Re: SPF breaks email forwarding

2006-07-27 Thread Ramprasad
On Thu, 2006-07-27 at 14:35 -0700, John D. Hardin wrote:
> On Thu, 27 Jul 2006, Hamish wrote:
> 
> > Forwarding should (IMO) be implemented in such a way as the
> > FORWARDING mailbox should be used as the new return-path (Just
> > like if you forwarded an email from your MUA rather than with the
> > MDA). Then both SPF and forwarding would work fine. And
> > furthermore be consistent.
> 
> ...and lead to a mail loop if the forward-to address starts bouncing
> messages for some reason...

And how does not implementing SRS solve the mail loop problem?





Re: SpamAssassin 3.0.3 and MIME_BOUND_RKFINDY

2006-07-27 Thread jdow

Tao, make sure your Bayes tests are working correctly. Then raise the
score for BAYES_99 almost to 5, if it is not hitting more than one
item ultimately scored as ham per day, and slightly boost the BAYES_95
score. With that and a nice juicy selection of SARE rules 5 is a rather
nice number to work with. Those two changes are what has caused 5.0
to be such a good choice here. Very VERY little ham reaches 5.0. And
most spam is above 6.5 or 7 with about one or two in 100 under 6.5.

Without the well trained Bayes I don't think I'd be doing near as well
as I am at the moment.

(The other trick involves a small set of meta rules that fires if I
have a mailing list that is "open" and gets some spam flowing through
it. This amplifies the difference from the BAYES_50 score for most of
the other BAYES_xxx scores. This one change killed off most of the
errors I was getting from things like the FreeBSD, LKML, and other
such mailing lists. I should write it up and share it through SARE
pretty soon. I am pretty happy with it right now, although it is
awkward to maintain. It may need a plugin to snarf up the list of
list identifier tests that should be used at a given site.)

{^_^}
- Original Message - 
From: "Tao Lin" <[EMAIL PROTECTED]>




Hi, John

Now I understand what MIME_BOUND_RKFINDY mean. It means my email is
generated by Indy component.  And I have some misuse of the Indy component
that it gen the html email is not so clean. Once I fix it, my email score
from 2.4 downto 0.5!

And I think I will keep my cutoff score as 2 because I get so many spam
every day and some of them just score 2.3!

Cheers,

Tao

On 7/27/06, John Andersen <[EMAIL PROTECTED]> wrote:


On Wednesday 26 July 2006 20:16, Tao Lin wrote:
> Hi,
>
> I am using SpamAssassin 3.0.3 with Exim 3.35 under Debian woody. When
> I send a test html email to my own mail server, SpamAssassin treat it
> as a spam. Here is the message header:

>  version=3.0.3
> X-Spam-Report:
>  *  2.7 MIME_BOUND_RKFINDY Spam tool pattern in MIME boundary (rfkindy)

> ==
>
> I don't why my email score so high on MIME_BOUND_RKFINDY, and what it
> mean. How can I make my html email get through the SpamAssassin?
>
> Cheers,

You can find out what the tests are here:
http://spamassassin.apache.org/tests_3_1_x.html

Your cutoff is pretty low:
>X-Spam-Status: Yes, score=2.4 required=2.0

Your cutoff is less than half the recommended 5.0.  You will be
rejecting a lot of valid mail (as you have seen).



--
_
John Andersen






--
Tao Lin



Re: Problems after upgrade to 3.1.4

2006-07-27 Thread jdow

From: "Theo Van Dinter" <[EMAIL PROTECTED]>

> Yes, basically.  However, all rules (ignoring test rules (starts with T_)) get a
> score of 1 by default, so you don't need to specifically set a score for
> __METARULE.  In the end, as long as __METARULE doesn't have a score of zero,
> it runs.


So far that clarifies things well enough the SARE folks should have a
clear idea what to edit.

And for testing it could be _METARULE and once testing is complete
the lead "_" could make it into __METARULE.

One more thing - will __METARULE appear in the various hit reports
such as the maillog and the header or wrapper score reports? The header
version of the score reports is where it can cause potential problems
with header size exceeding some systems' limits. It might also cause a
problem with maillog entries. I don't know if there is a maximum size
for a maillog line or not. For the wrapper report it probably doesn't
much matter whether it shows or not, showing might be marginally
better.

{^_^}


Using MySQL with SA 3.1.4

2006-07-27 Thread BG Mahesh
hi

I have just installed SA 3.1.4. I am pretty sure the default installation is non-mysql version.

Is it better we move to the MySQL version? If so, what do I need to do in the config file [and setup] to move to the mysql version?

-- 
B.G. Mahesh
http://www.greynium.com/
http://www.oneindia.in/
http://www.click.in/ - Free Indian Classifieds


Moving from SA 2.6 to SA 3.1.4 [bayes file]

2006-07-27 Thread BG Mahesh
hi

We are moving our mailserver to a new machine. The old machine has MailScanner+SA 2.6.x

The new machine has MailScanner+SA 3.1.4

How can I move the bayes file from the old machine to the new machine and make sure it is SA 3.1.4 compliant?

Basically I want the new machine to use the knowledge base from the old machine, so what do I need to do?

-- 
B.G. Mahesh
http://www.greynium.com/
http://www.oneindia.in/
http://www.click.in/ - Free Indian Classifieds


Re: SpamAssassin 3.0.3 and MIME_BOUND_RKFINDY

2006-07-27 Thread Tao Lin
Hi, John

Now I understand what MIME_BOUND_RKFINDY mean. It means my email is generated by Indy component.  And I have some misuse of the Indy component that it gen the html email is not so clean. Once I fix it, my email score from 2.4 downto 0.5!

And I think I will keep my cutoff score as 2 because I get so many spam every day and some of them just score 2.3!

Cheers,

Tao

On 7/27/06, John Andersen <[EMAIL PROTECTED]> wrote:
> On Wednesday 26 July 2006 20:16, Tao Lin wrote:
> > Hi,
> >
> > I am using SpamAssassin 3.0.3 with Exim 3.35 under Debian woody. When
> > I send a test html email to my own mail server, SpamAssassin treat it
> > as a spam. Here is the message header:
> >  version=3.0.3
> > X-Spam-Report:
> >  *  2.7 MIME_BOUND_RKFINDY Spam tool pattern in MIME boundary (rfkindy)
> > ==
> >
> > I don't why my email score so high on MIME_BOUND_RKFINDY, and what it
> > mean. How can I make my html email get through the SpamAssassin?
> >
> > Cheers,
>
> You can find out what the tests are here:
> http://spamassassin.apache.org/tests_3_1_x.html
>
> Your cutoff is pretty low:
> >X-Spam-Status: Yes, score=2.4 required=2.0
>
> Your cutoff is less than half the recommended 5.0.  You will be
> rejecting a lot of valid mail (as you have seen).
>
> --
> _
> John Andersen

-- 
Tao Lin


Re: SpamAssassin-3.1.4 and SARE rules

2006-07-27 Thread Daryl C. W. O'Shea

Loren Wilton wrote:
> > All of the active rules (those in the various directories that don't
> > depend on a disabled plugin) are included in the check.  It wouldn't
> > make sense to only include some of them.
>
> Well while I agree with that last statement it seems to conflict with
> something Theo said a few days ago on the dev list.


sa-update doesn't use any plugins when linting.  "spamassassin --lint" 
does, though.


Daryl


Re: SpamAssassin-3.1.4 and SARE rules

2006-07-27 Thread Loren Wilton
> All of the active rules (those in the various directories that don't
> depend on a disabled plugin) are included in the check.  It wouldn't make
> sense to only include some of them.


Well while I agree with that last statement it seems to conflict with 
something Theo said a few days ago on the dev list.


   Loren



Re: Problems after upgrade to 3.1.4

2006-07-27 Thread Theo Van Dinter
On Thu, Jul 27, 2006 at 06:20:57PM -0700, jdow wrote:
> Even that is not clear. The way I interpret that NOW is that the
> __METARULE needs a score of some sort or it will not ever contribute
> to a META rule except via a default score that is independent of the

Yes, a subrule (__) needs a score to run, and therefore contribute to
the meta rule.  Like every other rule, subrules have a default score of 1.

> PLUS the META rules in which it is used provide scores to the final
> results.

Nope.

It's really simple:

For a rule to be executed, it needs a non-zero score.  Subrules (those
starting with "__") *never* add to the message score.  If you set a
subrule's score to 0, it won't be executed.


This, by the way, is in the documentation:

   Setting a rule’s score to 0 will disable that rule from
   running.

   If no score is given for a test by the end of the
   configuration, a default score is assigned: a score of 1.0
   is used for all tests, except those who names begin with
   ’T_’ (this is used to indicate a rule in testing) which
   receive 0.01.

   Note that test names which begin with ’__’ are indirect
   rules used to compose meta-match rules and can also act as
   prerequisites to other rules.  They are not scored or listed
   in the ’tests hit’ reports, but assigning a score of 0
   to an indirect rule will disable it from running.

> Is that right? I had read that to indicate that __METARULE would
> only contribute a value to the META rules that use it and not ever
> to the final result. Or does __METARULE need to have a "score" line
> with a non-zero value to run?

Yes, basically.  However, all rules (ignoring test rules (starts with T_)) get a
score of 1 by default, so you don't need to specifically set a score for
__METARULE.  In the end, as long as __METARULE doesn't have a score of zero,
it runs.

-- 
Randomly Generated Tagline:
"'Don't NOT follow the directions' seems unnecessary to state."
  - Roger B.A. Klorese




Re: SpamAssassin-3.1.4 and SARE rules

2006-07-27 Thread Daryl C. W. O'Shea

Loren Wilton wrote:
> I'd bet we have some dependency errors.  I'm not convinced that all of
> those warnings are actual dependency errors, some might be effects of
> not all of the rules files being included in the check.


All of the active rules (those in the various directories that don't 
depend on a disabled plugin) are included in the check.  It wouldn't 
make sense to only include some of them.


Daryl


Re: Help for beginner

2006-07-27 Thread John D. Hardin
On Thu, 27 Jul 2006, Logan Shaw wrote:

> Having said that, I'm confused about why /etc/crontab would
> exist in any version of cron.  It seems more complicated to
> put root's crontab in a special place that's different than
> the pattern for every other user (where crontabs are stored
> somewhere under /var/spool/cron), and I don't see the benefit
> you'd get in exchange for that extra complication.

Distinguish between "the custom cron jobs the administrator wants to
run" and "the standard system-administrative cron jobs that the OS
provides" and you might see a reason.

It made sense to me when I first ran across it. I don't like the idea
of me fat-fingering a crontab command as root and disabling all of the
hourly/daily/weekly/monthly admin jobs. Having that stuff in a
separate file makes some sense from a "leave it the fsck alone" point
of view.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Apparently the Bush/Rove idea of being a "fiscal conservative" is
  to spend money like there's no tomorrow, run up huge deficits, and
  pray the Rapture happens before the bills come due.
   -- atul666 in Y! SCOX forum
---



Re: Which Net::DNS version for Fedora Core 4?

2006-07-27 Thread John Andersen
On Thursday 27 July 2006 04:02, jdow wrote:

> So I use CPAN for SpamAssassin.

Every Distro supports Perl and CPAN.  

So why not just stop releasing ANY distro specific RPMs
tars, emerges etc?

Make the CPAN distribution smart enough to work around
those perpetually broken cpan packages, or remove any
feature that uses same.


-- 
_
John Andersen




Re: SpamAssassin-3.1.4 and SARE rules

2006-07-27 Thread Loren Wilton
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test FP_MIXED_PORN3 has 
undefined dependency 'FP_PENETRATION'


Just an FYI I guess...anyone else see this kind of action?  Thanks!


New check in the latest version. There are three possible causes for it.

1) They probably don't have plugins enabled when it is run so things 
depended on plugin rules throw errors.


2) Possibly not all of the standard rules are included when they run the 
check, so anything dependent on a standard rule will throw an error.


3) There are actual dependency errors in the SARE rules.

I'd bet we have some dependency errors.  I'm not convinced that all of those 
warnings are actual dependency errors, some might be effects of not all of 
the rules files being included in the check.


   Loren



Re: Problems after upgrade to 3.1.4

2006-07-27 Thread jdow

From: "Theo Van Dinter" <[EMAIL PROTECTED]>

> If you want to define a meta-rule, but do not want its individual sub-rules to
> count towards the final score unless the entire meta-rule matches, give the
> sub-rules names that start with '__' (two underscores).  SpamAssassin will
> ignore these for scoring.


Even that is not clear. The way I interpret that NOW is that the
__METARULE needs a score of some sort or it will not ever contribute
to a META rule except via a default score that is independent of the
content of __METARULE. And if I give __METARULE a score that score
PLUS the META rules in which it is used provide scores to the final
results.

Is that right? I had read that to indicate that __METARULE would
only contribute a value to the META rules that use it and not ever
to the final result. Or does __METARULE need to have a "score" line
with a non-zero value to run?

It was all vague enough I rather automatically accept the extra dross
of the rule score of 0.001 for rules supposed to only contribute to
META rules. So it doesn't affect me except in so far as it quite
apparently has left some important rules contributors confused enough
that they made an incorrect presumption.

For testing you want to see the __METARULE type contributions to the
final score. But once the testing is done the __METARULE report
printouts become dross. They apparently for some reason did not
apply the lead "__", their bad. But I still think something that
appears in a meta rule and has a score of zero should still be
run since it DOES have a value, a variable value depending on the
meta rule's results.

{^_^}



Re: to treat GW ip same as external IP

2006-07-27 Thread Gino Cerullo
On 27-Jul-06, at 8:56 PM, sokka wrote:
> Dear Group Members,
>
> I have a GW IP from where all mails will come and fall to my real server. I have spamassassin in my real server which is almost up to date. Now, whenever i rcv a mail by bypassing the gw it is stamped as SPAM where if the same mail comes thru that gw it is marked in low rate.
>
> How to reactivate my gw ip in my spamassassin to scan as if a normal ip.
>
> regards

Are you perhaps asking about trusted_networks which is configured in local.cf

http://wiki.apache.org/spamassassin/TrustPath

--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6
T: 416-247-7740
F: 416-247-7503

Re: to treat GW ip same as external IP

2006-07-27 Thread Matt Kettler
sokka wrote:
> Dear Group Members,
>  
> I have a GW IP from where all mails will come and fall to my real
> server. I have spamassassin in my real server which is almost
> up to date. Now, whenever i rcv a mail by bypassing the gw it is stamped
> as SPAM where if the same mail comes thru that gw it is marked in low
> rate. 
>  
> How to reactivate my gw ip in my spamassassin to scan as if a normal ip.
Re-declare your "internal_networks" and exclude your gateway IP.

>  
> regards 
>



to treat GW ip same as external IP

2006-07-27 Thread sokka

Dear Group Members,
 
I have a GW IP from where all mails will come and fall to my real server. I have spamassassin in my real server which is almost up to date. Now, whenever i rcv a mail by bypassing the gw it is stamped as SPAM where if the same mail comes thru that gw it is marked in low rate.

 
How to reactivate my gw ip in my spamassassin to scan as if a normal ip.
 
regards 


Re: Problems after upgrade to 3.1.4

2006-07-27 Thread Theo Van Dinter
On Thu, Jul 27, 2006 at 03:48:29PM -0700, jdow wrote:
> >If you disable a rule it doesn't run.  Period.  When your eval is run 
> >it'll use a false result in place of a disabled rule.  Thus if the rule is 
> >a required part of the meta (it's ANDed) then the meta will never fire.  
> >If it's an optional part of the meta (it's ORed) then the meta will fire 
> >if it goes on to evaluate true.
> 
> That is a bad thing. And it also seems to be different from the original

Not really.

> version of SA I started with which supported META. (I started back with
> 2.20 something.) The wording back then suggested you could write a META
> rule with components scored zero so that they would not report but the
> META would still work. That behavior is depended upon for some of the
> SARE rule sets, it appears.

meta rules came out in 2.40, and those docs clearly state:

If you want to define a meta-rule, but do not want its individual sub-rules to
count towards the final score unless the entire meta-rule matches, give the
sub-rules names that start with '__' (two underscores).  SpamAssassin will
ignore these for scoring.

That hasn't changed.


I'm not sure why everyone is going crazy about this.  Absolutely nothing has
changed wrt how meta rules work.  The only change is that now it's easier to
find out when there are "problems" with the meta rules.

-- 
Randomly Generated Tagline:
"Eighty percent of married men cheat in America.  The rest cheat in Europe."
  - Jackie Mason




Re: Problems after upgrade to 3.1.4

2006-07-27 Thread Theo Van Dinter
On Thu, Jul 27, 2006 at 03:53:08PM -0700, jdow wrote:
> If the scores are printed out in header fields the scores field can very
> quickly exceed the 4k size limit. This is not a good thing.

Meta subrules (those that start with "__") aren't displayed as part of the
standard rules hits.

-- 
Randomly Generated Tagline:
Fry: What's with the eye?




RE: Help for Beginner

2006-07-27 Thread Cabell, Dale
Can anyone please recommend a group for a beginner that needs help with
cron? It's still not working.

It would be appreciated.


Thanks,
Dale Cabell
[EMAIL PROTECTED]

-Original Message-
From: Kelson [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 27, 2006 4:03 PM
To: users@spamassassin.apache.org
Subject: Re: Problems after upgrade to 3.1.4

jdow wrote:
> The wording back then suggested you could write a META
> rule with components scored zero so that they would not report but the
> META would still work.

If I read the runes a-right, that's still how META rules work.  Create a
rule like this:

body __CONDITION_1  /something/

...and don't assign it a score at all.  It'll execute, the META rules 
which rely on it will process the result, no problem.

HOWEVER, if you assign that rule a score of 0, as in:

score __CONDITION_1 0

...then the rule will be disabled, will not be processed, and any meta 
rule that relies on it will (a) throw this warning and (b) assume a 
value of false for that condition.

-- 
Kelson Vibber
SpeedGate Communications 


Re: Problems after upgrade to 3.1.4

2006-07-27 Thread Kelson

jdow wrote:
> The wording back then suggested you could write a META
> rule with components scored zero so that they would not report but the
> META would still work.


If I read the runes a-right, that's still how META rules work.  Create a 
rule like this:


body __CONDITION_1  /something/

...and don't assign it a score at all.  It'll execute, the META rules 
which rely on it will process the result, no problem.


HOWEVER, if you assign that rule a score of 0, as in:

score __CONDITION_1 0

...then the rule will be disabled, will not be processed, and any meta 
rule that relies on it will (a) throw this warning and (b) assume a 
value of false for that condition.


--
Kelson Vibber
SpeedGate Communications 
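
The scoring behaviour described in this thread, modelled as an added Python sketch (not SpamAssassin's code and not from any poster): default scores of 1.0 and 0.01 for `T_` rules, `__` subrules that run but never add to the total or appear in the hit list, and a score of 0 that disables a rule so metas see it as false. The rule names and sample rules are constructed, and the evaluator assumes only `body` and `meta` rules with `&&`, `||`, `!` and parentheses, with metas evaluated in file order.

```python
import re

# Constructed rules file for illustration; every rule name here is hypothetical.
SAMPLE_RULES = """
body   __CONDITION_1   /something/
body   __CONDITION_2   /another thing/
body   __CONDITION_3   /third/
body   T_EXPERIMENT    /beta/
score  __CONDITION_2   0
meta   DEMO_AND        (__CONDITION_1 && __CONDITION_2)
meta   DEMO_OR         (__CONDITION_1 || __CONDITION_2)
meta   DEMO_MISSING    (__CONDITION_3 && __NOT_DEFINED)
score  DEMO_AND        2.5
score  DEMO_OR         1.5
"""

NAME = r"[A-Za-z_][A-Za-z0-9_]*"


def parse_rules(text):
    """Return ({name: (kind, definition)}, {name: explicit score})."""
    rules, scores = {}, {}
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        kind, name, rest = parts
        if kind == "score":
            scores[name] = float(rest.split()[0])
        elif kind in ("body", "meta"):  # only the rule types this sketch models
            rules[name] = (kind, rest)
    return rules, scores


def effective_score(name, scores):
    """Explicit score if set, else the documented default (1.0, or 0.01 for T_)."""
    if name in scores:
        return scores[name]
    return 0.01 if name.startswith("T_") else 1.0


def lint_meta(rules, scores):
    """List (meta, dependency, problem) for undefined or score-0 dependencies."""
    problems = []
    for name, (kind, expr) in rules.items():
        if kind != "meta" or effective_score(name, scores) == 0:
            continue
        for dep in re.findall(NAME, expr):
            if dep not in rules:
                problems.append((name, dep, "undefined"))
            elif effective_score(dep, scores) == 0:
                problems.append((name, dep, "disabled"))
    return problems


def eval_meta(expr, hits):
    """Evaluate a boolean meta expression; rules that did not run count as false."""
    tokens = re.findall(r"\(|\)|&&|\|\||!|" + NAME, expr)
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def atom():
        tok = take()
        if tok == "!":
            return not atom()
        if tok == "(":
            val = either()
            take()  # consume ")"
            return val
        return hits.get(tok, False)

    def both():
        val = atom()
        while peek() == "&&":
            take()
            rhs = atom()
            val = val and rhs
        return val

    def either():
        val = both()
        while peek() == "||":
            take()
            rhs = both()
            val = val or rhs
        return val

    return either()


def scan(rules, scores, body):
    """Return (total score, reported rule names) for a message body."""
    hits = {}
    for name, (kind, definition) in rules.items():
        if kind == "body" and effective_score(name, scores) != 0:
            hits[name] = re.search(definition[1:-1], body) is not None
    for name, (kind, definition) in rules.items():
        if kind == "meta" and effective_score(name, scores) != 0:
            hits[name] = eval_meta(definition, hits)
    # Subrules (leading "__") run, but are neither scored nor reported.
    reported = sorted(n for n, hit in hits.items() if hit and not n.startswith("__"))
    total = round(sum(effective_score(n, scores) for n in reported), 2)
    return total, reported
```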


Re: Problems after upgrade to 3.1.4

2006-07-27 Thread jdow

From: "Theo Van Dinter" <[EMAIL PROTECTED]>

> Don't confuse "the meta rule is executed" with "the meta rule works
> as expected".

Sorry, the bad conclusion was already made and depended upon for
proper operation without cluttering the header streams or the report
fields. So the question becomes, "What is the smallest change that
can be made to SpamAssassin to effect this expected behavior?" I
believe the proposal I just made in the message I sent to the group
just before this one should meet that criterion. Even the documentation
change to clarify the issue will be minimal.

> > My MTA integration only allows for 4K of headers to add and I'm already
> > exceeding it fairly often. Adding more insignificant rules to the list
> > will just make it that much worse...
>
> I'm not sure what this has to do with anything.


If the scores are printed out in header fields the scores field can very
quickly exceed the 4k size limit. This is not a good thing.

{^_^}



Re: Problems after upgrade to 3.1.4

2006-07-27 Thread jdow

From: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]>

> Bret Miller wrote:
>
> > So what we're saying here is that if you create a META rule on a
> > disabled (scored 0) rule, the META rule doesn't work?
>
> Disabled means disabled.  Disabled rules are never run.
>
> Quoting the relevant score config info from M:SA:Conf POD:
>
>    score SYMBOLIC_TEST_NAME n.nn [ n.nn n.nn n.nn ]
>
>    Setting a rule’s score to 0 will disable that rule from running.
>
>    Note that test names which begin with ’__’ are indirect rules used to
>    compose meta-match rules and can also act as prerequisites to other
>    rules.  They are not scored or listed in the ’tests hit’ reports, but
>    assigning a score of 0 to an indirect rule will disable it from running.
>
> > Didn't work before either?
>
> There has been *zero* functionality change.
>
> > Or still works but generates an info debug message? Guess I
> > should go dig out the rest of this conversation and go read the bug
> > discussion...
> >
> > Having to score every component of a META rule seems like a bad thing...
> > My MTA integration only allows for 4K of headers to add and I'm already
> > exceeding it fairly often. Adding more insignificant rules to the list
> > will just make it that much worse...
>
> If you disable a rule it doesn't run.  Period.  When your eval is run it'll use a false
> result in place of a disabled rule.  Thus if the rule is a required part of the meta
> (it's ANDed) then the meta will never fire.  If it's an optional part of the meta (it's
> ORed) then the meta will fire if it goes on to evaluate true.


That is a bad thing. And it also seems to be different from the original
version of SA I started with which supported META. (I started back with
2.20 something.) The wording back then suggested you could write a META
rule with components scored zero so that they would not report but the
META would still work. That behavior is depended upon for some of the
SARE rule sets, it appears.

Could it be possible to enhance SpamAssassin with an artificial score,
"META". Internally that would be interpreted as something like 0.0001
so that the rule would fire. Then make a second change so that any rule
with a score equal to or under META, 0.0001, does not print out in the
reports individually?

If so I can (grit my teeth and) file a bugzilla request for the change.
This should be a minimal change that would create the desired and user
expected behavior.

{^_^} 



Re: script / modules ver. inconsistent

2006-07-27 Thread Theo Van Dinter
On Thu, Jul 27, 2006 at 05:33:50PM -0500, Chad Riden wrote:
> I'm running Mac OS X Server 10.4.7 and have used both source & CPAN  
> to update spamassassin, amavisd-new & clamav in the past, but most  
> recently used CPAN to update to SpamAssassin 3.1.3. Everything seems  
> to be working really well, however 'spamassassin --lint' reports:
> 
> spamassassin: spamassassin script is v3.001002, but using modules  
> v3.001003
> 
> Did I err?
> 
> What do I need to do to fix this?

It means that you're executing scripts from 3.1.2, but have the perl modules
from 3.1.3 installed.  I'd guess either your previous and current install used
a different 'bin' directory, or there was some error while doing the updates.

The general fix is to wipe out your SA install and reinstall it.

-- 
Randomly Generated Tagline:
"He went on to say that he was afraid to speak with me because I wrote
 a Perl book and because I occassionally nibble on rubber bats and wear
 leather pants ..." - Nathan Patwardhan




More FN's since SA-Update run

2006-07-27 Thread Chris
Since I ran sa-update last Sunday I've been getting between 1 and 3 FN's 
daily.  Here's a sample of today's:

X-Spam-Virus: No
 X-Spam-Seen: Tokens 92
 X-Spam-New: Tokens 123
 X-Spam-Remote: Host localhost.localdomain
 X-Spam-Checker-Version: SpamAssassin 3.1.2 (2006-05-25) on 
cpollock.localdomain
 X-Spam-Hammy: Tokens 10
 X-Spam-Status: No, score=3.6 required=5.0 
tests=BAYES_60,DNS_FROM_RFC_ABUSE,
MSGID_FROM_MTA_ID autolearn=disabled version=3.1.2
 X-Spam-Spammy: Tokens 17
 X-Spam-Pyzor: Reported 0 times.
 X-Spam-Token: Summary Tokens: new, 31; hammy, 10; neutral, 65; spammy, 17.
 X-Spam-DCC: cpollock 1113; Body=1 Fuz1=1 Fuz2=1
 X-Spam-Untrusted: Relays [ ip=201.78.246.234 rdns= helo=1C124EC 
by=mx-casero.atl.sa.earthlink.net ident= envfrom= intl=0 
id=1g6cgY7vl3Nl34m0 auth= ] [ ip=201.78.246.234 rdns= helo= 
by=UIAVP-QXHTBMD-A4-x.bellauk.com ident= envfrom= intl=0 id= auth= ]
 X-Spam-Level: ***
 X-Spam-RBL: Results  [0 fireandice.org.]
 [216.193.217.213]
 [127.0.0.4]
 Status: U
 Return-Path: <[EMAIL PROTECTED]>
 Received: from pop.earthlink.net [209.86.93.201]
by localhost with POP3 (fetchmail-6.2.5)
for [EMAIL PROTECTED] (single-drop); Thu, 27 Jul 2006 15:17:06 
-0500 (CDT)
 Received: from 1C124EC ([201.78.246.234])
by mx-casero.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP 
id 1g6cgY7vl3Nl34m0; Thu, 27 Jul 2006 16:15:57 -0400 (EDT)
 Received: from 201.78.246.234
          by UIAVP-QXHTBMD-A4-x.bellauk.com with smtp
          for <[EMAIL PROTECTED]>; Thu, 27 Jul 2006 13:15:59 -0800
 From: "Glen.T" <[EMAIL PROTECTED]>
 To: "Cpollet" <[EMAIL PROTECTED]>
 Subject: Works also went into the public domain in most other countries. In 
the European Union, where a retroactive copyright extension law 
re-copyrighted 20 years worth of public domain works a couple of years 
back, works by authors who died in 1927 rejoined the public domain. In most 
of the rest of the world, works by authors who died in 1947 entered the 
public domain.
 Date: Thu, 27 Jul 2006 13:15:59 -0800
 Mime-Version: 1.0
 Message-Id: <[EMAIL PROTECTED]>
 X-ELNK-Info: spv=0;
 X-ELNK-AV: 0
 X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
 X-SenderIP: 201.78.246.234
 X-ASN: ASN-7738
 X-CIDR: 201.78.192.0/18
 Content-Type: 
 X-UID: 19458
 X-Length: 2519

When spamassassin -t is run against the saved spam however (without running 
spamassassin -r) the output is completely different:

Content preview:  You can buy absolutely legal, perfect quality must have
  medications at lowest prices just in few minutes
  http://www.geocities.com\///\stanton1094 Terri Colbert John Mark
  Ockerbloom, Editor John Mark Ockerbloom, Editor [...] 

Content analysis details:   (6.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 2.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.6656]
 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 2.6 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            []
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [201.78.246.234 listed in sbl-xbl.spamhaus.org]
-3.2 AWL                    AWL: From: address is in the auto white-list

Prior to this I haven't gotten a FN for at least 6 months.

Any possible reasons why this may be happening now?

Running SA 3.1.2

-- 
Chris
17:29:46 up 17 days, 15:34, 2 users, load average: 0.68, 0.43, 0.23




script / modules ver. inconsistent

2006-07-27 Thread Chad Riden



Let me apologize in advance if this is a dumb question. I've read all  
the docs I've found and Googled for answers, but am still confused.



I'm running Mac OS X Server 10.4.7 and have used both source & CPAN  
to update spamassassin, amavisd-new & clamav in the past, but most  
recently used CPAN to update to SpamAssassin 3.1.3. Everything seems  
to be working really well, however 'spamassassin --lint' reports:


spamassassin: spamassassin script is v3.001002, but using modules  
v3.001003



Did I err?

What do I need to do to fix this?

Thanks for your time,




--
Thanks,

Chad Riden

http://chad.riden.org/

http://www.ChadRiden.com/
http://www.myspace.com/chadriden

http://www.MangyDog.com/chad/
http://www.myspace.com/mangyk9

http://www.NashvilleStandUp.com/
http://www.myspace.com/nsup





Re: Help for beginner

2006-07-27 Thread Theo Van Dinter
On Thu, Jul 27, 2006 at 05:06:01PM -0500, Logan Shaw wrote:
> Having said that, I'm confused about why /etc/crontab would
> exist in any version of cron.  It seems more complicated to
> put root's crontab in a special place that's different than
> the pattern for every other user (where crontabs are stored
> somewhere under /var/spool/cron), and I don't see the benefit
> you'd get in exchange for that extra complication.

Well, it's not root's crontab, so ...

Regardless, this list isn't the best place to discuss systems administration
or how to manage your machine.

-- 
Randomly Generated Tagline:
"You ripped his arm off.
  Yeah ...  He had a spare."- From the movie Action Jackson




Re: Problems after upgrade to 3.1.4

2006-07-27 Thread Theo Van Dinter
On Thu, Jul 27, 2006 at 02:48:06PM -0700, Bret Miller wrote:
> So what we're saying here is that if you create a META rule on a
> disabled (scored 0) rule, the META rule doesn't work? Didn't work before
> either?

It may have worked somewhat, but probably not as intended.  It really depends
on the meta rule.

> Or still works but generates an info debug message? Guess I
> should go dig out the rest of this conversation and go read the bug
> discussion...

Don't confuse "the meta rule is executed" with "the meta rule works
as expected".  If the meta rule has a non-zero score, it's executed no
matter what the dependencies are doing.  However, the rule will likely
not work correctly if subrules are disabled.

In 3.1.4, conditions where a meta rule's dependencies have an issue will
cause an info message to be generated.

> Having to score every component of a META rule seems like a bad thing...

You don't, but if a subrule/dependency is disabled, then ... well, it's
disabled.

> My MTA integration only allows for 4K of headers to add and I'm already
> exceeding it fairly often. Adding more insignificant rules to the list
> will just make it that much worse...

I'm not sure what this has to do with anything.

-- 
Randomly Generated Tagline:
"In case you're wondering why I mentioned 'My Fair Lady' and then sung 
 part of a song from 'West Side Story' ... it's because I'm stupid." - Pat Sajak




Re: Help for beginner

2006-07-27 Thread Logan Shaw

On Thu, 27 Jul 2006, John D. Hardin wrote:
> On Thu, 27 Jul 2006, Logan Shaw wrote:
> > On Thu, 27 Jul 2006, Theo Van Dinter wrote:
> > > By default, they're probably already setup.  /etc/crontab usually points
> > > at them.
> >
> > What's an /etc/crontab?  I've never seen one of those before.
>
> That's the global default crontab file (at least in some versions of
> cron). It does things like run the hourly, daily, weekly and monthly
> cron jobs via run-parts or a similar tool (at least in some versions
> of cron).


Wow, it actually exists?!  I wrote what I did because I
thought you had made a typo and meant to say "root's crontab"
but wrote "/etc/crontab" instead even though /etc/crontab
doesn't literally exist.

Having said that, I'm confused about why /etc/crontab would
exist in any version of cron.  It seems more complicated to
put root's crontab in a special place that's different than
the pattern for every other user (where crontabs are stored
somewhere under /var/spool/cron), and I don't see the benefit
you'd get in exchange for that extra complication.

(OK, end of thinly-veiled Linux rant...)

  - Logan


Re: Problems after upgrade to 3.1.4

2006-07-27 Thread Daryl C. W. O'Shea

Bret Miller wrote:

> So what we're saying here is that if you create a META rule on a
> disabled (scored 0) rule, the META rule doesn't work?

Disabled means disabled.  Disabled rules are never run.

Quoting the relevant score config info from M:SA:Conf POD:

score SYMBOLIC_TEST_NAME n.nn [ n.nn n.nn n.nn ]

Setting a rule's score to 0 will disable that rule from running.

Note that test names which begin with "__" are indirect rules used to
compose meta-match rules and can also act as prerequisites to
other rules.  They are not scored or listed in the "tests hit" reports, but
assigning a score of 0 to an indirect rule will disable
it from running.

> Didn't work before either?

There has been *zero* functionality change.

> Or still works but generates an info debug message? Guess I
> should go dig out the rest of this conversation and go read the bug
> discussion...
>
> Having to score every component of a META rule seems like a bad thing...
> My MTA integration only allows for 4K of headers to add and I'm already
> exceeding it fairly often. Adding more insignificant rules to the list
> will just make it that much worse...

If you disable a rule it doesn't run.  Period.  When your eval is run
it'll use a false result in place of a disabled rule.  Thus if the rule
is a required part of the meta (it's ANDed) then the meta will never
fire.  If it's an optional part of the meta (it's ORed) then the meta
will fire if it goes on to evaluate true.



Daryl
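
The behaviour described in the message above (a disabled rule is replaced by a false result, so an ANDed meta never fires while an ORed one still can), modelled as an added Python example that is not SpamAssassin's own code. The rule names and sample config are constructed, only boolean meta expressions are handled, and treating an undefined dependency as false is an assumption of this sketch; the message wording follows the 3.1.4 info lines quoted in this thread.

```python
import re

# Constructed rules in SpamAssassin config syntax; every rule name is made up.
SAMPLE_CF = r"""
body    __EX_PILLS      /cheap pills/i
body    EX_LONG_LINE    /\S{200}/
header  __EX_SUBJ_CAPS  Subject =~ /^[A-Z ]+$/
meta    EX_AND_META     __EX_PILLS && EX_LONG_LINE
meta    EX_OR_META      __EX_PILLS || EX_LONG_LINE
meta    EX_MISSING_DEP  __EX_SUBJ_CAPS && EX_NOT_DEFINED
score   EX_LONG_LINE    0
score   EX_AND_META     2.0
score   EX_OR_META      1.0
score   EX_MISSING_DEP  1.5
"""

RULE_KEYWORDS = {"body", "rawbody", "header", "uri", "full", "meta"}
TOKEN_RE = re.compile(r"\s*(&&|\|\||!|\(|\)|[A-Za-z_]\w*)")
OPS = {"&&": "and", "||": "or", "!": "not", "(": "(", ")": ")"}


def parse_rules(cf_text):
    """Return (defined rule names, {meta: expression}, {rule: score})."""
    defined, metas, scores = set(), {}, {}
    for raw in cf_text.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        keyword, name, rest = parts
        if keyword == "score":
            scores[name] = float(rest.split()[0])
        elif keyword in RULE_KEYWORDS:
            defined.add(name)
            if keyword == "meta":
                metas[name] = rest
    return defined, metas, scores


def tokenize(expr):
    """Split a boolean meta expression into operators and rule names."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        match = TOKEN_RE.match(expr, pos)
        if not match:
            raise ValueError("unsupported token at %r" % expr[pos:])
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def lint_metas(defined, metas, scores):
    """Report meta dependencies that are undefined or disabled by a zero score."""
    messages = []
    for meta, expr in metas.items():
        for dep in (t for t in tokenize(expr) if t not in OPS):
            if dep not in defined:
                messages.append(
                    "meta test %s has undefined dependency '%s'" % (meta, dep))
            elif scores.get(dep) == 0:
                messages.append(
                    "meta test %s has dependency '%s' with a zero score" % (meta, dep))
    return messages


def meta_fires(meta, hits, defined, metas, scores):
    """Evaluate a meta given the rules that matched the message (hits).

    A dependency that is disabled (score 0) never runs, so it contributes
    False even if its pattern would have matched.
    """
    py = []
    for tok in tokenize(metas[meta]):
        if tok in OPS:
            py.append(OPS[tok])
        else:
            runs = tok in defined and scores.get(tok) != 0
            py.append(str(runs and tok in hits))
    # py now holds only True/False/and/or/not/parentheses, so eval is bounded.
    return bool(eval(" ".join(py), {"__builtins__": {}}))


if __name__ == "__main__":
    defined, metas, scores = parse_rules(SAMPLE_CF)
    for line in lint_metas(defined, metas, scores):
        print("info: rules:", line)
    hits = {"__EX_PILLS", "EX_LONG_LINE"}   # both patterns would match
    for name in ("EX_AND_META", "EX_OR_META"):
        print(name, "fires:", meta_fires(name, hits, defined, metas, scores))
```
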


RE: Problems after upgrade to 3.1.4

2006-07-27 Thread Bret Miller
> >> These occur with spamassassin -D --lint.  RDJ is up to date, as is
> >> sa-update.
> >>
> >> [6837] info: rules: meta test DIGEST_MULTIPLE has undefined dependency
> >> 'DCC_CHECK'
> >> [6837] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency
> >> 'MIME_QP_LONG_LINE' with a zero score
> >> [6837] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined
> >> dependency 'SARE_XMAIL_SUSP2'
> >> [6837] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined
> >> dependency 'SARE_HEAD_XAUTH_WARN'
> >> [6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
> >> 'SARE_RD_SAFE_MKSHRT'
> >> [6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
> >> 'SARE_RD_SAFE_GT'
> >> [6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
> >> 'SARE_RD_SAFE_TINY'
> >> [6837] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency
> >> 'SARE_OBFU_CIALIS2'
> >> [6837] info: rules: meta test FP_MIXED_PORN3 has undefined dependency
> >> 'FP_PENETRATION'
> >
> > It's just info.  Some of your rules have undefined dependencies or are
> > disabled via a zero score.
>
> If the rule is part of a meta a zero score on the rule should not
> matter. It should still be evaluated because ultimately it has an
> indirect score via the meta rule.
>
> I like to see the sub-rules of a meta rule hitting for tracking. So
> I always issue a 0.001 score or something like that which will not
> affect results materially.

So what we're saying here is that if you create a META rule on a
disabled (scored 0) rule, the META rule doesn't work? Didn't work before
either? Or still works but generates an info debug message? Guess I
should go dig out the rest of this conversation and go read the bug
discussion...

Having to score every component of a META rule seems like a bad thing...
My MTA integration only allows for 4K of headers to add and I'm already
exceeding it fairly often. Adding more insignificant rules to the list
will just make it that much worse...

I guess it's time to write my own integration code... Ugh.

Bret





Re: Help for beginner

2006-07-27 Thread John D. Hardin
On Thu, 27 Jul 2006, Logan Shaw wrote:

> On Thu, 27 Jul 2006, Theo Van Dinter wrote:
> > By default, they're probably already setup.  /etc/crontab usually points
> > at them.
> 
> What's an /etc/crontab?  I've never seen one of those before.

That's the global default crontab file (at least in some versions of
cron). It does things like run the hourly, daily, weekly and monthly
cron jobs via run-parts or a similar tool (at least in some versions
of cron).

If you don't have an /etc/crontab then your cron package may be
improperly installed, or may have become damaged after installation.
Does your cron package report missing files if you verify its
integrity (however your package manager does that, e.g. "rpm -V
vixie-cron")?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Windows Genuine Advantage (WGA) means that now you use your 
  computer at the sufferance of Microsoft Corporation. They can
  kill it remotely without your consent at any time for any reason.
--



Re: Which Net::DNS version for Fedora Core 4?

2006-07-27 Thread jdow

From: "Radoslaw Zielinski" <[EMAIL PROTECTED]>


> No, it doesn't trim out the rules.  Unless the packager is mad.


I did NOT say the rules were left out. The TOOLS was left out, a
whole nice directory full of tools like the official SA version of
sa-stats.pl, and so forth. It normally appears as part of the
/usr/share/doc/spamassassin*/ directory as "tools". For at least
one distro of Fedora Core all that appeared in that directory were
pure documentation files. None of the rest of the stuff appeared.
Back in Red Hat days the other directories were supported in a
spamassassin-tools rpm file. Now that seems to be dropped. At least
when I went looking for sa-stats.pl on the FC4 distro I could not
find it and ripped the distro's spamassassin out by its tonsils
with extreme prejudice and installed via CPAN, which worked properly.

{^_^}



Re: SPF breaks email forwarding

2006-07-27 Thread John D. Hardin
On Thu, 27 Jul 2006, Hamish wrote:

> Forwarding should (IMO) be implemented in such a way as the
> FORWARDING mailbox should be used as the new return-path (Just
> like if you forwarded an email from your MUA rather than with the
> MDA). Then both SPF and forwarding would work fine. And
> furthermore be consistent.

...and lead to a mail loop if the forward-to address starts bouncing
messages for some reason...

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Windows Genuine Advantage (WGA) means that now you use your 
  computer at the sufferance of Microsoft Corporation. They can
  kill it remotely without your consent at any time for any reason.
--



Re: Problems after upgrade to 3.1.4

2006-07-27 Thread jdow

From: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]>


> Steven Stern wrote:
> > These occur with spamassassin -D --lint.  RDJ is up to date, as is
> > sa-update.
> >
> > [6837] info: rules: meta test DIGEST_MULTIPLE has undefined dependency
> > 'DCC_CHECK'
> > [6837] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency
> > 'MIME_QP_LONG_LINE' with a zero score
> > [6837] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined
> > dependency 'SARE_XMAIL_SUSP2'
> > [6837] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined
> > dependency 'SARE_HEAD_XAUTH_WARN'
> > [6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
> > 'SARE_RD_SAFE_MKSHRT'
> > [6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
> > 'SARE_RD_SAFE_GT'
> > [6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
> > 'SARE_RD_SAFE_TINY'
> > [6837] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency
> > 'SARE_OBFU_CIALIS2'
> > [6837] info: rules: meta test FP_MIXED_PORN3 has undefined dependency
> > 'FP_PENETRATION'
>
> It's just info.  Some of your rules have undefined dependencies or are
> disabled via a zero score.


If the rule is part of a meta a zero score on the rule should not
matter. It should still be evaluated because ultimately it has an
indirect score via the meta rule.

I like to see the sub-rules of a meta rule hitting for tracking. So
I always issue a 0.001 score or something like that which will not
affect results materially.

{^_^}


Re: OT humor

2006-07-27 Thread jdow

From: "Kelson" <[EMAIL PROTECTED]>


> jdow wrote:
> > In the October "Analog Science Fiction and Fact" magazine one of the
> > short stories is titled "Nigerian Scam" by Richard A. Lovett, in which
> > the scammer really IS from "Vega", the protagonist misses seeing the
> > scam involved, and the scammer and gets "dealt with" in the end quite
> > um appropriately and thoroughly. In fact the scammer's end was quite
> > cathartic.
>
> So this story would fall under the category of "Science fiction that you
> wish would be fact," right?

Well, some of the ideas in it as part of the scam might be fun to
have around. It's just that poor old GLEIMICKR just sort of misunderstood
how hardware hackers work and as a result got a calibration parameter
about 16000:1 off which affected his scam's success and made the end
more or less inevitable.

{^_-}


RE: Help for beginner

2006-07-27 Thread Cabell, Dale
Of course there is no run-parts in the manual...

Dale

-Original Message-
From: Cabell, Dale [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 27, 2006 1:57 PM
To: Logan Shaw; users@spamassassin.apache.org
Subject: RE: Help for beginner

Is this to run at 3:05am everyday?

Also, run-parts is not running does it wake up somehow?

Dale

-Original Message-
From: Logan Shaw [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 27, 2006 1:47 PM
To: users@spamassassin.apache.org
Subject: RE: Help for beginner

On Thu, 27 Jul 2006, Cabell, Dale wrote:
> How do I get cron to look at my cron scripts in cron.daily or hourly for
> that matter? I can execute the script manually (e.g. ./). I did a chmod
> 755 on the file. Do I need to do a 777?

The difference between 777 and 755 is that 777 would add the
"2" bit (write access) for group members and others.  Since
you're not trying to write to the script, that won't help.
Incidentally, I advise using the symbolic chmod notation until
you know the octal stuff off the top of your head.  To me,
it's much easier to remember that

 chmod u=rwx,go=rx foo

makes foo readable, writable, and executable by the "u"ser,
and only readable and executable by "g"roup and "o"ther than
it is to remember that "755" means the same thing.  "755"
does, however, have the advantage that it's quicker to type.

Anyway, a mildly strange thing about Linux is that it turns out
that the scripts in /etc/cron.daily aren't run by cron at all.
Instead, they're run by a command called "run-parts".  All this
command does is look in a directory, then run every script it
finds there.  This turns out to be handy for scheduling stuff
with cron because your nightly maintenance crud can have just
one cron entry, and then the jobs proceed in an orderly fashion,
one after another.

So, to get cron to run everything in /etc/cron.daily, you need
to add something like this to the crontab (using "crontab -e"
to make changes to root's crontab):

5 3 * * * run-parts /etc/cron.daily

Hope that helps.

   - Logan


RE: Help for beginner

2006-07-27 Thread Cabell, Dale
Is this to run at 3:05am everyday?

Also, run-parts is not running does it wake up somehow?

Dale

-Original Message-
From: Logan Shaw [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 27, 2006 1:47 PM
To: users@spamassassin.apache.org
Subject: RE: Help for beginner

On Thu, 27 Jul 2006, Cabell, Dale wrote:
> How do I get cron to look at my cron scripts in cron.daily or hourly for
> that matter? I can execute the script manually (e.g. ./). I did a chmod
> 755 on the file. Do I need to do a 777?

The difference between 777 and 755 is that 777 would add the
"2" bit (write access) for group members and others.  Since
you're not trying to write to the script, that won't help.
Incidentally, I advise using the symbolic chmod notation until
you know the octal stuff off the top of your head.  To me,
it's much easier to remember that

 chmod u=rwx,go=rx foo

makes foo readable, writable, and executable by the "u"ser,
and only readable and executable by "g"roup and "o"ther than
it is to remember that "755" means the same thing.  "755"
does, however, have the advantage that it's quicker to type.

Anyway, a mildly strange thing about Linux is that it turns out
that the scripts in /etc/cron.daily aren't run by cron at all.
Instead, they're run by a command called "run-parts".  All this
command does is look in a directory, then run every script it
finds there.  This turns out to be handy for scheduling stuff
with cron because your nightly maintenance crud can have just
one cron entry, and then the jobs proceed in an orderly fashion,
one after another.

So, to get cron to run everything in /etc/cron.daily, you need
to add something like this to the crontab (using "crontab -e"
to make changes to root's crontab):

5 3 * * * run-parts /etc/cron.daily

Hope that helps.

   - Logan


RE: rulesets for spamassasin

2006-07-27 Thread Kurt Buff

> (And I have heard there is one
> person alive who thoroughly understands PostFix. He currently lives
> in an insane asylum. {^_-})
>
> {^_^} 

Heh. Not true.

You just need The Book of Postfix, by Ralf Hildebrandt and Patrick Koetter

http://www.bookpool.com/sm/1593270011

Excellent book.


  



Re: Help for beginner

2006-07-27 Thread Logan Shaw

On Thu, 27 Jul 2006, Theo Van Dinter wrote:

> By default, they're probably already setup.  /etc/crontab usually points
> at them.

What's an /etc/crontab?  I've never seen one of those before.

> In general, don't make files world writable unless you know
> you have to.


Agreed.

  - Logan


RE: Help for beginner

2006-07-27 Thread Logan Shaw

On Thu, 27 Jul 2006, Cabell, Dale wrote:

> How do I get cron to look at my cron scripts in cron.daily or hourly for
> that matter? I can execute the script manually (e.g. ./). I did a chmod
> 755 on the file. Do I need to do a 777?


The difference between 777 and 755 is that 777 would add the
"2" bit (write access) for group members and others.  Since
you're not trying to write to the script, that won't help.
Incidentally, I advise using the symbolic chmod notation until
you know the octal stuff off the top of your head.  To me,
it's much easier to remember that

chmod u=rwx,go=rx foo

makes foo readable, writable, and executable by the "u"ser,
and only readable and executable by "g"roup and "o"ther than
it is to remember that "755" means the same thing.  "755"
does, however, have the advantage that it's quicker to type.

Anyway, a mildly strange thing about Linux is that it turns out
that the scripts in /etc/cron.daily aren't run by cron at all.
Instead, they're run by a command called "run-parts".  All this
command does is look in a directory, then run every script it
finds there.  This turns out to be handy for scheduling stuff
with cron because your nightly maintenance crud can have just
one cron entry, and then the jobs proceed in an orderly fashion,
one after another.

So, to get cron to run everything in /etc/cron.daily, you need
to add something like this to the crontab (using "crontab -e"
to make changes to root's crontab):

5 3 * * * run-parts /etc/cron.daily

Hope that helps.

  - Logan
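
The 755 versus 777 distinction and the run-parts behaviour from the message above, as an added Python example that is not part of the original post: it renders a mode in the symbolic chmod notation, marks which files in a cron directory run-parts would execute, and flags the group/other write bit. The directory and its three job files are constructed in a temporary location so nothing under /etc is touched.

```python
import os
import stat
import tempfile


def symbolic(mode):
    """Render permission bits as chmod symbolic clauses: 0o755 -> 'u=rwx,go=rx'."""
    groups = {}                      # permission letters -> classes sharing them
    for who, shift in (("u", 6), ("g", 3), ("o", 0)):
        bits = (mode >> shift) & 0o7
        letters = "".join(
            ch for ch, bit in (("r", 4), ("w", 2), ("x", 1)) if bits & bit)
        groups.setdefault(letters, []).append(who)
    return ",".join(
        "%s=%s" % ("".join(who), letters) for letters, who in groups.items())


def audit_cron_dir(path):
    """Return {name: (symbolic mode, run-parts would run it, group/other can write)}."""
    report = {}
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        runs = bool(mode & 0o111)    # run-parts only runs executable files
        loose = bool(mode & 0o022)   # the "2" bit set for group or other
        report[name] = (symbolic(mode), runs, loose)
    return report


def build_sample_dir():
    """Constructed stand-in for /etc/cron.daily holding three job files."""
    path = tempfile.mkdtemp(prefix="cron.daily.")
    for name, mode in (("sa-update", 0o755), ("loose-job", 0o777), ("not-exec", 0o644)):
        full = os.path.join(path, name)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(full, mode)
    return path


if __name__ == "__main__":
    for name, (sym, runs, loose) in audit_cron_dir(build_sample_dir()).items():
        print("%-10s %-14s runs=%-5s writable-by-others=%s" % (name, sym, runs, loose))
```
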


Re: SPF breaks email forwarding

2006-07-27 Thread Gino Cerullo


On 27-Jul-06, at 4:32 PM, Hamish wrote:

> On Wednesday 26 July 2006 17:25, Marc Perkel wrote:
> > Benny Pedersen wrote:
> > > On Tue, July 25, 2006 18:51, Marc Perkel wrote:
> > > > SPF breaks email forwarding. My users use forwarding.
> > >
> > > fair, but why not stop using forwarding ?
> >
> > Because my customers want to use forwarding.
>
> Perhaps it would be fairer to say that SPF is fine but the forwarding is
> broken.
>
> Forwarding should (IMO) be implemented in such a way as the FORWARDING mailbox
> should be used as the new return-path (Just like if you forwarded an email
> from your MUA rather than with the MDA). Then both SPF and forwarding would
> work fine. And furthermore be consistent.
>
> Hamish.

That's the basic idea behind SRS. The forwarding server re-writes the
header and takes responsibility for the forwarded email.



--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

T: 416-247-7740
F: 416-247-7503




RE: Help for beginner

2006-07-27 Thread Cabell, Dale
Cron is running and it does not appear to execute the commands in the
directories.

Dale

-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 27, 2006 1:42 PM
To: users@spamassassin.apache.org
Subject: Re: Help for beginner

On Thu, Jul 27, 2006 at 01:31:48PM -0700, Cabell, Dale wrote:
> How do I get cron to look at my cron scripts in cron.daily or hourly for
> that matter? I can execute the script manually (e.g. ./). I did a chmod
> 755 on the file. Do I need to do a 777?

By default, they're probably already setup.  /etc/crontab usually points
at them.  In general, don't make files world writable unless you know
you have to.

FWIW, I would suggest reading up on system administration tasks in
Linux.
It would help with the types of issues you've been asking about, where
this isn't really the right place to discuss them.

-- 
Randomly Generated Tagline:
Oooh ... maca-ma-damia nuts.
 
-- Homer Simpson
   Bart's Dog Gets an F


Re: Help for beginner

2006-07-27 Thread Theo Van Dinter
On Thu, Jul 27, 2006 at 01:31:48PM -0700, Cabell, Dale wrote:
> How do I get cron to look at my cron scripts in cron.daily or hourly for
> that matter? I can execute the script manually (e.g. ./). I did a chmod
> 755 on the file. Do I need to do a 777?

By default, they're probably already setup.  /etc/crontab usually points
at them.  In general, don't make files world writable unless you know
you have to.

FWIW, I would suggest reading up on system administration tasks in Linux.
It would help with the types of issues you've been asking about, where
this isn't really the right place to discuss them.

-- 
Randomly Generated Tagline:
Oooh ... maca-ma-damia nuts.
 
-- Homer Simpson
   Bart's Dog Gets an F




Re: SPF breaks email forwarding

2006-07-27 Thread Hamish
On Wednesday 26 July 2006 17:25, Marc Perkel wrote:
> Benny Pedersen wrote:
> > On Tue, July 25, 2006 18:51, Marc Perkel wrote:
> >> SPF breaks email forwarding. My users use forwarding.
> >
> > fair, but why not stop using forwarding ?
>
> Because my customers want to use forwarding.

Perhaps it would be fairer to say that SPF is fine but the forwarding is 
broken.

Forwarding should (IMO) be implemented in such a way as the FORWARDING mailbox 
should be used as the new return-path (Just like if you forwarded an email 
from your MUA rather than with the MDA). Then both SPF and forwarding would 
work fine. And furthermore be consistent.


Hamish.




RE: Help for beginner

2006-07-27 Thread Cabell, Dale
How do I get cron to look at my cron scripts in cron.daily or hourly for
that matter? I can execute the script manually (e.g. ./). I did a chmod
755 on the file. Do I need to do a 777?

Thanks,
Dale Cabell
[EMAIL PROTECTED]

-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 25, 2006 10:47 AM
To: users@spamassassin.apache.org
Subject: Re: Help for beginner

On Tue, Jul 25, 2006 at 10:38:14AM -0700, Cabell, Dale wrote:
> How do I tell if the version I have was installed using yum, Make, etc?

You can probably figure out if it's a package or not.  "rpm -q
spamassassin" ?

> Where can I get a precompiled version? The tar file seems to be the only
> available download.

There's no official "compiled" or packaged version.  Different distros have it
available, and there's probably others out there that have it.

Is there a reason you don't make your own package?

"rpmbuild -tb Mail-SpamAssassin-..."

> How do I tell where the functionality, which is now in additional
> plugins was previously? I need to make sure the configuration stays the
> same after upgrading.

Read the UPGRADE doc, do testing before the install, etc.  Generally speaking,
the plugins work the same way as before, so just make sure that you have
enabled the ones you want, and disable the ones you don't want.

-- 
Randomly Generated Tagline:
"Hoping the problem magically goes away by ignoring it is the 'Microsoft
 approach to programming' and should never be allowed."  - Linus
Torvalds


Re: Problems after upgrade to 3.1.4

2006-07-27 Thread Logan Shaw

On Fri, 28 Jul 2006, sokka wrote:

> I am trying to upgrade using perl but it still shows Mail::SpamAssassin
> is up to date. Let me know whether the version 3.1.4 is released for perl
> installation.


If you're using a CPAN shell, you may need to give the command
"reload index" for it to grab the latest index of what's
available from CPAN and thereby see that 3.1.4 is available.

Try this:

perl -MCPAN -e shell

cpan> reload index
# it should load latest stuff from CPAN

cpan> m /Mail::SpamAssassin/
# verify that CPAN has 3.1.4

  - Logan


[no subject]

2006-07-27 Thread sokka
Dear Group Members,
 
I have a GW IP from where all mails will come and fall to my real server. I have spamassassin in my real server which is almost up to date. Now, whenever I rcv a mail by bypassing the gw it is stamped as SPAM where if the same mail comes thru that gw it is marked in low rate.

 
How to reactivate my gw ip in my spamassassin to scan as if a normal ip.
 
regards 


Re: Problems after upgrade to 3.1.4

2006-07-27 Thread Theo Van Dinter
On Fri, Jul 28, 2006 at 12:52:42AM +0530, sokka wrote:
> I am trying to upgrade using perl but it still shows Mail::SpamAssassin
> is up to date. Let me know whether the version 3.1.4 is released for perl
> installation.

It's not quite clear what you're asking.  I think you're
asking if 3.1.4 is available via CPAN yet.  The answer to
that is yes, though it may not be out at all the mirrors yet.
(http://cpan.org/modules/by-module/Mail/Mail-SpamAssassin-3.1.4.tar.gz)

-- 
Randomly Generated Tagline:
Living your life is a task so difficult, it has never been attempted before.




Re: Problems after upgrade to 3.1.4

2006-07-27 Thread sokka
Dear Groupmembers,
 
 
I am trying to upgrade using perl but it still shows Mail::SpamAssassin is up to date. Let me know whether the version 3.1.4 is released for perl installation.
 
 
regards


RE: Problems after upgrade to 3.1.4

2006-07-27 Thread Bret Miller
> > > Does the upgrade do something like change the default local rules
> > > path, such that the dependency rules can no longer be found? Etc.
> >
> > No, the rules would likely have had these issues for a while (I
> > can't really comment on non-official rules), but with 3.1.4
> > there's now info output showing that there's a problem.
>
> Ah! Okay, I was making the assumption that the rules in question
> *were* all working before the upgrade.
>
> My mistake (and an easy one to make, too)...

I figure the SARE guys will be working on their rules to fix them
soon...

Bret





Re: Problems after upgrade to 3.1.4

2006-07-27 Thread John D. Hardin
On Thu, 27 Jul 2006, Theo Van Dinter wrote:

> > Does the upgrade do something like change the default local rules
> > path, such that the dependency rules can no longer be found? Etc.
> 
> No, the rules would likely have had these issues for a while (I
> can't really comment on non-official rules), but with 3.1.4
> there's now info output showing that there's a problem.

Ah! Okay, I was making the assumption that the rules in question
*were* all working before the upgrade.

My mistake (and an easy one to make, too)...

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The first time I saw a bagpipe, I thought the player was torturing
  an octopus. I was amazed they could scream so loudly.
-- cat_herder_5263 on Y! SCOX
---



Re: Problems after upgrade to 3.1.4

2006-07-27 Thread Raymond Dijkxhoorn

Hi!


> > It's just info.  Some of your rules have undefined dependencies or are
> > disabled via a zero score.
>
> That's fairly obvious from the warning message.
>
> I think both OPs point is that a 3.1.3 -> 3.1.4 (i.e. minor version
> bugfix) upgrade shouldn't suddenly make a bunch of previously-working
> rules simply disappear...
>
> Does the upgrade do something like change the default local rules
> path, such that the dependency rules can no longer be found? Etc.

It warns you that some of your rules have missing elements. Go look at
those rules and get it fixed at their sources ;)


Bye,
Raymond.


Re: Problems after upgrade to 3.1.4

2006-07-27 Thread Theo Van Dinter
On Thu, Jul 27, 2006 at 11:21:54AM -0700, John D. Hardin wrote:
> I think both OPs point is that a 3.1.3 -> 3.1.4 (i.e. minor version
> bugfix) upgrade shouldn't suddenly make a bunch of previously-working
> rules simply disappear...

This wouldn't make rules disappear.  It's informational output, but not a
lint error.  You can follow the discussion in
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4347 if you want. :)

> Does the upgrade do something like change the default local rules
> path, such that the dependency rules can no longer be found? Etc.

No, the rules would likely have had these issues for a while (I can't
really comment on non-official rules), but with 3.1.4 there's now info output
showing that there's a problem.  (before, people would have had to manually
figure out that meta dependencies have issues)

-- 
Randomly Generated Tagline:
"The random quantum fluctuations of my brain are historical accidents that
 happen to have decided that the concepts of dynamic scoping and lexical
 scoping are orthogonal and should remain that way." - Larry Wall




Re: Problems after upgrade to 3.1.4

2006-07-27 Thread Daryl C. W. O'Shea

John D. Hardin wrote:
> On Thu, 27 Jul 2006, Daryl C. W. O'Shea wrote:
>
> > Steven Stern wrote:
> > > These occur with spamassassin -D --lint.  RDJ is up to date, as is
> > > sa-update.
> > >
> > > [6837] info: rules: meta test DIGEST_MULTIPLE has undefined dependency
> > > 'DCC_CHECK'
>
> ...etc
>
> > It's just info.  Some of your rules have undefined dependencies or are
> > disabled via a zero score.
>
> That's fairly obvious from the warning message.

I thought so too, but a lot of people have asked.

> I think both OPs point is that a 3.1.3 -> 3.1.4 (i.e. minor version
> bugfix) upgrade shouldn't suddenly make a bunch of previously-working
> rules simply disappear...

Who said the rules previously worked.  Who said they don't work now?

> Does the upgrade do something like change the default local rules
> path, such that the dependency rules can no longer be found? Etc.


Like I said, it's *just* info.  It's always been that way -- the rules 
have always had undefined or disabled dependencies.  We just let you 
know now -- see bug 4347.



Daryl


Re: Problems after upgrade to 3.1.4

2006-07-27 Thread John D. Hardin
On Thu, 27 Jul 2006, Daryl C. W. O'Shea wrote:

> Steven Stern wrote:
> > These occur with spamassassin -D --lint.  RDJ is up to date, as is
> > sa-update.
> > 
> > [6837] info: rules: meta test DIGEST_MULTIPLE has undefined dependency
> > 'DCC_CHECK'

...etc

> It's just info.  Some of your rules have undefined dependencies or are 
> disabled via a zero score.

That's fairly obvious from the warning message.

I think both OPs point is that a 3.1.3 -> 3.1.4 (i.e. minor version
bugfix) upgrade shouldn't suddenly make a bunch of previously-working
rules simply disappear...

Does the upgrade do something like change the default local rules
path, such that the dependency rules can no longer be found? Etc.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The first time I saw a bagpipe, I thought the player was torturing
  an octopus. I was amazed they could scream so loudly.
-- cat_herder_5263 on Y! SCOX
---



RE: exim4 + forwarding + spamassassin

2006-07-27 Thread Thomas Lindell
You could have just chmoded the directories and files to 744

 

-Original Message-
From: Zinski, Steve [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 27, 2006 12:37 PM
To: users@spamassassin.apache.org
Subject: RE: exim4 + forwarding + spamassassin

Well, guys, I think I resolved my problem. Since exim runs under the
"nobody" account (I could not get it to run as another user, believe me, I
tried!), I simply copied all of the bayes files from a known working account
to /.spamassassin and chown'ed them to "nobody". Everything is working great
now and I'm getting valid bayes scoring for all inbound Internet mail. I did
try setting up a system-wide path to bayes (in the SpamAssassin local.cf
file) but I was still running into permissions issues. So, for now,
everything works and exim4 is rejecting spam at smtp time. My spam (to my
personal account) has dropped from 100+ daily down to 4 or 5. And, as
someone else pointed out, if a legitimate e-mail gets rejected as spam, the
sender will know that I never got it and try something different. Thanks for
the help, everyone!

Steve



Re: SpamAssassin-3.1.4 and SARE rules

2006-07-27 Thread Daryl C. W. O'Shea

James Lay wrote:
> Morning all!
>
> Just upgraded from 3.1.3 to 3.1.4 and here's what I get:
>
> Jul 27 08:16:27 myshield spamd[15259]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
> Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_GAPPY_4 has undefined dependency '__SARE_SUB_GAPPY_6'
> Jul 27 08:16:27 myshield spamd[15259]: rules: meta test __SARE_SUB_GAPPY_5 has undefined dependency '__SARE_SUB_OBFU_LQUOTE'

[...]

> Just an FYI I guess...anyone else see this kind of action?  Thanks!


It's just info.  Some of your rules have undefined dependencies.

Daryl


Re: Problems after upgrade to 3.1.4

2006-07-27 Thread Daryl C. W. O'Shea

Steven Stern wrote:
> These occur with spamassassin -D --lint.  RDJ is up to date, as is
> sa-update.
>
> [6837] info: rules: meta test DIGEST_MULTIPLE has undefined dependency
> 'DCC_CHECK'
> [6837] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency
> 'MIME_QP_LONG_LINE' with a zero score
> [6837] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined
> dependency 'SARE_XMAIL_SUSP2'
> [6837] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined
> dependency 'SARE_HEAD_XAUTH_WARN'
> [6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
> 'SARE_RD_SAFE_MKSHRT'
> [6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
> 'SARE_RD_SAFE_GT'
> [6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
> 'SARE_RD_SAFE_TINY'
> [6837] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency
> 'SARE_OBFU_CIALIS2'
> [6837] info: rules: meta test FP_MIXED_PORN3 has undefined dependency
> 'FP_PENETRATION'


It's just info.  Some of your rules have undefined dependencies or are 
disabled via a zero score.


Daryl




Re: Which Net::DNS version for Fedora Core 4?

2006-07-27 Thread Daryl C. W. O'Shea

Jeff Chan wrote:
> On Wednesday, July 26, 2006, 11:56:27 PM, Daryl O'Shea wrote:
> > On 7/27/2006 2:39 AM, jdow wrote:
> > > Both Jeff and I are perplexed over a trio of hits on newnanutilities.org
> > > in a message referring to the Fedora update mirror they host.
> >
> > Three mixed up hits on separate messages?  I could sort of see it
> > happening if the cache on all/most lookups for the message expired
> > between checks.
> >
> > > I am running 3.0.6, essentially.
> >
> > *shrug* not sure why you still insist on running 3.0.
>
> Fedora Core 4 doesn't seem to have 3.1.3 rpms that will work
> easily.  In particular they need a newer version of glibc.
>
> Daryl,
> Can you determine if 3.0.6 is safe to use with Net::DNS 0.49?


3.0.6 will exhibit the same occasional mix-ups as the rest of the 3.0 
series, regardless of the version of Net::DNS installed.


Daryl


RE: exim4 + forwarding + spamassassin

2006-07-27 Thread Zinski, Steve
Well, guys, I think I resolved my problem. Since exim runs under the
"nobody" account (I could not get it to run as another user, believe me,
I tried!), I simply copied all of the bayes files from a known working
account to /.spamassassin and chown'ed them to "nobody". Everything is
working great now and I'm getting valid bayes scoring for all inbound
Internet mail. I did try setting up a system-wide path to bayes (in the
SpamAssassin local.cf file) but I was still running into permissions
issues. So, for now, everything works and exim4 is rejecting spam at
smtp time. My spam (to my personal account) has dropped from 100+ daily
down to 4 or 5. And, as someone else pointed out, if a legitimate e-mail
gets rejected as spam, the sender will know that I never got it and try
something different. Thanks for the help, everyone!

Steve


Re: RBL Test Inclusion

2006-07-27 Thread David Cary Hart
On Thu, 27 Jul 2006 18:57:07 +0200 (CEST), "Benny Pedersen"
<[EMAIL PROTECTED]> opined:
> On Wed, July 26, 2006 20:59, David Cary Hart wrote:
> 
> > How can we be included as a standard test?
> 
> attached config should work now, if i did it right this time :-)
> 
I'm an SA nitwit so if anyone does change anything, please let me
know. Also, a general notion of results would be appreciated.

-- 
 "Black Hole": The economic effect of administering a DNSBL
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
   Don't Subsidize Criminals: http://boulderpledge.org


Re: RBL Test Inclusion

2006-07-27 Thread Benny Pedersen
On Wed, July 26, 2006 20:59, David Cary Hart wrote:

> How can we be included as a standard test?

attached config should work now, if i did it right this time :-)

-- 
Benny

#
# this config is made by "Benny Pedersen" <[EMAIL PROTECTED]>
# feel free to change anything if needed
#
# tested with sa 3.1.3
#
# Thanks to David for providing this zone
#

header __TQM_DNSBL rbleval:check_rbl('TQM-DNSBL', 'dnsbl.tqmcube.com.')
describe __TQM_DNSBL Composite
tflags __TQM_DNSBL net
score __TQM_DNSBL 0.1

header TQM_DHCP eval:check_rbl_sub('TQM-DNSBL', '127.0.0.2')
describe TQM_DHCP Dynamic
tflags TQM_DHCP net
score TQM_DHCP 0.1

header TQM_SPAM eval:check_rbl_sub('TQM-DNSBL', '127.0.0.3')
describe TQM_SPAM Spam
tflags TQM_SPAM net
score TQM_SPAM 0.1

header TQM_KO eval:check_rbl_sub('TQM-DNSBL', '127.0.0.4')
describe TQM_KO Korea
tflags TQM_KO net
score TQM_KO 0.1

header TQM_PRC eval:check_rbl_sub('TQM-DNSBL', '127.0.0.5')
describe TQM_PRC China
tflags TQM_PRC net
score TQM_PRC 0.1

RE: "required" occasionally using wrong value

2006-07-27 Thread Bowie Bailey
Durwin F. De La Rue wrote:
> In my maillog, an occasional email comes up with the required as 10.0
> instead of the 5.0 I have set.  There are no user.prefs and daemon is
> started with -x option to boot.  My information is below.
> 
> Thank you for your time,
> 
> Durwin
> 
> Linux version 2.6.11-1.27_FC3smp ([EMAIL PROTECTED])
> (gcc version 3.4.3 20050227 (Red Hat 3.4.3-22)) #1 SMP 
> 
> SpamAssassin version 3.1.3
> running on Perl version 5.8.5
> 
> === M A I L L O G ===
> Jul 27 09:54:24 zaphod spamd[11472]: spamd: result: . 2 -
> BAYES_50,EXTRA_MPART_TYPE,HTML_40_50,HTML_IMAGE_ONLY_32,HTML_MESSAGE
> scantime=5.7,size=84434,user=sa-milt,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=44596,mid=<001101c6b194$e0a3e037$30c0414[EMAIL PROTECTED]>,bayes=0.519134957018267,autolearn=no
> Jul 27 09:54:24 zaphod sendmail[13815]: k6RFsFiu013815: Milter
> change: header X-Spam-Status: from No, hits=4.7 required=10.0
> tests=EXTRA_MPART_TYPE,HTML_40_50,\n\tHTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE
> \n\tautolearn=no version=3.1.3 to No, score=2.6 required=5.0
> tests=BAYES_50,EXTRA_MPART_TYPE,\r\n\tHTML_40_50,HTML_IMAGE_ONLY_32,HTML_MESSAGE
> autolearn=no version=3.1.3
> Jul 27 09:54:24 zaphod sendmail[13815]: k6RFsFiu013815: Milter
> change: header X-Spam-Level: from  to **
> Jul 27 09:54:24 zaphod sendmail[13815]: k6RFsFiu013815: Milter
> change: header X-Spam-Checker-Version: from SpamAssassin 3.1.3
> (2006-06-01) on kaimen.swcp.com to SpamAssassin 3.1.3 (2006-06-01) on
> \r\n\tzaphod.mydomain.com
> ===

Based on this log, it looks like the message was originally scanned
by kaimen.swcp.com and given this header:

X-Spam-Status: No, hits=4.7 required=10.0 tests=EXTRA_MPART_TYPE,HTML_40_50,
HTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE 
autolearn=no version=3.1.3

It was then scanned by zaphod.mydomain.com and the header was changed
to this:

X-Spam-Status: No, score=2.6 required=5.0 tests=BAYES_50,EXTRA_MPART_TYPE,
HTML_40_50,HTML_IMAGE_ONLY_32,HTML_MESSAGE autolearn=no version=3.1.3

So apparently, the original header was added by another server and
then modified by your server.

-- 
Bowie
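
The reading of the log given in the reply above can be automated. The following is an added example, not part of the original post and not code from SpamAssassin or spamass-milter: it pairs each "Milter change" record's old and new header values to list messages that arrived already carrying an upstream X-Spam-Status. The function names and the unwrapped sample log are assumptions made for the illustration.

```python
import re

# Constructed sample: the sendmail milter lines quoted in the thread, unwrapped
# to one syslog record per line. The raw string keeps the literal "\r\n\t"
# sequences that appear in the log where the header was folded.
SAMPLE_LOG = r"""Jul 27 09:49:28 zaphod sendmail[13798]: k6RFnI1b013798: Milter add: header: X-Spam-Status: No, score=-2.4 required=5.0 tests=AWL,BAYES_00,HTML_MESSAGE,\r\n\tHTML_TITLE_EMPTY,SPF_PASS autolearn=ham version=3.1.3
Jul 27 09:54:24 zaphod sendmail[13815]: k6RFsFiu013815: Milter change: header X-Spam-Status: from No, hits=4.7 required=10.0 tests=EXTRA_MPART_TYPE,HTML_40_50,\n\tHTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE \n\tautolearn=no version=3.1.3 to No, score=2.6 required=5.0 tests=BAYES_50,EXTRA_MPART_TYPE,\r\n\tHTML_40_50,HTML_IMAGE_ONLY_32,HTML_MESSAGE autolearn=no version=3.1.3
Jul 27 09:54:24 zaphod sendmail[13815]: k6RFsFiu013815: Milter change: header X-Spam-Level: from  to **
Jul 27 09:54:24 zaphod sendmail[13815]: k6RFsFiu013815: Milter change: header X-Spam-Checker-Version: from SpamAssassin 3.1.3 (2006-06-01) on kaimen.swcp.com to SpamAssassin 3.1.3 (2006-06-01) on \r\n\tzaphod.mydomain.com
"""

# "Milter add: header: Name: value" or "Milter change: header Name: from X to Y"
MILTER_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): Milter (?P<op>add|change): "
    r"header:? (?P<name>[\w-]+): ?(?P<rest>.*)$"
)
FOLD_RE = re.compile(r"\\r|\\n|\\t")  # literal escapes logged for folded headers
STATUS_RE = re.compile(
    r"(?:score|hits)=(?P<score>-?[\d.]+) required=(?P<required>[\d.]+)"
)
TESTS_RE = re.compile(r"tests=(\S*)")


def parse_milter_events(log_text):
    """Return one dict per milter header add/change record."""
    events = []
    for line in log_text.splitlines():
        m = MILTER_RE.search(line)
        if not m:
            continue
        rest = FOLD_RE.sub("", m.group("rest"))
        if m.group("op") == "change":
            if not rest.startswith("from "):
                continue
            # Split at the first " to "; a header value that itself contains
            # " to " would be split too early (limitation of this sketch).
            old, _, new = rest[len("from "):].partition(" to ")
            old = old.strip()
        else:
            old, new = None, rest  # header did not exist before the scan
        events.append({"qid": m.group("qid"), "header": m.group("name"),
                       "old": old, "new": new.strip()})
    return events


def parse_status(value):
    """Extract score, threshold and rule names from an X-Spam-Status value."""
    m = STATUS_RE.search(value)
    if not m:
        return None
    t = TESTS_RE.search(value)
    tests = [x for x in t.group(1).split(",") if x] if t else []
    return {"score": float(m.group("score")),
            "required": float(m.group("required")), "tests": tests}


def upstream_verdicts(log_text):
    """List messages whose X-Spam-Status was replaced, i.e. set by an earlier hop."""
    by_qid = {}
    for ev in parse_milter_events(log_text):
        if ev["old"] is not None:
            by_qid.setdefault(ev["qid"], {})[ev["header"]] = ev
    findings = []
    for qid, headers in by_qid.items():
        status = headers.get("X-Spam-Status")
        if status is None:
            continue
        upstream, local = parse_status(status["old"]), parse_status(status["new"])
        if upstream is None or local is None:
            continue
        checker = headers.get("X-Spam-Checker-Version")
        host = None
        if checker and " on " in checker["old"]:
            host = checker["old"].rpartition(" on ")[2]
        findings.append({"qid": qid, "upstream_host": host,
                         "upstream": upstream, "local": local,
                         "threshold_differs":
                             upstream["required"] != local["required"]})
    return findings


if __name__ == "__main__":
    for f in upstream_verdicts(SAMPLE_LOG):
        print(f["qid"], "pre-scanned by", f["upstream_host"],
              "required", f["upstream"]["required"], "->", f["local"]["required"])
```
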


"required" occasionally using wrong value

2006-07-27 Thread Durwin F. De La Rue
In my maillog, an occasional email comes up with the required as 10.0
instead of the 5.0 I have set.  There are no user.prefs and daemon is
started with -x option to boot.  My information is below.

Thank you for your time,

Durwin


Linux version 2.6.11-1.27_FC3smp ([EMAIL PROTECTED]) (gcc version 3.4.3 
20050227 (Red Hat 3.4.3-22)) #1 SMP

SpamAssassin version 3.1.3
running on Perl version 5.8.5

=== L O C A L . C F ===
$ cat local.cf 
required_score   5.0
rewrite_header subject [SPAM](_SCORE_)
report_safe 0
use_bayes   1
bayes_auto_learn  1
skip_rbl_checks 0
use_pyzor   1
ok_locales  all
===

=== S E N D M A I L ===
divert(0)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`$Id: generic-linux.mc,v 8.1 1999/09/24 22:48:05 gshapiro Exp $')
OSTYPE(linux)dnl
DOMAIN(generic)dnl
INPUT_MAIL_FILTER(`spamassassin', 
`S=local:/var/run/spamass-milter/spamass-milter.sock, 
F=,T=C:15m;S:4m;R:4m;E:10m')dnl
FEATURE(`relay_entire_domain')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
MAILER(smtp)dnl
===

=== S P A M D ===
SPAMDOPTIONS="-x -d"
=

=== S P A M A S S - M I L T E R ===
EXTRA_FLAGS="-i 127.0.0.1,204.29.236.0/24 -r 5"
===

=== M A I L L O G ===
Jul 27 09:48:50 zaphod sendmail[13093]: k6PMnpOo007820: to=<[EMAIL PROTECTED]>, 
delay=1+16:58:59, xdelay=00:06:19, mailer=esmtp, pri=3363981, 
relay=snail.crumbum.net. [65.246.161.71], dsn=4.0.0, stat=Deferred: Connection 
timed out with snail.crumbum.net.
Jul 27 09:49:21 zaphod sendmail[13798]: k6RFnI1b013798: from=<[EMAIL 
PROTECTED]>, size=10292, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, 
proto=ESMTP, daemon=MTA, relay=IDENT:[EMAIL PROTECTED] [64.84.5.25]
Jul 27 09:49:21 zaphod spamd[11472]: spamd: connection from 
localhost.localdomain [127.0.0.1] at port 46265 
Jul 27 09:49:21 zaphod spamd[11472]: spamd: processing message <[EMAIL 
PROTECTED]> for sa-milt:0 
Jul 27 09:49:28 zaphod spamd[11472]: spamd: clean message (-2.4/5.0) for 
sa-milt:0 in 6.4 seconds, 10740 bytes. 
Jul 27 09:49:28 zaphod spamd[11472]: spamd: result: . -2 - 
AWL,BAYES_00,HTML_MESSAGE,HTML_TITLE_EMPTY,SPF_PASS 
scantime=6.4,size=10740,user=sa-milt,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=46265,mid=<[EMAIL
 PROTECTED]>,bayes=1.11022302462516e-16,autolearn=ham 
Jul 27 09:49:28 zaphod sendmail[13798]: k6RFnI1b013798: Milter add: header: 
X-Spam-Status: No, score=-2.4 required=5.0 
tests=AWL,BAYES_00,HTML_MESSAGE,\r\n\tHTML_TITLE_EMPTY,SPF_PASS autolearn=ham 
version=3.1.3
Jul 27 09:49:28 zaphod sendmail[13798]: k6RFnI1b013798: Milter add: header: 
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on 
\r\n\tzaphod.mydomain.com
Jul 27 09:49:28 zaphod spamd[3681]: prefork: child states: II 
Jul 27 09:49:29 zaphod sendmail[13803]: k6RFnI1b013798: to=<[EMAIL PROTECTED]>, 
delay=00:00:10, xdelay=00:00:01, mailer=esmtpalt, pri=130292, relay=[127.0.0.1] 
[127.0.0.1], dsn=2.0.0, stat=Sent (Message accepted for delivery)
Jul 27 09:54:18 zaphod sendmail[13815]: k6RFsFiu013815: from=<[EMAIL 
PROTECTED]>, size=83324, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, 
proto=ESMTP, daemon=MTA, relay=taka.swcp.com [198.59.115.12]
Jul 27 09:54:18 zaphod spamd[11472]: spamd: connection from 
localhost.localdomain [127.0.0.1] at port 44596 
Jul 27 09:54:18 zaphod spamd[11472]: spamd: processing message <[EMAIL 
PROTECTED]> for sa-milt:0 
Jul 27 09:54:24 zaphod spamd[11472]: spamd: clean message (2.6/5.0) for 
sa-milt:0 in 5.7 seconds, 84434 bytes. 
Jul 27 09:54:24 zaphod spamd[11472]: spamd: result: . 2 - 
BAYES_50,EXTRA_MPART_TYPE,HTML_40_50,HTML_IMAGE_ONLY_32,HTML_MESSAGE 
scantime=5.7,size=84434,user=sa-milt,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=44596,mid=<[EMAIL
 PROTECTED]>,bayes=0.519134957018267,autolearn=no 
Jul 27 09:54:24 zaphod sendmail[13815]: k6RFsFiu013815: Milter change: header 
X-Spam-Status: from No, hits=4.7 required=10.0 
tests=EXTRA_MPART_TYPE,HTML_40_50,\n\tHTML_IMAGE_ONLY_32,HTML_MESSAGE,MIME_HTML_MOSTLY,MIME_QP_LONG_LINE
 \n\tautolearn=no version=3.1.3 to No, score=2.6 required=5.0 
tests=BAYES_50,EXTRA_MPART_TYPE,\r\n\tHTML_40_50,HTML_IMAGE_ONLY_32,HTML_MESSAGE
 autolearn=no version=3.1.3
Jul 27 09:54:24 zaphod sendmail[13815]: k6RFsFiu013815: Milter change: header 
X-Spam-Level: from  to **
Jul 27 09:54:24 zaphod sendmail[13815]: k6RFsFiu013815: Milter change: header 
X-Spam-Checker-Version: from SpamAssassin 3.1.3 (2006-06-01) on kaimen.swcp.com 
to SpamAssassin 3.1.3 (2006-06-01) on \r\n\tzaphod.mydomain.com
Jul 27 09:54:24 zaphod spamd[3681]: prefork: child states: II 
Jul 27 09:54:26 zaphod sendmail[13823]: k6RFsFiu013815: to=<[EMAIL PROTECTED]>, 
delay=00:00:09, xdelay=00:00:02, mailer=esmtpalt, pri=203324, relay=[127.0.0.1] 
[127.0.0.1], dsn=2.0.0, stat=Sent (Message accepted for delivery)
Jul 27 09:55:08 za

Re: OT humor

2006-07-27 Thread Kelson

jdow wrote:

In the October "Analog Science Fiction and Fact" magazine one of the
short stories is titled "Nigerian Scam" by Richard A. Lovett, in which
the scammer really IS from "Vega", the protagonist misses seeing the
scam involved, and the scammer and gets "dealt with" in the end quite
um appropriately and thoroughly. In fact the scammer's end was quite
cathartic.


So this story would fall under the category of "Science fiction that you 
wish would be fact," right?


--
Kelson Vibber
SpeedGate Communications 


Re: exim4 + forwarding + spamassassin

2006-07-27 Thread Stuart Johnston

jdow wrote:

From: "Chr. v. Stuckrad" <[EMAIL PROTECTED]>


On Thu, 27 Jul 2006, jdow wrote:


From: "Loren Wilton" <[EMAIL PROTECTED]>

...

I've never seen the logic of placing SpamAssassin inside the incoming
transaction before the termination of the SMTP connection rather than
down the pipe in the MDA.


If you want to 'reject spam' (with score over a given
threshold) and because you do not want to generate bounces,
you have to check 'inside the transaction', to tell the sending
MTA, that you do not accept the current mail because of spam.


That's fine. But you can't do it and make it work right. It also
makes each email transaction a second or more longer. If your
mail load can tolerate this, I suppose it is barely workable.
But you double your machine load doing so. You are better off
using block lists with a small score for each BL and then grey
list for questionable scores and block for known bad. SpamAssassin
is way too much code to traverse just for that small function.


It works great on my 2 user personal system.  It would probably require a little more hardware for 
my 2k+ user work system.  ;)




This only works with site-wide bayes and global setup, except
if you make sure, that you know the (then exactly one?) recipient
of the message at the end of incoming data (the single '.' in the
SMTP-Protocol, the 'acl_smtp_data' in exim4).


Parsing on the fly for recipient means you need something to do
this before it gets to Bayes. That's even more code to run.


How hard is it to parse an "RCPT TO:"?  Besides, most servers will have already parsed this to make 
sure it is a valid recipient.





Beware of 'overloading the system' if you check incoming mails
'during arrival', you will have to restrict the number of concurrent
SMTP-connections by the maximum of spamchecks your system can handle.


Of course, so greylisting is better with far less throughput damage.


I've only started to think about implementing (selective) greylisting on my systems but I hear that 
the spammers are starting to wise up to it.





Stucki

PS.: I too prefer 'only to tag' the spams, and let the user decide
to discard them.  I tested both ways and to me the only safe way
to never crowd the system is to spamcheck on the inside in an
exim-queuerunner.  The nr. of queuerunners can then simply be
adjusted to the capabilities of the server.


Score only and pass to recipient with a clear XXX.X score in
the subject markup. That allows easy sorting by score and elimination
even in stupid tools like OutlookExpress.

The logic for running SA before the SMTP transaction is complete is
more wishful thinking than practical. This is probably especially
true with smtp tools like PostFix that run in a chroot jail.


I don't really like the idea of sending spam to a black hole (quarantining).  Only tagging as you 
suggest puts the responsibility on the users but knowing the limited tech-savvy-ness of most of my 
users and the volume of spam they would receive makes that option less attractive to me.  Even 
sorting by score or creating filters is asking a bit much of many of my users.


Anyway, that's why I like the idea of SMTP-time rejection - not accepting the responsibility of the 
message in the first place.  Plus, if a legit mail does get blocked, the recipient will get 
notified.  (Even though I haven't been able to implement it on a large scale.)


SpamAssassin-3.1.4 and SARE rules

2006-07-27 Thread James Lay
Morning all!

Just upgraded from 3.1.3 to 3.1.4 and here's what I get:

Jul 27 08:16:27 myshield spamd[15259]: rules: meta test DIGEST_MULTIPLE has 
undefined dependency 'DCC_CHECK'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_GAPPY_4 has 
undefined dependency '__SARE_SUB_GAPPY_6'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test __SARE_SUB_GAPPY_5 has 
undefined dependency '__SARE_SUB_OBFU_LQUOTE'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test __SARE_SUB_GAPPY_3 has 
undefined dependency '__SARE_SUB_OBFU_LQUOTE'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test __SARE_SUB_GAPPY_3 has 
undefined dependency '__SARE_SUB_OBFU_2PERIOD'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_GAPPY_3 has 
undefined dependency '__SARE_SUB_GAPPY_6'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_ACCEPT_CCARDS 
has undefined dependency '__SARE_SUB_FROM_PAYPAL'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test __SARE_SUB_GAPPY_4 has 
undefined dependency '__SARE_SUB_OBFU_LQUOTE'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test __SARE_SUB_GAPPY_4 has 
undefined dependency '__SARE_SUB_OBFU_2PERIOD'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SPEC_PROLEO_M2a 
has dependency 'MIME_QP_LONG_LINE' with a zero score  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_GAPPY_2 has 
undefined dependency '__SARE_SUB_OBFU_LQUOTE'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_GAPPY_6 has 
undefined dependency '__SARE_SUB_OBFU_LQUOTE'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_SEEN_ON has 
dependency 'SUBJ_AS_SEEN' with a zero score  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_MULT_SPAM_NETIP 
has undefined dependency 'SARE_HEAD_SPAM_NETIP'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_GAPPY_5 has 
undefined dependency '__SARE_SUB_GAPPY_6'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_DBL_MEDICTN 
has undefined dependency '__SARE_SUB_DBL_MEDICATION'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_DBL_MEDICTN 
has undefined dependency '__SARE_SUB_OK_MEDICATION'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_HEAD_SUBJ_RAND has 
undefined dependency 'SARE_XMAIL_SUSP2'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_HEAD_SUBJ_RAND has 
dependency 'X_AUTH_WARN_FAKED' with a zero score  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_GAPPY_8 has 
undefined dependency '__SARE_SUB_OBFU_LQUOTE'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_FROM_FREE has 
dependency 'ADDR_FREE' with a zero score  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_HEAD_8BIT_NOSPM 
has undefined dependency '__SARE_HEAD_8BIT_DATE'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_HEAD_8BIT_NOSPM 
has undefined dependency '__SARE_HEAD_8BIT_RECV'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_MULT_RATW_03 has 
undefined dependency '__SARE_MULT_RATW_03E'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_HEAD_XORIP_NOTIP 
has undefined dependency 'X_ORIG_IPNOT_IPV4'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_GAPPY_7 has 
undefined dependency '__SARE_SUB_OBFU_LQUOTE'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_RD_SAFE has 
undefined dependency 'SARE_RD_SAFE_MKSHRT'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_RD_SAFE has 
undefined dependency 'SARE_RD_SAFE_GT'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_RD_SAFE has 
undefined dependency 'SARE_RD_SAFE_TINY'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_MSGID_LONG35 has 
undefined dependency '__SARE_MSGID_LONG50'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_MSGID_LONG35 has 
undefined dependency '__SARE_MSGID_LONG55'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_MSGID_LONG35 has 
undefined dependency '__SARE_MSGID_LONG65'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_MSGID_LONG35 has 
undefined dependency '__SARE_MSGID_LONG75'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_MSGID_LONG40 has 
undefined dependency '__SARE_MSGID_LONG50'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_MSGID_LONG40 has 
undefined dependency '__SARE_MSGID_LONG55'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_MSGID_LONG40 has 
undefined dependency '__SARE_MSGID_LONG65'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_MSGID_LONG40 has 
undefined dependency '__SARE_MSGID_LONG75'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_FREE has 
undefined dependency 'SUB_FREE_CAP'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_FREE has 
undefined dependency 'SUB_FREE_INSTANT'  
Jul 27 08:16:27 myshield spamd[15259]: rules: meta test SARE_SUB_

Re: Which Net::DNS version for Fedora Core 4?

2006-07-27 Thread John D. Hardin
On Thu, 27 Jul 2006, Jeff Chan wrote:

> Fedora Core 4 doesn't seem to have 3.1.3 rpms that will work
> easily.  In particular they need a newer version of glibc.

My virtual hosting site is running FC4. I compiled 3.1.3 from the
pristine source (after removing the 3.0.mumble RPM) and have had zero
problems so far. It was very simple and straightforward.

You may also want to go into CPAN and update the dependencies.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Insofar as the police deter by their presence, they are very, very
  good. Criminals take great pains not to commit a crime in front of
  them.-- Jeffrey Snyder
---



RE: Non-english mail and Bayes

2006-07-27 Thread Bowie Bailey
Stand H wrote:
> --- Kelson <[EMAIL PROTECTED]> wrote:
> 
> > Stand H wrote:
> >  > I'm not sure if I can feed non-english email to
> >  > sa-learn.
> > 
> > Bowie Bailey wrote:
> > > Let it learn as much
> > > ham and spam as you can manage and don't worry about languages.
> > 
> > One thing to look out for:  Try to get both ham and spam for each
> > language.  The last thing you want is for Bayes to
> > decide that common,
> > let's say, German words are signs of spam because
> > the only German text
> > it's ever seen is spam.
> > 
> > As Bowie points out, Bayes doesn't care about the
> > languages themselves
> > -- it's the tokens (for practical purposes, the
> > words).  It doesn't care
> > whether "Necesito ir a casa a las dos y media." is
> > Spanish, it only
> > cares whether it's seen the words "Necesito", "ir", "casa", etc.
> > more often in ham or in spam.
> 
> Hi Kelson and Bowie,
> 
> Thank you for your reply.
> 
> In the situation that the sender client app doesn't
> encode the message properly, should I train it?
> 
> Some user receive messages with the subject like
> ¿'Ü'©'â'½'ç'Ü'â'Í and it's considered illegal and got
> hit by SUBJ_ILLEGAL_CHARS. When subject is encoded
> properly it is like
> ?iso-2022-jp?B?GyRCJEokKyQ/JDckYyRpGyhC?=
> 
> And the body is encoded as =82=BF=82=DC=82=A9
> 
> So in these cases, does it make sense to train the
> message. I'm curious how bayes work effectively with
> these illegal char and encoded char.

Just train it.  Bayes doesn't care -- it will break the message up
into tokens and learn them.  If you get more non-encoded spam than
ham, then Bayes will start using these tokens as signs of spam.

> Another thing, say my friend forwards an email to
> me(he just wants to let me know the info in the
> message) and i want to train his email as ham. Should
> I just train it or remove the some headers first?

Just train it.  The only exception to this is if your friend forwards
you a spam message.  In this case, it is a message that you wanted to
receive, but it contains a bunch of spam content.  In those types of
cases, I just drop the email and don't train it either way.

On the other hand, if you control your friend's email server and he
forwards you a message to be trained for him, you have to extract the
original message from the forward and then train based on that.  There
are several other issues with this type of thing.  If you are
interested, search the list archives.

-- 
Bowie


RE: How to get the X-Spam headers back to the bottom

2006-07-27 Thread Bowie Bailey
[EMAIL PROTECTED] wrote:
> This small edit will place x-spam headers back at the bottom of the
> original headers where god intended. I assume they changed this for a
> reason, presumably to maintain any cryptographic email signatures
> that include bits of header, so use this edit with discretion.

Two main reasons that I'm aware of.

1) Adding the headers to the top avoids causing problems with
   DomainKeys.

2) By adding the headers at the top, you can tell which server added
   them.  This can be useful if the message passes through additional
   servers after SA has been run.

And one extra...

3) Now I don't have to search down through the headers to find the SA
   markup.  It's right there at the top.

I didn't like it either when it was first changed, but now I find that
I prefer the spam headers at the top.

-- 
Bowie


RE: sa-learn with random text (hash busters)... problem?

2006-07-27 Thread Bowie Bailey
Guy Waugh wrote:
> Hi folks,
> 
> Running SA-3.1.1...
> 
> I actually have two questions...
> 
> 1. Is it a problem to sa-learn spam with hash buster text (the random
> crap) in it? Will it confuse the Bayes system and be A Bad Thing? I've
> searched the archives of this list and googled around a bit, but came
> up with not much...

All that random junk is actually helpful to Bayes.  Real emails don't
contain it.  So feed Bayes everything you can and don't worry about
what's in it.

> 2. I have two MXes running SA, each with their own MySQL database for
> the Bayes data. I'd like to move to a one-database model, rather than
> one-database-per-MX. Any thoughts on how best to do this? Should I
> just take one of the databases and point the other MX's SA at it, or
> should I try to make another Bayes database out of the two databases
> I currently have, somehow combining data from the two existent Bayes
> databases? Is there anything in the Bayes database that is particular
> to the host (I assume not, but don't know much about Bayes, so
> thought I'd ask)? 

As far as I know, there is no easy way to combine the two databases.
So just pick one and use it.

-- 
Bowie


OT humor

2006-07-27 Thread jdow

In the October "Analog Science Fiction and Fact" magazine one of the
short stories is titled "Nigerian Scam" by Richard A. Lovett, in which
the scammer really IS from "Vega", the protagonist misses seeing the
scam involved, and the scammer and gets "dealt with" in the end quite
um appropriately and thoroughly. In fact the scammer's end was quite
cathartic.

{^_-}


Re: Which Net::DNS version for Fedora Core 4?

2006-07-27 Thread Radoslaw Zielinski
jdow <[EMAIL PROTECTED]> [27-07-2006 14:02]:
> From: "Radoslaw Zielinski" <[EMAIL PROTECTED]>
[...]
>> Just get the *.spec file from the *.src.rpm, change Version: 3.0.x to
>> 3.1.4, put source in `rpmbuild -E %_sourcedir` and run rpmbuild -bb.
> Nah - I've learned not to use distro versions of SpamAssassin. They
> are mostly broken. They seem to leave out little things like all
> the SpamAssassin tools.

If the dev team doesn't consider them worthy to be installed (by
including in EXE_FILES in Makefile.PL), why should the distributors?

> Making a spec file version probably trims
> out the rules, too. So I use CPAN for SpamAssassin. (And I have learned
[...]

No, it doesn't trim out the rules.  Unless the packager is mad.

-- 
Radosław Zieliński <[EMAIL PROTECTED]>




Re: MailWatch on separate server

2006-07-27 Thread Martin Hepworth

Paul Tenfjord wrote:

Hello all.


I am configuring a setup where mysql is installed on a separate computer. 
I have two computers, one running postfix and mailscanner, the second running 
mysql and some other services.

MailScanner is configured to log to SQL to the second computer.

I am now trying to set up mailwatch on the second computer so that my mailhub 
is purely postfix and mailscanner.
However under mailwatch's conf.php I have to define both MailScanner path and 
Spamassassin path, so my question is this simple: 
Is it possible to install Mailwatch on a different server than Mailscanner?


Hints and suggestions are highly appreciated

Kind Regard Paul


Kinda the wrong emailing list - try the mailwatch list and we'll tell 
you how to do it from there.


Also hang around IRC for more than 30 seconds when you ask a question, 
some of us have day jobs ya know ;-)


--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300




Re: Which Net::DNS version for Fedora Core 4?

2006-07-27 Thread jdow

From: "Radoslaw Zielinski" <[EMAIL PROTECTED]>


Jeff Chan <[EMAIL PROTECTED]> [27-07-2006 09:34]:

On Wednesday, July 26, 2006, 11:56:27 PM, Daryl O'Shea wrote:

On 7/27/2006 2:39 AM, jdow wrote:

[...]

I am running 3.0.6, essentially.

*shrug* not sure why you still insist on running 3.0.

Fedora Core 4 doesn't seem to have 3.1.3 rpms that will work
easily.  In particular they need a newer version of glibc.


Just get the *.spec file from the *.src.rpm, change Version: 3.0.x to
3.1.4, put source in `rpmbuild -E %_sourcedir` and run rpmbuild -bb.


Nah - I've learned not to use distro versions of SpamAssassin. They
are mostly broken. They seem to leave out little things like all
the SpamAssassin tools. Making a spec file version probably trims
out the rules, too. So I use CPAN for SpamAssassin. (And I have learned
to "doubt" the veracity of all the other elements of the distros as
a result. RedHat used to be pretty good. Fedora is pretty close to
trash.)

{^_^}



MailWatch on separate server

2006-07-27 Thread Paul Tenfjord
Hello all.


I am configuring a setup where mysql is installed on a separate computer. 
I have two computers, one running postfix and mailscanner, the second running 
mysql and some other services.
MailScanner is configured to log to SQL to the second computer.

I am now trying to set up mailwatch on the second computer so that my mailhub 
is purely postfix and mailscanner.
However under mailwatch's conf.php I have to define both MailScanner path and 
Spamassassin path, so my question is this simple: 
Is it possible to install Mailwatch on a different server than Mailscanner?

Hints and suggestions are highly appreciated

Kind Regard Paul


Re: Yahoo footer

2006-07-27 Thread jdow

Those tend to get nicely marked up here and I generally find that leaving
them marked up is just fine with me. I consider the whole message to be
spam. Using Yahoo mail is its own punishment. Yahoo Groups are pain
enough with the stupid advertising. (So are SourceForge based mailing
lists like the apcupsd list.)

If it matters to me I add the list to my special processing for lists
rules that stretch the Bayes scores both up and down. That is working
exceptionally well with all the lists I use it with. But I'm NOT
going to expose my system to all the spam that would use forged
yahoo spew footer messages if they had a free pass.

(I still haven't forgiven Yahoo for purchasing egroups and ruining
them.)

{^_^}
- Original Message - 
From: "Ben Wylie" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, July 27, 2006 03:19
Subject: Yahoo footer


Does SpamAssassin already try to ignore the footers of large web email providers such as 
hotmail and yahoo?


Yahoo have a footer advertising their spamguard, but use a spammy term.

-
 All New Yahoo! Mail  – Tired of [EMAIL PROTECTED]@! come-ons? Let our 
SpamGuard protect you.

Do we just accept the hits we get from that or is there someway to stop getting the 
viagra hits when it is in that setting?


Thanks
Ben 




Re: exim4 + forwarding + spamassassin

2006-07-27 Thread jdow

From: "Chr. v. Stuckrad" <[EMAIL PROTECTED]>


On Thu, 27 Jul 2006, jdow wrote:


From: "Loren Wilton" <[EMAIL PROTECTED]>

...

I've never seen the logic of placing SpamAssassin inside the incoming
transaction before the termination of the SMTP connection rather than
down the pipe in the MDA.


If you want to 'reject spam' (with score over a given
threshold) and because you do not want to generate bounces,
you have to check 'inside the transaction', to tell the sending
MTA, that you do not accept the current mail because of spam.


That's fine. But you can't do it and make it work right. It also
makes each email transaction a second or more longer. If your
mail load can tolerate this, I suppose it is barely workable.
But you double your machine load doing so. You are better off
using block lists with a small score for each BL and then grey
list for questionable scores and block for known bad. SpamAssassin
is way too much code to traverse just for that small function.


This only works with site-wide bayes and global setup, except
if you make sure, that you know the (then exactly one?) recipient
of the message at the end of incoming data (the single '.' in the
SMTP-Protocol, the 'acl_smtp_data' in exim4).


Parsing on the fly for recipient means you need something to do
this before it gets to Bayes. That's even more code to run.


Beware of 'overloading the system' if you check incoming mails
'during arrival', you will have to restrict the number of concurrent
SMTP-connections by the maximum of spamchecks your system can handle.


Of course, so greylisting is better with far less throughput damage.


Stucki

PS.: I too prefer 'only to tag' the spams, and let the user decide
to discard them.  I tested both ways and to me the only safe way
to never crowd the system is to spamcheck on the inside in an
exim-queuerunner.  The nr. of queuerunners can then simply be
adjusted to the capabilities of the server.


Score only and pass to recipient with a clear XXX.X score in
the subject markup. That allows easy sorting by score and elimination
even in stupid tools like OutlookExpress.

The logic for running SA before the SMTP transaction is complete is
more wishful thinking than practical. This is probably especially
true with smtp tools like PostFix that run in a chroot jail.

{^_^}


Re: SPF breaks email forwarding

2006-07-27 Thread Magnus Holmgren
On Wednesday 26 July 2006 00:42, Marc Perkel took the opportunity to write:
> If any of my customers fail to get any email that they are supposed to
> get then that's not acceptable. It does happen and when it does - I fix
> it. Several of my customers forward email from other account to accounts
> that pass through my servers. So if I used SPF then I would lose email
> to these customers.

You lose mail when it disappears without trace (without bounce message). Under 
no circumstance should an SPF hardfail cause that to happen (but the sender 
may be a machine that doesn't know what to do with the bounce). Blocking 
legitimate mail is bad, but not as bad as throwing it away.

-- 
Magnus Holmgren        [EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Problems after upgrade to 3.1.4

2006-07-27 Thread Steven Stern
These occur with spamassassin -D --lint.  RDJ is up to date, as is
sa-update.

[6837] info: rules: meta test DIGEST_MULTIPLE has undefined dependency
'DCC_CHECK'
[6837] info: rules: meta test SARE_SPEC_PROLEO_M2a has dependency
'MIME_QP_LONG_LINE' with a zero score
[6837] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined
dependency 'SARE_XMAIL_SUSP2'
[6837] info: rules: meta test SARE_HEAD_SUBJ_RAND has undefined
dependency 'SARE_HEAD_XAUTH_WARN'
[6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
'SARE_RD_SAFE_MKSHRT'
[6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
'SARE_RD_SAFE_GT'
[6837] info: rules: meta test SARE_RD_SAFE has undefined dependency
'SARE_RD_SAFE_TINY'
[6837] info: rules: meta test SARE_OBFU_CIALIS has undefined dependency
'SARE_OBFU_CIALIS2'
[6837] info: rules: meta test FP_MIXED_PORN3 has undefined dependency
'FP_PENETRATION'

-- 

  Steve


Re: Should this hit more rules?

2006-07-27 Thread Dimitri Yioulos
On Thursday July 27 2006 5:48 am, Loren Wilton wrote:
> > Looks like he is using some "unofficial" SARE rules.
> >
> > http://rulesemporium.com/rules/99_FVGT_meta.cf
> > http://www.rulesemporium.com/rules/88_FVGT_body.cf
>
> Fred writes good rules.  ;-)
>
> Loren

Indeed!  Score on the stoopid spam example in my earlier post jumped 
up nicely.  Thanks, Fred.

Dimitri




Re: exim4 + forwarding + spamassassin

2006-07-27 Thread Chris Lear

* Zinski, Steve wrote (27/07/06 02:50):

Not sure how to get exim to pass the initial scan to spamd using a
different user. I've gone through my exim.conf file and changed every
single "user = " entry to a known user and it still insists on using
"nobody" for the first pass.

Another thing that intrigues me is the wording of the log entries.

In the first pass, spamd says that it's "checking" the message. In the
second pass it says "processing" the message.


I think exim only puts the message through spamassassin once (then 
subsequently caches the result, if required), and uses the username set 
up in the acl:


# Reject messages with a SpamAssassin score >7
deny message   = Rejected: Flagged as spam ($spam_score).
     spam      = nobody:true
                 ^^ <- **here**
     condition = ${if >{$spam_score_int}{70}{1}{0}}

I have a similar setup, except that I run spamc as a user called spamd. 
This gives site-side bayes, and works fine.


Is it possible that the second run through spamd is from you running 
spamc after the message is delivered? Ie, not from exim?


There's an exim-users mailing list that's probably a better place for 
these questions.


Chris




-Original Message-
From: Stuart Johnston [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 26, 2006 3:05 PM

To: users@spamassassin.apache.org
Subject: Re: exim4 + forwarding + spamassassin

Your first scan is running as nobody (that's bad) but the second is
running as szinski.  That would explain the BAYES_99.  I'm not sure
about the FORGED_RCVD_HELO and HTML_50_60 though.


Zinski, Steve wrote:

I need some help trying to figure out why spamassassin scores the same
message differently.

I am using an ACL with exim4 to scan email during the actual smtp
connection (so I can reject spam before my server accepts it). It's
pretty straightforward. My ACL looks like this:
 
# Reject messages with a SpamAssassin score >7
deny message   = Rejected: Flagged as spam ($spam_score).
     spam      = nobody:true
     condition = ${if >{$spam_score_int}{70}{1}{0}}

Everything works just fine for mail destined to local accounts, but
there seems to be a discrepancy in spamassassin when mail is delivered
to a forwarded account (the forwarder directs mail to another local
account; i.e., [EMAIL PROTECTED] --> [EMAIL PROTECTED]). What
happens is that spamassassin scores the message low (non-spam) when it
accepts it from the Internet, but then scores it higher (as spam) when
the message is rerouted to the local mailbox. Here is a snippet from
maillog that illustrates this:

Jul 26 07:58:20 vps spamd[7361]: spamd: connection from localhost [127.0.0.1] at port 56458
Jul 26 07:58:20 vps spamd[7361]: spamd: setuid to nobody succeeded
Jul 26 07:58:20 vps spamd[7361]: spamd: checking message <[EMAIL PROTECTED]> for nobody:99
Jul 26 07:58:20 vps spamd[7361]: spamd: clean message (2.6/5.0) for nobody:99 in 0.1 seconds, 2230 bytes.
Jul 26 07:58:20 vps spamd[7361]: spamd: result: . 2 - HTML_MESSAGE,URIBL_SBL,URIBL_WS_SURBL scantime=0.1,size=2230,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56458,mid=<[EMAIL PROTECTED]8>,autolearn=no
Jul 26 07:58:20 vps spamd[26587]: prefork: child states: II
Jul 26 07:58:21 vps spamd[7361]: spamd: connection from localhost [127.0.0.1] at port 56459
Jul 26 07:58:21 vps spamd[7361]: spamd: setuid to szinski succeeded
Jul 26 07:58:21 vps spamd[7361]: spamd: processing message <[EMAIL PROTECTED]> for szinski:503
Jul 26 07:58:21 vps spamd[7361]: spamd: identified spam (7.5/5.0) for szinski:503 in 0.6 seconds, 2183 bytes.
Jul 26 07:58:21 vps spamd[7361]: spamd: result: Y 7 - BAYES_99,FORGED_RCVD_HELO,HTML_50_60,HTML_MESSAGE,URIBL_SBL,URIBL_WS_SURBL scantime=0.6,size=2183,user=szinski,uid=503,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56459,mid=<[EMAIL PROTECTED]hn8>,bayes=0.97051713734,autolearn=no

As you can see, during the initial smtp pass (accepting from remote
host) the message is deemed "clean" with a score of 2.6. Then, when the
same message is delivered to the local account, it's identified as spam
with a score of 7.5. Unfortunately, my ACL only kicks in during the
first pass so the message gets accepted and delivered instead of
rejected. Anyone know what I might be doing wrong here?

Any help would be greatly appreciated.

Steve Zinski
University of Richmond






Re: Which Net::DNS version for Fedora Core 4?

2006-07-27 Thread Radoslaw Zielinski
Jeff Chan <[EMAIL PROTECTED]> [27-07-2006 09:34]:
> On Wednesday, July 26, 2006, 11:56:27 PM, Daryl O'Shea wrote:
>> On 7/27/2006 2:39 AM, jdow wrote:
[...]
>>> I am running 3.0.6, essentially.
>> *shrug* not sure why you still insist on running 3.0.
> Fedora Core 4 doesn't seem to have 3.1.3 rpms that will work
> easily.  In particular they need a newer version of glibc.

Just get the *.spec file from the *.src.rpm, change Version: 3.0.x to
3.1.4, put source in `rpmbuild -E %_sourcedir` and run rpmbuild -bb.

-- 
Radosław Zieliński <[EMAIL PROTECTED]>




Yahoo footer

2006-07-27 Thread Ben Wylie
Does SpamAssassin already try to ignore the footers of large web email 
providers such as hotmail and yahoo?


Yahoo have a footer advertising their spamguard, but use a spammy term.

-
 All New Yahoo! Mail  – Tired of [EMAIL PROTECTED]@! come-ons? Let our SpamGuard 
protect you.


Do we just accept the hits we get from that or is there some way to stop 
getting the viagra hits when it is in that setting?


Thanks
Ben



Re: exim4 + forwarding + spamassassin

2006-07-27 Thread Chr. v. Stuckrad
On Thu, 27 Jul 2006, jdow wrote:

> From: "Loren Wilton" <[EMAIL PROTECTED]>
...
> I've never seen the logic of placing SpamAssassin inside the incoming
> transaction before the termination of the SMTP connection rather than
> down the pipe in the MDA.

If you want to 'reject spam' (with score over a given
threshold) and because you do not want to generate bounces,
you have to check 'inside the transaction', to tell the sending
MTA, that you do not accept the current mail because of spam.

This only works with site-wide bayes and global setup, except
if you make sure, that you know the (then exactly one?) recipient
of the message at the end of incoming data (the single '.' in the
SMTP-Protocol, the 'acl_smtp_data' in exim4).

Beware of 'overloading the system' if you check incoming mails
'during arrival', you will have to restrict the number of concurrent
SMTP-connections by the maximum of spamchecks your system can handle.

Stucki

PS.: I too prefer 'only to tag' the spams, and let the user decide
to discard them.  I tested both ways and to me the only safe way
to never crowd the system is to spamcheck on the inside in an
exim-queuerunner.  The nr. of queuerunners can then simply be
adjusted to the capabilities of the server.

-- 
Christoph von Stuckrad  * * |nickname |<[EMAIL PROTECTED]>   \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(days):+49 30 838-5 57 78|
Mathematik & Informatik EDV |\ *|if online|Tel(else):+49 30 77 39 66 00|
Arnimallee 6 / 14195 Berlin * * |on IRCnet|Fax(alle):+49 30 838-75 454/


Re: Should this hit more rules?

2006-07-27 Thread jdow

From: "Loren Wilton" <[EMAIL PROTECTED]>

Looks like he is using some "unofficial" SARE rules.

http://rulesemporium.com/rules/99_FVGT_meta.cf
http://www.rulesemporium.com/rules/88_FVGT_body.cf



Fred writes good rules.  ;-)


I think at least some of Fred's rules are now formal SARE rule
sets, though.
{^_-}


Re: exim4 + forwarding + spamassassin

2006-07-27 Thread jdow

From: "Loren Wilton" <[EMAIL PROTECTED]>


Jul 26 07:58:20 vps spamd[7361]: spamd: result: . 2 -
HTML_MESSAGE,URIBL_SBL,URIBL_WS_SURBL

Jul 26 07:58:21 vps spamd[7361]: spamd: result: Y 7 -
BAYES_99,FORGED_RCVD_HELO,HTML_50_60,HTML_MESSAGE,URIBL_SBL,URIBL_WS_SURBL

There are two obvious differences here, Bayes and the forged header complaint.  I'd bet 
that most of the score results from Bayes.


I don't know enough about your system to really guess why Bayes doesn't seem to be 
running the first time.  Possibly you run as a different user, and either bayes is 
disabled in user_prefs for that user, or there is a permissions problem, or something 
else along those lines.


The forged helo rule is probably triggering because of a header added after the first 
scan.  It probably isn't adding a huge amount to the score. spamassassin -D on that 
message would probably show up what it doesn't like in the received headers.


The first time he runs is as the mail is coming in before the connection
is closed. There is no way of knowing which user to use for Bayes so
it's stuck. It gets run as nobody automatically in that case.

I've never seen the logic of placing SpamAssassin inside the incoming
transaction before the termination of the SMTP connection rather than
down the pipe in the MDA.

{^_^} 



Re: Which Net::DNS version for Fedora Core 4?

2006-07-27 Thread jdow

From: "Jeff Chan" <[EMAIL PROTECTED]>


On Wednesday, July 26, 2006, 11:56:27 PM, Daryl O'Shea wrote:

On 7/27/2006 2:39 AM, jdow wrote:



Both Jeff and I are perplexed over a trio of hits on newnanutilities.org
in a message referring to the Fedora update mirror they host.


Three mixed up hits on separate messages?  I could sort of see it 
happening if the cache on all/most lookups for the message expired 
between checks.




I am running 3.0.6, essentially.



*shrug* not sure why you still insist on running 3.0.


Fedora Core 4 doesn't seem to have 3.1.3 rpms that will work
easily.  In particular they need a newer version of glibc.


 Fedora Core 4 thinks I am running 3.3 at the moment.
I loaded the real 3.0.3 via CPAN and hand modified to 4, 5, and 6
by making my own diffs.

{^_-}


Re: Which Net::DNS version for Fedora Core 4?

2006-07-27 Thread jdow

From: "Daryl C. W. O'Shea" <[EMAIL PROTECTED]>


On 7/27/2006 2:39 AM, jdow wrote:


Both Jeff and I are perplexed over a trio of hits on newnanutilities.org
in a message referring to the Fedora update mirror they host.


Three mixed up hits on separate messages?  I could sort of see it 
happening if the cache on all/most lookups for the message expired 
between checks.




I am running 3.0.6, essentially.


*shrug* not sure why you still insist on running 3.0.


I keep telling myself it's time to hit 3.1.x, at least. But then I
realize I'd have to figure out how to put in the print options that
allow Loren to see the headers or body the way the rules engines
see them for writing good rules.

{^_^}


Re: Should this hit more rules?

2006-07-27 Thread Loren Wilton

Looks like he is using some "unofficial" SARE rules.

http://rulesemporium.com/rules/99_FVGT_meta.cf
http://www.rulesemporium.com/rules/88_FVGT_body.cf



Fred writes good rules.  ;-)

   Loren



Re: exim4 + forwarding + spamassassin

2006-07-27 Thread Loren Wilton

Jul 26 07:58:20 vps spamd[7361]: spamd: result: . 2 -
HTML_MESSAGE,URIBL_SBL,URIBL_WS_SURBL

Jul 26 07:58:21 vps spamd[7361]: spamd: result: Y 7 -
BAYES_99,FORGED_RCVD_HELO,HTML_50_60,HTML_MESSAGE,URIBL_SBL,URIBL_WS_SURBL

There are two obvious differences here, Bayes and the forged header 
complaint.  I'd bet that most of the score results from Bayes.


I don't know enough about your system to really guess why Bayes doesn't seem 
to be running the first time.  Possibly you run as a different user, and 
either bayes is disabled in user_prefs for that user, or there is a 
permissions problem, or something else along those lines.


The forged helo rule is probably triggering because of a header added after 
the first scan.  It probably isn't adding a huge amount to the score. 
spamassassin -D on that message would probably show up what it doesn't like 
in the received headers.


   Loren
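
[Added example, not part of any post in this thread.] The comparison of the two "result:" lines above can be done mechanically over a whole maillog: group spamd results by Message-ID and list the rules that fired for only one of the scanning users. The function names are hypothetical, the log lines are the thread's own with wrapping removed, and the Message-ID is a constructed placeholder because the archive redacts the real one.

```python
import re
from collections import defaultdict

# Constructed sample: the two "result:" lines quoted in the thread, unwrapped.
# The Message-ID is a placeholder (the archive redacts the real value).
SAMPLE_LOG = """\
Jul 26 07:58:20 vps spamd[7361]: spamd: result: . 2 - HTML_MESSAGE,URIBL_SBL,URIBL_WS_SURBL scantime=0.1,size=2230,user=nobody,uid=99,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56458,mid=<placeholder@example.invalid>,autolearn=no
Jul 26 07:58:21 vps spamd[7361]: spamd: result: Y 7 - BAYES_99,FORGED_RCVD_HELO,HTML_50_60,HTML_MESSAGE,URIBL_SBL,URIBL_WS_SURBL scantime=0.6,size=2183,user=szinski,uid=503,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=56459,mid=<placeholder@example.invalid>,bayes=0.97051713734,autolearn=no
"""

# Layout as seen in the thread: result: <Y|.> <score> - <RULE,RULE,...> <key=value,...>
RESULT_RE = re.compile(
    r"spamd: result: (?P<flag>[Y.])\s+(?P<score>-?\d+) - (?P<tests>\S*) (?P<kv>\S+)\s*$"
)

def parse_result(line):
    """Parse one spamd result line into a dict; return None for any other line."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m.group("kv").split(",") if "=" in p)
    tests = {t for t in m.group("tests").split(",") if t}
    return {"is_spam": m.group("flag") == "Y", "tests": tests, "fields": fields}

def scan_divergence(log_text):
    """For each Message-ID scanned under more than one user, report the rules
    that fired for only some users and whether a bayes= field was logged."""
    by_mid = defaultdict(dict)
    for line in log_text.splitlines():
        r = parse_result(line)
        if r and "mid" in r["fields"] and "user" in r["fields"]:
            by_mid[r["fields"]["mid"]][r["fields"]["user"]] = r
    report = {}
    for mid, scans in by_mid.items():
        if len(scans) < 2:
            continue  # scanned once only, nothing to compare
        common = set.intersection(*(s["tests"] for s in scans.values()))
        report[mid] = {
            "common": common,
            "only": {u: s["tests"] - common for u, s in scans.items()},
            "bayes": {u: s["fields"].get("bayes") for u, s in scans.items()},
            "verdict": {u: s["is_spam"] for u, s in scans.items()},
        }
    return report

if __name__ == "__main__":
    for mid, diff in scan_divergence(SAMPLE_LOG).items():
        print(mid, diff)
```

A scan whose "bayes" entry is None while another scan of the same message has a value is the pattern discussed in this thread: the SMTP-time scan ran as a user with no Bayes data.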



Re: How to identify image spam finally?

2006-07-27 Thread Loren Wilton

majority of mails I receive has a big image on the top, sometimes
combined from multiple image files, containing a lot of text I don't
want to read (stocks "info" and the like), followed by some lines of


Try the rulesemporium stock rules.

   Loren



Re: Which Net::DNS version for Fedora Core 4?

2006-07-27 Thread Jeff Chan
On Wednesday, July 26, 2006, 11:56:27 PM, Daryl O'Shea wrote:
> On 7/27/2006 2:39 AM, jdow wrote:

>> Both Jeff and I are perplexed over a trio of hits on newnanutilities.org
>> in a message referring to the Fedora update mirror they host.

> Three mixed up hits on separate messages?  I could sort of see it 
> happening if the cache on all/most lookups for the message expired 
> between checks.


>> I am running 3.0.6, essentially.

> *shrug* not sure why you still insist on running 3.0.

Fedora Core 4 doesn't seem to have 3.1.3 rpms that will work
easily.  In particular they need a newer version of glibc.

Daryl,
Can you determine if 3.0.6 is safe to use with Net::DNS 0.49?

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/