Re: New Spam Assassin user
Mike L wrote:

I am a new user. I am running on Windows 2003. I have several domains on my servers. I only want one domain on my server to use spam assassin. Where and what do I need to do to only filter for 1 domain on my server. Is this possible? I would also like to setup wrongmx on this as well. Thanks in advance. Mike

You would do this with the tool that calls SA. There are some rules that send the spam to the users, but if you want to bypass SA altogether, you'd do this with the tool that is actually calling SpamAssassin (be it spamc/spamd or spamassassin directly.)

As far as wrongmx, that was pretty much answered in one of your other threads. Quoting Daryl:

Yeah, put the plugin files in your local config directory... that's the same directory that has your local.cf file. If you want to only enable the WRONG_MX rule for a particular domain, you'll have to configure per user or domain scoring.

I haven't seen any specs on your system, can you post the MTA and how you are calling SpamAssassin? This will help us help you.

--
Thanks,
JamesDR
Re: FP's on BAD_ENC_HEADER in bounces from Microsoft SMTPSVC
On Thursday 15 June 2006 03:43, Alan Premselaar wrote:

Aside from the QP scatter, this subject doesn't look like it's properly encoded. if memory serves, if the encoded subject needs to be broken across multiple lines, each line needs to have its own encoding start/end tags. so it should look something like:

Subject: =?unicode-1-1-utf-7?Q?encoded_part?=
 =?unicode-1-1-utf-7?Q?more_encoded_part?=

(someone correct me if i'm wrong)

In RFC 2047 section 2, it's clear you're right and M$ are wrong:

... unencoded white space characters (such as SPACE and HTAB) are FORBIDDEN within an 'encoded-word'. For example, the character sequence

=?iso-8859-1?q?this is some text?=

would be parsed as four 'atom's, rather than as a single 'atom' ...

RFC 822 (which 2047 was based on) says that a CRLF followed by space or tab is syntactically equivalent to just a space or tab. RFC 2822 has similar language. Hence encoded-words cannot be split across lines.

Of course it's hard to tell because of the QuotedPrintable encoding artifacts, but it looks like your MS mail server is in some way misconfigured.

Yes sorry about the extra QP coding on the attachments, I normally use mutt so didn't realise kmail was going to mangle them. I can resend them if you want, but they match what I sent except for the topmost Received line.

We don't have an M$ mail server (and I for one don't want one). We're a Unix shop, as qmail and qpsmtpd in our own headers shows :)

I'm quite prepared to believe this is a MS bug, it certainly looks like it. But it seems to be a long term one - seen in emails from SMTPSVC versions 5.0.2195.6713 and 6.0.3790.1830. Remote MS servers, configured for foreign languages, sending genuine non-spam bounces to non-spam mails cause SA to FP on this rule.

Nick
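
Added example (not part of the thread and not SpamAssassin's own code): the RFC 2047 point discussed above as a small Python check. It unfolds a header value and reports any encoded-word that contains unencoded white space, which is what a word split across folded lines turns into; the function names and the sample header values are constructed for illustration.

```python
import re

# Candidate encoded-word: "=?charset?encoding?text?=". The text part is matched
# loosely so that malformed words (white space inside) are still found.
CANDIDATE = re.compile(r"=\?([^?\s]+)\?([QqBb])\?(.*?)\?=", re.DOTALL)


def unfold(raw_value):
    """Undo header folding: drop the line break of a CRLF + space/tab pair."""
    return re.sub(r"\r?\n(?=[ \t])", "", raw_value)


def audit_encoded_words(raw_value):
    """Return (encoded_word, atom_count) for each candidate in a header value.

    atom_count is 1 for a well-formed encoded-word; a higher number means
    unencoded white space sits inside it, which RFC 2047 section 2 forbids.
    """
    results = []
    for match in CANDIDATE.finditer(unfold(raw_value)):
        word = match.group(0)
        results.append((word, len(word.split())))
    return results


def malformed(raw_value):
    """Only the encoded-words that a parser would see as several atoms."""
    return [w for w, atoms in audit_encoded_words(raw_value) if atoms > 1]


# Constructed sample header values (not taken from the bounces in the thread).
PER_LINE = ("=?unicode-1-1-utf-7?Q?encoded_part?=\r\n"
            " =?unicode-1-1-utf-7?Q?more_encoded_part?=")
SPLIT_WORD = ("=?unicode-1-1-utf-7?Q?encoded_part\r\n"
              " more_encoded_part?=")
RFC_EXAMPLE = "=?iso-8859-1?q?this is some text?="

if __name__ == "__main__":
    for name, value in [("per-line", PER_LINE), ("split", SPLIT_WORD),
                        ("rfc-example", RFC_EXAMPLE)]:
        print(name, audit_encoded_words(value))
```
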
Was One large image now is several small images
It seems the spammers have gotten smart to the fact that we were filtering for one large image and no text... now what I am seeing is that the spammers are sending many small images inline with the e-mails! But, I have yet to see a way to filter against this. Any thoughts?
Re: Was One large image now is several small images
On Thu, 15 Jun 2006, Matt wrote:

It seems the spammers have gotten smart to the fact that we were filtering for one large image and no text... now what I am seeing is that the spammers are sending many small images inline with the e-mails! But, I have yet to see a way to filter against this. Any thoughts?

This is yet another argument for match counts in SA rules. It would be useful to score (say) .10 per image attachment after the first two or three...

--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Look at the people at the top of both efforts. Linus Torvalds is a university graduate with a CS degree. Bill Gates is a university dropout who bragged about dumpster-diving and using other peoples' garbage code as the basis for his code. Maybe that has something to do with the difference in quality/security between Linux and Windows.
-- anytwofiveelevenis on Y! SCOX
---
3 days until SWMBO's Birthday
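
Added example (not from the thread, and not SpamAssassin rule syntax): the per-image scoring idea from the reply above, sketched in Python with the standard email package. The 0.10 increment is the figure suggested in the post; the free allowance of three images, the function names and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

FREE_IMAGES = 3          # assumption: "the first two or three" score nothing
SCORE_PER_IMAGE = 0.10   # per-image increment suggested in the post


def count_image_parts(raw_message):
    """Count MIME parts whose Content-Type is image/*, at any nesting depth."""
    msg = message_from_string(raw_message)
    return sum(1 for part in msg.walk()
               if part.get_content_maintype() == "image")


def image_count_score(raw_message, free=FREE_IMAGES, per_image=SCORE_PER_IMAGE):
    """Score every image part beyond the free allowance."""
    extra = max(0, count_image_parts(raw_message) - free)
    return round(extra * per_image, 2)


def build_sample(n_images):
    """Constructed test message: an empty HTML body plus n inline GIF parts."""
    msg = MIMEMultipart("related")
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("<html><body></body></html>", "html"))
    for i in range(n_images):
        # Placeholder bytes, not a real image; only the MIME type matters here.
        img = MIMEImage(b"GIF89a" + bytes(16), _subtype="gif")
        img.add_header("Content-ID", f"<img{i}@example.invalid>")
        img.add_header("Content-Disposition", "inline")
        msg.attach(img)
    return msg.as_string()


if __name__ == "__main__":
    for n in (1, 3, 8):
        print(n, "images ->", image_count_score(build_sample(n)))
```
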
Re: The Future of Email is SQL
On Wed, 2006-06-14 at 11:50 -0700, Steve Thomas wrote:

So - like I said - this is visionary stuff. Think SQL - think outside the box.

It's not all that visionary. Microsoft's been working on WinFS - a SQL based system for storing files - for years. It's supposed to have been released as a part of longhorn (vista), but they're pushing it back.

Oracle has OCS, which consists of a mail/calendar/ldap/fileserver/webserver/ ... blah blah all with SQL storage. And the database is .. no points for guessing that. But OCS is a terrible resource HOG (understatement). I don't think there are many users for OCS.

IMHO SQL storage is definitely going to be there. The common indexing mechanism is what makes such storage interesting. I agree it is slow now, but hardware and software will get better, then resource will not be an issue.

Ram
content is being stripped
I am currently using SA 3.1.3 with the following:

Net-qmail (LWQ)
Simscan 1.2
Ripmime
Clamav

The problem currently is that all messages are being delivered stripped of their Subjects and Content. I am completely stumped by this and all my google searches have come up empty. Any help would be greatly appreciated.

Below is my local.cf file:

required_hits 8
report_safe 0
rewrite_header Subject [SPAM]

Thanks
Block: Google servers still on RBLs?
I know this has been discussed before, but is there a reason google is still on RBLs?

Nz-out-0102.google.com 64.233.162.203 listed on bl.spamcop.net 127.0.0.2

Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com
What is normal period for SA retraining ?
I'm wanting to know how many times per year do SA admins have to retrain?

Our setup sends mail to SA client for a score, then depending on score stores a backup of the mail in spam/ham mail folders for later review in case a mistake is made. We train SA and it detects flawlessly at this beginning time; the good mail numbers about 2000 per day and the spam rates at about 1 per day. In three months of time, SA is letting most of the spam through, the rates I've listed above being reversed. We keep a month of mail around for retraining, which is a lot of work to go through.

I was just wondering how often others have to do the same thing. Thanks!

SA Version 2.64
skip_rbl_checks 0
bayes_auto_learn_threshold_spam 7
use_bayes 1

Jason Harris
Re: What is normal period for SA retraining ?
On Thu, Jun 15, 2006 at 01:17:51PM -0700, Harris, Jason (DIS) wrote:

I'm wanting to know how many times per year do SA admins have to retrain?

Our setup sends mail to SA client for a score, then depending on score stores a backup of the mail in spam/ham mail folders for later review in case a mistake is made. We train SA and it detects flawlessly at this beginning time; the good mail numbers about 2000 per day and the spam rates at about 1 per day. In three months of time, SA is letting most of the spam through, the rates I've listed above being reversed. We keep a month of mail around for retraining, which is a lot of work to go through.

I was just wondering how often others have to do the same thing. Thanks!

SA Version 2.64
skip_rbl_checks 0
bayes_auto_learn_threshold_spam 7
use_bayes 1

Jason Harris

I've never had to. All my clients use per-user Bayes, and those that care feed sa-learn anything that's mis-categorized. I have a very low false rate. Currently using v3.1.1.

Cheers,
--
Bob McClure, Jr.
Bobcat Open Systems, Inc.
[EMAIL PROTECTED]
http://www.bobcatos.com
Jesus wasn't (and isn't) politically correct. Send complaints to [EMAIL PROTECTED]
Re: What is normal period for SA retraining ?
On Thu, 15 Jun 2006 13:17:51 -0700, Harris, Jason (DIS) [EMAIL PROTECTED] wrote:

I'm wanting to know how many times per year do SA admins have to retrain?

Our setup sends mail to SA client for a score, then depending on score stores a backup of the mail in spam/ham mail folders for later review in case a mistake is made. We train SA and it detects flawlessly at this beginning time; the good mail numbers about 2000 per day and the spam rates at about 1 per day. In three months of time, SA is letting most of the spam through, the rates I've listed above being reversed. We keep a month of mail around for retraining, which is a lot of work to go through.

I was just wondering how often others have to do the same thing. Thanks!

SA Version 2.64
skip_rbl_checks 0
bayes_auto_learn_threshold_spam 7
use_bayes 1

Jason Harris

My Bayes DB is over 2 years old, I've done no mass retraining apart from a few initial attempts. Since then I don't use auto_learn. When I did I had the score set at 30 or above. With a score as low as 7 you are likely to get all sorts of bayes poisoning spams trained in which may explain why you are needing to retrain so often.

3.13 is the current version, I'm currently running 3.11 3.12 with various SARE rulesets and I get very few FP's. Those that are found on manual checks are retrained as ham, any spam getting through to the user is retrained as spam. That combination has worked here and with at least 2 other colleagues for about the same length of time (2 years +)

HTH
Nigel
Re: What is normal period for SA retraining ?
Harris, Jason (DIS) wrote:

I'm wanting to know how many times per year do SA admins have to retrain?

In a well-maintained install, you should NEVER have to retrain unless you have a catastrophic failure that crashes your live system *and* your backups. Regular manual training of missed spam and mistagged ham is also critical to keep Bayes healthy.

SA Version 2.64

Have you patched it with the SURBL addon? http://sourceforge.net/projects/spamcopuri/

I've been using this on three servers, and it's been a MAJOR help in keeping SA2.64 effective. 3.x versions are just too resource-intensive for these systems. Regular feedback in the form of manual training of missed spam and the occasional (~1 every few months) mistagged ham has kept Bayes pretty accurate, too. Customer feedback gives me ~15-25 missed spams per week on this system.

This setup has been running with minor tweaks since ~SA2.44, with sitewide Bayes introduced along about 2.54 or 2.55 (I never installed earlier 2.5x versions due to the series of bugs that popped up). It's survived hardware upgrades and a cross-distro move from RH7.3 to Debian woody - but I've never had to completely wipe and retrain the Bayes database. (I had some fun getting Debian woody to recognize the RH7.3 Bayes db; I had to build a custom DB_File and force it to install over top of the stock Debian version.)

The same pretty much applies to my personal server's SA install (which I run per-user Bayes instead of sitewide). I get ~5-6 messages slipping through each week, which I collect in a newspam folder that I manually feed to sa-learn on an irregular "Oh look, three missed spams today" basis.

-kgd
Re: Block: Google servers still on RBLs?
Chris Santerre [EMAIL PROTECTED] writes:

I know this has been discussed before, but is there a reason google is still on RBLs?

Nz-out-0102.google.com 64.233.162.203 listed on bl.spamcop.net 127.0.0.2

http://www.spamcop.net/w3m?action=checkblockip=64.233.162.203
2006-06-15T21:00:00Z

quote
64.233.162.203 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 14 hours.

Causes of listing
* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
* SpamCop users have reported system as a source of spam less than 10 times in the past week
/quote

--
[pl2en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
http://anfi.homeunix.net/ http://www.linkedin.com/in/andfil
Re: FP's on BAD_ENC_HEADER in bounces from Microsoft SMTPSVC
Nick Leverton wrote:

[snip]

We don't have an M$ mail server (and I for one don't want one). We're a Unix shop, as qmail and qpsmtpd in our own headers shows :)

I'm quite prepared to believe this is a MS bug, it certainly looks like it. But it seems to be a long term one - seen in emails from SMTPSVC versions 5.0.2195.6713 and 6.0.3790.1830. Remote MS servers, configured for foreign languages, sending genuine non-spam bounces to non-spam mails cause SA to FP on this rule.

Nick

Nick,

As much as I'd like to say yeah, it's yet another bad MS program ... i'm not entirely convinced of that. We used to run Exchange 2000 with Japanese DSN messages and I'm certain that we didn't have this problem. As such, I suspect that the organizations that are using these particular Exchange servers have probably just mis-configured them.

Of course I find it curious that they would use utf-7 encoding instead of utf-8 (which seems more widely accepted).

Alan