Re: Messages Not detected as Spam

2006-04-26 Thread Paul Wetter
Ok, I added what you said.  I think things may be back on the up and in 
operation.  Some spam however is still not detected, which brings me to my 
next question.


I have one other question about razor checks.  They do not appear to be 
working.  If I do a manual check (with the amavis user) it logs the message 
as a spam message in the razor-agent.log file.  Yet running the same thing 
through spamassassin does not show any razor checks picking it up and also 
it does not log anything in the razor-agent.log file either way.


In local.cf I have the following 3 lines related to razor:

loadplugin Mail::SpamAssassin::Plugin::Razor2
use_razor2 1
razor_config /pathtoconfig/.razor/razor-agent.conf

Am I missing something?  Is this correct?

From what I see my SpamAssassin install is not doing the razor checks.


Thanks in advance.
-Paul

- Original Message - 
From: Matt Kettler [EMAIL PROTECTED]

To: Paul Wetter [EMAIL PROTECTED]
Cc: Matt Kettler [EMAIL PROTECTED]; 
users@spamassassin.apache.org

Sent: Tuesday, April 25, 2006 2:14 PM
Subject: Re: Messages Not detected as Spam



Paul Wetter wrote:





To answer your questions:
1.  I ran spamassassin -t as root.
amavis runs as a different user.
I do have bayes_path in the local.cf file.  The line should read as
follows correct?
bayes_path /firstpartofpath/.spamassassin/bayes


Yes. If /firstpartofpath/ doesn't start with ~/ then you'll also need to add
bayes_file_mode 0777. Otherwise the bayes DB will change ownership when you run
sa-learn and may not be R/W to the amavis process.




2.  I have $sa_local_tests_only = 0 and I get other spam reports that
show several RCVD_IN_ checks that hit.
Also when I do sa-learn with the spam I use the path from above to learn
the spam.







Re: Advanced regex question - backtracking vs. negative lookaheads

2006-04-26 Thread Jeremy Fairbrass
Good point, you're completely right! Thanks for pointing that out... :)

Cheers,
Jeremy


John Rudd [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]

 On Apr 25, 2006, at 6:33 AM, Jeremy Fairbrass wrote:



 /style=[^]+color:blue/



 span style=color:blue; font-size:small; border:0px


 Just a small note, which may be mostly a digression but:

 I don't think the above regex will match that string at all.

 The regex, because it has a + instead of a *, requires at least one 
 character between the  and color:blue ... your string doesn't have that.


 





Re: Messages Not detected as Spam

2006-04-26 Thread Paul Wetter

Probably would also like this output, I think:

[EMAIL PROTECTED] ~]# spamassassin -D --lint 2>&1 | grep -i razor
[4398] dbg: diag: module installed: Razor2::Client::Agent, version 2.75
[4398] dbg: config: read file /usr/share/spamassassin/25_razor2.cf
[4398] dbg: plugin: fixed relative path: /usr/share/spamassassin/updates_spamassassin_org/25_razor2.cf
[4398] dbg: config: using /usr/share/spamassassin/updates_spamassassin_org/25_razor2.cf for included file
[4398] dbg: config: read file /usr/share/spamassassin/updates_spamassassin_org/25_razor2.cf
[4398] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[4398] dbg: razor2: razor2 is available, version 2.75
[4398] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x912f2c0)



Ok, I added what you said.  I think things may be back on the up and in 
operation.  Some spam however is still not detected, which brings me to my 
next question.


I have one other question about razor checks.  They do not appear to be 
working.  If I do a manual check (with the amavis user) it logs the 
message as a spam message in the razor-agent.log file.  Yet running the 
same thing through spamassassin does not show any razor checks picking it 
up and also it does not log anything in the razor-agent.log file either 
way.


In local.cf I have the following 3 lines related to razor:

loadplugin Mail::SpamAssassin::Plugin::Razor2
use_razor2 1
razor_config /pathtoconfig/.razor/razor-agent.conf

Am I missing something?  Is this correct?
From what I see my SpamAssassin install is not doing the razor checks.

Thanks in advance.
-Paul

- Original Message - 
From: Matt Kettler [EMAIL PROTECTED]

To: Paul Wetter [EMAIL PROTECTED]
Cc: Matt Kettler [EMAIL PROTECTED]; 
users@spamassassin.apache.org

Sent: Tuesday, April 25, 2006 2:14 PM
Subject: Re: Messages Not detected as Spam



Paul Wetter wrote:





To answer your questions:
1.  I ran spamassassin -t as root.
amavis runs as a different user.
I do have bayes_path in the local.cf file.  The line should read as
follows correct?
bayes_path /firstpartofpath/.spamassassin/bayes


Yes. If /firstpartofpath/ doesn't start with ~/ then you'll also need to add
bayes_file_mode 0777. Otherwise the bayes DB will change ownership when you run
sa-learn and may not be R/W to the amavis process.




2.  I have $sa_local_tests_only = 0 and I get other spam reports that
show several RCVD_IN_ checks that hit.
Also when I do sa-learn with the spam I use the path from above to learn
the spam.












Re: Messages Not detected as Spam

2006-04-26 Thread Jim Maul

Paul Wetter wrote:
Ok, I added what you said.  I think things may be back on the up and in 
operation.  Some spam however is still not detected, which brings me to 
my next question.


I have one other question about razor checks.  They do not appear to be 
working.  If I do a manual check (with the amavis user) it logs the 
message as a spam message in the razor-agent.log file.  Yet running the 
same thing through spamassassin does not show any razor checks picking 
it up and also it does not log anything in the razor-agent.log file 
either way.


In local.cf I have the following 3 lines related to razor:

loadplugin Mail::SpamAssassin::Plugin::Razor2
use_razor2 1
razor_config /pathtoconfig/.razor/razor-agent.conf

Am I missing something?  Is this correct?

From what I see my SpamAssassin install is not doing the razor checks.


Thanks in advance.
-Paul



Don't loadplugin statements go in init.pre, not local.cf?

I'm still on 2.64 so I could be completely wrong on this one...

-Jim


Re: Charity spam - is this a new kind of 419?

2006-04-26 Thread Jeff Chan
On Monday, April 24, 2006, 5:42:16 AM, Craig McLean wrote:
 Smells like 419 to me, given (among other things) the level of literacy
 displayed.  If you have no objections I'll drop the sender a line and
 see what the scam is...

Or better, ask savethechildren.org to comment:



[DOMAIN whois information for SAVETHECHILDREN.ORG ]
   Domain Name: SAVETHECHILDREN.ORG
   Namespace: ICANN Unsponsored Generic TLD - http://www.icann.org
   TLD Info: See IANA Whois - http://www.iana.org/root-whois/org.htm
   Registry: Public Interest Registry - http://www.pir.org
   Registrar: Network Solutions LLC - http://www.networksolutions.com
   Whois Server: whois.publicinterestregistry.net
   Name Server[whois+dns with ip] NS1.SAVETHECHILDREN.ORG 12.111.50.20
   Name Server[whois+dns with ip] NS2.SAVETHECHILDREN.ORG 204.13.30.3
   Updated Date: 19-Dec-2005 16:29:27 UTC
   Creation Date: 28-Dec-1995 05:00:00 UTC
   Expiration Date: 27-Dec-2010 05:00:00 UTC
   Status: CLIENT TRANSFER PROHIBITED
[whois.publicinterestregistry.net]
Domain ID: D3577760-LROR
Domain Name: SAVETHECHILDREN.ORG
Created On: 28-Dec-1995 05:00:00 UTC
Last Updated On: 19-Dec-2005 16:29:27 UTC
Expiration Date: 27-Dec-2010 05:00:00 UTC
Sponsoring Registrar: Network Solutions LLC (R63-LROR)
Status: CLIENT TRANSFER PROHIBITED
Registrant ID: 34052617-NSI
Registrant Name: Save the Children
Registrant Organization: Save the Children
Registrant Street1: 54 Wilton Road
Registrant Street2:
Registrant Street3:
Registrant City: Westport
Registrant State/Province: CT
Registrant Postal Code: 06880
Registrant Country: US
Registrant Phone: +1.2032214149
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: [EMAIL PROTECTED]
Admin ID: 25113985-NSI
Admin Name: Alesia Soltanpanah
Admin Organization: Alesia Soltanpanah
Admin Street1: 54 Wilton Road
Admin Street2:
Admin Street3:
Admin City: Wesport
Admin State/Province: CT
Admin Postal Code: 06880
Admin Country: US
Admin Phone: +1.99
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email: [EMAIL PROTECTED]
Tech ID: 5978870-NSI
Tech Name: NRG Networks, Inc.
Tech Organization: NRG Networks, Inc.
Tech Street1: 611 West Johnson Avenue
Tech Street2:
Tech Street3:
Tech City: Cheshire
Tech State/Province: CT
Tech Postal Code: 06410
Tech Country: US
Tech Phone: +1.2036991144
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email: [EMAIL PROTECTED]
Name Server: NS1.SAVETHECHILDREN.ORG
Name Server: NS2.SAVETHECHILDREN.ORG


Seems to be a real org.  Scammers are probably just borrowing
their name.

Note the original scam spam had:

  Reply-To: [EMAIL PROTECTED]

which is probably a bad guy drop box.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



scores

2006-04-26 Thread Pablo Allietti
Hi all, I recently installed SpamAssassin on FreeBSD but I can't find the
file that contains the scores. I need to change, for example, the NO_RDNS rule
to give 3.0, but I can't find the file.

 0.5 NO_RDNS            Sending MTA has no reverse DNS (Postfix variant)
 0.8 BR_REMOVER_QUOTE   BODY: Inclui texto para remover email (quote)
 0.1 TW_LB              BODY: Odd Letter Triples with LB
 0.6 J_CHICKENPOX_42    BODY: 4alpha-pock-2alpha
 0.6 J_CHICKENPOX_33    BODY: 3alpha-pock-3alpha
 0.6 J_CHICKENPOX_62    BODY: 6alpha-pock-2alpha
 2.0 BR_SPAMMER_URI     URI: Texto suspeito
 2.6 NO_DNS_FOR_FROM    DNS: Envelope sender has no MX or A DNS records
 0.5 MIME_BAD_LINEBREAK Message body with fishy line breaks
-1.6 AWL                AWL: From: address is in the auto white-list

-- 



RE: scores

2006-04-26 Thread Bowie Bailey
Pablo Allietti wrote:
 Hi all, I recently installed SpamAssassin on FreeBSD but I can't find
 the file that contains the scores. I need to change, for example, the
 NO_RDNS rule to give 3.0, but I can't find the file.
 
  0.5 NO_RDNS            Sending MTA has no reverse DNS (Postfix variant)
  0.8 BR_REMOVER_QUOTE   BODY: Inclui texto para remover email (quote)
  0.1 TW_LB              BODY: Odd Letter Triples with LB
  0.6 J_CHICKENPOX_42    BODY: 4alpha-pock-2alpha
  0.6 J_CHICKENPOX_33    BODY: 3alpha-pock-3alpha
  0.6 J_CHICKENPOX_62    BODY: 6alpha-pock-2alpha
  2.0 BR_SPAMMER_URI     URI: Texto suspeito
  2.6 NO_DNS_FOR_FROM    DNS: Envelope sender has no MX or A DNS records
  0.5 MIME_BAD_LINEBREAK Message body with fishy line breaks
 -1.6 AWL                AWL: From: address is in the auto white-list

The file that has scores for the default rules is
/usr/share/spamassassin/50_scores.cf.

However, you do not want to make changes to that file, because they
will be overwritten every time you upgrade.

Instead, put your changes in your local.cf file.  This file is read
after the default rule files and will override the default rule and
score definitions.

For your example, just add this line to your local.cf file:

score NO_RDNS 3.0

Also, you should always be careful when creating high-scoring rules.
Frequently, rules that sound like really good spam-sign turn out to
have lots of false positives in practice.  Since NO_RDNS has a default
score of just 0.5, I would suspect that this might be the case here as
well.  So if you make this change, be sure to keep a close eye out for
false positives.

-- 
Bowie


Re: Messages Not detected as Spam

2006-04-26 Thread Matt Kettler
Paul Wetter wrote:
 Ok, I added what you said.  I think things may be back on the up and in
 operation.  Some spam however is still not detected, which brings me to
 my next question.
 
 I have one other question about razor checks.  They do not appear to be
 working.  If I do a manual check (with the amavis user) it logs the
 message as a spam message in the razor-agent.log file.  Yet running the
 same thing through spamassassin does not show any razor checks picking
 it up and also it does not log anything in the razor-agent.log file
 either way.
 
 In local.cf I have the following 3 lines related to razor:
 
 loadplugin Mail::SpamAssassin::Plugin::Razor2

DO NOT put ANY loadplugin statements in your local.cf, or any other .cf file for
that matter, unless you intentionally want to suppress any rules that go with
the plugin. loadplugin statements belong in .pre files. In this case, edit
v310.pre and uncomment the existing line for this.

This is VERY important, as .pre files get parsed before the default rules, but
.cf files are parsed after them. If the plugin is not present when the default
rules are parsed, the razor rules will be omitted.
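
The placement problem described in this reply can be checked mechanically. The following Python sketch is an added example, not part of the original post or of SpamAssassin: it scans configuration text for active loadplugin lines in .cf files and for plugins that are only present as commented-out lines in .pre files. The file contents are constructed samples and the name audit_loadplugin is hypothetical.

```python
import re

# Matches "loadplugin <Module>", with an optional leading "#" (commented out).
LOADPLUGIN = re.compile(r"^\s*(#+\s*)?loadplugin\s+(\S+)")

# Constructed sample files (not copied from a real installation).
SAMPLE_FILES = {
    "v310.pre": (
        "# Razor2 - perform Razor2 message checks.\n"
        "#loadplugin Mail::SpamAssassin::Plugin::Razor2\n"
        "loadplugin Mail::SpamAssassin::Plugin::Pyzor\n"
    ),
    "local.cf": (
        "loadplugin Mail::SpamAssassin::Plugin::Razor2\n"
        "use_razor2 1\n"
        "razor_config /pathtoconfig/.razor/razor-agent.conf\n"
    ),
}


def audit_loadplugin(files):
    """Return a list of (file, line_no, plugin, problem) tuples.

    files maps a file name to its text. Two problems are reported:
      "in-cf"            an active loadplugin line sits in a .cf file, which is
                         parsed after the default rules
      "commented-in-pre" the plugin appears in a .pre file only as a
                         commented-out line, so it is never loaded early
    """
    findings = []
    active_in_pre = set()
    commented_in_pre = {}
    for name, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            match = LOADPLUGIN.match(line)
            if not match:
                continue
            commented = match.group(1) is not None
            plugin = match.group(2)
            if name.endswith(".cf") and not commented:
                findings.append((name, line_no, plugin, "in-cf"))
            elif name.endswith(".pre") and commented:
                commented_in_pre.setdefault(plugin, (name, line_no))
            elif name.endswith(".pre"):
                active_in_pre.add(plugin)
    # A commented-out line only matters if no .pre file loads the plugin.
    for plugin, (name, line_no) in commented_in_pre.items():
        if plugin not in active_in_pre:
            findings.append((name, line_no, plugin, "commented-in-pre"))
    return findings


if __name__ == "__main__":
    for finding in audit_loadplugin(SAMPLE_FILES):
        print("%s:%d: %s (%s)" % finding)
```
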


Domain Keys

2006-04-26 Thread Jeferson Pessoa Santana

Hello List,

It's me again with another doubt =P I'm stuck in this Domain Keys thing 
because I don't know how to create a public and a private key for my 
server. I already read the http://antispam.yahoo.com/domainkeys to 
understand how Domain Keys work but I can't go on with only this argument.


Thanks again,

Jeff


Re: Domain Keys

2006-04-26 Thread Matt Kettler
Jeferson Pessoa Santana wrote:
 Hello List,
 
 It's me again with another doubt =P I'm stuck in this Domain Keys thing
 because I don't know how to create a public and a private key for my
 server. I already read the http://antispam.yahoo.com/domainkeys to
 understand how Domain Keys work but I can't go on with only this argument.
 
 Thanks again,

You can use the openssl tools to generate a key pair. It's just an ordinary RSA
key.
You can find out how to generate a key with openssl at:

http://domainkeys.sourceforge.net/keygen.html

Note: They have a link to a CPAN utility set to make this easier, however, I
don't see how that file can help you at all.

1) For some stupid reason they've decided to call their tarball
CPAN-0.2.tar.gz. This might imply it contains the perl CPAN tools.. It
doesn't. The contents aren't even CPAN compatible yet, but they are perl tools
that they intend to make CPAN compatible.

2) They claim there are command-line tools in there, but I've only been able to
find perl libraries.


SA script to get bayes score

2006-04-26 Thread Ramprasad
I want to run just the bayes test on several files and get bayes scores.
I tried writing my own script using Mail::SpamAssassin but that seems
to not give any score at all.
Is there any ready script available?

Or can I get any pointers?

Thanks
Ram





Re: Spam that is nothing but one large image

2006-04-26 Thread Matt
Unfortunately this is what I may be forced to do.  I hate to let one
item give a high score, but when the message is nothing but an
IMAGE... no HTML... no link... and the blacklists have not yet picked
it up.. and Pyzor doesn't see it yet... what else can you do?

On 4/22/06, John D. Hardin [EMAIL PROTECTED] wrote:
 On Fri, 21 Apr 2006, Matt wrote:

  We have received a large quantity of spam that is nothing but a large
  image.  Spamassassin is tagging it a little because it is an image,
  and only an image, however I'm wondering how other people are
  handling this type of spam?  I don't want to score mail that is
  just an image with a very high score, since that could render a legit
  mail with a picture in it or something as spam.  Any thoughts?

 Many of them are HTML-only (no plain-text parts). I give HTML-only +
 image-only a high score.

 --
  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
  [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ---
  Senator, when you took your oath of office, you placed your hand on
  the Bible and swore to uphold the Constitution. You didn't place your
  hand on the Constitution and swear to uphold the Bible.
 -- Jamie Raskin, Professor of Law at American
 University, testifying before the Maryland Senate
 ---




RE: scores

2006-04-26 Thread Bowie Bailey
Pablo Allietti wrote:
 On Wed, Apr 26, 2006 at 10:20:22AM -0400, Bowie Bailey wrote:
  
  The file that has scores for the default rules is
  /usr/share/spamassassin/50_scores.cf.
  
  However, you do not want to make changes to that file, because they
  will be overwritten every time you upgrade.
  
  Instead, put your changes in your local.cf file.  This file is read
  after the default rule files and will override the default rule and
  score definitions. 
  
 
 ok perfect. when i modify the local.cf i need to restart spamassassin?

Depends on how you are calling SA.

If you are using spamc/spamd, you will need to restart spamd.
If you are using Amavisd-new, you will need to restart Amavisd-new.

If you are calling spamassassin directly, you don't need to do
anything as it reads the rules and scores every time it is called
(which is why it is usually better to run spamc/spamd).

-- 
Bowie


Spam coming thru w/high score different SA version

2006-04-26 Thread Tracey Gates



I got this email with a high score of 101.6 and the version as 3.0.2. I have my
score limit set to 3.5 in my local.cf file. Why wasn't this detected as spam?

Also when I run spamassassin -v on my server I get the version as 3.1.1 but the
email header has 3.0.2 as the version? Did I miss something in my upgrade last
week?

I'm running on a RedHat ES 3.0 using CommuniGatePro and CGPSA. The CGPSA.conf
file points to the correct directories for my SA installation. Any suggestions
would be a great help.

HEADER OF PROBLEM EMAIL:

Return-Path: [EMAIL PROTECTED]
Received: by mydomain.com (CommuniGate Pro PIPE 4.3.8) with PIPE id 3130662;
  Wed, 26 Apr 2006 13:38:30 -0500
Received: from [88.0.181.15] (HELO dpra.com) by mydomain.com (CommuniGate Pro SMTP 4.3.8)
  with SMTP id 3130660 for tgates@mydomain.com; Wed, 26 Apr 2006 13:38:24 -0500
Received-SPF: none receiver=yoursummit.com; client-ip=88.0.181.15; [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Reply-To: "Ezra Defeo" [EMAIL PROTECTED]
From: "Ezra Defeo" [EMAIL PROTECTED]
To: tgates@mydomain.com
Subject: Re: good AMBvtEN
Date: Wed, 26 Apr 2006 11:38:03 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="=_NextPart_000_0001_01C66925.E0D8AA40"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on mydomain.com
X-Spam-Level:
X-Spam-Status: No, score=-101.6 required=3.5
  tests=BAYES_00,FM_NO_STYLE,HTML_80_90,HTML_MESSAGE,USER_IN_WHITELIST
  autolearn=no version=3.0.2
X-TFF-CGPSA-Version: 1.4
X-TFF-CGPSA-Filter: Scanned

Tracey Gates
Lead Developer
[EMAIL PROTECTED]
1350 South Boulder, Third Floor / Tulsa, OK 74119-3203
Phone 918-663-0991 / Fax 918-663-0840
This communication is intended only for the recipient(s) named above; may be
confidential and/or legally privileged; and, must be treated as such in
accordance with state and federal laws. If you are not the intended recipient,
you are hereby notified that any use of this communication, or any of its
contents, is prohibited. If you have received this communication in error,
please reply to the sender and then delete the message from your computer system
immediately.




Spam coming thru w/high score different SA version

2006-04-26 Thread Tracey Gates



I got this email with a high score of 101.6 and the version as 3.0.2. I have my
score limit set to 3.5 in my local.cf file. Why wasn't this detected as spam?

Also when I run spamassassin -v on my server I get the version as 3.1.1 but the
email header has 3.0.2 as the version? Did I miss something in my upgrade last
week?

HEADER OF PROBLEM EMAIL:

Return-Path: [EMAIL PROTECTED]
Received: by yoursummit.com (CommuniGate Pro PIPE 4.3.8) with PIPE id 3130662;
  Wed, 26 Apr 2006 13:38:30 -0500
Received: from [88.0.181.15] (HELO dpra.com) by yoursummit.com (CommuniGate Pro SMTP 4.3.8)
  with SMTP id 3130660 for [EMAIL PROTECTED]; Wed, 26 Apr 2006 13:38:24 -0500
Received-SPF: none receiver=yoursummit.com; client-ip=88.0.181.15; [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
Reply-To: "Ezra Defeo" [EMAIL PROTECTED]
From: "Ezra Defeo" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: good AMBvtEN
Date: Wed, 26 Apr 2006 11:38:03 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="=_NextPart_000_0001_01C66925.E0D8AA40"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on yoursummit.com
X-Spam-Level:
X-Spam-Status: No, score=-101.6 required=3.5
  tests=BAYES_00,FM_NO_STYLE,HTML_80_90,HTML_MESSAGE,USER_IN_WHITELIST
  autolearn=no version=3.0.2
X-TFF-CGPSA-Version: 1.4
X-TFF-CGPSA-Filter: Scanned

Tracey Gates
Lead Developer
[EMAIL PROTECTED]
1350 South Boulder, Third Floor / Tulsa, OK 74119-3203
Phone 918-663-0991 / Fax 918-663-0840
This communication is intended only for the recipient(s) named above; may be
confidential and/or legally privileged; and, must be treated as such in
accordance with state and federal laws. If you are not the intended recipient,
you are hereby notified that any use of this communication, or any of its
contents, is prohibited. If you have received this communication in error,
please reply to the sender and then delete the message from your computer system
immediately.




Re: Spam coming thru w/high score different SA version

2006-04-26 Thread Dale Morin
 I got this email with a high score of 101.6 and the version as 3.0.2.  I
 have my score limit set to 3.5 in my local.cf file.  Why wasn't this
 detected as spam?

 HEADER OF PROBLEM EMAIL:

 X-Spam-Status: No, score=-101.6 required=3.5 tests=BAYES_00,FM_NO_STYLE,
  HTML_80_90,HTML_MESSAGE,USER_IN_WHITELIST autolearn=no version=3.0.2

Sorry, Tracey, the score is a MINUS 101.6.  The USER_IN_WHITELIST probably
subtracted 100 from the score.


-- 
Dale Morin, Mustang Internet Services, Inc.
Support Without Compromise
email: [EMAIL PROTECTED]
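
As an added illustration (not part of Dale's message or of SpamAssassin itself), this Python snippet parses the X-Spam-Status value quoted in the thread and shows how much of the score a whitelist hit accounts for. The -100 weight for USER_IN_WHITELIST is an assumption taken from Dale's estimate, and the function names are hypothetical.

```python
import re

# Assumed weight of a whitelist hit; Dale's reply estimates about -100.
# A site can override rule scores in local.cf, so this is an assumption.
ASSUMED_WHITELIST_SCORE = -100.0
WHITELIST_TESTS = {"USER_IN_WHITELIST"}

# X-Spam-Status value as quoted in the thread (folded over two lines).
SAMPLE_STATUS = (
    "No, score=-101.6 required=3.5 tests=BAYES_00,FM_NO_STYLE,\n"
    " HTML_80_90,HTML_MESSAGE,USER_IN_WHITELIST autolearn=no version=3.0.2"
)


def parse_spam_status(value):
    """Split an X-Spam-Status header value into verdict, numbers and tests."""
    # Undo header folding by collapsing every run of whitespace to one space.
    flat = re.sub(r"\s+", " ", value.strip())
    verdict = flat.split(",", 1)[0].strip()
    fields = {}
    # key=value pairs; a value runs until the next " key=" or the end.
    for match in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", flat):
        fields[match.group(1)] = match.group(2).strip()
    # SpamAssassin 2.x wrote "hits=" where 3.x writes "score=".
    score = fields.get("score", fields.get("hits"))
    if score is None or "required" not in fields:
        raise ValueError("not an X-Spam-Status value: %r" % value)
    tests = [t.strip() for t in fields.get("tests", "").split(",")]
    tests = [t for t in tests if t and t != "none"]
    return {
        "verdict": verdict,
        "score": float(score),
        "required": float(fields["required"]),
        "tests": tests,
        "version": fields.get("version"),
    }


def explain_verdict(value):
    """Add the spam decision and the effect of whitelist hits to the parse."""
    status = parse_spam_status(value)
    hits = sorted(WHITELIST_TESTS & set(status["tests"]))
    # Remove the assumed whitelist weight to see what the other rules scored.
    adjusted = round(status["score"] - ASSUMED_WHITELIST_SCORE * len(hits), 1)
    status.update(
        is_spam=status["score"] >= status["required"],
        whitelist_hits=hits,
        score_without_whitelist=adjusted,
        spam_without_whitelist=adjusted >= status["required"],
    )
    return status


if __name__ == "__main__":
    result = explain_verdict(SAMPLE_STATUS)
    for key in ("score", "required", "is_spam", "whitelist_hits",
                "score_without_whitelist", "spam_without_whitelist"):
        print(key, "=", result[key])
```

Under the assumed weight, the remaining rules leave this message below the 3.5 threshold, so it would have been delivered even without the whitelist entry.
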



Re: scores

2006-04-26 Thread Pablo Allietti
On Wed, Apr 26, 2006 at 10:20:22AM -0400, Bowie Bailey wrote:
 Pablo Allietti wrote:
  Hi all, I recently installed SpamAssassin on FreeBSD but I can't find
  the file that contains the scores. I need to change, for example, the
  NO_RDNS rule to give 3.0, but I can't find the file.
  
   0.5 NO_RDNS            Sending MTA has no reverse DNS (Postfix variant)
   0.8 BR_REMOVER_QUOTE   BODY: Inclui texto para remover email (quote)
   0.1 TW_LB              BODY: Odd Letter Triples with LB
   0.6 J_CHICKENPOX_42    BODY: 4alpha-pock-2alpha
   0.6 J_CHICKENPOX_33    BODY: 3alpha-pock-3alpha
   0.6 J_CHICKENPOX_62    BODY: 6alpha-pock-2alpha
   2.0 BR_SPAMMER_URI     URI: Texto suspeito
   2.6 NO_DNS_FOR_FROM    DNS: Envelope sender has no MX or A DNS records
   0.5 MIME_BAD_LINEBREAK Message body with fishy line breaks
  -1.6 AWL                AWL: From: address is in the auto white-list
 
 The file that has scores for the default rules is
 /usr/share/spamassassin/50_scores.cf.
 
 However, you do not want to make changes to that file, because they
 will be overwritten every time you upgrade.

ok and i need to restart spamass after modify the local.cf?

 
 Instead, put your changes in your local.cf file.  This file is read
 after the default rule files and will override the default rule and
 score definitions.
 
 for your example, just add this line to your local.cf file:
 
 score NO_RDNS 3.0
 
 Also, you should always be careful when creating high-scoring rules.
 Frequently, rules that sound like really good spam-sign turn out to
 have lots of false positives in practice.  Since NO_RDNS has a default
 score of just 0.5, I would suspect that this might be the case here as
 well.  So if you make this change, be sure to keep a close eye out for
 false positives.
 
 -- 
 Bowie
---end quoted text---

-- 


.-
Pablo Allietti
E-mail: [EMAIL PROTECTED] | LACNIC  

  
Phone : +598 2 604   | http://LACNIC.NET


RE: Spam coming thru w/high score different SA version

2006-04-26 Thread Tracey Gates
DOH!   Thanks Dale for pointing that out.  Of course I didn't see the
negative sign.



Tracey Gates
Lead Developer
[EMAIL PROTECTED]

1350 South Boulder, Third Floor / Tulsa, OK 74119-3203
Phone 918-663-0991 / Fax 918-663-0840

This communication is intended only for the recipient(s) named above;
may be confidential and/or legally privileged; and, must be treated as
such in accordance with state and federal laws. If you are not the
intended recipient, you are hereby notified that any use of this
communication, or any of its contents, is prohibited. If you have
received this communication in error, please reply to the sender and
then delete the message from your computer system immediately.



-Original Message-
From: Dale Morin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:31 PM
To: Tracey Gates
Cc: users@spamassassin.apache.org
Subject: Re: Spam coming thru w/high score  different SA version


 I got this email with a high score of 101.6 and the version as 3.0.2.

 I have my score limit set to 3.5 in my local.cf file.  Why wasn't this

 detected as spam?

 HEADER OF PROBLEM EMAIL:

 X-Spam-Status: No, score=-101.6 required=3.5
 tests=BAYES_00,FM_NO_STYLE,  HTML_80_90,HTML_MESSAGE,USER_IN_WHITELIST

 autolearn=no version=3.0.2

Sorry, Tracey, the score is a MINUS 101.6.  The USER_IN_WHITELIST
probably subtracted 100 from the score.


--
Dale Morin, Mustang Internet Services, Inc.
Support Without Compromise
email: [EMAIL PROTECTED]






RE: scores

2006-04-26 Thread Bowie Bailey
Pablo Allietti wrote:
 
 ok and i need to restart spamass after modify the local.cf?

Yes.

-- 
Bowie


RE: Spam coming thru w/high score different SA version

2006-04-26 Thread Tracey Gates
OK.  Now I understand the high (actually negative) score but what about
the version difference?  Anyone have any idea about that issue?



Tracey Gates
Lead Developer
[EMAIL PROTECTED]

1350 South Boulder, Third Floor / Tulsa, OK 74119-3203
Phone 918-663-0991 / Fax 918-663-0840

This communication is intended only for the recipient(s) named above;
may be confidential and/or legally privileged; and, must be treated as
such in accordance with state and federal laws. If you are not the
intended recipient, you are hereby notified that any use of this
communication, or any of its contents, is prohibited. If you have
received this communication in error, please reply to the sender and
then delete the message from your computer system immediately.



-Original Message-
From: Dale Morin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:31 PM
To: Tracey Gates
Cc: users@spamassassin.apache.org
Subject: Re: Spam coming thru w/high score  different SA version


 I got this email with a high score of 101.6 and the version as 3.0.2.

 I have my score limit set to 3.5 in my local.cf file.  Why wasn't this

 detected as spam?

 HEADER OF PROBLEM EMAIL:

 X-Spam-Status: No, score=-101.6 required=3.5
 tests=BAYES_00,FM_NO_STYLE,  HTML_80_90,HTML_MESSAGE,USER_IN_WHITELIST

 autolearn=no version=3.0.2

Sorry, Tracey, the score is a MINUS 101.6.  The USER_IN_WHITELIST
probably subtracted 100 from the score.


--
Dale Morin, Mustang Internet Services, Inc.
Support Without Compromise
email: [EMAIL PROTECTED]






RE: Virtual user config and auto-whitelist

2006-04-26 Thread Rosenbaum, Larry M.


 From: Bart Schaefer [mailto:[EMAIL PROTECTED]
 ...
 (Someone remind me why the spamd option to disable the auto-whitelist
 was dropped? I could instead chmod 0 the auto-whitelist file, I
 suppose, but then the maillog is cluttered with extra warning output,
 and it's still not scalable.)

It hasn't been dropped; they just moved the documentation into
Plugin/AWL.pm.


Re: Spam coming thru w/high score different SA version

2006-04-26 Thread Matt Kettler
Tracey Gates wrote:
 OK.  Now I understand the high (actually negative) score but what about
 the version difference?  Anyone have any idea about that issue?

Possible double-install. One in /usr/ and one in /usr/local?


Re: Virtual user config and auto-whitelist

2006-04-26 Thread Bart Schaefer
On 4/26/06, Rosenbaum, Larry M. [EMAIL PROTECTED] wrote:

  From: Bart Schaefer [mailto:[EMAIL PROTECTED]
  ...
  (Someone remind me why the spamd option to disable the auto-whitelist
  was dropped?)

 It hasn't been dropped; they just moved the documentation into
 Plugin/AWL.pm.

Ah, right, duh.  So the answer to my question is that the -a option
was dropped because it doesn't make sense to have an option to
en/disable a plugin.


Re: scores

2006-04-26 Thread Michael Monnerie
On Wednesday, 26 April 2006 16:09 Pablo Allietti wrote:
  i need to change for example  NO_RDNS rule to
 give 3.0

Don't do that, it's not required for a mail server to have an RDNS. At 
least, it used to be the last time I looked into the RFCs.

Regards, zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:   lynx -source http://zmi.at/zmi3.asc | gpg --import
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




Rule to select sender starting with string

2006-04-26 Thread Al Danks
We are getting a lot of spam where the sender domain name changes, but the
sender always starts with a specific string.

We've only done a little bit of custom rule writing. How do we do a rule to get
the sender starting with a specific string?

Thanks, Al



Re: Rule to select sender starting with string

2006-04-26 Thread Mike Jackson

We are getting a lot of spam where the sender domain name changes, but the
sender always starts with a specific string.

We've only done a little bit of custom rule writing. How do we do a rule to get
the sender starting with a specific string?


You could probably just do something like this:

blacklist_from [EMAIL PROTECTED] 



RE: Spam that is nothing but one large image

2006-04-26 Thread Gaute Lund
 -Original Message-
 From: Matt [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, April 26, 2006 8:51 PM

 Unfortunately this is what I may be forced to do.  I hate to 
 let one item give a high score, but when the message is 
 nothing but an IMAGE... no HTML... no link... and the 
 blacklists have not yet picked it up.. and Pyzor doesn't see 
 it yet... what else can you do?
 
 On 4/22/06, John D. Hardin [EMAIL PROTECTED] wrote:
  Many of them are HTML-only (no plain-text parts). I give 
 HTML-only + 
  image-only a high score.

Matt/John: Does this mean you have a simple way to specify rule A is 1.0, rule B
is 1.0, but if A+B matches, give it 4.0?

If so, how?

Med vennleg helsing / Best regards
Gaute Lund
IT consultant
iDrift AS
Phone: (+47) 53 47 22 00
Fax: (+47) 53 47 22 01
Mobile: (+47) 97 00 82 00
 



Re: Rule to select sender starting with string

2006-04-26 Thread Matt Kettler
Al Danks wrote:
 We are getting a lot of spam where the sender domain name changes, but the
 sender always starts with a specific string.
 
 We've only done a little bit of custom rule writing. How do we do a rule to get
 the sender starting with a specific string?

Try a rule something like this:

header L_FROM_STRING From =~ /$string/





Re: Spam that is nothing but one large image

2006-04-26 Thread Matt Kettler
Gaute Lund wrote:
 -Original Message-
 From: Matt [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, April 26, 2006 8:51 PM

 Unfortunately this is what I may be forced to do.  I hate to 
 let one item give a high score, but when the message is 
 nothing but an IMAGE... no HTML... no link... and the 
 blacklists have not yet picked it up.. and Pyzor doesn't see 
 it yet... what else can you do?

 On 4/22/06, John D. Hardin [EMAIL PROTECTED] wrote:
 Many of them are HTML-only (no plain-text parts). I give 
 HTML-only + 
 image-only a high score.
 
 Matt/John: Does this mean you have a simple way to specify rule A is 1.0, rule B
 is 1.0, but if A+B matches, give it 4.0?

Create rule A, and score it 1.0, Create rule B, and score it 1.0

meta L_A_AND_B  (A && B)
score L_A_AND_B 2.0

if both A and B match, it will total 4.0 (1.0 + 1.0 + 2.0)


Re: Spam that is nothing but one large image

2006-04-26 Thread Andrzej Adam Filip
Matt [EMAIL PROTECTED] writes:

 Hi,
 We have received a large quantity of spam that is nothing but a large
 image.  Spamassassin is tagging it a little because it is an image,
 and only an image, however I'm wondering how other people are
 handling this type of spam?  I don't want to score mail that is
 just an image with a very high score, since that could render a legit
 mail with a picture in it or something as spam.  Any thoughts?

I receive a lot of stock spam.
It consists of a little bit of cloaking html and all content is
contained in attached image.

-- 
[pl2en Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
http://anfi.homeunix.net/


Re: Spam that is nothing but one large image

2006-04-26 Thread Matt Kettler
Andrzej Adam Filip wrote:
 Matt [EMAIL PROTECTED] writes:
 
 Hi,
 We have received a large quantity of spam that is nothing but a large
 image.  Spamassassin is tagging it a little because it is an image,
 and only an image, however I'm wondering how other people are
 handling this type of spam?  I don't want to score mail that is
 just an image with a very high score, since that could render a legit
 mail with a picture in it or something as spam.  Any thoughts?
 
 I receive a lot of stock spam.
 It consists of a little bit of cloaking html and all content is
 contained in attached image.

The SARE stocks ruleset covers this. It has rules specific to this kind of
image spam

www.rulesemporium.com





Re: Rule to select sender starting with string

2006-04-26 Thread Matt Kettler
Al Danks wrote:
 Matt Kettler mkettler at evi-inc.com writes:

  
   
 Try a rule something like this:

 header L_FROM_STRING From =~ /$string/


 

 It appears that the rule is also hitting senders with the string following a .

 I.e. From =~ /$com/ hits 

 comalksdfl.net

 aksafjdla.com
   

Interesting.. that shouldn't happen with the $ there.. I'll have to test
that, unless Theo or one of the other devs can offer an explanation as
to why..



Re: scores

2006-04-26 Thread jdow

From: Pablo Allietti [EMAIL PROTECTED]


hi all i recently install spamassassin in freebsd but i can't find the
file that contain the scores i need to change for example  NO_RDNS rule to
give 3.0 but i can't find the file

 0.5 NO_RDNS            Sending MTA has no reverse DNS (Postfix variant)
 0.8 BR_REMOVER_QUOTE   BODY: Inclui texto para remover email (quote)
 0.1 TW_LB              BODY: Odd Letter Triples with LB
 0.6 J_CHICKENPOX_42    BODY: 4alpha-pock-2alpha
 0.6 J_CHICKENPOX_33    BODY: 3alpha-pock-3alpha
 0.6 J_CHICKENPOX_62    BODY: 6alpha-pock-2alpha
 2.0 BR_SPAMMER_URI     URI: Texto suspeito
 2.6 NO_DNS_FOR_FROM    DNS: Envelope sender has no MX or A DNS records
 0.5 MIME_BAD_LINEBREAK Message body with fishy line breaks
-1.6 AWL                AWL: From: address is in the auto white-list



If you want to override rules then there are two correct things you
can do and a whole lot of incorrect ways. It sounds like you are
hunting for an incorrect way. I can't help with that and keep my
conscience from bugging me. The two correct ways are correct for
different circumstances.

The first is to make a change in the global behavior not just a
specific user's behavior. Make a new rule set and name the file
something like ZZ_FinalThoughts.cf. Put your score overrides
in that file: score NO_DNS_FOR_FROM 3.0. Then place that file
in the /etc/mail/spamassassin (usually.) (Look for a similar
directory in the /etc directory that contains local.cf.) I
picked the name so that it will ALWAYS override EVERY other
likely configuration file.

If you have allowed individual user preferences then each user
can add that line from above to their ~/user_prefs file. That
will override even the ZZ_FinalThoughts.cf file.

Do NOT change the scores in the default spamassassin directory.
Any edits there are overwritten even for the smallest of updates.
.cf files in /etc/mail/spamassassin are left alone as a general
rule. They may be obsoleted and ignored, though. Note that the
J_CHICKENPOX_xx rules are overwritten every time the chickenpox
rule set is updated. So making changes in that file will also
result in their being updated away. That is why a final score
override configuration file is best. (And even THAT may not be
completely idiot proof. No matter how idiot proof we make software
God will produce better idiots.)

{^_^}


Re: scores

2006-04-26 Thread jdow

From: Bowie Bailey [EMAIL PROTECTED]


Pablo Allietti wrote:

hi all i recently install spamassassin in freebsd but i can't find
the file that contain the scores i need to change for example
NO_RDNS rule to give 3.0 but i can't find the file

 0.5 NO_RDNS            Sending MTA has no reverse DNS (Postfix variant)
 0.8 BR_REMOVER_QUOTE   BODY: Inclui texto para remover email (quote)
 0.1 TW_LB              BODY: Odd Letter Triples with LB
 0.6 J_CHICKENPOX_42    BODY: 4alpha-pock-2alpha
 0.6 J_CHICKENPOX_33    BODY: 3alpha-pock-3alpha
 0.6 J_CHICKENPOX_62    BODY: 6alpha-pock-2alpha
 2.0 BR_SPAMMER_URI     URI: Texto suspeito
 2.6 NO_DNS_FOR_FROM    DNS: Envelope sender has no MX or A DNS records
 0.5 MIME_BAD_LINEBREAK Message body with fishy line breaks
-1.6 AWL                AWL: From: address is in the auto white-list


The file that has scores for the default rules is
/usr/share/spamassassin/50_scores.cf.

However, you do not want to make changes to that file, because they
will be overwritten every time you upgrade.

Instead, put your changes in your local.cf file.  This file is read
after the default rule files and will override the default rule and
score definitions.

for your example, just add this line to your local.cf file:

   score NO_RDNS 3.0

Also, you should always be careful when creating high-scoring rules.
Frequently, rules that sound like really good spam-sign turn out to
have lots of false positives in practice.  Since NO_RDNS has a default
score of just 0.5, I would suspect that this might be the case here as
well.  So if you make this change, be sure to keep a close eye out for
false positives.


Actually for that specific rule the 3.05 rules give something like:
score NO_DNS_FOR_FROM 0 1.1 0 1.6

That suggests it's a useless rule in some circumstances. A blanket 3.0
may not be at all a good idea. It also hints he has doctored the rule
sets already and should remember where it was doctored the last time.
(Of course, the scores all morph with updates so perhaps he has not made
any changes to some other version's install.)

{^_-}
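
Added example, not part of the thread: a small Python model of the two points made in the replies above, that the last "score" line read wins (default rules, then the site directory, then user preferences) and that a four-value score line has one column per score set (neither, network only, Bayes only, Bayes plus network). The file contents are constructed from the values quoted in the thread; the function names are hypothetical.

```python
# Constructed sample: (path, contents) pairs listed in the order they are read.
# The two site files set different rules, so their relative order is irrelevant.
CONFIG_FILES = [
    ("/usr/share/spamassassin/50_scores.cf",          # defaults (constructed values)
     "score NO_RDNS 0.5\nscore NO_DNS_FOR_FROM 0 1.1 0 1.6\n"),
    ("/etc/mail/spamassassin/local.cf", "score NO_RDNS 3.0  # site override\n"),
    ("/etc/mail/spamassassin/ZZ_FinalThoughts.cf", "score NO_DNS_FOR_FROM 3.0\n"),
    ("user_prefs", "score NO_DNS_FOR_FROM 2.0\n"),     # per-user file, read last
]

def scoreset(bayes, network):
    """Column of a four-value score line: 0 = neither, 1 = network only,
    2 = Bayes only, 3 = Bayes and network tests."""
    return (2 if bayes else 0) + (1 if network else 0)

def parse_score(line):
    """Return (rule, [four scores]) for a 'score' line, or None for anything else."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3 or fields[0] != "score":
        return None
    try:
        values = [float(v) for v in fields[2:]]
    except ValueError:
        return None
    if len(values) == 1:
        values = values * 4        # a single value applies to all four score sets
    return (fields[1], values) if len(values) == 4 else None

def effective_score(rule, files, bayes=True, network=True):
    """Walk the files in read order; the last 'score' line for the rule wins.
    Returns (score, path of the file that set it), or None if never scored."""
    result = None
    for path, text in files:
        for line in text.splitlines():
            parsed = parse_score(line)
            if parsed and parsed[0] == rule:
                result = (parsed[1][scoreset(bayes, network)], path)
    return result

if __name__ == "__main__":
    for rule in ("NO_RDNS", "NO_DNS_FOR_FROM"):
        print(rule, effective_score(rule, CONFIG_FILES))
    # Stock file alone, Bayes on but network tests off: the rule scores 0.0.
    print(effective_score("NO_DNS_FOR_FROM", CONFIG_FILES[:1], network=False))
```

A single-value override such as "score NO_DNS_FOR_FROM 3.0" replaces all four columns, including the ones the stock line sets to 0, which is the risk raised in the reply above.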


bayes stuck at nspam 2165

2006-04-26 Thread Marc Dufresne
I am using Freebsd 5.4 with Mailscanner-4.52.2-1. I have always encountered 
this when bayes approaches nspam of around 2500. It just locks.

I have had this problem on numerous occasions. My bayes database will not 
learn any more than 2165 nspam. It seems to be stuck there. My tokens increase, 
but nspam doesn't.

If I try and feed it more spam by executing 

sa-learn --no-sync --spam --mbox /var/spool/spam

It just hangs.

I can't even run sa-learn --force-expire or sa-learn --sync

It just hangs forever.

Help would be appreciated.





Marc Dufresne, Corporate IT Officer
St. Lawrence Parks Commission
13740 County Road 2
Morrisburg, ON  K0C 1X0

E-mail: [EMAIL PROTECTED]
Voice: 613-543-3704  Ext#2455
Fax: 613-543-2847
Corporate website: www.parks.on.ca




Re: Messages Not detected as Spam

2006-04-26 Thread Paul Wetter

Paul Wetter wrote:

Ok, I added what you said.  I think things may be back on the up and in
operation.  Some spam however is still not detected, which brings me to
my next question.

I have one other question about razor checks.  They do not appear to be
working.  If I do a manual check (with the amavis user) it logs the
message as a spam message in the razor-agent.log file.  Yet running the
same thing through spamassassin does not show any razor checks picking
it up and also it does not log anything in the razor-agent.log file
either way.

In local.cf I have the following 3 lines related to razor:

loadplugin Mail::SpamAssassin::Plugin::Razor2


DO NOT put ANY loadplugin statements in your local.cf, or any other .cf file for
that matter, unless you intentionally want to suppress any rules that go with
the plugin. loadplugin statements belong in .pre files. In this case, edit
v310.pre and uncomment the existing line for this.

This is VERY important, as .pre files get parsed before the default rules, but
.cf files are parsed after them. If the plugin is not present when the default
rules are parsed, the razor rules will be omitted.


You rock man!  Everything is working great now!  I must have gotten my wires
crossed when reading the docs.  I really appreciate the wonderful resources 
of these mailing lists.


Have a good one,
Paul
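
Added example, not part of the thread: a Python model of the parse order described in the quoted advice above, showing why a loadplugin line in local.cf loads the plugin but leaves its rules undefined. It assumes the default rules wrap the Razor rule in an ifplugin/endif block; the default-rules text is a constructed stand-in and the function names are hypothetical.

```python
PLUGIN = "Mail::SpamAssassin::Plugin::Razor2"

# Constructed stand-in for the default rules, reduced to the lines that matter.
DEFAULT_RULES = (
    f"ifplugin {PLUGIN}\n"
    "full RAZOR2_CHECK eval:check_razor2()\n"
    "endif\n"
)

def parse(files):
    """Read files in order; return (loaded plugins, names of rules that got defined)."""
    loaded, rules, skip = set(), [], False
    for _name, text in files:
        for raw in text.splitlines():
            fields = raw.split("#", 1)[0].split()
            if not fields:
                continue                      # blank line or comment
            if fields[0] == "ifplugin":
                skip = fields[1] not in loaded    # decided once, at parse time
            elif fields[0] == "endif":
                skip = False
            elif skip:
                continue                      # inside a block for an absent plugin
            elif fields[0] == "loadplugin":
                loaded.add(fields[1])
            elif fields[0] in ("header", "body", "full", "meta", "uri"):
                rules.append(fields[1])
    return loaded, rules

def read_order(pre_text, local_cf_text):
    """.pre files first, then the default rules, then the site .cf files."""
    return [("v310.pre", pre_text),
            ("<default rules>", DEFAULT_RULES),
            ("local.cf", local_cf_text)]

# Layout from the question: plugin loaded from local.cf, .pre line still commented.
broken = parse(read_order(f"# loadplugin {PLUGIN}\n",
                          f"loadplugin {PLUGIN}\nuse_razor2 1\n"))
# Layout from the advice: line uncommented in v310.pre, only settings in local.cf.
fixed = parse(read_order(f"loadplugin {PLUGIN}\n", "use_razor2 1\n"))

if __name__ == "__main__":
    print("loadplugin in local.cf:", broken)
    print("loadplugin in v310.pre:", fixed)
```

In the first layout the plugin ends up loaded but RAZOR2_CHECK was never defined, which matches the symptom of no Razor hits and nothing written to razor-agent.log.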