Re: [SPAM-TAG] Why is this not seen as spam?

2006-06-07 Thread Jeff Chan
On Wednesday, June 7, 2006, 11:33:52 PM, Tomas NW7US wrote:
> The following is a sample of mail that seems to pass through spamassassin,
> but somehow seems to get marked as "ham" as it is tested for spam  
> content.  I am not able to figure out why this is happening.

Try using the SARE stock rules:

  http://www.rulesemporium.com/rules.htm

> The one major issue I keep having with my server is with e-mail.  I  
> suspect that my sendmail is an open gate for spammers, though not in high  
> volume.  I think that I have curtailed a lot of it, but still see strange  
> things, that I am trying to track down.  This one is not an open gate  
> issue, but is still driving me nuts...

If your sendmail is recent (past few years) it won't be open
relay by default.  If it's not current, upgrade.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Another example...

2006-06-07 Thread NW7US, Tomas
Here are headers from another example of spam, that is marked STRONGLY as  
NOT being spam.  What is VERY interesting about THIS one, is that it seems  
to actually be FROM me!!!  However, it made its rounds on other servers,  
first.  Is it possible someone is spoofing my email address??  Or, is  
there a gateway e-mail hole on my server?


Here are the headers: (and, I deleted my whitelists, like the auto learn  
one, etc.)



Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on helios.hfradio.org
X-Spam-Level:
X-Spam-Status: No, score=-86.2 required=1.0 tests=HTML_MESSAGE,
    MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,RCVD_ILLEGAL_IP,
    RCVD_NUMERIC_HELO,UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL,
    URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST
    autolearn=no version=3.1.3
Received: from 60.234.111.150 ([60.234.111.150]) by helios.hfradio.org
    (8.12.11/8.12.11) with ESMTP id k586UPVE019859 for
    <[EMAIL PROTECTED]>; Wed, 7 Jun 2006 23:30:28 -0700
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Thu, 08 Jun 2006 18:36:11 +1200
Received: from [242.112.30.100] (helo=86678721) by 60.234.111.150
    with smtp (Exim 4.60 (FreeBSD)) (envelope-from <[EMAIL PROTECTED]>)
    id W3mNJ-2xnyDQA-8Kx for [EMAIL PROTECTED]; Thu, 08 Jun 2006 18:36:11 +1200
Received: from gallery48.freeserve.co.uk (02055232 [17238173668])
    by 124.1.211.112 (Qmailv1) with ESMTP id 0FJ2Y8TBN for
    <[EMAIL PROTECTED]>; Thu, 08 Jun 2006 17:36:07 +1200
Date: Thu, 08 Jun 2006 17:36:07 +1200
From: "Jon R. Pirrello Jr" <[EMAIL PROTECTED]>
X-Mailer: The Bat! (v2.12.00) Personal
X-Priority: 3
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: General health store
X-IMAPbase: 1148015368 4545
Status: O
X-UID: 4545
Content-Length: 11005
X-Keywords:
X-Antivirus: AVG for E-mail 7.1.394 [268.8.2/357]
Mime-Version: 1.0
Content-Type: multipart=mixed;
    b0undary="===AVGMAIL-4487C4C83823==="


(I changed the last header, in case it might cause a problem... the message
has an attachment that contained a virus or trojan.)



I could really use some help in figuring out how to end this sort of  
activity.


Thanks,

73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )

: Propagation Editor for CQ, CQ VHF, Popular Communications :
: Creator; live propagation center http://prop.hfradio.org/ :
: Associate Member of Propagation Studies Committee of RSGB :
: 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
: 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
: Technical Writer for http://entirenet.net  (Microsoft KB) :
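The -86.2 in the first sample is what a spoofed sender looks like when it lands on a whitelist: USER_IN_WHITELIST scores -100 in SpamAssassin 3.1 and swamps the RCVD_* and URIBL_* hits that a forged From: cannot influence, which is why whitelist_from_rcvd (which also checks the sending relay) is the safer form of that entry. The Python below is an added example, not from the thread, that pulls those signals out of the quoted headers; the addresses in it are constructed placeholders.

```python
"""Added example (not from the thread): unfold SpamAssassin's X-Spam-Status
header and flag messages whose negative score comes from a whitelist rule
sitting on top of evidence a forged From: cannot influence, as in the
-86.2 sample above. Addresses below are constructed placeholders."""
import re

# Constructed from the first sample's headers; folded over several lines
# the way the original was.
WHITELISTED_SPAM = """\
X-Spam-Status: No, score=-86.2 required=1.0 tests=HTML_MESSAGE,
    MIME_HTML_ONLY,MIME_HTML_ONLY_MULTI,MPART_ALT_DIFF,RCVD_ILLEGAL_IP,
    RCVD_NUMERIC_HELO,UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL,
    URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST
    autolearn=no version=3.1.3
From: "Jon R. Pirrello Jr" <tomas@example.org>
To: tomas@example.org
"""

# Constructed from the second sample (the stock-pump message).
UNSCORED_SPAM = """\
X-Spam-Status: No, score=0.0 required=1.0 tests=UNPARSEABLE_RELAY,
    UPPERCASE_25_50 autolearn=ham version=3.1.3
From: "Guiana V. Darkness" <sender@example.net>
To: Tomas <tomas@example.org>
"""

# Stock SA 3.1 rules that fire on whitelist_from / whitelist_to / all_spam_to,
# i.e. on header addresses the sender writes, so a spoofed From: trips them.
WHITELIST_TESTS = {"USER_IN_WHITELIST", "USER_IN_WHITELIST_TO", "USER_IN_ALL_SPAM_TO"}

# Rules driven by the connecting relay (RCVD_*) or by URIs in the body
# (URIBL_*), which a forged From: header does nothing to change.
HARD_EVIDENCE = re.compile(r"^(URIBL_|RCVD_IN_|RCVD_ILLEGAL_IP$|RCVD_NUMERIC_HELO$)")


def unfold(raw):
    """Join RFC 2822 folded header lines into a {name: value} dict."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()      # continuation line
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def parse_spam_status(value):
    """Return (is_spam, score, required, [tests]) from an X-Spam-Status value."""
    m = re.match(r"(Yes|No),\s*score=(-?[\d.]+)\s+required=([\d.]+)\s+"
                 r"tests=(.*?)\s+autolearn=", value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: " + value)
    tests = [t for t in re.split(r"[,\s]+", m.group(4)) if t]
    return m.group(1) == "Yes", float(m.group(2)), float(m.group(3)), tests


def hard_evidence(tests):
    """The subset of fired rules that a spoofed From: cannot have caused."""
    return [t for t in tests if HARD_EVIDENCE.match(t)]


def whitelist_override(headers, min_hard=3):
    """True when a whitelist rule pushed a message under the threshold even
    though at least min_hard relay/URI rules fired: the signature of a
    whitelist_from entry matched by a forged sender."""
    _, score, required, tests = parse_spam_status(headers["X-Spam-Status"])
    return (bool(WHITELIST_TESTS.intersection(tests))
            and len(hard_evidence(tests)) >= min_hard
            and score < required)


def _address(value):
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).strip().lower()


def from_is_self(headers):
    """True when From: carries the recipient's own address, which is what the
    first sample shows and is consistent with simple sender spoofing."""
    return _address(headers["From"]) == _address(headers["To"])


if __name__ == "__main__":
    for label, raw in (("whitelisted", WHITELISTED_SPAM), ("unscored", UNSCORED_SPAM)):
        h = unfold(raw)
        print(label, parse_spam_status(h["X-Spam-Status"])[1],
              "override" if whitelist_override(h) else "no override",
              "from=self" if from_is_self(h) else "from=other")
```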


Why is this not seen as spam?

2006-06-07 Thread NW7US, Tomas

Hi.

The following is a sample of mail that seems to pass through spamassassin,  
but somehow seems to get marked as "ham" as it is tested for spam  
content.  I am not able to figure out why this is happening.


If anyone could lend some insight on this, I'd appreciate it.

The one major issue I keep having with my server is with e-mail.  I  
suspect that my sendmail is an open gate for spammers, though not in high  
volume.  I think that I have curtailed a lot of it, but still see strange  
things, that I am trying to track down.  This one is not an open gate  
issue, but is still driving me nuts...


Thanks, in advance, for any help you might be able to offer.

First, I will show you the header information, then the body (at least a  
reasonable copy of the message).


Headers:


Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on my.server.domain.org
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=1.0 tests=UNPARSEABLE_RELAY,
    UPPERCASE_25_50 autolearn=ham version=3.1.3
Received: from 143000144 (host-213-213-227-17.brutele.be [213.213.227.17])
    by my.server.domain.org (8.12.11/8.12.11) with SMTP id k581jZvD024979
    for <[EMAIL PROTECTED]>; Wed, 7 Jun 2006 18:46:32 -0700
Received: from gms0.mar.lmco.com (142854568 [142884056])
    by host-213-213-227-17.brutele.be (Qmailv1) with ESMTP id D1E9EE1BD9
    for <[EMAIL PROTECTED]>; Wed, 07 Jun 2006 20:48:40 -0500
Date: Wed, 07 Jun 2006 20:48:40 -0500
From: "Guiana V. Darkness" <[EMAIL PROTECTED]>
X-Mailer: The Bat! (v2.00.8) Personal
X-Priority: 3
Message-ID: <[EMAIL PROTECTED]>
To: Tomas <[EMAIL PROTECTED]>
Subject: did the please 's ROI inform CLIFFORD 's penny
X-AntiVirus: skaner antywirusowy poczty Wirtualnej Polski S. A.
Status: O
X-UID: 656
Content-Length: 1248
X-Keywords:
X-Antivirus: AVG for E-mail 7.1.394 [268.8.2/357]
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain


(I think that the AVG header is from my local box which is used to pop3  
the message from my server.  AVG is used locally on all incoming mail from  
my pop mailbox).


Now, the body:


WE TOLD YOU TO WATCH!!!
IT'S STILL NOT TOO LATE! TRADING ALERT!!! Timing is everything!!!
Profits of 200-400% EXPECTED TRADING SYMB0L: ABSY Opening Price: 0.98
Yes, it is MOVING, Tomorrow could be even BIGGER!!! A $1,000 dollar
investment could yield a $5,000 dollar profit in just one trade if you
trade out at the top. ABSY should be one of the most profitable ST0CKs
to trade this year. In this range the ST0CK has potential to move in
either direction in big swings. This means you should be able to buy at
the lows and sell at the highs for months to come. YOU COULD MAKE
$$$THOUSANDS OF DOLLARS$$$ TRADING. THIS OVER AND OVER AGAIN. ABSY is
also on The REG SHO Threshold list, this means someone is short the
ST0CK. Any significant volume spike could yield drastic results. If the
people that are short have to cover, they will be buying the shares from
you at higher prices. This makes this ST0CK a TRIPLE PLAY for profits.
For pennies you can participate in a ST0CK that could yield results over
and over again just based on the trading patterns if the company is able
to effectuate it's business model. WATCH OUT!!! We could see a GREAT
STORY IN THE MAKING. GOOD LUCK AND TRADE OUT AT THE TOP

  --No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.2/357 - Release Date: 6/6/2006


--

73 de Tomas, NW7US ( http://ic-discipleship-ministries.org/ )

: Propagation Editor for CQ, CQ VHF, Popular Communications :
: Creator; live propagation center http://prop.hfradio.org/ :
: Associate Member of Propagation Studies Committee of RSGB :
: 122.93W 47.67N / Brinnon, Washington USA CN87 CW/SSB/DIGI :
: 10x56526, FISTS 7055, FISTS NW 57, Lighthouse Society 144 :
: Technical Writer for http://entirenet.net  (Microsoft KB) :


RE: is there a way to block email coming from

2006-06-07 Thread Gary W. Smith
SORBS decided last week to list all of the IP's in my ISP's range as
"Dialup".  SORBS removed them without any problem but these IP's are
provisioned to my ISP from Level-3.  They've done this twice in two
years now.

How do they decide to change the status of these IP's on a given day?
The IP's in question even have a reverse lookup to the ISP that doesn't
contain .biz, dialup, or any other generic method of identification.

I have been losing faith in these RBL companies but not as fast as I
have been in the ISP's that are rejecting our outbound mail.

We discovered this because one of our clients sent an email from his
office to his home account and got a bounce back saying he was a
spammer.  He was irritated as his home account is also on a custom
domain through another company.  They just took it upon themselves to
reject his mail.  We on the other hand mark it up and pass it on.

So my rant now is SORBS is starting to suck...  

> -Original Message-
> From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 07, 2006 10:18 PM
> To: [EMAIL PROTECTED] Apache. Org
> Subject: Re: is there a way to block email coming from
> 
> On 6/8/2006 12:05 AM, Greg Allen wrote:
> >> However, the ISP dynamic address tests *do* belong in the MTA RBL
> >> checks. The fraction of legitimate emails received from dynamic-IP
> >> hosts is vanishingly small compared to the tens or hundreds of
> >> thousands of compromised Windows boxen spewing spam and viruses...
> >
> > Sorry to poke in on the thread, but I disagree.
> >
> > Most small start-up businesses buy business class DSL these days with 1-5
> > fixed IP addresses. They often have small firewalls, anti-virus, most
> > everything they should have. They probably don't have a full time IT staff.
> >
> > There are a lot of small businesses on these legitimate business class DSL
> > lines with fixed IP addresses (which they pay extra for) who are very
> > frequently incorrectly listed as "dynamic" IP addresses. The vast majority
> > of these small companies are NOT spammers.
> 
> Some of those small businesses aren't really all that small either.
> There are a number of ~500 employee companies around here that have the
> same problem.  Some even with T1s (probably quietly provisioned over
> DSL) that have IPs smack in the middle of static business DSL ranges
> that are listed in SORBS' dynamic list.
> 
> > If you are a system admin and you flat-out reject email that shows on
> > various error ridden "dial-up" lists as "dynamic" IP address for a company,
> > other than your own, you should be fired IMO.
> 
> Likewise, if you're a system admin that is aware that they are in such
> dynamic lists and can't get out of them, you're asking for trouble not
> smart hosting your mail through a (RBL list-wise) cleaner relay.
> 
> I know that in the automotive industry there are a lot of tier 1
> suppliers and a number of MXes at a couple auto manufacturers that
> reject on SORBS dynamic listings (of truly static space).  Having mail
> blocked, or worse silently discarded or unread, could easily cost you a
> LOT of revenue.  Having this happen when it's avoidable on your own part
> is inexcusable, no matter how annoying it is that you can't send mail
> directly from IP space that you are paying to do so with.
> 
> Daryl


Re: blocking email from Vietnam is not working...

2006-06-07 Thread Daryl C. W. O'Shea

On 6/8/2006 12:03 AM, John D. Hardin wrote:
> On Wed, 7 Jun 2006, Screaming Eagle wrote:
> 
> (1) countries.nerd.dk may not list vietnam. Take a look at their
> website.
> 
> (2) The IP address may have been assigned to vietnam recently enough
> that countries.nerd.dk doesn't have it (i.e. they are not up-to-date).
> 
> Try this:
> 
>   $ dig @vn.countries.nerd.dk 8.231.210.203.in-addr.arpa
> 
> I get:
> 
>   dig: couldn't get address for 'vn.countries.nerd.dk': not found
> 
> It seems they don't provide this information for vietnam.

"vn.countries.nerd.dk" isn't a name server and they don't list things
like "8.231.210.203.in-addr.arpa".

The IP is listed though...

[EMAIL PROTECTED] dos]$ host 8.231.210.203.vn.countries.nerd.dk
8.231.210.203.vn.countries.nerd.dk has address 127.0.0.2

> --
>  11 days until SWMBO's Birthday

Yeah, don't forget that.

Daryl


Re: is there a way to block email coming from

2006-06-07 Thread Daryl C. W. O'Shea

On 6/8/2006 12:05 AM, Greg Allen wrote:
>> However, the ISP dynamic address tests *do* belong in the MTA RBL
>> checks. The fraction of legitimate emails received from dynamic-IP
>> hosts is vanishingly small compared to the tens or hundreds of
>> thousands of compromised Windows boxen spewing spam and viruses...
> 
> Sorry to poke in on the thread, but I disagree.
> 
> Most small start-up businesses buy business class DSL these days with 1-5
> fixed IP addresses. They often have small firewalls, anti-virus, most
> everything they should have. They probably don't have a full time IT staff.
> 
> There are a lot of small businesses on these legitimate business class DSL
> lines with fixed IP addresses (which they pay extra for) who are very
> frequently incorrectly listed as "dynamic" IP addresses. The vast majority
> of these small companies are NOT spammers.

Some of those small businesses aren't really all that small either.
There are a number of ~500 employee companies around here that have the
same problem.  Some even with T1s (probably quietly provisioned over
DSL) that have IPs smack in the middle of static business DSL ranges
that are listed in SORBS' dynamic list.

> If you are a system admin and you flat-out reject email that shows on
> various error ridden "dial-up" lists as "dynamic" IP address for a company,
> other than your own, you should be fired IMO.

Likewise, if you're a system admin that is aware that they are in such
dynamic lists and can't get out of them, you're asking for trouble not
smart hosting your mail through a (RBL list-wise) cleaner relay.

I know that in the automotive industry there are a lot of tier 1
suppliers and a number of MXes at a couple auto manufacturers that
reject on SORBS dynamic listings (of truly static space).  Having mail
blocked, or worse silently discarded or unread, could easily cost you a
LOT of revenue.  Having this happen when it's avoidable on your own part
is inexcusable, no matter how annoying it is that you can't send mail
directly from IP space that you are paying to do so with.

Daryl


Re: sa-learn --username option

2006-06-07 Thread Aaron Axelsen
Matt,

Thanks for the reply.  I ended up writing a perl script to copy all the
spam to learn into a neutral location, group owned.  In that same script
I then change the effective user id, and try to learn.  However, it
still is not learning as the effective user.  The script runs as root,
and still tries to learn as root.

Is there some reason for this? Any suggestions?

-- Aaron

Matt Kettler wrote:
> Aaron Axelsen wrote:
>   
>> Hello,
>>
>> I am trying to run a cronjob as root which will learn a different
>> accounts spam into my spam db.  Example command:
>>
>> sa-learn -u user1 --spam /home/user2/Maildir/.Spam/cur/
>>
>> When the command runs, it learns the spam into /root/.spamassassin
>> instead of /home/user1/.spamassassin
>>
>> Does anyone have any idea why its doing this? 
>> 
>
> The -u option to sa-learn only works if you're using SQL for bayes
> storage, or if you're using virtual users.
>
> The caveat is revealed in the docs for sa-learn:
> --
> NOTE: This option will not change to the given /username/, it will only
> attempt to act on behalf of that user. Because of this you will need to
> have proper permissions to be able to change files owned by /username/.
> In the case of SQL this generally is not a problem.
> --
>
> In particular, that first sentence is important here. It will not change
> (setuid) to the given username, therefore the home directory does not
> change.
>
> If you want to exec sa-learn as a particular user, just use su in the
> straightforward unix fashion:
>
> su user1 -c "sa-learn --spam /home/user2/Maildir/.Spam/cur/"
>
> Note that user1 will need read-privileges to
> /home/user2/Maildir/.Spam/cur/  for this to work.
>
>
>   

-- 
Aaron Axelsen
[EMAIL PROTECTED]

Great hosting, low prices.  Modevia Web Services LLC -- http://www.modevia.com



Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

2006-06-07 Thread Daryl C. W. O'Shea

On 6/7/2006 8:51 PM, Arias Hung wrote:
> On Mon, 05 Jun 2006, Daryl C. W. O'Shea delivered in simple text monotype:
> 
>> Daryl
> 
> <---snip--->
> 
> Ah, and one more quick question while I'm at it.  What would you suggest
> would be the best way to increase the alarm timeout value?
> 
> Straight in the spamd script?
> 
> When grepping spamd for alarm:
> 
> # bug 4699: this is the alarm that often ends up with an empty $@
> alarm $timeout_tcp if ($timeout_tcp);
>   alarm 0;
>   alarm $timeout_child if ($timeout_child);
> alarm 0;
>   alarm $timeout_child if ($timeout_child);
> alarm 0;
> 
> Or will setting the --child-timeout flag in spamd be enough?

You'd have to edit the current value (20) at line 953:

my $timer = Mail::SpamAssassin::Timeout->new({ secs => 20 });

You could try something higher, but it really shouldn't be necessary.
If the copy is going to succeed (and hasn't really hung up for some
reason) and is taking this long, chances are it's going to take the
better part of an hour to actually scan the mail.

I'd look for swap issues first.

Daryl



Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

2006-06-07 Thread Daryl C. W. O'Shea

On 6/7/2006 8:09 PM, Arias Hung wrote:
> On Tue, 06 Jun 2006, Daryl C. W. O'Shea delivered in simple text monotype:
> 
>> How long are messages (that are logged) taking to be scanned by
>> SpamAssassin when/before this happens.  What timeout are you using
>> with spamc?  You are using spamc, right, and not spamassassin?
> 
> <---snip--->
> 
> Yes, I'm using spamc.  I didn't set timeout on spamc, so I'm assuming
> it's at its default level 300 seconds.  Should it be longer?

The default should be more than sufficient.

> I'm also noticing a lot of copy_config timeouts, and a few normal
> timeouts that exceed the 300 seconds.  I will try upping the timeout
> value ... are you aware if the copy_config can be resolved this way as
> well, or can upping the # of children help?

For the "normal timeouts", it sounds like you might be consistently
having a problem with bayes expiry.  Although, such a problem isn't
normally consistent AND long (time wise) when using spamd.  You could
try running an  "sa-learn --force-expire"  to see if it helps.

As for the copy_config timeouts... what kind of system load are you
seeing?  10, 50, 500, or higher?  The current 20 seconds alarm is twice
the original alarm timeout, but if you've got a high enough load it
could still be a problem.  You could increase this value to something
practically unusable, like 300, but I'd be really surprised (and would
like to know about it) if the timeout isn't being caused by insane load
or excessive swapping.

So... how much memory do you have in this machine, how much is free, and
how much (hopefully none or little) swap is being used?  If swap is
being used, how much of the spamd processes are being swapped out (check
while the system is idle after it's been busy for a bit)?

Since you suggested that this might be a personal workstation you're
running this on, there's a good chance that 4 children might actually be
too many.

BTW... is this Linux, or BSD, or something else?

Daryl


RE: is there a way to block email coming from

2006-06-07 Thread Greg Allen

>
> However, the ISP dynamic address tests *do* belong in the MTA RBL
> checks. The fraction of legitimate emails received from dynamic-IP
> hosts is vanishingly small compared to the tens or hundreds of
> thousands of compromised Windows boxen spewing spam and viruses...
>

Sorry to poke in on the thread, but I disagree.

Most small start-up businesses buy business class DSL these days with 1-5
fixed IP addresses. They often have small firewalls, anti-virus, most
everything they should have. They probably don't have a full time IT staff.

There are a lot of small businesses on these legitimate business class DSL
lines with fixed IP addresses (which they pay extra for) who are very
frequently incorrectly listed as "dynamic" IP addresses. The vast majority
of these small companies are NOT spammers.

To expect every small start-up to be on a major Internet carrier with a T1
is simply not reality these days. To block on dynamic is asking for a lot of
trouble. It also is a pay-to-play mentality. If a start-up business can't
afford a T1 then they can't send email?

If you are a system admin and you flat-out reject email that shows on
various error ridden "dial-up" lists as "dynamic" IP address for a company,
other than your own, you should be fired IMO.



Re: blocking email from Vietnam is not working...

2006-06-07 Thread John D. Hardin
On Wed, 7 Jun 2006, Screaming Eagle wrote:

> I have this in local.cf file:
> describe BL_COUNTRY_VN_1 Mail client in Vietnam
> header   BL_COUNTRY_VN_1 eval:check_rbl('vietnam', 'vn.countries.nerd.dk')
> scoreBL_COUNTRY_VN_1 8.0
> tflags   BL_COUNTRY_VN_1 net
> 
> Whis is it not working? I get an email from Vietname, and the score is 0.

(1) countries.nerd.dk may not list vietnam. Take a look at their
website.

(2) The IP address may have been assigned to vietnam recently enough
that countries.nerd.dk doesn't have it (i.e. they are not up-to-date).

Try this:

  $ dig @vn.countries.nerd.dk 8.231.210.203.in-addr.arpa

I get:

  dig: couldn't get address for 'vn.countries.nerd.dk': not found

It seems they don't provide this information for vietnam.

Try contacting nerd.dk directly.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Look at the people at the top of both efforts. Linus Torvalds is a
 university graduate with a CS degree. Bill Gates is a university
 dropout who bragged about dumpster-diving and using other peoples'
 garbage code as the basis for his code. Maybe that has something to
 do with the difference in quality/security between Linux and
 Windows.  -- anytwofiveelevenis on Y! SCOX
--
 11 days until SWMBO's Birthday




Re: SA 3.1.1 sometimes takes a long time...

2006-06-07 Thread Guy Waugh

Daryl C. W. O'Shea wrote:
> On 6/7/2006 9:58 PM, Matt Kettler wrote:
>> Guy Waugh wrote:
>>> * I only turned on SA debugging for bayes and learn to get the above
>>> log entries. Are bayes, learn and dns the only debugging flags
>>> available? Maybe next time I should turn on dns debugging as well?
>>
>> I know of at least one other... "all"
>>
>> message, config, check, plugin and rules also appear to be other working
>> options, but I've not tested them. There's probably more.. grep the code
>> for "dbg".. the text preceding the colon is the debug category needed to
>> log it (unless all is enabled)
>
> http://wiki.apache.org/spamassassin/DebugChannels

Thanks guys... should have seen that.

OK, I've turned on multitudinous debugging, and it seems to be 
struggling with file locking on the 'auto-whitelist' file. When the "451 
4.3.2" error happens, there are lots of these messages around it in the 
logfile:


Jun  8 13:21:05 server spamd[22947]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 6 retries
Jun  8 13:21:05 server spamd[22941]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 15 retries
Jun  8 13:21:06 server spamd[22943]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 13 retries
Jun  8 13:21:06 server spamd[22942]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 13 retries
Jun  8 13:21:06 server spamd[22945]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 10 retries
Jun  8 13:21:06 server spamd[22947]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 7 retries
Jun  8 13:21:06 server spamd[22944]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 10 retries
Jun  8 13:21:06 server spamd[22946]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 6 retries
Jun  8 13:21:06 server spamd[22941]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 16 retries
Jun  8 13:21:06 server spamd[22943]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 14 retries
Jun  8 13:21:07 server spamd[22940]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 17 retries
Jun  8 13:21:07 server spamd[22947]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 8 retries
Jun  8 13:21:07 server spamd[22941]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 17 retries
Jun  8 13:21:07 server spamd[22940]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 18 retries
Jun  8 13:21:07 server spamd[22945]: locker: safe_lock: trying to get lock on /var/vscan/spamassassin/auto-whitelist with 11 retries


OK, so... the auto-whitelist file is currently a Berkeley DB file. Does 
anyone know:


* Will there be locking issues if I put all the Berkeley DB stuff into, 
say, MySQL?


* Is there something else I can do to try to fix this, without going SQL?

Thanks again,
Guy.




Re: is there a way to block email coming from

2006-06-07 Thread John D. Hardin
On Wed, 7 Jun 2006, Steven W. Orr wrote:

> On Wednesday, Jun 7th 2006 at 09:53 -0700, quoth John D. Hardin:
> 
> =>On Wed, 7 Jun 2006, Screaming Eagle wrote:
> =>
> =>> country, other than USA?  How would you look up the network block
> =>> on country such as Romania, China, Taiwan,Thailand, Korea, and so
> =>> on...
> =>
> =>describe BL_COUNTRY_TW_1 Mail client in Taiwan
> =>header   BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')
> =>scoreBL_COUNTRY_TW_1 0.5
> =>tflags   BL_COUNTRY_TW_1 net
> 
> I'm running a sendmail server and I already block a few countries
> in my mc file. e.g.,
> 
> FEATURE(enhdnsbl,`kr.countries.nerd.dk', `SPAM from Korea:$&{client_addr} 
> rejected',`t')dnl
> FEATURE(enhdnsbl,`cn.countries.nerd.dk', `SPAM from China:$&{client_addr} 
> rejected',`t')dnl
> 
> Are there any pros or cons to doing the checks in the mc file vs
> sa config? In the case of sa I am using spamass-milter so the
> message will be rejected either way.
> 
> TIA

The greatest drawback is that using the RBL within sendmail is an
all-or-nothing proposition. What if you *do* have legitimate
correspondents in those countries?

When I was doing that as postmaster for my company, it was only
because we did not do business in those countries at all, and I was
finding myself poking holes through for things like: one of our major
programming tool suppliers has their home office in Europe; I would
ask questions on Usenet or other online sites and get relevant replies
from other countries; some of our employees corresponded with
relatives in other countries.

It's more reasonable to do the country tests in SA, where they can
contribute to the score rather than being a pass-fail test.

However, the ISP dynamic address tests *do* belong in the MTA RBL
checks. The fraction of legitimate emails received from dynamic-IP
hosts is vanishingly small compared to the tens or hundreds of
thousands of compromised Windows boxen spewing spam and viruses...

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Look at the people at the top of both efforts. Linus Torvalds is a
 university graduate with a CS degree. Bill Gates is a university
 dropout who bragged about dumpster-diving and using other peoples'
 garbage code as the basis for his code. Maybe that has something to
 do with the difference in quality/security between Linux and
 Windows.  -- anytwofiveelevenis on Y! SCOX
--
 11 days until SWMBO's Birthday
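Daryl's host lookup earlier on the page shows the query form SpamAssassin's check_rbl actually sends (reversed octets prepended to the zone, answered with 127.0.0.2 or NXDOMAIN), and John's point above is that the same listing behaves very differently as a weighted SA score than as an MTA-level reject. The Python below is an added example, not from the thread, that builds the query, interprets the answer, and shows both decision styles side by side; the resolver is injectable and the answer table in it is constructed, so nothing here talks to live DNS unless you pass the real resolver.

```python
"""Added example (not from the thread): the lookup SpamAssassin's check_rbl
performs against a per-country countries.nerd.dk zone, with the SA-style
weighted-score decision beside the MTA-style reject-on-any-hit one.
The resolver is injectable so the logic can be run offline."""
import ipaddress
import socket

# Zone/score pairs taken from the rules quoted in this thread.
RULES = [("vn.countries.nerd.dk", 8.0), ("tw.countries.nerd.dk", 0.5)]


def dnsbl_name(ip, zone):
    """203.210.231.8 + 'vn.countries.nerd.dk' -> '8.231.210.203.vn.countries.nerd.dk'.
    This name is what gets queried; the zone name itself is not a name server."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on junk input
    return ".".join(reversed(octets)) + "." + zone


def table_resolver(table):
    """Resolver backed by a dict (for tests and dry runs); unknown names -> NXDOMAIN."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """A per-country zone answers 127.0.0.2 for a listed address (the 'host'
    output above) and NXDOMAIN for anything else. An answer outside 127/8
    is not a listing: it means the zone is broken or has been hijacked."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return False
    if not answer.startswith("127."):
        raise RuntimeError("unexpected answer %s from %s" % (answer, zone))
    return True


def sa_score(ip, rules, resolve=socket.gethostbyname):
    """SpamAssassin style: every listed zone adds its score to a running total
    that the rest of the ruleset can still offset."""
    return sum(score for zone, score in rules if is_listed(ip, zone, resolve))


def mta_rejects(ip, zones, resolve=socket.gethostbyname):
    """sendmail enhdnsbl style: a single hit rejects the mail outright."""
    return any(is_listed(ip, zone, resolve) for zone in zones)


if __name__ == "__main__":
    # Constructed answer table standing in for live DNS.
    dns = table_resolver({"8.231.210.203.vn.countries.nerd.dk": "127.0.0.2"})
    print("SA score:", sa_score("203.210.231.8", RULES, dns))
    print("MTA reject on kr/cn:",
          mta_rejects("203.210.231.8", ["kr.countries.nerd.dk", "cn.countries.nerd.dk"], dns))
```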



Re: SA 3.1.1 sometimes takes a long time...

2006-06-07 Thread Daryl C. W. O'Shea

On 6/7/2006 9:58 PM, Matt Kettler wrote:
> Guy Waugh wrote:
>> * I only turned on SA debugging for bayes and learn to get the above
>> log entries. Are bayes, learn and dns the only debugging flags
>> available? Maybe next time I should turn on dns debugging as well?
>
> I know of at least one other... "all"
>
> message, config, check, plugin and rules also appear to be other working
> options, but I've not tested them. There's probably more.. grep the code
> for "dbg".. the text preceding the colon is the debug category needed to
> log it (unless all is enabled)

http://wiki.apache.org/spamassassin/DebugChannels


Re: SA 3.1.1 sometimes takes a long time...

2006-06-07 Thread Matt Kettler
Guy Waugh wrote:
> Hi folks,
>
> I'm pretty new to SpamAssassin. I have two MXes running sendmail
> 8.13.6, smtp-vilter 1.2.4, SA 3.1.1 and clamav 0.88. Sendmail uses
> smtp-vilter as a milter, and smtp-vilter calls clamd and spamd to scan
> incoming messages at the point of delivery.
>
> For most messages, it works fine - clamd does the virus scanning in a
> flash, and SA takes between 0.1 seconds and 3 seconds to do its job.
>
> However, for some emails, the SA scan goes over the 20 second timeout
> that we currently have defined (in /etc/smtp-vilter/spamd.conf). When
> this happens, sendmail tells the sender "451 4.3.2 - Please try again
> later".
>
20 seconds is *WAY* too short.. By default, SA will attempt to
opportunistically perform bayes database maintenance (expiring old
tokens, merging journals, etc).. this can take several minutes at a
time, but doesn't happen often (every 12 hrs at most, I think...)
> So, I have a few questions:
>
> * Anyone know why there would be such a gap between SA scanning for
> spam (up to 15:36:57 in the example above) and learning spam/ham (from
> 15:37:21)?
Waiting for a write lock.. turning on bayes_learn_to_journal helps this
much, but does make the  maintenance runs slightly longer. It also
causes "lag" in that your learning is not made live until a journal sync
occurs.


>
> * The Bayes database is in Berkeley DB format... would having it in an
> RDBMS help, perhaps?
Using SQL is the preferred method, and generally speaking much faster.
SDBM is another option, but it's not 100% bug free when I last tested
the conversion tools.
>
> * I only turned on SA debugging for bayes and learn to get the above
> log entries. Are bayes, learn and dns the only debugging flags
> available? Maybe next time I should turn on dns debugging as well?
I know of at least one other... "all"

message, config, check, plugin and rules also appear to be other working
options, but I've not tested them. There's probably more.. grep the code
for "dbg".. the text preceding the colon is the debug category needed to
log it (unless all is enabled)

i.e:

dbg("plugin: loading $package from $path");

requires all or plugin.


>
> * One thing I may want to do is configure the email server to only
> scan for spam for messages coming from the Internet. smtp-vilter does
> not seem to have this functionality, but it appears a few other milter
> packages do (amavisd-new, MIMEDefang?). Any thoughts on changing from
> smtp-vilter to one of these other milter packages? Difficulties, traps
> etc.? Seems like it should be pretty straightforward...
I'm not a milter user, can't comment (I use mailscanner)
>
> * Any other comments or thoughts?
>
> Thanks in advance,
> Guy.
>
>



Re: Spam assassin and postfix..

2006-06-07 Thread Bill Randle
On Wed, 2006-06-07 at 16:43 -0700, J Rangi wrote:
> Hello,
> I configured spamassassin with postfix.
> Spamassassin version is   spamassassin-3.0.3-4.fc4
> Here is my spam filter script..
> 
> [EMAIL PROTECTED] log]# cat /usr/local/bin/spamfilter
> #variables
> SENDMAIL="/usr/sbin/sendmail.postfix -i"
> EGREP=/bin/egrep
> # Exit codes from 
> EX_UNAVAILABLE=69
> # Number of *'s in X-Spam-level header needed to sideline message:
> # (Eg. Score of 5.5 = "*" )
> SPAMLIMIT=5
> # Clean up when done or when aborting.
> trap "rm -f /var/tempfs/out.$$" 0 1 2 3 15
> # Pipe message to spamc
> cat | /usr/bin/spamc -u spamfilter > /var/tempfs/out.$$
> 
> if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < /var/tempfs/out.$$
>   then
> ## Change the Email address where you want your spam to get fwd to
>   $SENDMAIL -f [EMAIL PROTECTED] < /var/tempfs/out.$$
>   else
> ###$SENDMAIL "$@" < /var/tempfs/out.$$
> $SENDMAIL $@ < /var/tempfs/out.$$
>   fi
> # Postfix returns the exit status of the Postfix sendmail command.
> exit $?
> 
> I made these changes in master.cf file..
> Changed this line by adding "-o content_filter=spamfilter:dummy" to the 
> default
> smtp  inet  n   -   n   -   -   smtpd -o 
> content_filter=spamfilter:dummy
> Added next two lines..
> spamfilter unix -   n   n   -   -   pipe
>   flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter -f ${sender} 
> -- ${recipient}
> 
> Once postfix reloaded I can see that mails are being processed by 
> spamfilter.
> But for some mails I get these kind of error in the log file and user 
> receives mail from MAILER-DAEMON
> Can some please tell me why we get these only for some mail and how to 
> get rid of this problem.
> 
> Jun  7 10:51:44 localmail spamd[14011]: spamd: identified spam 
> (17.8/6.8) for spamfilter:7715 in 2.3 seconds, 1753 bytes.
> Jun  7 10:51:44 localmail spamd[14011]: spamd: result: Y 17 - 
> MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID,RCVD_IN_BL_SPAMCOP_NET,UNPARSEABLE_RELAY,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
>  
> scantime=2.3,size=1753,user=spamfilter,uid=7715,required_score=6.8,rhost=localhost.localdomain,raddr=127.0.0.1,rport=33304,mid=<[EMAIL
>  PROTECTED]>,autolearn=no 
> 
> Jun  7 10:51:44 localmail postfix/sendmail[14909]: fatal: Recipient 
> addresses must be specified on the command line or via the -t option
> Jun  7 10:51:44 localmail spamd[14009]: prefork: child states: II
> Jun  7 17:51:45 localmail postfix/postdrop[14910]: warning: stdin: 
> unexpected EOF in data, record type 78 length 85
> Jun  7 10:51:45 localmail postfix/postdrop[14910]: fatal: uid=7715: 
> malformed input
> Jun  7 10:51:46 localmail postfix/pipe[13865]: DA97E60EB2: 
> to=<[EMAIL PROTECTED]>, relay=spamfilter, delay=5, 
> status=bounced (command line usage error. Command output: 
> sendmail.postfix: fatal: Recipient addresses must be specified on the 
> command line or via the -t option postdrop: warning: stdin: unexpected 
> EOF in data, record type 78 length 85 postdrop: fatal: uid=7715: 
> malformed input )


The clue is in the error log. It says you must use "-t" or specify the
recipient on the sendmail command line. In the case where the message is
detected as spam, you do this:
$SENDMAIL -f [EMAIL PROTECTED] < /var/tempfs/out.$$

There's no -t and no recipient. The -f option is the "from" part. I
suspect you want to send spam to [EMAIL PROTECTED], in which case
try something like this:
$SENDMAIL -f $2 [EMAIL PROTECTED] < /var/tempfs/out.$$

$2 should be the sender, as passed into the filter script.

Rather than calling spamc on each message, you might also consider
a daemon solution which will reduce the overhead and startup delay
time. Very helpful if processing a lot of mail. I use amavisd-new
and have it run clamd before spamassassin. There are others that
have been mentioned in this mailing list, as well.

-Bill
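A corrected wrapper in the shape of the posted script, applying the fix above (an added example, not J Rangi's script or Bill Randle's code). The spamtrap address, the `SENDMAIL`/`SPAMC` overrides, the `mktemp` location and the `-x` spamc flag are assumptions, not something the thread specifies.

```sh
#!/bin/sh
# Corrected Postfix content_filter wrapper in the shape of the script posted
# in this thread.  Added example, not J Rangi's script or Bill Randle's reply.
# Assumed master.cf entry (as in the post), so argv arrives as
#   -f <sender> -- <recipient> [<recipient> ...]
#
# Changes relative to the posted script:
#  * the spam branch names a recipient (the spamtrap mailbox) and keeps the
#    original envelope sender $2, which is what the
#    "Recipient addresses must be specified" bounce was about;
#  * "$@" is quoted, so sender and recipients reach sendmail unchanged;
#  * the scratch file comes from mktemp, not a predictable /var/tempfs/out.$$;
#  * spamc runs with -x so an unreachable spamd defers the mail (EX_TEMPFAIL)
#    instead of passing it through unscanned or bouncing it.

SENDMAIL="${SENDMAIL:-/usr/sbin/sendmail.postfix}"
SPAMC="${SPAMC:-/usr/bin/spamc}"
SPAMTRAP="${SPAMTRAP:-spamtrap@example.invalid}"  # placeholder; the post's address is redacted
SPAMLIMIT="${SPAMLIMIT:-5}"   # stars in X-Spam-Level needed to sideline a message
EX_TEMPFAIL=75                # sysexits.h value on which Postfix defers

# spam_level FILE: print the number of '*' in the X-Spam-Level header of the
# message in FILE (0 when the header is absent).  Only the header block is
# read, so a copy of the header quoted in the body cannot change the result.
spam_level() {
    awk 'NF == 0 { exit }
         tolower($0) ~ /^x-spam-level:/ {
             sub(/^[^:]*:/, ""); gsub(/[^*]/, ""); n = length($0); exit }
         END { print n + 0 }' "$1"
}

# is_spam FILE: succeed when the message in FILE carries >= SPAMLIMIT stars.
is_spam() {
    [ "$(spam_level "$1")" -ge "$SPAMLIMIT" ]
}

# reinject FILE ARGS...: hand the scanned message back to Postfix.  ARGS is
# exactly what Postfix passed to this script (-f <sender> -- <recipients>).
reinject() {
    msg=$1; shift
    if is_spam "$msg"; then
        # $2 is the envelope sender from "-f ${sender}"; keep it, and supply
        # the spamtrap as the recipient that sendmail insisted on.
        "$SENDMAIL" -i -f "$2" -- "$SPAMTRAP" < "$msg"
    else
        "$SENDMAIL" -i "$@" < "$msg"
    fi
}

main() {
    tmp=$(mktemp /tmp/spamfilter.XXXXXX) || exit "$EX_TEMPFAIL"
    trap 'rm -f "$tmp"' 0 1 2 3 15
    # -x: no "safe fallback", i.e. a non-zero exit instead of handing the
    # message back unscanned when spamd cannot be reached.
    if ! "$SPAMC" -u spamfilter -x > "$tmp"; then
        exit "$EX_TEMPFAIL"
    fi
    reinject "$tmp" "$@"      # exit status is sendmail's, as Postfix expects
}

# Run only when invoked by Postfix (first argument is -f); sourcing the file
# just defines the functions above.
case ${1:-} in
    -f) main "$@" ;;
esac
```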




Re: Virtual Users

2006-06-07 Thread David O'Brien

Hello,

Thanks for the reply.

I am quite new at this.  I didn't actually know a lot about spamc.  Well
I still don't but I have read a little bit about it now.

I am calling SpamAssassin from an Exim ACL.

I have the following lines uncommented in my exim.conf

  warn  spam       = nobody
        message    = X-Spam_score: $spam_score\n\
                     X-Spam_score_int: $spam_score_int\n\
                     X-Spam_bar: $spam_bar\n\
                     X-Spam_report: $spam_report

I was thinking that I need to change "nobody" to be the email address of
the recipient...  however now I am not so sure.

I see that the '$local_part' and '$domain' variables are not set in the
DATA ACL, and this is because you can have multiple recipients to an
email.  Therefore it is not possible to change "nobody" to the recipient
email address?

Is this because an email is only scanned once even if it is going to
multiple recipients?

If I change "nobody" to be [EMAIL PROTECTED], then %d and %l do expand
correctly in my log file.  So I can see that it works, but I don't know 
how to pass the email address to spamd...


So I guess I am a little confused now...

1. It seems logical that you only want to scan an email once, no matter 
how many people it is sent to.


2. But if you setup user_prefs, doesn't that mean that an email would be 
scanned once for each user based on their preferences?



Tom, I have spamassassin logging to its own log file /var/log/spamassassin

I followed the instructions here and it seems to be working ok : 
http://wiki.apache.org/spamassassin/SeparateLogFile



Thanks

David.


Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

2006-06-07 Thread Arias Hung

On Mon, 05 Jun 2006, Daryl C. W. O'Shea delivered in simple text monotype:


Daryl


<---snip--->

Ah, and one more quick question while I'm at it.  What would you suggest would 
be the best way to increase the alarm timeout value?
Straight in the spamd script?

When grepping spamd for alarm:

# bug 4699: this is the alarm that often ends up with an empty $@
alarm $timeout_tcp if ($timeout_tcp);
  alarm 0;
  alarm $timeout_child if ($timeout_child);
alarm 0;
  alarm $timeout_child if ($timeout_child);
alarm 0;


Or will setting the --child-timeout flag in spamd be enough?






SA 3.1.1 sometimes takes a long time...

2006-06-07 Thread Guy Waugh

Hi folks,

I'm pretty new to SpamAssassin. I have two MXes running sendmail 8.13.6, 
smtp-vilter 1.2.4, SA 3.1.1 and clamav 0.88. Sendmail uses smtp-vilter 
as a milter, and smtp-vilter calls clamd and spamd to scan incoming 
messages at the point of delivery.


For most messages, it works fine - clamd does the virus scanning in a 
flash, and SA takes between 0.1 seconds and 3 seconds to do its job.


However, for some emails, the SA scan goes over the 20 second timeout 
that we currently have defined (in /etc/smtp-vilter/spamd.conf). When 
this happens, sendmail tells the sender "451 4.3.2 - Please try again 
later".


I turned on SA debugging for a while, and when the "451 4.3.2" error 
happens, I see this in the logs:


Jun  7 15:36:56 server sendmail[573]: k575alO4000573: 
from=<[EMAIL PROTECTED]>, size=10049, class=0, nrcpts=1, 
msgid=<[EMAIL PROTECTED]>, proto=SMTP, daemon=MTA, 
relay=[213.85.143.136]
Jun  7 15:36:56 server sendmail[573]: k575alO4000573: Milter add: 
header: X-SMTP-Vilter-Version: 1.2.4

Jun  7 05:36:56 server smtp-vilter[527]: message contains no virus
Jun  7 15:36:56 server sendmail[573]: k575alO4000573: Milter add: 
header: X-SMTP-Vilter-Virus-Backend: clamd
Jun  7 15:36:56 server sendmail[573]: k575alO4000573: Milter add: 
header: X-SMTP-Vilter-Status: clean
Jun  7 15:36:56 server sendmail[573]: k575alO4000573: Milter add: 
header: X-SMTP-Vilter-clamd-Virus-Status: clean
Jun  7 15:36:56 server spamd[484]: spamd: connection from 
localhost.localdomain [127.0.0.1] at port 53693
Jun  7 15:36:56 server spamd[484]: spamd: checking message 
<[EMAIL PROTECTED]> for (unknown):508
Jun  7 15:36:56 server spamd[484]: bayes: tie-ing to DB file R/O 
/var/vscan/.spamassassin/bayes_toks
Jun  7 15:36:56 server spamd[484]: bayes: tie-ing to DB file R/O 
/var/vscan/.spamassassin/bayes_seen

Jun  7 15:36:56 server spamd[484]: bayes: found bayes db version 3
Jun  7 15:36:56 server spamd[484]: bayes: DB journal sync: last sync: 
1149658532
Jun  7 15:36:57 server spamd[484]: bayes: DB journal sync: last sync: 
1149658532
Jun  7 15:36:57 server spamd[484]: bayes: corpus size: nspam = 88503, 
nham = 231793
Jun  7 15:36:57 server spamd[484]: bayes: header tokens for *F = 
"U*silviooleg D*lpnet.com.br D*com.br D*br"
Jun  7 15:36:57 server spamd[484]: bayes: header tokens for *R = 
"U*silviooleg D*lpnet.com.br D*com.br D*br"
Jun  7 15:36:57 server spamd[484]: bayes: header tokens for *M = " 
333694818070 166676502833 lpnet com br "


(then 20-30 more bayes token lines, then...)

Jun  7 15:36:57 server spamd[484]: bayes: score = 0.99938356891068
Jun  7 15:36:57 server spamd[484]: bayes: DB journal sync: last sync: 
1149658532

Jun  7 15:36:57 server spamd[484]: bayes: untie-ing
Jun  7 15:36:57 server spamd[484]: bayes: untie-ing db_toks
Jun  7 15:36:57 server spamd[484]: bayes: untie-ing db_seen

(then this:)

Jun  7 05:37:16 server smtp-vilter[527]: spamd: lost header - no 
response to CHECK cmd
Jun  7 05:37:16 server smtp-vilter[527]: error during spam scan of file 
tmp/vilter.zJ7UnO

Jun  7 05:37:16 server smtp-vilter[527]: temporarily failing message
Jun  7 15:37:16 server sendmail[573]: k575alO4000573: Milter: data, 
reject=451 4.3.2 Please try again later
Jun  7 15:37:16 server sendmail[573]: k575alO4000573: 
to=<[EMAIL PROTECTED]>, delay=00:00:21, pri=40049, stat=Please 
try again later


(which happens when the 20 second timeout is reached. Then this:)

Jun  7 15:37:21 server spamd[484]: learn: auto-learn: currently using 
scoreset 3, recomputing score based on scoreset 1
Jun  7 15:37:21 server spamd[484]: learn: auto-learn: message score: 
35.038, computed score for autolearn: 23.6
Jun  7 15:37:21 server spamd[484]: learn: auto-learn? ham=0.1, spam=12, 
body-points=22.51, head-points=7.541, learned-points=3.5

Jun  7 15:37:21 server spamd[484]: learn: auto-learn? yes, spam (23.6 > 12)
Jun  7 15:37:21 server spamd[484]: learn: initializing learner
Jun  7 15:37:21 server spamd[484]: learn: learning spam
Jun  7 15:37:22 server spamd[484]: bayes: tie-ing to DB file R/W 
/var/vscan/.spamassassin/bayes_toks
Jun  7 15:37:22 server spamd[484]: bayes: tie-ing to DB file R/W 
/var/vscan/.spamassassin/bayes_seen

Jun  7 15:37:22 server spamd[484]: bayes: found bayes db version 3
Jun  7 15:37:22 server spamd[484]: bayes: header tokens for *F = 
"U*silviooleg D*lpnet.com.br D*com.br D*br"
Jun  7 15:37:22 server spamd[484]: bayes: header tokens for *R = 
"U*silviooleg D*lpnet.com.br D*com.br D*br"
Jun  7 15:37:22 server spamd[484]: bayes: header tokens for *M = " 
333694818070 166676502833 lpnet com br "
Jun  7 15:37:22 server spamd[484]: bayes: header tokens for To = 
"U*auniac10 D*chec.scu.edu.au D*scu.edu.au D*edu.au D*au"
Jun  7 15:37:22 server spamd[484]: bayes: header tokens for MIME-Version 
= " "
Jun  7 15:37:22 server spamd[484]: bayes: header tokens for *c = " 
Multipart/related; type="multipart/alternative";     
. "

Jun  7 15:37:22 server spamd[484]: bayes: header to

Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

2006-06-07 Thread Arias Hung

Actually, I just went through the archives and found your suggestion a few
months ago regarding upping the alarm value from 10 to 100.  My problem actually
sounds like it might be a similar issue, as I notice a lot more spam gets through
when I have a high load.

Any other suggestions aside from this?

Thanks again for your help.




Re: blocking email from Vietnam is not working...

2006-06-07 Thread Matt Kettler
Screaming Eagle wrote:
> I have this in local.cf  file:
> describe BL_COUNTRY_VN_1 Mail client in Vietnam
> header   BL_COUNTRY_VN_1 eval:check_rbl('vietnam', 'vn.countries.nerd.dk')
> score    BL_COUNTRY_VN_1 8.0
> tflags   BL_COUNTRY_VN_1 net
>
> Why is it not working? I get an email from Vietnam, and the score is 0.
Well, at casual glance, the rule looks ok, although it would be more
standard to have the header line first and the describe line second.
However, that shouldn't be a problem...

Did you run spamassassin --lint to make sure there's no config typos?

Do you use spamd? If so, did you restart it? (local.cf is only parsed at
spamd startup time)

Have you verified that the IP in question is in fact listed by
vn.countries.nerd.dk? (note that countries.nerd.dk is NOT perfect, and
will not list each and every IP in a country)

Are you using a lot of lists all on countries.nerd.dk? If so, I'll warn
you that in my experience with blackholes.us, bombarding a site with
many queries will generally cause only the first few lists to actually
work. The rest of the queries get dropped.

Why are you using a DNSBL for this anyway? Why not use the RelayCountry
plugin that comes with SA 3.0.0 and higher?

If you install IP::Country and enable the RelayCountry plugin, this can
all run very fast with reasonable accuracy.. then you can make rules
like this:

header   RELAY_CN  X-Relay-Countries =~ /\bCN\b/
describe RELAY_CN  Relayed through China
score    RELAY_CN  1.0

All with no network-test overhead.






Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

2006-06-07 Thread Arias Hung

On Tue, 06 Jun 2006, Theo Van Dinter delivered in simple text monotype:


On Tue, Jun 06, 2006 at 06:28:48AM -0700, Arias Hung wrote:

intensive memory hogging nature of the beast.  At present
I'm using a recent spamassassin compiled from the svn version 
3.2.0-r386260.  My spamassasin logs have absolutely no trace of the spam


Just curious, is there a reason you're running 3.2.0?  It's completely not
meant for production use yet.


I usually try and use the latest bleeding edge on my client/workstation machine,
as I don't quite consider it a 'production' machine, while familiarizing myself
with it in the process before upgrading 'production' level machines I
administer.

Are you aware of any issues such as I described in 3.2.0?


Since you limited spamd to 4 children, if say, 6 messages come in that need to
be scanned, 2 will be left sitting around waiting for a child to free up.  If
it takes long enough that spamc or whatever calling spamc times out, the
message will (likely) continue through unprocessed.

<---snip--->

Yes, I'm noticing copy_config timeouts ... could this be a consequence of too
few children?




Re: Mail somehow bypassing spamassassin entirely showing up in my Inbox

2006-06-07 Thread Arias Hung

On Tue, 06 Jun 2006, Daryl C. W. O'Shea delivered in simple text monotype:

How long are messages (that are logged) taking to be scanned by SpamAssassin
when/before this happens?  What timeout are you using with
spamc?  You are using spamc, right, and not spamassassin?

<---snip--->

Yes, I'm using spamc.  I didn't set a timeout on spamc, so I'm assuming it's at
its default level of 300 seconds.  Should it be longer?

I'm also noticing a lot of copy_config timeouts, and a few normal timeouts that
exceed the 300 seconds.  I will try upping the timeout value ... are you aware
whether the copy_config timeouts can be resolved this way as well, or can upping
the # of children help?





RE: Spam assassin and postfix..

2006-06-07 Thread Gary W. Smith
There are a few things that you can do a little differently.  You can
return the status of the spam check as well as the marked up message.
Then just check if $? -ne 0 (or whatever logic you like).
 

This is what we do.  In the event that the message is marked as a spam
we try to insert it into a database (the clean version of it).  If that
fails we drop the marked up version back into the postfix pipeline.



-Original Message-
From: J Rangi [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 07, 2006 4:44 PM
To: spam mailling list
Subject: Spam assassin and postfix.. 

Hello,
I configured SpamAssassin with postfix.
SpamAssassin version is   spamassassin-3.0.3-4.fc4
Here is my spam filter script..

[EMAIL PROTECTED] log]# cat /usr/local/bin/spamfilter
#variables
SENDMAIL="/usr/sbin/sendmail.postfix -i"
EGREP=/bin/egrep
# Exit codes from 
EX_UNAVAILABLE=69
# Number of *'s in X-Spam-level header needed to sideline message:
# (Eg. Score of 5.5 = "*" )
SPAMLIMIT=5
# Clean up when done or when aborting.
trap "rm -f /var/tempfs/out.$$" 0 1 2 3 15
# Pipe message to spamc
cat | /usr/bin/spamc -u spamfilter > /var/tempfs/out.$$

if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < /var/tempfs/out.$$
  then
## Change the Email address where you want your spam to get fwd to
  $SENDMAIL -f [EMAIL PROTECTED] < /var/tempfs/out.$$
  else
###$SENDMAIL "$@" < /var/tempfs/out.$$
$SENDMAIL $@ < /var/tempfs/out.$$
  fi
# Postfix returns the exit status of the Postfix sendmail command.
exit $?

I made these changes in master.cf file..
Changed this line by adding "-o content_filter=spamfilter:dummy" to the 
default
smtp  inet  n   -   n   -   -   smtpd -o 
content_filter=spamfilter:dummy
Added next two lines..
spamfilter unix -   n   n   -   -   pipe
  flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter -f ${sender} 
-- ${recipient}

Once postfix reloaded I can see that mails are being processed by 
spamfilter.
But for some mails I get these kind of error in the log file and user 
receives mail from MAILER-DAEMON
Can some please tell me why we get these only for some mail and how to 
get rid of this problem.

Jun  7 10:51:44 localmail spamd[14011]: spamd: identified spam 
(17.8/6.8) for spamfilter:7715 in 2.3 seconds, 1753 bytes.
Jun  7 10:51:44 localmail spamd[14011]: spamd: result: Y 17 - 
MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID,RCVD_IN_BL_SPAMCOP_NET,UNPARSEAB
LE_RELAY,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC
_SURBL,URIBL_WS_SURBL 
scantime=2.3,size=1753,user=spamfilter,uid=7715,required_score=6.8,rhost
=localhost.localdomain,raddr=127.0.0.1,rport=33304,mid=<200606071751.k57
[EMAIL PROTECTED]>,autolearn=no 

Jun  7 10:51:44 localmail postfix/sendmail[14909]: fatal: Recipient 
addresses must be specified on the command line or via the -t option
Jun  7 10:51:44 localmail spamd[14009]: prefork: child states: II
Jun  7 17:51:45 localmail postfix/postdrop[14910]: warning: stdin: 
unexpected EOF in data, record type 78 length 85
Jun  7 10:51:45 localmail postfix/postdrop[14910]: fatal: uid=7715: 
malformed input
Jun  7 10:51:46 localmail postfix/pipe[13865]: DA97E60EB2: 
to=<[EMAIL PROTECTED]>, relay=spamfilter, delay=5, 
status=bounced (command line usage error. Command output: 
sendmail.postfix: fatal: Recipient addresses must be specified on the 
command line or via the -t option postdrop: warning: stdin: unexpected 
EOF in data, record type 78 length 85 postdrop: fatal: uid=7715: 
malformed input )
Jun  7 10:51:46 localmail postfix/cleanup[13864]: 6AF4562F46: 
message-id=<[EMAIL PROTECTED]>
Jun  7 10:51:46 localmail postfix/qmgr[13851]: 6AF4562F46: from=<>, 
size=3990, nrcpt=1 (queue active)
Jun  7 10:51:46 localmail postfix/qmgr[13851]: DA97E60EB2: removed
Jun  7 10:51:46 localmail postfix/smtp[14867]: 6AF4562F46: 
to=<[EMAIL PROTECTED]>, relay=mail.aleks.com[216.34.240.136], 
delay=0, status=sent (250 2.0.0 k57HpkM18899 Message accepted for
delivery)
Jun  7 10:51:46 localmail postfix/qmgr[13851]: 6AF4562F46: removed
Jun  7 10:51:48 localmail postfix/smtpd[13861]: connect from 
ip26.aleks.com[216.34.240.160]
Jun  7 10:51:48 localmail postfix/smtpd[13861]: 5F35C60EB2: 
client=ip26.aleks.com[216.34.240.160]
Jun  7 10:51:48 localmail postfix/cleanup[13913]: 5F35C60EB2: 
message-id=<[EMAIL PROTECTED]>





Re: Stock Spams; aka Pump and Dump part 2

2006-06-07 Thread Ben Lentz
> Ben Lentz wrote:
>>
>> Thanks, I'll definitely have to give that KAM ruleset a spin
>> on our
>> system. Any chance you could tell me where that TVD tag is
>> coming from?
>> Is that another SARE rule?
>
> That's from sa-update.  (TVD = Theo Van Dinter)
>
> If you are worried about sa-update breaking your system, you
> can run:
>
> sa-update --updatedir /tmp/updates
>
> to download the updates to a temp directory and then copy
> 80_additional.cf to your local rules directory - that's where
> the new
> rules seem to be.  I can't promise that won't break something
> else, though.
>

That's fantastic, thanks for the tip.



Spam assassin and postfix..

2006-06-07 Thread J Rangi

Hello,
I configured SpamAssassin with postfix.
SpamAssassin version is   spamassassin-3.0.3-4.fc4
Here is my spam filter script..

[EMAIL PROTECTED] log]# cat /usr/local/bin/spamfilter
#variables
SENDMAIL="/usr/sbin/sendmail.postfix -i"
EGREP=/bin/egrep
# Exit codes from 
EX_UNAVAILABLE=69
# Number of *'s in X-Spam-level header needed to sideline message:
# (Eg. Score of 5.5 = "*" )
SPAMLIMIT=5
# Clean up when done or when aborting.
trap "rm -f /var/tempfs/out.$$" 0 1 2 3 15
# Pipe message to spamc
cat | /usr/bin/spamc -u spamfilter > /var/tempfs/out.$$

if $EGREP -q "^X-Spam-Level: \*{$SPAMLIMIT,}" < /var/tempfs/out.$$
 then
## Change the Email address where you want your spam to get fwd to
 $SENDMAIL -f [EMAIL PROTECTED] < /var/tempfs/out.$$
 else
   ###$SENDMAIL "$@" < /var/tempfs/out.$$
   $SENDMAIL $@ < /var/tempfs/out.$$
 fi
# Postfix returns the exit status of the Postfix sendmail command.
exit $?

I made these changes in master.cf file..
Changed this line by adding "-o content_filter=spamfilter:dummy" to the 
default
smtp  inet  n   -   n   -   -   smtpd -o 
content_filter=spamfilter:dummy

Added next two lines..
spamfilter unix -   n   n   -   -   pipe
 flags=Rq user=spamfilter argv=/usr/local/bin/spamfilter -f ${sender} 
-- ${recipient}


Once postfix reloaded I can see that mails are being processed by 
spamfilter.
But for some mails I get these kind of error in the log file and user 
receives mail from MAILER-DAEMON
Can some please tell me why we get these only for some mail and how to 
get rid of this problem.


Jun  7 10:51:44 localmail spamd[14011]: spamd: identified spam 
(17.8/6.8) for spamfilter:7715 in 2.3 seconds, 1753 bytes.
Jun  7 10:51:44 localmail spamd[14011]: spamd: result: Y 17 - 
MSGID_FROM_MTA_HEADER,MSGID_FROM_MTA_ID,RCVD_IN_BL_SPAMCOP_NET,UNPARSEABLE_RELAY,URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL 
scantime=2.3,size=1753,user=spamfilter,uid=7715,required_score=6.8,rhost=localhost.localdomain,raddr=127.0.0.1,rport=33304,mid=<[EMAIL PROTECTED]>,autolearn=no 

Jun  7 10:51:44 localmail postfix/sendmail[14909]: fatal: Recipient 
addresses must be specified on the command line or via the -t option

Jun  7 10:51:44 localmail spamd[14009]: prefork: child states: II
Jun  7 17:51:45 localmail postfix/postdrop[14910]: warning: stdin: 
unexpected EOF in data, record type 78 length 85
Jun  7 10:51:45 localmail postfix/postdrop[14910]: fatal: uid=7715: 
malformed input
Jun  7 10:51:46 localmail postfix/pipe[13865]: DA97E60EB2: 
to=<[EMAIL PROTECTED]>, relay=spamfilter, delay=5, 
status=bounced (command line usage error. Command output: 
sendmail.postfix: fatal: Recipient addresses must be specified on the 
command line or via the -t option postdrop: warning: stdin: unexpected 
EOF in data, record type 78 length 85 postdrop: fatal: uid=7715: 
malformed input )
Jun  7 10:51:46 localmail postfix/cleanup[13864]: 6AF4562F46: 
message-id=<[EMAIL PROTECTED]>
Jun  7 10:51:46 localmail postfix/qmgr[13851]: 6AF4562F46: from=<>, 
size=3990, nrcpt=1 (queue active)

Jun  7 10:51:46 localmail postfix/qmgr[13851]: DA97E60EB2: removed
Jun  7 10:51:46 localmail postfix/smtp[14867]: 6AF4562F46: 
to=<[EMAIL PROTECTED]>, relay=mail.aleks.com[216.34.240.136], 
delay=0, status=sent (250 2.0.0 k57HpkM18899 Message accepted for delivery)

Jun  7 10:51:46 localmail postfix/qmgr[13851]: 6AF4562F46: removed
Jun  7 10:51:48 localmail postfix/smtpd[13861]: connect from 
ip26.aleks.com[216.34.240.160]
Jun  7 10:51:48 localmail postfix/smtpd[13861]: 5F35C60EB2: 
client=ip26.aleks.com[216.34.240.160]
Jun  7 10:51:48 localmail postfix/cleanup[13913]: 5F35C60EB2: 
message-id=<[EMAIL PROTECTED]>






blocking email from Vietnam is not working...

2006-06-07 Thread Screaming Eagle
I have this in local.cf file:
describe BL_COUNTRY_VN_1 Mail client in Vietnam
header   BL_COUNTRY_VN_1 eval:check_rbl('vietnam', 'vn.countries.nerd.dk')
score    BL_COUNTRY_VN_1 8.0
tflags   BL_COUNTRY_VN_1 net

Why is it not working? I get an email from Vietnam, and the score is 0. See below. Any idea?

X-Spam-Status: No, score=0.0 required=8.0 tests=BAYES_50 autolearn=ham 

version=3.1.0

X-Spam-Level: 

Received: from 4CFD6728 (adsl.hnpt.com.vn [203.210.231.8] (may be forged))



Thanks.


Re: Odd DCC Hit

2006-06-07 Thread Matt Kettler
David Goldsmith wrote:
> I just got a posting from the pen-test Security Focus mailing list.
> Here are the scores it got:
>
> X-Spam-Level: **
> X-Spam-Status: No, score=6.1 required=6.8 tests=DCC_CHECK,NO_REAL_NAME,
> UNPARSEABLE_RELAY,URIBL_BLACK autolearn=no version=3.1.3


> I can possibly understand the "list sponsored by " website URL
> being in a URIBL and generating a hit but how could this messages have
> generated "many" hits from DCC?

That's quite normal for really large mailing lists. DCC does NOT
strictly match spam. It matches bulk mail. Period.

DCC does not care if that bulk is a result of spamming, or merely
large-scale distribution. The security focus mailing lists have a truly
huge scale of distribution, and many subscribers there use DCC. Most of
those subscribers, such as yourself, are not using DCC correctly.

By default, every message received by your site is reported to the DCC
system. Every message. Spam or not.



In general, to DCC there's no difference between checking and reporting.
Thus, you must configure DCC to explicitly whitelist messages from
your legitimate bulk senders, as otherwise they will be reported as soon
as you receive the message.




Re: Stock Spams; aka Pump and Dump part 2

2006-06-07 Thread Stuart Johnston

Ben Lentz wrote:


Thanks, I'll definitely have to give that KAM ruleset a spin on our 
system. Any chance you could tell me where that TVD tag is coming from? 
Is that another SARE rule?


That's from sa-update.  (TVD = Theo Van Dinter)

If you are worried about sa-update breaking your system, you can run:

sa-update --updatedir /tmp/updates

to download the updates to a temp directory and then copy 
80_additional.cf to your local rules directory - that's where the new 
rules seem to be.  I can't promise that won't break something else, though.


Re: Stock Spams; aka Pump and Dump part 2

2006-06-07 Thread Ben Lentz

- Original Message -
From: David Goldsmith <[EMAIL PROTECTED]>
Sent: 06/07/2006 04:56:37 PM
To: users@spamassassin.apache.org
Subject: Stock Spams; aka Pump and Dump part 2





Ben Lentz wrote:
  

Greetings list,
I've been reading a pretty active and recent thread from one of the
sa-users mailing list archives that talks about a high rate of these
stock spams that are getting through. I, too, am currently suffering
from this problem and am wondering if anyone has any recommendations. I
would've joined in the conversation, but I just now subscribed to the
list. Apologies in advance...

I'm running 3.1.2 (just saw the 3.1.3 security update, I'll be upgrading
shortly) with bayes and network tests on, including the DCC, Razor2, and
Pyzor digest checks. Our bayes learning is configured for both autolearn
and based on feedback from the users via IMAP folders, stored in a MySQL
backend database. My bayes_seen table has 343,697 records in it. I am
also using the SARE stock spam custom rule set. Every message that comes
through does hit on the Bayes check, and usually registers somewhere
between 0% - 60%, so it won't produce a point value.



I've just setup Razor, DCC and Pyzor this week on our server and it
definitely makes a difference.

  

So, I'm kinda of the impression that I'm doing everything I'm supposed
to, but somehow these messages are all getting through with little to no
point value. Our threshold is only 4.0.



  

In addition to these:


***BREAKING NEWS ALERT ISSUED
We think the fun is just beginning with this stock.

Trade Date : 7 June 2006
Name : AbsoluteSKY, Inc.
S t o c k  :  A B S Y
Today : $0.95
10month Target : $1 - $3
Recommendation : 300-500%

That would be well over a 300% gain from these levels.
Big watch in play this tomorrow morning!
This stock will explode!
Do not wait until it is too late!!!
  


My scores for a similar ABSY pump/dump email:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 2.4 TVD_STOCK1             BODY: Message looks like it's pushing a stock...
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 0.8 SARE_RMML_Stock7       BODY: SARE_RMML_Stock7
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5001]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see
                            ]

  

We're also getting these:


The average home-loan we've given out this month is $400,000.00 @
  

4.03% int!


We do not care about your current credit/financial situation.

Last 3 closed-loans:

1. Holder, Natasha Houston, Texas 271,000 @ 4.12%
2. Chavez, Tyson Orlando, Florida 314,000 @ 4.33%
3. Hargrove, Ava Augusta, Georgia 713,000 @ 3.22%
  


I have also added the KAM.cf file (you can get it from
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf)

Our server is blocking messages like this one.  Here are the
scores/rules we are giving it:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.5 KAM_GEO_STRING2        URI: Use of geocities very likely spam as of Dec
                            2005
 2.2 DCC_CHECK              Listed in DCC
                            (http://rhyolite.com/anti-spam/dcc/)
 1.7 SARE_SPEC_XXGEOCITIES2 spamsign pointing to free webhost spam site
 0.0 AWL                    AWL: From: address is in the auto white-list

So 6.7 points came from DCC and the KAM.cf file

  

Any help would be greatly appreciated. Maybe I just need to start
regexing my heart out, but everything's always worked so well basically
out of the box with SA and the network checks. I also can't figure out
how these emails aren't getting listed in DCC, Pyzor, and Razor2. (Also,
my current Pyzor server is 82.94.255.100:24441, as the pyzor discover
one has been down)



Prior to my last weeks upgrades of current SA (3.1.3), sa-update for
latest default ruleset, current RDJ script and latest SARE rulesets and
Razor,Pyzor and DCC hashes, we did a lot of regex rules ourselves in a
site-specific *.cf file.  After adding the above-mentioned features, I
have removed all of our regex rules and pretty much everything is
catching.  Any messages that our rules would have added points to are
already scoring high enough.

  
Thanks 



Dave
  


Thanks, I'll definitely have to give that KAM ruleset a spin on our 
system. Any chance you could tell me where that TVD tag is coming from? 
Is that another SARE rule?


As an as

Re: sa-learn --username option

2006-06-07 Thread Jonathan Armitage

In Solaris, that would be something like:

su - user1 -c "sa-learn --spam /home/user2/Maildir/.Spam/cur/"

Jon


Aaron Axelsen wrote:

I am trying to run a cronjob as root which will learn a different
accounts spam into my spam db.  Example command:

sa-learn -u user1 --spam /home/user2/Maildir/.Spam/cur/

When the command runs, it learns the spam into /root/.spamassassin
instead of /home/user1/.spamassassin




Re: Stock Spams; aka Pump and Dump part 2

2006-06-07 Thread David Goldsmith

Ben Lentz wrote:
> Greetings list,
> I've been reading a pretty active and recent thread from one of the
> sa-users mailing list archives that talks about a high rate of these
> stock spams that are getting through. I, too, am currently suffering
> from this problem and am wondering if anyone has any recommendations. I
> would've joined in the conversation, but I just now subscribed to the
> list. Apologies in advance...
> 
> I'm running 3.1.2 (just saw the 3.1.3 security update, I'll be upgrading
> shortly) with bayes and network tests on, including the DCC, Razor2, and
> Pyzor digest checks. Our bayes learning is configured for both autolearn
> and based on feedback from the users via IMAP folders, stored in a MySQL
> backend database. My bayes_seen table has 343,697 records in it. I am
> also using the SARE stock spam custom rule set. Every message that comes
> through does hit on the Bayes check, and usually registers somewhere
> between 0% - 60%, so it won't produce a point value.

I've just setup Razor, DCC and Pyzor this week on our server and it
definitely makes a difference.

> So, I'm kinda of the impression that I'm doing everything I'm supposed
> to, but somehow these messages are all getting through with little to no
> point value. Our threshold is only 4.0.

> In addition to these:
>> ***BREAKING NEWS ALERT ISSUED
>> We think the fun is just beginning with this stock.
>>
>> Trade Date : 7 June 2006
>> Name : AbsoluteSKY, Inc.
>> S t o c k  :  A B S Y
>> Today : $0.95
>> 10month Target : $1 - $3
>> Recommendation : 300-500%
>>
>> That would be well over a 300% gain from these levels.
>> Big watch in play this tomorrow morning!
>> This stock will explode!
>> Do not wait until it is too late!!!

My scores for a similar ABSY pump/dump email:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 2.4 TVD_STOCK1             BODY: Message looks like it's pushing a stock...
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 0.8 SARE_RMML_Stock7       BODY: SARE_RMML_Stock7
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5001]
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]

> We're also getting these:
>> The average home-loan we've given out this month is $400,000.00 @
>> 4.03% int!
>> We do not care about your current credit/financial situation.
>>
>> Last 3 closed-loans:
>>
>> 1. Holder, Natasha Houston, Texas 271,000 @ 4.12%
>> 2. Chavez, Tyson Orlando, Florida 314,000 @ 4.33%
>> 3. Hargrove, Ava Augusta, Georgia 713,000 @ 3.22%

I have also added the KAM.cf file (you can get it from
http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf)

Our server is blocking messages like this one.  Here are the
scores/rules we are giving it:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.5 KAM_GEO_STRING2        URI: Use of geocities very likely spam as of Dec 2005
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 1.7 SARE_SPEC_XXGEOCITIES2 spamsign pointing to free webhost spam site
 0.0 AWL                    AWL: From: address is in the auto white-list

So 6.7 points came from DCC and the KAM.cf file

> Any help would be greatly appreciated. Maybe I just need to start
> regexing my heart out, but everything's always worked so well basically
> out of the box with SA and the network checks. I also can't figure out
> how these emails aren't getting listed in DCC, Pyzor, and Razor2. (Also,
> my current Pyzor server is 82.94.255.100:24441, as the pyzor discover
> one has been down)

Prior to my last weeks upgrades of current SA (3.1.3), sa-update for
latest default ruleset, current RDJ script and latest SARE rulesets and
Razor,Pyzor and DCC hashes, we did a lot of regex rules ourselves in a
site-specific *.cf file.  After adding the above-mentioned features, I
have removed all of our regex rules and pretty much everything is
catching.  Any messages that our rules would have added points to are
already scoring high enough.

> Thanks 

Dave


Re: is there a way to block email coming from

2006-06-07 Thread Steven W. Orr
On Wednesday, Jun 7th 2006 at 09:53 -0700, quoth John D. Hardin:

=>On Wed, 7 Jun 2006, Screaming Eagle wrote:
=>
=>> country, other than USA?  How would you look up the network block
=>> on country such as Romania, China, Taiwan,Thailand, Korea, and so
=>> on...
=>
=>describe BL_COUNTRY_TW_1 Mail client in Taiwan
=>header   BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')
=>score    BL_COUNTRY_TW_1 0.5
=>tflags   BL_COUNTRY_TW_1 net

I'm running a sendmail server and I already block a few countries in my mc 
file. e.g., 

FEATURE(enhdnsbl,`kr.countries.nerd.dk', `SPAM from Korea:$&{client_addr} rejected',`t')dnl
FEATURE(enhdnsbl,`cn.countries.nerd.dk', `SPAM from China:$&{client_addr} rejected',`t')dnl

Are there any pros or cons to doing the checks in the mc file vs sa 
config? In the case of sa I am using spamass-milter so the message will be 
rejected either way.

TIA

-- 
Time flies like the wind. Fruit flies like a banana. Stranger things have
happened but none stranger than this. Does your driver's license say Organ
Donor? Black holes are where God divided by zero. Listen to me! We are all
individuals! What if this weren't a hypothetical question?
steveo at syslang.net


Stock Spams; aka Pump and Dump part 2

2006-06-07 Thread Ben Lentz

Greetings list,
I've been reading a pretty active and recent thread from one of the 
sa-users mailing list archives that talks about a high rate of these 
stock spams that are getting through. I, too, am currently suffering 
from this problem and am wondering if anyone has any recommendations. I 
would've joined in the conversation, but I just now subscribed to the 
list. Apologies in advance...


I'm running 3.1.2 (just saw the 3.1.3 security update, I'll be upgrading 
shortly) with bayes and network tests on, including the DCC, Razor2, and 
Pyzor digest checks. Our bayes learning is configured for both autolearn 
and based on feedback from the users via IMAP folders, stored in a MySQL 
backend database. My bayes_seen table has 343,697 records in it. I am 
also using the SARE stock spam custom rule set. Every message that comes 
through does hit on the Bayes check, and usually registers somewhere 
between 0% - 60%, so it won't produce a point value.


So, I'm kinda of the impression that I'm doing everything I'm supposed 
to, but somehow these messages are all getting through with little to no 
point value. Our threshold is only 4.0.


In addition to these:
> ***BREAKING NEWS ALERT ISSUED
> We think the fun is just beginning with this stock.
>
> Trade Date : 7 June 2006
> Name : AbsoluteSKY, Inc.
> S t o c k  :  A B S Y
> Today : $0.95
> 10month Target : $1 - $3
> Recommendation : 300-500%
>
> That would be well over a 300% gain from these levels.
> Big watch in play this tomorrow morning!
> This stock will explode!
> Do not wait until it is too late!!!

We're also getting these:
> The average home-loan we've given out this month is $400,000.00 @
> 4.03% int!

> We do not care about your current credit/financial situation.
>
> Last 3 closed-loans:
>
> 1. Holder, Natasha Houston, Texas 271,000 @ 4.12%
> 2. Chavez, Tyson Orlando, Florida 314,000 @ 4.33%
> 3. Hargrove, Ava Augusta, Georgia 713,000 @ 3.22%
>
> http://geocities.yahoo.com.br/fearing_04toppingss4


Any help would be greatly appreciated. Maybe I just need to start 
regexing my heart out, but everything's always worked so well basically 
out of the box with SA and the network checks. I also can't figure out 
how these emails aren't getting listed in DCC, Pyzor, and Razor2. (Also, 
my current Pyzor server is 82.94.255.100:24441, as the pyzor discover 
one has been down)


Thanks




Re: get this type of spam....

2006-06-07 Thread David Goldsmith

Bowie Bailey wrote:
> Jim Knuth wrote:
>> Today (07.06.2006/20:56) Screaming Eagle wrote,
>>
>>> All,
>>> I am getting this type of spam:
>>> X-Spam-Status: No, score=1.6 required=8.0
>>> tests=BAYES_50,DRUGS_MUSCLE,
>>> FORGED_RCVD_HELO,HTML_40_50,HTML_MESSAGE autolearn=no 
>>> How can I look up the definition of  DRUGS_MUSCLE and
>>> FORGE_RCVD_HELO? 
>> grep in all *.cf
> 
> To find default rules:
> grep DRUGS_MUSCLE /usr/share/spamassassin/*.cf
> 
> To find add-on rules:
> grep DRUGS_MUSCLE /etc/mail/spamassassin/*.cf

Also files in directories under /var/lib/spamassassin if you are using
the 'sa-update' tool to pull down updated default SA rules.  For
example, with SA 3.1.3:

   grep DRUGS_MUSCLE /var/lib/spamassassin/3.001003/updates_spamassassin_org/*.cf

Dave


RE: get this type of spam....

2006-06-07 Thread Bowie Bailey
Jim Knuth wrote:
> Today (07.06.2006/20:56) Screaming Eagle wrote,
> 
> > All,
> > I am getting this type of spam:
> > X-Spam-Status: No, score=1.6 required=8.0
> > tests=BAYES_50,DRUGS_MUSCLE,
> > FORGED_RCVD_HELO,HTML_40_50,HTML_MESSAGE autolearn=no 
> 
> > How can I look up the definition of  DRUGS_MUSCLE and
> > FORGE_RCVD_HELO? 
> 
> grep in all *.cf

To find default rules:
grep DRUGS_MUSCLE /usr/share/spamassassin/*.cf

To find add-on rules:
grep DRUGS_MUSCLE /etc/mail/spamassassin/*.cf

-- 
Bowie


Re: get this type of spam....

2006-06-07 Thread Jim Knuth
Today (07.06.2006/20:56) Screaming Eagle wrote,

> All,
> I am getting this type of spam:
> X-Spam-Status: No, score=1.6 required=8.0 tests=BAYES_50,DRUGS_MUSCLE,
> FORGED_RCVD_HELO,HTML_40_50,HTML_MESSAGE autolearn=no

> How can I look up the definition of  DRUGS_MUSCLE and FORGE_RCVD_HELO?

> Thanks.


grep in all *.cf


-- 
Best regards, Kind regards,
 Jim Knuth
 [EMAIL PROTECTED]
 ICQ #277289867
--
Random quote
--
Health is the condition of a person who has not been examined
often enough. (Dirk Maxeiner and Michael Miersch)
--
This text has nothing to do with the recipient of the mail
--
Virus free. Checked by NOD32 Version 1.1584 Build 7426  07.06.2006



get this type of spam....

2006-06-07 Thread Screaming Eagle
All,
I am getting this type of spam: 

X-Spam-Status: No, score=1.6 required=8.0 tests=BAYES_50,DRUGS_MUSCLE,

FORGED_RCVD_HELO,HTML_40_50,HTML_MESSAGE autolearn=no



How can I look up the definition of  DRUGS_MUSCLE and FORGE_RCVD_HELO?

Thanks.



Re: is there a way to block email coming from

2006-06-07 Thread John D. Hardin

You can also block specific ISPs, with varying degrees of reliability.
For example:

describe BL_COUNTRY_FR_2 Mail client in France
header   BL_COUNTRY_FR_2 eval:check_rbl('wanadoo-fr', 'wanadoo-fr.blackholes.us')
score    BL_COUNTRY_FR_2 0.5
tflags   BL_COUNTRY_FR_2 net

Wanadoo is a French ISP that has a lot of dynamic-IP spammers.

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]   FALaholic #11174   pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Look at the people at the top of both efforts. Linus Torvalds is a
 university graduate with a CS degree. Bill Gates is a university
 dropout who bragged about dumpster-diving and using other peoples'
 garbage code as the basis for his code. Maybe that has something to
 do with the difference in quality/security between Linux and
 Windows.  -- anytwofiveelevenis on Y! SCOX
--
 11 days until SWMBO's Birthday



Re: is there a way to block email coming from

2006-06-07 Thread John D. Hardin
On Wed, 7 Jun 2006, Screaming Eagle wrote:

> Is BL_COUNTRY_TW_1 for all country? "Mail client in Taiwan" is an arg value?
> If so, then this Syntax would be o.k:
> describe BL_COUNTRY_TW_1 Mail client in Korea?

Sorry, I assumed you were familiar with the syntax of rules in SA.

> On 6/7/06, John D. Hardin <[EMAIL PROTECTED]> wrote:
> >
> > On Wed, 7 Jun 2006, Screaming Eagle wrote:
> >
> > > country, other than USA?  How would you look up the network block
> > > on country such as Romania, China, Taiwan,Thailand, Korea, and so
> > > on...
> >
> > describe BL_COUNTRY_TW_1 Mail client in Taiwan

BL_COUNTRY_TW_1 is a unique label for this rule. For other country
rules, you'd change the "TW" part as appropriate. I recommend sticking
to the ISO two-letter country codes. If you had more than one rule for
a country you'd increment the "1" as appropriate. For example:

  describe BL_COUNTRY_KR_1 Mail client in Korea

> > header   BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')

This says the check is a RBL test. You need to alter the label and
substitute arguments as appropriate. The appropriate substitutions
should be fairly obvious:

  header   BL_COUNTRY_KR_1 eval:check_rbl('korea', 'kr.countries.nerd.dk')

> > score    BL_COUNTRY_TW_1 0.5
> > tflags   BL_COUNTRY_TW_1 net

These set the score for a match (higher is more spammy) and flags the
test as a network test. If you really wanted to punish someone in
Korea contacting your mail server, you would set a high score:

  score    BL_COUNTRY_KR_1 5.0
  tflags   BL_COUNTRY_KR_1 net


You would end up with a block of rules that might look something like
this:


describe BL_COUNTRY_TH_1 Mail client in Thailand
header   BL_COUNTRY_TH_1 eval:check_rbl('thailand', 'th.countries.nerd.dk')
score    BL_COUNTRY_TH_1 0.5
tflags   BL_COUNTRY_TH_1 net

describe BL_COUNTRY_JP_1 Mail client in Japan
header   BL_COUNTRY_JP_1 eval:check_rbl('japan', 'jp.countries.nerd.dk')
score    BL_COUNTRY_JP_1 0.5
tflags   BL_COUNTRY_JP_1 net

describe BL_COUNTRY_CN_1 Mail client in China
header   BL_COUNTRY_CN_1 eval:check_rbl('china', 'cn.countries.nerd.dk')
score    BL_COUNTRY_CN_1 0.5
tflags   BL_COUNTRY_CN_1 net

describe BL_COUNTRY_TW_1 Mail client in Taiwan
header   BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')
score    BL_COUNTRY_TW_1 0.5
tflags   BL_COUNTRY_TW_1 net

describe BL_COUNTRY_KR_1 Mail client in Korea
header   BL_COUNTRY_KR_1 eval:check_rbl('korea', 'kr.countries.nerd.dk')
score    BL_COUNTRY_KR_1 0.5
tflags   BL_COUNTRY_KR_1 net

describe BL_COUNTRY_MX_1 Mail client in Mexico
header   BL_COUNTRY_MX_1 eval:check_rbl('mexico', 'mexico.blackholes.us')
score    BL_COUNTRY_MX_1 0.5
tflags   BL_COUNTRY_MX_1 net

describe BL_COUNTRY_MX_2 Mail client in Mexico
header   BL_COUNTRY_MX_2 eval:check_rbl('mexico', 'mx.countries.nerd.dk')
score    BL_COUNTRY_MX_2 0.5
tflags   BL_COUNTRY_MX_2 net


Note the two Mexico rules. It is possible for nerd.dk and
blackholes.us to list different netblocks due to the way they obtain
the IP -> Country mappings. One or the other may be "more fresh".

Hope this helps!

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]   FALaholic #11174   pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Look at the people at the top of both efforts. Linus Torvalds is a
 university graduate with a CS degree. Bill Gates is a university
 dropout who bragged about dumpster-diving and using other peoples'
 garbage code as the basis for his code. Maybe that has something to
 do with the difference in quality/security between Linux and
 Windows.  -- anytwofiveelevenis on Y! SCOX
--
 11 days until SWMBO's Birthday
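
A parser and consistency checker for rule blocks of the kind shown above, written here as an added example (it is not SpamAssassin code and not code from any poster); it flags a copied rule whose DNS zone does not match its country code, a missing score line, a missing 'net' flag, and lost whitespace between a keyword and the rule name, and its describe_rule() answers the earlier "how do I look up the definition of a rule" question from parsed data instead of grep. The sample block and its two deliberately broken rules are constructed.

```python
"""Parse and sanity-check SpamAssassin rule snippets of the describe /
header / score / tflags kind.  Added example for this thread; it is not
SpamAssassin code and not code from any poster."""
import re
from collections import defaultdict

# Constructed sample: two rules as posted in the thread plus two deliberately
# broken ones (a copied rule whose zone was not changed, and a rule where the
# whitespace between "score" and the rule name was lost and tflags lacks net).
SAMPLE_CF = """
describe BL_COUNTRY_TW_1 Mail client in Taiwan
header   BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')
score    BL_COUNTRY_TW_1 0.5
tflags   BL_COUNTRY_TW_1 net

describe BL_COUNTRY_MX_1 Mail client in Mexico
header   BL_COUNTRY_MX_1 eval:check_rbl('mexico', 'mexico.blackholes.us')
score    BL_COUNTRY_MX_1 0.5
tflags   BL_COUNTRY_MX_1 net

# constructed mistake: TW rule copied for Korea, zone left unchanged
describe BL_COUNTRY_KR_1 Mail client in Korea
header   BL_COUNTRY_KR_1 eval:check_rbl('korea', 'tw.countries.nerd.dk')
score    BL_COUNTRY_KR_1 0.5
tflags   BL_COUNTRY_KR_1 net

# constructed mistake: lost whitespace after "score", and no "net" flag
describe BL_COUNTRY_CN_1 Mail client in China
header   BL_COUNTRY_CN_1 eval:check_rbl('china', 'cn.countries.nerd.dk')
scoreBL_COUNTRY_CN_1 5.0
tflags   BL_COUNTRY_CN_1
"""

DIRECTIVES = ("describe", "header", "score", "tflags")
COUNTRY_RULE_RE = re.compile(r"^BL_COUNTRY_([A-Z]{2})_(\d+)$")
CHECK_RBL_RE = re.compile(r"^eval:check_rbl\('([^']+)',\s*'([^']+)'\)$")


def parse_cf(text):
    """Return (rules, errors).  rules maps rule name -> {directive: value}."""
    rules = defaultdict(dict)
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)          # directive, rule name, rest
        directive = parts[0]
        if directive not in DIRECTIVES:
            errors.append(f"line {lineno}: unknown directive {directive!r} "
                          "(whitespace lost between keyword and rule name?)")
            continue
        if len(parts) < 2:
            errors.append(f"line {lineno}: {directive} without a rule name")
            continue
        rules[parts[1]][directive] = parts[2] if len(parts) > 2 else ""
    return dict(rules), errors


def check_country_rules(rules):
    """Apply the thread's conventions to every BL_COUNTRY_<CC>_<n> rule."""
    problems = []
    for name, body in sorted(rules.items()):
        match = COUNTRY_RULE_RE.match(name)
        if not match:
            continue
        cc = match.group(1)
        for directive in DIRECTIVES:
            if directive not in body:
                problems.append(f"{name}: missing {directive} line")
        header = body.get("header", "")
        rbl = CHECK_RBL_RE.match(header)
        if header and not rbl:
            problems.append(f"{name}: header is not an eval:check_rbl() test")
        elif rbl:
            zone = rbl.group(2)
            # countries.nerd.dk zones are named after the ISO code itself
            if zone.endswith(".countries.nerd.dk") and zone.split(".")[0] != cc.lower():
                problems.append(f"{name}: zone {zone} does not match country {cc}")
        if "tflags" in body and "net" not in body["tflags"].split():
            problems.append(f"{name}: DNSBL test must carry 'tflags {name} net'")
        try:
            float(body.get("score", "0"))
        except ValueError:
            problems.append(f"{name}: score {body['score']!r} is not a number")
    return problems


def describe_rule(rules, name):
    """Look up a rule's description (the grep-in-*.cf question, from parsed data)."""
    body = rules.get(name)
    return None if body is None else body.get("describe", "")


if __name__ == "__main__":
    rules, errors = parse_cf(SAMPLE_CF)
    for err in errors:
        print("parse:", err)
    for problem in check_country_rules(rules):
        print("check:", problem)
    print(describe_rule(rules, "BL_COUNTRY_TW_1"))
```

Point parse_cf() at a real site-specific *.cf to run the same checks on your own country rules before spamassassin --lint does.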



Odd DCC Hit

2006-06-07 Thread David Goldsmith

I just got a posting from the pen-test Security Focus mailing list.
Here are the scores it got:

X-Spam-Level: **
X-Spam-Status: No, score=6.1 required=6.8 tests=DCC_CHECK,NO_REAL_NAME,
UNPARSEABLE_RELAY,URIBL_BLACK autolearn=no version=3.1.3
X-Spam-Pyzor: Reported 0 times.
X-Spam-DD: EATSERVER:iceman12.giac.net 1166; Body=many Fuz1=many Fuz2=many
X-Spam-Report:
*  1.0 NO_REAL_NAME From: does not include a real name
*  0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
*  2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
*  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*  [URIs: cenzic.com]

I can possibly understand the "list sponsored by " website URL
being in a URIBL and generating a hit but how could this message have
generated "many" hits from DCC?

Dave


RE: All digits

2006-06-07 Thread Chris Santerre

> -Original Message-
> From: jdow [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 07, 2006 5:40 AM
> To: users@spamassassin.apache.org
> Subject: Re: All digits
> 
> 
> From: "" <[EMAIL PROTECTED]>
> 
> >I have to wonder if a spammer is testing their Zombies since 
> all I have received are from
> > Dialup/broadband customers.  Could this be the rain before 
> the flood of spam/virus?
> >
> > 
> 
> Word is that it may be a test run of a new version of Bagle.


As I use a DUL/DSL pool RBL I've only had 2 ever slip thru. Both already caught as spam. If anything, these 'tests' give the RBL guys a heads up on the Zombie IPs. It's kind of pointless and silly, but then again, I guess that's expected :) 

Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com





Re: is there a way to block email coming from

2006-06-07 Thread Screaming Eagle
Is BL_COUNTRY_TW_1 for all country? "Mail client in Taiwan" is an arg value? If so, then this Syntax would be o.k: 
describe BL_COUNTRY_TW_1 Mail client in Korea?

Thanks.

On 6/7/06, John D. Hardin <[EMAIL PROTECTED]> wrote:
> On Wed, 7 Jun 2006, Screaming Eagle wrote:
>
> > country, other than USA?  How would you look up the network block
> > on country such as Romania, China, Taiwan,Thailand, Korea, and so
> > on...
>
> describe BL_COUNTRY_TW_1 Mail client in Taiwan
> header   BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')
> score    BL_COUNTRY_TW_1 0.5
> tflags   BL_COUNTRY_TW_1 net
>
> --
>  John Hardin KA7OHZ   ICQ#15735746   http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]   FALaholic #11174   pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>  Look at the people at the top of both efforts. Linus Torvalds is a
>  university graduate with a CS degree. Bill Gates is a university
>  dropout who bragged about dumpster-diving and using other peoples'
>  garbage code as the basis for his code. Maybe that has something to
>  do with the difference in quality/security between Linux and
>  Windows.  -- anytwofiveelevenis on Y! SCOX
> --
>  11 days until SWMBO's Birthday


Re: is there a way to block email coming from

2006-06-07 Thread Steve Thomas
> country, other than USA?  How would you look up the network block on
> country
> such as Romania, China, Taiwan,Thailand, Korea, and so on...
>
> Thanks.

Check out http://countries.nerd.dk/ and http://www.blackholes.us/





Re: is there a way to block email coming from

2006-06-07 Thread John D. Hardin
On Wed, 7 Jun 2006, Screaming Eagle wrote:

> country, other than USA?  How would you look up the network block
> on country such as Romania, China, Taiwan,Thailand, Korea, and so
> on...

describe BL_COUNTRY_TW_1 Mail client in Taiwan
header   BL_COUNTRY_TW_1 eval:check_rbl('taiwan', 'tw.countries.nerd.dk')
score    BL_COUNTRY_TW_1 0.5
tflags   BL_COUNTRY_TW_1 net


--
 John Hardin KA7OHZ   ICQ#15735746   http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]   FALaholic #11174   pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Look at the people at the top of both efforts. Linus Torvalds is a
 university graduate with a CS degree. Bill Gates is a university
 dropout who bragged about dumpster-diving and using other peoples'
 garbage code as the basis for his code. Maybe that has something to
 do with the difference in quality/security between Linux and
 Windows.  -- anytwofiveelevenis on Y! SCOX
--
 11 days until SWMBO's Birthday



is there a way to block email coming from

2006-06-07 Thread Screaming Eagle
country, other than USA?  How would you look up the network block
on country such as Romania, China, Taiwan,Thailand, Korea, and so on...

Thanks.


RE: Virtual Users

2006-06-07 Thread Bowie Bailey
Tom Ray wrote:
> 
> I'm trying to do the same thing that David is doing. I have spamd
> running with --config-virtual-dir=/mail/%d/mail/%l so it should expand
> to mail/detroitonline.com/mail/tom for any email being sent to me.
> 
> Within my directory I have a directory called ".spamassassin" and
> within that I have a user_prefs file. I have my score set to 2 while
> the global is set to 5.

I think this is your problem.  With the setting shown above, it will
look for your user_prefs file in the directory specified:

/mail/detroitonline.com/mail/tom/user_prefs

Maybe you want this instead:

--config-virtual-dir=/mail/%d/mail/%l/.spamassassin

> Within exim I have spamc set to run as "spamc -u
> [EMAIL PROTECTED]" which does expand to [EMAIL PROTECTED]
> However I can't find the logfile that David refers to. Spamd start up,
> stops, etc all display with in my syslog as to any -D messages. So I
> have a couple questions..

Right, everything should go to syslog.

> 1) Where do I find that entry at that David refers to?

Syslog.

> 2) Spam is being scanned but it's being scored out of 5 instead of 2
> which means it's reading the global file and not my user file.

Because it's looking in the wrong place for your user_prefs.  See
above.

> 3) It is my understanding that spamc needs to run as a user on the
> machine, but if these are virtual accounts and don't exist on the
> machine how will spamc run everything? In Exim the user exim runs
> everything and all mail files and directories have to be set with exim
> as the user and group.

Exactly.  If the user exim owns the directories, spamc should run as
that user.  You then use the -u option to determine where SA looks
for the user_prefs, Bayes, and AWL files.

> 4) Am I doing this right? I've laid out my specs before and asked that
> but no ones said yes or no.

Pretty close.  Just make the change shown above and you should be
fine.

-- 
Bowie


RE: Spam Virus MX forwarding firewall

2006-06-07 Thread Paul Tenfjord
Hi Phil.

Thank you for the quick reply.
I was considering using amavis, but mailscanner looks promising indeed.
Speed-wise, what do you recommend, amavis versus mailscanner? 
Also does your SA configuration support user defined settings as explained 
previously? Are you storing in sql or userfile? I am very interested in 
hearing about your configuration. 
How high is your server load with 20k per day, and what hardware do you have?

Thanks again.

Paul 

-- Original Message --
From: "Randal, Phil" <[EMAIL PROTECTED]>
Date:  Wed, 7 Jun 2006 16:11:36 +0100 

>Have a look at MailScanner (http://www.mailscanner.info) along with
>MailWatch (http://mailwatch.sf.net), mailscanner-mrtg
>(http://mailscannermrtg.sf.net/), and Vispan
>(http://www.while.org.uk/mailstats/).
>
>Add ClamAV and Bitdefender for Linux to the mix and you're zapping most
>viruses before they get anywhere near your real mail server.
>
>We're happily processing 20,000 emails a day on our MailScanner box.
>
>Cheers,
>
>Phil
>
>--
>Phil Randal
>Network Engineer
>Herefordshire Council
>Hereford, UK  
>
>> -Original Message-
>> From: Paul Tenfjord [mailto:[EMAIL PROTECTED] 
>> Sent: 07 June 2006 15:59
>> To: users@spamassassin.apache.org
>> Subject: Spam Virus MX forwarding firewall
>> 
>> Hello mailing list.
>> My first post, nice to meet you all.
>> 
>> I'm setting up a Spam&Virus mail firewall (forwarding only).
>> This is a MX only server, it has no pop3/imap, it's only 
>> purpose is to clean 
>> mail and route it to the next server which then delivers it 
>> to imap accounts. 
>> For this purpose I am considering Postfix, as I am familiar with it.
>> I am hoping to get some information/suggestions on how to do 
>> this in a way 
>> that is fast,secure, easy to add /domains users and stable. 
>> I need the option to have user specific settings, some 
>> domains wants to route 
>> all spam to [EMAIL PROTECTED], specific domains want to 
>> delete (if SA tags 
>> the mail that is over a certain limit) and some to tag SPAM 
>> in the subject 
>> header. 
>> I am very interested in storing the domains in SQL or LDAP 
>> rather then text 
>> files. Does somebody know the performance loss/gain on sql 
>> versus text file 
>> when dealing with thousands of domains with users. 
>> Also I am interested in statistics on how many mails pass and 
>> how many gets 
>> tagged if this is available somewhere.
>> 
>> A lot of question for a first post, I am hoping for a positive answer.
>> 
>> 
>> 
>> Kind Regards 
>> Paul Tenfjord
>> 
>


Re: Virtual Users

2006-06-07 Thread Tom Ray



Bowie Bailey wrote:

David O'Brien wrote:
  

Hello,

I am running SpamAssassin version 3.0.4-2.fc4, exim 4.62-1.fc4 &
dovecot 0.99.14-4.fc4 


I have virtual users, with mail being stored in the directory format
/data/mail/domain.com/user/ 
So, the mail for [EMAIL PROTECTED] would be stored in
/data/mail/obrien.com/david/ 


I have tried setting the --virtual-config-dir option to
--virtual-config-dir=/data/mail/%d/%l so the user_prefs file would be
created in the correct location, however %d and %l do not seem to be
expanding to the domain and local part of the username.  I am getting
the following in my log file:


"Using default config for nobody: /data/mail///user_prefs"

I have seen this mentioned before, but have not seen a solution. 
Does anyone have any idea what the problem is, and what the solution
is?  



Are you providing the email address via spamc?

spamc -u [EMAIL PROTECTED]

  
I'm trying to do the same thing that David is doing. I have spamd 
running with --config-virtual-dir=/mail/%d/mail/%l so it should expand 
to mail/detroitonline.com/mail/tom for any email being sent to me.


Within my directory I have a directory called ".spamassassin" and within 
that I have a user_prefs file. I have my score set to 2 while the global 
is set to 5.


Within exim I have spamc set to run as "spamc -u 
[EMAIL PROTECTED]" which does expand to [EMAIL PROTECTED] 
However I can't find the logfile that David refers to. Spamd start up, 
stops, etc all display with in my syslog as to any -D messages. So I 
have a couple questions..


1) Where do I find that entry at that David refers to?
2) Spam is being scanned but it's being scored out of 5 instead of 2 
which means it's reading the global file and not my user file.
3) It is my understanding that spamc needs to run as a user on the 
machine, but if these are virtual accounts and don't exist on the 
machine how will spamc run everything? In Exim the user exim runs 
everything and all mail files and directories have to be set with exim 
as the user and group.
4) Am I doing this right? I've laid out my specs before and asked that 
but no ones said yes or no.


Any help would be appreciated.

Thanks.

--

Tom Ray
Detroit Online

http://www.detroitonline.com
Toll Free: 888-235-6817 x501
Local: 313-887-0805 x501



Re: Spam Virus MX forwarding firewall

2006-06-07 Thread DAve

Paul Tenfjord wrote:

Hello mailing list.
My first post, nice to meet you all.

I'm setting up a Spam&Virus mail firewall (forwarding only).
This is a MX only server, it has no pop3/imap, it's only purpose is to clean 
mail and route it to the next server which then delivers it to imap accounts. 
For this purpose I am considering Postfix, as I am familiar with it.
I am hoping to get some information/suggestions on how to do this in a way 
that is fast,secure, easy to add /domains users and stable. 
I need the option to have user specific settings, some domains wants to route 
all spam to [EMAIL PROTECTED], specific domains want to delete (if SA tags 
the mail that is over a certain limit) and some to tag SPAM in the subject 
header. 
I am very interested in storing the domains in SQL or LDAP rather then text 
files. Does somebody know the performance loss/gain on sql versus text file 
when dealing with thousands of domains with users. 
Also I am interested in statistics on how many mails pass and how many gets 
tagged if this is available somewhere.


A lot of question for a first post, I am hoping for a positive answer.



Kind Regards 
Paul Tenfjord





We have the setup you describe implemented via MailScanner, MailWatch, 
and Sendmail+milter-ahead. Works very well.


DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.


RE: Spam Virus MX forwarding firewall

2006-06-07 Thread Bowie Bailey
Paul Tenfjord wrote:
> I'm setting up a Spam&Virus mail firewall (forwarding only).
> This is a MX only server, it has no pop3/imap, it's only purpose is
> to clean mail and route it to the next server which then delivers it
> to imap accounts. For this purpose I am considering Postfix, as I am
> familiar with it. 

I'll leave the implementation details to someone else, I've just got
a general comment on this setup.

Make sure that this mail firewall can reject mail to unknown users.
Otherwise, it will be overwhelmed by having to scan way too many
messages, have a mail queue full of undeliverable bounces, and be
responsible for sending "Delivery Failure" spam to all of the forged
senders.

If the mail firewall can reject unknown users, it will not have to
spend any time scanning those messages and since it rejects them up
front, it doesn't have to send DSNs for them.

On my system, this reduces the load on my mailserver by 75%.  You may
not see this dramatic a difference if you don't get lots of dictionary
attacks, but you should still do it to prevent bouncing messages back
to the people who have had their email addresses forged.

-- 
Bowie


Re: error in spamassassin

2006-06-07 Thread Theo Van Dinter
On Wed, Jun 07, 2006 at 03:06:36PM +0800, Joel Cruz wrote:
> Hi! I installed FC2 with sendmail, MailScanner and spamassassin I did
> not encounter error in my installation but when I type the command
> #spamassassin --lint it shows 
[...]
> Please help me I'm not good in linux. where can I fix my prob?

The first question is what version of SpamAssassin are you using?
(spamassassin -v)

-- 
Randomly Generated Tagline:
"It's not you Bernie.  I guess I'm just not used to being chased around
 a mall at night by killer robots." - Linda from the movie "Chopping Mall"




RE: Spam Virus MX forwarding firewall

2006-06-07 Thread Randal, Phil
Have a look at MailScanner (http://www.mailscanner.info) along with
MailWatch (http://mailwatch.sf.net), mailscanner-mrtg
(http://mailscannermrtg.sf.net/), and Vispan
(http://www.while.org.uk/mailstats/).

Add ClamAV and Bitdefender for Linux to the mix and you're zapping most
viruses before they get anywhere near your real mail server.

We're happily processing 20,000 emails a day on our MailScanner box.

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -Original Message-
> From: Paul Tenfjord [mailto:[EMAIL PROTECTED] 
> Sent: 07 June 2006 15:59
> To: users@spamassassin.apache.org
> Subject: Spam Virus MX forwarding firewall
> 
> Hello mailing list.
> My first post, nice to meet you all.
> 
> I'm setting up a Spam&Virus mail firewall (forwarding only).
> This is an MX-only server; it has no pop3/imap, its only purpose is to
> clean mail and route it to the next server, which then delivers it to
> imap accounts.
> For this purpose I am considering Postfix, as I am familiar with it.
> I am hoping to get some information/suggestions on how to do this in a
> way that is fast, secure, easy to add domains/users to, and stable.
> I need the option to have user-specific settings: some domains want to
> route all spam to [EMAIL PROTECTED], specific domains want to delete
> (if SA tags the mail as over a certain limit), and some want to tag SPAM
> in the subject header.
> I am very interested in storing the domains in SQL or LDAP rather than
> text files. Does somebody know the performance loss/gain of SQL versus
> text files when dealing with thousands of domains with users?
> Also, I am interested in statistics on how many mails pass and how many
> get tagged, if this is available somewhere.
> 
> A lot of questions for a first post; I am hoping for a positive answer.
> 
> 
> 
> Kind Regards 
> Paul Tenfjord
> 


RE: Whitelist_from clarification

2006-06-07 Thread Randal, Phil
myspace.com publishes an SPF record:

  "v=spf1 mx ip4:63.208.226.34 ip4:204.16.32.0/22 ip4:67.134.143.0/24
~all"

If you've done

  loadplugin Mail::SpamAssassin::Plugin::SPF

and made sure that your MTA sets an appropriate Envelope-From: header
(MailScanner users should have "envelope_sender_header
X-MailScanner-From" in their spam.assassin.prefs.conf) and have verified
that SPF checks are working, then

  whitelist_from_spf [EMAIL PROTECTED]

should work too.

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -Original Message-
> From: Bret Miller [mailto:[EMAIL PROTECTED] 
> Sent: 07 June 2006 15:23
> To: James Lay; Spamassassin
> Subject: RE: Whitelist_from clarification
> 
> > Soomail from myspace has been getting tagged as spam...been trying
> > to halt that on a domain basis.  Here's what I've tried (and seen
> > online):
> > 
> > .*myspace.com
> > @myspace.com
> > *myspace.com
> > [EMAIL PROTECTED]
> > 
> > Can someone tell me which is the correct format?  Thanks!
> 
> whitelist_from [EMAIL PROTECTED]
> 
> If your server correctly inserts a received header before calling SA,
> you might be able to use something like:
> 
> Whitelist_from_rcvd [EMAIL PROTECTED] servername
> 
> Bret
> 
> 
> 
> 


Spam Virus MX forwarding firewall

2006-06-07 Thread Paul Tenfjord
Hello mailing list.
My first post, nice to meet you all.

I'm setting up a Spam&Virus mail firewall (forwarding only).
This is an MX-only server; it has no pop3/imap, its only purpose is to
clean mail and route it to the next server, which then delivers it to
imap accounts.
For this purpose I am considering Postfix, as I am familiar with it.
I am hoping to get some information/suggestions on how to do this in a
way that is fast, secure, easy to add domains/users to, and stable.
I need the option to have user-specific settings: some domains want to
route all spam to [EMAIL PROTECTED], specific domains want to delete
(if SA tags the mail as over a certain limit), and some want to tag SPAM
in the subject header.
I am very interested in storing the domains in SQL or LDAP rather than
text files. Does somebody know the performance loss/gain of SQL versus
text files when dealing with thousands of domains with users?
Also, I am interested in statistics on how many mails pass and how many
get tagged, if this is available somewhere.

A lot of questions for a first post; I am hoping for a positive answer.



Kind Regards 
Paul Tenfjord


Re: Whitelist_from clarification

2006-06-07 Thread Benny Pedersen
> Soomail from myspace has been getting tagged as spam...been trying
> to halt that on a domain basis.  Here's what I've tried (and seen online):
> .*myspace.com
> @myspace.com
> *myspace.com
> [EMAIL PROTECTED]
> Can someone tell me which is the correct format?

last one





Re: Whitelist_from clarification

2006-06-07 Thread Ramprasad
On Wed, 2006-06-07 at 07:03 -0600, James Lay wrote:
> Hey all!
> 
> Soomail from myspace has been getting tagged as spam...been trying
> to halt that on a domain basis.  Here's what I've tried (and seen
> online):
> 
> .*myspace.com
> @myspace.com
> *myspace.com
> [EMAIL PROTECTED]
> 
> Can someone tell me which is the correct format?  Thanks!
> 
> James

Oops
Now spammers know how to spam you, just forge the from address. 

:-)





RE: Whitelist_from clarification

2006-06-07 Thread Bret Miller
> Soomail from myspace has been getting tagged as spam...been trying
> to halt that on a domain basis.  Here's what I've tried (and seen
> online):
>
> .*myspace.com
> @myspace.com
> *myspace.com
> [EMAIL PROTECTED]
>
> Can someone tell me which is the correct format?  Thanks!

whitelist_from [EMAIL PROTECTED]

If your server correctly inserts a received header before calling SA,
you might be able to use something like:

Whitelist_from_rcvd [EMAIL PROTECTED] servername

Bret






RE: Virtual Users

2006-06-07 Thread Bowie Bailey
David O'Brien wrote:
> Hello,
> 
> I am running SpamAssassin version 3.0.4-2.fc4, exim 4.62-1.fc4 &
> dovecot 0.99.14-4.fc4 
> 
> I have virtual users, with mail being stored in the directory format
> /data/mail/domain.com/user/ 
> So, the mail for [EMAIL PROTECTED] would be stored in
> /data/mail/obrien.com/david/ 
> 
> I have tried setting the --virtual-config-dir option to
> --virtual-config-dir=/data/mail/%d/%l so the user_prefs file would be
> created in the correct location, however %d and %l do not seem to be
> expanding to the domain and local part of the username.  I am getting
> the following in my log file:
> 
> "Using default config for nobody: /data/mail///user_prefs"
> 
> I have seen this mentioned before, but have not seen a solution. 
> Does anyone have any idea what the problem is, and what the solution
> is?  

Are you providing the email address via spamc?

spamc -u [EMAIL PROTECTED]

-- 
Bowie


Whitelist_from clarification

2006-06-07 Thread James Lay
Hey all!

Soomail from myspace has been getting tagged as spam...been trying
to halt that on a domain basis.  Here's what I've tried (and seen
online):

.*myspace.com
@myspace.com
*myspace.com
[EMAIL PROTECTED]

Can someone tell me which is the correct format?  Thanks!

James


RE: Need to edit this rule

2006-06-07 Thread Randal, Phil
Best done at the MailScanner level...

in /etc/MailScanner/MailScanner.conf

  Use SpamAssassin = %rules-dir%/spamassassin.rules

and in spamassassin.rules

From:   127.0.0.1   no
From:   yourserverIP and From: firstbhph.com  no 
FromOrTo:   default yes

You don't want to whitelist spoofed email from your domain not arriving
from one of your servers.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -Original Message-
> From: Dimitri Yioulos [mailto:[EMAIL PROTECTED] 
> Sent: 07 June 2006 13:16
> To: users@spamassassin.apache.org
> Subject: Re: Need to edit this rule
> 
> Folks,
> 
> I'm not as smart as I'd like to think I am.  (For info's sake, my 
> setup includes sendmail, MailScanner, clamav, spamassassin, 
> MailWatch, and Synonym.) My reason for scanning mail from my own 
> domain was really to catch any virii or other mal.  Of course, I run 
> an av proggie at every desktop, and clam is running on key (read 
> file) servers.  But, our customers expect 100% clean mail from us, so 
> the extra precaution is worth it.  However, as several of you have 
> kindly pointed out in so many words, I don't need to run spam 
> scanning on my domain's mail.  So, I guess I can go ahead and 
> whitelist my domain.
> 
> "And my head I'd be scratchin'
> while my thoughts were busy hatchin'
> if I only had a brain."
> 
> Thanks.
> 
> Dimitri
> 
> On Wednesday June 07 2006 5:45 am, jdow wrote:
> > Will, the real question for Dimitri is "why is he checking the
> > emails within his own domain?" One (perhaps rashly) presumes
> > Dimitri realizes that he can do nothing about how *I* might score
> > his domain name. I am afraid he's stuck. At least the score is low.
> >
> > {o.o}
> >
> > From: "Will Nordmeyer" <[EMAIL PROTECTED]>
> >
> > > Just put
> > > score FROM_DOMAIN_NOVOWEL 
> > >
> > > in your local.cf
> > >
> > > (IE:
> > > score FROM_DOMAIN_NOVOWEL 0.3
> > >
> > > You don't want to adjust it in the master file - your adjustment
> > > would be overwritten everytime you upgraded.
> > >
> > >> Hi, all.
> > >>
> > >> It seems that, just lately, the following rule is being hit:
> > >>
> > >> FROM_DOMAIN_NOVOWEL domain has series of non-vowel letters
> > >>
> > >> As our domain name contains a series of non-vowel letters, I'd
> > >> like to reduce the score associated with this rule.  Problem is,
> > >> I can't seem to locate it.  Can anyone point me to it?
> > >>
> > >> Thanks.
> > >>
> > >> Dimitri
> > >>
> > >>
> > >> --
> > >> This message has been scanned for viruses and
> > >> dangerous content by MailScanner, and is
> > >> believed to be clean.
> 
> -- 
> Dimitri Yioulos, CIO
> First 1 Financial Corporation
> 
> 600 Cordwainer Dr.
> Norwell, MA 02061
> 781-871-4220 x1007
> [EMAIL PROTECTED]
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 
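
Phil's last point here and the "Whitelist_from clarification" thread come down to one check. A From: address is whatever the sender typed, so a whitelist keyed on it alone (whitelist_from) is trivially forgeable, exactly as Ramprasad joked; whitelist_from_rcvd and whitelist_from_spf additionally require that the connecting IP recorded by your own MX belong to the claimed sender, and the same logic is what keeps mail "from" your own domain out of the whitelist when it arrives from a stranger's dialup. The Python below is an added illustration for both threads; it is not code from the list, from SpamAssassin or from MailScanner. It takes the myspace.com SPF record quoted in the Whitelist_from thread, evaluates only its ip4 mechanisms (the mx mechanism would need a live DNS lookup, so it is assumed not to match), and models the three approaches over constructed messages. The host mx.example.org, the domain example.org and the network 192.0.2.0/24 are assumptions standing in for a local site.

```python
import ipaddress
import re
from email import message_from_string

# SPF record for myspace.com as quoted in the thread.  Only the ip4
# mechanisms are evaluated: "mx" needs a live DNS lookup, so this
# offline example assumes it does not match.
SPF_RECORDS = {
    "myspace.com": ("v=spf1 mx ip4:63.208.226.34 ip4:204.16.32.0/22 "
                    "ip4:67.134.143.0/24 ~all"),
}

# Assumed local site (not from the thread): the MX that writes the
# trusted Received: header, our own domain, and our outbound network.
TRUSTED_HOSTS = {"mx.example.org"}
OUR_DOMAIN = "example.org"
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

IP_IN_BRACKETS = r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"


def spf_networks(record):
    """Collect the ip4 networks an SPF record authorises."""
    return [ipaddress.ip_network(m[4:], strict=False)
            for m in record.split() if m.startswith("ip4:")]


def sender_domain(msg):
    """Domain in the From: header; anyone can put anything here."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower().rstrip(".") if m else None


def connecting_ip(msg, trusted_hosts):
    """IP of the host that handed the message to one of OUR relays.

    Received: headers are prepended, so the first one written "by" a
    trusted host names the last untrusted hop.  Every Received: line
    below it was supplied by the sender and may be fabricated."""
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"from\s.*?" + IP_IN_BRACKETS + r".*?\bby\s+(\S+)",
                      rcvd, re.S)
        if m and m.group(2) in trusted_hosts:
            return ipaddress.ip_address(m.group(1))
    return None


def in_any(ip, networks):
    return ip is not None and any(ip in net for net in networks)


def whitelist_hits(raw, spf_records=SPF_RECORDS, trusted_hosts=TRUSTED_HOSTS):
    """Model three whitelisting approaches for one raw message.

    whitelist_from      From: domain only (the forgeable check)
    whitelist_from_spf  From: domain AND connecting IP authorised by SPF
    own_domain          From: is our domain AND IP is one of our own
    Returns the set of approaches that would whitelist the message."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    ip = connecting_ip(msg, trusted_hosts)
    hits = set()
    if domain in spf_records:
        hits.add("whitelist_from")
        if in_any(ip, spf_networks(spf_records[domain])):
            hits.add("whitelist_from_spf")
    if domain == OUR_DOMAIN and in_any(ip, OUR_NETWORKS):
        hits.add("own_domain")
    return hits


# Constructed messages (not from the thread).  FORGED carries a
# plausible Received: line the sender wrote itself; the line above it,
# written by our MX, shows the real source.
GENUINE = """\
Received: from mail1.myspace.com (mail1.myspace.com [204.16.33.5])
\tby mx.example.org (8.13.1/8.13.1) with ESMTP id k57A0001
From: MySpace <noreply@myspace.com>
Subject: New message

hello
"""

FORGED = """\
Received: from myspace.com (dsl-60-234-111-150.example.net [60.234.111.150])
\tby mx.example.org (8.13.1/8.13.1) with ESMTP id k57A0002
Received: from mail1.myspace.com (mail1.myspace.com [204.16.33.5])
\tby myspace.com with ESMTP id fake
From: MySpace <noreply@myspace.com>
Subject: New message

buy now
"""

SPOOFED_OWN = """\
Received: from example.org (dsl-60-234-111-150.example.net [60.234.111.150])
\tby mx.example.org (8.13.1/8.13.1) with ESMTP id k57A0003
From: Boss <boss@example.org>
Subject: urgent

wire the money
"""
```

Calling whitelist_hits() on the three samples gives {"whitelist_from", "whitelist_from_spf"} for GENUINE, only {"whitelist_from"} for FORGED (the sender's own Received: line naming 204.16.33.5 sits below the line our MX wrote, so it is ignored), and nothing for SPOOFED_OWN. SpamAssassin's real implementation differs in detail (it uses trusted_networks to find the last untrusted relay, and whitelist_from_rcvd matches on the relay's reverse-DNS name rather than an IP list), but the trust boundary it draws is the same one.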


Re: Need to edit this rule

2006-06-07 Thread Dimitri Yioulos
Folks,

I'm not as smart as I'd like to think I am.  (For info's sake, my 
setup includes sendmail, MailScanner, clamav, spamassassin, 
MailWatch, and Synonym.) My reason for scanning mail from my own 
domain was really to catch any virii or other mal.  Of course, I run 
an av proggie at every desktop, and clam is running on key (read 
file) servers.  But, our customers expect 100% clean mail from us, so 
the extra precaution is worth it.  However, as several of you have 
kindly pointed out in so many words, I don't need to run spam 
scanning on my domain's mail.  So, I guess I can go ahead and 
whitelist my domain.

"And my head I'd be scratchin'
while my thoughts were busy hatchin'
if I only had a brain."

Thanks.

Dimitri

On Wednesday June 07 2006 5:45 am, jdow wrote:
> Will, the real question for Dimitri is "why is he checking the
> emails within his own domain?" One (perhaps rashly) presumes
> Dimitri realizes that he can do nothing about how *I* might score
> his domain name. I am afraid he's stuck. At least the score is low.
>
> {o.o}
>
> From: "Will Nordmeyer" <[EMAIL PROTECTED]>
>
> > Just put
> > score FROM_DOMAIN_NOVOWEL 
> >
> > in your local.cf
> >
> > (IE:
> > score FROM_DOMAIN_NOVOWEL 0.3
> >
> > You don't want to adjust it in the master file - your adjustment
> > would be overwritten everytime you upgraded.
> >
> >> Hi, all.
> >>
> >> It seems that, just lately, the following rule is being hit:
> >>
> >> FROM_DOMAIN_NOVOWEL domain has series of non-vowel letters
> >>
> >> As our domain name contains a series of non-vowel letters, I'd
> >> like to reduce the score associated with this rule.  Problem is,
> >> I can't seem to locate it.  Can anyone point me to it?
> >>
> >> Thanks.
> >>
> >> Dimitri
> >>
> >>
> >> --
> >> This message has been scanned for viruses and
> >> dangerous content by MailScanner, and is
> >> believed to be clean.

-- 
Dimitri Yioulos, CIO
First 1 Financial Corporation

600 Cordwainer Dr.
Norwell, MA 02061
781-871-4220 x1007
[EMAIL PROTECTED]

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: Best use of caching DNS servers

2006-06-07 Thread Ramprasad

> As you suggest, you will get higher cache hit rates with a
> centralized server, at the cost of some LAN traffic.  But a
> few million DNS queries per day over a LAN is probably
> insignificant.
> 
> Given that the BL zone files are pretty large, I'd recommend a
> centralized server running rbldnsd.  That way you're not using up
> a lot of memory for BLs across many boxes.  rbldnsd is so efficient
> that you could probably just pick some existing server that has
> enough memory and choose it to be your rbldnsd server.  You don't
> need a new box; any old server with enough memory will work.

Will rbldnsd be efficient when I am using DNS forwarding for some zones?
For example, we have a local nameserver serving zones like
sbl-xbl.spamhaus.org. (This local nameserver is actually an rbldnsd server
running on port 530.)

Thanks
Ram




Re: Need to edit this rule

2006-06-07 Thread jdow

Will, the real question for Dimitri is "why is he checking the emails
within his own domain?" One (perhaps rashly) presumes Dimitri realizes
that he can do nothing about how *I* might score his domain name. I am
afraid he's stuck. At least the score is low.

{o.o}

From: "Will Nordmeyer" <[EMAIL PROTECTED]>
Just put 
score FROM_DOMAIN_NOVOWEL 


in your local.cf

(IE:
score FROM_DOMAIN_NOVOWEL 0.3

You don't want to adjust it in the master file - your adjustment would 
be overwritten everytime you upgraded.  


Hi, all.

It seems that, just lately, the following rule is being hit:

FROM_DOMAIN_NOVOWEL domain has series of non-vowel letters

As our domain name contains a series of non-vowel letters, I'd like to
reduce the score associated with this rule.  Problem is, I can't seem
to locate it.  Can anyone point me to it?


Thanks.

Dimitri


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.






Re: All digits

2006-06-07 Thread jdow

From: "" <[EMAIL PROTECTED]>


I have to wonder if a spammer is testing their Zombies since all I have
received are from Dialup/broadband customers.  Could this be the rain
before the flood of spam/virus?




Word is that it may be a test run of a new version of Bagle.
{^_^} 



Re: Best use of caching DNS servers

2006-06-07 Thread Jeff Chan
On Wednesday, June 7, 2006, 1:50:49 AM, Ramprasad Ramprasad wrote:
> We have an array of 8 load balanced linux boxes running Spamassassin
> with peak traffic up to 20k mails per hour per server.

> How do I make optimum use of DNS caching? Currently I am using BIND as
> a caching DNS server on each machine. Would it be better if I had a
> central DNS server? That way the DNS cache hit rate will increase
> dramatically, but it could also bog the DNS server down with too many
> requests.
> Also, which is the best caching nameserver I can use on Linux?

Hi Ram,
Presumably you're asking about DNS caching of RBL and SURBL DNS
queries, at perhaps a few million queries per day.

A couple different ways to organize this would be to centralize
the queries onto a server or two, or to decentralize them onto
each local server as now.

In terms of query performance, BIND would have no problem either
way, but getting the zone files locally and running rbldnsd
instead of BIND would be vastly more efficient.  rbldnsd runs
much smaller in memory, and uses much less cpu than BIND, so it's
preferred in this application.  (It's what rbldnsd was designed
for, whereas BIND is more of a general purpose nameserver.  BIND
has lots of features, arguably way too many in this application.)

As you suggest, you will get higher cache hit rates with a
centralized server, at the cost of some LAN traffic.  But a
few million DNS queries per day over a LAN is probably
insignificant.

Given that the BL zone files are pretty large, I'd recommend a
centralized server running rbldnsd.  That way you're not using up
a lot of memory for BLs across many boxes.  rbldnsd is so efficient
that you could probably just pick some existing server that has
enough memory and choose it to be your rbldnsd server.  You don't
need a new box; any old server with enough memory will work.

(What is enough memory depends on which BLs and other
applications you run locally.  The BLs probably take up no more
than a few hundred MB.)

More howtos and faqs about setting up rbldnsd, etc., are at:

  http://www3.surbl.org/rsync-signup.html

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: Newbie question

2006-06-07 Thread Justin Mason

Radoslaw Zielinski writes:
> Gary Forrest - Netnorth <[EMAIL PROTECTED]> [06-06-2006 15:52]:
> [...]
> > This sort of works, in that the email receives a negative score.
> > The problem is SA still spends time checking the email ( taking 3-12 seconds
> > to scan )
> 
> Well, there was that short-circuit idea (with implementation), but it
> got kicked off to a branch; IIRC -- without a single technical argument.
> You might want to apply the patch yourself.
> 
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=3109

Well, there are concerns that it breaks other speed-up approaches
in the same part of the code.

Personally, I think it's great, though, and should be applied.  More
testimonials noting improved results would be helpful though ;)

--j.


RE: All digits

2006-06-07 Thread Randal, Phil



f-secure: http://www.f-secure.com/weblog/#0894
 
Internet Storm Centre: http://isc.sans.org/diary.php?storyid=1384
 
Cheers,
 
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
 

  
  
> -Original Message-
> From: Giff Hammar [mailto:[EMAIL PROTECTED]
> Sent: 06 June 2006 19:22
> To: users@spamassassin.apache.org
> Subject: All digits
> 
> I'm seeing a few e-mails with a subject that contains only digits or is
> blank and a body that contains a random number of digits, usually three
> to six. There is nothing else in the body. Is anyone else seeing this?
> New software a botmaster is trying?
> 
> Giff
> 
> Giff Hammar
> IT Director
> Certified Parts Warehouse
> http://www.certifiedparts.com
> mailto: [EMAIL PROTECTED]
> V: 603.516.1707
> F: 603.516.1702
> M: 603.490.7163
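
Giff's description, a Subject: that is blank or all digits and a body that is nothing but a short run of digits, is specific enough to test for. The Python below is an added example, not code from the list or from SpamAssassin: it parses raw messages, flags the ones that fit that shape, and records whether the connecting host's reverse-DNS name looks like dialup/broadband space, since Giff notes all of his came from such customers. The sample messages, the host names and the keyword list used to spot dynamic-looking names are constructed for the example.

```python
import re
from email import message_from_string

SUBJECT_DIGITS = re.compile(r"^\s*\d+\s*$")
# Assumed keywords that often appear in dynamic-pool reverse DNS names;
# a heuristic for triage, not an authoritative list.
DYNAMIC_HOST = re.compile(r"(dsl|dial|ppp|cable|dhcp|dyn|pool)", re.I)


def body_text(msg):
    """Decoded text of the first text/plain part (or the whole body)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload(decode=True).decode("latin-1", "replace")
        return ""
    return msg.get_payload(decode=True).decode("latin-1", "replace")


def is_digit_probe(raw, min_digits=3, max_digits=6):
    """True when the Subject is empty or digits-only AND the body is
    nothing but a run of min_digits..max_digits digits."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    if subject and not SUBJECT_DIGITS.match(subject):
        return False
    body = body_text(msg).strip()
    return re.fullmatch(r"\d{%d,%d}" % (min_digits, max_digits), body) is not None


def first_hop(raw):
    """Reverse-DNS name our MX recorded for the connecting host, if any."""
    msg = message_from_string(raw)
    rcvd = msg.get_all("Received", [])
    if not rcvd:
        return None
    m = re.search(r"from\s+\S+\s+\((\S+)\s+\[", rcvd[0])
    return m.group(1) if m else None


def triage(messages):
    """Return [(msg_id, is_probe, from_dynamic_host)] for a batch, so the
    operator can see whether the probes cluster on dialup/broadband space."""
    out = []
    for msg_id, raw in messages:
        host = first_hop(raw) or ""
        out.append((msg_id, is_digit_probe(raw), bool(DYNAMIC_HOST.search(host))))
    return out


def _mk(subject, body, helo_host):
    """Build a constructed raw message with one Received: line."""
    return ("Received: from %s (%s [203.0.113.7])\n"
            "\tby mx.example.org with ESMTP id x\n"
            "Subject: %s\nFrom: a@example.net\n\n%s\n") % (
                helo_host, helo_host, subject, body)


# Constructed samples, not real mail from the thread.
SAMPLES = [
    ("probe-1", _mk("48213", "7731", "dsl-203-0-113-7.example.net")),
    ("probe-2", _mk("", "552", "cable-203-0-113-7.example.net")),
    ("normal-1", _mk("Meeting", "7731", "mail.example.com")),
    ("normal-2", _mk("12345", "call me at 12345", "dsl-203-0-113-7.example.net")),
    ("normal-3", _mk("", "12345678", "ppp-203-0-113-7.example.net")),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

The digit bounds are parameters because a test tuned to three to six digits goes quiet the day the probe switches to eight, and the triage output is meant to be read before any of this becomes a scoring rule. If you do turn it into SpamAssassin rules, keep the Subject test and the body test as separate subrules combined by a meta rule, so each can be scored and mass-checked on its own.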
   


Best use of caching DNS servers

2006-06-07 Thread Ramprasad
We have an array of 8 load balanced linux boxes running Spamassassin
with peak traffic up to 20k mails per hour per server.

How do I make optimum use of DNS caching? Currently I am using BIND as
a caching DNS server on each machine. Would it be better if I had a
central DNS server? That way the DNS cache hit rate will increase
dramatically, but it could also bog the DNS server down with too many
requests.
Also, which is the best caching nameserver I can use on Linux?


Thanks
Ram



error in spamassassin

2006-06-07 Thread Joel Cruz
Hi! I installed FC2 with sendmail, MailScanner and spamassassin. I did
not encounter any errors in my installation, but when I type the command
#spamassassin --lint it shows:
Failed to parse line in SpamAssassin configuration, skipping:
lock_method flock
Failed to parse line in SpamAssassin configuration, skipping:
use_auto_whitelist 0
Failed to parse line in SpamAssassin configuration, skipping:
envelope_sender_header X-MailScanner-From

Please help me, I'm not good in Linux. Where can I fix my prob?



thanks!!!