AW: Network tests slowing down spamassassin

2006-07-14 Thread Stefan Klewer



Ramprasad wrote:
> Hi,
>   SA works fine for the quite large setup that we have (we get up to
> 200k mails an hour at peak times).
>   But I notice it is too network dependent. A little problem with the
> network and all hell breaks loose. Mailq shoots up and SA starts timing
> out.
>  Probably because I have enabled all kinds of BL tests and URI checks.
> But these checks are indispensable; without these SA would have no teeth
> at all.
>
>   So what is the best way to reduce network traffic? We are already
> getting the sbl-xbl lists from spamhaus so as to serve those lists
> locally; can I get any other lists locally? Commercial agreements
> are also OK.
> 

Hi,
I think the best way to reduce the network traffic caused by the network
tests is to do all network tests locally.
We are serving many lists locally, for example spamhaus (commercial
agreement), spamcop (one time fee), njabl, sorbs, cbl.abuseat, dsbl (all
free). We are using rbldnsd to serve all local lists.
You have to create your own DNS zone and adapt your SA config. You will get
faster responses, and the processing time of each message processed by SA
decreases.

Sorry for my bad English.

Stefan



spam with HTTP 503 payload

2006-07-14 Thread Justin Mason
Check this out.  Looks like the spam bots are set up to HTTP GET the
payload html from a "home base" web server -- thereby allowing payload
html to be modified easily as the spam run continues, without having to
mess with the distributed net of zombies.  I think we saw something
similar before.

Only thing is, the spammer forgot to fix the Apache error page to omit the
ServerName -- so we can see that the home base is 66.36.241.158, a machine
on a Washington, DC ISP.

--j.

Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [spamtrap]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost [127.0.0.1]
by radish.jmason.org with IMAP (fetchmail-6.3.2)
for <[EMAIL PROTECTED]> (single-drop); Fri, 14 Jul 2006 03:00:41 +0100 
(IST)
Received: from a-hrq391ahiw2sz (ARennes-252-1-81-136.w86-203.abo.wanadoo.fr 
[86.203.52.136])
by dogma.boxhost.net (Postfix) with SMTP id 04DF53101D8
for <[spamtrap]>; Fri, 14 Jul 2006 02:51:24 +0100 (IST)
Message-Id: <[EMAIL PROTECTED]>
Date: Fri, 14 Jul 2006 02:51:24 +0100 (IST)
From: [EMAIL PROTECTED]
To: undisclosed-recipients:;
X-IMAPbase: 1075077319 230635
Status: O
X-UID: 230635
X-Keywords: 
   



503 Service Temporarily Unavailable

Service Temporarily Unavailable
The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.

Apache/2.0.53 (Fedora) Server at 66.36.241.158 Port 80
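
A detector for this kind of failed spam run, added here as an example and not part of the original post: it flags a mail body that is really a web server error page and extracts the host named in the Apache signature line. The function name and the HTML sample are assumptions; the text sample is the body quoted above.

```python
import ipaddress
import re

# Body text as it appears in the spam quoted above (HTML already stripped).
SAMPLE_BODY = """\
503 Service Temporarily Unavailable

Service Temporarily Unavailable
The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.

Apache/2.0.53 (Fedora) Server at 66.36.241.158 Port 80
"""

# Constructed HTML form of the same page, as a raw message part might carry it.
SAMPLE_HTML = (
    "<html><head><title>503 Service Temporarily Unavailable</title></head>"
    "<body><h1>Service Temporarily Unavailable</h1><hr>"
    "<address>Apache/2.0.53 (Fedora) Server at 66.36.241.158 Port 80</address>"
    "</body></html>"
)

TAG = re.compile(r"<[^>]+>")
# A line consisting only of a 4xx/5xx status code and its reason phrase.
STATUS = re.compile(r"^[ \t]*([45]\d\d) ([A-Z][A-Za-z ]+?)[ \t]*$", re.M)
# The footer Apache appends to its error pages: "<server> Server at <host> Port <n>".
SIGNATURE = re.compile(
    r"^[ \t]*(Apache\S*(?: \([^)]*\))?) Server at (\S+) Port (\d{1,5})[ \t]*$",
    re.M,
)


def find_error_page(body):
    """Return details of a web server error page found in a mail body, or None."""
    text = TAG.sub("\n", body)  # put the content of each HTML element on its own line
    status = STATUS.search(text)
    sig = SIGNATURE.search(text)
    if not (status and sig):
        return None  # both markers are required, to avoid flagging ordinary mail
    host = sig.group(2)
    try:
        ipaddress.ip_address(host)
        host_kind = "ip"
    except ValueError:
        host_kind = "name"
    return {
        "status": int(status.group(1)),
        "reason": status.group(2),
        "server": sig.group(1),
        "host": host,
        "host_kind": host_kind,
        "port": int(sig.group(3)),
    }


if __name__ == "__main__":
    print(find_error_page(SAMPLE_BODY))
    print(find_error_page("Hello,\nyour order 503 shipped.\n"))
```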





Re: AW: Network tests slowing down spamassassin

2006-07-14 Thread Ramprasad

> Hi,
> i think the best way to reduce the network traffic regarding to the network
> test is to do all network test locally.
> we are serving many list locally. For example spamhaus (commercial
> agreement),spamcop (one time fee), njabl, sorbs , cbl.abuseat, dsbl (all
> free).  We are using a rbldnsd to serve all local lists. 

Thanks for the info.
We are already using local lists from spamhaus. spamcop at $1000 / year is
unreasonable; I will try njabl, cdbl and DSBL. Can you tell me where I can
get lists from SORBS? I couldn't get anything on their site.


Thanks
Ram



debugging dnsbl issues

2006-07-14 Thread Ben Wylie

I am running SpamAssassin 3.1.2 on Windows 2003.
I use DNSBL and URIBL, but have found that I have not been getting many
hits on the DNSBLs, whereas the URIBLs do very well.

I decided that I would set up a local caching DNS server (TreeWalk) to
see if this would speed things up a bit and I tend to get 5 or more of
the same spam coming to different users on my server. I can then cache
the DNS lookups for the first one and it will speed up the next 5 lookups.

This morning I was monitoring my DNS lookups to see that it is all
working OK, and I noticed that several emails came in from the same IP
address and that the DNS server had cached the responses and so didn't
need to look them up again. However these emails did not hit any of the
DNSBL rules. I then tested by hand the IP address at
http://www.robtex.com/rbls/81.203.0.80.html
and found that it was listed on a few of the block lists that I use.

Here are some of the headers of that email:

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.2 (2006-05-25) on server
X-Spam-Report:
*  3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP
*  addr 2)
*  1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:..type= entry
*  2.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
*  1.1 HTML_IMAGE_ONLY_32 BODY:HTML:images with 2800-3200 bytes of words
*  2.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
*  [score: 0.8432]
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
*  1.0 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
*  [URIs: callow*MUNGE*wast.com]
*  3.8 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
*  [URIs: callow*MUNGE*wast.com]
*  2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*  [URIs: callow*MUNGE*wast.com]
*  2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
*  [URIs: callow*MUNGE*wast.com]
*  3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
*  [URIs: callow*MUNGE*wast.com]
*  4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
*  [URIs: callow*MUNGE*wast.com]
Received: from  [127.0.0.1] by mydomain.co.uk with SMTP (HELO server.)
  (ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.8.7));
Thu, 13 Jul 2006 11:00:58 +0100
Received: from 81-203-0-80.user.ono.com ([81.203.0.80])
 by server. (NAVGW 2.5.2.12) with SMTP id M2006071311005429502
 for <[EMAIL PROTECTED]>; Thu, 13 Jul 2006 11:00:54 +0100

in the spamassassin debug log it says:

dbg: dns: launching DNS A query for 80.0.203.81.sbl-xbl.spamhaus.org.
dbg: dns: launching DNS A query for 80.0.203.81.sa-accredit.habeas.com.
dbg: dns: launching DNS A query for 80.0.203.81.combined.njabl.org.
dbg: dns: launching DNS A query for 80.0.203.81.bl.csma.biz.
dbg: dns: launching DNS A query for
80.0.203.81.combined-HIB.dnsiplists.completewhois.com.
dbg: dns: launching DNS TXT query for 80.0.203.81.list.dsbl.org.
dbg: dns: launching DNS TXT query for 80.0.203.81.bl.spamcop.net.
dbg: dns: launching DNS TXT query for
80.0.203.81.sa-trusted.bondedsender.org.
dbg: dns: launching DNS A query for 80.0.203.81.sbl.csma.biz.
dbg: dns: launching DNS A query for 80.0.203.81.dnsbl.sorbs.net.
dbg: dns: launching DNS A query for 80.0.203.81.iadb.isipp.com.
dbg: dns: success for 11 of 11 queries

So it says it has successfully queried all of these and yet it didn't
have one positive.
I know it should have hit at least:
sbl-xbl.spamhaus.org
dnsbl.sorbs.net
bl.spamcop.net
list.dsbl.org
and probably others as well.

How can I debug why this is not hitting correctly?
Why don't DNSBL check results show up in the debug log like the URIBL
ones, e.g.:
uridnsbl: domain "callow*MUNGE*wast.com" listed (URIBL_AB_SURBL): 
127.0.0.118


And in fact, why don't the URIBL timeout lines tell you which ones have
timed out? Instead they just say:
[696] dbg: uridnsbl: done waiting for URIDNSBL lookups to complete
[696] dbg: uridnsbl: aborting remaining lookups

Whereas the DNSBL lookups, when they time out, helpfully say:
[696] dbg: dns: timeout for spamcop after 13 seconds

How do I change the timeout time for DNSBL lookups and URIBL lookups?

In recent emails I have only found it to have hit when the DNS lookups
HAVE timed out:


[696] dbg: dns: launching DNS A query for
253.226.197.221.sbl-xbl.spamhaus.org. in background
[696] dbg: dns: launching DNS A query for
253.226.197.221.sa-accredit.habeas.com. in background
[696] dbg: dns: launching DNS A query for
253.226.197.221.combined.njabl.org. in background
[696] dbg: dns: launching DNS A query for
253.226.197.221.bl.csma.biz. in background
[696] dbg: dns: launching DNS A query for
253.226.197.221.combined-HIB.dnsiplists.completewhois.com.
in background
[696] dbg: dns: launching DNS TXT query for
253.226.197.221.list.dsbl.org. i
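
A small parser for debug output of this shape, added here as an example (not part of the original post and not SpamAssassin code): it re-joins lines a mail client has wrapped, turns each reversed query name back into the IP and zone, and lists the exact names to repeat by hand against the resolver SpamAssassin uses. The sample log is constructed from the line formats in the post; matching a timeout's rule-set name (e.g. "spamcop") to a zone by substring is an assumption.

```python
import ipaddress
import re

# Constructed sample in the shape of the debug lines in the post, including
# the hard wraps a mail client adds after "query for".
SAMPLE_LOG = """\
dbg: dns: launching DNS A query for 80.0.203.81.sbl-xbl.spamhaus.org.
dbg: dns: launching DNS A query for
80.0.203.81.combined-HIB.dnsiplists.completewhois.com.
dbg: dns: launching DNS TXT query for 80.0.203.81.bl.spamcop.net.
dbg: dns: launching DNS A query for 80.0.203.81.dnsbl.sorbs.net.
dbg: dns: success for 4 of 4 queries
[696] dbg: dns: launching DNS A query for
253.226.197.221.sbl-xbl.spamhaus.org. in background
[696] dbg: dns: launching DNS TXT query for
253.226.197.221.bl.spamcop.net. in background
[696] dbg: dns: timeout for spamcop after 13 seconds
"""

LAUNCH = re.compile(
    r"dbg: dns: launching DNS (?P<rtype>A|TXT) query for "
    r"(?P<rev>\d{1,3}(?:\.\d{1,3}){3})\.(?P<zone>[A-Za-z0-9.-]+?)\.?"
    r"(?: in background)?$"
)
SUCCESS = re.compile(r"dbg: dns: success for (\d+) of (\d+) queries")
TIMEOUT = re.compile(r"dbg: dns: timeout for (\S+) after (\d+) seconds")


def unwrap(text):
    """Re-join wrapped log lines: every real debug line contains 'dbg:'."""
    lines = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if "dbg:" in raw or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw  # continuation of the previous line
    return lines


def analyse(text):
    """Collect launched DNSBL queries, completion counters and timeouts."""
    report = {"queries": [], "success": [], "timeouts": []}
    for line in unwrap(text):
        m = LAUNCH.search(line)
        if m:
            # DNSBL names carry the IPv4 octets reversed: 80.0.203.81 -> 81.203.0.80
            octets = m["rev"].split(".")[::-1]
            try:
                ip = str(ipaddress.IPv4Address(".".join(octets)))
            except ValueError:
                continue  # not a valid IPv4 address, ignore the line
            report["queries"].append({
                "ip": ip, "zone": m["zone"].lower(), "rtype": m["rtype"],
                "name": f"{m['rev']}.{m['zone']}.",
            })
        elif (m := SUCCESS.search(line)):
            report["success"].append((int(m[1]), int(m[2])))
        elif (m := TIMEOUT.search(line)):
            report["timeouts"].append((m[1], int(m[2])))
    return report


def zones_by_ip(report):
    """Map each checked IP to the zones that were queried for it."""
    out = {}
    for q in report["queries"]:
        out.setdefault(q["ip"], []).append(q["zone"])
    return out


def timed_out_zones(report):
    """Heuristic (assumption): match the name in a timeout line to the
    queried zones whose name contains that word."""
    hits = set()
    for name, _secs in report["timeouts"]:
        hits.update(q["zone"] for q in report["queries"] if name.lower() in q["zone"])
    return sorted(hits)


def recheck_list(report):
    """Unique (record type, query name) pairs to repeat by hand, to see the
    actual answer each zone returns for the logged IP."""
    return sorted({(q["rtype"], q["name"]) for q in report["queries"]})


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for ip, zones in zones_by_ip(rep).items():
        print(ip, "->", ", ".join(zones))
    print("completed/launched:", rep["success"])
    print("timed out:", timed_out_zones(rep))
    for rtype, name in recheck_list(rep):
        print(f"re-test: {rtype:4} {name}")
```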

AW: AW: Network tests slowing down spamassassin

2006-07-14 Thread Stefan Klewer
Hi,

First you have to create an account on the SORBS site; after that you are
able to open a ticket regarding an rsync subscription.

Give a short summary of why you want to use the rsync feed from SORBS (millions
of mails per day --> performance etc.) and the IP addresses which initiate the
rsync, and the SORBS admins are going to allow you the rsync.

I hope I can help you.

Stefan

-Original Message-
From: Ramprasad [mailto:[EMAIL PROTECTED]
Sent: Friday, 14 July 2006 11:31
To: Stefan Klewer
Cc: users@spamassassin.apache.org
Subject: Re: AW: Network tests slowing down spamassassin


> Hi,
> i think the best way to reduce the network traffic regarding to the
> network test is to do all network test locally.
> we are serving many list locally. For example spamhaus (commercial
> agreement),spamcop (one time fee), njabl, sorbs , cbl.abuseat, dsbl (all
> free).  We are using a rbldnsd to serve all local lists.

Thanks for the info.
We are already using local lists from spamhaus. spamcop at $1000 / year is
unreasonable; I will try njabl, cdbl and DSBL. Can you tell me where I can
get lists from SORBS? I couldn't get anything on their site.


Thanks
Ram



RE: The best way to use Spamassassin is to not use Spamassassin

2006-07-14 Thread Michael Scheidell

> -Original Message-
> From: John D. Hardin [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, July 13, 2006 7:14 PM
> To: SpamAssassin Users List
> Subject: RE: The best way to use Spamassassin is to not use 
> Spamassassin
> 
> 
> 
> > From: John D. Hardin [mailto:[EMAIL PROTECTED]
> 
> ...ewww! His leg came right off. *pop*.
> 
> Now what do I do with it?

You CAN'T point it at an rfc1918 address (10/8 127/8, 192.168/16,
172.16/21) or you will end up in the bogusmx blacklist.

You could point it at an unused IP address in your netblock.
Legit email will time out, then retry the primary (for hours or days)
till the primary is up.
Spambots will give up.

Some ideas include your router (that should NOT have port 25 open!).



Re: Image only spam

2006-07-14 Thread Steven Stern
Jack Gostl wrote:
>  
> - Original Message -
> *From:* Steven Stern 
> *Cc:* Spamass 
> *Sent:* Thursday, July 13, 2006 6:52 PM
> *Subject:* Re: Image only spam
> 
> Jack Gostl wrote:
>>
>> - Original Message - From: "Steven Stern"
>> <[EMAIL PROTECTED] >
>> To: "Spamass"  >
>> Sent: Wednesday, July 12, 2006 4:31 PM
>> Subject: Re: Image only spam
>>
>>
>>> Jack Gostl wrote:
>>>> Thanks for the response.
>>>>
>>>> Take it slow with me, spamassassin has been running so well for so
>>>> long that I haven't had to fiddle with it in ages and I don't
>>>> remember the details. Do I add these rules to my user_prefs? Or to my
>>>> /etc/mail/local.cf files?
>>>>
>>>> - Original Message - From: "Steven Stern"
>>>> <[EMAIL PROTECTED] >
>>>> To: "Spamass"  >
>>>> Sent: Wednesday, July 12, 2006 9:13 AM
>>>> Subject: Re: Image only spam
>>>>
>>>>
>>>>> Jack Gostl wrote:
>>>>>> I'm running SpamAssassin version 3.0.3   running on Perl version 5.8.2
>>>>>> under AIX 5.3. Starting a few months ago, I have been absolutely
>>>>>> inundated with "image only spam".  I've gone from catching 99% of the
>>>>>> spam with almost no false positives to less than 85%. I asked about
>>>>>> this
>>>>>> awhile ago, and tried to upgrade to SpamAssassin version 3.1.1 running
>>>>>> on Perl version 5.8.0, and didn't see much improvement, so I left the
>>>>>> prod machine alone.
>>>>>>
>>>>>> I'm sure I'm not the only one with this problem. Has anyone had any
>>>>>> success with it?
>>>>>>
>>>>>> Thanks...
>>>>>>
>>>>>> Jack
>>>>>>
>>>>>
>>>>> Are you using the SARE_STOCK rules from RulesDuJour at
>>>>> rulesemporium.com?  We catch more than 99% of the image only stuff with
>>>>> the standard RBLs and 70_sare_stock.cf.
>>>>>
>>>>> In case  you ask, these are the SARE rules we're using:
>>>>>
>>>>> TRUSTED_RULESETS="SARE_GENLSUBJ0 SARE_OBFU SARE_REDIRECT_POST300
>>>>> SARE_ADULT SARE_HEADER0 SARE_CODING SARE_SPECIFIC SARE_SPOOF SARE_FRAUD
>>>>> SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_URI0 SARE_OEM SARE_STOCKS";
>>>>>
>>>>> --
>>>>>
>>>>>  Steve
>>>>
>>> Hop over to the Rules Emporium (http://rulesemporium.com) and read
>>> about RulesDuJour.  Install that and set up cron job to look for
>>> updates once a day.  That's about it.  It's about 30 minutes of think
>>> work up front to understand the documentation and install it. After
>>> that, set it and forget it.
>>>
>>> http://www.exit0.us/index.php?pagename=RulesDuJour
>>>
>>> I think you'll be happy with the trusted ruleset line above.
>>
>> wanted to tell you how this all turned out.
>>
>> I installed the new rules, incorrectly as Dimitri observed, and then
>> restarted spamassassin. (spamd actually). The spam capture rate has
>> zoomed from 85% into the high 90s. Looking back I see that we replaced
>> our processor about a year ago, and have been exceptionally stable since
>> then. We haven't IPLed in almost a year, which also means that
>> spamassassin probably hasn't been started in almost as long.
>>
>> Obviously the new rules weren't the reason for the improvement, since
>> they were installed wrong. So it must have been the restart. This makes
>> me wonder, was it a "corruption", or is there a cumulative effect. I
>> wonder if anyone has any thoughts on that.
>>
>>
> 
>> I have a cron job scheduled for every Sunday
>>
>  > sa-update && spamassassin --lint && /etc/init.d/spamassassin restart
>>
>> This will pick up updates to the basic SA rules if they update them.
> Is sa-update a script you wrote? And why run the --lint on a regular basis?
>  

sa-update is part of the SpamAssassin 3.1 package.  See "man sa-update".

The string of commands executes sa-update. If it returns a non-error
result, indicating it downloaded something, then the new rules are
linted.  I do this to make sure that there's nothing broken in any of
the dozens of rules in my ruleset. If the ruleset is OK, then
spamassassin is restarted to pick up the new rules from sa-update.
-- 

  Steve


Re: AW: AW: Network tests slowing down spamassassin

2006-07-14 Thread Rob McEwen (PowerView Systems)
Speaking of network tests...

Other than "traditional" IP-address-based RBL lookups, SURBL/URIBL lookups, and 
network traffic for Razor, DCC, etc... is there anything ELSE for which a test 
requires network traffic which depends on someone else's remote server that 
still runs even if/when SURBL/URIBL, Razor/DCC, and RBL lookups are ALL turned 
off?

(for example, suppose that if ALL of these I mentioned above are turned off, "No 
rDNS" is still tested for. If so, then "No rDNS" would be an example of what 
should be on the list that answers my question.)

Thanks!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: Image only spam

2006-07-14 Thread Jack Gostl

Converting to 3.1 is beginning to look better and better.

Thanks



RE: The best way to use Spamassassin is to not use Spamassassin

2006-07-14 Thread John D. Hardin
On Fri, 14 Jul 2006, Michael Scheidell wrote:

> From: John D. Hardin [mailto:[EMAIL PROTECTED]
> > 
> > ...ewww! His leg came right off. *pop*.
> > 
> > Now what do I do with it?
> 
> You CAN'T point it at an rfc1918 address (10/8 127/8, 192.168/16,
> 172.16/21) or you will end up in the bogusmx blacklist.

Okay, that's useful information, but that's not what I was suggesting
(with my tongue firmly in my cheek):

;; QUESTION SECTION:
;maila.microsoft.com.   IN  A

;; ANSWER SECTION:
maila.microsoft.com.    3   IN  A   131.107.1.7
maila.microsoft.com.    3   IN  A   131.107.1.6

Those aren't RFC1918 addresses, or MS would never be able to receive
mail via them.

The humor value of that was obviously way too low, I'm giving up.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Windows and its users got mentioned at home today, after my wife the
 psych major brought up Seligman's theory of "learned helplessness."
-- Dan Birchall in a.s.r
--
 10 days until The 37th anniversary of Apollo 11 landing on the Moon



Re: The best way to use Spamassassin is to not use Spamassassin

2006-07-14 Thread Michael Scheidell




John D. Hardin wrote:
> On Fri, 14 Jul 2006, Michael Scheidell wrote:
>
>> From: John D. Hardin [mailto:[EMAIL PROTECTED]]
>>
>>> ...ewww! His leg came right off. *pop*.
>>>
>>> Now what do I do with it?
>>
>> You CAN'T point it at an rfc1918 address (10/8 127/8, 192.168/16,
>> 172.16/21) or you will end up in the bogusmx blacklist.
>
> Okay, that's useful information, but that's not what I was suggesting
> (with my tongue firmly in my cheek):
>
> ;; QUESTION SECTION:
> ;maila.microsoft.com.   IN  A
>
> ;; ANSWER SECTION:
> maila.microsoft.com.    3   IN  A   131.107.1.7
> maila.microsoft.com.    3   IN  A   131.107.1.6
>
> Those aren't RFC1918 addresses, or MS would never be able to receive
> mail via them.

but if YOU point YOUR secondary MX records to mail1.microsoft.com, YOU
WILL LOSE EMAIL, not just spam.

it will be bounced, with a 5xx error (unknown user, unable to relay),
the sending server won't retry it.

> The humor value of that was obviously way too low, I'm giving up.
>
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>  Windows and its users got mentioned at home today, after my wife the
>  psych major brought up Seligman's theory of "learned helplessness."
>         -- Dan Birchall in a.s.r
> --
>  10 days until The 37th anniversary of Apollo 11 landing on the Moon


-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
[EMAIL PROTECTED]  / 1+561-999-5000, x 1131





bypass spam checking outgoing email

2006-07-14 Thread Oenus Tech Services
Hi there!

We have a server running postfix + amavisd-new with spamassassin 3.1
(SuSE 10.1). We are very happy with the spam filtering capabilities of
spamassassin, but we would like to disable checking against sbl, xbl
lists (any kind of lists actually that check IPs) for all outgoing
email, since sometimes our users might be in a public place (i.e.
internet cafe, public hotspot), and their IP might be in a CBL list,
thus preventing them from sending emails with this configuration.

Is it possible to disable these rules only for outgoing email?

TIA

Ignacio



Re: White List and Yellow List DNS Servers - Proposal

2006-07-14 Thread Rob McEwen (PowerView Systems)
Marc,

I've developed a system similar to what you've described. For example, I do my 
own RBL lookups and reject messages which score above a certain number without 
doing additional spam filtering (and I've custom weighted various RBLs). This 
could be considered similar to your own "blacklist".

I also have a whitelist like yours... except that I "surgically" apply my 
IP-based whitelist ONLY towards not doing RBL lookups on the sending server IP 
addresses for such messages... but continue to do ALL OTHER spam filtering on 
such messages. (I also apply less spam filtering to authenticated users' 
messages.)

But while I see the value of your blacklist and your yellowlist, it seems to me 
that taking an IP-based whitelist and using it to bypass ALL filtering is like 
writing a "blank check". It seems like either (1) you might be taking too many 
risks and/or (2) in order to prevent taking such risks, you'd have to make this 
whitelist so small percentage-wise that you might as well go ahead and use SA to 
test all messages not caught by your IP-based blacklist.

Make sense?

Your thoughts?

(specifically, can you give examples where you feel VERY assured that you'd 
NEVER see spam from that remote IP address)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



question about SpamAssassin

2006-07-14 Thread Nathalie Forster



Hi there,
 
We use an MTA package called Extremail (http://www.extremail.com) and I was 
wondering if SpamAssassin is compatible with it.
 
Thanks,
 
Nathalie


Re: The best way to use Spamassassin is to not use Spamassassin

2006-07-14 Thread John D. Hardin
On Fri, 14 Jul 2006, Michael Scheidell wrote:

> John D. Hardin wrote:
> > On Fri, 14 Jul 2006, Michael Scheidell wrote:
> >   
> >> From: John D. Hardin [mailto:[EMAIL PROTECTED]
> >> 
> >>> ...ewww! His leg came right off. *pop*.
> >>>
> >>> Now what do I do with it?
> >>>   
> >> You CAN'T point it at an rfc1918 address (10/8 127/8, 192.168/16,
> >> 172.16/21) or you will end up in the bogusmx blacklist.
> >> 
> >
> > Okay, that's useful information, but that's not what I was suggesting
> > (with my tongue firmly in my cheek):
> >
> > ;; QUESTION SECTION:
> > ;maila.microsoft.com.   IN  A
> >
> > ;; ANSWER SECTION:
> > maila.microsoft.com.3   IN  A   131.107.1.7
> > maila.microsoft.com.3   IN  A   131.107.1.6
> >
> > Those aren't RFC1918 addresses, or MS would never be able to receive
> > mail via them.
>
> but if YOU point YOUR secondary MX records to mail1.microsoft.com, YOU 
> WILL LOSE EMAIL, not just spam.
> 
> it will be bounced, with a 5xx error (unknown user, unable to relay), 
> the sending server won't retry it.
> 
> > The humor value of that was obviously way too low, I'm giving up.

Michael:

*It was a joke*. Thanks for the UI, but I would never seriously
suggest anyone set any of their MX records to point at *someone
else's* mail server, and I would pity anyone who took such a
suggestion seriously.

'course, they might learn something (the hard way) from doing that...

You need to take some time off from work and recalibrate your humor
detector.

Guten tag.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Windows and its users got mentioned at home today, after my wife the
 psych major brought up Seligman's theory of "learned helplessness."
-- Dan Birchall in a.s.r
--
 10 days until The 37th anniversary of Apollo 11 landing on the Moon



Re: The best way to use Spamassassin is to not use Spamassassin

2006-07-14 Thread Michael Scheidell


Guess too much time in Miami and the Cuba Coffee.. ;-)

By the way, watch out for jokes, they can get archived in google, and 4 
years from now, someone will try to stop spam, find your post and 
implement it.


don't think so? I set up a 'joke' RBL, announced it AS a joke, told 
everyone it listed all of ipv4 with a wildcard entry, and 3 years later, 
I still get calls from 'lawyers' .


google for 'blocked.secnap.net' and see what I mean.
(it even got into several of the anti-spam perl .pm files!!!)


--
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
[EMAIL PROTECTED]  / 1+561-999-5000, x 1131



Re: The best way to use Spamassassin is to not use Spamassassin

2006-07-14 Thread John D. Hardin
On Fri, 14 Jul 2006, Michael Scheidell wrote:

> Guess too much time in Miami and the Cuba Coffee.. ;-)

*envy*

> By the way, watch out for jokes, they can get archived in google,
> and 4 years from now, someone will try to stop spam, find your
> post and implement it.

Ja. Oh, well.
 
> don't think so? I set up a 'joke' RBL, announced it AS a joke,
> told everyone it listed all of ipv4 with a wildcard entry, and 3
> years later, I still get calls from 'lawyers' .
>
> google for 'blocked.secnap.net' and see what I mean.
> (it even got into several of the anti-spam perl .pm files!!!)

Goodness.

I bow to my master...

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Windows and its users got mentioned at home today, after my wife the
 psych major brought up Seligman's theory of "learned helplessness."
-- Dan Birchall in a.s.r
--
 10 days until The 37th anniversary of Apollo 11 landing on the Moon



Re: bypass spam checking outgoing email

2006-07-14 Thread Faisal N Jawdat

On Jul 14, 2006, at 9:46 AM, Oenus Tech Services wrote:

> We have a server running postfix + amavisd-new with spamassassin 3.1
> (SuSE 10.1). We are very happy with the spam filtering capabilities of
> spamassassin, but we would like to disable checking against sbl, xbl
> lists (any kind of lists actually that check IPs) for all outgoing
> email, since sometimes our users might be in a public place (i.e.
> internet cafe, public hotspot), and their IP might be in a CBL list,
> thus preventing them from sending emails with this configuration.


are your users sending via port 587, with auth?

-faisal



Re: The best way to use Spamassassin is to not use Spamassassin

2006-07-14 Thread qqqq
|don't think so? I set up a 'joke' RBL, announced it AS a joke, told 
| everyone it listed all of ipv4 with a wildcard entry, and 3 years later, 
| I still get calls from 'lawyers' .
| 
| google for 'blocked.secnap.net' and see what I mean.
| (it even got into several of the anti-spam perl .pm files!!!)
| 


LMAO!!!

That is classic!




Re: question about SpamAssassin

2006-07-14 Thread Steve Thomas
> We use an MTA package called Extremail (http://www.extremail.com) and I was
> wondering if SpamAssassin is compatible with it.

Did you check their forums at http://extremail.monsterserver.de/main.php ?
They have a forum dedicated to integrating anti-spam products with their
server, although it requires a login before you can view any posts, so I
don't know if SA is discussed in there.

HTH,
St-




Problem with exim and spamd set for my own user (fall back to nobody?)

2006-07-14 Thread Giorgio Volpe




I'm running spamassassin 
SpamAssassin Server version 3.1.1
  running on Perl 5.8.8
  with SSL support (IO::Socket::SSL 0.97)

on a Debian with exim 4.62

I've set in /etc/defaults  -u spamd (a user I created ...)
and correctly I can see:
# ps aux | grep spamd
root 32646  0.1  4.8  28576 24820 ?    Ss   19:27   0:00
/usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -u
spamd -d --pidfile=/var/run/spamd/spamd.pid
102  32647  2.5  5.1  30720 26752 ?    S    19:27   0:11 spamd
child
102  32648  0.0  4.5  28576 23348 ?    S    19:27   0:00 spamd
child
root   306  0.0  0.1   2348   792 pts/2    S+   19:35   0:00 grep
spamd

But when exim tries to call spamd ... I get:
Jul 14 19:28:01 movi spamd[32647]: spamd: connection from
movifvg [127.0.0.1] at port 43554
Jul 14 19:28:01 movi spamd[32647]: spamd: creating default_prefs:
/nonexistent/.spamassassin/user_prefs
Jul 14 19:28:01 movi spamd[32647]: config: cannot write to
/nonexistent/.spamassassin/user_prefs: No such file or directory
Jul 14 19:28:01 movi spamd[32647]: spamd: failed to create readable
default_prefs: /nonexistent/.spamassassin/user_prefs
Jul 14 19:28:01 movi spamd[32647]: mkdir /nonexistent: Permission
denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1469
Jul 14 19:28:01 movi spamd[32647]: spamd: checking message
<[EMAIL PROTECTED]> for nobody:102
   
^
Jul 14 19:28:06 movi spamd[32647]: mkdir /nonexistent: Permission
denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1469
Jul 14 19:28:06 movi spamd[32647]: locker: safe_lock: cannot create tmp
lockfile
/nonexistent/.spamassassin/auto-whitelist.lock.movi.fvg.it.32647 for
/nonexistent/.spamassassin/auto-whitelist.lock: No such file or
directory
Jul 14 19:28:06 movi spamd[32647]: auto-whitelist: open of
auto-whitelist file failed: locker: safe_lock: cannot create tmp
lockfile
/nonexistent/.spamassassin/auto-whitelist.lock.movi.fvg.it.32647 for
/nonexistent/.spamassassin/auto-whitelist.lock: No such file or
directory


Why does it fall back to nobody? (but correctly reporting 102; nobody on my
system is 65534)

Any hint?

thanks

    Giorgio




Re: The best way to use Spamassassin is to not use Spamassassin

2006-07-14 Thread Marc Perkel






Michael Scheidell wrote:

  
-Original Message-
From: John D. Hardin [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, July 13, 2006 7:14 PM
To: SpamAssassin Users List
Subject: RE: The best way to use Spamassassin is to not use 
Spamassassin





  From: John D. Hardin [mailto:[EMAIL PROTECTED]]
  

...ewww! His leg came right off. *pop*.

Now what do I do with it?

  
  
You CAN'T point it at an rfc1918 address (10/8 127/8, 192.168/16,
172.16/21) or you will end up in the bogusmx blacklist.

You could point it an unused ip address in your netblock.
Legit email will timeout, then retry the primary (for hours or days)
till the primary is up.
Spambots will give up.

Some ideas include your router (that should NOT have port 25 open!).
  


Actually I return a 451 error on my highest MX record.





Re: Problem with exim and spamd set for my own user (fall back to nobody?)

2006-07-14 Thread Theo Van Dinter
On Fri, Jul 14, 2006 at 07:40:15PM +0200, Giorgio Volpe wrote:
> why it falls back to nobody? (but correctly reporting 102, nobody on my 
> system is 65534)
> 
> Any hint?

spamc is apparently being run by nobody, and that information gets passed
to spamd.  Perhaps you want to run spamd with -x?

-- 
Randomly Generated Tagline:
"> I'm an idiot.. At least this [bug] took about 5 minutes to find..
  We need to find some new terms to describe the rest of us mere mortals
  then." - Craig Schlenter in response to Linus Torvalds about a kernel bug.
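
The symptom in this thread (a user name in the "checking message ... for" line that differs from the account spamd was started with, plus failed writes under that user's home) can be picked out of the logs mechanically. The Python script below is an added example, not code from any poster or from the SpamAssassin project; the log sample is constructed from the lines quoted in the thread, and the function name `analyze` and its `expected_user` parameter are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the spamd syslog lines quoted in this thread.
SAMPLE_LOG = """\
Jul 14 19:28:01 movi spamd[32647]: spamd: connection from movifvg [127.0.0.1] at port 43554
Jul 14 19:28:01 movi spamd[32647]: spamd: creating default_prefs: /nonexistent/.spamassassin/user_prefs
Jul 14 19:28:01 movi spamd[32647]: config: cannot write to /nonexistent/.spamassassin/user_prefs: No such file or directory
Jul 14 19:28:01 movi spamd[32647]: mkdir /nonexistent: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1469
Jul 14 19:28:01 movi spamd[32647]: spamd: checking message <id1@example.invalid> for nobody:102
Jul 14 19:28:06 movi spamd[32647]: locker: safe_lock: cannot create tmp lockfile /nonexistent/.spamassassin/auto-whitelist.lock.movi.32647 for /nonexistent/.spamassassin/auto-whitelist.lock: No such file or directory
Jul 14 19:30:12 movi spamd[32648]: spamd: checking message <id2@example.invalid> for spamd:102
"""

LINE = re.compile(r"spamd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "for <name>:<uid>": the name is what the client passed, the uid is the child's.
CHECK = re.compile(r"checking message .* for (?P<user>[^:\s]+):(?P<uid>\d+)$")
# Any path of the form <home>/.spamassassin/... names a per-user state directory.
STATE_PATH = re.compile(r"(?P<home>/\S*?)/\.spamassassin/")
FAILURE = re.compile(r"cannot write|cannot create|failed to create|Permission denied")


def analyze(log_text, expected_user):
    """Summarise each spamd child: requested users, uids, unwritable homes."""
    reports = defaultdict(lambda: {"users": set(), "uids": set(), "bad_homes": set()})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a spamd line
        rep, msg = reports[m["pid"]], m["msg"]
        chk = CHECK.search(msg)
        if chk:
            rep["users"].add(chk["user"])
            rep["uids"].add(int(chk["uid"]))
        if FAILURE.search(msg):
            rep["bad_homes"].update(p["home"] for p in STATE_PATH.finditer(msg))
    for rep in reports.values():
        # Names the client asked for that are not the account spamd runs as.
        rep["user_mismatch"] = sorted(rep["users"] - {expected_user})
    return dict(reports)


if __name__ == "__main__":
    for pid, rep in analyze(SAMPLE_LOG, expected_user="spamd").items():
        if rep["user_mismatch"] or rep["bad_homes"]:
            print(f"spamd[{pid}]: requested user(s) {rep['user_mismatch']}, "
                  f"uid(s) {sorted(rep['uids'])}, "
                  f"unwritable home(s) {sorted(rep['bad_homes'])}")
```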




Re: Problem with exim and spamd set for my own user (fall back to nobody?)

2006-07-14 Thread Stuart Johnston

Are you using exiscan?  If so, you need something like this in your acl:

spam = spamd

See for full examples:

http://duncanthrax.net/exiscan-acl/exiscan-acl-examples.txt

Giorgio Volpe wrote:

I'm running spamassassin

SpamAssassin Server version 3.1.1
  running on Perl 5.8.8
  with SSL support (IO::Socket::SSL 0.97)

on a debian with exim 4.62

I've set in /etc/defaults  -u spamd (a user I created ...)
and correctly I can see:

# ps aux | grep spamd
root 32646  0.1  4.8  28576 24820 ?        Ss   19:27   0:00 /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -u spamd -d --pidfile=/var/run/spamd/spamd.pid
102  32647  2.5  5.1  30720 26752 ?        S    19:27   0:11 spamd child
102  32648  0.0  4.5  28576 23348 ?        S    19:27   0:00 spamd child
root   306  0.0  0.1   2348   792 pts/2    S+   19:35   0:00 grep spamd

But when exim tries to call spamd ... I get:

Jul 14 19:28:01 movi spamd[32647]: spamd: connection from movifvg [127.0.0.1] at port 43554
Jul 14 19:28:01 movi spamd[32647]: spamd: creating default_prefs: /nonexistent/.spamassassin/user_prefs
Jul 14 19:28:01 movi spamd[32647]: config: cannot write to /nonexistent/.spamassassin/user_prefs: No such file or directory
Jul 14 19:28:01 movi spamd[32647]: spamd: failed to create readable default_prefs: /nonexistent/.spamassassin/user_prefs
Jul 14 19:28:01 movi spamd[32647]: mkdir /nonexistent: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1469
Jul 14 19:28:01 movi spamd[32647]: spamd: checking message <[EMAIL PROTECTED]> for nobody:102
   
^

Jul 14 19:28:06 movi spamd[32647]: mkdir /nonexistent: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1469
Jul 14 19:28:06 movi spamd[32647]: locker: safe_lock: cannot create tmp lockfile /nonexistent/.spamassassin/auto-whitelist.lock.movi.fvg.it.32647 for /nonexistent/.spamassassin/auto-whitelist.lock: No such file or directory
Jul 14 19:28:06 movi spamd[32647]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /nonexistent/.spamassassin/auto-whitelist.lock.movi.fvg.it.32647 for /nonexistent/.spamassassin/auto-whitelist.lock: No such file or directory


why it falls back to nobody? (but correctly reporting 102, nobody on my 
system is 65534)


Any hint?

thanks

Giorgio




Re: bypass spam checking outgoing email

2006-07-14 Thread Loren Wilton

spamassassin, but we would like to disable checking against sbl, xbl
lists (any kind of lists actually that check IPs) for all outgoing
email, since sometimes our users might be in a public place (i.e


Interesting idea.

I can't recall if Amavis is one of the things that calls SA code directly, or 
if it uses spamc/spamd.


I think you will end up having to set up two different SA configurations, 
and how you do this will depend on how SA is being called.  I don't believe 
that you would need separate installations, and you could probably share the 
Bayes database if you are doing that already.


But you would either want to disable all net tests when you call SA for 
outgoing mail, or you would want to specify an alternate local config 
directory with a different version of local.cf in it.  Here you could zero 
the scores for the net test you don't want.


I'd suggest leaving net tests enabled so you get the uribl-type tests done, 
but use a separate configuration file to disable the net tests you don't 
want for outgoing.


   Loren



Re: The best way to use Spamassassin is to not use Spamassassin

2006-07-14 Thread jdow

From: "Michael Scheidell" <[EMAIL PROTECTED]>


Guess too much time in Miami and the Cuba Coffee.. ;-)

by the way, watch out for jokes, they can get archived in google, and 4 
years from now, someone will try to stop spam, find  your post and 
implement it.


don't think so? I set up a 'joke' RBL, announced it AS a joke, told 
everyone it listed all of ipv4 with a wildcard entry, and 3 years later, 
I still get calls from 'lawyers' .


google for 'blocked.secnap.net' and see what I mean.
(it even got into several of the anti-spam perl .pm files!!!)


You are not alone. 
nofalsenegatives.stopspam.samspade.org  blocks all ipv4
nofalsepositive.stopspam.samspade.org   lists nobody on ipv4
ipv4.fahq2.com                          blocks all of ipv4
random.bl.gweep.ca                      lists random addresses.

http://spamlinks.net/filter-dnsbl-lists.htm lists the above and the
real testrbl, bl.testrbl.cameldns.com, as "DNSBL testing".

I love the random one.
{^_-}


using spamdc/spamd getting better results?

2006-07-14 Thread yossim

Hello forum,

i read that SA can be worked in one of the following modes: spamassassin or
spamd/spamc. My mail relay is built on sendmail and MailScanner configured
with SA 3.1.1.

I read several posting that state that working with spamd/spamc option is
the better one due to better performance. My question if that is true when
working with MailScanner since there is one line in MailScanner.conf that
state 'use spamassassin = yes'.

In case that spamc/spamd is the better option then how do i tell MailScanner
to start spamd/spamc pair?

How do i start spamc? I have tried with -p option but it seems to get stuck?

Regards,

Yossi





Re: mangled uris

2006-07-14 Thread Magnus Holmgren
On Thursday 13 July 2006 12:35, JamesDR took the opportunity to write:
> Ramprasad wrote:
> >  I don't understand the business sense behind this spam. It's a lose -
> > lose game. The spammer never gets anyone to click,( who would click a
> > broken url and fix it and click again )  the site owner never gets hits,
> > the spam filter guy gets more headaches and the end user has to delete
> > one more mail.
>
> I think it has more to do with them knowing their current efforts are in
> vain. So now it has come down to some rather odd tricks. I've seen a few
> that say webaddress and instruct the 'reader' to add http://www to the
> beginning and .dom to the ending. This to me seems fruitless, but it
> must be working on some group of people because I still see a few mails
> with this technique a day. It goes back to what users will do, and what
> they won't. Seems some will do what the spammer wants :-D

In particular when it comes to getting the lower department back in business, 
I guess. :-)

-- 
Magnus Holmgren        [EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




only user_prefs from root read

2006-07-14 Thread Alex Thor.
hello,

Spamassassin has been working for a few days now, i'm quite satisfied
with it (actually i haven't got a single spam since then :) )
my only problem:
it seems that spamass doesn't/can't read the individual user_prefs
files.

i use a sendmail dual configuration, amavisd-new, and spamass-milter

here some config files/outputs


-
    root 21075     1   0 22:51:33 ?   0:05 /opt/csw/bin/perl -T /opt/csw/bin/spamd -d -u spamd
    root 21080     1   0 22:51:51 ?   0:02 /opt/csw/sbin/spamass-milter -p /var/run/spamass.sock -f
   spamd 21077 21075   0 22:51:40 ?   0:10 /opt/csw/bin/perl -T /opt/csw/bin/spamd -d -u spamd
   spamd 21076 21075   3 22:51:40 ?   1:13 /opt/csw/bin/perl -T /opt/csw/bin/spamd -d -u spamd




#less /etc/mail/sendmail-rx.mc


...


INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=T, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl

...


-





#less /opt/csw/etc/spamassassin/local.cf

allow_user_rules 1


clear_report_template
clear_unsafe_report_template

required_score 3

use_bayes 1

bayes_auto_learn 1


i use

spamass_milter  0.3.0 
spamassassin    3.1.3

 on a


#uname -a
SunOS name 5.10 Generic_118822-25 sun4u sparc SUNW,Ultra-4


what did i do wrong?

Thanks! 
Alex Thor. 







Hm, all caps subject rule may need a little tweak....

2006-07-14 Thread jdow

"[Apcupsd-users]LETTER", a quite obvious spam, probably could safely
have triggered an all caps rule on the subject if it ignored content
between the braces.

This might be a useful rule enhancement, not that this particular spam
made it even CLOSE to getting through the filters here.

{^_^}


RE: only user_prefs from root read

2006-07-14 Thread Gary V

hello,

Spamassassin has been working for a few days now, i'm quite satisfied
with it (actually i haven't got a single spam since then :) )
my only problem:
it seems that spamass doesn't/can't read the individual user_prefs
files.

i use a sendmail dual configuration, amavisd-new, and spamass-milter



There is only one user when you run amavisd-new - the amavisd-new user 
(usually amavis or vscan). Only the user prefs for that user are read when 
amavisd-new scans a message with spamassassin. I'm not familiar with 
sendmail or spamass-milter, but I would imagine amavisd-new runs after 
spamass-milter, so any mail passed to amavisd-new will have the previous 
spamassassin results ignored. If spam checks are enabled in amavisd-new, you 
are running the mail through spamassassin twice.


Gary V





how to dump message as it enters spamassassin

2006-07-14 Thread sa

Hi,

I am new to this list. I have searched the spamassassin FAQ and list 
archive but couldn't find the answer.


I have the following test rule in my local.cf:
header LOCAL_MISSING_MSGID  MESSAGEID =~ /^UNSET$/ [if-unset: UNSET]
describe LOCAL_MISSING_MSGID Missing Message-Id header
score LOCAL_MISSING_MSGID   0.010

But it's not triggering. Other rules in local.cf are working, just this 
one isn't. To make things more complicated, my MTA inserts a Message-Id 
header when it doesn't see one, so by the time I get the source of the 
mail and feed it to spamassassin, it passes.


Is there a way to dump the input message as it enters spamassassin? I 
have spamd running as a daemon, using version 3.1.1. The log shows:


spamd[12345]: spamd: checking message (unknown) for (unknown):102

Thanks,
Robert



RE: only user_prefs from root read

2006-07-14 Thread Gary V

hello,

Spamassassin has been working for a few days now, i'm quite satisfied
with it (actually i haven't got a single spam since then :) )
my only problem:
it seems that spamass doesn't/can't read the individual user_prefs
files.

i use a sendmail dual configuration, amavisd-new, and spamass-milter



There is only one user when you run amavisd-new - the amavisd-new user 
(usually amavis or vscan). Only the user prefs for that user are read when 
amavisd-new scans a message with spamassassin. I'm not familiar with 
sendmail or spamass-milter, but I would imagine amavisd-new runs after 
spamass-milter, so any mail passed to amavisd-new will have the previous 
spamassassin results ignored. If spam checks are enabled in amavisd-new, 
you are running the mail through spamassassin twice.


Gary V


This may also apply:
http://marc.theaimsgroup.com/?l=spamassassin-users&m=109099505924168&w=2





Re: using spamdc/spamd getting better results?

2006-07-14 Thread Steve Thomas
Hi Yossi,

> My mail relay is built on sendmail and MailScanner configured
> with SA 3.1.1.
> ...
> How do i start spamc?

IIRC, MailScanner loads the SpamAssassin perl modules directly - it
doesn't use spamc/d, nor does it use the "spamassassin" script.

HTH,
St-




Re: RE: only user_prefs from root read

2006-07-14 Thread Alex Thor.
On 2006-07-14 22:39, Gary V wrote:
> >>hello,
> >>
> >>Spamassassin has been working for a few days now, i'm quite satisfied
> >>with it (actually i haven't got a single spam since then :) )
> >>my only problem:
> >>it seems that spamass doesn't/can't read the individual user_prefs
> >>files.
> >>
> >>i use a sendmail dual configuration, amavisd-new, and spamass-milter
> >>
> >
> >There is only one user when you run amavisd-new - the amavisd-new user
> >(usually amavis or vscan).

amavisd should have nothing to do with spamass-milter

> > Only the user prefs for that user are read when 
> >amavisd-new scans a message with spamassassin.

correct

> > I'm not familiar with
> >sendmail or spamass-milter, but I would imagine amavisd-new runs after
> >spamass-milter,

indeed. amavisd-new is relaying between the two MTA-sendmails

> > so any mail passed to amavisd-new will have the previous
> >spamassassin results ignored. If spam checks are enabled in amavisd-new,
> >you are running the mail through spamassassin twice.

spam checks are disabled in amavisd-new

> >
> >Gary V
> 
> This may also apply:
> http://marc.theaimsgroup.com/?l=spamassassin-users

i disagree here, spamass-milter can definitively handle per-user prefs,
that's the reason i chose it in the first place :)
...but i'm still doing something wrong

thanks,
Alex





Re: RE: only user_prefs from root read

2006-07-14 Thread Gary V

Not sure if this still applies, but you have:

/opt/csw/sbin/spamass-milter -p /var/run/spamass.sock -f

According to:
http://www.monkey.org/freebsd/archive/freebsd-questions/200411/msg01326.html

"Make sure you are passing spamass-milter the "-u defaultuser" flag;
otherwise it won't try to extract the recipient name from the incoming
email."

Gary V





Re: White List and Yellow List DNS Servers - Proposal

2006-07-14 Thread Marc Perkel



Rob McEwen (PowerView Systems) wrote:

Marc,

I've developed a system similar to what you've described. For example, I do my own RBL 
lookups and reject messages which score above a certain number without doing additional 
spam filtering. (and I've custom weighed various RBLs). This could be considered similar 
to your own "blacklist".

I also have a whitelist like yours... except that I "surgically" apply my 
IP-based whitelist ONLY towards not doing RBL lookups on the sending server IP addresses 
for such messages... but continue to do ALL OTHER spam filtering on such messages. (I 
also apply less spam filtering to authenticated users messages)

But while I see the value of your blacklist and your yellowlist, it seems to me that 
taking an ip-based whitelist and using it to bypass ALL filtering is like writing a 
"blank check". It seems like either (1) you might be taking too many risks 
and/or (2) in order to prevent taking such risks, you'd have to make this whitelist so 
small percentage-wise that you might as well go ahead use SA to test all message not 
caught by your IP-based blacklist.

Make sense?

Your thoughts?

(specifically, can you give examples where you feel VERY assured that you'd 
NEVER see spam from that remote IP address)

  


You can't spoof hosts and there are hosts that never send spam. My bank, 
Wells Fargo, never sends spam. So - why not whitelist them. My idea is 
that if you track hosts and they never send spam then why bother spam 
filtering them? It loads the system and you risk false positives.


Re: how to dump message as it enters spamassassin

2006-07-14 Thread Loren Wilton

I have the following test rule in my local.cf:
header LOCAL_MISSING_MSGID  MESSAGEID =~ /^UNSET$/ [if-unset: UNSET]
describe LOCAL_MISSING_MSGID Missing Message-Id header
score LOCAL_MISSING_MSGID   0.010


header __HAVE_MSGID  exists:MESSAGEID
meta   MISSING_MSGID !__HAVE_MSGID

or

header __HAVE_MSGID  MESSAGEID =~ /./
meta   MISSING_MSGID !__HAVE_MSGID

The first test will test to see if the item exists.  The second will test 
that it both exists and is not blank.




But it's not triggering. Other rules in local.cf are working, just this 
one isn't. To make things more complicated, my MTA inserts a Message-Id 
header when it doesn't see one, so by the time I get the source of the 
mail and feed it to spamassassin, it passes.


Is there a way to dump the input message as it enters spamassassin? I have 
spamd running as a daemon, using version 3.1.1. The log shows:


spamassassin -t 

Re: RE: only user_prefs from root read

2006-07-14 Thread Loren Wilton

i disagree here, spamass-milter can definitively handle per-user prefs,
that's the reason i chose it in the first place :)
...but i'm still doing something wrong


FWIW, spamass-milter has been known to have problems with recent versions 
of SA.


   Loren



Re: RE: only user_prefs from root read

2006-07-14 Thread Alex Thor.
On 2006-07-15 01:21, Gary V wrote:
> Not sure if this still applies, but you have:
> 
> /opt/csw/sbin/spamass-milter -p /var/run/spamass.sock -f
> 
> According to:
> http://www.monkey.org/freebsd/archive/freebsd-questions/200411/msg01326.html
> 
> "Make sure you are passing spamass-milter the "-u defaultuser" flag;
> otherwise it won't try to extract the recipient name from the incoming
> email."
> 
> Gary V
> 
> 
> 
Thanks!
it works like a charm! :)

Alex