Re: full rule required, or is there something better?

2006-06-17 Thread Theo Van Dinter
On Sat, Jun 17, 2006 at 06:05:43PM +0200, Michael Monnerie wrote:
> Hello list, today I had a forged ebay e-mail containing an attachment 
> with a trojan. I would like to filter for the attachment name, is that 
> possible without a "full" rule?

Sure.  Use the MIMEHeader plugin.  (you can even check out the other
attachment name-related rules that exist... ;) )

(full rules -- boo!)

-- 
Randomly Generated Tagline:
"There is hopeful symbolism in the fact that flags do not wave in a
 vacuum."   - Arthur C. Clarke




Re: Adding Phishing Link rule

2006-06-17 Thread Theo Van Dinter
On Sat, Jun 17, 2006 at 09:56:03PM +0200, Yves Goergen wrote:
> I'm running SpamAssassin on my Exim MTA and would like to add a rule of
> which I don't think it's built-in yet: Phishing mails commonly have an
> HTML link in them with a target like "http://12.34.56.78/..."; but a
> label like "http[s]://somedomain/...". This case where the link label is

Actually that is a rule already in 3.1 (HTTPS_IP_MISMATCH) (anchor text
has to be https w/ some http href which is an IP).

For other versions of that rule:

http://wiki.apache.org/spamassassin/AntiPhishFakeUrlRule

-- 
Randomly Generated Tagline:
Captain!  Someone has snorted all the dilithium crystals.




Re: don't want to break anything

2006-06-17 Thread Loren Wilton
> delivered to local mail boxes, or the outside world, and my cpu is about
> pegged with the Mailscanner process. If I disable spamassassin in
> MailScanner everything works as expected???

There are a few possibilities here, all pretty much similar.

You might have a bad rule that is taking too much processor time.

You might have too many rules

You might have too many spamd children  (Or however MS does this)

You might be trying to do a huge Bayes or AWL expire on each mail scan, and
MS is killing the SA instance before it has a chance to complete.  So the
next one does the same thing.


Look to the size of your bayes/all DBs and see if they are huge.  Look at
the log and see if it looks like the SA children seem to be trying to do
bayes or awl stuff and getting killed in the middle.  You can do a manual
expire run and see if that cleans things up.

If that isn't it, look at 'top' and see if you are swapping like crazy.
Probably not, as at least *some* mail should get thru this way.

If you are completely processor bound and it isn't an expire run, you might
have a bad rule.  Try removing any local rules files temporarily.

Loren



Re: Adding Phishing Link rule

2006-06-17 Thread Loren Wilton
The rule you suggest isn't particularly good.  There are far too many legit
mails (mostly mailing list type of things) that do exactly what you want to
check for.  So the FP rate is higher than most people would like.  This has
been discussed many times in the past.

That said, I believe there is at least one SARE rule that checks for exactly
what you want to look for.

Loren



Re: don't want to break anything

2006-06-17 Thread Raymond Norton
> Get the tar file from spamassassin.apache.org
>
> Once downloaded,
>
> rpmbuild -tb file-you-downloaded
>
> cd /usr/src/redhat/RPMS/i386
>
> Install the two files.

That worked so well on one server, I did it to another! I hope the problem
I have now is an easy fix. I am running MailScanner, spamassassin,
sendmail. My server is taking in mail messages, but none are being
delivered to local mail boxes, or the outside world, and my cpu is about
pegged with the Mailscanner process. If I disable spamassassin in
MailScanner everything works as expected???


Re: SQL Bayes with Postgres in SUSE9.3

2006-06-17 Thread Michael Monnerie
On Sunday, 18 June 2006 01:37 Michael Monnerie wrote:
> Hello, I'm wondering why I need different settings than written
> anywhere in the documentation. For the first time I tried to use
> bayes via SQL, and read the README and the wiki. They suggest this in
> local.cf:
>
> bayes_store_module   Mail::SpamAssassin::BayesStore::PgSQL
> bayes_sql_dsn  DBI:driver:database:hostname[:port]
> bayes_sql_username dbusername
> bayes_sql_password dbpassword
> (and optionally:)
> bayes_sql_override_username someusername

Sorry, forgot to post the errors from spamd:
[21920] dbg: bayes: unable to connect to database: missing "=" after 
"zmi_sa_bayes:localhost" in connection info string
[21920] dbg: bayes: unable to connect to database: missing "=" after 
"zmi_sa_bayes:localhost" in connection info string

> The next itch after this was, that I couldn't start spamd, because
> user vscan was not defined. After one
> insert into bayes_vars (username) values ('vscan');
> everything seems to work now.

Errors here:
[2322] dbg: bayes: using username: vscan
[2322] dbg: bayes: database connection established
[2322] dbg: bayes: found bayes db version 3
[2322] dbg: bayes: unable to initialize READONLY database for vscan 
user, aborting!
[2322] dbg: bayes: database connection established
[2322] dbg: bayes: found bayes db version 3
[2322] dbg: bayes: unable to initialize READONLY database for vscan 
user, aborting!

Note that the word "READONLY" was set by me in 
lib/Mail/SpamAssassin/BayesStore/SQL.pm line 141, because it was the 
same message as in the function where the DB was NOT readonly. I just 
wanted to know where the code was jumping around...

Ah yes, it's SA 3.1.3.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:"curl -s http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




SQL Bayes with Postgres in SUSE9.3

2006-06-17 Thread Michael Monnerie
Hello, I'm wondering why I need different settings than written anywhere 
in the documentation. For the first time I tried to use bayes via SQL, 
and read the README and the wiki. They suggest this in local.cf:

bayes_store_module   Mail::SpamAssassin::BayesStore::PgSQL
bayes_sql_dsn  DBI:driver:database:hostname[:port]
bayes_sql_username dbusername
bayes_sql_password dbpassword
(and optionally:)
bayes_sql_override_username someusername

But that didn't work for me, I had to use:
bayes_store_module  Mail::SpamAssassin::BayesStore::PgSQL
bayes_sql_dsn DBI:Pg:dbname=spamass;host=localhost
bayes_sql_username   dbusername
bayes_sql_password  dbpassword
bayes_sql_override_username vscan

So my DSN had to contain "dbname=" and "host=", separated via semicolon. 
That seems to be because of my version of DBD::Pg, which is 
perl-DBD-Pg-1.22-199 (rpm by SUSE9.3).

The next itch after this was, that I couldn't start spamd, because user 
vscan was not defined. After one
insert into bayes_vars (username) values ('vscan');
everything seems to work now.

But I'm still wondering why the documentation differs from my 
experience?

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:"curl -s http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




Pyzor and null body messages

2006-06-17 Thread David Goldsmith

Over the last day or two, we've started receiving LOTS of messages that
have no message body, just headers.  I've added a meta rule to check for
the presence of 3 or more of the following: FORGED_RCVD_HELLO,
MISSING_SUBJECT,  EMPTY_MESSAGE, TO_CC_NONE.

With the rule and its associated score, I am blocking more of them now
but I am seeing an error with pyzor in my maillog.  It seems pyzor does
not like null-message files.

I'm not real familiar with python so a quick look through client.py and
__init__.py didn't reveal an obvious location to check for content size.

Is there an option to tell pyzor to ignore empty messages or is there an
easy mod to the code to add such a test?

Thanks,
Dave




Re: don't want to break anything

2006-06-17 Thread Steven Stern
Raymond Norton wrote:
> I have a Centos 4.x server with an rpm install of spamassasin (
> spamassassin-3.0.6-1.el4). I want to upgrade it to the newest version, so
> I can use sa_update for new rules. I might be missing it, but I don't see
> that Centos has an rpm available that I can upgrade to. Is there a way to
> remove the rpm and reinstall from source, or upgrade with an rpm, so I do
> not break my server? I scan mail for 12 school districts and can't afford
> for a new install to go bad.

Get the tar file from spamassassin.apache.org

Once downloaded,

rpmbuild -tb file-you-downloaded

cd /usr/src/redhat/RPMS/i386

Install the two files.

-- 

  Steve


don't want to break anything

2006-06-17 Thread Raymond Norton
I have a Centos 4.x server with an rpm install of spamassasin (
spamassassin-3.0.6-1.el4). I want to upgrade it to the newest version, so
I can use sa_update for new rules. I might be missing it, but I don't see
that Centos has an rpm available that I can upgrade to. Is there a way to
remove the rpm and reinstall from source, or upgrade with an rpm, so I do
not break my server? I scan mail for 12 school districts and can't afford
for a new install to go bad.




-- 
Raymond Norton
LCTN




Re: full rule required, or is there something better?

2006-06-17 Thread John D. Hardin
On Sat, 17 Jun 2006, Michael Monnerie wrote:

> On Saturday, 17 June 2006 18:55 John D. Hardin wrote:
> > 
> > http://www.impsec.org/email-tools/procmail-security.html
> > 
> 
> OK, sorry, my fault. I didn't say "I wanna do it in SA". If
> there's some attachment with a certain name, it should get points
> in SA.

Well, it's reasonable to assume that. However, SA is not a security
tool, and trying to force it to be one is probably a bad idea.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Insofar as the police deter by their presence, they are very, very
  good. Criminals take great pains not to commit a crime in front of
  them.    -- Jeffrey Snyder
---
 Tomorrow: SWMBO's Birthday



Re: full rule required, or is there something better?

2006-06-17 Thread Michael Monnerie
On Saturday, 17 June 2006 18:55 John D. Hardin wrote:
> 
> http://www.impsec.org/email-tools/procmail-security.html
> 

OK, sorry, my fault. I didn't say "I wanna do it in SA". If there's some 
attachment with a certain name, it should get points in SA.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:"curl -s http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




Re: Adding Phishing Link rule

2006-06-17 Thread Yves Goergen
On 17.06.2006 22:05 CE(S)T, Michele Neylon :: Blacknight.ie wrote:
> You could have a look at MailScanner (http://www.mailscanner.info) as
> this has builtin support for phishing checks ...

Sorry, MailScanner doesn't support SMTP-time checks and requires me to
setup 2 separate Exim instances with non-standard configuration, this is
all too hacky to me. I'm looking for a way to do that with SpamAssassin
directly.

-- 
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
http://beta.unclassified.de – My web laboratory.


Re: Adding Phishing Link rule

2006-06-17 Thread Michele Neylon :: Blacknight.ie
You could have a look at MailScanner (http://www.mailscanner.info) as
this has builtin support for phishing checks ...

-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239


Adding Phishing Link rule

2006-06-17 Thread Yves Goergen
Hello,
I'm running SpamAssassin on my Exim MTA and would like to add a rule of
which I don't think it's built-in yet: Phishing mails commonly have an
HTML link in them with a target like "http://12.34.56.78/..."; but a
label like "http[s]://somedomain/...". This case where the link label is
a domain but the target is a numeric IP, and even worse the case, where
the label has https: and the target only http:, I would like to score a
high number of points. Is this already built-in? I couldn't see it on
such a mail I received today.

How can I add this rule myself? The "rawbody" option only matches line
by line, which doesn't help me because the link is split over multiple
lines. What I need is something to match the entire message as one, with
HTML kept intact but encoding (Quoted Printable...) resolved. I have
seen the HTTPS_IP_MISMATCH rule that leads me to a Perl function. I
don't understand Perl very well, and this specific function is way too
complex for me. Also I don't know where to add my own Perl functions.
The documentation doesn't tell me.

-- 
Yves Goergen "LonelyPixel" <[EMAIL PROTECTED]>
http://beta.unclassified.de – My web laboratory.
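The two cases Yves describes above (a URL-looking label whose host is a domain while the real target is a numeric IP, and the worse variant where the label says https but the target is plain http, which is what Theo says HTTPS_IP_MISMATCH keys on) as a stand-alone check. This is an added example, not SpamAssassin's own rule code; it decodes quoted-printable first and matches anchors with DOTALL so a link wrapped across lines is handled as one unit. The sample message and the finding names are constructed.

```python
import ipaddress
import quopri
import re
from html import unescape
from urllib.parse import urlsplit

# Constructed sample (not from the thread): a quoted-printable HTML part whose anchor
# is wrapped over lines, labelled with an https:// domain but targeting a plain-http IP.
SAMPLE_QP = b"""<html><body>Please verify your account:<br>
<a href=3D"http://12.34.56.78/cgi-bin/login">https://signin.examp=
le.test/ws/eBayISAPI.dll</a><br>
Regards</body></html>
"""

# One <a ...>label</a> element; DOTALL so an anchor split across lines is still
# matched as a unit, which a line-by-line rawbody rule cannot do.
ANCHOR_RE = re.compile(
    r'<a\s[^>]*?href\s*=\s*["\']?([^"\'\s>]+)["\']?[^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL)

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_anchor(href, label):
    """Findings for one anchor (constructed names): domain label over an IP target,
    and the stronger https-label over http-IP-target variant."""
    findings = set()
    label_text = " ".join(unescape(label).split())   # collapse line wrapping
    if not re.match(r"https?://", label_text, re.IGNORECASE):
        return findings                              # label is not a URL at all
    target = urlsplit(href.strip())
    shown = urlsplit(label_text)
    if (target.scheme.lower() in ("http", "https")
            and _is_ip_literal(target.hostname or "")
            and not _is_ip_literal(shown.hostname or "")):
        findings.add("LABEL_DOMAIN_HREF_IP")
        if shown.scheme.lower() == "https" and target.scheme.lower() == "http":
            findings.add("HTTPS_LABEL_HTTP_IP_HREF")
    return findings

def scan_html_part(qp_bytes):
    """Decode a quoted-printable HTML part and return findings per suspicious href."""
    html = quopri.decodestring(qp_bytes).decode("utf-8", "replace")
    found = {href: check_anchor(href, label) for href, label in ANCHOR_RE.findall(html)}
    return {href: hits for href, hits in found.items() if hits}
```

As Loren notes elsewhere in the thread, legitimate mailing-list mail can trip the first finding, so it is better treated as a scoring signal than a hard block.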


Re: full rule required, or is there something better?

2006-06-17 Thread John D. Hardin
On Sat, 17 Jun 2006, Michael Monnerie wrote:

> Hello list, today I had a forged ebay e-mail containing an attachment 
> with a trojan. I would like to filter for the attachment name, is that 
> possible without a "full" rule?
> 
> full ZMIde_EBAYBILL1 /name="Ebay-Rechnung.pdf.zip"/
> describe ZMIde_EBAYBILL1 false ebay bill .zip file
> score ZMIde_EBAYBILL1 4.9


http://www.impsec.org/email-tools/procmail-security.html


--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
What nuts do with guns is terrible, certainly. But what evil or crazy
people do with *anything* is not a valid argument for banning that item.
  -- John C. Randolph <[EMAIL PROTECTED]>
---
 Tomorrow: SWMBO's Birthday



Counting rules possible?

2006-06-17 Thread Michael Monnerie
Hello, I started to change the ZMI_GERMAN ruleset, to using counters. I 
have some body rules "JOBHAVE" 1-24, and if 2 of them hit, it gets 
x points, if 3 hit, it gets another y points, and if 4 hit, another z 
points. Currently I do that with 3 different meta's, each counting 
JOBHAVE1-24 and comparing with >=n. This is expensive for CPU, so some 
abbreviation would be nice:

meta T_ZMIde_JOBHAVE (__ZMIde_JOBHAVE1 + __ZMIde_JOBHAVE2 + __ZMIde_JOBHAVE3 + __ZMIde_JOBHAVE4 + __ZMIde_JOBHAVE5 + __ZMIde_JOBHAVE6 + __ZMIde_JOBHAVE7 + __ZMIde_JOBHAVE8 + __ZMIde_JOBHAVE9 + __ZMIde_JOBHAVE10 + __ZMIde_JOBHAVE11 + __ZMIde_JOBHAVE12 + __ZMIde_JOBHAVE13 + __ZMIde_JOBHAVE14 + __ZMIde_JOBHAVE15 + __ZMIde_JOBHAVE16 + __ZMIde_JOBHAVE17 + __ZMIde_JOBHAVE18 + __ZMIde_JOBHAVE19 + __ZMIde_JOBHAVE20 + __ZMIde_JOBHAVE21 + __ZMIde_JOBHAVE22 + __ZMIde_JOBHAVE23 + __ZMIde_JOBHAVE24)
meta T_have_gt_2 T_ZMIde_JOBHAVE >= 2
describe T_have_gt_2 test hit: we can meta meta's
score T_have_gt_2 

If I could write the first JOBHAVE rule which has a sum of say 8 hits, 
and then just compare below with a meta JOBHAVE >= 2, it would save 
some CPU. Is that possible, or do I really all the time have to rewrite 
the full JOBHAVE rule again, just with different >= values?

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:"curl -s http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




full rule required, or is there something better?

2006-06-17 Thread Michael Monnerie
Hello list, today I had a forged ebay e-mail containing an attachment 
with a trojan. I would like to filter for the attachment name, is that 
possible without a "full" rule?

full ZMIde_EBAYBILL1 /name="Ebay-Rechnung.pdf.zip"/
describe ZMIde_EBAYBILL1 false ebay bill .zip file
score ZMIde_EBAYBILL1 4.9

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:"curl -s http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




Re: SpamAssassin Question

2006-06-17 Thread Matt Kettler
slyandjen wrote:
> If SpamAssasin is enable
>
> does it ignore the whitelist/blacklist settings in MailScanner?
>   
MailScanner will still use it's own white/black lists even when
SpamAssassin is enabled.

It should also be noted that white/black lists, as well as any "spam
lists" you enable in MailScanner will take their actions without regard
for how low or how high SA scores a message.