Re[2]: problem with using SARE rules, names longer than 22 chars

2006-05-17 Thread Robert Menschel
Hello James,

Wednesday, May 17, 2006, 6:09:51 AM, you wrote:

JEP> I had the same problem with sa 3.04

JEP> Anyhow, I solved it by changing the trusted ruleset entry
JEP> "SARE_HEADER_0" to "SARE_HEADER_X31" as advised on rulesemporium.com,
JEP> and all works fine now.

Either you misread the web page, or we really weren't clear about
that.

If you use any of the HEADER rules at all, you should be using
HEADER0.  HEADER0 is designed to hit spam and only spam -- never hit
any ham (a single ham hit removes the rule from that file).

Header X31 contains those rules which have been incorporated into SA
3.1.x; if you're on 3.0, then you ALSO want header X31, but you should
not be removing Header0.

The invalid (overly long) rule name lint error has been fixed.

Bob Menschel





Re: Delete spam or move to a folder?

2006-05-17 Thread Joseph Green

> Couldn't find a thread like this hence this new one. Just
> wondering what strategy people are using when it comes to
> dealing with email that gets enough points to be considered
> as spam. Eg. being deleted and quarantined, or delivered and
> quarantined etc.

In trying to find a good combination between convenience and also
not missing any FPs, we came up with this:

- Messages with scores over 20 are thrown away before even reaching the
  user.

- Messages above the threshold but below 20 are filtered into a "spam"
  folder.

- On a daily basis (or weekly, the user can choose), a script goes
  through the spam folder and summarizes all messages there that
  arrived since the last summary.  It puts them all into one
  message, it lists the FROM and SUBJECTs and sends it
  to the user.
  That way the user can see everything that was filtered out in
  one single compact list.  They are sorted by score, lowest
  first, thus any FP would be right near the top.

- The same script also automatically deletes messages that have
  been there for over X (user determined) days.  This keeps it
  from growing out of control if a user never does anything, but
  it also gives the user a chance to retrieve an FP if necessary.

- Included in the summary, with each message listing, are also two
  magic links: "whitelist [EMAIL PROTECTED]" and "redeliver".
  The whitelist link does the obvious. The redeliver link
  fetches that message out of the spam box and puts it into
  the inbox.

  (the links have special MD5 tokens built out of
   the relevant message parts, which only the target cgi can
   decipher, thus preventing any possible abuse.)

Combining the auto-summary, auto-purge, and redeliver links means that
users never have to deal with their spam folder directly if they don't
want to.
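
One way to build the link tokens described above, as an added example that is not the poster's script: it uses HMAC-SHA256 with a server-side secret in place of the MD5 construction mentioned in the post, and binds the token to an expiry matching the purge window. All function names, parameter names and sample values are hypothetical.

```python
import hashlib
import hmac
import time

ACTIONS = ("whitelist", "redeliver")   # the two link types named in the post


def _mac(secret, user, msg_id, action, expires):
    """Keyed digest over length-prefixed fields, so field boundaries cannot shift."""
    fields = [user, msg_id, action, str(expires)]
    data = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def make_link(secret, user, msg_id, action, ttl_days, now=None):
    """Return the query parameters for one summary link (hypothetical layout)."""
    if action not in ACTIONS:
        raise ValueError("unknown action: %r" % action)
    now = int(time.time()) if now is None else now
    expires = now + ttl_days * 86400
    return {"user": user, "msg": msg_id, "action": action, "exp": str(expires),
            "tok": _mac(secret, user, msg_id, action, expires)}


def verify_link(secret, params, now=None):
    """What the target CGI would do before whitelisting or redelivering."""
    now = int(time.time()) if now is None else now
    try:
        user = str(params["user"])
        msg_id = str(params["msg"])
        action = str(params["action"])
        expires = int(params["exp"])
        token = str(params["tok"])
    except (KeyError, ValueError, TypeError):
        return False
    if action not in ACTIONS or now > expires:
        return False
    expected = _mac(secret, user, msg_id, action, expires)
    # Constant-time comparison, so the check does not leak how many characters matched.
    return hmac.compare_digest(expected.encode(), token.encode())


def demo():
    """Run the checks on constructed sample values and return the outcomes."""
    secret = b"constructed-secret"            # constructed; keep the real one server-side
    t0 = 1_000_000                            # constructed timestamp
    link = make_link(secret, "alice@example.com", "<1234@mx.example>",
                     "redeliver", ttl_days=7, now=t0)
    return {
        "valid": verify_link(secret, link, now=t0 + 3600),
        "action_swapped": verify_link(secret, dict(link, action="whitelist"), now=t0),
        "other_message": verify_link(secret, dict(link, msg="<9999@mx.example>"), now=t0),
        "expired": verify_link(secret, link, now=t0 + 8 * 86400),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```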


Re: Minimizing spamd's memory footprint

2006-05-17 Thread jdow

From: "Matt Kettler" <[EMAIL PROTECTED]>


> jdow wrote:
>> 70_sare_evilnum0.cf # snap
>> 70_sare_evilnum1.cf # snap
>> 70_sare_evilnum2.cf # snap
>>
>> If you can in ANY WAY use the DNS based tests do so. Those sets
>> are HUGE and lead to incredibly large memory footprints.
>
> Erm, J.. evilnum is NOT replaced by a DNS test.. you're thinking of bigevil.
>
> evilnum works on phone numbers, not URIs.


Thanks - I should really remember not to post while I am fighting a
migraine.  They seem to drop my IQ into the bit bucket as the
brains leak out of the hole in my head the migraine opens up.

{o.o}


Re: Minimizing spamd's memory footprint

2006-05-17 Thread Matt Kettler
jdow wrote:
> 70_sare_evilnum0.cf # snap
> 70_sare_evilnum1.cf # snap
> 70_sare_evilnum2.cf # snap
> 
> If you can in ANY WAY use the DNS based tests do so. Those sets
> are HUGE and lead to incredibly large memory footprints.

Erm, J.. evilnum is NOT replaced by a DNS test.. you're thinking of bigevil.

evilnum works on phone numbers, not URIs.


Re: Minimizing spamd's memory footprint

2006-05-17 Thread Kai Schaetzl
James Lay wrote on Wed, 17 May 2006 07:27:13 -0600:

> yesterday I decided to get gutsy and use just about all the 
> rules from SARE.

Be careful with any rulesets that are larger than 100 KB. And you use 
rulesets that are not intended to be used with SA 3 at all because there 
are better alternatives.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Minimizing spamd's memory footprint

2006-05-17 Thread Kai Schaetzl
Chris Santerre wrote on Wed, 17 May 2006 13:30:13 -0400:

> That list would most definitely ... get your cat pregnant!

Hm, quite powerful medicine then, hm? ;-)

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Delete spam or move to a folder?

2006-05-17 Thread aaron
"Yusuf Ahmed" <[EMAIL PROTECTED]> wrote on 17/05/2006 04:28:36 PM:

> Hi Guys,
>
> Couldn't find a thread like this hence this new one. Just wondering
> what strategy people are using when it comes to dealing with email
> that gets enough points to be considered as spam. Eg. being deleted
> and quarantined, or delivered and quarantined etc.
>
> I'm using store and deliver - is that the general concept out there
> with everyone?
>
> Regards,
> Yusuf.

As a business we take copies of all emails received by the mail gateway.
Messages determined to be Spam are not delivered to the end user.

Using MimeDefang, the message is pulled apart and all of the bits that
we find important are logged to a database so that we can use our
web applications for inquiry and recovery of false positives etc. Other
web applications have been written for administration purposes and to
track down emails when there is a complaint or query.

So by default we keep everything and provide mechanisms for our staff
to recover an email if required.

The ability to customise SpamAssassin and Mimedefang has been invaluable
for us.

Cheers,
Aaron



Re: Minimizing spamd's memory footprint

2006-05-17 Thread jdow

70_sare_evilnum0.cf # snap
70_sare_evilnum1.cf # snap
70_sare_evilnum2.cf # snap

If you can in ANY WAY use the DNS based tests do so. Those sets
are HUGE and lead to incredibly large memory footprints.
{^_^}
- Original Message - 
From: "Dermot Paikkos" <[EMAIL PROTECTED]>

To: "James Lay" <[EMAIL PROTECTED]>; "Spamassassin" 

Sent: Wednesday, May 17, 2006 07:30
Subject: Re: Minimizing spamd's memory footprint



I am on V3.02.

It certainly would be interesting to know which one of these is
causing the problem.
Dp.


On 17 May 2006 at 8:19, James Lay wrote:


On Wed, 17 May 2006 15:10:45 +0100
"Dermot Paikkos" <[EMAIL PROTECTED]> wrote:

> I wrote about this yesterday.
>
> USER       PID %CPU %MEM    VSZ    RSS TTY      STAT START   TIME COMMAND
> nobody   17140  1.3 13.1 194984 169432 ?        S    09:49   3:58 spamd child
> nobody   18656  1.3 10.4 159208 134328 ?        R    10:08   3:43 spamd child
> nobody   21371  1.1 12.7 191072 164440 ?        S    10:38   2:51 spamd child
> nobody   21372  1.4 15.1 243424 195616 ?        S    10:38   3:34 spamd child
> nobody   22331  1.4 22.7 327064 293176 ?        S    10:47   3:32 spamd child
> nobody   22481  1.2 15.6 242200 201256 ?        S    10:49   3:10 spamd child
>
> I am averaging 200MB per child.
>
> Here are my other rules:
> 70_sare_bayes_poison_nxm.cf # snap
> 70_sare_evilnum0.cf # snap
> 70_sare_evilnum1.cf # snap
> 70_sare_evilnum2.cf # snap
> 70_sare_header0.cf # snap
> 70_sare_header1.cf # snap
> 70_sare_header2.cf # snap
> 70_sare_header3.cf # snap
> 70_sare_html.cf # snap
> 70_sare_obfu0.cf # snap
> 70_sare_obfu1.cf # snap
> 70_sare_oem.cf # snap
> 70_sare_random.cf # snap
> 70_sare_specific.cf # snap
> 70_sare_unsub.cf # snap
> 70_sare_uri0.cf # snap
> 72_sare_redirect_post3.0.0.cf # snap
> 99_FVGT_Tripwire.cf
> 99_sare_fraud_post25x.cf
>
>
> There is a lot of overlap there. What version of SA are you running?
> Perhaps we should start removing them one at time and see what
> happens to the memory usage.
>
> Dp.
>
>
Version 3.1.1.  I went back to my original list of:

TRUSTED_RULESETS="SARE_REDIRECT_POST300 SARE_EVILNUMBERS0
SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_BAYES_POISON_NXM SARE_HTML
SARE_HEADER SARE_SPECIFIC SARE_ADULT SARE_FRAUD SARE_SPOOF SARE_RANDOM
SARE_SPAMCOP_TOP200 SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ4
SARE_GENLSUBJ_ENG SARE_HIGHRISK SARE_UNSUB SARE_URI0 SARE_URI1
SARE_URI3 SARE_URI_ENG SARE_WHITELIST SARE_WHITELIST_SPF
SARE_WHITELIST_RCVD SARE_OBFU SARE_OBFU2 SARE_OBFU3 SARE_OBFU4
TRIPWIRE"

with the same effect.  I didn't see this issue before, so I suspect
I'll simply nuke all sare rules, start and start adding them one by
one.  I'll let you know how it goes =)

James

>
> On 17 May 2006 at 7:27, James Lay wrote:
>
> > Hello all!
> >
> > Soo.yesterday I decided to get gutsy and use just about all
> > the rules from SARE.  Here's my rulesdujour config:
> >
> > TRUSTED_RULESETS="ANTIDRUG BLACKLIST BLACKLIST_URI BOGUSVIRUS
> > RANDOMVAL SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML
> > SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_FRAUD
> > SARE_GENLSUBJ SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2
> > SARE_GENLSUBJ3 SARE_GENLSUBJ_ENG SARE_GENLSUBJ_X30 SARE_HEADER
> > SARE_HEADER0 SARE_HEADER1 SARE_HEADER2 SARE_HEADER3
> > SARE_HEADER_ENG SARE_HEADER_X30 SARE_HIGHRISK SARE_HTML SARE_HTML0
> > SARE_HTML1 SARE_HTML2 SARE_HTML3 SARE_HTML4 SARE_HTML_ENG
> > SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2 SARE_OBFU3 SARE_OEM
> > SARE_RANDOM SARE_RATWARE SARE_REDIRECT SARE_REDIRECT_POST300
> > SARE_SPAMCOP_TOP200 SARE_SPECIFIC SARE_SPOOF SARE_UNSUB SARE_URI0
> > SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG SARE_WHITELIST
> > TRIPWIRE"
> >
> > Now here's the output of ps aux:
> > USER       PID %CPU %MEM    VSZ    RSS TTY      STAT START   TIME COMMAND
> > root      3338 31.6 26.8 287636 277940 ?        Ss   07:24   0:39 /usr/bin/spamd -u filter -d -m 10 -r /home/filter/run/spamd.pid --socketpath=/home/filter/run/spamd
> > filter    3365 19.1 27.1 290940 281204 ?        S    07:25   0:14 spamd child
> > filter    3366  0.0 26.7 287636 276788 ?        S    07:25   0:00 spamd child
> >
> > Is this normal?
> >
> > James
>
>






Re: Minimizing spamd's memory footprint

2006-05-17 Thread jdow

Do not use:
70_sare_evilnum0.cf # snap
70_sare_evilnum1.cf # snap
70_sare_evilnum2.cf # snap


{^_^}
- Original Message - 
From: "Dermot Paikkos" <[EMAIL PROTECTED]>

To: "Spamassassin" 
Sent: Wednesday, May 17, 2006 07:10
Subject: Re: Minimizing spamd's memory footprint



I wrote about this yesterday.

USER       PID %CPU %MEM    VSZ    RSS TTY      STAT START   TIME COMMAND
nobody   17140  1.3 13.1 194984 169432 ?        S    09:49   3:58 spamd child
nobody   18656  1.3 10.4 159208 134328 ?        R    10:08   3:43 spamd child
nobody   21371  1.1 12.7 191072 164440 ?        S    10:38   2:51 spamd child
nobody   21372  1.4 15.1 243424 195616 ?        S    10:38   3:34 spamd child
nobody   22331  1.4 22.7 327064 293176 ?        S    10:47   3:32 spamd child
nobody   22481  1.2 15.6 242200 201256 ?        S    10:49   3:10 spamd child


I am averaging 200MB per child.

Here are my other rules:
70_sare_bayes_poison_nxm.cf # snap
70_sare_evilnum0.cf # snap
70_sare_evilnum1.cf # snap
70_sare_evilnum2.cf # snap
70_sare_header0.cf # snap
70_sare_header1.cf # snap
70_sare_header2.cf # snap
70_sare_header3.cf # snap
70_sare_html.cf # snap
70_sare_obfu0.cf # snap
70_sare_obfu1.cf # snap
70_sare_oem.cf # snap
70_sare_random.cf # snap
70_sare_specific.cf # snap
70_sare_unsub.cf # snap
70_sare_uri0.cf # snap
72_sare_redirect_post3.0.0.cf # snap
99_FVGT_Tripwire.cf 
99_sare_fraud_post25x.cf 



There is a lot of overlap there. What version of SA are you running?
Perhaps we should start removing them one at time and see what 
happens to the memory usage.


Dp.



On 17 May 2006 at 7:27, James Lay wrote:


Hello all!

Soo.yesterday I decided to get gutsy and use just about all the
rules from SARE.  Here's my rulesdujour config:

TRUSTED_RULESETS="ANTIDRUG BLACKLIST BLACKLIST_URI BOGUSVIRUS
RANDOMVAL SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_EVILNUMBERS0
SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_FRAUD SARE_GENLSUBJ
SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3
SARE_GENLSUBJ_ENG SARE_GENLSUBJ_X30 SARE_HEADER SARE_HEADER0
SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG SARE_HEADER_X30
SARE_HIGHRISK SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3
SARE_HTML4 SARE_HTML_ENG SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2
SARE_OBFU3 SARE_OEM SARE_RANDOM SARE_RATWARE SARE_REDIRECT
SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_SPECIFIC SARE_SPOOF
SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG
SARE_WHITELIST TRIPWIRE"

Now here's the output of ps aux:
USER       PID %CPU %MEM    VSZ    RSS TTY      STAT START   TIME COMMAND
root      3338 31.6 26.8 287636 277940 ?        Ss   07:24   0:39 /usr/bin/spamd -u filter -d -m 10 -r /home/filter/run/spamd.pid --socketpath=/home/filter/run/spamd
filter    3365 19.1 27.1 290940 281204 ?        S    07:25   0:14 spamd child
filter    3366  0.0 26.7 287636 276788 ?        S    07:25   0:00 spamd child

Is this normal?

James




Re: New Obfuscation Technique?

2006-05-17 Thread Dan

> I run most of the production SARE rulesets here-- which would those be
> in? Or are those some adhoc rules posted to the list that I didn't pick
> up on? Just looking at where I might find the rules...

You're welcome to use mine (newly improved).  All of these catch on
your sample:



body OBSFU_VIA1 /(?!VIAGRA)\bV(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?[I1\/\\](\s|\s\s|\s\S|\s\S\s|\S\s|\S)?A(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?G(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?R(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?A\b/i

body OBSFU_CIA1 /(?!CIALIS)\bC(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?[I1\/\\](\s|\s\s|\s\S|\s\S\s|\S\s|\S)?A(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?L(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?[I1\/\\](\s|\s\s|\s\S|\s\S\s|\S\s|\S)?S\b/i

body OBSFU_VAL1 /(?!VALIUM)\bV(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?A(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?L(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?[I1\/\\](\s|\s\s|\s\S|\s\S\s|\S\s|\S)?U(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?M\b/i

body OBSFU_AMB1 /(?!AMBIEN)\bA(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?M(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?B(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?[I1\/\\](\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?N\b/i

body OBSFU_XAN1 /(?!XANAX)\bX(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?A(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?N(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?A(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?X\b/i



Dan


Re: Minimizing spamd's memory footprint

2006-05-17 Thread jdow

From: "James Lay" <[EMAIL PROTECTED]>


Hello all!

Soo.yesterday I decided to get gutsy and use just about all the
rules from SARE.  Here's my rulesdujour config:

TRUSTED_RULESETS="ANTIDRUG BLACKLIST BLACKLIST_URI BOGUSVIRUS RANDOMVAL
SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_EVILNUMBERS0
SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_FRAUD SARE_GENLSUBJ
SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3
SARE_GENLSUBJ_ENG SARE_GENLSUBJ_X30 SARE_HEADER SARE_HEADER0
SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG SARE_HEADER_X30
SARE_HIGHRISK SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3
SARE_HTML4 SARE_HTML_ENG SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2
SARE_OBFU3 SARE_OEM SARE_RANDOM SARE_RATWARE SARE_REDIRECT
SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_SPECIFIC SARE_SPOOF
SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG
SARE_WHITELIST TRIPWIRE"

Now here's the output of ps aux:
USER       PID %CPU %MEM    VSZ    RSS TTY      STAT START   TIME COMMAND
root      3338 31.6 26.8 287636 277940 ?        Ss   07:24   0:39 /usr/bin/spamd -u filter -d -m 10 -r /home/filter/run/spamd.pid --socketpath=/home/filter/run/spamd
filter    3365 19.1 27.1 290940 281204 ?        S    07:25   0:14 spamd child
filter    3366  0.0 26.7 287636 276788 ?        S    07:25   0:00 spamd child

Is this normal?


Since you used SARE_EVILNUMBERS* without reading that they are deprecated
this is normal. Jettison them and use the BL tools instead.

{^_^} 



Re: problem with using SARE rules, names longer than 22 chars

2006-05-17 Thread jdow

From: "James E. Pratt" <[EMAIL PROTECTED]>
From: Jo [mailto:[EMAIL PROTECTED] 
Matt Kettler wrote:

Jo wrote:
  

Hi,

We're using spamassassin-3.0.5-3.el4 with amavisd-new-2.4.1-1.el4.rf.
Since yesterday I'm receiving this message when downloading the SARE
rules:

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv -f
/etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf
/etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.2; mv
-f
/etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.20060517-0758
/etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf; mv -f
/etc/mail/spamassassin/70_sare_header0.cf
/etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.2; mv -f
/etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.20060517-0758
/etc/mail/spamassassin/70_sare_header0.cf;

Lint output: warning: rule 'SARE_MULT_SEXCLUBGMAILA' is over 22 chars
warning: rule 'SARE_BOUNDARY_0264192082' is over 22 chars
warning: rule 'SARE_MSGID_HEX30XIDSRVR' is over 22 chars
warning: rule 'SARE_BOUNDARY_D118112147' is over 22 chars
warning: rule 'SARE_HEAD_MIME_INVALID32' is over 22 chars
warning: rule 'SARE_MULT_SUBJR_XBNCETR' is over 22 chars
warning: rule 'SARE_FROM_SPAM_NAME2A177' is over 22 chars
lint: 7 issues detected.  please rerun with debug enabled for more
information.

Are these simply problems with the names? 


Yes, but it's not really a problem.
  
Thanks for your answer. I only saw after I sent the mail that they were 
only warnings and not errors. I'm a bit less worried now. I thought I 
had a version mismatch or something like that.

Would it help if I shortened those names?


You could, or you could wait until SARE fixes the rules.
  

Still it seems too strange to arbitrarily limit the length of those names
to 22 characters.

Am I really the only one who is having this problem?


I haven't noticed it yet.
  


I had the same problem with sa 3.04

Anyhow, I solved it by changing the trusted ruleset entry
"SARE_HEADER_0" to "SARE_HEADER_X31" as advised on rulesemporium.com,
and all works fine now.

regards,
Jamie

<> They merely refer to the fact that the report will slop over
"mail friendly" 80 character lines. The first thing I do when I update
a SpamAssassin is modify the tests to avoid the problems. I prefer more
descriptive names.

{^_-}


Re: problem with using SARE rules, names longer than 22 chars

2006-05-17 Thread jdow

From: "Jo" <[EMAIL PROTECTED]>


Matt Kettler wrote:

Jo wrote:
  

Hi,

We're using spamassassin-3.0.5-3.el4 with amavisd-new-2.4.1-1.el4.rf.
Since yesterday I'm receiving this message when downloading the SARE
rules:

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv -f
/etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf
/etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.2; mv
-f
/etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.20060517-0758
/etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf; mv -f
/etc/mail/spamassassin/70_sare_header0.cf
/etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.2; mv -f
/etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.20060517-0758
/etc/mail/spamassassin/70_sare_header0.cf;

Lint output: warning: rule 'SARE_MULT_SEXCLUBGMAILA' is over 22 chars
warning: rule 'SARE_BOUNDARY_0264192082' is over 22 chars
warning: rule 'SARE_MSGID_HEX30XIDSRVR' is over 22 chars
warning: rule 'SARE_BOUNDARY_D118112147' is over 22 chars
warning: rule 'SARE_HEAD_MIME_INVALID32' is over 22 chars
warning: rule 'SARE_MULT_SUBJR_XBNCETR' is over 22 chars
warning: rule 'SARE_FROM_SPAM_NAME2A177' is over 22 chars
lint: 7 issues detected.  please rerun with debug enabled for more
information.

Are these simply problems with the names? 


Yes, but it's not really a problem.
  
Thanks for your answer. I only saw after I sent the mail that they were 
only warnings and not errors. I'm a bit less worried now. I thought I 
had a version mismatch or something like that.

Would it help if I shortened those names?


You could, or you could wait until SARE fixes the rules.
  
Still it seems too strange to arbitrarily limit the length of those names 
to 22 characters.

Am I really the only one who is having this problem?


I haven't noticed it yet.
  
That's odd if you are also using the SARE rules. Those names should be 
just as long on your system as they are on mine...


Cheers,

Jo


Are you sure you do not have an extremely dated rule set on your system
that uses the longer names? That was common in the pre 3.0 days. Since
then the SARE rules seem to have been sanitized.

grep SARE_MULT_SEXCLUB /etc/mail/spamassassin/*.cf (or wherever else you
might have some rules SpamAssassin can find.)

{^_^}


Re: Negative lookaround?

2006-05-17 Thread Matt Kettler
David B Funk wrote:
> On Wed, 17 May 2006, Stuart Johnston wrote:
> 
>>> "Every variation" includes the whole world: FREE.  To exclude the whole
>>> word, I created a meta exception but as you might guess, this also finds
>>> the whole word elsewhere in the same message.  While it's odd to have one
>>> word mangled and another not, spammers do it.  I'm told a negative
>>> lookaround will solve this problem, but I can't figure out how to do
>>> it.  Everything I've read relates to neighboring text, not the same text.
>>>
>>> How do I write a single regex that includes every variation except a
>>> single specific one?
>> Do you mean negative lookahead?
>>
>> body __OBSFU_FRE1 /(?!FREE)\bF(\s|\s\s|\s\S...
> 
> Almost, you -really- want that '\b' pattern enclosing the negative
> lookahead qualifier, otherwise it won't give you the expected results.

Are you sure? I find this works just fine.

FUZZY_MILF from the standard ruleset does this, as do 10 rules in
70_sare_obfu0.cf and 1 in 70_sare_specific.cf

Try grep -P '\(\?\!\w+\)\\b' 70_sare_obfu0.cf

Some of the shorter results are:

body  SARE_OBFU_BACK_NUM   m'(?!BACK)\bb\d?a\d?c\d?k\b'i
body  SARE_OBFU_SAVE_NUM   m'(?!save)\bs\d?a\d?v\d?e\b'i
body  SARE_OBFU_SAVINGS_NUMm'(?!savings)\bs\d?a\d?v\d?i\d?n\d?g\d?s\b'i
body  SARE_OBFU_NUM_YOUR   m'(?!YOUR)\bY\d?O\d?U\d?R\b'i


(why the author used m' instead of / is beyond me, as it serves no purpose in
these rules..  but a lot of SARE rules have really weird style so I'll chalk it
up to weird style.)



Re: Negative lookaround?

2006-05-17 Thread Dan

> Almost, you -really- want that '\b' pattern enclosing the negative
> lookahead qualifier, otherwise it won't give you the expected results.
>
> So try:
>
> body OBSFU_FRE1 /\b(?!FREE)F(\s|\s\s|\s\S...

Sweet.  Is a \b also needed at the end:  (?!FREE\b) or does the main
one at the end handle it?:

body __OBSFU_FRE1 /\b(?!FREE)F(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?R(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E\b/i

> In that pattern you have "F(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?R"
> Note that '(\s|\S)' says fire if it's either a space or a non-space
> so that is functionally equivalent to '.' (IE the wildcard character).
> Is that what you wanted? It may match on some real words.

Good point.  A dot would be more compact but by expressing every
separator, I can more easily kill specific variations (just one or
just the other) that FP.  Some also only trigger when multiples are
found or when found alone only in the subject.


Dan


Re: Negative lookaround?

2006-05-17 Thread David B Funk
On Wed, 17 May 2006, Stuart Johnston wrote:

> > "Every variation" includes the whole world: FREE.  To exclude the whole
> > word, I created a meta exception but as you might guess, this also finds
> > the whole word elsewhere in the same message.  While it's odd to have one
> > word mangled and another not, spammers do it.  I'm told a negative
> > lookaround will solve this problem, but I can't figure out how to do
> > it.  Everything I've read relates to neighboring text, not the same text.
> >
> > How do I write a single regex that includes every variation except a
> > single specific one?
>
> Do you mean negative lookahead?
>
> body __OBSFU_FRE1 /(?!FREE)\bF(\s|\s\s|\s\S...

Almost, you -really- want that '\b' pattern enclosing the negative
lookahead qualifier, otherwise it won't give you the expected results.
Since the negative lookahead removed the need for the meta rule, you
want this to be a real standalone rule so remove the leading '__' too.

So try:

body OBSFU_FRE1 /\b(?!FREE)F(\s|\s\s|\s\S...

In that pattern you have "F(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?R"
Note that '(\s|\S)' says fire if it's either a space or a non-space
so that is functionally equivalent to '.' (IE the wildcard character).
Is that what you wanted? It may match on some real words.

-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Negative lookaround?

2006-05-17 Thread Matt Kettler
Dan wrote:

>>
>> I'd also suggest that the last-term of bare \S is not such a good idea.
>> /F\S?R\S?E\S?E\S?/i will match Frisbee.
Self-correction. That won't match Frisbee..

 However, it will match enforcement. (enFoRcEmEnt)

And  forever  (FoREvEr)

Admittedly the \b's of your original rule would keep those matches out, but you
get the idea.. There's a lot of words that have "free" embedded in them, but
there's a lot more that have F\S?R\S?E\S?E embedded in them.

Some may not get excluded by your \b requirement, such as the german domain
"frede.de", and the Surname "Foree"

http://en.wikipedia.org/wiki/Ken_Foree







Re: Negative lookaround?

2006-05-17 Thread Dan
> It's looking like you want to use the ReplaceTags plugin.  Check
> out the default rules.

Probably less work, thank you

> Do you mean negative lookahead?
>
> body __OBSFU_FRE1 /(?!FREE)\bF(\s|\s\s|\s\S...

That's what I'm talking about, thank you

> It's not "negative lookaround" it's "negative lookahead"
>
> You use (?! ) to group-off a negative look-ahead.
>
> body __OBSFU_FRE1
> /(?!FREE)\bF(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?R(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E\b/i
>
> Also, might I suggest that (\s|\s\s|\s\S|\s\S\s|\S\s|\S)? is not very optimal
> here. At minimum, turn off capture for the group by using (?: at the start.
>
> I'd also suggest that the last-term of bare \S is not such a good idea.
> /F\S?R\S?E\S?E\S?/i will match Frisbee.
>
> I would also consider replacing the whole  (\s|\s\s|\s\S|\s\S\s|\S\s|\S)? group
> with just: \s+\S?\s?  This does force at least one whitespace character in the
> match, but that fixes the Frisbee problem.
>
> So you might wish to try:
>
> body __OBSFU_FRE1 /(?!FREE)\bF\s+\S?\s?R\s+\S?\s?E\s+\S?\s?E\b/i


You guys rock!:)

Dan


Re: Negative lookaround?

2006-05-17 Thread Matt Kettler
Dan wrote:
> Sick of obfuscation, I'm going to town on spacing and letter variations,
> with one problem:
> 
> body __OBSFU_FRE1a /\bFREE\b/i
> body __OBSFU_FRE1b
> /\bF(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?R(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E\b/i
> meta __OBSFU_FRE1 (!__OBSFU_FRE1a && __OBSFU_FRE1b)
> 
> 
> "Every variation" includes the whole world: FREE.  To exclude the whole
> word, I created a meta exception but as you might guess, this also finds
> the whole word elsewhere in the same message.  While it's odd to have one
> word mangled and another not, spammers do it.  I'm told a negative
> lookaround will solve this problem, but I can't figure out how to do
> it.  Everything I've read relates to neighboring text, not the same text.  
> 
> How do I write a single regex that includes every variation except a
> single specific one?

It's not "negative lookaround" it's "negative lookahead"

You use (?! ) to group-off a negative look-ahead.

body __OBSFU_FRE1
/(?!FREE)\bF(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?R(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E\b/i

Also, might I suggest that (\s|\s\s|\s\S|\s\S\s|\S\s|\S)? is not very optimal
here. At minimum, turn off capture for the group by using (?: at the start.

I'd also suggest that the last-term of bare \S is not such a good idea.
/F\S?R\S?E\S?E\S?/i will match Frisbee.

I would also consider replacing the whole  (\s|\s\s|\s\S|\s\S\s|\S\s|\S)? group
with just: \s+\S?\s?  This does force at least one whitespace character in the
match, but that fixes the Frisbee problem.


So you might wish to try:

body __OBSFU_FRE1 /(?!FREE)\bF\s+\S?\s?R\s+\S?\s?E\s+\S?\s?E\b/i
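
The points raised across this thread (the meta-rule problem, where the lookahead sits relative to \b, whether (?!FREE\b) differs, the Frisbee/enforcement/Foree matches, and the tightened \s+ separator) can be checked side by side. This is an added example, not code from any post in the thread; it assumes Python's re module treats (?!...), \b, \s and \S the way Perl does for these ASCII inputs, and the rule labels and sample strings are constructed.

```python
import re

# Separator group exactly as posted in the thread: 0-3 characters between letters.
SEP = r"(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?"
SPACED_FREE = SEP.join("FREE")            # F<sep>R<sep>E<sep>E

# Labels are made up for this example; the patterns are the ones discussed above.
RULES = {
    "loose":            re.compile(r"\b" + SPACED_FREE + r"\b", re.I),
    "lookahead_then_b": re.compile(r"(?!FREE)\b" + SPACED_FREE + r"\b", re.I),
    "b_then_lookahead": re.compile(r"\b(?!FREE)" + SPACED_FREE + r"\b", re.I),
    "lookahead_word":   re.compile(r"\b(?!FREE\b)" + SPACED_FREE + r"\b", re.I),
    "tightened":        re.compile(r"(?!FREE)\bF\s+\S?\s?R\s+\S?\s?E\s+\S?\s?E\b", re.I),
    "bare_S":           re.compile(r"F\S?R\S?E\S?E\S?", re.I),
}
PLAIN_FREE = re.compile(r"\bFREE\b", re.I)

# Constructed sample message bodies.
SAMPLES = [
    "Get it FREE today",              # plain word only
    "F R E E pills, totally FREE",    # mangled and plain in one message
    "F.R.E.E offer",                  # non-space separators
    "FREEE now",                      # starts with FREE but is not the word FREE
    "Ken Foree signed autographs",    # surname mentioned in the thread
    "law enforcement forever",        # words that embed F.R.E.E
    "Frisbee",
]


def evaluate(text):
    """Return {label: fired?} for one message body."""
    hits = {name: bool(rx.search(text)) for name, rx in RULES.items()}
    # The original meta rule (!__OBSFU_FRE1a && __OBSFU_FRE1b) is evaluated per
    # message, so a plain FREE anywhere suppresses it.
    hits["meta"] = (not PLAIN_FREE.search(text)) and hits["loose"]
    return hits


def orderings_agree(samples=SAMPLES):
    """(?!FREE)\\b and \\b(?!FREE) are both zero-width tests at the same position."""
    return all(
        evaluate(s)["lookahead_then_b"] == evaluate(s)["b_then_lookahead"]
        for s in samples
    )


if __name__ == "__main__":
    labels = list(RULES) + ["meta"]
    for s in SAMPLES:
        fired = [name for name in labels if evaluate(s)[name]]
        print("%-30r %s" % (s, ", ".join(fired) or "-"))
    print("orderings agree:", orderings_agree())
```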




Re: Negative lookaround?

2006-05-17 Thread Stuart Johnston

Dan wrote:
> Sick of obfuscation, I'm going to town on spacing and letter variations,
> with one problem:
>
> body __OBSFU_FRE1a /\bFREE\b/i
> body __OBSFU_FRE1b
> /\bF(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?R(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E\b/i
> meta __OBSFU_FRE1 (!__OBSFU_FRE1a && __OBSFU_FRE1b)
>
> "Every variation" includes the whole world: FREE.  To exclude the whole
> word, I created a meta exception but as you might guess, this also finds
> the whole word elsewhere in the same message.  While it's odd to have one
> word mangled and another not, spammers do it.  I'm told a negative
> lookaround will solve this problem, but I can't figure out how to do
> it.  Everything I've read relates to neighboring text, not the same text.
>
> How do I write a single regex that includes every variation except a
> single specific one?


Do you mean negative lookahead?

body __OBSFU_FRE1 /(?!FREE)\bF(\s|\s\s|\s\S...


Re: Negative lookaround?

2006-05-17 Thread Theo Van Dinter
On Wed, May 17, 2006 at 02:59:16PM -0700, Dan wrote:
> How do I write a single regex that includes every variation except a  
> single specific one?

It's looking like you want to use the ReplaceTags plugin.  Check out the
default rules.

-- 
Randomly Generated Tagline:
"She's got a mortgage on my body and a lease on my soul."




Negative lookaround?

2006-05-17 Thread Dan
Sick of obfuscation, I'm going to town on spacing and letter variations,
with one problem:

body __OBSFU_FRE1a /\bFREE\b/i
body __OBSFU_FRE1b /\bF(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?R(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E(\s|\s\s|\s\S|\s\S\s|\S\s|\S)?E\b/i
meta __OBSFU_FRE1 (!__OBSFU_FRE1a && __OBSFU_FRE1b)

"Every variation" includes the whole world: FREE.  To exclude the whole
word, I created a meta exception but as you might guess, this also finds
the whole word elsewhere in the same message.  While it's odd to have one
word mangled and another not, spammers do it.  I'm told a negative
lookaround will solve this problem, but I can't figure out how to do
it.  Everything I've read relates to neighboring text, not the same text.

How do I write a single regex that includes every variation except a
single specific one?

Thanks,
Dan

Re: problem with using SARE rules, names longer than 22 chars

2006-05-17 Thread Jo

James E. Pratt wrote:
 



-Original Message-
From: Jo [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 17, 2006 9:05 AM

To: Matt Kettler
Cc: users@spamassassin.apache.org
Subject: Re: problem with using SARE rules, names longer than 22 chars

Matt Kettler wrote:
  

Jo wrote:
  


Hi,

We're using spamassassin-3.0.5-3.el4 with amavisd-new-2.4.1-1.el4.rf.
Since yesterday I'm receiving this message when downloading the SARE
rules:

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv -f
/etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf
/etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.2; mv
-f
/etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.20060517-0758
/etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf; mv -f
/etc/mail/spamassassin/70_sare_header0.cf
/etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.2; mv -f
/etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.20060517-0758
/etc/mail/spamassassin/70_sare_header0.cf;

Lint output: warning: rule 'SARE_MULT_SEXCLUBGMAILA' is over 22 chars
warning: rule 'SARE_BOUNDARY_0264192082' is over 22 chars
warning: rule 'SARE_MSGID_HEX30XIDSRVR' is over 22 chars
warning: rule 'SARE_BOUNDARY_D118112147' is over 22 chars
warning: rule 'SARE_HEAD_MIME_INVALID32' is over 22 chars
warning: rule 'SARE_MULT_SUBJR_XBNCETR' is over 22 chars
warning: rule 'SARE_FROM_SPAM_NAME2A177' is over 22 chars
lint: 7 issues detected.  please rerun with debug enabled for more
information.

Are these simply problems with the names? 

  

Yes, but it's not really a problem.
  

Thanks for your answer. I only saw after I sent the mail that they were 
only warnings and not errors. I'm a bit less worried now. I thought I 
had a version mismatch or something like that.
  

Would it help if I shortened those names?

  

You could, or you could wait until SARE fixes the rules.
  


Still it seems to strange to arbitrarily limit the length of those names
to 22 characters.
  

Am I really the only one who is having this problem?

  

I haven't noticed it yet.
  



I had the same problem with sa 3.04

Anyhow, I solved it by changing the trusted ruleset entry
"SARE_HEADER_0" to "SARE_HEADER_X31" as advised on rulesemporium.com,
and all works fine now.

regards,
Jamie
  

That seems to have solved the problem, even when it's  X30 instead of X31.

Thanks,

Jo


RE: Minimizing spamd's memory footprint

2006-05-17 Thread Chris Santerre

Holy crap! Is blacklist_URI the wstearns port over? Good grief don't use that! Just use SURBL or URIBL. That list would most definitely crush your server and get your cat pregnant!

--Chris 


> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 17, 2006 11:09 AM
> To: James Lay
> Cc: Spamassassin
> Subject: Re: Minimizing spamd's memory footprint
> 
> 
> James Lay wrote:
> > Hello all!
> > 
> > Soo.yesterday I decided to get gutsy and use just about all the
> > rules from SARE.  Here's my rulesdujour config:
> > 
> > TRUSTED_RULESETS="ANTIDRUG 
> 
> If you have SA 3.0.0 or higher, remove antidrug. These rules 
> are included in SA,
> and this ruleset is only for users of SA 2.6x and older.
> 
> I am the author of antidrug, so I speak with a solid 
> understanding of the ruleset.
> 
> At some point I will create antidrug-pre30.cf, antidrug-30.cf 
> and antidrug-31.cf.
> 
> After I've had that config for at least 6 months, I will 
> replace antidrug.cf
> with a file that generates a warning for anyone attempting to load it.
> 
> 
> BLACKLIST BLACKLIST_URI
> 
> 
> Ditch blacklist and blacklist_uri. Those rulesets are MAJOR 
> memory hogs.
> 
> (In general, look at the file size of your .cf files. 
> Anything over 128k is
> possibly a memory hog, and anything over 256k is quite likely 
> a memory hog.
> blacklist and blacklist_uri are both over 512k. blacklist is 
> nearly 2mb.
> 
>  BOGUSVIRUS RANDOMVAL
> > SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_EVILNUMBERS0
> > SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_FRAUD SARE_GENLSUBJ
> > SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3
> > SARE_GENLSUBJ_ENG SARE_GENLSUBJ_X30 SARE_HEADER SARE_HEADER0
> > SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG 
> SARE_HEADER_X30
> > SARE_HIGHRISK SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3
> > SARE_HTML4 SARE_HTML_ENG SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2
> > SARE_OBFU3 SARE_OEM SARE_RANDOM SARE_RATWARE SARE_REDIRECT
> > SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_SPECIFIC SARE_SPOOF
> > SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG
> > SARE_WHITELIST TRIPWIRE"
> > 
> > Now here's the output of ps aux:
> > USER   PID %CPU %MEM    VSZ   RSS TTY  STAT START   
> TIME COMMAND
> > root  3338 31.6 26.8 287636 277940 ?   Ss   07:24   
> 0:39 /usr/bin/spamd -u filter -d -m 10 -r 
> /home/filter/run/spamd.pid --socketpath=/home/filter/run/spamd
> > filter    3365 19.1 27.1 290940 281204 ?   S    07:25   
> 0:14 spamd child
> > filter    3366  0.0 26.7 287636 276788 ?   S    07:25   
> 0:00 spamd child
> > 
> > Is this normal?
> 
> If you're using blacklist, yes..
> 
> > 
> > James
> > 
> 





RE: New Obfuscation Technique?

2006-05-17 Thread Bret Miller
> The SARE rules seem to catch that kind of thing rather neatly. In
> particular these are caught by some of the anti-Leo rules that Loren
> wrote.
> {^_^}


I run most of the production SARE rulesets here-- which would those be
in? Or are those some adhoc rules posted to the list that I didn't pick
up on? Just looking at where I might find the rules...

Bret


> - Original Message -
> From: "Bret Miller" <[EMAIL PROTECTED]>
>
>
> I hadn't seen this type of obfuscation before, though I admit I don't
> watch the dropped spam very closely. This one got returned to
> me via my
> AOL feedback loop, so was looking to see how to catch it. Any
> ideas? Get
> a sample message here:
>
> http://webmail.wcg.org/~support/16-02-01-P.txt
>
> Thanks,
> Bret
>
>
>





Re: Minimizing spamd's memory footprint

2006-05-17 Thread Mike Jackson

Soo.yesterday I decided to get gutsy and use just about all the
rules from SARE.  Here's my rulesdujour config:

TRUSTED_RULESETS="ANTIDRUG BLACKLIST BLACKLIST_URI BOGUSVIRUS RANDOMVAL
SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_EVILNUMBERS0
SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_FRAUD SARE_GENLSUBJ
SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3
SARE_GENLSUBJ_ENG SARE_GENLSUBJ_X30 SARE_HEADER SARE_HEADER0
SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG SARE_HEADER_X30
SARE_HIGHRISK SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3
SARE_HTML4 SARE_HTML_ENG SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2
SARE_OBFU3 SARE_OEM SARE_RANDOM SARE_RATWARE SARE_REDIRECT
SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_SPECIFIC SARE_SPOOF
SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG
SARE_WHITELIST TRIPWIRE"


I know I keep harping about this on the list, but you should check which 
rulesets are actually triggering on the spam your server receives. These are 
the rulesets I'm grabbing with RulesDuJour:


SARE_ADULT
SARE_BAYES_POISON_NXM
SARE_FRAUD
SARE_HTML0
SARE_OBFU0
SARE_OEM
SARE_RANDOM
SARE_REDIRECT_POST300
SARE_SPAMCOP_TOP200
SARE_SPECIFIC
SARE_SPOOF
SARE_WHITELIST_RCVD
SARE_WHITELIST_SPF
SARE_STOCKS

From looking at my logs, it's mostly SARE_SPECIFIC and SARE_STOCKS that 
trigger. Most of the others are wastes of resources for the spam my server 
receives. It could be the same for you too. OTOH, Bayes, Razor, and the DNS 
tests identify the most spam. 



Problem compiling SpamAssassin (DB_file issue)

2006-05-17 Thread James Lay

Hey All!


Well…not sure what's going on…here's what I have.  Here's what I get with trying to install DB_File:

cpan> install DB_File
CPAN: Storable loaded ok
Going to read /home/jlay/.cpan/Metadata
  Database was generated on Tue, 16 May 2006 22:26:30 GMT
DB_File is up to date (1.814).

Doing a perl Makefile.PL gives me:

NOTE: the optional DB_File module is installed,
but is not an up-to-date version.

  Used to store data on-disk, for the Bayes-style logic and
  auto-whitelist.  *Much* more efficient than the other standard Perl
  database packages.  Strongly recommended.

Perl version is:

This is perl, v5.8.8 built for i486-linux

Make test fails with:

PERL_DL_NONLAZY=1 /usr/bin/perl5.8.8 "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/basic_lint[992] warn: Use of uninitialized value in numeric ge (>=) at /usr/lib/perl5/5.8.8/i486-linux/DB_File.pm line 271.
[992] warn: Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/5.8.8/i486-linux/DB_File.pm line 275.
[992] warn: Deep recursion on subroutine "DB_File::AUTOLOAD" at /usr/lib/perl5/5.8.8/i486-linux/DB_File.pm line 234.

The make test eventually eats up all my memory and I have to reboot the box.  This is Slackware Current.  Any help here?  Thanks people.

James





Re: Minimizing spamd's memory footprint

2006-05-17 Thread Matt Kettler
James Lay wrote:
> Hello all!
> 
> Soo.yesterday I decided to get gutsy and use just about all the
> rules from SARE.  Here's my rulesdujour config:
> 
> TRUSTED_RULESETS="ANTIDRUG 

If you have SA 3.0.0 or higher, remove antidrug. These rules are included in SA,
and this ruleset is only for users of SA 2.6x and older.

I am the author of antidrug, so I speak with a solid understanding of the 
ruleset.

At some point I will create antidrug-pre30.cf, antidrug-30.cf and 
antidrug-31.cf.

After I've had that config for at least 6 months, I will replace antidrug.cf
with a file that generates a warning for anyone attempting to load it.


BLACKLIST BLACKLIST_URI


Ditch blacklist and blacklist_uri. Those rulesets are MAJOR memory hogs.

(In general, look at the file size of your .cf files. Anything over 128k is
possibly a memory hog, and anything over 256k is quite likely a memory hog.
blacklist and blacklist_uri are both over 512k. blacklist is nearly 2mb.

 BOGUSVIRUS RANDOMVAL
> SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_EVILNUMBERS0
> SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_FRAUD SARE_GENLSUBJ
> SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3
> SARE_GENLSUBJ_ENG SARE_GENLSUBJ_X30 SARE_HEADER SARE_HEADER0
> SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG SARE_HEADER_X30
> SARE_HIGHRISK SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3
> SARE_HTML4 SARE_HTML_ENG SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2
> SARE_OBFU3 SARE_OEM SARE_RANDOM SARE_RATWARE SARE_REDIRECT
> SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_SPECIFIC SARE_SPOOF
> SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG
> SARE_WHITELIST TRIPWIRE"
> 
> Now here's the output of ps aux:
> USER   PID %CPU %MEM    VSZ   RSS TTY  STAT START   TIME COMMAND
> root  3338 31.6 26.8 287636 277940 ?   Ss   07:24   0:39 
> /usr/bin/spamd -u filter -d -m 10 -r /home/filter/run/spamd.pid 
> --socketpath=/home/filter/run/spamd
> filter    3365 19.1 27.1 290940 281204 ?   S    07:25   0:14 spamd child
> filter    3366  0.0 26.7 287636 276788 ?   S    07:25   0:00 spamd child
> 
> Is this normal?

If you're using blacklist, yes..

> 
> James
> 
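Matt Kettler's file-size rule of thumb and Mike Jackson's advice to check which rulesets actually trigger can be combined into one audit, shown here as an added example that is not code from the thread or from SpamAssassin. The file names, rule names and log lines are constructed, and the spamd `result:` log line shape is an assumption to adjust to your own logs.

```python
import os
import re
import tempfile
from collections import Counter

# Rule of thumb quoted in the thread, in bytes.
POSSIBLE_HOG = 128 * 1024
LIKELY_HOG = 256 * 1024

# Keywords that define a rule in a .cf file.
RULE_DEF = re.compile(r"^\s*(?:header|body|rawbody|full|uri|meta)\s+(\w+)")
# Assumed spamd log shape: "result: Y 17 - RULE_A,RULE_B scantime=..."
RESULT = re.compile(r"result: [Y.]\s+-?\d+ - (\S*) scantime=")


def size_class(nbytes):
    """Classify a ruleset file by the 128k / 256k thresholds."""
    if nbytes > LIKELY_HOG:
        return "likely hog"
    if nbytes > POSSIBLE_HOG:
        return "possible hog"
    return "ok"


def rules_by_file(cf_dir):
    """Map each rule name to the .cf file that defines it."""
    owner = {}
    for name in sorted(os.listdir(cf_dir)):
        if not name.endswith(".cf"):
            continue
        with open(os.path.join(cf_dir, name), encoding="latin-1") as fh:
            for line in fh:
                m = RULE_DEF.match(line)
                # "__" sub-rules never show up in result lines, so skip them.
                if m and not m.group(1).startswith("__"):
                    owner.setdefault(m.group(1), name)
    return owner


def audit(cf_dir, log_lines):
    """Return {file: (size class, number of messages that hit the file)}."""
    owner = rules_by_file(cf_dir)
    hits = Counter()
    for line in log_lines:
        m = RESULT.search(line)
        if not m:
            continue
        rules = filter(None, m.group(1).split(","))
        # Count each file once per message, however many of its rules fired.
        hits.update({owner[r] for r in rules if r in owner})
    report = {}
    for name in sorted(os.listdir(cf_dir)):
        if name.endswith(".cf"):
            size = os.path.getsize(os.path.join(cf_dir, name))
            report[name] = (size_class(size), hits[name])
    return report


# Constructed sample data: two made-up rulesets and three made-up log lines.
SAMPLE_CF = {
    "70_example_stocks.cf": "\n".join([
        r"body __EXAMPLE_TICKER /\b[A-Z]{4}\.OB\b/",
        r"body EXAMPLE_STOCK_TIP /hot stock tip/i",
        r"meta EXAMPLE_STOCK_SYM (__EXAMPLE_TICKER && EXAMPLE_STOCK_TIP)",
        r"score EXAMPLE_STOCK_TIP 2.0",
    ]) + "\n",
    # 6000 lines of 50 bytes each: about 300 kB, like a large blacklist file.
    "70_example_blacklist.cf":
        "header EXAMPLE_BL_1 From =~ /@spammer\\.example$/i\n" * 6000,
}
SAMPLE_LOG = [
    "May 17 07:30:01 mx spamd[3365]: spamd: result: Y 17 - BAYES_99,EXAMPLE_STOCK_TIP scantime=2.1,size=3021,user=filter",
    "May 17 07:31:12 mx spamd[3365]: spamd: result: Y  9 - EXAMPLE_STOCK_TIP,EXAMPLE_STOCK_SYM scantime=1.8,size=2710,user=filter",
    "May 17 07:32:40 mx spamd[3366]: spamd: result: .  0 -  scantime=0.9,size=1504,user=filter",
]


def demo():
    """Write the sample rulesets to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as cf_dir:
        for name, text in SAMPLE_CF.items():
            with open(os.path.join(cf_dir, name), "w") as fh:
                fh.write(text)
        return audit(cf_dir, SAMPLE_LOG)


if __name__ == "__main__":
    for name, (cls, n) in demo().items():
        print(f"{name:28} {cls:13} messages hit: {n}")
```

A file that is both a likely hog and has zero hits is the first candidate to drop from TRUSTED_RULESETS.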



Re: problem with using SARE rules, names longer than 22 chars

2006-05-17 Thread Matt Kettler
Jo wrote:
> Matt Kettler wrote:
>> Jo wrote:
>>>
>>> Are these simply problems with the names? 
>> Yes, but it's not really a problem.
>>   
> Thanks for your answer. I only saw after I sent the mail that they were
> only warnings and not errors. I'm a bit less worried now. I thought I
> had a version mismatch or something like that.
>>> Would it help if I shortened those names?
>>> 
>> You could, or you could wait until SARE fixes the rules.
>>   
> Still it seems to strange to arbitrarily limit the length of those names
> to 22 characters.


Yes, but it is NOT a limit. In this case it is just a warning, not an error.

SA will still use the rule, but it is warning you that the rule name is absurdly
long. Long rule names look bad in reports and waste some memory.

However, RDJ will not auto-load any rulesets with any warnings, as a precaution.

It should also be noted that SA 3.1.x increased the warning limit to 50 chars,
so you could upgrade to 3.1.x to eliminate the warning.

Personally, I'd suggest mailing the maintainer of the ruleset and get them to
fix it.



Re: spamassassin report

2006-05-17 Thread Magnus Holmgren
Wednesday 17 May 2006 16:25, Javier Marcon wrote:
> Hello, I have a working spamassassin configuration, and when a mail gets 5
> or more of score, it generates a report in english, telling that that mail
> is a spam.  How can I configure it make that report in spanish instead of
> in english?

There is no Spanish translation in the official SpamAssassin tarball, but look 
at the file 30_text_fr.cf for an example of how to do it. Then make sure that 
the system locale is set to Spanish when SA is run.

-- 
Magnus Holmgren
[EMAIL PROTECTED]




Re: Minimizing spamd's memory footprint

2006-05-17 Thread Dermot Paikkos
I am on V3.02. 

It certainly would be interesting to know which one of these is 
causing the problem.
Dp.


On 17 May 2006 at 8:19, James Lay wrote:

> On Wed, 17 May 2006 15:10:45 +0100
> "Dermot Paikkos" <[EMAIL PROTECTED]> wrote:
> 
> > I wrote about this yesterday.
> > 
> > USER   PID %CPU %MEM   VSZ  RSS TTY  STAT START   TIME
> > COMMAND
> > 
> > nobody   17140  1.3 13.1 194984 169432 ? S09:49   3:58 spamd
> > child nobody   18656  1.3 10.4 159208 134328 ? R10:08   3:43
> > spamd child nobody   21371  1.1 12.7 191072 164440 ? S10:38 
> >  2:51 spamd child nobody   21372  1.4 15.1 243424 195616 ? S   
> > 10:38   3:34 spamd child nobody   22331  1.4 22.7 327064 293176 ?   
> >  S10:47   3:32 spamd child nobody   22481  1.2 15.6 242200
> > 201256 ? S10:49   3:10 spamd child
> > 
> > I am averaging 200MB per child.
> > 
> > Here are my other rules:
> > 70_sare_bayes_poison_nxm.cf # snap
> > 70_sare_evilnum0.cf # snap
> > 70_sare_evilnum1.cf # snap
> > 70_sare_evilnum2.cf # snap
> > 70_sare_header0.cf  # snap
> > 70_sare_header1.cf  # snap
> > 70_sare_header2.cf  # snap
> > 70_sare_header3.cf  # snap
> > 70_sare_html.cf # snap
> > 70_sare_obfu0.cf# snap
> > 70_sare_obfu1.cf# snap
> > 70_sare_oem.cf  # snap
> > 70_sare_random.cf   # snap
> > 70_sare_specific.cf # snap
> > 70_sare_unsub.cf# snap
> > 70_sare_uri0.cf # snap
> > 72_sare_redirect_post3.0.0.cf   # snap
> > 99_FVGT_Tripwire.cf 
> > 99_sare_fraud_post25x.cf
> > 
> > 
> > There is a lot of overlap there. What version of SA are you running?
> > Perhaps we should start removing them one at time and see what
> > happens to the memory usage.
> > 
> > Dp.
> > 
> > 
> Version 3.1.1.  I went back to my original list of:
> 
> TRUSTED_RULESETS="SARE_REDIRECT_POST300 SARE_EVILNUMBERS0
> SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_BAYES_POISON_NXM SARE_HTML
> SARE_HEADER SARE_SPECIFIC SARE_ADULT SARE_FRAUD SARE_SPOOF SARE_RANDOM
> SARE_SPAMCOP_TOP200 SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ4
> SARE_GENLSUBJ_ENG SARE_HIGHRISK SARE_UNSUB SARE_URI0 SARE_URI1
> SARE_URI3 SARE_URI_ENG SARE_WHITELIST SARE_WHITELIST_SPF
> SARE_WHITELIST_RCVD SARE_OBFU SARE_OBFU2 SARE_OBFU3 SARE_OBFU4
> TRIPWIRE"
> 
> with the same effect.  I didn't see this issue before, so I suspect
> I'll simply nuke all sare rules, start and start adding them one by
> one.  I'll let you know how it goes =)
> 
> James
> 
> > 
> > On 17 May 2006 at 7:27, James Lay wrote:
> > 
> > > Hello all!
> > > 
> > > Soo.yesterday I decided to get gutsy and use just about all
> > > the rules from SARE.  Here's my rulesdujour config:
> > > 
> > > TRUSTED_RULESETS="ANTIDRUG BLACKLIST BLACKLIST_URI BOGUSVIRUS
> > > RANDOMVAL SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML
> > > SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_FRAUD
> > > SARE_GENLSUBJ SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2
> > > SARE_GENLSUBJ3 SARE_GENLSUBJ_ENG SARE_GENLSUBJ_X30 SARE_HEADER
> > > SARE_HEADER0 SARE_HEADER1 SARE_HEADER2 SARE_HEADER3
> > > SARE_HEADER_ENG SARE_HEADER_X30 SARE_HIGHRISK SARE_HTML SARE_HTML0
> > > SARE_HTML1 SARE_HTML2 SARE_HTML3 SARE_HTML4 SARE_HTML_ENG
> > > SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2 SARE_OBFU3 SARE_OEM
> > > SARE_RANDOM SARE_RATWARE SARE_REDIRECT SARE_REDIRECT_POST300
> > > SARE_SPAMCOP_TOP200 SARE_SPECIFIC SARE_SPOOF SARE_UNSUB SARE_URI0
> > > SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG SARE_WHITELIST
> > > TRIPWIRE"
> > > 
> > > Now here's the output of ps aux:
> > > USER   PID %CPU %MEMVSZ   RSS TTY  STAT START   TIME
> > > COMMAND root  3338 31.6 26.8 287636 277940 ?   Ss   07:24 
> > > 0:39 /usr/bin/spamd -u filter -d -m 10 -r
> > > /home/filter/run/spamd.pid --socketpath=/home/filter/run/spamd
> > > filter3365 19.1 27.1 290940 281204 ?   S07:25   0:14
> > > spamd child filter3366  0.0 26.7 287636 276788 ?   S   
> > > 07:25   0:00 spamd child
> > > 
> > > Is this normal?
> > > 
> > > James
> > 
> > 




spamassassin report

2006-05-17 Thread Javier Marcon



Hello, I have a working spamassassin configuration, and when a mail gets 5
or more of score, it generates a report in English, telling that that mail
is a spam.  How can I configure it to make that report in Spanish instead of
in English?
 
Thanks,
 
Javier.


Re: Minimizing spamd's memory footprint

2006-05-17 Thread James Lay
On Wed, 17 May 2006 15:10:45 +0100
"Dermot Paikkos" <[EMAIL PROTECTED]> wrote:

> I wrote about this yesterday.
> 
> USER   PID %CPU %MEM   VSZ  RSS TTY  STAT START   TIME 
> COMMAND
> 
> nobody   17140  1.3 13.1 194984 169432 ? S09:49   3:58 spamd 
> child
> nobody   18656  1.3 10.4 159208 134328 ? R10:08   3:43 spamd 
> child
> nobody   21371  1.1 12.7 191072 164440 ? S10:38   2:51 spamd 
> child
> nobody   21372  1.4 15.1 243424 195616 ? S10:38   3:34 spamd 
> child
> nobody   22331  1.4 22.7 327064 293176 ? S10:47   3:32 spamd 
> child
> nobody   22481  1.2 15.6 242200 201256 ? S10:49   3:10 spamd 
> child
> 
> I am averaging 200MB per child.
> 
> Here are my other rules:
> 70_sare_bayes_poison_nxm.cf   # snap
> 70_sare_evilnum0.cf   # snap
> 70_sare_evilnum1.cf   # snap
> 70_sare_evilnum2.cf   # snap
> 70_sare_header0.cf# snap
> 70_sare_header1.cf# snap
> 70_sare_header2.cf# snap
> 70_sare_header3.cf# snap
> 70_sare_html.cf   # snap
> 70_sare_obfu0.cf  # snap
> 70_sare_obfu1.cf  # snap
> 70_sare_oem.cf# snap
> 70_sare_random.cf # snap
> 70_sare_specific.cf   # snap
> 70_sare_unsub.cf  # snap
> 70_sare_uri0.cf   # snap
> 72_sare_redirect_post3.0.0.cf # snap
> 99_FVGT_Tripwire.cf   
> 99_sare_fraud_post25x.cf  
> 
> 
> There is a lot of overlap there. What version of SA are you running?
> Perhaps we should start removing them one at time and see what 
> happens to the memory usage.
> 
> Dp.
> 
> 
Version 3.1.1.  I went back to my original list of:

TRUSTED_RULESETS="SARE_REDIRECT_POST300 SARE_EVILNUMBERS0
SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_BAYES_POISON_NXM SARE_HTML
SARE_HEADER SARE_SPECIFIC SARE_ADULT SARE_FRAUD SARE_SPOOF SARE_RANDOM
SARE_SPAMCOP_TOP200 SARE_OEM SARE_GENLSUBJ SARE_GENLSUBJ4
SARE_GENLSUBJ_ENG SARE_HIGHRISK SARE_UNSUB SARE_URI0 SARE_URI1
SARE_URI3 SARE_URI_ENG SARE_WHITELIST SARE_WHITELIST_SPF
SARE_WHITELIST_RCVD SARE_OBFU SARE_OBFU2 SARE_OBFU3 SARE_OBFU4 TRIPWIRE"

with the same effect.  I didn't see this issue before, so I suspect
I'll simply nuke all sare rules, start and start adding them one by
one.  I'll let you know how it goes =)

James

> 
> On 17 May 2006 at 7:27, James Lay wrote:
> 
> > Hello all!
> > 
> > Soo.yesterday I decided to get gutsy and use just about all the
> > rules from SARE.  Here's my rulesdujour config:
> > 
> > TRUSTED_RULESETS="ANTIDRUG BLACKLIST BLACKLIST_URI BOGUSVIRUS
> > RANDOMVAL SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML
> > SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_FRAUD
> > SARE_GENLSUBJ SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2
> > SARE_GENLSUBJ3 SARE_GENLSUBJ_ENG SARE_GENLSUBJ_X30 SARE_HEADER
> > SARE_HEADER0 SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG
> > SARE_HEADER_X30 SARE_HIGHRISK SARE_HTML SARE_HTML0 SARE_HTML1
> > SARE_HTML2 SARE_HTML3 SARE_HTML4 SARE_HTML_ENG SARE_OBFU SARE_OBFU0
> > SARE_OBFU1 SARE_OBFU2 SARE_OBFU3 SARE_OEM SARE_RANDOM SARE_RATWARE
> > SARE_REDIRECT SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200
> > SARE_SPECIFIC SARE_SPOOF SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2
> > SARE_URI3 SARE_URI_ENG SARE_WHITELIST TRIPWIRE"
> > 
> > Now here's the output of ps aux:
> > USER   PID %CPU %MEMVSZ   RSS TTY  STAT START   TIME
> > COMMAND root  3338 31.6 26.8 287636 277940 ?   Ss   07:24  
> > 0:39 /usr/bin/spamd -u filter -d -m 10 -r /home/filter/run/spamd.pid
> > --socketpath=/home/filter/run/spamd filter3365 19.1 27.1 290940
> > 281204 ?   S07:25   0:14 spamd child filter3366  0.0
> > 26.7 287636 276788 ?   S07:25   0:00 spamd child
> > 
> > Is this normal?
> > 
> > James
> 
> 


Re: Minimizing spamd's memory footprint

2006-05-17 Thread Dermot Paikkos
I wrote about this yesterday.

USER   PID %CPU %MEM   VSZ  RSS TTY  STAT START   TIME COMMAND

nobody   17140  1.3 13.1 194984 169432 ? S    09:49   3:58 spamd child
nobody   18656  1.3 10.4 159208 134328 ? R    10:08   3:43 spamd child
nobody   21371  1.1 12.7 191072 164440 ? S    10:38   2:51 spamd child
nobody   21372  1.4 15.1 243424 195616 ? S    10:38   3:34 spamd child
nobody   22331  1.4 22.7 327064 293176 ? S    10:47   3:32 spamd child
nobody   22481  1.2 15.6 242200 201256 ? S    10:49   3:10 spamd child

I am averaging 200MB per child.

Here are my other rules:
70_sare_bayes_poison_nxm.cf     # snap
70_sare_evilnum0.cf             # snap
70_sare_evilnum1.cf             # snap
70_sare_evilnum2.cf             # snap
70_sare_header0.cf              # snap
70_sare_header1.cf              # snap
70_sare_header2.cf              # snap
70_sare_header3.cf              # snap
70_sare_html.cf                 # snap
70_sare_obfu0.cf                # snap
70_sare_obfu1.cf                # snap
70_sare_oem.cf                  # snap
70_sare_random.cf               # snap
70_sare_specific.cf             # snap
70_sare_unsub.cf                # snap
70_sare_uri0.cf                 # snap
72_sare_redirect_post3.0.0.cf   # snap
99_FVGT_Tripwire.cf
99_sare_fraud_post25x.cf


There is a lot of overlap there. What version of SA are you running?
Perhaps we should start removing them one at time and see what 
happens to the memory usage.

Dp.



On 17 May 2006 at 7:27, James Lay wrote:

> Hello all!
> 
> Soo.yesterday I decided to get gutsy and use just about all the
> rules from SARE.  Here's my rulesdujour config:
> 
> TRUSTED_RULESETS="ANTIDRUG BLACKLIST BLACKLIST_URI BOGUSVIRUS
> RANDOMVAL SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_EVILNUMBERS0
> SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_FRAUD SARE_GENLSUBJ
> SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3
> SARE_GENLSUBJ_ENG SARE_GENLSUBJ_X30 SARE_HEADER SARE_HEADER0
> SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG SARE_HEADER_X30
> SARE_HIGHRISK SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3
> SARE_HTML4 SARE_HTML_ENG SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2
> SARE_OBFU3 SARE_OEM SARE_RANDOM SARE_RATWARE SARE_REDIRECT
> SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_SPECIFIC SARE_SPOOF
> SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG
> SARE_WHITELIST TRIPWIRE"
> 
> Now here's the output of ps aux:
> USER   PID %CPU %MEMVSZ   RSS TTY  STAT START   TIME
> COMMAND root  3338 31.6 26.8 287636 277940 ?   Ss   07:24  
> 0:39 /usr/bin/spamd -u filter -d -m 10 -r /home/filter/run/spamd.pid
> --socketpath=/home/filter/run/spamd filter3365 19.1 27.1 290940
> 281204 ?   S07:25   0:14 spamd child filter3366  0.0 26.7
> 287636 276788 ?   S07:25   0:00 spamd child
> 
> Is this normal?
> 
> James




Re: unsubscribe

2006-05-17 Thread Richard Collyer

Jeremy wrote:
unsubscribe 








send e-mail to [EMAIL PROTECTED]


Re: Delete spam or move to a folder?

2006-05-17 Thread NM Public

On 2006-05-17, Yusuf Ahmed wrote:
Couldn't find a thread like this hence this new one. Just 
wondering what strategy people are using when it comes to 
dealing with email that gets enough points to be considered as 
spam. Eg. being deleted and quarantined, or delivered and 
quarantined etc.



I put everything with a score of 2 (yes 2) or more in a MaybeSpam 
mailbox. I then greenlist (aka whitelist) any non-spam message 
that is delivered to the MaybeSpam mailbox. I do not use Bayes. 
Details about my system are in these 2 messages:


  Using a MaybeSpam Mailbox
  

  Server-Side Address Books and Server-Side Greenlists
  

Hope this helps,
Feedback is welcome!
 Nancy
  (sent via gmane.mail.spam.spamassassin.general)

--
  Nancy McGough
  Infinite Ink: 
  Bookmarks & Blog:  



Minimizing spamd's memory footprint

2006-05-17 Thread James Lay
Hello all!

Soo.yesterday I decided to get gutsy and use just about all the
rules from SARE.  Here's my rulesdujour config:

TRUSTED_RULESETS="ANTIDRUG BLACKLIST BLACKLIST_URI BOGUSVIRUS RANDOMVAL
SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_EVILNUMBERS0
SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_FRAUD SARE_GENLSUBJ
SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3
SARE_GENLSUBJ_ENG SARE_GENLSUBJ_X30 SARE_HEADER SARE_HEADER0
SARE_HEADER1 SARE_HEADER2 SARE_HEADER3 SARE_HEADER_ENG SARE_HEADER_X30
SARE_HIGHRISK SARE_HTML SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3
SARE_HTML4 SARE_HTML_ENG SARE_OBFU SARE_OBFU0 SARE_OBFU1 SARE_OBFU2
SARE_OBFU3 SARE_OEM SARE_RANDOM SARE_RATWARE SARE_REDIRECT
SARE_REDIRECT_POST300 SARE_SPAMCOP_TOP200 SARE_SPECIFIC SARE_SPOOF
SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_URI3 SARE_URI_ENG
SARE_WHITELIST TRIPWIRE"

Now here's the output of ps aux:
USER   PID %CPU %MEM    VSZ   RSS TTY  STAT START   TIME COMMAND
root  3338 31.6 26.8 287636 277940 ?   Ss   07:24   0:39 /usr/bin/spamd -u filter -d -m 10 -r /home/filter/run/spamd.pid --socketpath=/home/filter/run/spamd
filter    3365 19.1 27.1 290940 281204 ?   S    07:25   0:14 spamd child
filter    3366  0.0 26.7 287636 276788 ?   S    07:25   0:00 spamd child

Is this normal?

James


unsubscribe

2006-05-17 Thread Jeremy
unsubscribe 


UTF-8?

2006-05-17 Thread Candee Vaglica



I have SA 3.1.1 running on RH 9.0.
I'm using
rewrite_header Subject --SPAM [SA-_SCORE_]

I then filter the mail with my gateway product.

The problem is that some of the messages have invalid characters in the
subject line; and the filtering software allows it through; even though the
subject and score have been changed.

Subject: --SPAM [SA-9.4] John, Make up to =?UTF8?Q?=24?=6,239 a month

Has anyone else seen this? Any ideas?
 


RE: problem with using SARE rules, names longer than 22 chars

2006-05-17 Thread James E. Pratt
 


-Original Message-
From: Jo [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 17, 2006 9:05 AM
To: Matt Kettler
Cc: users@spamassassin.apache.org
Subject: Re: problem with using SARE rules, names longer than 22 chars

Matt Kettler wrote:
> Jo wrote:
>   
>> Hi,
>>
>> We're using spamassassin-3.0.5-3.el4 with amavisd-new-2.4.1-1.el4.rf.
>> Since yesterday I'm receiving this message when downloading the SARE
>> rules:
>>
>> ***WARNING***: spamassassin --lint failed.
>> Rolling configuration files back, not restarting SpamAssassin.
>> Rollback command is:  mv -f
>> /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf
>> /etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.2;
mv
>> -f
>>
/etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.2006051
7-0758
>> /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf; mv -f
>> /etc/mail/spamassassin/70_sare_header0.cf
>> /etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.2; mv -f
>> /etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.20060517-0758
>> /etc/mail/spamassassin/70_sare_header0.cf;
>>
>> Lint output: warning: rule 'SARE_MULT_SEXCLUBGMAILA' is over 22 chars
>> warning: rule 'SARE_BOUNDARY_0264192082' is over 22 chars
>> warning: rule 'SARE_MSGID_HEX30XIDSRVR' is over 22 chars
>> warning: rule 'SARE_BOUNDARY_D118112147' is over 22 chars
>> warning: rule 'SARE_HEAD_MIME_INVALID32' is over 22 chars
>> warning: rule 'SARE_MULT_SUBJR_XBNCETR' is over 22 chars
>> warning: rule 'SARE_FROM_SPAM_NAME2A177' is over 22 chars
>> lint: 7 issues detected.  please rerun with debug enabled for more
>> information.
>>
>> Are these simply problems with the names? 
>> 
> Yes, but it's not really a problem.
>   
Thanks for your answer. I only saw after I sent the mail that they were 
only warnings and not errors. I'm a bit less worried now. I thought I 
had a version mismatch or something like that.
>> Would it help if I shortened those names?
>> 
> You could, or you could wait until SARE fixes the rules.
>   
Still it seems to strange to arbitrarily limit the length of those names
to 22 characters.
>> Am I really the only one who is having this problem?
>> 
> I haven't noticed it yet.
>   

I had the same problem with sa 3.04

Anyhow, I solved it by changing the trusted ruleset entry
"SARE_HEADER_0" to "SARE_HEADER_X31" as advised on rulesemporium.com,
and all works fine now.

regards,
Jamie


Re: problem with using SARE rules, names longer than 22 chars

2006-05-17 Thread Jo

Matt Kettler wrote:

Jo wrote:
  

Hi,

We're using spamassassin-3.0.5-3.el4 with amavisd-new-2.4.1-1.el4.rf.
Since yesterday I'm receiving this message when downloading the SARE
rules:

***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv -f
/etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf
/etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.2; mv
-f
/etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.20060517-0758
/etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf; mv -f
/etc/mail/spamassassin/70_sare_header0.cf
/etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.2; mv -f
/etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.20060517-0758
/etc/mail/spamassassin/70_sare_header0.cf;

Lint output: warning: rule 'SARE_MULT_SEXCLUBGMAILA' is over 22 chars
warning: rule 'SARE_BOUNDARY_0264192082' is over 22 chars
warning: rule 'SARE_MSGID_HEX30XIDSRVR' is over 22 chars
warning: rule 'SARE_BOUNDARY_D118112147' is over 22 chars
warning: rule 'SARE_HEAD_MIME_INVALID32' is over 22 chars
warning: rule 'SARE_MULT_SUBJR_XBNCETR' is over 22 chars
warning: rule 'SARE_FROM_SPAM_NAME2A177' is over 22 chars
lint: 7 issues detected.  please rerun with debug enabled for more
information.

Are these simply problems with the names? 


Yes, but it's not really a problem.
  
Thanks for your answer. I only saw after I sent the mail that they were 
only warnings and not errors. I'm a bit less worried now. I thought I 
had a version mismatch or something like that.

Would it help if I shortened those names?


You could, or you could wait until SARE fixes the rules.
  
Still it seems to strange to arbitrarily limit the length of those names 
to 22 characters.

Am I really the only one who is having this problem?


I haven't noticed it yet.
  
That's odd if you are also using the SARE rules. Those names should be 
just as long on your system as they are on mine...


Cheers,

Jo


RE: Delete spam or move to a folder?

2006-05-17 Thread Bowie Bailey
Ed Kasky wrote:
> 
> After reading quite a few opinions on this list I have come to the
> conclusion that if I delete an email sight unseen, how do I know
> that I am  deleting a legitimate email?  

You don't.  That is why quite a few people (myself included) prefer to
deliver everything and let the user be responsible for checking their
spam folder for false positives.

In the case of users who receive tons of spam, I will drop spam
messages with very high scores (15-20), but I am sure to stress to the
user that there is still a possibility of losing real email.  I prefer
to be conservative on this, but in reality, I have yet to see a valid
email score higher than 10.

-- 
Bowie


Re: Delete spam or move to a folder?

2006-05-17 Thread Will Nordmeyer
Craig,

How do you have procmail set up to deliver to the spam vs. likely spam 
folders?

I have mine configured to folder anything with SPAM-STATUS: Yes (or 
whatever that flag is)... but have been wondering about setting it up 
to automatically delete anything scored in the 20+ range (for example) 
and then save others so that they can be reviewed.

--Will

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Yusuf Ahmed wrote:
> > Hi Guys,
> >  
> > Couldn't find a thread like this hence this new one. Just wondering what
> > strategy people are using when it comes to dealing with email that gets
> > enough points to be considered as spam. Eg. being deleted and
> > quarantined, or delivered and quarantined etc.
> >
> > I'm using store and deliver - is that the general concept out there with
> > everyone?
> >
> > Regards,
> > Yusuf.
>
> Hey Yusuf.
> Everything received here gets delivered, and procmail sorts the spam and
> likely-spam into different folders.
> This means we can quickly see misfires either way, and has the added
> benefit over milter-level bounces that bayes gets to see everything too.
> 
> C.
> 
> --
> Craig McLean  http://fukka.co.uk
> [EMAIL PROTECTED] Where the fun never starts
>   Powered by FreeBSD, and GIN!
> 
> 
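
The tiered handling discussed in this thread (file everything tagged as spam into a folder, discard only above a high cut-off, review the lowest scores first), as an added example that is not from any poster: a Python filter that reads the X-Spam-Status header SpamAssassin adds. The 20-point cut-off, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

DISCARD_AT = 20.0  # assumed cut-off; posters in the thread use 11 to 20
# "Yes, score=23.4 required=5.0 ..."; older SpamAssassin releases wrote hits= for score=
_STATUS = re.compile(r"\s*(Yes|No)\b.*?\b(?:score|hits)=(-?\d+(?:\.\d+)?)", re.I | re.S)


def triage(raw, discard_at=DISCARD_AT):
    """Return (action, score); action is 'inbox', 'spam-folder' or 'discard'."""
    found = message_from_string(raw).get_all("X-Spam-Status") or []
    m = _STATUS.match(found[0]) if len(found) == 1 else None
    if m is None:
        # Unscanned, duplicated or unparsable header: deliver, never drop.
        return ("inbox", None)
    score = float(m.group(2))
    if m.group(1).lower() == "no":
        return ("inbox", score)
    return ("discard" if score >= discard_at else "spam-folder", score)


def digest(raw_messages):
    """Rows for what reached the spam folder, lowest score first, so a
    likely false positive sits at the top of the review list."""
    rows = []
    for raw in raw_messages:
        action, score = triage(raw)
        if action == "spam-folder":
            msg = message_from_string(raw)
            rows.append((score, msg.get("From", ""), msg.get("Subject", "")))
    return sorted(rows)


def sample_mail(status, sender, subject):
    """Build a constructed sample message (not real traffic)."""
    head = f"From: {sender}\nSubject: {subject}\n"
    if status is not None:
        head += f"X-Spam-Status: {status}\n"
    return head + "\nbody\n"


SAMPLES = [  # constructed inputs
    sample_mail("Yes, score=23.4 required=5.0 tests=BAYES_99,\n\tURIBL_SBL", "a@example.net", "pills"),
    sample_mail("Yes, score=6.1 required=5.0 tests=BAYES_80", "billing@example.org", "Pending invoice"),
    sample_mail("Yes, hits=11.7 required=5.0", "b@example.net", "watches"),
    sample_mail("No, score=-1.2 required=5.0", "friend@example.com", "lunch"),
    sample_mail(None, "list@example.com", "unscanned"),
    sample_mail("garbage", "c@example.net", "odd header"),
]
```

Passing a lower `discard_at` (for example 11.0) reproduces the stricter policy some posters describe; the digest rows are what a daily summary mail would list.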




Re: problem with using SARE rules, names longer than 22 chars

2006-05-17 Thread Matt Kettler
Jo wrote:
> Hi,
>
> We're using spamassassin-3.0.5-3.el4 with amavisd-new-2.4.1-1.el4.rf.
> Since yesterday I'm receiving this message when downloading the SARE
> rules:
>
> ***WARNING***: spamassassin --lint failed.
> Rolling configuration files back, not restarting SpamAssassin.
> Rollback command is:  mv -f
> /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf
> /etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.2; mv
> -f
> /etc/mail/spamassassin/RulesDuJour/72_sare_redirect_post3.0.0.cf.20060517-0758
> /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf; mv -f
> /etc/mail/spamassassin/70_sare_header0.cf
> /etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.2; mv -f
> /etc/mail/spamassassin/RulesDuJour/70_sare_header0.cf.20060517-0758
> /etc/mail/spamassassin/70_sare_header0.cf;
>
> Lint output: warning: rule 'SARE_MULT_SEXCLUBGMAILA' is over 22 chars
> warning: rule 'SARE_BOUNDARY_0264192082' is over 22 chars
> warning: rule 'SARE_MSGID_HEX30XIDSRVR' is over 22 chars
> warning: rule 'SARE_BOUNDARY_D118112147' is over 22 chars
> warning: rule 'SARE_HEAD_MIME_INVALID32' is over 22 chars
> warning: rule 'SARE_MULT_SUBJR_XBNCETR' is over 22 chars
> warning: rule 'SARE_FROM_SPAM_NAME2A177' is over 22 chars
> lint: 7 issues detected.  please rerun with debug enabled for more
> information.
>
> Are these simply problems with the names?

Yes, but it's not really a problem.

> Would it help if I shortened those names?

You could, or you could wait until SARE fixes the rules.

> Am I really the only one who is having this problem?

I haven't noticed it yet.




Re: spamassasin and mysql

2006-05-17 Thread Javier Marcon
Yes, also the script configtest.pl from Maia (that tests that), returns
this:

javiermarcon:/var/amavisd/maia/scripts# ./configtest.pl

MAIA MAILGUARD CONFIGURATION TEST

This script checks for the presence of applications and Perl modules
required by amavisd-maia, SpamAssassin, and Maia Mailguard's maintenance
scripts.  Version numbers are also checked, and if a newer version of
a component is recommended, you should consider upgrading to at least
the minimum recommended version.

If you have already configured your Maia Mailguard database, the script
will also test the connection to that database.

Remember also to run the configtest.php script on your web server to
perform similar tests of your web, PHP, and PEAR environment.

Application/Module     Version   Status

Perl                 :    5.8.4 : OK
file(1)              :     4.12 : OK
Archive::Tar         :     1.23 : OK
Archive::Zip         :     1.14 : OK
BerkeleyDB           :      N/A : NOT INSTALLED (Maia Mailguard's optional caching feature requires this)
Compress::Zlib       :     1.41 : OK
Convert::TNEF        :     0.17 : OK
Convert::UUlib       :     1.06 : OK
Crypt::Blowfish      :     2.10 : OK
Crypt::CBC           :     2.17 : OK
Crypt::OpenSSL::RSA  :     0.23 : OK
Data::UUID           :     0.14 : OK
DB_File              :    1.808 : OK
DBD::mysql           :   2.9006 : OK
DBD::Pg              :      N/A : NOT INSTALLED (required if you use PostgreSQL as your Maia Mailguard database)
DBI                  :     1.50 : OK
Digest::MD5          :     2.33 : OK
Digest::SHA1         :     2.10 : OK
File::Spec           :     0.87 : OK
HTML::Parser         :     3.45 : OK
HTTP::Date           :     1.47 : OK
IO::Stringy          :    2.110 : OK
IO::Zlib             :     1.04 : OK
IP::Country          :     2.21 : OK
LWP::UserAgent       :    2.033 : OK
Mail::Address        :     1.62 : OK
Mail::DomainKeys     :     0.80 : OK
Mail::Internet       :     1.62 : OK
Mail::SpamAssassin   :    3.1.0 : OK
Mail::SPF::Query     :  1.999.1 : OK
MIME::Base64         :     3.04 : OK
MIME::Parser         :    5.420 : OK
MIME::QuotedPrint    :     3.03 : OK
Net::CIDR::Lite      :     0.20 : OK
Net::DNS             :     0.57 : OK
Net::Server          :     0.90 : UPGRADE RECOMMENDED (minimum version 0.93)
Net::SMTP            :     2.29 : OK
Pod::Usage           :     1.16 : OK
Template             :     2.14 : OK
Time::HiRes          :     1.59 : OK
Unix::Syslog         :    0.100 : OK
URI                  :     1.35 : OK

Database DSN test: PASSED

javiermarcon:/var/amavisd/maia/scripts#

Also I was able to import data to that database using the script
convert_awl_dbm_to_sql that exports the whitelist from spamassassin to the
database.

Thanks,

Javier.
- Original Message -
From: "Craig Morrison" <[EMAIL PROTECTED]>
To: "Javier Marcon" <[EMAIL PROTECTED]>
Cc: 
Sent: Wednesday, May 17, 2006 3:21 AM
Subject: Re: spamassasin and mysql


> Javier Marcon wrote:
> > Can't connect to data source mysql:usuarios:localhost, no database
> > driver specified and DBI_DSN env var not set at
> > /usr/share/perl5/Mail/SpamAssassin/BayesStore/SQL.pm line 141
>
> Are you sure DBI/DBD got installed correctly?
>
> --
> Craig
>
>



Re: Delete spam or move to a folder?

2006-05-17 Thread Ed Kasky


At 11:28 PM Tuesday, 5/16/2006, Yusuf Ahmed wrote -=>

> Hi Guys,
>
> Couldn't find a thread like this hence this new one. Just wondering what
> strategy people are using when it comes to dealing with email that gets
> enough points to be considered as spam. Eg. being deleted and
> quarantined, or delivered and quarantined etc.
>
> I'm using store and deliver - is that the general concept out there with
> everyone?

After reading quite a few opinions on this list I have come to the
conclusion that if I delete an email sight unseen, how do I know that I
am deleting a legitimate email?

Ed

. . . . . . . . . . . . . . . . . .
Randomly Generated Quote (752 of 1050):
Nothing contributes more to peace of soul than having
no opinion at all.  - George Christopher Lichtenberg




Re: Increase overall preformance

2006-05-17 Thread Clay Davis
With the subject as it is; did anyone's filter kick this as spam?  :-)
Clay

>>> "jdow" <[EMAIL PROTECTED]> 5/17/2006 12:11 am >>>
From: "Benjamin Adams" <[EMAIL PROTECTED]>

> In four days,
> SpamAssassin marked 1477 messages and missed 755 that were spam.
> 
> I have my Required set to 5
> 
> what is the variable to drop the required in 3.1?
> Is it still required_score?
> 
> 
> Is there something else I can do to help the overall performance?

SARE rule sets come to mind. Some careful Bayes training comes to mind.
Using SURBL comes to mind.

{^_^}



FP with FORGED_HOTMAIL_RCVD

2006-05-17 Thread Dhawal Doshy
Running SA 3.1.1 on centos 4.3 with original rules (no sa-update).. The 
mail is genuine ham. Are more details required??


Received: from bay0-omc1-s5.bay0.hotmail.com (unknown [65.54.246.77])
 by mx1.netmagicians.com (Postfix) with ESMTP id 00D46CB9E2
 for <[EMAIL PROTECTED]>; Tue, 16 May 2006 19:04:28 +0530 (IST)
Received: from BAY111-W8 ([64.4.17.108]) by bay0-omc1-s5.bay0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.211); Tue, 16 May 2006 06:34:34 -0700
X-Originating-IP: [xxx.xx.xx.xxx]
X-Originating-Email: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
From: "Full Name" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Pending invoice in domain control panel..
Date: Tue, 16 May 2006 19:04:34 +0530
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
X-OriginalArrivalTime: 16 May 2006 13:34:34.0982 (UTC)
 FILETIME=[786FE860:01C678ED]


- dhawal


Re: Delete spam or move to a folder?

2006-05-17 Thread jdow

Encapsulate the message. Rewrite the header to include the score (NNN.D).
Sort all spam into a spam folder in the MUA. Sort the spam by subject and
double check the low scores while chortling over the high scores.

{^_^}
- Original Message - 
From: "Sietse van Zanen" <[EMAIL PROTECTED]>



My strategy is to reject any messages that have a high score (+11). Mail with scores
between 6 and 11 gets delivered with the report_safe option (original message as
attachment). The rewritten body contains a message to be careful opening the attachment
and to only do so when it is sure it has been unjustly tagged as spam.

This works fine for me and my users (who are all quite educated). When you have less
able users, it would probably be better to deliver spam in a special location only
administrators can access.

Of course scoring depends on what checks you run, so this might need fine-tuning. I run
most checks (URIBL, RAZOR2, DCC, BAYES, DNSBL).


-Sietse



From: Yusuf Ahmed [mailto:[EMAIL PROTECTED]

Hi Guys,

Couldn't find a thread like this hence this new one. Just wondering what strategy people 
are using when it comes to dealing with email that gets enough points to be considered as 
spam. Eg. being deleted and quarantined, or delivered and quarantined etc.


I'm using store and deliver - is that the general concept out there with 
everyone?

Regards,
Yusuf. 



Re: Delete spam or move to a folder?

2006-05-17 Thread Craig McLean
Yusuf Ahmed wrote:
> Hi Guys,
>  
> Couldn't find a thread like this hence this new one. Just wondering what
> strategy people are using when it comes to dealing with email that gets
> enough points to be considered as spam. Eg. being deleted and
> quarantined, or delivered and quarantined etc.
>  
> I'm using store and deliver - is that the general concept out there with
> everyone?
>  
> Regards,
> Yusuf.

Hey Yusuf.
Everything received here gets delivered, and procmail sorts the spam and
likely-spam into different folders.
This means we can quickly see misfires either way, and has the added
benefit over milter-level bounces that bayes gets to see everything too.

C.

--
Craig McLean  http://fukka.co.uk
[EMAIL PROTECTED]   Where the fun never starts
Powered by FreeBSD, and GIN!


RE: Delete spam or move to a folder?

2006-05-17 Thread Sietse van Zanen
My strategy is to reject any messages that have a high score (+11). Mail with 
scores between 6 and 11 gets delivered with the report_safe option (original 
message as attachment). The rewritten body contains a message to be careful 
opening the attachment and to only do so when it is sure it has been unjustly 
tagged as spam.
 
This works fine for me and my users (who are all quite educated). When you 
have less able users, it would probably be better to deliver spam in a special 
location only administrators can access.
 
Of course scoring depends on what checks you run, so this might need 
fine-tuning. I run most checks (URIBL, RAZOR2, DCC, BAYES, DNSBL).
 
-Sietse



From: Yusuf Ahmed [mailto:[EMAIL PROTECTED]
Sent: Wed 17-May-06 8:28
To: users@spamassassin.apache.org
Subject: Delete spam or move to a folder?


Hi Guys,
 
Couldn't find a thread like this hence this new one. Just wondering what 
strategy people are using when it comes to dealing with email that gets enough 
points to be considered as spam. Eg. being deleted and quarantined, or 
delivered and quarantined etc.
 
I'm using store and deliver - is that the general concept out there with 
everyone?
 
Regards,
Yusuf.