # all in 192.168.*.* and 127.*.*.*
>> trusted_networks 212.17.35.15   # just that host
>> trusted_networks 127.   # all in 127.*.*.*
>> 
>> (please keep list traffic on the list for archival purposes)
>>

> Correct. Really old versions of SA didn't support anything but a.b.c.d/xy,
> despite what the docs said, but that's been fixed long ago.

> If you ever run into trouble with SA not accepting one of the above formats, 
> try
> switching to full-cidr notation. If that fixes it, open a bug.

-- 
Many greetings, kind regards,
 Jim Knuth
 [EMAIL PROTECTED]
 ICQ #277289867
--
Random quote
--
If you love what you do, you will never work again in your
life (Confucius)
--
The text has nothing to do with the recipient of this mail
--
Virus free. Checked by NOD32 Version 1.1458 Build 6967  24.03.2006



Re: trusted networks help

2006-03-24 Thread Matt Kettler
Bowie Bailey wrote:
> Craig McLean wrote:
>> Bowie Bailey wrote:
>> [snip]
>>
>>> You should define all of the IP addresses of your mailserver.
>>>
>>> trusted_networks 192.168.128.4
>>> trusted_networks 69.27.243.222
>> (I'm not the OP...)
>>
>> Do those addresses need to be CIDR? Or will SA take straight-out IP?
>>
>> Not a criticism, just a question...
> 
> According to the man page, they can be in any of these formats:
> 
> trusted_networks 192.168/16 127/8   # all in 192.168.*.* and 127.*.*.*
> trusted_networks 212.17.35.15   # just that host
> trusted_networks 127.   # all in 127.*.*.*
> 
> (please keep list traffic on the list for archival purposes)
> 

Correct. Really old versions of SA didn't support anything but a.b.c.d/xy,
despite what the docs said, but that's been fixed long ago.

If you ever run into trouble with SA not accepting one of the above formats, try
switching to full-cidr notation. If that fixes it, open a bug.




RE: trusted networks help

2006-03-24 Thread Matthew.van.Eerde
Daryl C. W. O'Shea wrote:
> When automatically set, yes.  When you manually define your
> trusted/internal networks, no -- you really get to define them.

OK, that makes sense.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


RE: trusted networks help

2006-03-24 Thread Bowie Bailey
Craig McLean wrote:
> Bowie Bailey wrote:
> [snip]
> 
> > 
> > You should define all of the IP addresses of your mailserver.
> > 
> > trusted_networks 192.168.128.4
> > trusted_networks 69.27.243.222
> 
> (I'm not the OP...)
> 
> Do those addresses need to be CIDR? Or will SA take straight-out IP?
> 
> Not a criticism, just a question...

According to the man page, they can be in any of these formats:

trusted_networks 192.168/16 127/8   # all in 192.168.*.* and 127.*.*.*
trusted_networks 212.17.35.15   # just that host
trusted_networks 127.   # all in 127.*.*.*

(please keep list traffic on the list for archival purposes)

-- 
Bowie


Re: trusted networks help

2006-03-24 Thread Daryl C. W. O'Shea

[EMAIL PROTECTED] wrote:
> Daryl C. W. O'Shea wrote:
>> You might as well throw in  trusted_networks 127.0.0.1
>
> ... that's not hardcoded?

When automatically set, yes.  When you manually define your
trusted/internal networks, no -- you really get to define them.






RE: trusted networks help

2006-03-24 Thread Matthew.van.Eerde
Daryl C. W. O'Shea wrote:
> You might as well throw in  trusted_networks 127.0.0.1

... that's not hardcoded?

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: trusted networks help

2006-03-24 Thread Daryl C. W. O'Shea

Jim Maul wrote:
> Bowie Bailey wrote:
>>> My question is, with this setup, what trusted_networks should i have
>>> defined?
>>
>> You should define all of the IP addresses of your mailserver.
>>
>> trusted_networks 192.168.128.4
>> trusted_networks 69.27.243.222
>>
>> I see that 167.206.112.76 (mx1.lightpath.net) also accepts mail for your
>> domain.  If that mail comes through this server, you should add it as
>> well (along with its private address, if you see it in the headers).
>
> Thanks for the quick response.  mx1.lightpath.net is the server of our
> ISP which provides store and forward backup for us.  I do not believe
> their server has a private address, and if it does, i don't see it.  I'll
> include its public address in my trusted_networks as well.

You might as well throw in  trusted_networks 127.0.0.1  for good
measure too.  You'll need it if the SA box itself generates any mail
that ends up going through SA.


Daryl



Re: its not spam

2006-03-24 Thread Sander Holthaus
JuNiOx wrote:
> hi all
> my spamassassin is adding "*SPAM*" in some messages which
> isn't one!!
> how can i fix it?
> i would like configure to "say" it: "hei, the [EMAIL PROTECTED]
>  is not spam, stop to change its subject"
> =)
You should read the manual to set some specific options such as
whitelisting. But, why are they tagged as SPAM? It usually has a
reason :-)

Kind Regards,
Sander Holthaus



Re: exceptions

2006-03-24 Thread List Mail User
>Larry wrote:
>> 
>> Can I blacklist a domain but make an exception for one person in that
>> domain?
>> 
>> Like; 
>> 
>> blacklist_from [EMAIL PROTECTED]
>> 
>> with the exception of [EMAIL PROTECTED]
>
>blacklist_from [EMAIL PROTECTED] won't blacklist [EMAIL PROTECTED] or 
>[EMAIL PROTECTED]
>
>
>Now blacklist_from [EMAIL PROTECTED] will blacklist [EMAIL PROTECTED]
>
>
>If you want to exclude [EMAIL PROTECTED] from the blacklist, you'd just 
>need to whitelist_from him:
>
>blacklist_from [EMAIL PROTECTED]
>whitelist_from [EMAIL PROTECTED]
>
>
>Of course I think this is an incredibly horrible, and anti-social, idea. 
>  More related to SpamAssassin, though, the chances of getting any help 
>from Matt Kettler are slim to none, if you were to blacklist him.
>
>
>Daryl
>
Or you can block Comcast at the MTA level and make an exception for
Matt.  Due to Comcast's acquisitions, I now have three people I will accept
email from Comcast for.

Comcast still calls me weekly - I tell them when they have an abuse
department, I'll consider using their service;  There is little surprise that
~ 50% of all zombie boxes in the US are on Comcast (they won't disconnect
compromised machines).  In fact some 'bot creators specifically target Comcast
subscribers knowing that their zombie will live for weeks (or even months) on
a Comcast connected machine instead of days on most ISP's networks.

Also Comcast's business division's support of known spammers is a
ridiculous situation -  spammers booted from a dozen other places are left
alone and spamming on Comcast for months (e.g. Brian Kramer/Expedite).

Paul Shupak
[EMAIL PROTECTED]


Re: Training SA with Thunderbird Junk folder

2006-03-24 Thread mouss

Mike Pepe wrote:
> If your mail server and users are using IMAP, the "Junk E-mail" folder
> is on the server already.
>
> I've got a script that runs from cron that will learn from that folder
> and then delete its contents several times a day.

My issue is when spam is missed, I'd like to "J" it so it goes to the 
Junk folder. This way, the server script will pick it.


Unfortunately, if you don't enable TB "adaptive filter", TB won't move 
the message to the Junk folder. This is a bug, but I don't know if it 
will ever be fixed (it dates back...). Now, I don't want the TB 
"adaptive filter".


Re: trusted networks help

2006-03-24 Thread Jim Maul

Bowie Bailey wrote:
>> My question is, with this setup, what trusted_networks should i have
>> defined?
>
> You should define all of the IP addresses of your mailserver.
>
> trusted_networks 192.168.128.4
> trusted_networks 69.27.243.222
>
> I see that 167.206.112.76 (mx1.lightpath.net) also accepts mail for your
> domain.  If that mail comes through this server, you should add it as
> well (along with its private address, if you see it in the headers).

Thanks for the quick response.  mx1.lightpath.net is the server of our
ISP which provides store and forward backup for us.  I do not believe
their server has a private address, and if it does, i don't see it.  I'll
include its public address in my trusted_networks as well.


Thanks again,

Jim


RE: trusted networks help

2006-03-24 Thread Bowie Bailey
Jim Maul wrote:
> I believe i am having an issue with my trusted networks and am hoping
> someone can help me figure out what to do.  I currently do not have
> any defined and am running a nat'ed server which from what i read will
> pretty much always have problems with trusted networks.  The thing is,
> im not entirely sure what hosts i should trust.
> 
> My setup is as follows:
> 
> 69.27.243.222 (firewall) -> 192.168.128.4 (IP of mail server)
> 
> Now we have remote offices that are on cable modems that trigger:
> 
> X-Spam-Status: No, hits=3.4 required=5.0 tests=BAYES_40,HTML_50_60,
>   HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=no
>   version=2.64
> 
> when they try to send us mail.  They ARE using the ISP's mail server
> and not connecting directly to ours so i would think that:
> 
>   1.5 RCVD_IN_SORBS_DUL  RBL: SORBS: sent directly from dynamic IP
> address
>  [24.190.87.205 listed in dnsbl.sorbs.net]
>   1.7 RCVD_IN_NJABL_DUL  RBL: NJABL: dialup sender did non-local
>  SMTP [24.190.87.205 listed in
> combined.njabl.org] 
> 
> shouldn't be hitting.  24.whatever is the IP of the cable modem at the
> remote site.
> 
> My question is, with this setup, what trusted_networks should i have
> defined?

You should define all of the IP addresses of your mailserver.

trusted_networks 192.168.128.4
trusted_networks 69.27.243.222

I see that 167.206.112.76 (mx1.lightpath.net) also accepts mail for your
domain.  If that mail comes through this server, you should add it as
well (along with its private address, if you see it in the headers).

-- 
Bowie


trusted networks help

2006-03-24 Thread Jim Maul
I believe i am having an issue with my trusted networks and am hoping 
someone can help me figure out what to do.  I currently do not have any 
defined and am running a nat'ed server which from what i read will 
pretty much always have problems with trusted networks.  The thing is, 
im not entirely sure what hosts i should trust.


My setup is as follows:

69.27.243.222 (firewall) -> 192.168.128.4 (IP of mail server)

Now we have remote offices that are on cable modems that trigger:

X-Spam-Status: No, hits=3.4 required=5.0 tests=BAYES_40,HTML_50_60,
HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=no
version=2.64

when they try to send us mail.  They ARE using the ISP's mail server and 
not connecting directly to ours so i would think that:


 1.5 RCVD_IN_SORBS_DUL  RBL: SORBS: sent directly from dynamic IP
address
[24.190.87.205 listed in dnsbl.sorbs.net]
 1.7 RCVD_IN_NJABL_DUL  RBL: NJABL: dialup sender did non-local SMTP
[24.190.87.205 listed in combined.njabl.org]

shouldn't be hitting.  24.whatever is the IP of the cable modem at the 
remote site.


My question is, with this setup, what trusted_networks should i have 
defined?


Thanks,

Jim



Re: rulesdujour, lint, and whitelist_spf

2006-03-24 Thread Theo Van Dinter
On Fri, Mar 24, 2006 at 09:26:25AM +0100, Michael Monnerie wrote:
> As I use SPF on MTA level, I wanted to disable SPF. So I have to disable 
> the SPF list from RDJ also, thank you.

FWIW, rules that require plugins should be wrapped in "ifplugin/endif"
containers.  Especially if those rules are being distributed out to
other people -- you never know who has what plugins enabled.

-- 
Randomly Generated Tagline:
"Go, banana!"
 
--Ralph Wiggum
  Das Bus (Episode 5F11)




Re: its not spam

2006-03-24 Thread JamesDR

JuNiOx wrote:

right... i saw something about that..
but... in my spamassassin there isnt "whitelist" or "blacklist"

how do i create them?

- Original Message - 
From: "JamesDR" <[EMAIL PROTECTED]>

To: 
Sent: Friday, March 24, 2006 11:58 AM
Subject: Re: its not spam



JuNiOx wrote:

hi all
my spamassassin is adding "*SPAM*" in some messages which isn't

one!!

how can i fix it?
i would like configure to "say" it: "hei, the [EMAIL PROTECTED]
 is not spam, stop to change its subject"
=)

Whitelist them.

--
Thanks,
James








Watch for wrap:
http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Conf.html#whitelist_and_blacklist_options
that will go in either local.cf or the userpref table (if you are using 
sql user prefs.)

--
Thanks,
James



Re: Razor2

2006-03-24 Thread Matt Kettler
Rick Macdougall wrote:
> Wess wrote:
>> Hello,
>>
>> I am trying to use Razor2 with Spamassassin 3 on Gentoo.  I have
>> Razor2 installed, but Spamassassin will not use it.  If I enable the
>> "use_razor2 1" in my config, I get a warning when I lint/debug that
>> it failed to parse the line.  I have this same problem with DCC,
>> which is also installed.  Razor is set up, registered and ready to
>> go.  Also, Pyzor is installed, and spamassasin IS using it.
>>
>> Thanks guys.
>
> Hi,
>
> It gets loaded in init.pre now.
>
> Add the following to your init.pre (in /etc/mail/spamassassin) and
> restart spamd.
>
> loadplugin Mail::SpamAssassin::Plugin::Razor2
Actually, there's already a commented-out version of this statement in
v310.pre. It would be easier to just un-comment that and restart.



RE: Add Rules From SARE and/or SA for Spamassassin

2006-03-24 Thread Bowie Bailey
Num ber wrote:
> > the last question,
> > What rules i need to take ? all ? or only somes (but what ...)
> 
> Nobody ??

I answered your question the first time you asked...

> They have too many rules on the SARE website...
> And i don't know what rules i need to take .. ALL ?

There are only 21 SARE rule sets (and another 14 in their "other
rules" section).  Which rules you want depends on your situation.
Read the descriptions for each one and see if you think it would be
useful.

Things to watch for:

- Some of the rule sets have different versions depending on your SA
  version.  (SARE_REDIRECT vs SARE_REDIRECT_POST300, for example)
  Only get the one that applies to your version.
- Some of the rule sets have different files depending on your
  tolerance of false positives.  If you get the individual files, you
  don't need the main file.  (So get SARE_HTML0 - SARE_HTML4, or
  SARE_HTML but not both)
- antidrug.cf and backhair.cf are not needed for SA 3.0 or higher
- Some of the rules are not appropriate for non-english text.

As a starting point, this is my RDJ list (for SA 3.1):

SARE_ADULT
SARE_EVILNUMBERS0
SARE_FRAUD
SARE_HTML0
SARE_HEADER0
SARE_GENLSUBJ0
SARE_OBFU0
SARE_OEM
SARE_RANDOM
SARE_REDIRECT_POST300
SARE_SPECIFIC
SARE_SPOOF
SARE_STOCKS
SARE_UNSUB
SARE_URI0
SARE_WHITELIST_SPF
SARE_WHITELIST_RCVD

And I've also got these static rule sets:

chickenpox.cf
uribl.cf
weeds.cf

Note that I only have the "0" files (such as SARE_HTML0) for some of
those rules.  You can include the "1" files (SARE_HTML1) as well to
catch more spam, but your risk of false positives will go up slightly.

> (Can i test if the new rules was installed ?? )

spamassassin -D --lint

The config lines will show you all of the rule files that are loaded.

If you are using spamd or amavis, you will need to restart them so
that they see the new rules.

-- 
Bowie


Re: Training SA with Thunderbird Junk folder

2006-03-24 Thread Mike Pepe

mouss wrote:
> Edward Diener wrote:
>> Does anybody know the instructions for training SA with the contents of
>> the Thunderbird Junk folder ?
>>
>> My web host, where SA is running, suggests I do this in order to reduce
>> the amount of spam I get, and I can login to my web host, transfer files
>> from my local machine to my web host, and run SA commands.
>
> so the messages are accessible on your SA system? if so, then run
> spamassassin or spamc with the right option.
>
> what I would like to see is a plugin to "J" a message...


If your mail server and users are using IMAP, the "Junk E-mail" folder 
is on the server already.


I've got a script that runs from cron that will learn from that folder 
and then delete its contents several times a day.


looks like this:

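#!/bin/bash

# Feed the IMAP Junk folder (mbox format) to Bayes as spam.
# Stop if learning fails, so unlearned mail is not deleted.
sa-learn --spam --mbox "./mail/Junk E-mail" || exit 1

# Empty the folder by recreating it.
rm "./mail/Junk E-mail"
touch "./mail/Junk E-mail"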

you could probably adapt the concept to work system-wide, though I'm not 
sure how your hosting people would take to it.


-Mike


Re: Razor2

2006-03-24 Thread Rick Macdougall

Wess wrote:
> Hello,
>
> I am trying to use Razor2 with Spamassassin 3 on Gentoo.  I have Razor2
> installed, but Spamassassin will not use it.  If I enable the
> "use_razor2 1" in my config, I get a warning when I lint/debug that it
> failed to parse the line.  I have this same problem with DCC, which is
> also installed.  Razor is set up, registered and ready to go.  Also,
> Pyzor is installed, and spamassasin IS using it.
>
> Thanks guys.


Hi,

It gets loaded in init.pre now.

Add the following to your init.pre (in /etc/mail/spamassassin) and 
restart spamd.


loadplugin Mail::SpamAssassin::Plugin::Razor2


Regards,

Rick


Re: 2nd mail server problem

2006-03-24 Thread John Hall
"Bowie Bailey" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]

> 1) Get rid of the secondary
> 2) Make the secondary capable of rejecting messages based on spam,
>   virus, unknown user, etc the same way the primary does.
> 3) Find a way to have the secondary only accept mail when the primary
>   is down.

Maybe the best solution is to have the secondary ready on standby. If for 
some reason your primary is down for more than a day you can then switch it 
on to temporarily accept e-mail until the primary is back up.

John 





Razor2

2006-03-24 Thread Wess

Hello,

I am trying to use Razor2 with Spamassassin 3 on Gentoo.  I have Razor2 
installed, but Spamassassin will not use it.  If I enable the 
"use_razor2 1" in my config, I get a warning when I lint/debug that it 
failed to parse the line.  I have this same problem with DCC, which is 
also installed.  Razor is set up, registered and ready to go.  Also, 
Pyzor is installed, and spamassasin IS using it.


Thanks guys.


Re: Training SA with Thunderbird Junk folder

2006-03-24 Thread Michael Parker
Sander Holthaus wrote:
> The problem with using that approach is that you can't authenticate
> users. In small, closed, trusted environments it can be useful, but in
> most situations, I don't think it will be usable. The nice thing about
> using an IMAP-based solution is that the user is authenticated
> (provided you set it up correctly).

Actually, there exists a plugin and a patch for a new plugin hook that
implements a password for spamd protocol transactions.  It never really
went anywhere but could probably be picked up and fixed up a bit if
there was enough interest.

Michael


Re: its not spam

2006-03-24 Thread JamesDR

JuNiOx wrote:
> hi all
> my spamassassin is adding "*SPAM*" in some messages which isn't one!!
> how can i fix it?
> i would like configure to "say" it: "hei, the [EMAIL PROTECTED]
>  is not spam, stop to change its subject"
>
> =)


Whitelist them.

--
Thanks,
James



Re: Add Rules From SARE and/or SA for Spamassassin

2006-03-24 Thread Dimitri Yioulos
On Friday March 24 2006 6:47 am, Num ber wrote:
> >the last question,
> >What rules i need to take ? all ? or only somes (but what ...)
>
> Nobody ??
> They have too many rules on the SARE website...
> And i don't know what rules i need to take .. ALL ?
>
> (Can i test if the new rules was installed ?? )
>
> Thanks and goodbye :-)
>

Well, the rules are pretty well commented, so you should have a good idea of 
what they'll tag.  I would say the testing is in actual use.  You could feed 
spam messages into your MTA and see how they're tagged.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: SQL Bayes

2006-03-24 Thread Jim C. Nasby
Perhaps a better option would be to have a users table and setup
referential integrity. Of course that would do no good for MyISAM, but
using that isn't really any better than using BDB, so...

On Tue, Mar 21, 2006 at 09:26:30AM -0800, [EMAIL PROTECTED] wrote:
> Duane Hill wrote:
> > delete from bayes_token where id = (select id from bayes_vars
> > where username = '[EMAIL PROTECTED]');
> ...
> > delete from bayes_seen where id = (select id from bayes_vars where
> > username = '[EMAIL PROTECTED]');
> > 
> > delete from bayes_expire where id = (select id from bayes_vars
> > where username = '[EMAIL PROTECTED]');
> > 
> > delete from awl where username = (select username from bayes_vars
> > where username = '[EMAIL PROTECTED]');
> > 
> > Then, finally removing the account from bayes_vars:
> > 
> > delete from bayes_vars where username = '[EMAIL PROTECTED]';
> > 
> 
> Nitpick mode on:
> 
> Changing "id =" to "id in" will save you some errors in corner cases where 
> the username is no longer in bayes_vars...
> 
> delete from bayes_(token|seen|expire) where id in
> (select id from bayes_vars where username = '[EMAIL PROTECTED]');
> 
> The awl deletion can be simplified too:
> delete from awl where username = '[EMAIL PROTECTED]';
> 
> -- 
> Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
> Hispanic Business Inc./HireDiversity.com   Software Engineer
> 

-- 
Jim C. Nasby, Database Architect [EMAIL PROTECTED]
Give your computer some brain candy! www.distributed.net Team #1828

Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"


Re: Training SA with Thunderbird Junk folder

2006-03-24 Thread Sander Holthaus
Matt Kettler wrote:
> Forrest Aldrich wrote:
>> Such a mechanism would still depend upon some organization on the
>> server side... as far as I can tell, it's very much to the local
>> sysadmin (ie: aliases to send to, forward or attach properly,
>> etc). Would this even work well potentially?
>
> You don't need any of that in modern SA.
>
> Spamd allows clients to connect and perform a learn operation if
> you start it with the "--allow-tell" command. All you'd need to do
> is set up spamd that way and have the t-bird plugin speak the same
> protocol as spamc does.
>
> (possibly not suited to all environments, but if you trust your
> users..)
>
>
>> Might be interesting if there were somehow a way to collect data
>> on the client side (ie: thunderbird/windows or whichever
>> platform) and have a mechanism to contribute that data to your
>> account (or database entry, if it's MySQL backend), to your
>> bayes.
>
> Like spamd --allow-tell ? :)
>
The problem with using that approach is that you can't authenticate
users. In small, closed, trusted environments it can be useful, but in
most situations, I don't think it will be usable. The nice thing about
using an IMAP-based solution is that the user is authenticated
(provided you set it up correctly).

Kind Regards,
Sander Holthaus



RE: 2nd mail server problem

2006-03-24 Thread Bowie Bailey
Joshua, C.S. Chen wrote:
> Hi folks,
> I am using spamassassin 3.1.0 and it works well. Now in my institute,
> we have 2 mx (mail servers) see it's dns record
> 
> myinstitute.edu.tw. 300 IN MX 100 mail2.myinstitute.edu.tw.
> myinstitute.edu.tw. 300 IN MX 2 mail1.myinstitute.edu.tw.
> 
> 
> 
> Now in most cases, spam goes to mail1 and got dropped. This is great.
> But then the spam tries to go ahead for mail2, and I did not enable
> mail2 for spamassassin (because it is mainly for redundancy, and not
> powerful enough). This makes mail2 extremely busy to send reply to the
> spammer of user unknown or other reporting messages.
> 
> My question is, if I don't want mail2 to run spamassassin, just for
> relaying messages to mail1 (as it's main purpose--redundancy), how
> can I configure mail2 "NOT TO" reply the spammer for the undelivery?

If you are going to have a secondary, it should have the same
spam/virus checking abilities as the primary.  Quite a bit of spam
these days will be sent to the secondary servers first to exploit this
exact problem.

If mail2 just accepts mail and then forwards it to mail1, you may want
to consider dropping mail2 entirely.  If mail1 goes down, incoming mail
should still be held for at least a couple of days on the sending
server.  So unless mail2 is also capable of servicing your local users
while mail1 is down, you are not getting all that much benefit from
it.  Especially considering the spam and DSN headaches.

Consider this...

With a secondary:

- Secondary accepts incoming mail
- Primary rejects the mail as spam/virus/no such user/etc
- It is now the Secondary's responsibility to send a bounce back to
  the sender
- Secondary's mail queue fills up with DSN messages
- And since you cannot be sure of the reply address in the email,
  all of those messages may not even be going to the proper place.

or

- Secondary accepts incoming mail
- Primary is down
- Secondary holds the mail until the Primary comes up
- See above for the results

Without a secondary:

- Primary rejects the mail as spam/virus/no such user/etc
- It is now the sending server's responsibility to deal with the
  bounce

or

- Primary is down
- Sending server will hold the mail (generally 3-7 days)
- When the Primary comes back up, see above

Granted, you have more control over holding the mail with a secondary,
but realistically, how often and for how long do you expect your main
mailserver to be down?  If it is down frequently, or for more than a
day or so, then you have more to worry about than a mail queue clogged
with spam DSN's.

I would suggest that you either:
1) Get rid of the secondary
2) Make the secondary capable of rejecting messages based on spam,
   virus, unknown user, etc the same way the primary does.
3) Find a way to have the secondary only accept mail when the primary
   is down.

-- 
Bowie


Re: SA just stopped working

2006-03-24 Thread Liam-PrintingAutomation




mouss wrote:
> Liam-PrintingAutomation wrote:
>> I uhm, er, have no idea
>> How do I find out? I can't find anything in the Sendmail settings to indicate.
>> I use Webmin for server management, and since you mentioned Procmail I took a
>> look at the Webmin GUI for that, and found this:
>> Set variable DROPPRIVS to yes
>>
>> Feed to progam /usr/bin/spamc
>>     Always execute action
>>
>> So, Procmail is supposed to feed to Spamassassin. So the question remains, is it
>> using Procmail.
>> How do I know? If not, what else COULD it be using on the server?
>> And how could it have mysteriously changed at some point without my doing
>> anything? =/
>
> given what you posted, your sa seems to be ok. you now need to make sure
> your sendmail is actually calling procmail. try putting an error in your
> procmail and see if that shouts.

I'm sorry, I really don't understand what you mean.
How do I put an error in Procmail?
Thanks,
Liam




sa-learn --backup and --restore issue: duplicate key violations

2006-03-24 Thread C. Bensend

Hey folks,

   I'm going to be upgrading my mailserver in a month or two,
so I'm running through some different configurations for
SpamAssassin, IMAP, and anti-virus.  I'm working on testing the
SQL stuff for user configs and Bayes right now.

   So, here are the stats:


Old mailserver                    New mailserver
==============                    ==============
OpenBSD 3.6 on AMD64              OpenBSD 3.9 on AMD64
SpamAssassin 3.0.4 using files    SpamAssassin 3.1.1 using SQL


   To begin testing, I did a 'sa-learn --backup > outfile' on
the existing mailserver, and 'sa-learn --restore outfile' on
a POS test box I have installed with a recent snapshot of
OpenBSD 3.9.  I used the native SpamAssassin's version of
sa-learn (ie, I used 3.0.4's sa-learn on the old box, and
3.1.1's version of sa-learn on the new).

   The dump is significant - over a half a million lines and
around 28MB.  I should mention that I believe I have
SpamAssassin properly configured to talk to the database on
the POS testing box, everything seems fine there.

   The restore starts fine, and runs and runs.  I see the
tokens being stuffed into the bytea columns, and finally when
it comes to the bayes_seen stuff, I see the INSERTs flying
past.  Yay!

   But after a while (I know it got over 270,000 rows INSERTed,
but I don't know how many more after that), it starts throwing
unique constraint violations:

[21458] dbg: bayes: error inserting msgid in seen table for line:
[EMAIL PROTECTED]
[21458] dbg: bayes: seen_put: SQL error: ERROR:  duplicate key violates
unique constraint "bayes_seen_pkey"
[21458] dbg: bayes: error inserting msgid in seen table for line:
[EMAIL PROTECTED]
[21458] dbg: bayes: seen_put: SQL error: ERROR:  duplicate key violates
unique constraint "bayes_seen_pkey"

   After a number of these, it dies with:

bayes: encountered too many errors (20) while parsing seen lines,
reverting to empty database and exiting

ERROR: Bayes restore returned an error, please re-run with -D for more
information

   .. which makes me sad.  So, my question - is there a way to
fix this?  Or will I have to end up dumping my Bayes and starting
over?  I really hope I don't have to do that, because my Bayes
database is huge and really quite accurate.

Thanks, folks!

Benny


-- 
"A computer lets you make more mistakes faster than any invention
in human history, with the possible exceptions of handguns and
tequila."  -- Found on usenet



its not spam

2006-03-24 Thread JuNiOx



hi all
my spamassassin is adding "*SPAM*" to some messages which aren't spam!!
how can i fix it?
i would like to configure it to "say": "hey, the [EMAIL PROTECTED] is not spam, stop
changing its subject"
=)


Re: Spamassassin Appliances?

2006-03-24 Thread Paolo Cravero as2594

Hi,
this is a copy'n'paste from a message I wrote in December 2005 to the 
AMaViS list.




Hi,
I thought you might like to know how much a commercial solution _very_ 
similar to amavisd-new+ClamAV+SA+MySQL+mailzu costs.


Something with AV+AS and webQuarantine to be installed on your own 
hardware, and a nice web interface for management (configuration).


For 10k mailboxes it is about 12 USD/mailbox/year. But for 200 mailboxes 
the cost increases to 50 USD/mbx/year. There are of course reductions if 
the license covers 2 or 3 years.


How much money is your setup worth? :-)

.

I'd go for spare lower-level machines that can just be turned on until 
the main one is fixed. Anyway, unless someone has shell access to your 
SA installation, it shouldn't software-break. Over here it hasn't in 
over 3 years of uninterrupted >100kmsgs/day/server. Mind disk occupation 
if you quarantine to disk, though!


Depending on your traffic, Postfix+SA could be handled by a P4 1GB RAM
machine without slowdowns.


Paolo


Re: some messages does not seem to get to spamassassin

2006-03-24 Thread Craig McLean
Sipos Gabor wrote:
> Hello everyone,
> 

Hi!

[snip SA not marking some mail]

> Where  to  start looking?
> 
> thanks everyone
> Gabor Sipos
> 

I had a similar problem here, with only a couple of mail accounts and no
real load to speak of.
I added a global procmail rule to check that SA had seen and marked
every message, and pass the mail through spamc again if it didn't. Then
it checks again, and passes the mail through 'spamassassin' proper if
needed. If it still doesn't get the SA headers, it gets an
"X-Everthing-Missed" header which I can grep for.

C.

--
Craig McLean              http://fukka.co.uk
[EMAIL PROTECTED]         Where the fun never starts
Powered by FreeBSD, and GIN!
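The fallback chain described in the reply above, sketched as a delivery filter. This is an added example, not the poster's procmail rule; the hostname check and the `yes` header value are assumptions, and the header name is spelled as in the post.

```python
import email
import subprocess

SA_HEADER = "X-Spam-Checker-Version"   # header SpamAssassin adds to scanned mail
MISSED_HEADER = b"X-Everthing-Missed"  # spelled as in the post above


def is_marked(raw, hostname):
    """True if the message carries a checker header written on *our* host.

    Requiring "... on <hostname>" is an assumption added here: a bare
    presence test would also accept a header supplied by the sender.
    The hostname must match what the local SpamAssassin writes.
    """
    msg = email.message_from_bytes(raw)
    wanted = " on " + hostname.lower()
    for value in msg.get_all(SA_HEADER, []):
        unfolded = " ".join(str(value).split()).lower()
        if unfolded.endswith(wanted):
            return True
    return False


def command_scanner(argv, timeout=120):
    """Wrap a filter command (message on stdin, result on stdout)."""
    def scan(raw):
        try:
            done = subprocess.run(argv, input=raw, stdout=subprocess.PIPE,
                                  timeout=timeout, check=True)
        except (OSError, subprocess.SubprocessError):
            return raw            # scanner unavailable: hand back the input
        return done.stdout or raw
    return scan


def add_missed_header(raw):
    """Tag the message, keeping an mbox "From " separator as line one."""
    line = MISSED_HEADER + b": yes\n"
    first, sep, rest = raw.partition(b"\n")
    if first.startswith(b"From "):
        return first + sep + line + rest
    return line + raw


def ensure_scanned(raw, retries, hostname):
    """Return (message, outcome) after the retry chain described above.

    retries is an ordered list of (name, scan) pairs; outcome is
    "already-marked", the name of the pass that worked, or "missed".
    """
    if is_marked(raw, hostname):
        return raw, "already-marked"
    for name, scan in retries:
        result = scan(raw)
        if is_marked(result, hostname):
            return result, name
    return add_missed_header(raw), "missed"


# The chain from the post: spamc again, then the stand-alone spamassassin.
DEFAULT_RETRIES = [
    ("spamc", command_scanner(["spamc"])),
    ("spamassassin", command_scanner(["spamassassin"])),
]

if __name__ == "__main__":
    import socket
    import sys
    message, outcome = ensure_scanned(sys.stdin.buffer.read(),
                                      DEFAULT_RETRIES, socket.getfqdn())
    sys.stdout.buffer.write(message)
```

Counting the "missed" outcomes over time shows whether unscanned mail is a rare glitch or a steady leak in the delivery path.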


Re: INVALID_DATE

2006-03-24 Thread Craig McLean
David Lee wrote:
> On Fri, 24 Mar 2006, mouss wrote:
> 
>> Daryl C. W. O'Shea wrote:
>>> David Lee wrote:
>>>
>>>> If, conversely, it is not in breach, then SA has a problem: it shouldn't
>>>> be marking it "INVALID_DATE".  Incidentally, it is this aspect (rather
>>>> than any other)  of the date that is triggering this SA rule, isn't it?
>>>
>>> I guess we could fix it by renaming the rule "STUPIDLY_FORMATTED_DATE".

Heh. Never a truer word spoken, than in jest.

>>> Anyone writing their own mail application, such as this mobile
>>> providers, should really stick to formatting as seen in well established
>>> MTAs.
>>>
>> sure, but if we take it the rfc way,
>>  FROM_ENDS_IN_NUMS, NO_REAL_NAME
>> are pure abuse. and they do cause FPs (dunno about FROM_LOCAL_HEX).

That's certainly my opinion.

> 1. INVALID_DATE:  I think we all agree that the ISP (mobile provider O2;
> mmail) are almost certainly in breach of 822/2822.  (Being as generous as
> possible, we would agree (I think) that they are way, way out of step with
> good practice.)

No disagreement here.

> (We now shift discussion from the "Date:" field to the "From:" field.)
> 
> 2. FROM_ENDS_IN_NUMS:  Here, I actually find myself in some sympathy with
> the ISP.  Their service is about email on a cellphone, with a "From:" that
> is, by definition, that cellphone number:
>    From: [EMAIL PROTECTED]
> 
> (I have "x"d some of the real number).  It does seem to make sense, for
> their service, in their context.
> 
> 3. NO_REAL_NAME:  It would be nice if the ISP could adjust this to be
> something like (in my own case):
>    From: David Lee <[EMAIL PROTECTED]>
> 
> But with a block-booking from a customer (my own number above is part of
> such a thing from my employer) they might not have enough information for
> this.  So again, I find myself in some sympathy with them.
> 
> 4. FROM_LOCAL_HEX: presumably this is because the "local" part is, by
> definition of their service, a cellphone number.  There seems little that
> can be done about this.
> 
> 
> For those final three items (those concerning "From:") this is a judgement
> call, and a reasonable case can be made that we (the receiving customer,
> having this service for our people on the road checking back in) might
> need to adjust our SA scores slightly downwards, and/or have supplementary
> rules that add a small negative score for "@mmail.co.uk".  That's not the
> main issue at discussion on this thread.  (But advice and suggestions
> would be welcome.)

As mentioned, NO_REAL_NAME hits way too much ham to be viable IMNSHO. It
doesn't score here.
In any case, I'm sure the rules could be tweaked to create metas whereby
FROM_LOCAL_HEX or FROM_ENDS_IN_NUMS won't fire if (say) FROM_IS_MOBILE
or FROM_MMAIL is true. You'll need to write those rules, but they are
trivial.

> The real issue is being able to demonstrate to the ISP that their 17-char,
> space-separated (therefore non-alphabetic) "GMT Standard Time" in their
> "Date:" is (or isn't) in clear technical breach of 822/2822.
> 

How big is your contract with the cellphone provider? Do you have the
clout to get them to re-write bits of their MTA?

C.

--
Craig McLean              http://fukka.co.uk
[EMAIL PROTECTED]         Where the fun never starts
Powered by FreeBSD, and GIN!


Re: some messages does not seem to get to spamassassin

2006-03-24 Thread Will Nordmeyer
I've seen this as well... it appears (to me) to be related to bayes 
token expiring timeouts.

Whenever one of my clients has a timeout on their token expire, the 
headers don't get written to the SPAM and the message gets sent on 
without headers.

--Will

> Hello everyone,
>
> I'm  a  newbie here, so please forgive me for asking n00b questions, and
> also,  I'm  not  sure whether this is a SA question, but I have to start
> somewhere.
>
> My   setup is: debian/sarge 3.1, amavisd-new, spamassassin 3.03 (I think
> so)  and ClamAV. The system is a relay-only server which relays all mail
> defined as relay_domains in postfix to my 'real' messaging server.
>
> The  problem  is:  some  of  the  messages (actually spams) seems to get
> through  without  even  been  touched by spamassassin. Most of these are
> text-only  spams,  and  they don't  even get scored. If I copy the whole
> message  to a text file on the server, and then run spamc < messagefile,
> it   DOES  get  a score (bayes_99, actually the score is 7.0 or higher).
> The  same  effect  when I run spamassassin and copy the whole message to
> stdin  (score  is  pretty  much  the  same).  Also, I've noticed that in
> amavisd's  reports  there  is  nothing  about  the bayes score, only the
> standard spamassassin scores are listed.
>
> Where  to  start looking?
>
> thanks everyone
> Gabor Sipos







RE: Spamassassin Appliances?

2006-03-24 Thread Paul Hutchings
They look a little pricey, which I suppose is to be expected as you're
paying for integration and support I suppose.

I wonder if anything is available that would run on, say, a Mac Mini?

Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:[EMAIL PROTECTED]
 

> -Original Message-
> From: Martin Hepworth [mailto:[EMAIL PROTECTED] 
> Sent: 24 March 2006 11:43
> To: Paul Hutchings; users@spamassassin.apache.org
> Subject: RE: Spamassassin Appliances?
> 
> Paul
> 
> The defenderMX product from fsl.com is good. No idea of prices, based on
> number of CPUs I believe. You provide the hardware and they manage the
> software once it's installed.
>
> It's basically a commercial version of MailScanner with a more feature-full
> interface.
> 
> 
> --
> Martin Hepworth 
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
> 
> > -Original Message-
> > From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> > Sent: 24 March 2006 11:35
> > To: users@spamassassin.apache.org
> > Subject: Spamassassin Appliances?
> > 
> > I currently run a Linux relay based around Postfix and Spamassassin.
> > 
> > The hardware is getting old so I'm considering replacing it with an
> > entry level rack mount server.
> > 
> > I wondered if anyone had any suggestions on appliances that might be
> > worth looking at that are based around Spamassassin (and preferably
> > Postfix as the underlying MTA) so I can do a cost comparison?
> > 
> > Basically if I'm not around, if it breaks and it's not hardware nobody
> > would have much idea where to begin, so I'm wondering what might be out
> > there that gives the benefits and flexibility of Spamassassin but with a
> > friendly front-end etc.
> > 
> > Basically what I have now but without the "home brew" factor?
> > 
> > TIA,
> > Paul
> > --
> > Paul Hutchings
> > Network Administrator, MIRA Ltd.
> > Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
> > mailto:[EMAIL PROTECTED]
> 
> 
> 
> 


Re: Add Rules From SARE and/or SA for Spamassassin

2006-03-24 Thread Num ber

the last question,
What rules do i need to take ? all ? or only some (but what ...)


Nobody ??
They have too many rules on the SARE website...
And i don't know what rules i need to take .. ALL ?

(Can i test if the new rules were installed ?? )

Thanks and goodbye :-)





Re: Spamassassin Appliances?

2006-03-24 Thread Dhawal Doshy
Paul Hutchings writes:

> I currently run a Linux relay based around Postfix and Spamassassin.
>
> The hardware is getting old so I'm considering replacing it with an
> entry level rack mount server.
>
> I wondered if anyone had any suggestions on appliances that might be
> worth looking at that are based around Spamassassin (and preferably
> Postfix as the underlying MTA) so I can do a cost comparison?
>
> Basically if I'm not around, if it breaks and it's not hardware nobody
> would have much idea where to begin, so I'm wondering what might be out
> there that gives the benefits and flexibility of Spamassassin but with a
> friendly front-end etc.
>
> Basically what I have now but without the "home brew" factor?

See if this helps..
http://www.fsl.com/defender5.html

Sendmail (and not postfix though) along with spamassassin and mailscanner,
the software edition worked like a charm in my test runs..

- dhawal

> TIA,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
> mailto:[EMAIL PROTECTED]





RE: Spamassassin Appliances?

2006-03-24 Thread Martin Hepworth
Paul

The defenderMX product from fsl.com is good. No idea of prices, based on
number of CPUs I believe. You provide the hardware and they manage the
software once it's installed.

It's basically a commercial version of MailScanner with a more feature-full
interface.


--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -Original Message-
> From: Paul Hutchings [mailto:[EMAIL PROTECTED]
> Sent: 24 March 2006 11:35
> To: users@spamassassin.apache.org
> Subject: Spamassassin Appliances?
> 
> I currently run a Linux relay based around Postfix and Spamassassin.
> 
> The hardware is getting old so I'm considering replacing it with an
> entry level rack mount server.
> 
> I wondered if anyone had any suggestions on appliances that might be
> worth looking at that are based around Spamassassin (and preferably
> Postfix as the underlying MTA) so I can do a cost comparison?
> 
> Basically if I'm not around, if it breaks and it's not hardware nobody
> would have much idea where to begin, so I'm wondering what might be out
> there that gives the benefits and flexibility of Spamassassin but with a
> friendly front-end etc.
> 
> Basically what I have now but without the "home brew" factor?
> 
> TIA,
> Paul
> --
> Paul Hutchings
> Network Administrator, MIRA Ltd.
> Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
> mailto:[EMAIL PROTECTED]





Spamassassin Appliances?

2006-03-24 Thread Paul Hutchings
I currently run a Linux relay based around Postfix and Spamassassin.

The hardware is getting old so I'm considering replacing it with an
entry level rack mount server.  

I wondered if anyone had any suggestions on appliances that might be
worth looking at that are based around Spamassassin (and preferably
Postfix as the underlying MTA) so I can do a cost comparison?

Basically if I'm not around, if it breaks and it's not hardware nobody
would have much idea where to begin, so I'm wondering what might be out
there that gives the benefits and flexibility of Spamassassin but with a
friendly front-end etc.

Basically what I have now but without the "home brew" factor?

TIA,
Paul
--
Paul Hutchings
Network Administrator, MIRA Ltd.
Tel: 44 (0)24 7635 5378, Fax: 44 (0)24 7635 8378
mailto:[EMAIL PROTECTED]


Re: 2nd mail server problem

2006-03-24 Thread hamann . w
Hi,

I changed my first mailserver to not accept mail for non-existent accounts (so
these mails do not take SA resources either),
but a lot of spam seems to be sent to the 2nd MX anyway.
So the consequence was to make an account list available to the 2nd server, so 
it can reject non-existent recipients as well.
In my particular case the accounts are held in a mysql database, and it is 
replicated to the spare server

Wolfgang Hamann

== Joshua Chen wrote 
Hi folks,
I am using spamassassin 3.1.0 and it works well. Now in my institute, we
have 2 mx (mail servers) see it's dns record

myinstitute.edu.tw. 300 IN MX 100 mail2.myinstitute.edu.tw.
myinstitute.edu.tw. 300 IN MX 2 mail1.myinstitute.edu.tw.



Now in most cases, spam goes to mail1 and got dropped. This is great.
But then the spam tries to go ahead for mail2, and I did not enable
mail2 for spamassassin (because it is mainly for redundancy, and not
powerful enough). This makes mail2 extremely busy to send reply to the
spammer of user unknown or other reporting messages.

My question is, if I don't want mail2 to run spamassassin, just for
relaying messages to mail1 (as it's main purpose--redundancy), how can I
configure mail2 "NOT TO" reply the spammer for the undelivery?


Re: INVALID_DATE

2006-03-24 Thread David Lee
On Fri, 24 Mar 2006, mouss wrote:

> Daryl C. W. O'Shea wrote:
> > David Lee wrote:
> >
> >> If, conversely, it is not in breach, then SA has a problem: it shouldn't
> >> be marking it "INVALID_DATE".  Incidentally, it is this aspect (rather
> >> than any other)  of the date that is triggering this SA rule, isn't it?
> >
> >
> > I guess we could fix it by renaming the rule "STUPIDLY_FORMATTED_DATE".
> >
> > Anyone writing their own mail application, such as this mobile
> > providers, should really stick to formatting as seen in well established
> > MTAs.
> >
>
> sure, but if we take it the rfc way,
>   FROM_ENDS_IN_NUMS, NO_REAL_NAME
> are pure abuse. and they do cause FPs (dunno about FROM_LOCAL_HEX).

1. INVALID_DATE:  I think we all agree that the ISP (mobile provider O2;
mmail) are almost certainly in breach of 822/2822.  (Being as generous as
possible, we would agree (I think) that they are way, way out of step with
good practice.)

(We now shift discussion from the "Date:" field to the "From:" field.)

2. FROM_ENDS_IN_NUMS:  Here, I actually find myself in some sympathy with
the ISP.  Their service is about email on a cellphone, with a "From:" that
is, by definition, that cellphone number:
   From: [EMAIL PROTECTED]

(I have "x"d some of the real number).  It does seem to make sense, for
their service, in their context.

3. NO_REAL_NAME:  It would be nice if the ISP could adjust this to be
something like (in my own case):
   From: David Lee <[EMAIL PROTECTED]>

But with a block-booking from a customer (my own number above is part of
such a thing from my employer) they might not have enough information for
this.  So again, I find myself in some sympathy with them.

4. FROM_LOCAL_HEX: presumably this is because the "local" part is, by
definition of their service, a cellphone number.  There seems little that
can be done about this.


For those final three items (those concerning "From:") this is a judgement
call, and a reasonable case can be made that we (the receiving customer,
having this service for our people on the road checking back in) might
need to adjust our SA scores slightly downwards, and/or have supplementary
rules that add a small negative score for "@mmail.co.uk".  That's not the
main issue at discussion on this thread.  (But advice and suggestions
would be welcome.)

The real issue is being able to demonstrate to the ISP that their 17-char,
space-separated (therefore non-alphabetic) "GMT Standard Time" in their
"Date:" is (or isn't) in clear technical breach of 822/2822.


-- 

:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:                                           Durham University     :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :
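The zone part of the "Date:" question above can be checked mechanically against the RFC 2822 grammar. This is an added example, not SpamAssassin's INVALID_DATE rule and not code from the thread; the sample header values are constructed, since the original header is not shown in this message.

```python
import re

# Everything up to and including the time-of-day (RFC 2822 section 3.3).
PREFIX = re.compile(
    r"""\s*
    (?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s*,\s*)?              # optional day-of-week
    \d{1,2}\s+
    (?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
    \d{2,}\s+                                                # year (2 digits is obsolete)
    \d{2}:\d{2}(?::\d{2})?                                   # hh:mm[:ss]
    \s*""",
    re.VERBOSE | re.IGNORECASE,
)
# zone = +hhmm / -hhmm, or an obsolete form: UT, GMT, a North American
# zone name, or one military letter other than "J" (section 4.3).
ZONE = re.compile(r"[+-]\d{4}|UT|GMT|[ECMP][SD]T|[A-IK-Z]", re.IGNORECASE)
# After the zone only whitespace and (comments) may follow. Nested
# comments are not handled; that is a simplification of this example.
COMMENT_ONLY = re.compile(r"(?:\s*\([^()]*\))*\s*$")

# Constructed sample values for the Date: header.
SAMPLES = [
    "Fri, 24 Mar 2006 10:15:00 +0000",
    "Fri, 24 Mar 2006 10:15:00 GMT",
    "Fri, 24 Mar 2006 10:15:00 +0000 (GMT Standard Time)",
    "Fri, 24 Mar 2006 10:15:00 GMT Standard Time",
]


def check_date_header(value):
    """Return (ok, zone_token, problem) for the value of a Date: header."""
    m = PREFIX.match(value)
    if m is None:
        return (False, None, "date or time-of-day is malformed")
    rest = value[m.end():]
    # The zone is the first token: it ends at whitespace or at a comment.
    token = re.match(r"[^\s(]*", rest).group(0)
    tail = rest[len(token):]
    if ZONE.fullmatch(token) is None:
        return (False, token,
                "zone is not +hhmm/-hhmm or an obsolete zone name")
    if COMMENT_ONLY.match(tail) is None:
        return (False, token,
                "unquoted text after the zone: %r" % tail.strip())
    return (True, token, None)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_date_header(sample))
```

The same words inside parentheses parse as a comment, which is how a sender can keep a descriptive zone name next to a numeric offset.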


some messages does not seem to get to spamassassin

2006-03-24 Thread Sipos Gabor
Hello everyone,

I'm  a  newbie here, so please forgive me for asking n00b questions, and
also,  I'm  not  sure whether this is a SA question, but I have to start
somewhere.

My   setup is: debian/sarge 3.1, amavisd-new, spamassassin 3.03 (I think
so)  and ClamAV. The system is a relay-only server which relays all mail
defined as relay_domains in postfix to my 'real' messaging server.

The  problem  is:  some  of  the  messages (actually spams) seems to get
through  without  even  been  touched by spamassassin. Most of these are
text-only  spams,  and  they don't  even get scored. If I copy the whole
message  to a text file on the server, and then run spamc < messagefile,
it   DOES  get  a score (bayes_99, actually the score is 7.0 or higher).
The  same  effect  when I run spamassassin and copy the whole message to
stdin  (score  is  pretty  much  the  same).  Also, I've noticed that in
amavisd's  reports  there  is  nothing  about  the bayes score, only the
standard spamassassin scores are listed.

Where  to  start looking?

thanks everyone
Gabor Sipos










Re: rulesdujour, lint, and whitelist_spf

2006-03-24 Thread Daryl C. W. O'Shea

Michael Monnerie wrote:
> On Friday, 24 March 2006 09:01 Daryl C. W. O'Shea wrote:
>> Is the SPF plugin enabled?  The syntax looks fine, but it can't be
>> parsed if the plugin isn't loaded.
>
> ARghl. I should not work late night... Thanks.
>
> As I use SPF on MTA level, I wanted to disable SPF. So I have to disable
> the SPF list from RDJ also, thank you.
>
> But I guess I'll let SPF on even in SA, as it can set points on soft SPF
> errors which could help.

As long as both your MTA's resolver and SpamAssassin's resolver are
using the same DNS cache, you'll get SPF results in SpamAssassin for
close to free.


Daryl



Re: rulesdujour, lint, and whitelist_spf

2006-03-24 Thread Michael Monnerie
On Friday, 24 March 2006 09:01 Daryl C. W. O'Shea wrote:
> Is the SPF plugin enabled?  The syntax looks fine, but it can't be
> parsed if the plugin isn't loaded.

ARghl. I should not work late night... Thanks.

As I use SPF on MTA level, I wanted to disable SPF. So I have to disable 
the SPF list from RDJ also, thank you.

But I guess I'll let SPF on even in SA, as it can set points on soft SPF 
errors which could help.

Regards, zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   "lynx -source http://zmi.at/zmi2.asc | gpg --import"
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




2nd mail server problem

2006-03-24 Thread Joshua, C.S. Chen
Hi folks,
I am using spamassassin 3.1.0 and it works well. Now in my institute, we
have 2 mx (mail servers) see its dns record

myinstitute.edu.tw. 300 IN MX 100 mail2.myinstitute.edu.tw.
myinstitute.edu.tw. 300 IN MX 2 mail1.myinstitute.edu.tw.



Now in most cases, spam goes to mail1 and got dropped. This is great.
But then the spam tries to go ahead for mail2, and I did not enable
mail2 for spamassassin (because it is mainly for redundancy, and not
powerful enough). This makes mail2 extremely busy to send reply to the
spammer of user unknown or other reporting messages.

My question is, if I don't want mail2 to run spamassassin, just for
relaying messages to mail1 (as its main purpose--redundancy), how can I
configure mail2 "NOT TO" reply the spammer for the undelivery?


Thanks in advance
Joshua C.S. Chen


Re: Uninstalling SA on OS-X

2006-03-24 Thread Patrick Sneyers

(This applies to OSX "client", not Server)
CPAN doesn't have an "uninstall". I use Webmin to install/remove  
modules.

Install Webmin http://www.webmin.com/osx.html
Remove SA in Webmin

In Terminal
Upgrade CPAN with
perl -MCPAN -e shell
install Bundle::CPAN

Then install (you can use webmin):
Test::Pod
File::Spec
Digest::SHA1
HTML::Parser
HTTP::Date
Time::HiRes
Net::DNS
Net::SMTP
MIME::Base64
IP::Country
IO::Socket::INET6
IO::Socket::SSL
LWP::UserAgent
IP::Country
Mail::SPF::Query
DBI
Net::Ident
IO::Zlib
Archive::Tar
LWP
Mail::SpamAssassin

note: some of these fail testing on OSX. If so, use "Make and  
install" instead of "Make, test and install" in WebMin.


Optional:
install Razor2
(requires manual install - not on cpan)
http://razor.sourceforge.net/



Patrick Sneyers

On 23 Mar 06, at 04:57, BMWrider wrote:

> OS-X 10.4.5
> SA 3.1.1
>
> I've got some problem with spamd loading that have got me puzzled.
> What I would like to do is uninstall SA and start fresh.
> Some of the post that I've read may indicate that there are modules
> that were not installed properly.
>
> Richard
>
> "The advantage of a bad memory is that one enjoys several times the
> same good things for the first time."
>
> Friedrich Nietzsche






Re: rulesdujour, lint, and whitelist_spf

2006-03-24 Thread Daryl C. W. O'Shea

Michael Monnerie wrote:
> Anybody else got this problem? Lots of warnings suddenly.
> Regards, zmi
>
> [31721] warn: config: failed to parse line, skipping:
>  whitelist_from_spf[EMAIL PROTECTED] [31721] warn: config:
>  failed to parse line, skipping: whitelist_from_spf

Is the SPF plugin enabled?  The syntax looks fine, but it can't be
parsed if the plugin isn't loaded.


Daryl