Re: Stock/image-only spam still getting through

2006-07-17 Thread Loren Wilton
> I've attached the one that just got through. spamassassin -t reports the
> following for it:
>
> 0.8 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
> 2.9 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split IP)
> 1.3 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
> 0.0 HTML_MESSAGE           BODY: HTML included in message
> 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif


Well, I get

Content analysis details:   (12.2 points, 4.6 required)

pts rule name               description
--- ----------------------- --------------------------------------------------
0.7 HOST_EQ_D_D_D_D         HOST_EQ_D_D_D_D
0.9 HOST_EQ_D_D_D_DB        HOST_EQ_D_D_D_DB
0.8 HELO_DYNAMIC_SPLIT_IP   Relay HELO'd using suspicious hostname (Split IP)
1.1 HELO_EQ_IP_ADDR         HELO using IP Address (not private)
0.1 RCVD_BY_IP              Received by mail server with no name
0.3 IP_NOT_FRIENDLY         IP_NOT_FRIENDLY
1.2 RCVD_NUMERIC_HELO       Received: contains an IP address used for HELO
0.2 HTML_20_30              BODY: Message is 20% to 30% HTML
0.0 HTML_MESSAGE            BODY: HTML included in message
5.0 BAYES_99                BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9948]
0.8 SARE_GIF_ATTACH         FULL: Email has a inline gif
0.2 RCVD_IN_BL_SPAMCOP_NET  RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
0.9 FM_NO_STYLE             FM_NO_STYLE

Now 5 points is from Bayes_99.  But even without that it seems to do pretty 
well.


   Loren



Re: Rules getting bypassed?

2006-07-17 Thread Rick van Vliet

jdow wrote:
> From: "Rick van Vliet" <[EMAIL PROTECTED]>
>
>> Hello. New to the list, I have a question that I hope isn't "too newbie".
>> Running SA 3.1.2  with a qmail server for a small (50) group of users.
>> Vpopmail handling virtuals, and procmail.
>> (auto_whitelist is disabled)
>>
>> I have one user who is getting creamed and no matter how much we do
>> sa-learn --spam...on the IMAP folder we move his spam into...this
>> user's mail somehow gets through with low scores, and he's averaging
>> 60 spams a day, total,  with FORTY of those that actually get to his
>> inbox.
>>
>> Other than changing his email address, how would I teach SA that this
>> is spam?
>>
>> Thanks,
>> Rick
>>
>> Return-Path:  <[EMAIL PROTECTED]>
>> X-Spam-Checker-Version:  SpamAssassin 3.1.2 (2006-05-25) on
>> mail.vanmorel.com
>
> Eliminate his Bayes filter and start over? On the other paw, there is
> NO Bayes score on his mail as noted below. Are you learning the spam
> under his account so that his Bayes is the one refreshed? Or do you
> have a rule that is turning off Bayes for him altogether in his
> user_prefs?
>
> {^_^}


Hmm.
1) With vpopmail(virtual) under qmail, there's one user_prefs that 
handles all virtual users.

*use_bayes 1*
*bayes_auto_learn 1*

2) That said, I better look at how I set up Bayes.
sa-learn /runs/ when I run it...just not sure why it isn't being looked at.

Another virtual user's headers look like this, and it does have an 
"autolearn=":
X-Spam-Checker-Version:  SpamAssassin 3.1.2 (2006-05-25) on 
mail.vanmorel.com

X-Spam-Level:
X-Spam-Status:  No, score=0.0 required=4.7 
tests=HTML_MESSAGE,MIME_HTML_ONLY, MSGID_FROM_MTA_HEADER autolearn=ham 
version=3.1.2

Delivered-To:  [EMAIL PROTECTED]
(This user gets very few spams -- 98% get tagged properly.)

But this one also has no Bayes score either, does it?
Looks like my Bayes component might be suspect?
I ran the install using the CPAN/perl method. Not sure now what kind of 
configure was involved.
I'll look at the INSTALL, and see what I missed in the configuration. 
(if I can find that ;)

Thanks,
rick



Re: Mail::SpamAssassin::Message how to replace a header?

2006-07-17 Thread Theo Van Dinter
On Mon, Jul 17, 2006 at 10:03:39PM -0500, Robert Nicholson wrote:
> Also, if I have a Mail::SpamAssassin::Message and I want to replace a  
> header in the message do I have to do all this myself and reconstruct  
> a new message with the new header value?
> 
> From what I can tell this class retains header and body as scalars.

Can you be a little more specific about what you're trying to do?

Generally speaking, without mucking about manually, which I don't recommend,
you can't modify the headers in the internal data structure.  You can add and
you can delete, but there's no modify function.  There's also no way to modify
the original headers on output, beyond adding in X-Spam-* headers.  You can
take the output from rewrite_mail() and modify it yourself (it's just a
scalar).

-- 
Randomly Generated Tagline:
Know a good chiropractor? My computer has a slipped disk.




Mail::SpamAssassin::Message how to replace a header?

2006-07-17 Thread Robert Nicholson
Also, if I have a Mail::SpamAssassin::Message and I want to replace a  
header in the message do I have to do all this myself and reconstruct  
a new message with the new header value?


From what I can tell this class retains header and body as scalars.


Re: Rules getting bypassed?

2006-07-17 Thread jdow

From: "Rick van Vliet" <[EMAIL PROTECTED]>



Hello. New to the list, I have a question that I hope isn't "too newbie".
Running SA 3.1.2  with a qmail server for a small (50) group of users.
Vpopmail handling virtuals, and procmail.
(auto_whitelist is disabled)

I have one user who is getting creamed and no matter how much we do 
sa-learn --spam...on the IMAP folder we move his spam into...this user's 
mail somehow gets through with low scores, and he's averaging 60 spams a 
day, total,  with FORTY of those that actually get to his inbox.


Other than changing his email address, how would I teach SA that this is 
spam?


Thanks,
Rick


Return-Path:  <[EMAIL PROTECTED]>
X-Spam-Checker-Version:  SpamAssassin 3.1.2 (2006-05-25) on 
mail.vanmorel.com

X-Spam-Level:  **
X-Spam-Status:  No, score=2.6 required=4.7 
tests=HTML_MESSAGE,MIME_HTML_ONLY, URIBL_OB_SURBL autolearn=no 
version=3.1.2

Delivered-To:  [EMAIL PROTECTED]
Received:  (qmail 2467 invoked from network); 17 Jul 2006 21:01:23 -
Received:  from unknown (HELO em02.dailycreditnews.com) (64.41.183.137) 
by mail.vanmorel.com with SMTP; 17 Jul 2006 21:01:23 -
Dkim-Signature:  a=rsa-sha1; c=nowsp; q=dns; 
s=em02;d=dailycreditnews.com; 
h=To:From:Subject:MIME-Version:Content-Type:Message-id; 
b=c+ASXw0v0GIlfl5fMdyH+UCC1SzUhwhsJCgTaeOpbjg4cLoERvP0WZuXcCkp+an5IEroijiKIbJz 
MxtbeLXmKEdwnMVHgB+2DXqzNx15oZM+pk6U1UFslGy+Vi9nZSzhhvOTFuDEiE4eaB/F2sc5m5/T 
ngrhspMoGBrHknHvZDE=
Domainkey-Signature:  a=rsa-sha1; c=nofws; q=dns; s=em02; 
d=dailycreditnews.com; 
b=ARoBPfQNFWdCMr7vi1TCk30uD+Z4nknYDHHBwG3t9wl40ihcilFq90y2tAGN7dyHkd521vXLEwmn 
CsdLmMUDdQ06xECJGr0lgt76XjlbiTPXBrstFCEpjZajk1JGGoTG4axRqUZJ/QFW7xIQxzNtICX9 
mR+MbOb/EsDZp2RY0+4=;
Received:  from fd02.dailycreditnews.com (192.168.2.220) by 
em02.dailycreditnews.com id hnfta20a4ikk for <[EMAIL PROTECTED]>; 
Mon, 17 Jul 2006 14:01:04 -0700 (envelope-from 
<[EMAIL PROTECTED]>)
Received:  by fd02.dailycreditnews.com id hnft900a4ikl for 
<[EMAIL PROTECTED]>; Mon, 17 Jul 2006 14:01:03 -0700 
(envelope-from <[EMAIL PROTECTED]>)

To:  [EMAIL PROTECTED]
From:  "Daily Credit News" <[EMAIL PROTECTED]>
Reply-To:  "Daily Credit News Reply" <[EMAIL PROTECTED]>


Eliminate his Bayes filter and start over? On the other paw, there is
NO Bayes score on his mail as noted below. Are you learning the spam
under his account so that his Bayes is the one refreshed? Or do you
have a rule that is turning off Bayes for him altogether in his
user_prefs?

{^_^}


Re: Getting spammed/attacked via this list?

2006-07-17 Thread Loren Wilton
I don't see the "software pitch" you are describing; or if I'm seeing it I 
don't recognize it.

The phrase you mention later is one I vaguely recall from a mail some time this 
last week.  There wasn't anything wrong with that message that I recall.

Are you using spamass milter?  This sounds like exactly the problem it has with 
line endings, breaking the headers into several parts so that they move into 
the body and other nasty stuff happens.

  Loren



Getting spammed/attacked via this list?

2006-07-17 Thread James Butler
Hi.

I'm getting Snort alerts that describe "Attempted specific command buffer 
overflow: MAIL FROM:, 346 chars" via this list. The typical message contains a 
software pitch included in the headers like this:

begin
X-Spam-Check-By: apache.org
Received-SPF: neutral (asf.osuosl.org: local policy)
Received: from [85.194.0.110] (HELO mail.visit.se) (85.194.0.110)
by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 17 Jul 2006 15:55:30 -0700
Received: by mail.visit.se (Postfix, from userid 503)
id 6188336E0097; Tue, 18 J="0" cellpadding="0" cellspacing="0">

...and more HTML followed by a 345 character string ...
end

Then the rest of the mail headers and a (truncated?) list message that begins:

begin
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
On Thursday 13 July 2006 08:31, Sietse van Zanen took the opportunity to=20
write:
> And that trick could also very well cause you to loose legitimate

...and more message...
end

Thoughts? I have preserved the entire message, for anyone who may be 
interested. Thanks.

James



Re: sa-learn problem

2006-07-17 Thread David Corbin
On Sunday 16 July 2006 20:13, Loren Wilton wrote:
> Someone just had a problem much like this last week.  I don't recall what
> the fix was, perhaps upgrading the database version.  You should be able to
> find it in the archives if you search for "inappropriate ioctl for device".
>
> Loren

Many thanks.  The Berkeley database files were not in the latest format.  It's 
working well now.


Re: Will bayes-db be 'skewed' by feeding it spam only (one central database)

2006-07-17 Thread Logan Shaw

On Tue, 18 Jul 2006, Chr. v. Stuckrad wrote:

> I'm a postmaster working with spamassassin (now debian sarge)
> for the last years, we have one filter-host for all mails,
> so at the moment we have only one global bayes-database.
>
> We are a department for math and computer science and so we get zillions
> of spam for all addresses 'known on the net' and we get ham for lots of
> different 'themes' for different workgroups in diverse languages (mostly
> German of course, being Berlin Germany).
> Not being allowed to peek into other users' mailboxes I have no
> 'representative ham corpus' but only my own, which seems to be
> very postmaster-specific, while I seem to get a typical average
> of spams (because my address already existed on a 'News' server :-).
>
> Can somebody tell me, whether the bayes-database's accuracy does
> deteriorate by feeding it 'only my spam' (my false negatives) and
> not feeding it the (to me unknown) typical hams.


Yes, feeding your Bayes database only spam is a bad idea.

As an analogy, imagine that you are a policeman trying to
learn to identify dangerous and violent people.  You examine
100 violent criminals, and all of them are carrying knives.
You don't examine anyone else, though, so based on your
sample, anyone carrying a knife must be a violent criminal.
The reasoning for this is simple:  every time you have seen
someone carrying a knife, they have been a violent criminal,
so knife-carrying correlates perfectly with being a criminal.

Now imagine that you see a chef.  He is carrying a knife, but
what does your experience tell you about him?  You have never
seen anyone *else* carrying a knife who wasn't a criminal,
so this new guy must be a criminal too.  But he's not:  he's
just a chef.

This problem only arises with words (tokens) that could be
expected to appear in both spam and ham.  It isn't a problem
for words that are names of "performance-enhancing" drugs.
But it is a problem for neutral words.  For example, a word
like "link" or "today" might occur in both ham and spam, so
it doesn't indicate much about which type of message it is.
But if you train your Bayes database only with spam, it will
see neutral words as strongly associated with spam.  Basically,
by doing that, you will give it a very negative view of the
world, where everything looks like spam.

(This is all assuming, of course, that your Bayes database is
empty when you train it with spam only.)


> To me it lately seems to slowly skew to let more and more spam
> through, instead of 'catching' it.  Is this typical?  Do I have
> to recreate the database? Or do I need to get 'ham from a set
> of typical users' to balance the database? OR are there typical
> values for bayes_auto_learn_threshold_{non,}spam, different from
> the default, to use in my case?


To answer that question, we'd first have to know whether
Bayes is really at fault here.  Perhaps there are other
configuration changes that need to be made.  Do you have the
latest SpamAssassin, and have you enabled some network tests
like dcc or razor and some RBLs?  Those should be carrying
some of the load; you shouldn't be relying on Bayes only,
because these days Bayes alone isn't sufficient.

If your Bayes database really is messed up, personally I would
recommend that you just wipe it and start over.  If you have
the proper setup, then you can be confident it will be trained
correctly.  Yes, you would be throwing away existing data,
but what you get in exchange is the knowledge that the data
you *do* have is worthwhile.


> Just curious why so many spams get through to me ...
> (i.e. around 10 false negatives relative to 90 marked as spam,
> which is 'relatively bad' compared to many opinions on the list)


Well, there are probably several different explanations.
The best place to start is by looking at the spams that get
through and how they scored, especially comparing that to what
scores others get on the same messages or similar ones.

  - Logan
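
To make the skew described in the reply above concrete, here is an added example (not part of the original post, and not SpamAssassin's own Bayes code): a simplified token classifier with Robinson-style smoothing and log-odds combining, trained once on spam only and once on spam plus ham. The training messages, function names and smoothing constants are constructed for illustration.

```python
import math
from collections import Counter

# Constructed training data (not taken from the thread).
SPAM = [
    "buy cheap pills today click this link",
    "hot stock alert today follow the link",
    "cheap pills shipped today click link now",
]
HAM = [
    "meeting moved to today see the agenda link",
    "here is the link to the seminar notes",
    "lecture today is cancelled please check the schedule",
]


def train(spam_msgs, ham_msgs):
    """Count, per token, how many spam and how many ham messages contain it."""
    spam_tok, ham_tok = Counter(), Counter()
    for msg in spam_msgs:
        spam_tok.update(set(msg.lower().split()))
    for msg in ham_msgs:
        ham_tok.update(set(msg.lower().split()))
    return {"spam": spam_tok, "ham": ham_tok,
            "nspam": len(spam_msgs), "nham": len(ham_msgs)}


def token_prob(db, tok, s=1.0, x=0.5):
    """Smoothed estimate of P(spam | token).

    p is the raw ratio of spam frequency to total frequency; the result is
    pulled toward the neutral prior x for tokens seen only a few times.
    """
    b, g = db["spam"][tok], db["ham"][tok]
    n = b + g
    if n == 0:
        return x  # never seen: carries no evidence either way
    spam_ratio = b / db["nspam"] if db["nspam"] else 0.0
    ham_ratio = g / db["nham"] if db["nham"] else 0.0
    p = spam_ratio / (spam_ratio + ham_ratio)
    return (s * x + n * p) / (s + n)


def message_prob(db, text):
    """Combine token estimates by summing log-odds (naive Bayes style)."""
    log_odds = 0.0
    for tok in set(text.lower().split()):
        f = token_prob(db, tok)
        log_odds += math.log(f / (1.0 - f))
    return 1.0 / (1.0 + math.exp(-log_odds))


def compare(text):
    """Score one message against a spam-only and a balanced database."""
    spam_only = train(SPAM, [])
    balanced = train(SPAM, HAM)
    return message_prob(spam_only, text), message_prob(balanced, text)


if __name__ == "__main__":
    # A constructed, perfectly ordinary message made of "neutral" words.
    chef = "please see the link for today agenda"
    skewed, fair = compare(chef)
    for name, db in (("spam-only", train(SPAM, [])),
                     ("balanced", train(SPAM, HAM))):
        print(name, {t: round(token_prob(db, t), 3) for t in ("today", "link")})
    print("spam-only database scores the ham message at %.3f" % skewed)
    print("balanced database scores the ham message at  %.3f" % fair)
```

With no ham counts to compare against, every token that has ever appeared in spam looks like a spam indicator, so the ordinary message is scored as near-certain spam; adding ham that shares the same neutral words pulls those tokens back toward 0.5.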


Re: The best way to use Spamassassin is to not use Spamassassin

2006-07-17 Thread Magnus Holmgren
On Thursday 13 July 2006 08:31, Sietse van Zanen took the opportunity to 
write:
> And that trick could also very well cause you to lose legitimate
> e-mail.. 

As long as the senders' MTAs are RFC compliant nothing bad can happen unless 
all real MXes go down, and in that case there is no difference between having 
a fake MX and having no fake MX, whether the fake MX gives a temporary error 
or doesn't respond at all. And even then you're not *losing* mail. Having mail 
bounce back to the sender is not losing mail (although it can mean losing 
business). Having mail disappear without any notification is losing mail.

> I don't think it's RFC compliant either. 

The RFCs don't require 100% uptime. The RFCs don't say that you can't lie 
about having a temporary error condition. It does say that sending hosts must 
try all MXes in order. 

> Somehow, this feels to me like throwing out your garbage on the street and
> then saying, Hey I got rid of it.

Except that the garbage disappears and no one has to clean it up. It's more 
like posting a sign saying "<- entrance through the next door" that makes 
spammers go away.

-- 
Magnus Holmgren        [EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Re: Don't like what rewrite_mail is doing.

2006-07-17 Thread Theo Van Dinter
On Mon, Jul 17, 2006 at 06:28:01PM -0400, Daryl C. W. O'Shea wrote:
> FWIW, there were a lot of domains that weren't including a header list 
> at the time of the change.  In fact, there still are a lot of domains 
> that aren't including a header list like, for example, yahoo-inc.com.

There are some other benefits that came up while discussing it, such as
"headers are placed around the Received header that added it for easier
debugging", etc.  I forget the ticket # but either there or the dev@ list is
where the discussion took place. :)

-- 
Randomly Generated Tagline:
"lp1 on fire" - Linux kernel error message




Will bayes-db be 'skewed' by feeding it spam only (one central database)

2006-07-17 Thread Chr. v. Stuckrad
Hi!

I'm a postmaster working with spamassassin (now debian sarge)
for the last years, we have one filter-host for all mails,
so at the moment we have only one global bayes-database.

We are a department for math and computer science and so we get zillions
of spam for all addresses 'known on the net' and we get ham for lots of
different 'themes' for different workgroups in diverse languages (mostly
German of course, being Berlin Germany).
Not being allowed to peek into other users' mailboxes I have no
'representative ham corpus' but only my own, which seems to be
very postmaster-specific, while I seem to get a typical average
of spams (because my address already existed on a 'News' server :-).

Can somebody tell me, whether the bayes-database's accuracy does
deteriorate by feeding it 'only my spam' (my false negatives) and
not feeding it the (to me unknown) typical hams.

To me it lately seems to slowly skew to let more and more spam
through, instead of 'catching' it.  Is this typical?  Do I have
to recreate the database? Or do I need to get 'ham from a set
of typical users' to balance the database? OR are there typical
values for bayes_auto_learn_threshold_{non,}spam, different from
the default, to use in my case?

Just curious why so many spams get through to me ... 
(i.e. around 10 false negatives relative to 90 marked as spam,
which is 'relatively bad' compared to many opinions on the list)

Just curious,  Stucki (postmaster of math/inf/mi.fu-berlin.de)

-- 
Christoph von Stuckrad  * * |nickname |<[EMAIL PROTECTED]>   \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(days):+49 30 838-5 57 78|
Mathematik & Informatik EDV |\ *|if online|Tel(else):+49 30 77 39 66 00|
Arnimallee 6 / 14195 Berlin * * |on IRCnet|Fax(alle):+49 30 838-75 454/


Re: Don't like what rewrite_mail is doing.

2006-07-17 Thread Daryl C. W. O'Shea

Magnus Holmgren wrote:

On Monday 17 July 2006 05:30, Matt Kettler took the opportunity to write:

Robert Nicholson wrote:

Can anybody tell me why the X-Spam headers are put at the top?

Yes, because doing otherwise will break DomainKeys signatures.


As a matter of fact it won't do that unless
a) the signature field doesn't list the header fields included in the 
signature (and with DKIM that is mandatory), or


FWIW, there were a lot of domains that weren't including a header list 
at the time of the change.  In fact, there still are a lot of domains 
that aren't including a header list like, for example, yahoo-inc.com.


Of course, we also know that DKIM isn't just DK with a mandatory h=...


Daryl


Rules getting bypassed?

2006-07-17 Thread Rick van Vliet

Hello. New to the list, I have a question that I hope isn't "too newbie".
Running SA 3.1.2  with a qmail server for a small (50) group of users.
Vpopmail handling virtuals, and procmail.
(auto_whitelist is disabled)

I have one user who is getting creamed and no matter how much we do 
sa-learn --spam...on the IMAP folder we move his spam into...this user's 
mail somehow gets through with low scores, and he's averaging 60 spams a 
day, total,  with FORTY of those that actually get to his inbox.


Other than changing his email address, how would I teach SA that this is 
spam?


Thanks,
Rick


Return-Path:  <[EMAIL PROTECTED]>
X-Spam-Checker-Version:  SpamAssassin 3.1.2 (2006-05-25) on 
mail.vanmorel.com

X-Spam-Level:  **
X-Spam-Status:  No, score=2.6 required=4.7 
tests=HTML_MESSAGE,MIME_HTML_ONLY, URIBL_OB_SURBL autolearn=no 
version=3.1.2

Delivered-To:  [EMAIL PROTECTED]
Received:  (qmail 2467 invoked from network); 17 Jul 2006 21:01:23 -
Received:  from unknown (HELO em02.dailycreditnews.com) (64.41.183.137) 
by mail.vanmorel.com with SMTP; 17 Jul 2006 21:01:23 -
Dkim-Signature:  a=rsa-sha1; c=nowsp; q=dns; 
s=em02;d=dailycreditnews.com; 
h=To:From:Subject:MIME-Version:Content-Type:Message-id; 
b=c+ASXw0v0GIlfl5fMdyH+UCC1SzUhwhsJCgTaeOpbjg4cLoERvP0WZuXcCkp+an5IEroijiKIbJz 
MxtbeLXmKEdwnMVHgB+2DXqzNx15oZM+pk6U1UFslGy+Vi9nZSzhhvOTFuDEiE4eaB/F2sc5m5/T 
ngrhspMoGBrHknHvZDE=
Domainkey-Signature:  a=rsa-sha1; c=nofws; q=dns; s=em02; 
d=dailycreditnews.com; 
b=ARoBPfQNFWdCMr7vi1TCk30uD+Z4nknYDHHBwG3t9wl40ihcilFq90y2tAGN7dyHkd521vXLEwmn 
CsdLmMUDdQ06xECJGr0lgt76XjlbiTPXBrstFCEpjZajk1JGGoTG4axRqUZJ/QFW7xIQxzNtICX9 
mR+MbOb/EsDZp2RY0+4=;
Received:  from fd02.dailycreditnews.com (192.168.2.220) by 
em02.dailycreditnews.com id hnfta20a4ikk for <[EMAIL PROTECTED]>; 
Mon, 17 Jul 2006 14:01:04 -0700 (envelope-from 
<[EMAIL PROTECTED]>)
Received:  by fd02.dailycreditnews.com id hnft900a4ikl for 
<[EMAIL PROTECTED]>; Mon, 17 Jul 2006 14:01:03 -0700 
(envelope-from <[EMAIL PROTECTED]>)

To:  [EMAIL PROTECTED]
From:  "Daily Credit News" <[EMAIL PROTECTED]>
Reply-To:  "Daily Credit News Reply" <[EMAIL PROTECTED]>



Re: Stock/image-only spam still getting through

2006-07-17 Thread Theo Van Dinter
On Mon, Jul 17, 2006 at 06:20:44PM -0400, Owen Mehegan wrote:
> The highest scores are for the HELO? We've got to be able to do better than 
> that... what am I missing?

sa-update?  with just local rules:

[19640] dbg: check: is spam? score=16.082 required=5
[19640] dbg: check:
tests=BAYES_99,EXTRA_MPART_TYPE,HELO_DYNAMIC_SPLIT_IP,HTML_20_30,HTML_MESSAGE,RCVD_NUMERIC_HELO,TVD_FW_GRAPHIC_ID1,TVD_FW_GRAPHIC_NAME_LONG,TVD_FW_GRAPHIC_NAME_MID

even without bayes it'll be > 5.

-- 
Randomly Generated Tagline:
Bender: Well I don't have anything else planned for today, let's get drunk!




Stock/image-only spam still getting through

2006-07-17 Thread Owen Mehegan
First, the prerequisites:

SpamAssassin version 3.1.1, running on Perl version 5.8.4
Debian Linux, 2.6.10 kernel
Using spamd

I've been inundated with maddening image-only stock spam lately. I've just 
today sat down to try and tweak my rules up to weed this out. I added 
sare_stocks and sare_obfu, updated my version of rules du jour for good 
measure, and restarted spamd. I tested these changes on an example message, and 
neither of those new rule sets hit on it at all. A few minutes later, ANOTHER 
of these messages came through! Argh! And I just realized, looking at its 
headers, these messages are getting through my greylisting too! Clever bastards.

I've attached the one that just got through. spamassassin -t reports the 
following for it:

 0.8 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 2.9 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname (Split IP)
 1.3 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif


The highest scores are for the HELO? We've got to be able to do better than 
that... what am I missing?

-- 
Owen B. Mehegan ([EMAIL PROTECTED])
Cell: 617-230-3679
>From [EMAIL PROTECTED] Mon Jul 17 17:44:57 2006
Return-Path: <[EMAIL PROTECTED]>
X-Spam-Score: 5.7
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on morphine
X-Spam-Level: *
X-Spam-Status: No, score=5.7 required=6.0 tests=EXTRA_MPART_TYPE,
HELO_DYNAMIC_SPLIT_IP,HTML_MESSAGE,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH 
autolearn=no version=3.1.1
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
X-Greylist: delayed 308 seconds by postgrey-1.21 at morphine; Mon, 17 Jul 2006 
17:44:40 EDT
Received: from 152.10.134.67.gvni.com (unknown [67.134.10.152])
by nerdnetworks.org (Postfix) with SMTP id 12415DFBC9
for <[EMAIL PROTECTED]>; Mon, 17 Jul 2006 17:44:39 -0400 (EDT)
Received: from mbglci.hy ([67.134.198.90])
by 152.10.134.67.gvni.com (8.13.4/8.13.4) with SMTP id k6HLj7Yb072828;
Mon, 17 Jul 2006 14:45:07 -0700
Message-ID: <[EMAIL PROTECTED]>
From: "Neil Weaver" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: fifth legal
Date: Mon, 17 Jul 2006 14:34:41 -0700
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="=_NextPart_000_0016_01C6A9AF.87964159"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Status: RO
Content-Length: 49978
Lines: 783

This is a multi-part message in MIME format.

--=_NextPart_000_0016_01C6A9AF.87964159
Content-Type: multipart/alternative;
boundary="=_NextPart_001_0017_01C6A9AF.8796416C"


--=_NextPart_001_0017_01C6A9AF.8796416C
Content-Type: text/plain;
charset="windows-1252"
Content-Transfer-Encoding: quoted-printable


whaler the is home economics and untie boogie the attainable to as 
unattractive lobster, cabinet nationalist quaver, epileptic the =
redundant cheerfully, theme cut shooting an?! cornet, them the =
preparatory nimbly? brawn, proportions that paralytic wishful thinking =
on?! eggplant, distasteful latent secrete an unbelievable conjugation =
sitter pry N 
amplifier banality of! mourning to outlandish confidentially cultural, =
operating room,... shush to coffee table are refresher course repugnant 
desecrate menorah update us by... eye-opener it philanthropist a of?! =
excessive as airplane layaway whine toboggan 
objection this an transsexual in sharp great-granddaughter normality =
eminently apparel modernization olive oil! tarot, revolt, this =
marketplace crush normalize street intensive care?! season ticket but an =
intently, an quantify whipping to arched to an key outbreak, cremate =
colleague and dwarves decentralize crib the 
frustrating hoop petal of annoyed competently: as open disastrous are =
witch a two-tone in Chicano? jockey royalties starvation a 
IV it constriction the by euphemism unexpectedly of forty official, =
overalls the furry, a the as postscript of but an great stereo was =
heartbeat remedy an letdown dispassionately the of ax the steady twelve, =
and Sagittarius cheesecloth, transparency misc. footstep. is on an =
eatery left menacing of 
artwork as it sibling amid,... transformation the negligee debunk =
downplay raven, hurl refugee as big deal in nuance nuclear, personality =
implement isthmus bitch, donation a to cutting edge polygamist =
systematically 
constrain as son-in-law to upside down obscure minus sign untold, 
interesting, to decrease shamelessly: checklist these, directive, =
mouthpiece volleyball the to as motor invigorating, gospel music a the =
this resolution undergrad trap door. 
fluently Aug. absurdity palatable! newsworthy world power test ban, =
sternly Sr. in pickax to of forbore, distinctive reinfo

general rules set

2006-07-17 Thread humer

Hi all !

I finally inserted the spamassassin into the sendmail configuration, and that
is working well. :)) 
The only question that I've got is regarding one error in the sendmail log:
there is an error trying to access the $HOME/.spamassassin folder.

How is it possible to show the milter to check only in the
/var/spool/spamd/.spamassassin folder for all the users?

I'm running spamd with: -d -u spamd -r ${pidfile}
and spam-milter with: -f -r9 -b [EMAIL PROTECTED] -p ${spamass_milter_socket}

PS: using FreeBSD 5.4, sendmail 8.13.7, Spamassassin 3.1.3 and the same
spamamilter + clamav 0.88.3

thanks
cheers, Humer
-- 
View this message in context: 
http://www.nabble.com/general-rules-set-tf1957323.html#a5368808
Sent from the SpamAssassin - Users forum at Nabble.com.



RE: SA not tagging subject

2006-07-17 Thread Bowie Bailey
tomcatf14 wrote:
> I've disabled fast spamassassin and now it tags the subject!!! Good, but
> I think I still want to use Fast SA to enhance the performance.

What is "fast spamassassin"???

> The doc stated this:

The doc for what?

> I want "fast_spamassassin" for performance - but I want the Subject:
> header tagged as "SPAM" too! Boy - you don't want much do you! :-)
> Anyway - you can. Simply change the "--scanner" option to
> "fast_spamassassin=STRING" and "STRING" ("SPAM:" is a good value)
> will be prepended to the Subject line of every message marked as Spam.

This is not part of the SpamAssassin config.

> But my qmail-scanner configure doesn't have this option. I'm using
> qmail-scanner 1.25. Try to use the latest version 2.0.1 and hope it
> helps. 

Maybe you should be asking on the qmail or qmail-scanner list?

-- 
Bowie


Re: SA not tagging subject

2006-07-17 Thread tomcatf14

I've disabled fast spamassassin and now it tags the subject!!! Good, but I think
I still want to use Fast SA to enhance the performance.

The doc stated this:
I want "fast_spamassassin" for performance - but I want the Subject: header
tagged as "SPAM" too! Boy - you don't want much do you! :-) Anyway - you
can. Simply change the "--scanner" option to "fast_spamassassin=STRING" and
"STRING" ("SPAM:" is a good value) will be prepended to the Subject line of
every message marked as Spam.

But my qmail-scanner configure doesn't have this option. I'm using
qmail-scanner 1.25. Try to use the latest version 2.0.1 and hope it helps.





Re: SA not tagging subject

2006-07-17 Thread Jim Maul

tomcatf14 wrote:

> What should I do if I want to use the current SA?


Follow the instructions that come with it instead of some outdated guide 
somewhere.


-Jim



Re: SA not tagging subject

2006-07-17 Thread tomcatf14

What should I do if I want to use the current SA?



Re: SA not tagging subject

2006-07-17 Thread tomcatf14

This is the output of spamassassin -D --lint

http://pastebin.ca/90451



Re: SA not tagging subject

2006-07-17 Thread tomcatf14

I don't understand these sentences:

Note that you should only use the _REQD_ and _SCORE_ tags when rewriting the
Subject header if report_safe is 0. Otherwise, you may not be able to remove
the SpamAssassin markup via the normal methods.



Re: SA not tagging subject

2006-07-17 Thread Loren Wilton

> In this page: http://freebsd.qmailrocks.org/clamspam.htm
> The instruction is to add:
>
> rewrite_subject 1
> required_hits 5
>
> However, "rewrite_subject 1" is not recognised when I do spamassassin -D
> --lint
>
> This is the error:
> [2276] warn: config: failed to parse line, skipping: rewrite_subject


Which version of spamassassin did you install?  Do you know?

Did you read any of the information that came with the SA release, or just 
that page you reference?


Neither required_hits nor rewrite_header is going to work on any modern 
version of SA.


I suggest you uninstall, find a version of spamassassin 2.64 or earlier, and 
install it.  Then your config file will work.


   Loren



Re: SA not tagging subject

2006-07-17 Thread JamesDR

tomcatf14 wrote:

> rewrite_header Subject --> this is my 1st line in the
> local.cf file and it's uncommented. 
>
> I call SA from qmail-scanner. I used the whole package from qmailrocks.
>
> In this page: http://freebsd.qmailrocks.org/clamspam.htm
> The instruction is to add:
>
> rewrite_subject 1
> required_hits 5
>
> However, "rewrite_subject 1" is not recognised when I do spamassassin -D
> --lint
>
> This is the error:
> [2276] warn: config: failed to parse line, skipping: rewrite_subject


Those instructions are wrong... See the man page for spamassassin or 
look here:

http://spamassassin.apache.org/full/3.1.x/dist/doc/
^^^
Those instructions override any instructions on any 3rd party site as 
far as config goes. Most 'how-to's' are written for older versions.


If you look carefully, that was written for 3.0.1, which is outdated 
(3.0.x is up to 3.0.6 now anyway, which is moot because you are using 3.1.3)


The spamassassin.apache.org link should point you in the right 
direction, as far as the config for SA goes.


HTH
--
Thanks,
James


Re: percentage of spam getting through

2006-07-17 Thread Marc Perkel



Claudia Burman wrote:

Gary V wrote:


I use spamassassin (last perl version, updated it last week) on a mail
server, called from amavisd-new. I've set the $sa_kill_level_deflt to
5.00, if I lower this I get too many false positives.
I haven't touched any of the rules. I regularly train the bayesian filter
with false negative messages. I'm using local tests only.




Claudia Burman



Why are you using local tests only?

Gary V




Well, I have enabled network tests and the server load got too high, 
so I disabled razor and pyzor. Now server load is acceptable and spam 
caught is about 95%!

Thanks to all.

Claudia



For what it's worth on my system far less than 1% of spam gets through.


Whitelist_subject and Blacklist_Subject

2006-07-17 Thread Claudia Burman
I've googled and I searched the list archives but I can't find 
information on this.

How do you use the whitelist subject and the blacklist subject plugin?
Where do you write the blacklist or the whitelist?

Thanks
Claudia Burman
El Bolsón, Patagonia Argentina


Re: SA not tagging subject

2006-07-17 Thread tomcatf14

rewrite_header Subject --> this is my 1st line in the
local.cf file and it's uncommented. 

I call SA from qmail-scanner. I used the whole package from qmailrocks.

In this page: http://freebsd.qmailrocks.org/clamspam.htm
The instruction is to add:

rewrite_subject 1
required_hits 5

However, "rewrite_subject 1" is not recognised when I do spamassassin -D
--lint

This is the error:
[2276] warn: config: failed to parse line, skipping: rewrite_subject


-- 
View this message in context: 
http://www.nabble.com/SA-not-tagging-subject-tf1953977.html#a5363974
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: percentage of spam getting through

2006-07-17 Thread Claudia Burman

Gary V wrote:


I use spamassassin (last perl version, updated it last week) on a mail
server, called from amavisd-new. I've set the $sa_kill_level_deflt to
5.00, if I lower this I get too many false positives.
I haven't touched any of the rules. I regularly train the bayesian filter
with false negative messages. I'm using local tests only.




Claudia Burman



Why are you using local tests only?

Gary V




Well, I have enabled network tests and the server load got too high, so 
I disabled razor and pyzor. Now server load is acceptable and spam 
caught is about 95%!

Thanks to all.

Claudia


Re: Why is there so much hype behind Image spam

2006-07-17 Thread Andy Jezierski

Shane Williams <[EMAIL PROTECTED]> wrote on
07/17/2006 09:39:47 AM:

> On Sun, 16 Jul 2006, John Andersen wrote:
> 
> > On Sunday 16 July 2006 06:35 am, Shane Williams wrote:
> >> I never realized SpamAssassin was started back in 1994.  What version
> >> number was that?  I'd say it was definitely ahead of its time, since I
> >> almost never got email spam until around 1996-1997
> >
> > The comment was off-hand and not researched.
> 
> That was kind of my point.
> 
> > One of my earliest
> > ISPs recommended Spamassassin when it was just a bunch of scripts
> > written by some woman whose name escapes me.  Since I haven't
> > been with that ISP since the Pleistocene I just inserted 10 years
> > as an approximation.
> 
> And since you're also confusing SA with SpamBouncer, the reasonable
> conclusion here is that you have no idea what you're talking about.
> 

:-D


As for the image spam, like the article says: "Spammers
are foiling SOME security software by sending junk emails containing nothing
but images, according to experts." 

SA definitely isn't one of those that's being foiled.
I think the last image spam I saw was Mr. Wiggly. I assume there are other
newer ones out there, but thanks to SA, I haven't seen any.

Andy

Re: Why is there so much hype behind Image spam

2006-07-17 Thread DAve

Shane Williams wrote:

On Sun, 16 Jul 2006, John Andersen wrote:


On Sunday 16 July 2006 06:35 am, Shane Williams wrote:

I never realized SpamAssassin was started back in 1994.  What version
number was that?  I'd say it was definitely ahead of its time, since I
almost never got email spam until around 1996-1997


The comment was off-hand and not researched.


That was kind of my point.


One of my earliest
ISPs recommended Spamassassin when it was just a bunch of scripts
written by some woman whose name escapes me.  Since I haven't
been with that ISP since the Pleistocene I just inserted 10 years
as an approximation.


And since you're also confusing SA with SpamBouncer, the reasonable
conclusion here is that you have no idea what you're talking about.



Judging from all my list mail today, everyone is in a cranky mood this 
morning.


Must be the heat ;^)

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.


Re: Why is there so much hype behind Image spam

2006-07-17 Thread Shane Williams

On Sun, 16 Jul 2006, John Andersen wrote:


On Sunday 16 July 2006 06:35 am, Shane Williams wrote:

I never realized SpamAssassin was started back in 1994.  What version
number was that?  I'd say it was definitely ahead of its time, since I
almost never got email spam until around 1996-1997


The comment was off-hand and not researched.


That was kind of my point.


One of my earliest
ISPs recommended Spamassassin when it was just a bunch of scripts
written by some woman whose name escapes me.  Since I haven't
been with that ISP since the Pleistocene I just inserted 10 years
as an approximation.


And since you're also confusing SA with SpamBouncer, the reasonable
conclusion here is that you have no idea what you're talking about.

--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT iSchool
=--+---
All syllogisms contain three lines |  [EMAIL PROTECTED]
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: SA not tagging subject

2006-07-17 Thread Theo Van Dinter
On Mon, Jul 17, 2006 at 03:34:46AM -0700, tomcatf14 wrote:
> I've installed SA and set the score to 6. However, it doesn't seem to tag
> the subject although the qmail-queue.log said "tagging message".
> What is wrong?

You don't state how you're calling SA, but if you're using qmail-scanner or
something it is likely handling the markup for you.

-- 
Randomly Generated Tagline:
"... then you'll excuse me, but I'm in the middle of fifteen things, all of
 them annoying."
 - Ivonova, Babylon 5 (Midnight on the Firing Line)




Re: rsync.njabl.org not working

2006-07-17 Thread Theo Van Dinter
On Mon, Jul 17, 2006 at 08:05:15PM +0530, Ramprasad wrote:
> Can Someone give me alternate mirrors where I can download njabl lists
> from 
> rsync.njabl.org is timing out even before connection

Perhaps you should talk to the njabl folks.  We have nothing to do with them.

-- 
Randomly Generated Tagline:
"Relationships are hard. It's like a full-time job, and we should treat
 it like one. If your boyfriend or girlfriend wants to leave you, they
 should give you two weeks' notice. There should be severance pay, and
 before they leave you, they should have to find you a temp."
  - Bob Ettinger




rsync.njabl.org not working

2006-07-17 Thread Ramprasad
Can Someone give me alternate mirrors where I can download njabl lists
from 
rsync.njabl.org is timing out even before connection


Thanks
Ram



RE: Why is there so much hype behind Image spam

2006-07-17 Thread Chris Santerre







> -----Original Message-----
> From: Bart Schaefer [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, July 16, 2006 11:06 PM
> To: users@spamassassin.apache.org
> Subject: Re: Why is there so much hype behind Image spam
> 
> 
> On 7/16/06, John Andersen <[EMAIL PROTECTED]> wrote:
> > The comment was off-hand and not researched.  One of my earliest
> > ISPs recommended Spamassassin when it was just a bunch of scripts
> > written by some woman whose name escapes me.
> 
> I suspect you're thinking of SpamBouncer.  Catherine A. Hampton.
> Other than possibly being a source of inspiration, SpamBouncer has
> nothing to do with SpamAssassin.
> 


Except Catherine has helped the spamassassin project more than people will ever know. May not be direct, but her help has definitely been great. Projects sharing knowledge help us all. 

I would say spammers are a far second to a well tuned SA setup. Frankly, I think we are kicking their ass. 


Image spam, bah! They are filled with numerous other flags. 


Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com





Re: Don't like what rewrite_mail is doing.

2006-07-17 Thread Magnus Holmgren
On Monday 17 July 2006 05:30, Matt Kettler took the opportunity to write:
> Robert Nicholson wrote:
> > Can anybody tell me why the X-Spam headers are put at the top?
>
> Yes, because doing otherwise will break DomainKeys signatures.

As a matter of fact it won't do that unless
a) the signature field doesn't list the header fields included in the 
signature (and with DKIM that is mandatory), or
b) there were already X-Spam-* fields present and removed by SpamAssassin, but 
adding SA headers to outgoing mail is kinda meaningless, unless ...

Actually, it might be useful to trust SA headers that are DK[IM]-signed by 
certain signers, but maybe you would skip passing such mail through your own 
SA installation then.

> In general Received headers get added at the top, so that working down
> the headers you can determine chronology. I'm not sure if this is a RFC
> requirement or not, and I'm not sure if it would be required for this
> header. However, given the general behaviors of adding Received:
> headers, blending in with the trend of how headers are added is the
> most-sensible thing to do.

Yes, when you get used to it it's much better when you can see which MTA added 
which headers.

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Re: Unsubscribing from SA Users

2006-07-17 Thread Magnus Holmgren
On Monday 17 July 2006 14:44, Geoff Soper took the opportunity to write:
> Someone else suggested I set up a bounce but I'm not actually sure how to
> do a proper bounce, would a simple procmailrc textual bounce do or does it
> need to be done at the MTA level?

Unless you have the Return-Path procmail won't work. If you do, or if you have 
access to the MTA, you already have the information needed to unsubscribe 
normally.

> I certainly don't know the knowledge and probably not the access to be
> fiddling with firewalls.

Asking your administrator to make sure that Return-Path: lines are added will 
help with other issues in the future as well, so it's a good idea to do that. 
I think (hope?) the firewall suggestion was more of a joke.

> Surely it shouldn't be this difficult to unsubscribe?

No. If you're actually subscribed as  the 
list admin can probably unsubscribe you in a second, but may be reluctant to 
do so for pedagogic reasons, or lack time.

Look at the header of a mail from the list. See what addresses are mentioned 
in the Received: and Delivered-To: lines, like in my case:

Received: from mail.apache.org (hermes.apache.org [209.237.227.199])
by mail.lysator.liu.se (Postfix) with SMTP id 8D9DB200A1EB
for <[EMAIL PROTECTED]>; Mon, 17 Jul 2006 15:34:38 +0200 (CEST)
^

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




RE: score's and custom rules

2006-07-17 Thread Coffey, Neal
 
Jimmy Stewpot wrote:
> Hello,
> 
> I am currently trying to configure spam assassin with some custom rules
> to block certain words which are being used in a large amount of spam
> that the email servers receive. When I put the following rules into the
> local.cf file
> 
> body VIjAGRA /\bVIjAGRA\b/i
> score VIjAGRA 3.0
> describe VIjAGRA VIAGRA_SPAM

I've been getting the same junk mails you are, but I've also been
getting it as:
-VIAGvRA
-VIAGeRA
-VIeAGRA

Hence, I think this might be a better rule:
body     LOC_OBFU_VIAGRA /\bV[a-z]?I[a-z]?A[a-z]?G[a-z]?R[a-z]?A\b/
score    LOC_OBFU_VIAGRA 3.0
describe LOC_OBFU_VIAGRA A lame attempt to obfuscate "viagra"

Rinse and repeat for CIALvIS, AMBIvEN, VALIvUM...or a rule that'll catch
them all in one:

body     LOC_OBFU_DRUGS /\b[VCA][a-z]?[IMA][a-z]?[ABL][a-z]?[GLI][a-z]?[RIEU][a-z]?[ASNM]\b/
score    LOC_OBFU_DRUGS 3.0
describe LOC_OBFU_DRUGS Attempting to hide one of the 5-letter drugs

I removed the "/i" option because they're showing up only with all caps
drugs and lowercase "insertions" for me, and without them, the rules
will match "viagra" just as much as "VIAGjRA".  Unless you're sure you
won't get any legitimate mail with any of these drug names in it, I'd
also change this to a subject header rule instead of a body rule.
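
An added example, not part of the original message: the two patterns above run over constructed sample lines, to show what they hit, what the /i flag changes, and which ordinary all-caps words the catch-all rule also accepts. The LOC_OBFU_VIAGRA_I variant and the sample lines are assumptions made for the illustration.

```python
import re
from itertools import product

# Patterns copied from the rules in the message above. The constructs used
# ([a-z]?, \b, character classes) behave the same in Perl and in Python.
VIAGRA = r"\bV[a-z]?I[a-z]?A[a-z]?G[a-z]?R[a-z]?A\b"
DRUGS = r"\b[VCA][a-z]?[IMA][a-z]?[ABL][a-z]?[GLI][a-z]?[RIEU][a-z]?[ASNM]\b"

RULES = {
    "LOC_OBFU_VIAGRA": re.compile(VIAGRA),
    "LOC_OBFU_DRUGS": re.compile(DRUGS),
    # Hypothetical variant: the same pattern with the /i flag left on.
    "LOC_OBFU_VIAGRA_I": re.compile(VIAGRA, re.IGNORECASE),
}

# Constructed sample lines (not taken from real mail).
SAMPLES = [
    "Cheap VIjAGRA shipped overnight",
    "CIALvIS and AMBIvEN in stock",
    "Ask your doctor whether viagra is right for you",
    "VIAGRA",
    "HDMI CABLES half price this week",
]


def hits(text):
    """Names of the rules whose pattern matches somewhere in text."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def plain_words_accepted():
    """Every six-letter all-caps word LOC_OBFU_DRUGS accepts with no insertion.

    The rule is a product of six character classes, so it accepts every
    combination of them, not only the four drug names it was built from.
    """
    classes = ["VCA", "IMA", "ABL", "GLI", "RIEU", "ASNM"]
    return {"".join(letters) for letters in product(*classes)}


if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:55} -> {hits(line) or 'no hit'}")
    words = plain_words_accepted()
    collisions = sorted(w for w in words if w in {"CABLES", "CALLUS"})
    print(len(words), "plain words accepted, including", collisions)
```

Because every insertion is optional, both rules also fire on the unobfuscated upper-case name, and the catch-all fires on unrelated words such as "CABLES"; that is worth weighing against the 3.0 score before deploying it as a body rule.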


Re: score's and custom rules

2006-07-17 Thread Magnus Holmgren
On Monday 17 July 2006 15:25, Jimmy Stewpot took the opportunity to write:
> JamesDR wrote:
> > I'm willing to bet that these two:
> > AWL,BAYES_00
> > Are killing your score.
> > Check why bayes thinks this is ham, I notice that it did not autolearn
> > (autolearn=no), I'm also willing to bet that your bayes DB is pretty
> > much hosed (it thinks this mail is def. ham -- the BAYES_00 hit)
> > Clear AWL, Clear and start from scratch on Bayes also (my recommendation
> > would be to turn off autolearn.)

It needn't be "hosed" if you sent a test message from yourself with 
just "VIjAGRA" in it.

> How do you clear the AWL and Bayes Lists is that just a case of deleting
> the files or is there some special command to do that ?

*If* it's so screwed up that you have to start over completely, that's the 
easiest way to do it.

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Re: score's and custom rules

2006-07-17 Thread JamesDR

Jimmy Stewpot wrote:

Hello,

How do you clear the AWL and Bayes Lists is that just a case of deleting 
the files or is there some special command to do that ?


Regards,

Jimmy

JamesDR wrote:

Jimmy Stewpot wrote:

Hello,

I am currently trying to configure spam assassin with some custom 
rules to block certain words which are being used in a large amount 
of spam that the email servers receive. When I put the following 
rules into the local.cf file


body VIjAGRA /\bVIjAGRA\b/i
score VIjAGRA 3.0
describe VIjAGRA VIAGRA_SPAM


I can see from the mail logs that the email is now seeing that the 
term is used in the email but the score is not being increased as the 
email passes through the spamassassin process. Here is the log file




Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message 
<[EMAIL PROTECTED]> for clamav:89
Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) 
for clamav:89 in 1.3 seconds, 1293 bytes.
Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 - 
AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA 
scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<[EMAIL PROTECTED]>,bayes=1.66533453693773e-16,autolearn=no 



I am a little confused as to what is actually wrong with the rules to 
make it so that the score is not being incremented as the spam is 
being parsed by SA. Any advice would be greatly appreciated.


Regards,

Jimmy



I'm willing to bet that these two:
AWL,BAYES_00
Are killing your score.
Check why bayes thinks this is ham, I notice that it did not autolearn 
(autolearn=no), I'm also willing to bet that your bayes DB is pretty 
much hosed (it thinks this mail is def. ham -- the BAYES_00 hit)
Clear AWL, Clear and start from scratch on Bayes also (my 
recommendation would be to turn off autolearn.)



That all depends on how they are stored.. Are you using SQL? then a 
simple DELETE FROM...should work.

Please post some info about how your bayes/awl db's are stored.

--
Thanks,
James


Re: score's and custom rules

2006-07-17 Thread Jimmy Stewpot

Hello,

How do you clear the AWL and Bayes Lists is that just a case of deleting 
the files or is there some special command to do that ?


Regards,

Jimmy

JamesDR wrote:

Jimmy Stewpot wrote:

Hello,

I am currently trying to configure spam assassin with some custom 
rules to block certain words which are being used in a large amount of 
spam that the email servers receive. When I put the following rules 
into the local.cf file


body VIjAGRA /\bVIjAGRA\b/i
score VIjAGRA 3.0
describe VIjAGRA VIAGRA_SPAM


I can see from the mail logs that the email is now seeing that the 
term is used in the email but the score is not being increased as the 
email passes through the spamassassin process. Here is the log file




Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message 
<[EMAIL PROTECTED]> for clamav:89
Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) 
for clamav:89 in 1.3 seconds, 1293 bytes.
Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 - 
AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA 
scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<[EMAIL PROTECTED]>,bayes=1.66533453693773e-16,autolearn=no 



I am a little confused as to what is actually wrong with the rules to 
make it so that the score is not being incremented as the spam is 
being parsed by SA. Any advice would be greatly appreciated.


Regards,

Jimmy



I'm willing to bet that these two:
AWL,BAYES_00
Are killing your score.
Check why bayes thinks this is ham, I notice that it did not autolearn 
(autolearn=no), I'm also willing to bet that your bayes DB is pretty 
much hosed (it thinks this mail is def. ham -- the BAYES_00 hit)
Clear AWL, Clear and start from scratch on Bayes also (my recommendation 
would be to turn off autolearn.)


Re: score's and custom rules

2006-07-17 Thread JamesDR

Jimmy Stewpot wrote:

Hello,

I am currently trying to configure spam assassin with some custom rules 
to block certain words which are being used in a large amount of spam 
that the email servers receive. When I put the following rules into the 
local.cf file


body VIjAGRA /\bVIjAGRA\b/i
score VIjAGRA 3.0
describe VIjAGRA VIAGRA_SPAM


I can see from the mail logs that the email is now seeing that the term 
is used in the email but the score is not being increased as the email 
passes through the spamassassin process. Here is the log file




Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message 
<[EMAIL PROTECTED]> for clamav:89
Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) for 
clamav:89 in 1.3 seconds, 1293 bytes.
Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 - 
AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA 
scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<[EMAIL PROTECTED]>,bayes=1.66533453693773e-16,autolearn=no 



I am a little confused as to what is actually wrong with the rules to 
make it so that the score is not being incremented as the spam is being 
parsed by SA. Any advice would be greatly appreciated.


Regards,

Jimmy



I'm willing to bet that these two:
AWL,BAYES_00
Are killing your score.
Check why bayes thinks this is ham, I notice that it did not autolearn 
(autolearn=no), I'm also willing to bet that your bayes DB is pretty 
much hosed (it thinks this mail is def. ham -- the BAYES_00 hit)
Clear AWL, Clear and start from scratch on Bayes also (my recommendation 
would be to turn off autolearn.)

--
Thanks,
James


Re: score's and custom rules

2006-07-17 Thread Magnus Holmgren
On Monday 17 July 2006 15:11, Jimmy Stewpot took the opportunity to write:
> Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message
> <[EMAIL PROTECTED]> for clamav:89
> Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) for
> clamav:89 in 1.3 seconds, 1293 bytes.
> Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 -
> AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA
> scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<[EMAIL PROTECTED]>,bayes=1.66533453693773e-16,autolearn=no
>
> I am a little confused as to what is actually wrong with the rules to
> make it so that the score is not being incremented as the spam is being
> parsed by SA. Any advice would be greatly appreciated.

There is nothing wrong. AWL and BAYES_00 pull the score back down to 0.5.

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)
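
An added example, not part of the original message: a small parser for the spamd log lines quoted in this thread. It joins the verdict line and the result line by spamd PID and works out how much the other rules contributed once the local rule's 3.0 is taken out. The sample log is constructed from the quoted lines, with the redacted message-id replaced by a placeholder.

```python
import re

# Constructed sample modelled on the spamd lines quoted in the thread: wrapped
# lines rejoined, and the redacted message-id replaced by a placeholder.
SAMPLE_LOG = """\
Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message <msgid@example.invalid> for clamav:89
Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) for clamav:89 in 1.3 seconds, 1293 bytes.
Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 - AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<msgid@example.invalid>,bayes=1.66533453693773e-16,autolearn=no
"""

# "clean message (score/required)" or "identified spam (score/required)"
VERDICT = re.compile(
    r"spamd\[(\d+)\]: spamd: (clean message|identified spam) "
    r"\((-?\d+(?:\.\d+)?)/(-?\d+(?:\.\d+)?)\)")
# "result: <Y|.> <rounded score> - <TEST,TEST,...> key=value,key=value,..."
RESULT = re.compile(
    r"spamd\[(\d+)\]: spamd: result: ([Y.])\s+(-?\d+)\s+-\s+"
    r"(?:([A-Za-z0-9_,]+)\s+)?(\w+=\S+)")


def parse_spamd(log_text):
    """Return one dict per scanned message found in the log text."""
    pending = {}    # pid -> (score, required) from the latest verdict line
    messages = []
    for line in log_text.splitlines():
        m = VERDICT.search(line)
        if m:
            pending[m.group(1)] = (float(m.group(3)), float(m.group(4)))
            continue
        m = RESULT.search(line)
        if not m:
            continue
        pid, flag, rounded, tests, kv = m.groups()
        # Fall back to the rounded integer if no verdict line was seen.
        score, required = pending.pop(pid, (float(rounded), None))
        fields = dict(item.split("=", 1) for item in kv.split(",") if "=" in item)
        messages.append({
            "is_spam": flag == "Y",
            "score": score,
            "required": required,
            "tests": tests.split(",") if tests else [],
            "fields": fields,
        })
    return messages


def explain(message, local_scores):
    """Split the logged score into the local rules' share and everything else.

    local_scores maps rule name to the score set in local.cf. The log rounds
    the total to one decimal, so the remainder is approximate.
    """
    local_hits = [t for t in message["tests"] if t in local_scores]
    local_total = sum(local_scores[t] for t in local_hits)
    # AWL shifts a score toward the sender's history; BAYES_* is the Bayes bucket.
    adjusters = [t for t in message["tests"] if t == "AWL" or t.startswith("BAYES_")]
    return {
        "local_hits": local_hits,
        "local_total": local_total,
        "other_rules_total": round(message["score"] - local_total, 1),
        "adjusters": adjusters,
    }


if __name__ == "__main__":
    for msg in parse_spamd(SAMPLE_LOG):
        print(msg["score"], msg["required"], explain(msg, {"VIjAGRA": 3.0}))
```

For the quoted message the local rule did add its 3.0; the remaining hits sum to about -2.5, which is how the total ends at 0.5.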




score's and custom rules

2006-07-17 Thread Jimmy Stewpot

Hello,

I am currently trying to configure spam assassin with some custom rules 
to block certain words which are being used in a large amount of spam 
that the email servers receive. When I put the following rules into the 
local.cf file


body VIjAGRA /\bVIjAGRA\b/i
score VIjAGRA 3.0
describe VIjAGRA VIAGRA_SPAM


I can see from the mail logs that the email is now seeing that the term 
is used in the email but the score is not being increased as the email 
passes through the spamassassin process. Here is the log file




Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message 
<[EMAIL PROTECTED]> for clamav:89
Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) for 
clamav:89 in 1.3 seconds, 1293 bytes.
Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 - 
AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA 
scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<[EMAIL PROTECTED]>,bayes=1.66533453693773e-16,autolearn=no


I am a little confused as to what is actually wrong with the rules to 
make it so that the score is not being incremented as the spam is being 
parsed by SA. Any advice would be greatly appreciated.


Regards,

Jimmy


RE: Unsubscribing from SA Users

2006-07-17 Thread Geoff Soper
Someone else suggested I set up a bounce but I'm not actually sure how to
do a proper bounce, would a simple procmailrc textual bounce do or does it
need to be done at the MTA level?

I certainly don't have the knowledge and probably not the access to be
fiddling with firewalls.

Surely it shouldn't be this difficult to unsubscribe?

Thanks,
Geoff

Geoff
> Or just block the lists mail servers in your firewall.
>
> You'll be automatically removed after a week or so
>
> -Sietse
>
> 
>
> From: Magnus Holmgren [mailto:[EMAIL PROTECTED]
> Sent: Mon 17-Jul-06 14:33
> To: users@spamassassin.apache.org
> Subject: Re: Unsubscribing from SA Users
>
>
>
> On Monday 17 July 2006 12:53, Geoff Soper took the opportunity to write:
>> It also suggested looking for a "Return-Path:" header but this header
>> doesn't exist in any of the mails I receive from the list.
>
> If it doesn't exist you need to have the configuration of your mail delivery
> agent changed. The Return-Path field contains the envelope sender, which is
> transported outside of the mail and normally added to the mail header during
> the final delivery to your mailbox.
>
> --
> Magnus Holmgren[EMAIL PROTECTED]
>(No Cc of list mail needed, thanks)
>
>
>




Re: SA not tagging subject

2006-07-17 Thread JamesDR

tomcatf14 wrote:

I am using the following:

SpamAssassin version 3.1.3
  running on Perl version 5.8.7

"rewrite_subject 1" is not recognised when running spamassassin -D --lint

You will want
rewrite_header Subject 

 without the < and >.
--
Thanks,
James



Re: SA not tagging subject

2006-07-17 Thread tomcatf14

I am using the following:

SpamAssassin version 3.1.3
  running on Perl version 5.8.7

"rewrite_subject 1" is not recognised when running spamassassin -D --lint



RE: Unsubscribing from SA Users

2006-07-17 Thread Sietse van Zanen
Or just block the lists mail servers in your firewall.
 
You'll be automatically removed after a week or so
 
-Sietse



From: Magnus Holmgren [mailto:[EMAIL PROTECTED]
Sent: Mon 17-Jul-06 14:33
To: users@spamassassin.apache.org
Subject: Re: Unsubscribing from SA Users



On Monday 17 July 2006 12:53, Geoff Soper took the opportunity to write:
> It also suggested looking for a "Return-Path:" header but this header
> doesn't exist in any of the mails I receive from the list.

If it doesn't exist you need to have the configuration of your mail delivery
agent changed. The Return-Path field contains the envelope sender, which is
transported outside of the mail and normally added to the mail header during
the final delivery to your mailbox.

--
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Re: Unsubscribing from SA Users

2006-07-17 Thread Magnus Holmgren
On Monday 17 July 2006 12:53, Geoff Soper took the opportunity to write:
> It also suggested looking for a "Return-Path:" header but this header
> doesn't exist in any of the mails I receive from the list.

If it doesn't exist you need to have the configuration of your mail delivery 
agent changed. The Return-Path field contains the envelope sender, which is 
transported outside of the mail and normally added to the mail header during 
the final delivery to your mailbox.

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Unsubscribing from SA Users

2006-07-17 Thread Geoff Soper
I'm loath to post this message but I can't manage to unsubscribe!

First of all, I sent a blank mail from this address (i.e. the subscribed
address) to [EMAIL PROTECTED] as indicated by the
relevant header in each mail I receive from the list:
list-unsubscribe: 

This caused a confirmation e-mail to arrive at this address which I duly
responded to, still from this address and to the specially formed
confirmation address. This then caused an ezmlm response which said this
address isn't subscribed so can be unsubscribed (see bottom of this mail).
It also suggested looking for a "Return-Path:" header but this header
doesn't exist in any of the mails I receive from the list.

I've tried mailing [EMAIL PROTECTED] and Justin replied a
few days ago suggesting sending a mail to
[EMAIL PROTECTED]
but this also failed. I replied to Justin to this effect but have
received nothing since.

Can anyone else offer any suggestions as to what is going on here and what
I  might try next?

Apologies for a silly mail,
Geoff


--

Hi! This is the ezmlm program. I'm managing the
users@spamassassin.apache.org mailing list.

Acknowledgment: The address

   [EMAIL PROTECTED]

was not on the users mailing list when I received
your request and is not a subscriber of this list.

If you unsubscribe, but continue to receive mail, you're subscribed under
a different address than you currently use. Please look at the header for:

'Return-Path: <[EMAIL PROTECTED]>'






SA not tagging subject

2006-07-17 Thread tomcatf14

I've installed SA and set the score to 6. However, it doesn't seem to tag
the subject although the qmail-queue.log said "tagging message".

What is wrong?



Re: SpamAssassin data corpus: old versions

2006-07-17 Thread Justin Mason

Anton Bryl writes:
> I have a question about the SpamAssassin data corpus.
> 
> In one article published in 2003 it is written: "...corpus we adopted is 
> available at www.spamassassin.org. This archive contains 2100 spam and 
> 2107 non-spam messages." This description does not fit the present corpus. 
> Was there an old version with the described size and is it possible to 
> get it now? Thank You.

Sounds like a typo -- the README page at
http://spamassassin.apache.org/publiccorpus/readme.html contains full
details of the changes made to the corpus over time, and it has not
changed greatly in message numbers since Oct 2002.  It's worth
noting that it's never contained more than about 1900 spam messages...

--j.


Re: How to disable all the checks related to SpamCop.

2006-07-17 Thread Duane Hill

On Mon, 17 Jul 2006, Ashok kumar wrote:

I want to disable all the checks related to SPAMCOP. For disabling the 
checks I have hashed the "loadplugin Mail::SpamAssassin::Plugin::SpamCop" line 
in the v310.pre file of spamassassin, but I am still able to find the 
"RCVD_IN_BL_SPAMCOP_NET" rule hit in maillog. Can anyone help me in 
finding out whether the checks are really disabled or not? If not disabled, 
then how to do it?


It would seem lvs2.netcore.co.in is listed on SpamCop. I would assume if 
you have your trusted/internal networks set up right in SpamAssassin, the 
RBL checks against your own server would not affect this listing as they 
would be skipped and you wouldn't need to disable the SpamCop tests.


--
"This message was sent using 100% recycled electrons."


SpamAssassin data corpus: old versions

2006-07-17 Thread Anton Bryl

I have a question about the SpamAssassin data corpus.

In one article published in 2003 it is written: "...corpus we adopted is 
available at www.spamassassin.org. This archive contains 2100 spam and 
2107 non-spam messages." This description does not fit the present corpus. 
Was there an old version with the described size and is it possible to 
get it now? Thank You.


WBR,
Anton Bryl


How to disable all the checks related to SpamCop.

2006-07-17 Thread Ashok kumar
I want to disable all the checks related to SPAMCOP. For disabling 
the checks I have hashed the "loadplugin 
Mail::SpamAssassin::Plugin::SpamCop" line in the v310.pre file of 
spamassassin, but I am still able to find the "RCVD_IN_BL_SPAMCOP_NET" 
rule hit in maillog. Can anyone help me in finding out whether the 
checks are really disabled or not? If not disabled, then how to do it?



Re: make bayes autolearn ignore specific scores

2006-07-17 Thread Justin Mason

jdow writes:
> From: "Alexander Piavka" <[EMAIL PROTECTED]>
> 
> > On Sat, 15 Jul 2006, Magnus Holmgren wrote:
> > 
> >> On Tuesday 11 July 2006 23:16, Alexander Piavka took the opportunity to write:
> >> >  Hi, I'd like to know if it's possible, and how, to ignore specific rule
> >> > scores (like ALL_TRUSTED) when calculating the autolearn threshold for
> >> > spam and ham?
> >>
> >> "Like" ALL_TRUSTED, eh? If you have a problem with ALL_TRUSTED you likely have
> >> a bad trusted_networks setting. Adding a host to trusted_networks means that
> >> you trust it not to forge headers and not to originate spam, meaning that if
> >> ALL_TRUSTED fires then the message *should* definitely be ham, otherwise your
> >> assumption that the host can be trusted is wrong.
> > 
> > No, I've no problem with ALL_TRUSTED, it's just I thought it's not a good
> > idea to learn every mail from trusted networks as ham, I wanted to make a
> > bayes autolearn independent of the sending source and thus ignore ALL_TRUSTED
> > and some more tests. Since this way bayes would learn from much more ham
> > messages than spam messages, especially since most spam messages we get are
> > the same. Thus I thought since the bayes database size is limited it
> > should learn from at least as much spam mail as ham, to have more
> > spam mails detected by bayes.
> > But probably I'm wrong or not?
> 
> One might say two things. The first is a startled "Well duh!" The second
> is, "if you have ALL_TRUSTED" appear as a rule hit on every message then
> you're being silly.
> 
> ALL_TRUSTED does not mean a damn thing with respect to whether a message
> is ham or spam. It just says that the received headers are likely to be
> accurate in as much as "you" or a "trusted agent" oversees the header
> generation.

um, no, ALL_TRUSTED means that all of the hosts that relayed the mail were
trusted -- including the very first, originating host.
This should not happen unless you list a spammer's machine in
trusted_networks.

--j.


Re: Why is there so much hype behind Image spam

2006-07-17 Thread Justin Mason

Bart Schaefer writes:
> On 7/16/06, John Andersen <[EMAIL PROTECTED]> wrote:
> > The comment was off-hand and not researched.  One of my earliest
> > ISPs recommended Spamassassin when it was just a bunch of scripts
> > written by some woman whose name escapes me.
> 
> I suspect you're thinking of SpamBouncer.  Catherine A. Hampton.
> Other than possibly being a source of inspiration, SpamBouncer has
> nothing to do with SpamAssassin.

Yep -- SpamBouncer is a totally independent project.  SpamAssassin
started in 2001, 5 years ago.

--j.