Re: BAYES_99 makes lots of false-positive
Matt Kettler wrote:
> In sa 2.6x or older, yes.. in sa 3.0.0 or higher, no.
>
> First, phrases isn't quite accurate.. bayes stores tokens, and most of the tokens are simply words, not phrases.
>
> In SA 3.0.0 or higher the text tokens themselves are not stored, only the SHA1 hash of them is stored. This cannot be easily reversed to figure out what the text token was, but it's easy to figure out the hash of another token and compare the two. Thus, it's impossible for dump to display the text tokens, it doesn't know what they are.
>
> The main reason to do this in SA 3.x is performance. All the SHA hashes are the same size. No more variable-length string compares, just straight fixed-width binary compares. Ditto for record reads.
>
> A side effect is increased security.. nobody can look at your bayes DB and make assumptions about what your email conversations talk about.

Thanks Matt, for the details.

> If you want to see the text tokens that match bayes for a particular message, you can do this by feeding a message to spamassassin in bayes debug mode..
>
>> some key phrases, words in the spam mails? If so, can I see some Chinese phrases?
>
> I've never tried, but the above should work for Chinese text, provided your local terminal supports it.
>
> spamassassin -D bayes=255 < message.txt
>
> That should let you know which tokens in the message are matching bayes, and what each gets (from 0. to 1., which represents 0% to 100%).
>
> Word of advice: if you see a LOT of innocuous words matching in the range of 0.90-1.0 you can worry. But do not worry about every single word that seems "wrong". A typical message will match a dozen or more tokens.
>
> All that said, how do you fix it? Feed your problem messages to sa-learn --ham. If it's really bad, wipe your bayes DB and start over.

It sounds great to be able to see which tokens match those in the bayes db.
I tried a test message with -D bayes=255 like

$ spamassassin -D bayes=255 /tmp/message
>From [EMAIL PROTECTED] Fri Jul 14 10:32:01 2006
Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on asiaa.sinica.edu.tw
X-Spam-Level:
X-Spam-Status: No, score=-102.2 required=6.0 tests=ALL_TRUSTED,AWL,
        FROM_IAA_LOCAL_SITE1,USER_IN_WHITELIST autolearn=no version=3.1.0
Received: from [140.109.177.202] (genesis.asiaa.sinica.edu.tw [140.109.177.202])
        by asiaa.sinica.edu.tw (8.13.1/8.13.1) with ESMTP id k6E2VqVw011774
        for [EMAIL PROTECTED]; Fri, 14 Jul 2006 10:31:52 +0800
Message-ID: [EMAIL PROTECTED]
Date: Fri, 14 Jul 2006 10:31:52 +0800
From: "Joshua, C.S. Chen" [EMAIL PROTECTED]
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13) Gecko/20060418 Red Hat/1.7.13-1.4.1
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: =?Big5?B?rEyswA==?= [EMAIL PROTECTED]
Subject: test for spamassassin -D bayes=255
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new
X-Keywords:
X-UID: 9719
Status: O
Content-Length: 88
Lines: 4

This is a test.
How I want to see the tokens' details that bayes thinks.

Cheers
Joshua

It just showed the original message, not the tokens and probabilities. Am I missing something here?

Thanks very much
Cheers
Joshua
AW: Network tests slowing down spamassassin
Ramprasad wrote:
> Hi,
> SA works fine, for the quite large setup that we have. (we get up to 200k mails an hour at peak times)
>
> But I notice it is too network dependent. A little problem with the network and all hell breaks loose. Mailq shoots up and SA starts timing out. Probably because I have enabled all kinds of BL tests and uri checks. But these checks are indispensable; without these SA would have no teeth at all.
>
> So what is the best way to reduce network traffic. We are already getting the sbl-xbl lists from spamhaus so as to serve those lists locally, can I get any other lists locally? Commercial agreements also are ok.

Hi,
I think the best way to reduce the network traffic regarding the network tests is to do all network tests locally. We are serving many lists locally. For example spamhaus (commercial agreement), spamcop (one time fee), njabl, sorbs, cbl.abuseat, dsbl (all free). We are using rbldnsd to serve all local lists. You have to create your own DNS zone and adapt your SA config. You will get faster responses and the processing time of each message processed by SA decreases.

Sorry for my bad english.
Stefan
spam with HTTP 503 payload
Check this out. Looks like the spam bots are set up to HTTP GET the payload html from a home base web server -- thereby allowing payload html to be modified easily as the spam run continues, without having to mess with the distributed net of zombies. I think we saw something similar before.

Only thing is, the spammer forgot to fix the Apache error page to omit the ServerName -- so we can see that the home base is 66.36.241.158, a machine on a Washington, DC ISP.

--j.

Return-Path: [EMAIL PROTECTED]
X-Original-To: [spamtrap]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost [127.0.0.1]
        by radish.jmason.org with IMAP (fetchmail-6.3.2)
        for [EMAIL PROTECTED] (single-drop); Fri, 14 Jul 2006 03:00:41 +0100 (IST)
Received: from a-hrq391ahiw2sz (ARennes-252-1-81-136.w86-203.abo.wanadoo.fr [86.203.52.136])
        by dogma.boxhost.net (Postfix) with SMTP id 04DF53101D8
        for [spamtrap]; Fri, 14 Jul 2006 02:51:24 +0100 (IST)
Message-Id: [EMAIL PROTECTED]
Date: Fri, 14 Jul 2006 02:51:24 +0100 (IST)
From: [EMAIL PROTECTED]
To: undisclosed-recipients:;
X-IMAPbase: 1075077319 230635
Status: O
X-UID: 230635
X-Keywords:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
<hr>
<address>Apache/2.0.53 (Fedora) Server at 66.36.241.158 Port 80</address>
</body></html>
Re: AW: Network tests slowing down spamassassin
> Hi,
> I think the best way to reduce the network traffic regarding the network tests is to do all network tests locally. We are serving many lists locally. For example spamhaus (commercial agreement), spamcop (one time fee), njabl, sorbs, cbl.abuseat, dsbl (all free). We are using rbldnsd to serve all local lists.

Thanks for the info
We are already using local lists from spamhaus. spamcop $1000 / year is unreasonable
I will try njabl, cdbl and DSBL.
Can you tell me where do I get lists from SORBS? Couldn't get anything on their site

Thanks
Ram
debugging dnsbl issues
I am running SpamAssassin 3.1.2 on Windows 2003. I use DNSBL and URIBL, but have found that I have not been getting many hits on the DNSBLs, whereas the URIBLs do very well.

I decided that I would set up a local caching DNS server (TreeWalk) to see if this would speed things up a bit, as I tend to get 5 or more of the same spam coming to different users on my server. I can then cache the DNS lookups for the first one and it will speed up the next 5 lookups.

This morning I was monitoring my DNS lookups to see that it is all working ok, and I noticed that several emails came in from the same IP address and that the DNS server had cached the responses and so didn't need to look them up again. However these emails did not hit any of the DNSBL rules. I then tested by hand the IP address at http://www.robtex.com/rbls/81.203.0.80.html and found that it was listed on a few of the block lists that I use.

Here are some of the headers of that email:

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.2 (2006-05-25) on server
X-Spam-Report:
        *  3.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr 2)
        *  1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:..type= entry
        *  2.0 DATE_IN_FUTURE_03_06 Date: is 3 to 6 hours after Received: date
        *  1.1 HTML_IMAGE_ONLY_32 BODY: HTML: images with 2800-3200 bytes of words
        *  2.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
        *      [score: 0.8432]
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
        *  1.0 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
        *      [URIs: callow*MUNGE*wast.com]
        *  3.8 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
        *      [URIs: callow*MUNGE*wast.com]
        *  2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
        *      [URIs: callow*MUNGE*wast.com]
        *  2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
        *      [URIs: callow*MUNGE*wast.com]
        *  3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
        *      [URIs: callow*MUNGE*wast.com]
        *  4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
        *      [URIs: callow*MUNGE*wast.com]
Received: from [127.0.0.1] by mydomain.co.uk with SMTP (HELO server.)
        (ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.8.7));
        Thu, 13 Jul 2006 11:00:58 +0100
Received: from 81-203-0-80.user.ono.com ([81.203.0.80]) by server. (NAVGW 2.5.2.12)
        with SMTP id M2006071311005429502 for [EMAIL PROTECTED]; Thu, 13 Jul 2006 11:00:54 +0100

In the spamassassin debug log it says:

dbg: dns: launching DNS A query for 80.0.203.81.sbl-xbl.spamhaus.org.
dbg: dns: launching DNS A query for 80.0.203.81.sa-accredit.habeas.com.
dbg: dns: launching DNS A query for 80.0.203.81.combined.njabl.org.
dbg: dns: launching DNS A query for 80.0.203.81.bl.csma.biz.
dbg: dns: launching DNS A query for 80.0.203.81.combined-HIB.dnsiplists.completewhois.com.
dbg: dns: launching DNS TXT query for 80.0.203.81.list.dsbl.org.
dbg: dns: launching DNS TXT query for 80.0.203.81.bl.spamcop.net.
dbg: dns: launching DNS TXT query for 80.0.203.81.sa-trusted.bondedsender.org.
dbg: dns: launching DNS A query for 80.0.203.81.sbl.csma.biz.
dbg: dns: launching DNS A query for 80.0.203.81.dnsbl.sorbs.net.
dbg: dns: launching DNS A query for 80.0.203.81.iadb.isipp.com.
dbg: dns: success for 11 of 11 queries

So it says it has successfully queried all of these and yet it didn't have one positive. I know it should have hit at least:

sbl-xbl.spamhaus.org
dnsbl.sorbs.net
bl.spamcop.net
list.dsbl.org

and probably others as well. How can I debug why this is not hitting correctly?

Why don't DNSBL check results show up in the debug log like the URIBL ones, eg:

uridnsbl: domain callow*MUNGE*wast.com listed (URIBL_AB_SURBL): 127.0.0.118

and in fact, why don't the uribl timeout lines tell you which ones have timed out? Instead they just say:

[696] dbg: uridnsbl: done waiting for URIDNSBL lookups to complete
[696] dbg: uridnsbl: aborting remaining lookups

Whereas the DNSBL lookups, when they time out, helpfully say:

[696] dbg: dns: timeout for spamcop after 13 seconds

How do I change the timeout time for DNSBL lookups and URIBL lookups?

In recent emails I have only found it to have hit when the DNS lookups HAVE timed out:

[696] dbg: dns: launching DNS A query for 253.226.197.221.sbl-xbl.spamhaus.org. in background
[696] dbg: dns: launching DNS A query for 253.226.197.221.sa-accredit.habeas.com. in background
[696] dbg: dns: launching DNS A query for 253.226.197.221.combined.njabl.org. in background
[696] dbg: dns: launching DNS A query for 253.226.197.221.bl.csma.biz. in background
[696] dbg: dns: launching DNS A query for 253.226.197.221.combined-HIB.dnsiplists.completewhois.com. in background
[696] dbg: dns: launching DNS TXT query for 253.226.197.221.list.dsbl.org. in
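To take the guesswork out of reading those "dbg: dns:" lines, here is an added example (not from the thread and not SpamAssassin's own code): it rebuilds the reversed-octet query names SA launches for a connecting IP, recovers the list zones from the debug lines, and classifies what a resolver returns for each name. A lookup that returns NXDOMAIN (not listed) completes just like one that returns a 127.0.0.x listing, so a "success for N of N queries" count alone does not tell you which lists hit. The debug lines and the resolver below are constructed stand-ins so the script runs offline; in practice you would put dig or host behind the resolver callback.

```python
"""Rebuild and check the DNSBL query names SpamAssassin logs (added example)."""
import ipaddress
import re

# Constructed sample, modelled on the debug lines quoted in this thread.
DEBUG_LOG = """\
dbg: dns: launching DNS A query for 80.0.203.81.sbl-xbl.spamhaus.org.
dbg: dns: launching DNS A query for 80.0.203.81.dnsbl.sorbs.net.
dbg: dns: launching DNS TXT query for 80.0.203.81.bl.spamcop.net.
[696] dbg: dns: launching DNS TXT query for 80.0.203.81.list.dsbl.org. in background
dbg: dns: success for 4 of 4 queries
"""

# Matches both the plain and the "[pid] ... in background" flavours seen in the log.
LAUNCH_RE = re.compile(
    r"dbg: dns: launching DNS (A|TXT) query for (\S+?)\.?(?: in background)?$"
)


def dnsbl_query_name(ip, zone):
    """Reverse the octets of an IPv4 address and append the list zone:
    81.203.0.80 + sbl-xbl.spamhaus.org -> 80.0.203.81.sbl-xbl.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def parse_launched_queries(log_text):
    """Return (qtype, ip, zone) for every 'launching DNS ... query' line."""
    found = []
    for line in log_text.splitlines():
        m = LAUNCH_RE.search(line.strip())
        if not m:
            continue
        qtype, name = m.groups()
        labels = name.split(".")
        ip = ".".join(reversed(labels[:4]))  # first four labels are the reversed IP
        zone = ".".join(labels[4:])          # the rest is the DNSBL zone
        found.append((qtype, ip, zone))
    return found


def interpret_answer(answer):
    """Classify a DNSBL reply. answer is None for NXDOMAIN, else the A record."""
    if answer is None:
        return "not listed"
    a = ipaddress.IPv4Address(answer)
    if a in ipaddress.IPv4Network("127.0.0.0/8"):
        return f"listed ({a})"
    # DNSBLs answer inside 127/8; anything else usually means a resolver that
    # synthesises answers (wildcarding, search-path rewriting) rather than a hit.
    return f"unexpected answer {a}; check your resolver"


def check_queries(log_text, resolver):
    """resolver(name, qtype) -> A record string or None. Returns {zone: verdict}."""
    report = {}
    for qtype, ip, zone in parse_launched_queries(log_text):
        name = dnsbl_query_name(ip, zone)
        report[zone] = interpret_answer(resolver(name, qtype))
    return report


# Constructed stub standing in for a real resolver: two listings, one bogus
# answer outside 127/8, and one NXDOMAIN (missing key).
STUB_ANSWERS = {
    "80.0.203.81.sbl-xbl.spamhaus.org": "127.0.0.4",
    "80.0.203.81.dnsbl.sorbs.net": "127.0.0.10",
    "80.0.203.81.bl.spamcop.net": "10.1.2.3",
}


def stub_resolver(name, qtype):
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    for zone, verdict in check_queries(DEBUG_LOG, stub_resolver).items():
        print(f"{zone:24} {verdict}")
```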
AW: AW: Network tests slowing down spamassassin
Hi,
first you have to create an account on the sorbs site, after that you are able to open a ticket regarding an rsync subscription. Give a short summary of why you want to use the rsync feed from sorbs (million mails per day, performance etc.) and the IP addresses which initiate the rsync, and the sorbs admins are going to allow you the rsync.
I hope I can help you ??
Stefan

-Original Message-
From: Ramprasad [mailto:[EMAIL PROTECTED]
Sent: Friday, 14 July 2006 11:31
To: Stefan Klewer
Cc: users@spamassassin.apache.org
Subject: Re: AW: Network tests slowing down spamassassin
RE: The best way to use Spamassassin is to not use Spamassassin
-Original Message-
From: John D. Hardin [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 13, 2006 7:14 PM
To: SpamAssassin Users List
Subject: RE: The best way to use Spamassassin is to not use Spamassassin

> From: John D. Hardin [mailto:[EMAIL PROTECTED]
> ...ewww! His leg came right off. *pop*. Now what do I do with it?

You CAN'T point it at an rfc1918 address (10/8, 127/8, 192.168/16, 172.16/21) or you will end up in the bogusmx blacklist.

You could point it at an unused IP address in your netblock. Legit email will time out, then retry the primary (for hours or days) till the primary is up. Spambots will give up.

Some ideas include your router (that should NOT have port 25 open!).
Re: Image only spam
Jack Gostl wrote:

----- Original Message -----
*From:* Steven Stern mailto:[EMAIL PROTECTED]
*Cc:* Spamass mailto:users@spamassassin.apache.org
*Sent:* Thursday, July 13, 2006 6:52 PM
*Subject:* Re: Image only spam

Jack Gostl wrote:

----- Original Message -----
From: Steven Stern [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
To: Spamass users@spamassassin.apache.org mailto:users@spamassassin.apache.org
Sent: Wednesday, July 12, 2006 4:31 PM
Subject: Re: Image only spam

Jack Gostl wrote:

Thanks for the response. Take it slow with me, spamassassin has been running so well for so long that I haven't had to fiddle with it in ages and I don't remember the details. Do I add these rules to my user_prefs? Or to my /etc/mail/local.cf files?

----- Original Message -----
From: Steven Stern [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
To: Spamass users@spamassassin.apache.org mailto:users@spamassassin.apache.org
Sent: Wednesday, July 12, 2006 9:13 AM
Subject: Re: Image only spam

Jack Gostl wrote:

I'm running SpamAssassin version 3.0.3 running on Perl version 5.8.2 under AIX 5.3. Starting a few months ago, I have been absolutely inundated with image only spam. I've gone from catching 99% of the spam with almost no false positives to less than 85%. I asked about this awhile ago, and tried to upgrade to SpamAssassin version 3.1.1 running on Perl version 5.8.0, and didn't see much improvement, so I left the prod machine alone. I'm sure I'm not the only one with this problem. Has anyone had any success with it?

Thanks... Jack

Are you using the SARE_STOCK rules from RulesDuJour at rulesemporium.com? We catch more than 99% of the image only stuff with the standard RBLs and 70_sare_stock.cf.

In case you ask, these are the SARE rules we're using:

TRUSTED_RULESETS="SARE_GENLSUBJ0 SARE_OBFU SARE_REDIRECT_POST300 SARE_ADULT SARE_HEADER0 SARE_CODING SARE_SPECIFIC SARE_SPOOF SARE_FRAUD SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_URI0 SARE_OEM SARE_STOCKS";

-- Steve

Hop over to the Rules Emporium (http://rulesemporium.com) and read about RulesDuJour. Install that and set up a cron job to look for updates once a day. That's about it. It's about 30 minutes of think work up front to understand the documentation and install it. After that, set it and forget it.

http://www.exit0.us/index.php?pagename=RulesDuJour

I think you'll be happy with the trusted ruleset line above.

Wanted to tell you how this all turned out. I installed the new rules, incorrectly as Dimitri observed, and then restarted spamassassin (spamd actually). The spam capture rate has zoomed from 85% into the high 90s.

Looking back I see that we replaced our processor about a year ago, and have been exceptionally stable since then. We haven't IPLed in almost a year, which also means that spamassassin probably hasn't been started in almost as long. Obviously the new rules weren't the reason for the improvement, since they were installed wrong. So it must have been the restart. This makes me wonder, was it a corruption, or is there a cumulative effect. I wonder if anyone has any thoughts on that.

I have a cron job scheduled for every Sunday:

sa-update && spamassassin --lint && /etc/init.d/spamassassin restart

This will pick up updates to the basic SA rules if they update them.

Is sa-update a script you wrote? And why run the --lint on a regular basis?

sa-update is part of the SpamAssassin 3.1 package. See man sa-update. The string of commands executes sa-update. If it returns a non-error result, indicating it downloaded something, then the new rules are linted. I do this to make sure that there's nothing broken in any of the dozens of rules in my ruleset. If the ruleset is OK, then spamassassin is restarted to pick up the new rules from sa-update.

-- Steve
Re: AW: AW: Network tests slowing down spamassassin
Speaking of network tests...

Other than traditional IP-address-based RBL lookups, SURBL/URIBL lookups, and network traffic for Razor, DCC, etc... is there anything ELSE for which a test requires network traffic which depends on someone else's remote server that still runs even if/when SURBL/URIBL, Razor/DCC, and RBL lookups are ALL turned off?

(for example, suppose that if ALL of these I mentioned above were turned off, No rDNS is still tested for. If so, then No rDNS would be an example of what should be on the list that answers my question.)

Thanks!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
Re: Image only spam
Converting to 3.1 is beginning to look better and better. Thanks

----- Original Message -----
From: Steven Stern [EMAIL PROTECTED]
To: Spamass users@spamassassin.apache.org
Sent: Friday, July 14, 2006 8:11 AM
Subject: Re: Image only spam
RE: The best way to use Spamassassin is to not use Spamassassin
On Fri, 14 Jul 2006, Michael Scheidell wrote:

>> From: John D. Hardin [mailto:[EMAIL PROTECTED]
>> ...ewww! His leg came right off. *pop*. Now what do I do with it?
>
> You CAN'T point it at an rfc1918 address (10/8 127/8, 192.168/16, 172.16/21) or you will end up in the bogusmx blacklist.

Okay, that's useful information, but that's not what I was suggesting (with my tongue firmly in my cheek):

;; QUESTION SECTION:
;maila.microsoft.com.           IN      A

;; ANSWER SECTION:
maila.microsoft.com.    3       IN      A       131.107.1.7
maila.microsoft.com.    3       IN      A       131.107.1.6

Those aren't RFC1918 addresses, or MS would never be able to receive mail via them.

The humor value of that was obviously way too low, I'm giving up.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Windows and its users got mentioned at home today, after my wife
 the psych major brought up Seligman's theory of learned helplessness.
                                        -- Dan Birchall in a.s.r
---
 10 days until The 37th anniversary of Apollo 11 landing on the Moon
Re: The best way to use Spamassassin is to not use Spamassassin
John D. Hardin wrote:
> On Fri, 14 Jul 2006, Michael Scheidell wrote:
>
>>> From: John D. Hardin [mailto:[EMAIL PROTECTED]]
>>> ...ewww! His leg came right off. *pop*. Now what do I do with it?
>>
>> You CAN'T point it at an rfc1918 address (10/8 127/8, 192.168/16, 172.16/21) or you will end up in the bogusmx blacklist.
>
> Okay, that's useful information, but that's not what I was suggesting (with my tongue firmly in my cheek):
>
> ;; QUESTION SECTION:
> ;maila.microsoft.com.           IN      A
>
> ;; ANSWER SECTION:
> maila.microsoft.com.    3       IN      A       131.107.1.7
> maila.microsoft.com.    3       IN      A       131.107.1.6
>
> Those aren't RFC1918 addresses, or MS would never be able to receive mail via them.

but if YOU point YOUR secondary MX records to mail1.microsoft.com, YOU WILL LOSE EMAIL, not just spam. it will be bounced, with a 5xx error (unknown user, unable to relay), the sending server won't retry it.

> The humor value of that was obviously way too low, I'm giving up.

--
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
[EMAIL PROTECTED] / 1+561-999-5000, x 1131
bypass spam checking outgoing email
Hi there!

We have a server running postfix + amavisd-new with spamassassin 3.1 (SuSE 10.1). We are very happy with the spam filtering capabilities of spamassassin, but we would like to disable checking against sbl, xbl lists (any kind of lists actually that check IPs) for all outgoing email, since sometimes our users might be in a public place (i.e. internet cafe, public hotspot), and their IP might be in a CBL list, thus preventing them from sending emails with this configuration.

Is it possible to disable these rules only for outgoing email?

TIA
Ignacio
Re: White List and Yellow List DNS Servers - Proposal
Marc,

I've developed a system similar to what you've described. For example, I do my own RBL lookups and reject messages which score above a certain number without doing additional spam filtering. (and I've custom weighted various RBLs). This could be considered similar to your own blacklist.

I also have a whitelist like yours... except that I surgically apply my IP-based whitelist ONLY towards not doing RBL lookups on the sending server IP addresses for such messages... but continue to do ALL OTHER spam filtering on such messages. (I also apply less spam filtering to authenticated users' messages)

But while I see the value of your blacklist and your yellowlist, it seems to me that taking an ip-based whitelist and using it to bypass ALL filtering is like writing a blank check. It seems like either (1) you might be taking too many risks and/or (2) in order to prevent taking such risks, you'd have to make this whitelist so small percentage-wise that you might as well go ahead and use SA to test all messages not caught by your IP-based blacklist.

Make sense? Your thoughts? (specifically, can you give examples where you feel VERY assured that you'd NEVER see spam from that remote IP address)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032
question about SpamAssassin
Hi there,

We use an MTA package called Extremail (http://www.extremail.com) and I was wondering if SpamAssassin is compatible with it.

Thanks,
Nathalie
Re: The best way to use Spamassassin is to not use Spamassassin
On Fri, 14 Jul 2006, Michael Scheidell wrote:

> John D. Hardin wrote:
>> On Fri, 14 Jul 2006, Michael Scheidell wrote:
>>
>>>> From: John D. Hardin [mailto:[EMAIL PROTECTED]
>>>> ...ewww! His leg came right off. *pop*. Now what do I do with it?
>>>
>>> You CAN'T point it at an rfc1918 address (10/8 127/8, 192.168/16, 172.16/21) or you will end up in the bogusmx blacklist.
>>
>> Okay, that's useful information, but that's not what I was suggesting (with my tongue firmly in my cheek):
>>
>> ;; QUESTION SECTION:
>> ;maila.microsoft.com.           IN      A
>>
>> ;; ANSWER SECTION:
>> maila.microsoft.com.    3       IN      A       131.107.1.7
>> maila.microsoft.com.    3       IN      A       131.107.1.6
>>
>> Those aren't RFC1918 addresses, or MS would never be able to receive mail via them.
>
> but if YOU point YOUR secondary MX records to mail1.microsoft.com, YOU WILL LOSE EMAIL, not just spam. it will be bounced, with a 5xx error (unknown user, unable to relay), the sending server won't retry it.
>
>> The humor value of that was obviously way too low, I'm giving up.

Michael: *It was a joke*. Thanks for the UI, but I would never seriously suggest anyone set any of their MX records to point at *someone else's* mail server, and I would pity anyone who took such a suggestion seriously.

'course, they might learn something (the hard way) from doing that...

You need to take some time off from work and recalibrate your humor detector.

Guten tag.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 Windows and its users got mentioned at home today, after my wife
 the psych major brought up Seligman's theory of learned helplessness.
                                        -- Dan Birchall in a.s.r
---
 10 days until The 37th anniversary of Apollo 11 landing on the Moon
Re: The best way to use Spamassassin is to not use Spamassassin
| don't think so? I set up a 'joke' RBL, announced it AS a joke, told
| everyone it listed all of ipv4 with a wildcard entry, and 3 years later,
| I still get calls from 'lawyers'.
|
| google for 'blocked.secnap.net' and see what I mean.
| (it even got into several of the anti-spam perl .pm files!!!)

LMAO!!! That is classic!
Re: question about SpamAssassin
> We use an MTA package called Extremail (http://www.extremail.com) and I was wondering if SpamAssassin is compatible with it.

Did you check their forums at http://extremail.monsterserver.de/main.php ? They have a forum dedicated to integrating anti-spam products with their server, although it requires a login before you can view any posts, so I don't know if SA is discussed in there.

HTH,
St-
Problem with exim and spamd set for my own user (fall back to nobody?)
I'm running spamassassin SpamAssassin Server version 3.1.1 running on Perl 5.8.8 with SSL support (IO::Socket::SSL 0.97) on a debian with exim 4.62

I've set in /etc/defaults -u spamd (a user I created ...) and correctly I can see:

# ps aux | grep spamd
root     32646  0.1  4.8 28576 24820 ?        Ss   19:27   0:00 /usr/sbin/spamd --create-prefs --max-children 5 --helper-home-dir -u spamd -d --pidfile=/var/run/spamd/spamd.pid
102      32647  2.5  5.1 30720 26752 ?        S    19:27   0:11 spamd child
102      32648  0.0  4.5 28576 23348 ?        S    19:27   0:00 spamd child
root       306  0.0  0.1  2348   792 pts/2    S+   19:35   0:00 grep spamd

But when exim tries to call spamd ... I get:

Jul 14 19:28:01 movi spamd[32647]: spamd: connection from movifvg [127.0.0.1] at port 43554
Jul 14 19:28:01 movi spamd[32647]: spamd: creating default_prefs: /nonexistent/.spamassassin/user_prefs
Jul 14 19:28:01 movi spamd[32647]: config: cannot write to /nonexistent/.spamassassin/user_prefs: No such file or directory
Jul 14 19:28:01 movi spamd[32647]: spamd: failed to create readable default_prefs: /nonexistent/.spamassassin/user_prefs
Jul 14 19:28:01 movi spamd[32647]: mkdir /nonexistent: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1469
Jul 14 19:28:01 movi spamd[32647]: spamd: checking message [EMAIL PROTECTED] for nobody:102
                                                                                ^
Jul 14 19:28:06 movi spamd[32647]: mkdir /nonexistent: Permission denied at /usr/share/perl5/Mail/SpamAssassin.pm line 1469
Jul 14 19:28:06 movi spamd[32647]: locker: safe_lock: cannot create tmp lockfile /nonexistent/.spamassassin/auto-whitelist.lock.movi.fvg.it.32647 for /nonexistent/.spamassassin/auto-whitelist.lock: No such file or directory
Jul 14 19:28:06 movi spamd[32647]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /nonexistent/.spamassassin/auto-whitelist.lock.movi.fvg.it.32647 for /nonexistent/.spamassassin/auto-whitelist.lock: No such file or directory

Why does it fall back to nobody? (but correctly reporting 102; nobody on my system is 65534)

Any hint?
thanks
Giorgio
Re: The best way to use Spamassassin is to not use Spamassassin
Michael Scheidell wrote:
> -Original Message-
> From: John D. Hardin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 13, 2006 7:14 PM
> To: SpamAssassin Users List
> Subject: RE: The best way to use Spamassassin is to not use Spamassassin
>
>> From: John D. Hardin [mailto:[EMAIL PROTECTED]]
>> ...ewww! His leg came right off. *pop*. Now what do I do with it?
>
> You CAN'T point it at an rfc1918 address (10/8 127/8, 192.168/16, 172.16/21) or you will end up in the bogusmx blacklist.
>
> You could point it at an unused IP address in your netblock. Legit email will time out, then retry the primary (for hours or days) till the primary is up. Spambots will give up.
>
> Some ideas include your router (that should NOT have port 25 open!).

Actually I return a 451 error on my highest MX record.
Re: Problem with exim and spamd set for my own user (fall back to nobody?)
On Fri, Jul 14, 2006 at 07:40:15PM +0200, Giorgio Volpe wrote:

why it falls back to nobody? (but correctly reporting 102, nobody on my system is 65534) Any hint?

spamc is apparently being run by nobody, and that information gets passed to spamd. Perhaps you want to run spamd with -x?

--
Randomly Generated Tagline:
I'm an idiot.. At least this [bug] took about 5 minutes to find.. We need to find some new terms to describe the rest of us mere mortals then. - Craig Schlenter in response to Linus Torvalds about a kernel bug.
Re: Problem with exim and spamd set for my own user (fall back to nobody?)
Are you using exiscan? If so, you need something like this in your acl:

spam = spamd

See for full examples: http://duncanthrax.net/exiscan-acl/exiscan-acl-examples.txt

Giorgio Volpe wrote:

[quoted message trimmed; full text above]

why it falls back to nobody? (but correctly reporting 102, nobody on my system is 65534) Any hint? thanks Giorgio
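An added example of the Exim ACL fragment the reply points at (my example, not from the thread or from the exiscan examples file). It shows the setting that produces the /nonexistent errors above next to the corrected one. It assumes Exim 4.5x with the integrated exiscan "spam" ACL condition, spamd listening on localhost and started with -u spamd, and a Unix user spamd with a writable home directory; the ACL name acl_check_data and the score thresholds are my choices.

```conf
# Added example (not the thread's own config). Assumes:
#   acl_smtp_data = acl_check_data      is set in the main Exim section
#   spamd runs as "-u spamd" and the user spamd has a writable home.

acl_check_data:

  # Weak: with "spam = nobody" Exim tells spamd to check the message for the
  # user "nobody". spamd then looks up that user's home, which on Debian is
  # /nonexistent, and logs "mkdir /nonexistent: Permission denied" while
  # trying to create user_prefs and the auto-whitelist there.
  #
  #warn  spam       = nobody
  #      add_header = X-Spam-Score: $spam_score ($spam_bar)

  # Corrected: name the user spamd itself runs as, so user_prefs, Bayes and
  # the auto-whitelist live in a directory spamd can actually write.
  warn  spam       = spamd
        add_header = X-Spam-Score: $spam_score ($spam_bar)
        add_header = X-Spam-Report: $spam_report

  # ":true" makes the condition always succeed so $spam_score is set even
  # for low scores; the 100 (= 10.0 points) threshold is an assumed value.
  deny  message    = This message scored $spam_score spam points.
        spam       = spamd:true
        condition  = ${if >{$spam_score_int}{100}{1}{0}}

  accept
```

The other route mentioned in the thread is to start spamd with -x, which disables per-user configuration files altogether so no home directory is looked up; naming a real user in the ACL keeps per-user prefs working while still avoiding the unwritable path.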
Re: bypass spam checking outgoing email
spamassassin, but we would like to disable checking against sbl, xbl lists (any kind of lists actually that check IPs) for all outgoing email, since sometimes our users might be in a public place (i.e

Interesting idea. I can't recall if Amavis is one of the things that calls SA code directly, or if it uses spamc/spamd.

I think you will end up having to set up two different SA configurations, and how you do this will depend on how SA is being called. I don't believe that you would need separate installations, and you could probably share the Bayes database if you are doing that already. But you would either want to disable all net tests when you call SA for outgoing mail, or you would want to specify an alternate local config directory with a different version of local.cf in it. Here you could zero the scores for the net test you don't want.

I'd suggest leaving net tests enabled so you get the uribl-type tests done, but use a separate configuration file to disable the net tests you don't want for outgoing.

Loren
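An added example of the "separate configuration directory" approach Loren describes (my example, not from the thread): a second local.cf that keeps net tests on but zeroes the IP-based DNSBL rules for outgoing mail. The directory /etc/spamassassin-outgoing and the bayes_path location are my choices; RCVD_IN_SBL and RCVD_IN_XBL are the SA 3.1 Spamhaus rule names as I recall them and should be confirmed against the installed rules.

```conf
# Added example: /etc/spamassassin-outgoing/local.cf (path is assumed).
# Only the site config differs from the incoming setup; the rule files
# are still read from the normal rules directory.

# Share the Bayes database with the incoming configuration (assumed path).
bayes_path /var/lib/spamassassin/bayes/bayes

# Leave net tests enabled so URIBL-style lookups on URLs still run, but
# make the sending-IP blocklist rules worthless for outgoing mail by
# zeroing their scores. Verify the names with: spamassassin --lint -D
score RCVD_IN_SBL 0
score RCVD_IN_XBL 0

# Keep the rest (required_score, Bayes settings) identical to the
# incoming local.cf so the two configurations only differ in the above.
required_score 5.0
use_bayes 1
```

To use it from the command line, point the scanner at the alternate directory with spamassassin --siteconfigpath=/etc/spamassassin-outgoing; spamd accepts the same option, so a second spamd instance on another port can serve the outgoing path. How amavisd-new is told which one to use depends on whether it loads the SA modules directly or talks to spamd, which is the question Loren raises.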
Re: The best way to use Spamassassin is to not use Spamassassin
From: Michael Scheidell [EMAIL PROTECTED]

Guess too much time in Miami and the Cuba Coffee.. ;-) by the way, watch out for jokes, they can get archived in google, and 4 years from now, someone will try to stop spam, find your post and implement it. don't think so? I set up a 'joke' RBL, announced it AS a joke, told everyone it listed all of ipv4 with a wildcard entry, and 3 years later, I still get calls from 'lawyers'. google for 'blocked.secnap.net' and see what I mean. (it even got into several of the anti-spam perl .pm files!!!)

You are not alone.

nofalsenegatives.stopspam.samspade.org  blocks all ipv4
nofalsepositive.stopspam.samspade.org   lists nobody on ipv4
ipv4.fahq2.com                          blocks all of ipv4
random.bl.gweep.ca                      lists random addresses.

http://spamlinks.net/filter-dnsbl-lists.htm lists the above and the real testrbl, bl.testrbl.cameldns.com, as DNSBL testing. I love the random one.

{^_-}
using spamdc/spamd getting better results?
Hello forum,

I read that SA can be worked in one of the following modes: spamassassin or spamd/spamc. My mail relay is built on sendmail and MailScanner configured with SA 3.1.1. I read several postings that state that working with the spamd/spamc option is the better one due to better performance. My question is whether that is true when working with MailScanner, since there is one line in MailScanner.conf that states 'use spamassassin = yes'. In case spamc/spamd is the better option, then how do I tell MailScanner to start the spamd/spamc pair? How do I start spamc? I have tried with the -p option but it seems to get stuck?

Regards,
Yossi
Re: mangled uris
On Thursday 13 July 2006 12:35, JamesDR took the opportunity to write:

Ramprasad wrote:

I don't understand the business sense behind this spam. It's a lose-lose game. The spammer never gets anyone to click (who would click a broken url and fix it and click again), the site owner never gets hits, the spam filter guy gets more headaches and the end user has to delete one more mail.

I think it has more to do with them knowing their current efforts are in vain. So now it has come down to some rather odd tricks. I've seen a few that say webaddress and instruct the 'reader' to add http://www to the beginning and .dom to the ending. This to me seems fruitless, but it must be working on some group of people because I still see a few mails with this technique a day. It goes back to what users will do, and what they won't. Seems some will do what the spammer wants :-D

In particular when it comes to getting the lower department back in business, I guess. :-)

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
only user_prefs from root read
hello,

Spamassassin has been working for a few days now, I'm quite satisfied with it (actually I haven't got a single spam since then :) )

My only problem: it seems that spamass doesn't/can't read the individual user_prefs files. I use a sendmail dual configuration, amavisd-new, and spamass-milter.

Here some config files/outputs:

-
root  21075     1  0 22:51:33 ?  0:05 /opt/csw/bin/perl -T /opt/csw/bin/spamd -d -u spamd
root  21080     1  0 22:51:51 ?  0:02 /opt/csw/sbin/spamass-milter -p /var/run/spamass.sock -f
spamd 21077 21075  0 22:51:40 ?  0:10 /opt/csw/bin/perl -T /opt/csw/bin/spamd -d -u spamd
spamd 21076 21075  3 22:51:40 ?  1:13 /opt/csw/bin/perl -T /opt/csw/bin/spamd -d -u spamd

#less /etc/mail/sendmail-rx.mc
...
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=T, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
...
-

#less /opt/csw/etc/spamassassin/local.cf
allow_user_rules 1
clear_report_template
clear_unsafe_report_template
required_score 3
use_bayes 1
bayes_auto_learn 1

I use spamass_milter 0.3.0, spamassassin 3.1.3 on a

#uname -a
SunOS name 5.10 Generic_118822-25 sun4u sparc SUNW,Ultra-4

What did I do wrong?

Thanks!
Alex Thor.
RE: only user_prefs from root read
hello, Spamassassin has been working for a few days now, I'm quite satisfied with it (actually I haven't got a single spam since then :) ) My only problem: it seems that spamass doesn't/can't read the individual user_prefs files. I use a sendmail dual configuration, amavisd-new, and spamass-milter.

There is only one user when you run amavisd-new - the amavisd-new user (usually amavis or vscan). Only the user prefs for that user are read when amavisd-new scans a message with spamassassin. I'm not familiar with sendmail or spamass-milter, but I would imagine amavisd-new runs after spamass-milter, so any mail passed to amavisd-new will have the previous spamassassin results ignored. If spam checks are enabled in amavisd-new, you are running the mail through spamassassin twice.

Gary V

This may also apply: http://marc.theaimsgroup.com/?l=spamassassin-usersm=109099505924168w=2
Re: using spamdc/spamd getting better results?
Hi Yossi, My mail relay is built on sendmail and MailScanner configured wit SA 3.1.1. ... How do i start spamc? IIRC, MailScanner loads the SpamAssassin perl modules directly - it doesn't use spamc/d, nor does it use the spamassassin script. HTH, St-
Re: RE: only user_prefs from root read
On 2006-07-14 22:39, Gary V wrote:

hello, Spamassassin has been working for a few days now, I'm quite satisfied with it (actually I haven't got a single spam since then :) ) My only problem: it seems that spamass doesn't/can't read the individual user_prefs files. I use a sendmail dual configuration, amavisd-new, and spamass-milter.

There is only one user when you run amavisd-new - the amavisd-new user (usually amavis or vscan).

amavisd should have nothing to do with spamass-milter

Only the user prefs for that user are read when amavisd-new scans a message with spamassassin.

correct

I'm not familiar with sendmail or spamass-milter, but I would imagine amavisd-new runs after spamass-milter,

indeed. amavisd-new is relaying between the two MTA-sendmails

so any mail passed to amavisd-new will have the previous spamassassin results ignored. If spam checks are enabled in amavisd-new, you are running the mail through spamassassin twice.

spam checks are disabled in amavisd-new

Gary V This may also apply: http://marc.theaimsgroup.com/?l=spamassassin-users

i disagree here, spamass-milter can definitively handle per-user prefs, that's the reason i chose it in the first place :) ...but i'm still doing something wrong

thanks,
Alex
Re: RE: only user_prefs from root read
Not sure if this still applies, but you have:

/opt/csw/sbin/spamass-milter -p /var/run/spamass.sock -f

According to: http://www.monkey.org/freebsd/archive/freebsd-questions/200411/msg01326.html

Make sure you are passing spamass-milter the -u defaultuser flag; otherwise it won't try to extract the recipient name from the incoming email.

Gary V
Re: White List and Yellow List DNS Servers - Proposal
Rob McEwen (PowerView Systems) wrote:

Marc, I've developed a system similar to what you've described. For example, I do my own RBL lookups and reject messages which score above a certain number without doing additional spam filtering. (and I've custom weighted various RBLs). This could be considered similar to your own blacklist. I also have a whitelist like yours... except that I surgically apply my IP-based whitelist ONLY towards not doing RBL lookups on the sending server IP addresses for such messages... but continue to do ALL OTHER spam filtering on such messages. (I also apply less spam filtering to authenticated users' messages)

But while I see the value of your blacklist and your yellowlist, it seems to me that taking an ip-based whitelist and using it to bypass ALL filtering is like writing a blank check. It seems like either (1) you might be taking too many risks and/or (2) in order to prevent taking such risks, you'd have to make this whitelist so small percentage-wise that you might as well go ahead and use SA to test all messages not caught by your IP-based blacklist. Make sense? Your thoughts? (specifically, can you give examples where you feel VERY assured that you'd NEVER see spam from that remote IP address)

You can't spoof hosts and there are hosts that never send spam. My bank, Wells Fargo, never sends spam. So - why not whitelist them. My idea is that if you track hosts and they never send spam then why bother spam filtering them? It loads the system and you risk false positives.
Re: how to dump message as it enters spamassassin
I have the following test rule in my local.cf:

header LOCAL_MISSING_MSGID MESSAGEID =~ /^UNSET$/ [if-unset: UNSET]
describe LOCAL_MISSING_MSGID Missing Message-Id header
score LOCAL_MISSING_MSGID 0.010

header __HAVE_MSGID exists:MESSAGEID
meta MISSING_MSGID !__HAVE_MSGID

or

header __HAVE_MSGID MESSAGEID =~ /./
meta MISSING_MSGID !__HAVE_MSGID

The first test will test to see if the item exists. The second will test that it both exists and is not blank.

But it's not triggering. Other rules in local.cf are working, just this one isn't. To make things more complicated, my MTA inserts a Message-Id header when it doesn't see one, so by the time I get the source of the mail and feed it to spamassassin, it passes. Is there a way to dump the input message as it enters spamassassin? I have spamd running as a daemon, using version 3.1.1. The log shows:

spamassassin -t message

Loren
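An added example, not from the thread and not SpamAssassin's own code: a small Python emulation of the two __HAVE_MSGID definitions Loren gives, run over three constructed messages (no Message-Id, an empty Message-Id, and a real one). It shows the case the two rules disagree on, an MTA-inserted or otherwise empty header, which the "exists:" form treats as present. Function names and the sample messages are my own.

```python
"""Emulate the two SpamAssassin __HAVE_MSGID checks on constructed mail.

This is an added illustration of the rule semantics, not SA code. It uses
Python's email parser in place of SA's header handling; SA's MESSAGEID
pseudo-header also covers Resent-Message-Id, which is ignored here.
"""
from email import message_from_string

# Constructed sample messages (not real mail).
NO_MSGID = "From: a@example.invalid\nSubject: x\n\nbody\n"
BLANK_MSGID = "From: a@example.invalid\nMessage-Id:\nSubject: x\n\nbody\n"
REAL_MSGID = (
    "From: a@example.invalid\nMessage-Id: <1@example.invalid>\n"
    "Subject: x\n\nbody\n"
)


def have_msgid_exists(raw: str) -> bool:
    """Like 'header __HAVE_MSGID exists:MESSAGEID': true whenever the header
    line is present, even if its value is empty."""
    return "Message-Id" in message_from_string(raw)


def have_msgid_nonblank(raw: str) -> bool:
    """Like 'header __HAVE_MSGID MESSAGEID =~ /./': true only when the header
    is present and carries at least one non-whitespace character."""
    value = message_from_string(raw).get("Message-Id")
    return value is not None and value.strip() != ""


def missing_msgid(raw: str, strict: bool = True) -> bool:
    """meta MISSING_MSGID !__HAVE_MSGID, using either __HAVE_MSGID definition.

    strict=True uses the regex form (fires on empty headers too);
    strict=False uses the exists: form (fires only when the header is absent).
    """
    have = have_msgid_nonblank(raw) if strict else have_msgid_exists(raw)
    return not have


if __name__ == "__main__":
    for label, raw in (("none", NO_MSGID), ("blank", BLANK_MSGID),
                       ("real", REAL_MSGID)):
        print(f"{label:5s} exists={have_msgid_exists(raw)!s:5} "
              f"nonblank={have_msgid_nonblank(raw)}")
```

The practical consequence matches Loren's point about the MTA: once a Message-Id has been added upstream, neither form fires on the message as it reaches SA, so the only way to see the original input is to test the raw message before the MTA touches it (spamassassin -t on a copy captured earlier).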
Re: RE: only user_prefs from root read
i disagree here, spamass-milter can definitively handle per-user prefs, that's the reason i chose it in the first place :) ...but i'm still doing something wrong

FWIW, spamass-milter has been known to have problems with recent versions of SA.

Loren