The way SA checks the URI for domainname.us.tt
Hello,

I submitted wealthpro.us.MUNGED.tt to uribl but it isn't added because SA will only see us.MUNGED.tt. I know there are some domains which use a 2 level tld zone, like .co.uk, which will never be included. Is this not a TLD which has to be changed inside SA to a 2 level tld? If I check the website at us.MUNGED.tt they use a countrycode.tt

--
With kind regards,
Maurice Lucas
TAOS-IT
Re: SPF breaks email forwarding
John D. Hardin wrote:
> On Thu, 27 Jul 2006, Hamish wrote:
>
>> Forwarding should (IMO) be implemented in such a way as the
>> FORWARDING mailbox should be used as the new return-path (Just
>> like if you forwarded an email from your MUA rather than with the
>> MDA). Then both SPF and forwarding would work fine. And
>> furthermore be consistent.
>
> ...and lead to a mail loop if the forward-to address starts
> bouncing messages for some reason...
>

Which would be resolved in exactly the same way in which mails that already loop are solved (i.e. too many hops). (Assuming you don't rewrite <>. You could also add a header to indicate a forwarded email. X-ForwardedFor: and use that for a bounce).

Either way existing forwarding is broken.

Hamish.
Re: SPF breaks email forwarding
Gino Cerullo wrote:
>
> On 27-Jul-06, at 4:32 PM, Hamish wrote:
>
>> On Wednesday 26 July 2006 17:25, Marc Perkel wrote:
>>> Benny Pedersen wrote:
>>>> On Tue, July 25, 2006 18:51, Marc Perkel wrote:
>>>>> SPF breaks email forwarding. My users use forwarding.
>>>> fair, but why not stop using forwarding ?
>>>
>>> Because my customers want to use forwarding.
>>
>> Perhaps it would be fairer to say that SPF is fine but the
>> forwarding is broken.
>>
>> Forwarding should (IMO) be implemented in such a way as the
>> FORWARDING mailbox should be used as the new return-path (Just
>> like if you forwarded an email from your MUA rather than with
>> the MDA). Then both SPF and forwarding would work fine. And
>> furthermore be consistent.
>>
>> Hamish.
>
> That's the basic idea behind SRS. The forwarding server re-writes
> the header and takes responsibility for the forwarded email.
>

Huh. Fancy that, I never looked at SRS. (But do use SPF and markup on it in SA). (Although not for my home domain because the DNS is with register.com and they don't do TXT records).

H
Re: Moving from SA 2.6 to SA 3.1.4 [bayes file]
BG Mahesh wrote:
> hi
>
> We are moving our mailserver to a new machine.
>
> The old machine has MailScanner+SA 2.6.x
> The new machine has MailScanner+SA 3.1.4
>
> How can I move the bayes file from the old machine to the new machine and make sure it is SA 3.1.4 compliant? Basically I want the new machine to use the knowledge base from the old machine, so what do I need to do?
>
> --
> B.G. Mahesh
> http://www.greynium.com/
> http://www.oneindia.in/
> http://www.click.in/ - Free Indian Classifieds

if you run sa-learn after the upgrade it should sort out the bayes file to the new format for you

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Image spams getting thru
I am suddenly facing a lot of image spams from a pretty efficient spammer now. The IPs he is using are not listed anywhere.

All spams advertising stocks of HLUN.PK

Am I alone facing this problem?

Also I found that the From header in all mails is a typical repeated string, like these:

From: Rory [mailto:[EMAIL PROTECTED]
From: Barbra [mailto:[EMAIL PROTECTED]
From: Ada [mailto:[EMAIL PROTECTED]
From: Hattie [mailto:[EMAIL PROTECTED]
From: Stacy [mailto:[EMAIL PROTECTED]
From: Lynne [mailto:[EMAIL PROTECTED]
From: Juliet [mailto:[EMAIL PROTECTED]
From: Genevieve [mailto:[EMAIL PROTECTED]
From: Aisha [mailto:[EMAIL PROTECTED]
From: Monique [mailto:[EMAIL PROTECTED]
From: Kirsten [mailto:[EMAIL PROTECTED]
From: Pablo [mailto:[EMAIL PROTECTED]
From: Sadie [mailto:[EMAIL PROTECTED]

Can I write a ruleset to hit these froms

Thanks
Ram
Re: Image spams getting thru
Hi! All spams advertising stocks of HLUN.PK Am I alone facing this problem. Also I found that the From header in all mails is a typical repeated string No this is seen all over. Anyone a nice rule? Bye, Raymond.
all trusted when no received headers are found
Is there a way to stop all trusted being triggered when no received headers are found at all?

Thanks
Ben
RE: exim4 + forwarding + spamassassin
Tried that, and it didn't work. Even with file permissions set to 777, I was seeing these log entries:

Jul 25 12:36:10 vps spamd[28501]: locker: safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.vps.zinski.net.28501 for /.spamassassin/auto-whitelist.lock: Permission denied
Jul 25 12:36:10 vps spamd[28501]: auto-whitelist: open of auto-whitelist file failed: locker: safe_lock: cannot create tmp lockfile /.spamassassin/auto-whitelist.lock.vps.zinski.net.28501 for /.spamassassin/auto-whitelist.lock: Permission denied

And

Jul 25 20:02:32 vps spamd[18096]: bayes: locker: safe_lock: cannot create tmp lockfile /.spamassassin/bayes.lock.vps.zinski.net.18096 for /.spamassassin/bayes.lock: Permission denied
Jul 25 20:16:45 vps spamd[26594]: bayes: locker: safe_lock: cannot create lockfile /.spamassassin/bayes.mutex: Permission denied

The only thing that would work was to chown the files to nobody:nobody (and, yes, I had the directory permissions set to 777 too.)

Steve

-----Original Message-----
From: Thomas Lindell [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 27, 2006 2:17 PM
To: users@spamassassin.apache.org
Subject: RE: exim4 + forwarding + spamassassin

You could have just chmoded the directories and files to 744
Re: all trusted when no received headers are found
On Fri, July 28, 2006 13:56, Ben Wylie wrote:
> IS there a way to stop all trusted being triggered when no received
> headers are found at all?

that will be broken if that happens, your own mta should be there no matter how broken the sending client is

what you can do is trust less to avoid it, and make sure your own mta does not remove headers, last you can try to set your mta to force 7bit headers to see if the problem goes away, if it does, then you know the problem

--
Benny
Re: SpamAssassin 3.0.3 and MIME_BOUND_RKFINDY
Excuse my ignorance, but I have seen mention of raising scores for Bayes_99, Bayes_95, and I have several SPAM messages that are trigerring Bayes_50 but are getting a score of 0.00. What are the differences between these and how do I go about raising the scores? I can't seem to find any documentation, so if you can point me at some I would greatly appreciate it! Thanks, James On Thu, 2006-07-27 at 20:12 -0700, jdow wrote: Tao, make sure your Bayes tests are working correctly. Then raise the score for BAYES_99 almost to 5, if it is not hitting more than one item ultimately scored as ham per day, and slightly boost the BAYES_95 score. With that and a nice juicy selection of SARE rules 5 is a rather nice number to work with. Those two changes are what has caused 5.0 to be such a good choice here. Very VERY little ham reaches 5.0. And most spam is above 6.5 or 7 with about one or two in 100 under 6.5. Without the well trained Bayes I don't think I'd be doing near as well as I am at the moment. (The other trick involves a small set of meta rules that fires if I have a mailing list that is "open" and gets some spam flowing through it. This amplifies the difference from the BAYES_50 score for most of the other BAYES_xxx scores. This one change killed off most of the errors I was getting from things like the FreeBSD, LKML, and other such mailing lists. I should write it up and share it through SARE pretty soon. I am pretty happy with it right now, although it is awkward to maintain. It may need a plugin to snarf up the list of list identifier tests that should be used at a given site.) {^_^} - Original Message - From: "Tao Lin" <[EMAIL PROTECTED]> > Hi, John > > Now I understand what MIME_BOUND_RKFINDY mean. It means my email is > generated by Indy component. And I have some misuse of the Indy component > that it gen the html email is not so clean. Once I fix it, my email score > from 2.4 downto 0.5! 
> > And I think I will keep my cutoff score as 2 because I get so many spam > every day and some of them just score 2.3! > > Cheers, > > Tao > > On 7/27/06, John Andersen <[EMAIL PROTECTED]> wrote: >> >> On Wednesday 26 July 2006 20:16, Tao Lin wrote: >> > Hi, >> > >> > I am using SpamAssassin 3.0.3 with Exim 3.35 under Debian woody. When >> > I send a test html email to my own mail server, SpamAssassin treat it >> > as a spam. Here is the message header: >> >> > version=3.0.3 >> > X-Spam-Report: >> > * 2.7 MIME_BOUND_RKFINDY Spam tool pattern in MIME boundary (rfkindy) >> >> > == >> > >> > I don't why my email score so high on MIME_BOUND_RKFINDY, and what it >> > mean. How can I make my html email get through the SpamAssassin? >> > >> > Cheers, >> >> You can find out what the tests are here: >> http://spamassassin.apache.org/tests_3_1_x.html >> >> Your cutoff is pretty low: >> >X-Spam-Status: Yes, score=2.4 required=2.0 >> >> Your cutoff is less than half the recommended 5.0. You will be >> rejecting a lot of valid mail (as you have seen). >> >> >> >> -- >> _ >> John Andersen >> >> >> > > > -- > Tao Lin >
Re: Image spams getting thru
On Fri, July 28, 2006 13:14, Ramprasad wrote:
> From: Rory [mailto:[EMAIL PROTECTED]
> From: Barbra [mailto:[EMAIL PROTECTED]
>
> Can I write a ruleset to hit these froms

yes

attached a rule for this

--
Benny

# > header TWO_SUBJS ALL =~ /(?:^|\n)Subject:.*\nSubject:/s
# > header DOUBLE_SUBJECT ALL =~ /\nSubject: *\nSubject:.\s+\S/m
#
# So this is what it boils down to, tested:
#
# header   L_DOUBLE_SUBJECT ALL =~ /^Subject:.*^Subject:/smi
# describe L_DOUBLE_SUBJECT rfc forbids two subject lines
# score    L_DOUBLE_SUBJECT 0.9
# header   L_DOUBLE_FROM ALL =~ /^From:.*^From:/smi
# describe L_DOUBLE_FROM rfc forbids two from lines
# score    L_DOUBLE_FROM 0.9
#
# Thanks to both of you, Justin and Loren.
#
# Mark
#
header   __DOUBLE_SUBJ ALL =~ /^Subject:.*^Subject:/smi
header   __DOUBLE_FROM ALL =~ /^From:.*^From:/smi
meta     DOUBLE_SUBJ_OR_FROM __DOUBLE_SUBJ || __DOUBLE_FROM
describe DOUBLE_SUBJ_OR_FROM Contains more than one Subject or From header
score    DOUBLE_SUBJ_OR_FROM 2.0
Re: The way SA checks the URI for domainname.us.tt
On Fri, Jul 28, 2006 at 09:22:08AM +0200, Maurice Lucas wrote: > I submitted wealthpro.us.MUNGED.tt to uribl but he isn't added because > SA will only see us.MUNGED.tt. I'm not sure why you think that. us.tt is listed as a two level TLD in SA, so .us.tt is what gets used. -- Randomly Generated Tagline: MIPS: Meaningless Indicator of Processor Speed
Re: Image spams getting thru
Oops they were single from headers, but from different mails

On Fri, 2006-07-28 at 16:50 +0200, Benny Pedersen wrote:
> On Fri, July 28, 2006 13:14, Ramprasad wrote:
> > From: Rory [mailto:[EMAIL PROTECTED]
> > From: Barbra [mailto:[EMAIL PROTECTED]
> >
> > Can I write a ruleset to hit these froms
>
> yes
>
> attached a rule for this
>
> --
> Benny
Re: The way SA checks the URI for domainname.us.tt
On 7/28/2006 4:57 PM, Theo Van Dinter wrote: On Fri, Jul 28, 2006 at 09:22:08AM +0200, Maurice Lucas wrote: I submitted wealthpro.us.MUNGED.tt to uribl but he isn't added because SA will only see us.MUNGED.tt. I'm not sure why you think that. us.tt is listed as a two level TLD in SA, so .us.tt is what gets used. In that case the URIBL reviewer who rejected that must be clueless Alex
Re: The way SA checks the URI for domainname.us.tt
On Fri, 2006-07-28 at 10:57 -0400, Theo Van Dinter wrote: > On Fri, Jul 28, 2006 at 09:22:08AM +0200, Maurice Lucas wrote: > > I submitted wealthpro.us.MUNGED.tt to uribl but he isn't added because > > SA will only see us.MUNGED.tt. > > I'm not sure why you think that. us.tt is listed as a two level TLD in > SA, so .us.tt is what gets used. > I could have checked that if I did run a debug on that email. Thank you -- With kind regards, Maurice Lucas TAOS-IT
list of two level TLDs in SA
>> ... us.tt is listed as a two level TLD in SA I wasn't involved in that URIBL listing which brought this up... but, BTW, I'd love to have that "two level TLD in SA" list handy. Therefore, can someone point me in the right direction for where I could find SA's list of "two level TLDs"? Thanks! Rob McEwen PowerView Systems [EMAIL PROTECTED]
Re: list of two level TLDs in SA
On Fri, Jul 28, 2006 at 11:27:09AM -0400, Rob McEwen (PowerView Systems) wrote: > I wasn't involved in that URIBL listing which brought this up... but, BTW, > I'd love to have that "two level TLD in SA" list handy. Therefore, can > someone point me in the right direction for where I could find SA's list of > "two level TLDs"? Mail::SpamAssassin::Util::RegistrarBoundaries enjoy. :) -- Randomly Generated Tagline: Bender: He's a witch!
Re: list of two level TLDs in SA
Thanks for your help, Theo Van Dinter!

Using your tip, I was able to find this on a web site here:

http://cpan.uwinnipeg.ca/htdocs/Mail-SpamAssassin/Mail/SpamAssassin/Util/RegistrarBoundaries.pm.html

(which I post in case someone in the future stumbles upon this thread looking for this same answer but doesn't have SA source code handy)

Thanks again!

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
Re: SpamAssassin 3.0.3 and MIME_BOUND_RKFINDY
Golden, James wrote: I have several SPAM messages that are trigerring Bayes_50 but are getting a score of 0.00. BAYES_50 means Bayes thinks the message has a 50% chance of being spam. Which is the same as a 50% chance of being ham. In other words, Bayes looks at it, says, "I have no idea whether this is spam-like or not." So 0 is the appropriate score for BAYES_50.
Re: SpamAssassin 3.0.3 and MIME_BOUND_RKFINDY
On Fri, Jul 28, 2006 at 10:21:11AM -0700, Ninja Dude wrote: > In other words, Bayes looks at it, says, "I have no idea whether this is > spam-like or not." So 0 is the appropriate score for BAYES_50. FWIW, BAYES_50 actually has a tiny tiny non-zero score so it'll show up as a rule hit. Otherwise, people went crazy not understanding why there were no BAYES_* hits. -- Randomly Generated Tagline: "... before engaging in a battle of wits, one must ensure that one's opponent is armed." - Jamie Zawinkski
Rules for short spams?
I'm getting hammered with short spams. Basically one line, a URI, then about 2 more lines. I've put a sample at http://www.espphotography.com/spam.txt . But that's about what they generally are. Very short, to the point so to speak. Any rules that would help these? Thanks. Evan
Re: Rules for short spams?
Evan Platt wrote: I'm getting hammered with short spams. Basically one line, a URI, then about 2 more lines. ... Any rules that would help these? Enable network tests. URIBL rules were basically invented for this type of spam, and they tend to work quite well. -- Kelson Vibber SpeedGate Communications
Re: SpamAssassin 3.0.3 and MIME_BOUND_RKFINDY
On 27-Jul-06, at 7:46 PM, Tao Lin wrote: Hi, John Now I understand what MIME_BOUND_RKFINDY mean. It means my email is generated by Indy component. And I have some misuse of the Indy component that it gen the html email is not so clean. Once I fix it, my email score from 2.4 downto 0.5! And I think I will keep my cutoff score as 2 because I get so many spam every day and some of them just score 2.3! You can train your bayes to learn the false negative email as spam, get some SARE custom rules, enable network test. Cheers, Tao Vincent System Administrator The Biomedical Research Centre University of British Columbia
per user Bayesian filtering
I have Postfix 2.2.10 and SpamAssassin 3.1.3. I have been trying to figure out how to set up per-user Bayesian filtering. Obviously I need to cause sa-learn to maintain a different database for each user. My question is how do I get SpamAssassin to use the DB corresponding to the recipient of the message? And if the message is destined to multiple recipients, each with separate Bayesian DBs, does/can SA score them separately?
Re: per user Bayesian filtering
I just realized the question also applies to outgoing mail. Would that be based on the senders DB? What about for relayed mail? Is there a way to make it so that SA only gets invoked for incoming mail? Joe Harvell wrote: > I have Postfix 2.2.10 and SpamAssassin 3.1.3. I have been trying to > figure out how to set up per-user Bayesian filtering. Obviously I need > to cause sa-learn to maintain a different database for each user. My > question is how do I get SpamAssassin to use the DB corresponding to the > recipient of the message? And if the message is destined to multiple > recipients, each with separate Bayesian DBs, does/can SA score them > separately? > >
Re: all trusted when no received headers are found
Ben Wylie wrote:
> IS there a way to stop all trusted being triggered when no received
> headers are found at all?
>
> Thanks
> Ben
>
>

That should not happen in recent versions of SA.. What version are you on?

SA 3.1.x will only fire ALL_TRUSTED if all of the following are met:

1) there is at LEAST one trusted relay
2) there are NO untrusted relays
3) there are NO unparseable Received: headers.

A message with no Received: headers would not match the first criteria.

Early members of the SA 3.0 series and the 2.6 series suffer from bugs where only criteria 2 applies, causing false-positives on messages with no Received: headers, or malformed Received: headers.

Code that implements this, from EvalTests.pm of SA 3.1.0:

    sub check_all_trusted {
      my ($self) = @_;
      return $self->{num_relays_trusted}
          && !$self->{num_relays_untrusted}
          && !$self->{num_relays_unparseable};
    }

And the buggy version from 3.0.0:

    sub check_all_trusted {
      my ($self) = @_;
      if ($self->{num_relays_untrusted} > 0) {
        return 0;
      } else {
        return 1;
      }
    }
Re: Image spams getting thru
From: "Benny Pedersen" <[EMAIL PROTECTED]> On Fri, July 28, 2006 13:14, Ramprasad wrote: From: Rory [mailto:[EMAIL PROTECTED] From: Barbra [mailto:[EMAIL PROTECTED] Can I write a ruleset to hit these froms yes attached a rule for this I think he meant the "cardiac.cardiac" and "adjudge.adjudge" part of the From line. Your rule simply prevents more than 1 Subject: header line and more than 1 From: header line. {^_^}
Re: list of two level TLDs in SA
From: "Rob McEwen (PowerView Systems)" <[EMAIL PROTECTED]>
> Thanks for your help, Theo Van Dinter!
>
> Using your tip, I was able to find this on a web site here:
>
> http://cpan.uwinnipeg.ca/htdocs/Mail-SpamAssassin/Mail/SpamAssassin/Util/RegistrarBoundaries.pm.html
>
> (which I post in case someone in the future stumbles upon this thread looking for this same answer but doesn't have SA source code handy)

Rob, with perl the source code is ALWAYS available:

[EMAIL PROTECTED] ~]$ ls /usr/lib/perl5/site_perl/5.8.6/Mail/SpamAssassin/Util
RegistrarBoundaries.pm

The perl language is interpreted. That's why it can take a long time to start perl applications.

{^_-}
sa-learn killed, bayes not available
The bayesian filter seems super-delicate. If I run sa-learn on a mailbox with more than about 200 messages in it, it gets killed, I'm not sure why:

$ sa-learn --spam --dir Maildir/.spam/cur/
Killed
$

If sa-learn gets killed in the middle, it leaves a database that it thinks is empty.

Before a killed process:

debug: bayes: found bayes db version 3
debug: bayes corpus size: nspam = 592, nham = 562

After a killed process:

debug: bayes: found bayes db version 3
debug: bayes: Not available for scanning, only 0 spam(s) in Bayes DB < 200

rescanning doesn't do any good, because sa-learn still knows about the messages it's already looked at. I have to start training all over by deleting bayes_seen and bayes_toks. Furthermore, this kills my bayesian filter and Spamassassin lets through about 75% of my incoming spam without it.

I've got thousands of spams and hams ready to feed to sa-learn, but having to feed them 100 at a time is cumbersome and starting over again a dozen times in the last few days

Other than backing up my .spamassassin directory before I run sa-learn each time, are there any suggestions? I'm running 3.0.3, but it's a hosted box so upgrading isn't my call.

Thanks,
Steve

--
Steven M. Scotten <[EMAIL PROTECTED]>
The future will blow your mind
Re: Rules for short spams?
On Fri, July 28, 2006 19:28, Evan Platt wrote: > I'm getting hammered with short spams. Basically one line, a URI, > then about 2 more lines. > > I've put a sample at http://www.espphotography.com/spam.txt . But > that's about what they generally are. Very short, to the point so to speak. > > Any rules that would help these? http://www.uribl.com/ please add URI there if its missing -- Benny
Re: SpamAssassin 3.0.3 and MIME_BOUND_RKFINDY
Visit the wiki for information on changing scores and how the four score numbers are used.

http://wiki.apache.org/spamassassin/

You can learn about the specific BAYES_ scores in this file:

/usr/share/spamassassin/50_scores.cf

Do not change the scores there. The four scores listed are used under these conditions in left to right order: no network rules and no bayes, network rules but no bayes, bayes but no network rules, and both network rules and Bayes active. For Bayes scores you usually want to tweak the final rule since you DO run network tests, don't you? {^_-}

Hit the "SCORING OPTIONS" paragraphs in "man Mail::SpamAssassin::Conf" for more details.

You might change this in user_prefs if you are not using site wide rules and scores or you might change them in "local.cf", usually as /etc/mail/spamassassin/local.cf although ymmv.

The lines might look like:

score BAYES_50 0 0 1.567 0.001
score BAYES_99 0 0 5.001 5.001

Oh yeah - I very slightly tweaked BAYES_50 so that hits on it show in the scores. That way I know for sure it is running. Silly me. But mommies like to keep tabs on their children's activities. {^_-}

Now, I set the score all the way up over 5 ever so slightly in increments. I kept increasing it until I got over 5 or started getting hams marked as spams WITH BAYES_99 involved in the markup. With my particular setup I have not had on my account, at least, (can't speak for Loren here "fer shure") a BAYES_99 on anything but genuine spam. So it climbed up there. (If Loren gets some BAYES_99 spams he can reduce the BAYES_99 spam score slightly in his user prefs. {^_-})

{^_^}

----- Original Message -----
From: "Golden, James" <[EMAIL PROTECTED]>

Excuse my ignorance, but I have seen mention of raising scores for Bayes_99, Bayes_95, and I have several SPAM messages that are triggering Bayes_50 but are getting a score of 0.00. What are the differences between these and how do I go about raising the scores?
I can't seem to find any documentation, so if you can point me at some I would greatly appreciate it! Thanks, James On Thu, 2006-07-27 at 20:12 -0700, jdow wrote: Tao, make sure your Bayes tests are working correctly. Then raise the score for BAYES_99 almost to 5, if it is not hitting more than one item ultimately scored as ham per day, and slightly boost the BAYES_95 score. With that and a nice juicy selection of SARE rules 5 is a rather nice number to work with. Those two changes are what has caused 5.0 to be such a good choice here. Very VERY little ham reaches 5.0. And most spam is above 6.5 or 7 with about one or two in 100 under 6.5. Without the well trained Bayes I don't think I'd be doing near as well as I am at the moment. (The other trick involves a small set of meta rules that fires if I have a mailing list that is "open" and gets some spam flowing through it. This amplifies the difference from the BAYES_50 score for most of the other BAYES_xxx scores. This one change killed off most of the errors I was getting from things like the FreeBSD, LKML, and other such mailing lists. I should write it up and share it through SARE pretty soon. I am pretty happy with it right now, although it is awkward to maintain. It may need a plugin to snarf up the list of list identifier tests that should be used at a given site.) {^_^} - Original Message - From: "Tao Lin" <[EMAIL PROTECTED]> > Hi, John > > Now I understand what MIME_BOUND_RKFINDY mean. It means my email is > generated by Indy component. And I have some misuse of the Indy component > that it gen the html email is not so clean. Once I fix it, my email score > from 2.4 downto 0.5! > > And I think I will keep my cutoff score as 2 because I get so many spam > every day and some of them just score 2.3! > > Cheers, > > Tao > > On 7/27/06, John Andersen <[EMAIL PROTECTED]> wrote: >> >> On Wednesday 26 July 2006 20:16, Tao Lin wrote: >> > Hi, >> > >> > I am using SpamAssassin 3.0.3 with Exim 3.35 under Debian woody. 
When >> > I send a test html email to my own mail server, SpamAssassin treat it >> > as a spam. Here is the message header: >> >> > version=3.0.3 >> > X-Spam-Report: >> > * 2.7 MIME_BOUND_RKFINDY Spam tool pattern in MIME boundary (rfkindy) >> >> > == >> > >> > I don't why my email score so high on MIME_BOUND_RKFINDY, and what it >> > mean. How can I make my html email get through the SpamAssassin? >> > >> > Cheers, >> >> You can find out what the tests are here: >> http://spamassassin.apache.org/tests_3_1_x.html >> >> Your cutoff is pretty low: >> >X-Spam-Status: Yes, score=2.4 required=2.0 >> >> Your cutoff is less than half the recommended 5.0. You will be >> rejecting a lot of valid mail (as you have seen). >> >> >> >> -- >> _ >> John Andersen >> >> >> > > > -- > Tao Lin >
Re: SpamAssassin 3.0.3 and MIME_BOUND_RKFINDY
From: "Theo Van Dinter" <[EMAIL PROTECTED]> FWIW, BAYES_50 actually has a tiny tiny non-zero score so it'll show up as a rule hit. Otherwise, people went crazy not understanding why there were no BAYES_* hits. Gee, I can take out my BAYES_50 tweak. {^_-}
Re: The way SA checks the URI for domainname.us.tt
From: "Yet Another Ninja" <[EMAIL PROTECTED]>
> On 7/28/2006 4:57 PM, Theo Van Dinter wrote:
>> On Fri, Jul 28, 2006 at 09:22:08AM +0200, Maurice Lucas wrote:
>>> I submitted wealthpro.us.MUNGED.tt to uribl but he isn't added because
>>> SA will only see us.MUNGED.tt.
>>
>> I'm not sure why you think that. us.tt is listed as a two level TLD in
>> SA, so .us.tt is what gets used.
>
> In that case the URIBL reviewer who rejected that must be clueless

Maybe not, may have simply not looked far enough, Alex:

===8<---
[EMAIL PROTECTED] ~]$ whois wealthpro.us.tt
[Querying http://www.nic.tt/cgi-bin/search.pl]
Enter Domain Name (exactly and with the .tt extension):
Submit
The Domain Name wealthpro.us.tt has not yet been Registered
===8<---

nic.tt lies maybe. But then this is us.tt:

===8<---
Domain Name us.tt
Registrant Name Juergen Riedel
Registrant Address Landhausstrasse 110 Stuttgart BW 70190 DE
DNS Information {ns1.idnscan.net,ns2.idnscan.net,ns3.idnscan.net}, {62.146.83.82,213.133.115.132,62.146.83.90}
Expiration Date 01-31-2009
Last Updated 02-17-2003
Administrative Contact Juergen Riedel, [EMAIL PROTECTED], +497112865799, (fax) +497112868450
Technical Contact Juergen Riedel, [EMAIL PROTECTED], +497112865799, (fax) +497112868450
Billing Contact Juergen Riedel, [EMAIL PROTECTED], +497112865799, (fax) +497112868450
===8<---

So must have not moved up one to see if us.tt was a twofer or not. It appears not. It appears to be a single registrant inside the RIPE block 213.239.203.0/24.

Mr. simply made an all too easy mistake to make and presumed anything .tt that looked twofer like was indeed a twofer.

{^_-}
Re: The way SA checks the URI for domainname.us.tt
From: "Maurice Lucas" <[EMAIL PROTECTED]> On Fri, 2006-07-28 at 10:57 -0400, Theo Van Dinter wrote: On Fri, Jul 28, 2006 at 09:22:08AM +0200, Maurice Lucas wrote: > I submitted wealthpro.us.MUNGED.tt to uribl but he isn't added because > SA will only see us.MUNGED.tt. I'm not sure why you think that. us.tt is listed as a two level TLD in SA, so .us.tt is what gets used. I could have checked that if I did run a debug on that email. And after my playing around with whois one comes to the confusion or conclusion that us.it is not a two level domain or else whois is very broken. I vote for the former conclusion. If you play with the standard spammer trick .us.it it comes back with the same address. Methinks I feel a patch coming on if Theo reads this. {^_-}
Re: The way SA checks the URI for domainname.us.tt
On Fri, Jul 28, 2006 at 04:08:42PM -0700, jdow wrote: > And after my playing around with whois one comes to the confusion or > conclusion that us.it is not a two level domain or else whois is very > broken. I vote for the former conclusion. If you play with the standard > spammer trick .us.it it comes back with the same address. > > Methinks I feel a patch coming on if Theo reads this. Why? us.tt acts as a registrar (www.us.tt -> joynic.com), dolling out .us.tt to others, so we want to be able to deal with that. Same as other .tt 2TLDs. -- Randomly Generated Tagline: "Israel today announced that it is giving up. The Zionist state will dissolve in two weeks time, and its citizens will disperse to various resort communities around the world. Said Prime Minister Yitzhak Shamir, 'Who needs the aggravation?'" -- Dennis Miller, "Satuday Night Live" News
Re: The way SA checks the URI for domainname.us.tt
From: "Maurice Lucas" <[EMAIL PROTECTED]> On Fri, 2006-07-28 at 10:57 -0400, Theo Van Dinter wrote: On Fri, Jul 28, 2006 at 09:22:08AM +0200, Maurice Lucas wrote: > I submitted wealthpro.us.MUNGED.tt to uribl but he isn't added because > SA will only see us.MUNGED.tt. I'm not sure why you think that. us.tt is listed as a two level TLD in SA, so .us.tt is what gets used. I could have checked that if I did run a debug on that email. Thank you Addendum - it appears .uk.tt also responds with the same address. Ditto for es.tt Oops! I did a wget on the address. This is the meat of the message: Where do you want to deliver your ad today? O kay - .tt is basically a corrupt top level with most of its .tt domains ALL pointing to "boost Media US". I wonder how many OTHER TLDs have this generic problem. You made a remarkably good catch Maurice. {^_^}
Re: The way SA checks the URI for domainname.us.tt
From: "Maurice Lucas" <[EMAIL PROTECTED]> On Fri, 2006-07-28 at 10:57 -0400, Theo Van Dinter wrote: On Fri, Jul 28, 2006 at 09:22:08AM +0200, Maurice Lucas wrote: > I submitted wealthpro.us.MUNGED.tt to uribl but he isn't added because > SA will only see us.MUNGED.tt. I'm not sure why you think that. us.tt is listed as a two level TLD in SA, so .us.tt is what gets used. I could have checked that if I did run a debug on that email. Further addendum for Theo. This is the ttnic official list of twofers: co.tt, com.tt, org.tt, net.tt, biz.tt, info.tt, pro.tt, int.tt, coop.tt, jobs.tt, mobi.tt, travel.tt, museum.tt, aero.tt, or name.tt. All others are phake. (phake == fake++) {^_-}
Re: The way SA checks the URI for domainname.us.tt
From: "jdow" <[EMAIL PROTECTED]> From: "Maurice Lucas" <[EMAIL PROTECTED]> On Fri, 2006-07-28 at 10:57 -0400, Theo Van Dinter wrote: On Fri, Jul 28, 2006 at 09:22:08AM +0200, Maurice Lucas wrote: > I submitted wealthpro.us.MUNGED.tt to uribl but he isn't added because > SA will only see us.MUNGED.tt. I'm not sure why you think that. us.tt is listed as a two level TLD in SA, so .us.tt is what gets used. I could have checked that if I did run a debug on that email. Further addendum for Theo. This is the ttnic official list of twofers: co.tt, com.tt, org.tt, net.tt, biz.tt, info.tt, pro.tt, int.tt, coop.tt, jobs.tt, mobi.tt, travel.tt, museum.tt, aero.tt, or name.tt. All others are phake. (phake == fake++) Correction .gov.tt and .edu.tt are legit and have their own registrar. nic.tt points to the .tt registrar. {^_^}
Re: The way SA checks the URI for domainname.us.tt
From: "Theo Van Dinter" <[EMAIL PROTECTED]> Quoth Theo: Why? us.tt acts as a registrar (www.us.tt -> joynic.com), dolling out .us.tt to others, so we want to be able to deal with that. Same as other .tt 2TLDs. Quoth the Trinidad Tobago registrar, ttnic at http://www.nic.tt/ : ===8<--- (Reformatted only.) Welcome to the Trinidad and Tobago Network Information Centre (TTNIC). The TTNIC is responsible for the registration of Internet domain names under the TT (Trinidad and Tobago) Top Level Domain. We do not require applicants to have a physical presence in Trinidad and Tobago. Registrants must agree to be bound by all Terms and Conditions, and must accept the Uniform Dispute Resolution Policy. Registrants can apply for second level domains (e.g., companyname.tt) or third level domains within co.tt, com.tt, org.tt, net.tt, biz.tt, info.tt, pro.tt, int.tt, coop.tt, jobs.tt, mobi.tt, travel.tt, museum.tt, aero.tt, or name.tt. gov.tt subdomains are now managed by the Government of Trinidad and Tobago ( TT Government's Web Site ) edu.tt subdomain applications must be submitted at www.edu.tt and are cost free (with free hosting if needed) ===8<--- Somebody got VERY clever with that joynic pseudo-registrar. {^_-}
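The disagreement in this thread comes down to which names count as registry suffixes when a hostname is trimmed to the domain that is looked up in URIBL. An added example (not SpamAssassin's RegistrarBoundaries code and not posted by anyone in the thread) that trims hostnames against two suffix lists: the zones quoted from www.nic.tt, and the same list plus us.tt. The function names and the sample hostnames are constructed for illustration.

```python
import ipaddress

# Zones under which the thread says TTNIC registers third-level names
# (the www.nic.tt quote, plus gov.tt and edu.tt from the correction).
TTNIC_ZONES = frozenset(
    "co.tt com.tt org.tt net.tt biz.tt info.tt pro.tt int.tt coop.tt "
    "jobs.tt mobi.tt travel.tt museum.tt aero.tt name.tt gov.tt edu.tt".split()
)

# The same list plus us.tt, which the thread says SA lists as a two level TLD.
WITH_US_TT = TTNIC_ZONES | {"us.tt"}

# Lookup zone taken from the urirhssub lines posted in the thread.
URIBL_ZONE = "multi.uribl.com"


def trim_domain(host, two_level_tlds):
    """Return the registrable domain of host, or None if it has none.

    Hypothetical helper: one label is kept in front of the suffix, and the
    suffix is two labels long only when it appears in two_level_tlds.
    """
    host = host.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return None  # IP literals have no registrable domain
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or "" in labels:
        return None  # single label or empty label: not a usable hostname
    suffix_len = 2 if ".".join(labels[-2:]) in two_level_tlds else 1
    if len(labels) <= suffix_len:
        return None  # the host is itself a registry suffix
    return ".".join(labels[-(suffix_len + 1):])


def uribl_query(host, two_level_tlds):
    """Name that would be queried in the URIBL zone, or None."""
    domain = trim_domain(host, two_level_tlds)
    return None if domain is None else f"{domain}.{URIBL_ZONE}"


def compare(host):
    """Trim one host under both suffix lists: (with us.tt, TTNIC list only)."""
    return trim_domain(host, WITH_US_TT), trim_domain(host, TTNIC_ZONES)


if __name__ == "__main__":
    # Constructed sample hostnames, not taken from real mail.
    for sample in ("www.spamvertised.us.tt", "shop.example.co.tt",
                   "us.tt", "192.0.2.1"):
        print(sample, compare(sample), uribl_query(sample, WITH_US_TT))
```

With us.tt in the suffix list each customer name under it is looked up separately; without it every such host collapses to the single name us.tt, so one listing covers all of them.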
Re: per user Bayesian filtering
On Friday 28 July 2006 10:33, Joe Harvell wrote: > I have Postfix 2.2.10 and SpamAssassin 3.1.3. I have been trying to > figure out how to set up per-user Bayesian filtering. Obviously I need > to cause sa-learn to maintain a different database for each user. My > question is how do I get SpamAssassin to use the DB corresponding to the > recipient of the message? And if the message is destined to multiple > recipients, each with separate Bayesian DBs, does/can SA score them > separately? This isn't a postfix question so much as it is a MDA Question. What does local delivery on your system? Procmail? Cyrus? Do you use Amavis? As the mail is handed off from Postfix to your local delivery agent, that agent decides if it will use SA or not. -- _ John Andersen
Re: Rules for short spams?
At 10:40 AM 7/28/2006, you wrote:
> Enable network tests. URIBL rules were basically invented for this type of spam, and they tend to work quite well.

It looks like I'm not, but I'm not able to see how to - I use spamassassin on a os/x box. I call spamc from procmail

spamc -s 512000

All google search tells me to not call spamc with -l

On a similar note: I added

urirhssub URIBL_BLACK multi.uribl.com. A 2
body      URIBL_BLACK eval:check_uridnsbl('URIBL_BLACK')
describe  URIBL_BLACK Contains an URL listed in the URIBL blacklist
tflags    URIBL_BLACK net
score     URIBL_BLACK 3.0

urirhssub URIBL_GREY multi.uribl.com. A 4
body      URIBL_GREY eval:check_uridnsbl('URIBL_GREY')
describe  URIBL_GREY Contains an URL listed in the URIBL greylist
tflags    URIBL_GREY net
score     URIBL_GREY 0.25

to my local.cf. Now I'm seeing in my mail.log:

www spamd[269]: Use of uninitialized value in exists at /Library/Perl/5.8.6/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 718, line 384.\n

Any ideas?

Thanks.

Evan
spamassassin on qmail
Hi ALL does spamassassin work on qmail MTA Thanks and Regards Kaushal