Re: On bichromatic GIF stock spam
No, I was thinking of multipart/alternative where one of the alternative streams is nothing but images. That doesn't strike me as legitimate. Can anyone think of a scenario where images *are* a legitimate alternative representation of text? Doesn't really help. The actual mails have a tiny gibberish text part, and a tiny to medium html part that has a few words of gibberish (usually the same as the text part) and the rest is calls to images. So there really is an html part. I did a trivial test for alternative and gif, and it didn't pan out very well. Will need some additional conditions to make it more usable. Loren
Re: [SPAM] Examples of Received Headers
Jim Hermann - UUN Hostmaster [EMAIL PROTECTED] writes:
> SPF is not enough. It does not eliminate the zombie or spambot.

It is if you set your SPF record to allow your mailer(s) and hard fail on all others *and* the recipient of the forged email checks against SPF. The problems come when recipients do not check (and act on) SPF even when you have defined a 'tight' SPF record.
match text in html parts
I am receiving the same spam repeatedly but each message is different. I only identified a small part in the HTML which is always the same. I created a 'body' rule but it doesn't work. Are there other rule types apart from 'body' and 'header'?
spamc -d option problem
I'm trying to use the spamc -d option and it doesn't seem to be working. I have multiple hosts listed and it works for the first host but not for the second.

spamc -x -d pascal.ctyme.com,localhost

What am I doing wrong? Or is there a bug?
Re: spamc -d option problem
Marc Perkel wrote:
> I'm trying to use the spamc -d option and it doesn't seem to be working. I have multiple hosts listed and it works for the first host but not for the second.
>
> spamc -x -d pascal.ctyme.com,localhost
>
> What am I doing wrong? Or is there a bug?

Please clarify what you mean by it isn't working. With just the -d option, your spamc client will always try to connect to pascal.ctyme.com first and only if that server is non-responsive will it then try to connect to the spamd process running on the localhost. If you want it to randomly connect to either box, add the -H switch.

David Goldsmith
Re: spamc -d option problem
David Goldsmith wrote:
> Marc Perkel wrote:
> > I'm trying to use the spamc -d option and it doesn't seem to be working. I have multiple hosts listed and it works for the first host but not for the second.
> >
> > spamc -x -d pascal.ctyme.com,localhost
> >
> > What am I doing wrong? Or is there a bug?
>
> Please clarify what you mean by "it isn't working". With just the -d option, your spamc client will always try to connect to pascal.ctyme.com first and only if that server is non-responsive will it then try to connect to the spamd process running on the localhost. If you want it to randomly connect to either box, add the -H switch.

What I mean is it will connect to the first server, but if the first server is down it won't connect to the second server. And I have tried several tests and all the servers are working.
Re: match text in html parts
Toni Casueps wrote:
> I am receiving the same spam repeatedly but each message is different. I only identified a small part in the HTML which is always the same. I created a 'body' rule but it doesn't work. Are there other rule types apart from 'body' and 'header'?

Yes, there are several other kinds of rules. If you want to match html tags, use rawbody. If you want to match link targets, use uri.

See also: http://wiki.apache.org/spamassassin/WritingRules (section titled: Advanced rule types (meta, uri, rawbody and friends))
RE: Examples of Received Headers
On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:

> > On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:
> >
> > > Here are examples of the Received Headers for the type of spam that are being sent with forged email addresses for a domain that I host.
> >
> > The Received headers in spams cannot be trusted, except for the Received headers put in by relays run by *you* or someone you trust. Received headers are trivially easy to forge and carry very little useful information in spams.
>
> These are Received Headers provided by the ISP that sent me the bounce message, not because of spam, but because the recipient did not exist. They put the Original Spam Full Headers in the message that they sent to me.

Erm. Again, I'm not clear on what you provided examples of. Were the Received headers from the message headers of the bounce itself? If so, contact the ISP that you received the message from and ask them to implement SPF checks. Were the Received headers from the *body* of the bounce, where the other ISP put a copy of the spam headers? If so, you can't trust them and for the most part trying to parse them is a waste of time.

> If I can trust that my server identified the last server and the last server was the recipient server, then I think I can trust that they sent me the Full Headers as they received them. Yes, I know that the prior Received Headers could be forged.

The headers as they received them are also likely forged. You *might* be able to trust the Received header that their mail relay put in, which could tell you from where they received the email. Beyond that, they are subject to forgery.

> I don't think that these spambots are bothering to try to forge the Received Headers. Usually the first two Received Headers have IP Addresses assigned to the same ISP.
>
> SPF is not enough. It does not eliminate the zombie or spambot.

No, but it does fairly well what it is intended to do: eliminate forgeries. SPF is *not* an anti-spam tool. It is an anti-forgery tool.

I agree, though, that it should be part of a larger set of tools.

--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Postfix content filter/milter
Are there any postfix users out there who can recommend a way to delete mail based on spamassassin results? Specifically I need to know how to use a content filter or milter, and which one to use. Cheers!
Re: Postfix content filter/milter
http://www.mailscanner.info -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Postfix content filter/milter
Justin Cook wrote:
> Are there any postfix users out there who can recommend a way to delete mail based on spamassassin results? Specifically I need to know how to use a content filter or milter, and which one to use. Cheers!

By far the best method is to use amavisd-new together with Postfix!

Amavisd-New -- http://www.ijs.si/software/amavisd/
Postfix conf --- http://www.ijs.si/software/amavisd/README.postfix.txt

/Micke
Re: Postfix content filter/milter
* Michael Andersson [EMAIL PROTECTED]:
> By far the best method is to use amavisd-new together with Postfix!

Amen to that

--
Ralf Hildebrandt (on behalf of the IT Centre) [EMAIL PROTECTED]
Charite - Universitätsmedizin Berlin, Tel. +49 (0)30-450 570-155
Joint institution of FU and HU Berlin, Fax. +49 (0)30-450 570-962
IT Centre, CBF site. send no mail to [EMAIL PROTECTED]
RulesDuJour random.current.cf?
About a week ago I started seeing:

The following rules had errors:
William Stearn's RANDOM WORD Ruleset was not retrieved because of: 403 from http://www.sa-blacklist.stearns.org/sa-blacklist/random.current.cf.

I ignored it for a while, because I've seen transient problems with some of the RDJ rules in the past, but not for this long. Has this ruleset gone away?

Thank you,
--
Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347 FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor racing, all the rest are merely games! - Ernest Hemingway
Re: Bounced messages for email from forged email addresses for a hosted domain - need opinions
I think you've just proved my point. It's too hard to try and determine who to contact in these situations Do it like Spamcop does with SPAM: Contact *everybody* in the chain, and complain to them. Some sort of SPFcop would be nice for that.. cat /var/log/maillog | pflogsumm -d today | sendmail -f pflogsumm postmaster hard to follow :-) hope more postmasters will do this and act on it
RE: skip_rbl_checks
Does anyone know **exactly** what skip_rbl_checks = 1 turns off?

I know that it turns off all regular RBL checks (where the IP address is checked against a traditional RBL)

I'm fairly sure that it turns off SURBL URIBL checks, right?

I'm fairly sure that it does NOT turn off DCC, Razor, Pyzor, etc, right?

But what else is affected?... is there a comprehensive list or a more detailed explanation anywhere?

Thanks,
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
outlook email is beeing flag as spam...
Does any one know how to handle this?:

-1.8 ALL_TRUSTED             Passed through trusted hosts only via SMTP
-0.2 BAYES_40                BODY: Bayesian spam probability is 20 to 40% [score: 0.3371]
 0.1 HTML_90_100             BODY: Message is 90% to 100% HTML
 1.8 HTML_IMAGE_ONLY_24      BODY: HTML: images with 2000-2400 bytes of words
 1.0 HTML_MESSAGE            BODY: HTML included in message
 1.7 MSGID_DOLLARS           Message-Id has pattern used in spam
 1.9 RATWARE_MS_HASH         Bulk email fingerprint (msgid ms hash) found
 2.8 RATWARE_OUTLOOK_NONAME  Bulk email fingerprint (Outlook no name) found

I could adjust ALL_TRUSTED so this won't be marked as spam, but what about other email being sent by outlook from outside? Any idea? Thanks.
Re: outlook email is beeing flag as spam...
> Does any one know how to handle this?: found I could adjust ALL_TRUSTED so this won't be marked as spam, but what about other email being sent by outlook from outside? Any idea?

http://www.mozilla.com/thunderbird/
RE: outlook email is beeing flag as spam...
Honestly, those Outlook rules should be firing on a normal Outlook user, or they're scored way too high. I use Outlook every day and AFAIK, I've never had my e-mail rejected or tagged with those rules. It's probably time to look at what is being generated by these specific problem users that trigger those rules.

Of course, you could always adjust the scores:

score RATWARE_MS_HASH 0.01
score RATWARE_OUTLOOK_NONAME 0.01

But then realize that your users generating those messages are going to be flagged as spam by a lot of other systems running SA, so the real solution is to find what's causing the rule to fire and fix the Outlook setup so it doesn't trigger it.

Bret

From: Screaming Eagle [mailto:[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 10:55 AM
To: spam mailling list
Subject: outlook email is beeing flag as spam...

Does any one know how to handle this?:

-1.8 ALL_TRUSTED             Passed through trusted hosts only via SMTP
-0.2 BAYES_40                BODY: Bayesian spam probability is 20 to 40% [score: 0.3371]
 0.1 HTML_90_100             BODY: Message is 90% to 100% HTML
 1.8 HTML_IMAGE_ONLY_24      BODY: HTML: images with 2000-2400 bytes of words
 1.0 HTML_MESSAGE            BODY: HTML included in message
 1.7 MSGID_DOLLARS           Message-Id has pattern used in spam
 1.9 RATWARE_MS_HASH         Bulk email fingerprint (msgid ms hash) found
 2.8 RATWARE_OUTLOOK_NONAME  Bulk email fingerprint (Outlook no name) found

I could adjust ALL_TRUSTED so this won't be marked as spam, but what about other email being sent by outlook from outside? Any idea? Thanks.
Re: outlook email is beeing flag as spam...
Any pointers on this: real solution is to find what's causing the rule to fire and fix the Outlook setup so it doesn't trigger it?. Thanks.
Re: Not just use_bayes_rules 0
No one has any comments at all?

-- Forwarded message --
From: Bart Schaefer [EMAIL PROTECTED]
Date: Jun 23, 2006 10:49 PM
Subject: Not just use_bayes_rules 0
To: Spamassassin Users List users@spamassassin.apache.org

I want to make sure I'm not misinterpreting something else before I report this as a bug. I just tried

use_bayes 1
use_bayes_rules 0

The effect of this seems to be that NONE of the rules are applied, except whitelist_from and blacklist_from. I had assumed it would just turn off the BAYES_* rules, as if they had all been given zero scores.

use_bayes_rules ( 0 | 1 ) (default: 1)
    Whether to use rules using the naive-Bayesian-style classifier built into SpamAssassin. This allows you to disable the rules while leaving auto and manual learning enabled.

Under what circumstances would one want to disable ALL the rules while still leaving auto-learning enabled? What good could possibly come of it?
Re: skip_rbl_checks
On Mon, Jun 26, 2006 at 01:45:14PM -0400, Rob McEwen (PowerView Systems) wrote:
> I know that it turns off all regular RBL checks (where the IP address is checked against a traditional RBL)

Yes.

> I'm fairly sure that it turns off SURBL URIBL checks, right?

No. The URIDNSBL plugin doesn't pay attention to the skip_rbl_checks option.

> I'm fairly sure that it does NOT turn off DCC, Razor, Pyzor, etc, right?

Correct.

> But what else is affected?... is there a comprehensive list or a more detailed explanation anywhere?

I don't think there's a lot of documentation written for users out there about this (wiki maybe?), but in general it's any rbl checks which is what the docs say. (ie: any of the check_rbl* rules)

The slightly more detailed version is that if you grep through the code for skip_rbl_checks, there are three functions in EvalTests which check the option value:

check_rbl_backend
    This ends up getting called by check_rbl, check_rbl_txt, check_rbl_accreditor -- all of which are exclusively used in the rules files.

check_rbl_sub
    Also known as check_rbl_results_for, used exclusively in the rules files.

_check_rbl_addresses
    Called from check_rbl_from_host and check_rbl_envfrom, used exclusively in the rules files.

I'll leave it as an exercise for the reader to convert the above information into a rule listing, but in short it's the DNSBL and DNSWL rules. :)

--
Randomly Generated Tagline:
Software engineering is a race between engineers who try to create foolproof software and the universe which is trying to create bigger fools. So far, the universe is winning... - Michael H. Warfield
Re: outlook email is beeing flag as spam...
I suggested before that you had a problem with your trusted_hosts configuration. The headers below confirm that you have a problem with your trusted_hosts configuration.

The solution isn't to adjust the score on ALL_TRUSTED. The solution is to correctly set trusted_hosts so that the rule doesn't trigger for mail that comes from non-trusted hosts. This will also "fix" a number of other score-related problems you are probably seeing. A LOT of stuff breaks in SA if the trust path is wrong.

Loren

- Original Message -
From: Screaming Eagle
To: spam mailling list
Sent: Monday, June 26, 2006 10:55 AM
Subject: outlook email is beeing flag as spam...

Does any one know how to handle this?:

-1.8 ALL_TRUSTED             Passed through trusted hosts only via SMTP
-0.2 BAYES_40                BODY: Bayesian spam probability is 20 to 40% [score: 0.3371]
 0.1 HTML_90_100             BODY: Message is 90% to 100% HTML
 1.8 HTML_IMAGE_ONLY_24      BODY: HTML: images with 2000-2400 bytes of words
 1.0 HTML_MESSAGE            BODY: HTML included in message
 1.7 MSGID_DOLLARS           Message-Id has pattern used in spam
 1.9 RATWARE_MS_HASH         Bulk email fingerprint (msgid ms hash) found
 2.8 RATWARE_OUTLOOK_NONAME  Bulk email fingerprint (Outlook no name) found

I could adjust ALL_TRUSTED so this won't be marked as spam, but what about other email being sent by outlook from outside? Any idea? Thanks.
Re: outlook email is beeing flag as spam...
> 2.8 RATWARE_OUTLOOK_NONAME Bulk email fingerprint (Outlook no name)

Something has removed the X-Mailer line from the messages.

Loren

- Original Message -
From: Bret Miller
To: spam mailling list
Sent: Monday, June 26, 2006 11:10 AM
Subject: RE: outlook email is beeing flag as spam...

Honestly, those Outlook rules should be firing on a normal Outlook user, or they're scored way too high. I use Outlook every day and AFAIK, I've never had my e-mail rejected or tagged with those rules. It's probably time to look at what is being generated by these specific problem users that trigger those rules.

Of course, you could always adjust the scores:

score RATWARE_MS_HASH 0.01
score RATWARE_OUTLOOK_NONAME 0.01

But then realize that your users generating those messages are going to be flagged as spam by a lot of other systems running SA, so the real solution is to find what's causing the rule to fire and fix the Outlook setup so it doesn't trigger it.

Bret

From: Screaming Eagle [mailto:[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 10:55 AM
To: spam mailling list
Subject: outlook email is beeing flag as spam...

Does any one know how to handle this?:

-1.8 ALL_TRUSTED             Passed through trusted hosts only via SMTP
-0.2 BAYES_40                BODY: Bayesian spam probability is 20 to 40% [score: 0.3371]
 0.1 HTML_90_100             BODY: Message is 90% to 100% HTML
 1.8 HTML_IMAGE_ONLY_24      BODY: HTML: images with 2000-2400 bytes of words
 1.0 HTML_MESSAGE            BODY: HTML included in message
 1.7 MSGID_DOLLARS           Message-Id has pattern used in spam
 1.9 RATWARE_MS_HASH         Bulk email fingerprint (msgid ms hash) found
 2.8 RATWARE_OUTLOOK_NONAME  Bulk email fingerprint (Outlook no name) found

I could adjust ALL_TRUSTED so this won't be marked as spam, but what about other email being sent by outlook from outside? Any idea? Thanks.
how can I test
I've upgraded my SA and there is a doubt. How can I test this software before I put my computer to work on the net? Sorry for my English, I'm a Brazilian user. Thanks
Re: outlook email is beeing flag as spam...
Wow, I did not know this can break so many aspects of spamassassin, thank you for the information. I have set trusted_network in my local.cf file, I have set all except one network which has a netmask of 255.255.255.192, how should I handle this? Should it be like network ip/255.255.255.192? I have set it like so and have not seen any errors in the log file.
RE: outlook email is beeing flag as spam...
> Any pointers on this: real solution is to find what's causing the rule to fire and fix the Outlook setup so it doesn't trigger it?. Thanks.

How about posting the message headers. The last three rules that fired (MSGID_DOLLARS, RATWARE_MS_HASH, and RATWARE_OUTLOOK_NONAME) all indicate a problem with the message ID format in combination with another header. If you have something in your path removing headers from messages, that'll cause this. SA relies on the headers being preserved to get an accurate assessment of what's going on. Cleaning them out before calling SA is just asking for trouble.

Bret
RulesDuJour Summary messages
I'm getting the following messages from the RulesDuJour run:

RulesDuJour Run Summary on yoursummit.com:
No index found for ruleset named ARE_BAYES_POISON_NXM. Check that this ruleset is still valid.
SARE Top 200 spamcop ip addresses Ruleset (automatically generated) has changed on yoursummit.com. Version line: # Modified: 06/23/2006 2:58:27 PM EST
No index found for ruleset named SARE_URI2. Check that this ruleset is still valid.

How do I check that the ruleset is valid?? I went to rulesemporium and they say that these rules are still active with Auto-Update as yes. What do I need to do to rectify these issues? Thanks!

Tracey Gates
Lead Developer
[EMAIL PROTECTED]
RE: Will SpamAssassin work with my mail setup?
> I checked the FAQ's and searched the WIKI but couldn't find an answer to this question... My email client (thunderbird) connects directly to my remote POP Mail Server, which is hosted by my ISP. Is there a configuration of SpamAssassin that will work for me?

Depends. If Thunderbird is running on Windows, try http://physics.ucsd.edu/~epivovar/anti-spam.htm

Bret
Re: Start it up
Brian Hamlin wrote:
> I am putting along with Perl. I just wrote a script that loops through my mail, reads a msg, sends it to SA, then writes it out to a new mbox. When it is done, it copies the new mbox into the system one.
> * horribly slow
> * will miss mails
> * maybe I made more mistakes
> but it is better than the alternative at the moment. ideas still welcome.
> -Brian
> ps- yes, I am just a user here.. If I had something very specific to ask an admin, maybe I could get them to do it for me.. I am not sure what that might be in terms of the filter account, but I appreciate the cycles...

Normally, you would run a new message through SA before it gets to your mailbox. If you need to do this at the user level (rather than in the MTA) the common method is with procmail: http://wiki.apache.org/spamassassin/UsedViaProcmail

You can pass a whole mailbox to spamassassin with the --mbox option but you are still going to have the problem of overwriting an active mailbox file and possibly losing mail. Procmail would be a better way to go for future mail.
Re: outlook email is beeing flag as spam...
header info:

Date: Mon, 26 Jun 2006 12:42:00 -0400
X-Spam-Virus: No
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on ...
X-Spam-Level: ***
X-Spam-Status: Yes, score=7.6 required=7.0 tests=ALL_TRUSTED,BAYES_50,
    HTML_90_100,HTML_IMAGE_ONLY_28,HTML_MESSAGE,MSGID_DOLLARS,
    RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME autolearn=no version=3.1.3

Please ignore ALL_TRUSTED, i am working on setting up trusted_network parameters. Thanks.
setting up trusted_networks ....
All, I have searched the wiki for trusted_networks, but I am not getting results back. Is the syntax space delimited, like if I wanted 3 address ranges I could do this:

192.168.40. 10.10.30 network ip/255.255.255.192

Would the above work? Thanks.
Re: outlook email is beeing flag as spam...
On Monday 26 June 2006 22:17, Screaming Eagle took the opportunity to write:
> header info:
> Date: Mon, 26 Jun 2006 12:42:00 -0400
> X-Spam-Virus: No
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on ...
> X-Spam-Level: ***
> X-Spam-Status: Yes, score=7.6 required=7.0 tests=ALL_TRUSTED,BAYES_50,
>     HTML_90_100,HTML_IMAGE_ONLY_28,HTML_MESSAGE,MSGID_DOLLARS,
>     RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME autolearn=no version=3.1.3

All of them, please. You've already posted the rules hit; those lines don't add any information.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
RE: setting up trusted_networks ....
Screaming Eagle wrote:
> All, I have searched the wiki for trusted_networks, but I am not getting results back. Is the syntax space delimited, like if I wanted 3 address ranges I could do this:
>
> 192.168.40. 10.10.30 network ip/255.255.255.192
>
> Would the above work? Thanks.

The spacing is correct, but I'm not sure if that mask specification will work. Try this:

trusted_networks 192.168.40. 10.10.30.xxx/26

--
Bowie
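The trust rule John Hardin describes in the Received-headers thread and the netmask question in this thread, shown together in one added Python example (not SpamAssassin's code and not from any poster). It is a simplified model: the host names, the 192.0.2.64 network and both header chains are constructed, and the trailing-dot shorthand is assumed to mean what the Mail::SpamAssassin::Conf documentation describes.

```python
import ipaddress
import re


def mask_to_prefix(dotted_mask):
    """Dotted netmask -> CIDR prefix length, e.g. 255.255.255.192 -> 26."""
    return ipaddress.ip_network("0.0.0.0/" + dotted_mask).prefixlen


def parse_trusted_entry(entry):
    """Turn one trusted_networks-style entry into an ip_network.

    Accepted here: a.b.c.d, a.b.c.d/len, a.b.c.d/dotted-mask, and the
    trailing-dot shorthand ("192.168.40." means 192.168.40.0/24).
    Anything else, such as "10.10.30" with no trailing dot, raises
    ValueError in this model (an assumption of the example, not a
    statement about what SpamAssassin itself accepts).
    """
    if entry.endswith("."):
        octets = entry[:-1].split(".")
        if not 1 <= len(octets) <= 3:
            raise ValueError("bad trailing-dot entry: %r" % entry)
        base = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network("%s/%d" % (base, 8 * len(octets)))
    return ipaddress.ip_network(entry)  # strict: host bits must be zero


_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(received_value):
    """IP that the writing host recorded for its peer, or None."""
    match = _BRACKETED_IP.search(received_value)
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def trust_path(received, trusted_entries):
    """Walk Received values newest first (top of the message downwards).

    The top header was written by our own server, so the peer IP in it is
    reliable. Only if that peer is a trusted relay is the next header,
    which the peer wrote, believable. At the first untrusted peer the walk
    stops: that IP is where the mail really entered, and every header
    below it was supplied by the sender and may be forged.
    """
    nets = [parse_trusted_entry(e) for e in trusted_entries]
    trusted_relays = []
    for index, value in enumerate(received):
        ip = relay_ip(value)
        if ip is None or not any(ip in net for net in nets):
            return {
                "all_trusted": False,
                "trusted_relays": trusted_relays,
                "entry_point": str(ip) if ip is not None else None,
                "unverifiable": received[index + 1:],
            }
        trusted_relays.append(str(ip))
    return {"all_trusted": True, "trusted_relays": trusted_relays,
            "entry_point": None, "unverifiable": []}


# Constructed configuration: one /24 in shorthand, one /26 written as CIDR.
TRUSTED = ["192.168.40.",
           "192.0.2.64/%d" % mask_to_prefix("255.255.255.192")]

# Constructed: mail from outside carrying a forged "internal" hop below.
FORGED_CHAIN = [
    "from mail.example.org (unknown [203.0.113.7]) by mx.example.net "
    "with ESMTP; Sun, 25 Jun 2006 10:00:02 -0400",
    "from deskpc ([192.168.40.5]) by mail.example.org "
    "with SMTP; Sun, 25 Jun 2006 09:59:58 -0400",
]

# Constructed: a desktop client submitting through an internal relay.
INTERNAL_CHAIN = [
    "from relay.example.net (relay.example.net [192.0.2.70]) "
    "by mx.example.net with ESMTP; Mon, 26 Jun 2006 12:42:13 -0400",
    "from deskpc ([192.168.40.23]) by relay.example.net "
    "with ESMTP; Mon, 26 Jun 2006 12:42:11 -0400",
]

if __name__ == "__main__":
    for name, chain in (("forged", FORGED_CHAIN), ("internal", INTERNAL_CHAIN)):
        print(name, trust_path(chain, TRUSTED))
```

In the forged chain a naive scan of every bracketed IP would find 192.168.40.5 and call the message internal; the walk stops at 203.0.113.7 instead and reports the lower header as unverifiable.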
Re: RulesDuJour Summary messages
Tracey Gates wrote:
> I'm getting the following messages from the RulesDuJour run:
>
> RulesDuJour Run Summary on yoursummit.com:
> No index found for ruleset named ARE_BAYES_POISON_NXM. Check that this ruleset is still valid.
> SARE Top 200 spamcop ip addresses Ruleset (automatically generated) has changed on yoursummit.com. Version line: # Modified: 06/23/2006 2:58:27 PM EST
> No index found for ruleset named SARE_URI2. Check that this ruleset is still valid.
>
> How do I check that the ruleset is valid?? I went to rulesemporium and they say that these rules are still active with Auto-Update as yes. What do I need to do to rectify these issues? Thanks!
>
> Tracey Gates
> Lead Developer
> [EMAIL PROTECTED]

You may wish to check again...

a. ARE_BAYES_POISON_NXM? Are you sure it's not SARE_BAYES_POISON_NXM?
b. From SARE rules page: '... add one or more of SARE_URI0, SARE_URI1, SARE_URI3, or SARE_URI_ENG to TRUSTED_RULESETS ...' Where did you get SARE_URI2 from?

HTH
David Filion

--
David Filion
System / Network Administrator
Auto123.com / XPrima Corporation
Re: Will SpamAssassin work with my mail setup?
On Mon, 26 Jun 2006, Terry Wray wrote:
> I checked the FAQ's and the searched the WIKI but couldn't find an answer to this question... My email client (thunderbird) connects directly to my remote POP Mail Server, which is hosted by my ISP. Is there a configuration of SpamAssassin that will work for me?

If you don't have access to the ISP's mail server you have to run it locally. If you're running on Windows a suggestion has already been offered. If you're running on a *nix (probably including OS-X) you can set up local delivery via spamassassin using fetchmail to retrieve your email and delivery via a local SMTP server (e.g. sendmail) or via a delivery agent like procmail. Spamassassin would hook into this using the standard methods (milter, procmail+spamc, etc.)

This might be rather more involved of a project than you're willing to pursue... :)

--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
You are in a maze of twisty little protocols, all written by Microsoft.
RE: outlook email is beeing flag as spam...
> On Monday 26 June 2006 22:17, Screaming Eagle took the opportunity to write:
> > header info:
> > Date: Mon, 26 Jun 2006 12:42:00 -0400
> > X-Spam-Virus: No
> > X-Spam-Flag: YES
> > X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on ...
> > X-Spam-Level: ***
> > X-Spam-Status: Yes, score=7.6 required=7.0 tests=ALL_TRUSTED,BAYES_50,
> >     HTML_90_100,HTML_IMAGE_ONLY_28,HTML_MESSAGE,MSGID_DOLLARS,
> >     RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME autolearn=no version=3.1.3
>
> All of them, please. You've already posted the rules hit; those lines don't add any information.

Message-ID:? Received:? This can't be all the headers...

Bret
RE: RulesDuJour Summary messages
Well that's just it. I don't know where it's getting these. I don't have SARE_URI2 in my rules_du_jour file to update. The listing for the ARE_BAYES_POISON_NXM is listed as SARE_BAYES_POISON_NXM. I can't seem to find a file that contains the URI2 that is not commented out and the POISON spelled wrong. What file could these be in for me to correct these issues?

Tracey Gates
Lead Developer
[EMAIL PROTECTED]
1350 South Boulder, Third Floor / Tulsa, OK 74119-3203
Phone 918-663-0991 / Fax 918-663-0840

This communication is intended only for the recipient(s) named above; may be confidential and/or legally privileged; and, must be treated as such in accordance with state and federal laws. If you are not the intended recipient, you are hereby notified that any use of this communication, or any of its contents, is prohibited. If you have received this communication in error, please reply to the sender and then delete the message from your computer system immediately.

-Original Message-
From: David Filion [mailto:[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 3:55 PM
To: users@spamassassin.apache.org
Subject: Re: RulesDuJour Summary messages

Tracey Gates wrote:
> I'm getting the following messages from the RulesDuJour run:
>
> RulesDuJour Run Summary on yoursummit.com:
> No index found for ruleset named ARE_BAYES_POISON_NXM. Check that this ruleset is still valid.
> SARE Top 200 spamcop ip addresses Ruleset (automatically generated) has changed on yoursummit.com. Version line: # Modified: 06/23/2006 2:58:27 PM EST
> No index found for ruleset named SARE_URI2. Check that this ruleset is still valid.
>
> How do I check that the ruleset is valid?? I went to rulesemporium and they say that these rules are still active with Auto-Update as yes. What do I need to do to rectify these issues? Thanks!
>
> Tracey Gates
> Lead Developer
> [EMAIL PROTECTED]

You may wish to check again...

a. ARE_BAYES_POISON_NXM? Are you sure it's not SARE_BAYES_POISON_NXM?
b. From SARE rules page: '... add one or more of SARE_URI0, SARE_URI1, SARE_URI3, or SARE_URI_ENG to TRUSTED_RULESETS ...' Where did you get SARE_URI2 from?

HTH
David Filion

--
David Filion
System / Network Administrator
Auto123.com / XPrima Corporation
RE: RulesDuJour Summary messages
On Monday June 26 2006 5:17 pm, you wrote:
> Tracey Gates wrote ..
> Well that's just it. I don't know where it's getting these. I don't have SARE_URI2 in my rules_du_jour file to update. The listing for the ARE_BAYES_POISON_NXM is listed as SARE_BAYES_POISON_NXM. I can't seem to find a file that contains the URI2 that is not commented out and the POISON spelled wrong. What file could these be in for me to correct these issues?
>
> Tracey Gates
> Lead Developer
> [EMAIL PROTECTED]

/etc/rulesdujour/config?

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: outlook email is beeing flag as spam...
here u go, hope this shed some lights...:

Received: from deskandys (192-168-240-205. [192.168.240.205]) by smtpserver. (8.11.6/8.11.6) with ESMTP id k5QGgDN01015; Mon, 26 Jun 2006 12:42:13 -0400
Date: Mon, 26 Jun 2006 12:42:00 -0400
...
Message-Id: [EMAIL PROTECTED]
X-Spam-Virus: No
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on smtpserver.
X-Spam-Level: ***
X-Spam-Status: Yes, score=7.6 required=7.0 tests=ALL_TRUSTED,BAYES_50,
    HTML_90_100,HTML_IMAGE_ONLY_28,HTML_MESSAGE,MSGID_DOLLARS,
    RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME autolearn=no version=3.1.3
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--=_44A00E6A.133D516C
Status: RO
Content-Length: 13240
Lines: 318

This is a multi-part message in MIME format.

=_44A00E6A.133D516C
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
RE: Postfix content filter/milter
-Original Message-
From: Justin Cook [mailto:[EMAIL PROTECTED]
Sent: Monday, June 26, 2006 10:02 AM
To: users@spamassassin.apache.org
Subject: Postfix content filter/milter

> Are there any postfix users out there who can recommend a way to delete mail based on spamassassin results? Specifically I need to know how to use a content filter or milter, and which one to use. Cheers!

- The simple way...

If you are running postfix at the server, you can use HEADER_CHECKS. HEADER_CHECKS runs *after* Spamassassin, so it can detect spam points added by SA in the header. So, let's say you wanted to redirect anything with 15 points or more to a certain email address, or even just delete it at the server... you could do it with HEADER_CHECKS rules.

Do a search in a search engine to find the syntax.
http://search.msn.com/results.aspx?q=HEADER_CHECKS+spam-levelFORM=QBRE3
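A simplified Python model of the header-based filtering described above, as an added example (not Postfix or SpamAssassin code and not from the original post). It assumes the message already carries SpamAssassin's X-Spam-* headers when the checks run; the thresholds, the quarantine address and the sample headers are constructed, and the two table lines in the comment show how the same patterns would look in a Postfix regexp table.

```python
import re


def unfold(raw_headers):
    """Join folded continuation lines into logical headers.

    Matching is done on the whole logical header, so a folded
    X-Spam-Status line is seen as one string. Stops at the blank line
    that ends the header section.
    """
    logical = []
    for line in raw_headers.splitlines():
        if not line:
            break
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical


# Model of a header_checks regexp table. Equivalent table lines:
#   /^X-Spam-Level: \*{15,}/  DISCARD
#   /^X-Spam-Level: \*{7,}/   REDIRECT quarantine@example.net
# Order matters: for each header the first matching pattern wins, so the
# stricter threshold has to come first.
RULES = [
    (re.compile(r"^X-Spam-Level: \*{15,}", re.I), "DISCARD"),
    (re.compile(r"^X-Spam-Level: \*{7,}", re.I),
     "REDIRECT quarantine@example.net"),
]


def header_checks_action(raw_headers, rules=RULES):
    """Return the action of the first rule that matches any header."""
    for header in unfold(raw_headers):
        for pattern, action in rules:
            if pattern.search(header):
                return action
    return None


_STATUS = re.compile(
    r"^X-Spam-Status: (Yes|No), score=(-?\d+(?:\.\d+)?) "
    r"required=(-?\d+(?:\.\d+)?) tests=(.*?)(?: autolearn=|$)"
)


def parse_spam_status(raw_headers):
    """Extract verdict, score, threshold and rule names from X-Spam-Status."""
    for header in unfold(raw_headers):
        match = _STATUS.search(header)
        if match:
            tests = [t.strip() for t in match.group(4).split(",") if t.strip()]
            return {
                "is_spam": match.group(1) == "Yes",
                "score": float(match.group(2)),
                "required": float(match.group(3)),
                "tests": tests,
            }
    return None


def sample_headers(score, required=7.0):
    """Constructed header block shaped like the X-Spam-* headers in this thread."""
    is_spam = score >= required
    return (
        "Received: from client ([192.0.2.10]) by mx.example.net; "
        "Mon, 26 Jun 2006 12:42:13 -0400\n"
        "X-Spam-Flag: %s\n"
        "X-Spam-Level: %s\n"
        "X-Spam-Status: %s, score=%.1f required=%.1f "
        "tests=ALL_TRUSTED,BAYES_50,\n"
        "\tHTML_MESSAGE,RATWARE_OUTLOOK_NONAME\n"
        "\tautolearn=no version=3.1.3\n"
        "Subject: constructed sample\n"
        "\n"
        "body\n"
    ) % ("YES" if is_spam else "NO", "*" * max(int(score), 0),
         "Yes" if is_spam else "No", score, required)


if __name__ == "__main__":
    for score in (0.3, 7.6, 16.2):
        headers = sample_headers(score)
        print(score, header_checks_action(headers), parse_spam_status(headers))
```

Listing the 7-star pattern first would redirect even a 16-star message, because the first match ends the search for that header.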
RE: outlook email is beeing flag as spam...
> -1.8 ALL_TRUSTED             Passed through trusted hosts only via SMTP
> -0.2 BAYES_40                BODY: Bayesian spam probability is 20 to 40% [score: 0.3371]
>  0.1 HTML_90_100             BODY: Message is 90% to 100% HTML
>  1.8 HTML_IMAGE_ONLY_24      BODY: HTML: images with 2000-2400 bytes of words
>  1.0 HTML_MESSAGE            BODY: HTML included in message
>  1.7 MSGID_DOLLARS           Message-Id has pattern used in spam
>  1.9 RATWARE_MS_HASH         Bulk email fingerprint (msgid ms hash) found
>  2.8 RATWARE_OUTLOOK_NONAME  Bulk email fingerprint (Outlook no name) found

FWIW, I just sent myself a test message using Outlook and these are the only rules that fired:

-1.8 ALL_TRUSTED
-2.6 BAYES_00
-0.0 AWL

I'm using Outlook 2003 (11.8010.6568) SP2 and SA 3.1.0.
Re: waiting
If no one's answered you, posting that you are waiting is likely to piss people off to where you'll be ignored and / or put in people's kill file, especially not 5 hours after your initial post. Have patience. No one here is 'paid' to answer you, so any help you get is out of the goodness of people's hearts.

However I can suggest you provide as much information as possible. Suggestions would be any specifics, i.e. what version you upgraded to, how spamassassin is called, the o/s it's running on, etc, and why there is a doubt - ie you state you upgraded, hence you were previously using it. So why the doubt?

On Mon, June 26, 2006 5:11 pm, Mauro Leite wrote:
> -- Forwarded message --
> From: Mauro Leite [EMAIL PROTECTED]
> Date: 26/06/2006 15:50
> Subject: how can I test
> To: users@spamassassin.apache.org
>
> I've upgraded my SA and there is a doubt. How can I test this software before I put my computer to work on the net? Sorry for my English, I'm a Brazilian user. Thanks
Re: setting up trusted_networks ....
Screaming Eagle wrote: All, I have searched the wiki for trusted_networks, but I am not getting results back. Is the syntax space delimited, like if I wanted 3 address ranges I could do this: 192.168.40. 10.10.30 network ip/255.255.255.192 Would the above work? Thanks. Try the Mail::SpamAssassin::Conf manpage instead of the wiki: http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Conf.html#network_test_options
Re: Start it up
just a quick note of good news. It seems something is changing in the behavior of procmail/spamassassin on the server for me.. Here is what I did over the last 5 days as a user, no admin privs... in $HOME/.spamassassin -rm'd a lock file on the autowhitelist from 30 days ago -cleared auto-whitelist.dir, auto-whitelist.pag (right or wrong, I did it, emptied, not rm) - exported and reimported the bayes DB via db_load erased the 700mb+ /var/mail/userxxx file (all mail) cleared the procmail log (which was also huge, yrs), manually called spamassassin programmatically a bunch of times, sometimes in debug mode, and with lint, then, added whitelist to/from to my user_prefs, along with a couple of minor user_prefs tweaks. Now, (it seems, cross fingers) magically the /var/mail/userxxx file is being kept small by something. The rates of spamassassin marked headers getting to my desktop client are much, much higher. I can't say how often SA was being called previously, but it seemed negligible. And my user_prefs changes are being reflected in the SA tests. Solaris / SunOS 5.8 Spam assassin 2.6 was getting 8000+ msgs a day through to me. We shall see what the new rates are, but it looks a _lot_ better. thanks to Stuart for a couple of thoughts in my dire predicament hth signing off -Brian
Re: Postfix content filter/milter
Thanks Greg! That was by far the easiest solution, although I'm looking into clam-av and amavisd-new as well, so thanks to you other guys too! Greg Allen wrote: -Original Message- From: Justin Cook [mailto:[EMAIL PROTECTED]] Sent: Monday, June 26, 2006 10:02 AM To: users@spamassassin.apache.org Subject: Postfix content filter/milter Are there any postfix users out there who can recommend a way to delete mail based on spamassassin results? Specifically I need to know how to use a content filter or milter, and which one to use. Cheers! - The simple way... If you are running postfix at the server, you can use HEADER_CHECKS. HEADER_CHECKS runs *after* Spamassassin, so it can detect spam points added by SA in the header. So, let's say you wanted to redirect anything with 15 points or more to a certain email address, or even just delete it at the server... you could do it with HEADER_CHECKS rules. Do a search in a search engine to find the syntax. http://search.msn.com/results.aspx?q=HEADER_CHECKS+spam-levelFORM=QBRE3
RE: Postfix content filter/milter
-Original Message- From: Justin Cook [mailto:[EMAIL PROTECTED] Sent: Monday, June 26, 2006 9:07 PM To: Greg Allen Cc: users@spamassassin.apache.org Subject: Re: Postfix content filter/milter Thanks Greg! That was by far the easiest solution, although I'm looking into clam-av and amavisd-new as well, so thanks to you other guys too! Well, if you like the easy way, you can also do this. http://wiki.apache.org/spamassassin/ClamAVPlugin ;-) That is what I do. It will save you from having to learn amavisd-new (or another milter) and having to install and upkeep amavisd-new (or another milter). Unless there is something specific in amavisd-new that you really need, there is not much reason to use it just for Spamassassin IMO.
Re: Will SpamAssassin work with my mail setup?
From: Terry Wray [EMAIL PROTECTED] I checked the FAQs and searched the wiki but couldn't find an answer to this question... My email client (thunderbird) connects directly to my remote POP Mail Server, which is hosted by my ISP. Is there a configuration of SpamAssassin that will work for me? Modulo the flexibility of Thunderbird you should be able to. I do something akin to this with Outlook Express. I use fetchmail to get mail from the ISP. I feed that through procmail as the MDA. Procmail calls spamc-spamd for the filtering. It also does some prefiltering before I get to SpamAssassin. {^_^}
Re: [dns-operations] negative caching of throwaway spam domains
I wonder if it is pure coincidence or not - There seems to have been an upswing in the use of 0-day domains today (which don't get caught by DOB - e.g. stedatlan.com-M olpartmen.com-M in the past hour). But we still have the various BLs, so these are still high scoring spams:-) Oh well, if spammers lose the use of their new domains for most of the first week, some good has still been done. Paul Shupak [EMAIL PROTECTED]
Re: Why do Spambot HELO Signatures appear to be random characters?
BTW, notice that the HELO signatures have an identifying characteristic: randomness http://policyd.sf.net/ find # HELO Randomization Prevention (HRP) in the readme Could we use the HELO randomness to identify the source as a Spambot? postfix can reject it without any patches to it