Re: What changes would you make to stop spam? - United Nations Paper
On Aug 3, 2006, at 11:16 PM, [EMAIL PROTECTED] wrote:

> >> From: "Kenneth Porter" <[EMAIL PROTECTED]>
> >>
> >> > --On Wednesday, August 02, 2006 12:02 PM -0700 MennovB <[EMAIL PROTECTED]> wrote:
> >> >
> >> >> Anyway, IMHO with SYN throttle you would only be rate-limiting the zombies, I would rather they stopped sending spam completely..
> >> >
> >> > What I don't understand is how making them use the ISP server stops them from spamming any more than rate-limiting direct port 25 connections. Why do the packets need to be reassembled in an MTA and stored and forwarded? What does that step buy you?
> >>
> >> For that matter, how in would an IMAP MUA handle BCC?
> >> {^_-}
>
> Hi, since a certain amount of spam I get is just bcc'd, making bcc harder could reduce spam :)

I've been re-thinking Marc's "IMAP for sending, instead of SMTP" proposal. And this "block Bcc" part got me thinking even more. I think he may be on to something. But let's take it one step further.

Email via fingerd. That'll throw off the spammers.

And to slow down their spam-bot attacks, I propose we replace the internet backbones with the long-proposed-but-never-implemented IP-via-carrier-pigeon.

We'll need an authentication scheme to go with this. I'm going to suggest a GSSAPI method for wax envelope seals. Perfect for carrier pigeon packets. And _EACH_ packet is individually authenticated. PERFECT!

And we'll send preferred traffic (because we hate net neutrality!) over bongo-net.

I think this new internet architecture will stop the spammers in their tracks. No, really, it will.
Re: whitelist poisoned? spam getting through
On Thursday 03 August 2006 11:02 pm, Mathias Homann wrote:
> how can it be that the attached spam got through... the SA report
> says "user in whitelist", thus it gave the spam a really high
> negative score. How can that be, or rather, how can I stop it?

Looks like they used the same address for both the envelope sender and the recipient ([EMAIL PROTECTED]). This is easy to do, and more common than you might think.

> Return-Path: <[EMAIL PROTECTED]>
...
> To: [EMAIL PROTECTED]

Simple answer: don't whitelist your own address. Some spammers will do this deliberately, hoping it will get them past filters.

-- 
Kelson Vibber
SpeedGate Communications,
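The pattern Kelson describes, forged envelope sender equal to the whitelisted recipient, can be checked mechanically before a whitelist entry is trusted. The following is an added example, not code from the thread or from SpamAssassin: it emulates whitelist_from semantics (match on Return-Path or From:, nothing verified) and reports when the match is self-addressed. The addresses, message samples and the WHITELIST_SCORE constant (SpamAssassin's default -100 for USER_IN_WHITELIST) are this example's own.

```python
"""Whitelist self-addressing check: flags mail where the whitelisted sender
is also the recipient, the pattern behind the USER_IN_WHITELIST hit in this
thread. Added example, not SpamAssassin code; addresses are constructed."""
import email
from email.utils import getaddresses

# SpamAssassin's default score for USER_IN_WHITELIST.
WHITELIST_SCORE = -100.0

# Constructed sample modelled on the forwarded spam: the same address sits in
# Return-Path (envelope sender), From and To.
FORGED_SELF_ADDRESSED = b"""\
Return-Path: <alice@example.invalid>
From: "susan lynch" <alice@example.invalid>
To: alice@example.invalid
Subject: Say No to pain

(image-only body)
"""

# Constructed legitimate mail from a whitelisted partner.
LEGIT_MAIL = b"""\
Return-Path: <bob@partner.invalid>
From: Bob <bob@partner.invalid>
To: alice@example.invalid
Subject: meeting

see you at ten
"""


def addresses(msg, *headers):
    """Lower-cased set of bare addresses found in the named headers."""
    values = [str(msg.get(h, "")) for h in headers]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def whitelist_check(raw, whitelist):
    """Emulate whitelist_from: an entry matches the envelope sender
    (Return-Path) or the From: address, and nothing else is verified.
    Returns a report that also says whether the match is self-addressed."""
    msg = email.message_from_bytes(raw)
    senders = addresses(msg, "Return-Path", "From")
    recipients = addresses(msg, "To", "Cc")
    entries = {w.lower() for w in whitelist}
    hit = bool(senders & entries)
    self_addressed = bool(senders & recipients)
    return {
        "whitelist_hit": hit,
        "self_addressed": self_addressed,
        # The dangerous combination: a forged sender equal to the recipient
        # that is on the whitelist, exactly what "don't whitelist your own
        # address" prevents.
        "forged_self_whitelist": hit and self_addressed,
        "score_delta": WHITELIST_SCORE if hit else 0.0,
    }


if __name__ == "__main__":
    for name, raw in (("forged", FORGED_SELF_ADDRESSED), ("legit", LEGIT_MAIL)):
        print(name, "own address whitelisted:",
              whitelist_check(raw, {"alice@example.invalid"}))
        print(name, "partner whitelisted:    ",
              whitelist_check(raw, {"bob@partner.invalid"}))
```

Run against the forged sample with the victim's own address whitelisted, the report shows the -100 delta and the self-addressed flag together; with only the partner address whitelisted the same message gets no whitelist credit, which is the effect of Kelson's advice.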
Re: What changes would you make to stop spam? - United Nations Paper
>> From: "Kenneth Porter" <[EMAIL PROTECTED]>
>>
>> > --On Wednesday, August 02, 2006 12:02 PM -0700 MennovB <[EMAIL PROTECTED]> wrote:
>> >
>> >> Anyway, IMHO with SYN throttle you would only be rate-limiting the zombies, I would rather they stopped sending spam completely..
>> >
>> > What I don't understand is how making them use the ISP server stops them from spamming any more than rate-limiting direct port 25 connections. Why do the packets need to be reassembled in an MTA and stored and forwarded? What does that step buy you?
>>
>> For that matter, how in would an IMAP MUA handle BCC?
>> {^_-}

Hi, since a certain amount of spam I get is just bcc'd, making bcc harder could reduce spam :) or make spammers rethink their methods :(

Wolfgang Hamann
whitelist poisoned? spam getting through
Hi,

how can it be that the attached spam got through... the SA report says "user in whitelist", thus it gave the spam a really high negative score. How can that be, or rather, how can I stop it?

bye,
MH

--- spam starts here ---
Return-Path: <[EMAIL PROTECTED]>
X-Sieve: cmu-sieve 2.0
Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on celebrimbor.eregion.home
X-Spam-Status: No, score=-44.8 required=5.0 tests=BAYES_99,EXTRA_MPART_TYPE,
	FORGED_MUA_OUTLOOK,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_90_100,
	HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,
	MIME_BOUND_NEXTPART,MIME_HTML_MOSTLY,MSGID_DOLLARS_RANDOM,MSGID_RANDY,
	RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
	RCVD_IN_XBL,UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL,
	URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no version=3.1.3
X-Spam-Level:
Received: from www.eregion.de (unknown [127.0.0.1])
	by www.eregion.de (Postfix on SuSE Linux 8.0 (i386)) with ESMTP id 3F83618B6F
	for <[EMAIL PROTECTED]>; Fri, 4 Aug 2006 03:05:16 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by www.eregion.de (Postfix on SuSE Linux 8.0 (i386)) with ESMTP id DBB5918B6D
	for <[EMAIL PROTECTED]>; Fri, 4 Aug 2006 05:05:15 +0200 (CEST)
Delivered-To: [EMAIL PROTECTED]
Received: from mail.megatokyo.de [88.198.0.105]
	by localhost with POP3 (fetchmail-5.9.0)
	for [EMAIL PROTECTED] (single-drop); Fri, 04 Aug 2006 05:05:15 +0200 (CEST)
Received: (qmail 31246 invoked by uid 89); 4 Aug 2006 02:56:27 -0000
Received: from unknown (HELO dslb-084-057-185-162.pools.arcor-ip.net) (84.57.185.162)
	by 0 with SMTP; 4 Aug 2006 02:56:27 -0000
Received: from filter3.sitebytes.nl (port=20246 helo=31844lwpkxuln)
	by dslb-084-057-185-162.pools.arcor-ip.net with smtp id 3lO-iPq3S-YGM
	for [EMAIL PROTECTED]; Fri, 04 Aug 2006 00:32:23 -0300
Message-ID: <[EMAIL PROTECTED]>
From: "susan lynch" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Say No to pain
Date: Fri, 04 Aug 2006 00:32:23 -0300
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="=_NextPart_000_0076_SKU8Y740.5W2FQM8H"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Virus-Scanned: Fri Aug 4 05:05:18 2006 +0200 (CEST) with ClamAV using ClamSMTP on celebrimbor.eregion.home
X-Length: 30555
X-UID: 46438
Re: postres bayes db and high load
At 09:23 03-08-2006, Dan wrote:
> Over the past few weeks, my company's mail server has been experiencing high loads that result in SA skipping emails. I use a postgres database to manage bayes, awl and userprefs. I am pretty sure that it is the bayes db that is causing the high load and resultant skipping, but I have no idea how to fix the problem. I installed the SA DBI
[snip]
> postgreSQL v8.0.4

Upgrade to Postgresql 8.1.4 if you can. Turn on autovacuum. Use BayesStore::PgSQL.

Regards,
-sm
Re: What changes would you make to stop spam? - United Nations Paper
From: "Kenneth Porter" <[EMAIL PROTECTED]>
> --On Thursday, August 03, 2006 6:43 AM +0100 Graham Murray <[EMAIL PROTECTED]> wrote:
>
>> ADSL is both always on and a 'fixed' (ie your phone line is physically connected to a DSLAM port) so the ISPs must have sufficient IP addresses for all their ADSL customers.
>
> Not necessarily. A lot of providers have gone to PPPoE, where one goes through an authentication process before being assigned an address. I'm guessing this is intended to allow metering of the connection, not to make more addresses available.

It prevents rogue access.
{^_^}
Re: What changes would you make to stop spam? - United Nations Paper
From: "Kenneth Porter" <[EMAIL PROTECTED]>
> --On Wednesday, August 02, 2006 2:47 PM -0700 jdow <[EMAIL PROTECTED]> wrote:
>
>> That slightly more than a year I spent as perhaps one of the VERY first online stalking victims ever (1985-1987) was a hell I'd rather not repeat.
>
> Is this written up somewhere? I'd be interested in understanding the threat.

Brock Meeks (former MSNBC Chief Washington Correspondent) wrote it up in about 1987. If you can contact him he might have a writeup around. All I have, if I can find it, is a printed copy. And given copyright laws I'm not going to type it into a computer and post it.
{^_^}
Re: What changes would you make to stop spam? - United Nations Paper
From: "Kenneth Porter" <[EMAIL PROTECTED]>
> --On Wednesday, August 02, 2006 12:02 PM -0700 MennovB <[EMAIL PROTECTED]> wrote:
>
>> Anyway, IMHO with SYN throttle you would only be rate-limiting the zombies, I would rather they stopped sending spam completely..
>
> What I don't understand is how making them use the ISP server stops them from spamming any more than rate-limiting direct port 25 connections. Why do the packets need to be reassembled in an MTA and stored and forwarded? What does that step buy you?

For that matter, how in would an IMAP MUA handle BCC?
{^_-}
Re: What changes would you make to stop spam? - United Nations Paper
From: "MennovB" <[EMAIL PROTECTED]>

jdow wrote:
> The direct in that case is probably the fault of the underlying cable provider more than Earthlink. Did the spam come through the Earthlink servers or merely from an address that claimed to be Earthlink? By the way, there is no such address as "cable.earthlink.net". The address may have been spoofed.

Of course cable.earthlink.net does not exist, you must be joking ;-) and no

===8<---
[EMAIL PROTECTED] ~]$ ping cable.earthlink.net
ping: unknown host cable.earthlink.net
[EMAIL PROTECTED] ~]$
[EMAIL PROTECTED] ~]$ host cable.earthlink.net
[EMAIL PROTECTED] ~]$ dig cable.earthlink.net any

; <<>> DiG 9.3.1 <<>> cable.earthlink.net any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32859
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;cable.earthlink.net.           IN      ANY

;; ANSWER SECTION:
cable.earthlink.net.    86400   IN      NS      itchy.earthlink.net.
cable.earthlink.net.    86400   IN      NS      scratchy.earthlink.net.
cable.earthlink.net.    86400   IN      SOA     itchy.earthlink.net. hostmaster.earthlink.net. 2005031800 86400 3600 2592000 86400

;; AUTHORITY SECTION:
cable.earthlink.net.    86400   IN      NS      scratchy.earthlink.net.
cable.earthlink.net.    86400   IN      NS      itchy.earthlink.net.

;; ADDITIONAL SECTION:
itchy.earthlink.net.    1484    IN      A       207.69.188.196
scratchy.earthlink.net. 1484    IN      A       207.69.188.197

;; Query time: 34 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 3 19:59:24 2006
;; MSG SIZE  rcvd: 187

[EMAIL PROTECTED] ~]$ whois 24.41.24.117
[Querying whois.arin.net]
[whois.arin.net]
EarthLink Network, Inc. EARTHLINK-CABLE (NET-24-41-0-0-1)
                                  24.41.0.0 - 24.41.95.255
Charter Cable/Monterey Park LAN CBLMPLAN-USER0134 (NET-24-41-24-112-1)
                                  24.41.24.112 - 24.41.24.119
===8<---

No, I am not kidding or joking. It apparently does not exist. (Although the response to "host" is intriguing.) The dig any report shows it "exists" but has no address of its own. Go figure.

If it has no address how can it be sent from cable.earthlink.net. I guess only its subdomains exist.

It is also Charter Cable in Monterey Park. So it is probably a Charter Cable problem. (That must be a very small corporate block for them or something like that.) Cable providers seem to be remarkably lax on security. That probably does not have port 25 blocked. Did the email submission go through smtpauth.earthlink.net or some other route? If it didn't go through smtpauth.earthlink.net it is not Earthlink originated spam.

It is not spoofed. I mentioned 'cable' so that you could see it is not sent through the server but directly, meaning port 25 to the Internet seems still wide open for that host. Here's the complete address:

user-0c2i63l.cable.earthlink.net [24.41.24.117]

Spamassassin got that one fine with URIBL_JP_SURBL and GAPPY_SUBJECT! But I rather didn't get it at all.. I know I want too much (or too little in this case).

It looks like Earthlink needs to protect its name from Charter Cable's predations.
{^_^}
RE: ImageInfo plugin for SA
> -----Original Message-----
> From: John Andersen [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 03, 2006 8:42 PM
> To: users@spamassassin.apache.org
> Subject: Re: ImageInfo plugin for SA
>
> On Thursday 03 August 2006 16:50, Theo Van Dinter wrote:
> > On Fri, Aug 04, 2006 at 02:38:48AM +0200, Raymond Dijkxhoorn wrote:
> > > Could you post the altered one also somewhere ?
> >
> > Yeah, the files are in my sandbox:
> > http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/felicity/
>
> So what happens next week when they switch to jpegs?

I have several recent spam samples where they have used jpegs. But after I got gif and png complete and it was hitting so well, I had to share. Theo's modifications make it easy to add jpeg support. I can add to that tomorrow.

Cya,
Dallas
RE: ImageInfo plugin for SA
> -----Original Message-----
> From: Theo Van Dinter [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 03, 2006 8:35 PM
> To: users@spamassassin.apache.org
> Subject: Re: ImageInfo plugin for SA
>
> On Thu, Aug 03, 2006 at 07:05:52PM -0500, Dallas L. Engelken wrote:
> > > I made some major edits (1/3 smaller and also faster :) ), but the
> > > core algorithm is the same. Overall, very good from my results:
> >
> > Awesome... Thanks for that! But no *_MULTI_LARGO hits??? I have tons
> > of these samples (today even)
>
> I was just comparing the original results to the new results, and neither have the multi hits:
>
> old:
> 7.127   8.3265   0.0000   1.000   0.87   3.00   T_DC_GIF_UNO_LARGO
> 3.646   4.2602   0.0000   1.000   0.74   3.00   T_DC_IMAGE_SPAM
> 0.576   0.6732   0.0000   1.000   0.23   3.00   T_DC_PNG_UNO_LARGO
> 0.000   0.0000   0.0000   0.500   0.16   4.00   T_DC_GIF_MULTI_LARGO
> 0.000   0.0000   0.0000   0.500   0.16   4.00   T_DC_PNG_MULTI_LARGO
>
> new:
> 7.162   8.3673   0.0000   1.000   0.93   3.00   T_DC_GIF_UNO_LARGO
> 3.681   4.3010   0.0000   1.000   0.79   3.00   T_DC_IMAGE_SPAM
> 0.576   0.6732   0.0000   1.000   0.24   3.00   T_DC_PNG_UNO_LARGO
> 0.000   0.0000   0.0000   0.500   0.17   4.00   T_DC_PNG_MULTI_LARGO
> 0.000   0.0000   0.0000   0.500   0.17   4.00   T_DC_GIF_MULTI_LARGO
>
> Aha... I think I see the problem, your cf file had a typo that I didn't
> catch (missing leading __ ...) :( the new new results:

Damn it. I see the problem on GIF_ATTACH_4P now..

> 7.162   8.3673   0.0000   1.000   0.95   3.00   T_DC_GIF_UNO_LARGO
> 4.016   4.6920   0.0000   1.000   0.84   3.00   T_DC_IMAGE_SPAM
> 0.666   0.7786   0.0000   1.000   0.36   4.00   T_DC_GIF_MULTI_LARGO
> 0.576   0.6732   0.0000   1.000   0.31   3.00   T_DC_PNG_UNO_LARGO
> 0.000   0.0000   0.0000   0.500   0.25   4.00   T_DC_PNG_MULTI_LARGO

That looks better. I guess I can't find any sliced png samples here either. Oh well, little overhead to keep it just in case, since the work's done once.

Dallas
Re: Required Score parameter
From: "Patrick Sherrill" <[EMAIL PROTECTED]>
> Sorry to bother the list, but I can't seem to find where spamassassin (v3.1.0) is getting the required_score from. The headers show a required score of 5.5 and the required_score (required_hits) in local.cf is 4.8. I also checked the user_prefs in .spamassassin which is set to 5. Can someone tell me what I'm missing?
>
> TIA
> Pat...

grep required_score /etc/mail/spamassassin/*.cf

Also make sure the user_prefs you looked at is really the user_prefs spamc/spamd is using.
{^_^}
Re: Allowing IMAP/POP to Send Email
From: "Marc Perkel" <[EMAIL PROTECTED]>

Logan Shaw wrote:

On Thu, 3 Aug 2006, Marc Perkel wrote:

Not really - what I'm proposing is that the IMAP connection just pipe the message into an SMTP server. The IMAP is acting only as an authenticated connection back to SMTP. I'm not suggesting replacing SMTP. What I'm suggesting is that POP/IMAP can be used as a transport to get the mail there because it's an existing connection, is already established, is already authenticated with the credentials of the email account, and it isn't a port that people would block like port 25 is. I'm not trying to replace SMTP. I'm just trying to suggest a better way for end users to get outgoing email to the SMTP server.

Yes. You've already said that. What you're trying to do is create an internet where SMTP traffic only occurs between legitimate servers. You then claim that if such an internet existed, there would be a huge impact against spam. I have to concur that if that were true, spam would be greatly reduced.

Here's the problem though. We've got a logical syllogism here: "If X, then Y." The "X" is "only legitimate servers speak SMTP", and the "Y" is "spam will be greatly reduced". I agree that the "if X, then Y" part of this argument is sound. The problem is, for Y to logically follow, you have to establish X. A syllogism works like this:

1. If X, then Y.
2. X is known to be true.
3. Therefore, Y is true.

Part 1 is called the major premise. Part 2 is called the minor premise. Part 3 is the conclusion. Your argument is missing the minor premise. You have to establish the minor premise or your argument will have no validity.

So then, do you wish to give up on your argument, or do you wish to explain how you're going to accomplish this feat of making sure that only legitimate servers try to contact other servers via SMTP?

- Logan

Spam is never eliminated - just reduced. Most spam comes from virus infected zombies that talk SMTP. If end users were by default set up so that they can only send email by IMAP then you can block off SMTP ports for end users isolating them from the SMTP world. That would take a huge bite out of the spam problem.

But then your network's SMTP server cannot talk to any other SMTP server. You have to use a properly sanctioned one. THINK man. THINK.
{^_^}
Re: Allowing IMAP/POP to Send Email
From: "Marc Perkel" <[EMAIL PROTECTED]>

Chris Lear wrote:

What if I set up an SMTP server at home behind my ADSL router, collect my vanity-domain mail there, and access it via IMAP or POP3? It seems I only have one option, which is to send my mail via IMAP to my home server. Which then sends via SMTP to... the Internet (or via a smarthost). And the home server sending via SMTP is going to look a bit like a MUA sending via SMTP. How would you tell the difference? Is a home mail server outlawed in the brave new world? Or does my SMTP server have to learn to talk IMAP to make message submissions to the ISP's server?

Chris

Then it would be a server and talk SMTP. Servers still talk SMTP. I have a home SMTP server myself.

Yoohoo, Marc! What is the difference between a home SMTP server YOU run and one that is included in malware that has turned your machine into a Zombie? If your specific network arrangement is to be supported then you are allowing port 25 connections between your server and others. Thus you have done absolutely nothing to reduce spam. You've only cost people money changing their entire mail setups end to end.
{^_^}
Spamd using 100% CPU, even after reboot
I have a dual P3 server I am hoping to run as our main spam filtering machine. I am satisfied the spam is being caught, I am just worried whether it can deal with the load as the machine idles with one CPU fully utilised.

Here are some system details:

antispam02# uname -a
FreeBSD antispam02.ebit.com.au 6.1-RELEASE-p3 FreeBSD 6.1-RELEASE-p3 #0: Fri Aug 4 10:23:56 EST 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ANTISPAM02 i386

antispam02# /usr/local/bin/spamd --version
SpamAssassin Server version 3.1.3
  running on Perl 5.8.8
  with SSL support (IO::Socket::SSL 0.97)

antispam02# pkg_info | grep spam
p5-Mail-SpamAssassin-3.1.3 A highly efficient mail filter for identifying spam
pyzor-0.4.0_4       A collaborative, networked system to detect and block spam
razor-agents-2.82   A distributed, collaborative, spam detection and filtering
spamass-milter-0.3.1 Sendmail Milter (mail filter) plugin for SpamAssassin
spamass-rules-20060203 Custom rulesets for SpamAssassin

antispam02# ps auuwx | grep spam
nobody   624 99.0 12.0 66044 62004  ??  R    11:01AM  56:58.12 spamd child (perl5.8.8)
root     625  4.9 11.5 62668 59276  ??  S    11:01AM   2:14.46 spamd child (perl5.8.8)
root     496  0.0  0.4  4856  2256  ??  Ss   11:00AM   0:03.40 /usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock
root     506  0.0  9.7 53272 50252  ??  Ss   11:00AM   0:08.53 /usr/local/bin/spamd -c -d -r /var/run/spamd/spamd.pid (perl5.8.8)
root    1529  0.0  0.3  2912  1536  ??  I    12:07PM   0:00.02 /usr/local/bin/spamc
root    1541  0.0  9.7 53272 50252  ??  S    12:08PM   0:00.01 spamd child (perl5.8.8)

There is a recurring error in maillog:

Aug 4 12:03:25 antispam02 spamd[625]: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody at /usr/local/bin/spamd line 1145, line 4.

Is that related? Any ideas or suggestions?

Chris Martin
RE: ImageInfo plugin for SA
Depends. Do a 'locate SPF.pm' and see where yours is. Mine is at: /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/SPF.pm
Re: ImageInfo plugin for SA
On Thu, Aug 03, 2006 at 05:42:17PM -0800, John Andersen wrote:
> So what happens next week when they switch to jpegs?

Sounds like a new function and set of rules. :)

> Btw: Very minor typo in:
> describe DC_PNG_UNO_LARGO Message contains a single large inline gif
>
> You mean png for this one.

fixed. :)

-- 
Randomly Generated Tagline:
"A Young Eel is called this." - Jeopardy Question
"What is a baby eel Alex." - Theo's Response
Re: ImageInfo plugin for SA
Put the .pm file that is attached in your M::SA::Plugins dir. Add to your init.pre (or v310.pre) the following line. Where is the usual Plugins dir? regards
Re: ImageInfo plugin for SA
On Thursday 03 August 2006 16:50, Theo Van Dinter wrote:
> On Fri, Aug 04, 2006 at 02:38:48AM +0200, Raymond Dijkxhoorn wrote:
> > Could you post the altered one also somewhere ?
>
> Yeah, the files are in my sandbox:
> http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/felicity/

So what happens next week when they switch to jpegs?

Btw: Very minor typo in:

meta DC_PNG_UNO_LARGO __PNG_ATTACH_1 && __PNG_AREA_180K
describe DC_PNG_UNO_LARGO Message contains a single large inline gif

You mean png for this one.

-- 
_ John Andersen
Re: ImageInfo plugin for SA
On Thu, Aug 03, 2006 at 09:35:05PM -0400, Theo Van Dinter wrote:
> Hrm. Not sure how T_DC_IMAGE_SPAM got a bump there -- it's the same set of
> input mail.

It occurred to me as I was sending that DC_IMAGE_SPAM is a meta with the new rule that's hitting.

-- 
Randomly Generated Tagline:
I'd love to, but I'm going to count the bristles in my toothbrush.
Re: ImageInfo plugin for SA
On Thu, Aug 03, 2006 at 07:05:52PM -0500, Dallas L. Engelken wrote:
> > I made some major edits (1/3 smaller and also faster :) ),
> > but the core algorithm is the same. Overall, very good from
> > my results:
>
> Awesome... Thanks for that! But no *_MULTI_LARGO hits??? I have tons
> of these samples (today even)

I was just comparing the original results to the new results, and neither have the multi hits:

old:
7.127   8.3265   0.0000   1.000   0.87   3.00   T_DC_GIF_UNO_LARGO
3.646   4.2602   0.0000   1.000   0.74   3.00   T_DC_IMAGE_SPAM
0.576   0.6732   0.0000   1.000   0.23   3.00   T_DC_PNG_UNO_LARGO
0.000   0.0000   0.0000   0.500   0.16   4.00   T_DC_GIF_MULTI_LARGO
0.000   0.0000   0.0000   0.500   0.16   4.00   T_DC_PNG_MULTI_LARGO

new:
7.162   8.3673   0.0000   1.000   0.93   3.00   T_DC_GIF_UNO_LARGO
3.681   4.3010   0.0000   1.000   0.79   3.00   T_DC_IMAGE_SPAM
0.576   0.6732   0.0000   1.000   0.24   3.00   T_DC_PNG_UNO_LARGO
0.000   0.0000   0.0000   0.500   0.17   4.00   T_DC_PNG_MULTI_LARGO
0.000   0.0000   0.0000   0.500   0.17   4.00   T_DC_GIF_MULTI_LARGO

Aha... I think I see the problem, your cf file had a typo that I didn't catch (missing leading __ ...) :( the new new results:

7.162   8.3673   0.0000   1.000   0.95   3.00   T_DC_GIF_UNO_LARGO
4.016   4.6920   0.0000   1.000   0.84   3.00   T_DC_IMAGE_SPAM
0.666   0.7786   0.0000   1.000   0.36   4.00   T_DC_GIF_MULTI_LARGO
0.576   0.6732   0.0000   1.000   0.31   3.00   T_DC_PNG_UNO_LARGO
0.000   0.0000   0.0000   0.500   0.25   4.00   T_DC_PNG_MULTI_LARGO

Hrm. Not sure how T_DC_IMAGE_SPAM got a bump there -- it's the same set of input mail.

-- 
Randomly Generated Tagline:
"It is easier to confess a defect then to claim a quality." - Max Beerbohm
Re: ImageInfo plugin for SA
Hi!

> > Could you post the altered one also somewhere ?
>
> Yeah, the files are in my sandbox:
> http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/felicity/

Ok, perfect. Running nice. On one box I have it together with the ocr one. So far the 'cheaper' rule is seeing about the same as the ocr.

Bye,
Raymond.
Re: ImageInfo plugin for SA
On Fri, Aug 04, 2006 at 02:38:48AM +0200, Raymond Dijkxhoorn wrote:
> Could you post the altered one also somewhere ?

Yeah, the files are in my sandbox:
http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/felicity/

-- 
Randomly Generated Tagline:
"Running Linux 1.2 Because a 486 is a terrible thing to waste." - Unknown
Re: ImageInfo plugin for SA
Theo,

> On Thu, Aug 03, 2006 at 03:14:06PM -0500, Dallas L. Engelken wrote:
> > All those scores in the cf are just "WAGs", since none have been masschecked. Theo, could you sandbox this?
>
> I made some major edits (1/3 smaller and also faster :) ), but the core algorithm is the same. Overall, very good from my results:
>
> MSECS   SPAM%     HAM%     S/O    RANK   SCORE  NAME
>     0   29412     4952     0.856  0.00   0.00   (all messages)
>   0.0   85.5896  14.4104   0.856  0.00   0.00   (all messages as %)
> 7.162   8.3673   0.0000   1.000   0.93   3.00   DC_GIF_UNO_LARGO
> 3.681   4.3010   0.0000   1.000   0.79   3.00   DC_IMAGE_SPAM
> 0.576   0.6732   0.0000   1.000   0.24   3.00   DC_PNG_UNO_LARGO
> 0.000   0.0000   0.0000   0.500   0.17   4.00   DC_PNG_MULTI_LARGO
> 0.000   0.0000   0.0000   0.500   0.17   4.00   DC_GIF_MULTI_LARGO

Could you post the altered one also somewhere ?

Thanks,
Raymond.
Re: ImageInfo plugin for SA
Very nice. Over 100 hits on one box in less than half an hour! -- Mr Michele Neylon Blacknight Solutions Quality Business Hosting & Colocation http://www.blacknight.ie/ Tel. 1850 927 280 Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Fax. +353 (0) 59 9164239
Re: postres bayes db and high load
Dan,

> Over the past few weeks, my company's mail server has been experiencing
> high loads that result in SA skipping emails. I use a postgres database to
> manage bayes, awl and userprefs. I am pretty sure that it is the bayes db
> that is causing the high load ...

Are you using a general-purpose SQL module:

  bayes_store_module Mail::SpamAssassin::BayesStore::SQL

or a dedicated and optimized:

  bayes_store_module Mail::SpamAssassin::BayesStore::PgSQL

? See file sql/README.bayes in the SA distribution.

Mark
RE: ImageInfo plugin for SA
> -----Original Message-----
> From: Theo Van Dinter [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 03, 2006 6:52 PM
> To: users@spamassassin.apache.org
> Subject: Re: ImageInfo plugin for SA
>
> On Thu, Aug 03, 2006 at 03:14:06PM -0500, Dallas L. Engelken wrote:
> > All those scores in the cf are just "WAGs", since none have been
> > masschecked. Theo, could you sandbox this?
>
> I made some major edits (1/3 smaller and also faster :) ),
> but the core algorithm is the same. Overall, very good from
> my results:
>
> MSECS   SPAM%     HAM%     S/O    RANK   SCORE  NAME
>     0   29412     4952     0.856  0.00   0.00   (all messages)
>   0.0   85.5896  14.4104   0.856  0.00   0.00   (all messages as %)
> 7.162   8.3673   0.0000   1.000   0.93   3.00   DC_GIF_UNO_LARGO
> 3.681   4.3010   0.0000   1.000   0.79   3.00   DC_IMAGE_SPAM
> 0.576   0.6732   0.0000   1.000   0.24   3.00   DC_PNG_UNO_LARGO
> 0.000   0.0000   0.0000   0.500   0.17   4.00   DC_PNG_MULTI_LARGO
> 0.000   0.0000   0.0000   0.500   0.17   4.00   DC_GIF_MULTI_LARGO

Awesome... Thanks for that! But no *_MULTI_LARGO hits??? I have tons of these samples (today even)

# grep -c MULTI_LARGO spamd.log
83

They all look similar to this...

2006-08-03 03:46:16.847129500 [20349] dbg: imageinfo: 8 gif attachments found
2006-08-03 03:46:16.852860500 [20349] dbg: imageinfo: check images of type gif
2006-08-03 03:46:16.852938500 [20349] dbg: imageinfo: image catholic.gif is 40 x 512 pixels (20480 pixels sq.)
2006-08-03 03:46:16.853007500 [20349] dbg: imageinfo: image flesh.gif is 254 x 4 pixels (1016 pixels sq.)
2006-08-03 03:46:16.853072500 [20349] dbg: imageinfo: image wetback.gif is 254 x 113 pixels (28702 pixels sq.)
2006-08-03 03:46:16.853138500 [20349] dbg: imageinfo: image humorous.gif is 94 x 626 pixels (58844 pixels sq.)
2006-08-03 03:46:16.853203500 [20349] dbg: imageinfo: image willingly.gif is 40 x 28 pixels (1120 pixels sq.)
2006-08-03 03:46:16.853268500 [20349] dbg: imageinfo: image mostly.gif is 40 x 81 pixels (3240 pixels sq.)
2006-08-03 03:46:16.853336500 [20349] dbg: imageinfo: image hailstone.gif is 254 x 509 pixels (129286 pixels sq.)
2006-08-03 03:46:16.853402500 [20349] dbg: imageinfo: image rat race.gif is 40 x 5 pixels (200 pixels sq.)
2006-08-03 03:46:16.896336500 [20349] info: spamd: identified spam (22.7/5.0) for $global:200 in 2.6 seconds, 50713 bytes.
2006-08-03 03:46:16.896520500 [20349] info: spamd: result: Y 22 - BAYES_50,CM_SLICED_STOCK,EXTRA_MPART_TYPE,GIF_AREA_200K,GIF_ATTACH_5P,GIF_MULTI_LARGO,HELO_DYNAMIC_IPADDR2,HELO_DYNAMIC_SPLIT_IP,HTML_40_50,HTML_IMAGE_ONLY_28,HTML_MESSAGE,RCVD_BY_IP,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH,SARE_GIF_STOX,URI_HTML_ONLY scantime=2.6,size=50713,user=$global,uid=200,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=34848,mid=<001d01c34465$4cce9bb8$a38ebedc@dxnd>,bayes=0.546644226347824,autolearn=unavailable,urihits=none

Are you sure the logic is working properly there?

D
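The debug lines above and the meta rules quoted earlier in the thread (`meta DC_PNG_UNO_LARGO __PNG_ATTACH_1 && __PNG_AREA_180K`, and the `GIF_ATTACH_4P` / `GIF_AREA_200K` / `GIF_MULTI_LARGO` hits) show the two halves of the heuristic: read each image's dimensions, then combine per-type counts and areas. The code below is an added example and not the ImageInfo plugin's code; it reads width and height directly from GIF and PNG headers, recovers the same triples from imageinfo debug lines (a constructed copy of the eight lines above), and evaluates conjunction-only metas. The thresholds (180000 for a single image, 200000 for the sum, four attachments for "4P") and the exact meaning of each sub-rule are this example's assumptions, named after the rules in the thread. It also reproduces the failure mode Theo found: a meta that refers to a name without its leading `__` never matches.

```python
"""Image-size heuristic in the spirit of the ImageInfo rules in this thread:
read width/height straight from GIF and PNG headers, then combine counts and
areas the way the __GIF_ATTACH_n / __GIF_AREA_nK / *_LARGO rules do.
Added example, not the plugin's code; thresholds and rule semantics are
this example's own assumptions, named after the sub-rules quoted above."""
import re
import struct

AREA_SINGLE = 180_000   # assumed: __*_AREA_180K, one image at least this big
AREA_TOTAL = 200_000    # assumed: __*_AREA_200K, all images of the type together
MULTI_MIN = 4           # assumed: __*_ATTACH_4P, four or more attachments


def image_size(data):
    """Return (kind, width, height) from a GIF or PNG header, else None."""
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        w, h = struct.unpack("<HH", data[6:10])       # logical screen, little-endian
        return ("gif", w, h)
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR" and len(data) >= 24:
        w, h = struct.unpack(">II", data[16:24])      # IHDR, big-endian
        return ("png", w, h)
    return None


# Constructed minimal headers (no pixel data): a 640x480 GIF, a 300x600 PNG.
SAMPLE_GIF = b"GIF89a" + struct.pack("<HH", 640, 480) + b"\x00\x00\x00"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
              + struct.pack(">II", 300, 600))

# Constructed debug lines modelled on the spamd output quoted in the thread.
DEBUG_LOG = """\
dbg: imageinfo: 8 gif attachments found
dbg: imageinfo: image catholic.gif is 40 x 512 pixels (20480 pixels sq.)
dbg: imageinfo: image flesh.gif is 254 x 4 pixels (1016 pixels sq.)
dbg: imageinfo: image wetback.gif is 254 x 113 pixels (28702 pixels sq.)
dbg: imageinfo: image humorous.gif is 94 x 626 pixels (58844 pixels sq.)
dbg: imageinfo: image willingly.gif is 40 x 28 pixels (1120 pixels sq.)
dbg: imageinfo: image mostly.gif is 40 x 81 pixels (3240 pixels sq.)
dbg: imageinfo: image hailstone.gif is 254 x 509 pixels (129286 pixels sq.)
dbg: imageinfo: image rat race.gif is 40 x 5 pixels (200 pixels sq.)
"""
# Lazy name match so file names containing spaces ("rat race.gif") still parse.
LOG_RE = re.compile(r"image (.+?)\.(gif|png) is (\d+) x (\d+) pixels")


def sizes_from_log(text):
    """Recover (kind, width, height) triples from imageinfo debug lines."""
    return [(m.group(2), int(m.group(3)), int(m.group(4)))
            for m in LOG_RE.finditer(text)]


def meta(hits, expr):
    """Evaluate a conjunction-only meta expression such as
    '__GIF_ATTACH_4P && __GIF_AREA_200K'. A name absent from hits (for
    instance with the leading __ dropped, the typo found in the thread)
    never matches, so the meta silently stays at zero."""
    names = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", expr)
    return all(hits.get(n, False) for n in names)


def evaluate(images):
    """Sub-rule and *_LARGO hits for a list of (kind, width, height)."""
    hits = {}
    for kind in ("gif", "png"):
        areas = [w * h for k, w, h in images if k == kind]
        up = kind.upper()
        hits[f"__{up}_ATTACH_1"] = len(areas) == 1
        hits[f"__{up}_ATTACH_4P"] = len(areas) >= MULTI_MIN
        hits[f"__{up}_AREA_180K"] = bool(areas) and max(areas) >= AREA_SINGLE
        hits[f"__{up}_AREA_200K"] = sum(areas) >= AREA_TOTAL
        hits[f"DC_{up}_UNO_LARGO"] = meta(hits, f"__{up}_ATTACH_1 && __{up}_AREA_180K")
        hits[f"DC_{up}_MULTI_LARGO"] = meta(hits, f"__{up}_ATTACH_4P && __{up}_AREA_200K")
    return hits


if __name__ == "__main__":
    print(evaluate([image_size(SAMPLE_GIF), image_size(SAMPLE_PNG)]))
    print(evaluate(sizes_from_log(DEBUG_LOG)))
```

On the eight-GIF sample the areas sum to 242888 pixels, so `__GIF_AREA_200K` and `__GIF_ATTACH_4P` both hold and `DC_GIF_MULTI_LARGO` fires, while the largest single image (129286) stays under the single-image threshold, so `DC_GIF_UNO_LARGO` does not; that matches the rule names in the spamd result line above. Calling `meta` with `GIF_ATTACH_4P` instead of `__GIF_ATTACH_4P` returns False on the same hits, which is exactly why the masscheck tables showed zero for the MULTI rules until the missing underscores were restored.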
Re: PureMessage-like spam gauge?
On Thu, Aug 03, 2006 at 02:34:17PM -0500, Chris St. Pierre wrote: > --- Mail/SpamAssassin/PerMsgStatus.pm.bak 2006-08-03 13:52:55.0 > -0500 > +++ Mail/SpamAssassin/PerMsgStatus.pm 2006-08-03 14:24:02.0 -0500 [...] > + GAUGE => sub { > + my $arg = (shift || "*"); [...] Just so folks know, it's generally a better idea to write a plugin to do this so that you don't have to keep patching new installs of SpamAssassin. :) -- Randomly Generated Tagline: "the curls in your keyboard cord are losing electricity." - Today's BOFH Excuse pgpvlyiq9Rzjj.pgp Description: PGP signature
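Review bot: in the quoted hunk, `my $arg = (shift || "*");` treats any false argument the same as a missing one, so a GAUGE tag called with "0" or an empty string silently gets "*" instead; test with `defined` if those should be valid arguments. The patch also targets Mail/SpamAssassin/PerMsgStatus.pm in the installed tree rather than a separate plugin, so the next SpamAssassin install overwrites it, and the elided `[...]` portions leave the rest of the handler unreviewable here.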
Re: ImageInfo plugin for SA
On Thu, Aug 03, 2006 at 03:14:06PM -0500, Dallas L. Engelken wrote:
> All those scores in the cf are just "WAGs", since none have been
> masschecked. Theo, could you sandbox this?

I made some major edits (1/3 smaller and also faster :) ), but the core algorithm is the same. Overall, very good from my results:

MSECS   SPAM%     HAM%     S/O    RANK   SCORE  NAME
    0   29412     4952     0.856  0.00   0.00   (all messages)
  0.0   85.5896  14.4104   0.856  0.00   0.00   (all messages as %)
7.162   8.3673   0.0000   1.000   0.93   3.00   DC_GIF_UNO_LARGO
3.681   4.3010   0.0000   1.000   0.79   3.00   DC_IMAGE_SPAM
0.576   0.6732   0.0000   1.000   0.24   3.00   DC_PNG_UNO_LARGO
0.000   0.0000   0.0000   0.500   0.17   4.00   DC_PNG_MULTI_LARGO
0.000   0.0000   0.0000   0.500   0.17   4.00   DC_GIF_MULTI_LARGO

-- 
Randomly Generated Tagline:
"Today I set a motherboard on fire. Now the bizarre thing is that after the smoke cleared it still worked." - Alan Cox
Re: postres bayes db and high load
Thanks for the advice! I guess the consensus is to buy more RAM and/or switch to mysql.

-Dan
Re: ImageInfo plugin for SA
Just a comment to Dallas that his (? making a guess there) ImageInfo module seems to be doing a good job for me. I had a small sample of image-spam that currently gets past SA. Almost all of it scored +4/+5 points with his module activated. I also had a few recent inline-images "real" emails - didn't trigger any of these rules. So far I'm impressed :-) Jason -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
RE: postres bayes db and high load
-----Original Message-----
From: Dan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2006 12:24 PM
To: users@spamassassin.apache.org
Subject: postres bayes db and high load

> Over the past few weeks, my company's mail server has been experiencing high loads that result in SA skipping emails. I use a postgres database to manage bayes, awl and userprefs. I am pretty sure that it is the bayes db that is causing the high load and resultant skipping, but I have no idea how to fix the problem. I installed the SA DBI plugin in hopes this would decrease the load, but it hasn't. I have also tried increasing spamd's max-children parameter from 8 up to 27. It appears that if all of the spamd's children become busy SA skips the message all together. Or spamd stops working on a message when bayes times out. If the latter is the case, is there a way to tell spamd to continue processing the message without bayes? I have included some details below. Any suggestions would be very helpful.

I have systems running 800K email/day, no problem, I use mysql, it seemed to scale a lot better with one of our other products (which has postgres issues when busy). If using mysql, use the correct .cfg file (mysql-large.cfg, )

> The mail server's stats:
> ~3500 email/day
> 2GHz Intel Celeron
> 768M ram
> SA v3.1.0
> postgreSQL v8.0.4
> database size: 333M
> bayes_seen: 378275 rows
> bayes_token: 172484 rows
>
> a snippet of maillog when the disruption began:
>
> Aug 2 14:47:59 mail spamd[32613]: prefork: child states: BBB
> Aug 2 14:47:59 mail spamd[32613]: prefork: server reached --max-clients setting, consider raising it
> Aug 2 14:47:59 mail spamd[3577]: spamd: connection from localhost.localdomain [127.0.0.1] at port 49872
> Aug 2 14:47:59 mail spamd[3577]: spamd: processing message <[EMAIL PROTECTED]om> for steve:0
> Aug 2 14:48:16 mail spamd[3675]: bayes: child processing timeout at /usr/bin/spamd line 1088.
> Aug 2 14:48:19 mail spamd[3675]: spamd: identified spam (25.9/5.0) for bug:0 in 5525.1 seconds, 2163 bytes.
> Aug 2 14:48:19 mail spamd[3675]: spamd: result: Y 25 - BAYES_99,MY_ALL_CAPS,MY_CASINO,MY_OFFER,MY_URI_2CHAR,MY_URI_ALPHNM,MY_URI_CHARNUM,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=5525.1,size=2163,user=bug,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=48946,mid=<[EMAIL PROTECTED]>,bayes=1,autolearn=failed
> Aug 2 14:48:35 mail spamd[3675]: __alarm__
> Aug 2 14:48:35 mail spamd[3675]: __alarm__
> Aug 2 14:48:36 mail spamd[32613]: prefork: child states: BBB
> Aug 2 14:48:36 mail spamd[32613]: prefork: server reached --max-clients setting, consider raising it
> Aug 2 14:48:36 mail spamd[3675]: spamd: connection from localhost.localdomain [127.0.0.1] at port 49881
> Aug 2 14:48:40 mail spamd[3675]: spamd: processing message <[EMAIL PROTECTED]> for harriet:0
> Aug 2 14:50:06 mail spamd[3835]: bayes: child processing timeout at /usr/bin/spamd line 1088, line 59.
Re: spamass milter + clamav milter + milter greylist != working
Thanks, I think I got it. I noticed you didn't have the clamav line

define(`confINPUT_MAIL_FILTERS', `clmilter')

so I took it out and clamav-milter seems to be working fine without it.

re: headers - milter-greylist writes a new header line "Sender IP whitelisted, not delayed by milter-greylist-1.6..." or whatever.

What do you use for the delay or wait time and auto whitelist time?

thx
chris

On 8/3/06, Ron Snyder <[EMAIL PROTECTED]> wrote:
> > SA and clam work but greylist does nothing. no errors, no added
> > headers just nothing.
>
> Why would you expect headers from greylist? Here's the evidence that shows up that the greylisting did its thing:
>
> Aug 3 00:37:56 mailgate sendmail[29267]: k730bkG7029267: Milter: to=<[EMAIL PROTECTED]>, reject=451 4.7.1 Please try again later (TEMPFAIL)
>
> Here are the relevant lines from my .mc
>
> INPUT_MAIL_FILTER(`relaydelay', `S=local:/var/run/relaydelay.sock, F=,T=S:1m;R:2m;E:3m')
> INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav/clmilter.socket, F=,T=S:4m;R:4m')
> INPUT_MAIL_FILTER(`spamassassin', `S=unix:/var/run/spamass.sock, F=T,T=C:15m;S:4m;R:4m;E:10m')
>
> You might need to check your maillog file to really get to the bottom of why it doesn't seem to be working.
Re: postgres bayes db and high load
Dan-

Make sure you are vacuuming your database. I have seen similar postgresql slowdowns with a large database that has not been vacuumed. For a permanent solution I would suggest migrating to mysql instead. I love postgresql, but it has a lot of overhead designed to make it a transactional database, which the bayes database, awl, etc. does not really need. I am running my bayes database now out of mysql for 15K-30K messages a day with a bayes_token table of 50 million rows. Runs like a charm.

-Davin
spamass milter + clamav milter + milter greylist != working
Has anyone gotten the 3 aforementioned milters working together? SA and clam work but greylist does nothing. No errors, no added headers, just nothing. If I take out clamav from the mc then greylisting works and SA works, but not all three together.

Parts of sendmail.mc in question (in order):

greylist:
INPUT_MAIL_FILTER(`greylist', `S=local:/var/lib/milter-greylist/run/milter-greylist.sock')dnl
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl

clam-milter:
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav-milter/clamav.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')

SA:
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass-milter/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl

Sorry if this is too much of a sendmail-centric question - I thought I would check with the server admins here first.

thx
Re: clamav virus db update
On 2006-08-03, Benny Pedersen <[EMAIL PROTECTED]> wrote:
> On Wed, August 2, 2006 22:28, John Thompson wrote:
>
>> Any explanation?
>
> make sure you have same database path in both freshclam.conf and clamd.conf

Bingo. Thanks!

--
-John ([EMAIL PROTECTED])
RE: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'
Patching GIF.pm seems to have fixed the problem. I patched gocr because that was in the instructions that got posted, but patching GIF.pm wasn't so I missed it.

Jeff Moss

-----Original Message-----
From: Davin Flatten [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2006 3:54 PM
To: Jeff Moss
Cc: users@spamassassin.apache.org
Subject: Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

Jeff-

Make sure you apply the patches to both the gocr source and Image::ExifTool. The gocr patch deals specifically with the segfault issues. From the docs:

# - Perl module Image::ExifTool and a patch for GIF pics:
#   http://antispam.imp.ch/patches/patch-GIF-Colortable
#
# - Gocr from http://jocr.sourceforge.net and a patch to
#   avoid segfaults with gocr:
#   http://antispam.imp.ch/patches/patch-gocr-segfault

Hope this helps.

-Davin
Re: RBL with Spamassassin works, but spamc/spamd don't use it
On Thursday 03 August 2006 04:47, decoder wrote:
> Hello,
>
> Recently I installed some rbl rules, using DNS, enabled rbl checks in
> the config etc. It all works fine with spamassassin < message. I see
> several scores from blacklists, so it is working.
>
> The problem is, spamc/spamd don't use these rules, they simply ignore
> rbl for the same kind of spam. I've restarted spamd and verified that it
> isn't set to local tests only.

Sounds like spamd was started with -L

This is a favorite SuSE trick. If running SuSE see /etc/sysconfig/spamd

If running something else, check what starts spamd. Also view your /var/log/messages as spamd starts, because some distros put spamd in strange places and you end up running the old one, not the new one.

--
John Andersen
Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'
Jeff-

You might also want to try copying the message out of a client application like Thunderbird, then copying the image to your server and running giftopnm on it. It might be that uudeview is the problem and not giftopnm. The errors sound like a corrupt gif image. This should not affect the plugin, however. I would suggest turning on debugging output on Spamassassin to see where in the plugin the problem is occurring. Use the facility 'ocrtext' and grep your logs for 'ocrtext'. Should give you some info. If you are running spamd try:

--debug=ocrtext

-D, --debug[=areas]    Print debugging messages (for areas)

Hope this helps.

-Davin
ImageInfo plugin for SA
Greetings,

For those of you that don't want the overhead or hassle of installing all the extras to get OCR running, I give you a simpler (maybe less effective) option.

It basically determines pixel coverage similar to what eval:html_image_ratio() does, but html_image_ratio() actually reads height="" and width="" params from html, and in these stock spams and such, there are no height/width values to go off of. So, eval:pixel_coverage() will actually read the gif and png headers and calculate it from the actual image data.

Put the .pm file that is attached in your M::SA::Plugins dir. Add to your init.pre (or v310.pre) the following line.

loadplugin Mail::SpamAssassin::Plugin::ImageInfo

And throw the imageinfo.cf ruleset in your local config dir (tweak rules/scores as needed). And don't forget to restart spamd if you are running it.

Feel free to tweak the ruleset to meet your needs. It has hit well for me today as is, but YMMV.

# grep -c _LARGO spamd.log
868

No outside tools required... yeah!

Sorry for the lack of documentation, but I just don't have enough time to do it, and I wanted to share this. All those scores in the cf are just "WAGs", since none have been masschecked.

Theo, could you sandbox this?

Cya,
Dallas

Attachments: ImageInfo.pm, imageinfo.cf
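The posting above describes reading the GIF and PNG headers to get real image dimensions instead of trusting HTML width/height attributes. The following is an added example, not the attached ImageInfo.pm, showing how that header parsing works: the GIF Logical Screen Descriptor stores width and height as little-endian 16-bit values right after the "GIF89a" signature, while PNG stores them big-endian in the IHDR chunk. The pixel_coverage() and large_image_hit() functions, the 250,000-pixel threshold and the header-building helpers are all constructed for this illustration and are not the plugin's own API.

```python
import struct
from typing import Iterable, Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def image_dimensions(data: bytes) -> Optional[Tuple[str, int, int]]:
    """Return (format, width, height) from the header of a GIF or PNG, or None
    when the bytes are not a recognisable image or are truncated before the size."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        if len(data) < 10:
            return None
        # Logical Screen Descriptor: width and height, little-endian uint16 each
        width, height = struct.unpack("<HH", data[6:10])
        return ("gif", width, height)
    if data[:8] == PNG_SIGNATURE:
        # First chunk must be IHDR: 4-byte length, 4-byte type, then width/height big-endian uint32
        if len(data) < 24 or data[12:16] != b"IHDR":
            return None
        width, height = struct.unpack(">II", data[16:24])
        return ("png", width, height)
    return None


def pixel_coverage(images: Iterable[bytes]) -> int:
    """Total pixel area (width * height summed) of all recognised images in a message.
    Unrecognised or truncated parts contribute nothing rather than raising."""
    total = 0
    for blob in images:
        dims = image_dimensions(blob)
        if dims is not None:
            total += dims[1] * dims[2]
    return total


def large_image_hit(images: Iterable[bytes], min_pixels: int = 250_000) -> bool:
    """Rule-style boolean: does the message carry at least min_pixels of image area?
    min_pixels is a constructed threshold for this example, not the plugin's."""
    return pixel_coverage(images) >= min_pixels


# Constructed minimal headers for testing; the pixel data that would follow is omitted.
def make_gif_header(width: int, height: int) -> bytes:
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00"


def make_png_header(width: int, height: int) -> bytes:
    ihdr = struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00"
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr


if __name__ == "__main__":
    parts = [make_gif_header(640, 480), make_png_header(800, 600), b"not an image"]
    print(pixel_coverage(parts), large_image_hit(parts))
```

Because only the first few bytes of each part are inspected, this check costs almost nothing per message, which is the trade-off the posting makes against full OCR.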
Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'
Jeff-

Make sure you apply the patches to both the gocr source and Image::ExifTool. The gocr patch deals specifically with the segfault issues. From the docs:

# - Perl module Image::ExifTool and a patch for GIF pics:
#   http://antispam.imp.ch/patches/patch-GIF-Colortable
#
# - Gocr from http://jocr.sourceforge.net and a patch to
#   avoid segfaults with gocr:
#   http://antispam.imp.ch/patches/patch-gocr-segfault

Hope this helps.

-Davin
Re: Allowing IMAP/POP to Send Email & United Nations etc....
Nigel Frankcom wrote:
> I'll put on my flameproof underwear for this
>
> There's been a huge amount of crossfire on these/this subject, but I
> don't see how it has anything to do with SA; or am I missing the
> point?
>
> Different protocols, yet another level of policing, but nothing about
> the fact that SA does a damned fine job of stopping what exists now,
> not what may or may not happen (n) years in the future.
>
> Just my 2 pence worth
>
> Nigel
>

google "marc perkel"

My $.02
Michael
Re: PureMessage-like spam gauge?
Once I realized how easy it was to add new header rewrite functions, I just hacked my own in. If anyone's interested, the diff follows. --- Mail/SpamAssassin/PerMsgStatus.pm.bak 2006-08-03 13:52:55.0 -0500 +++ Mail/SpamAssassin/PerMsgStatus.pm 2006-08-03 14:24:02.0 -0500 @@ -1230,6 +1230,13 @@ AUTOLEARN => sub { return $self->get_autolearn_status(); }, + GAUGE => sub { + my $arg = (shift || "*"); + my $length = int($self->{score} / 10); + $length = 5 if $length > 5; + return $arg x $length; + }, + TESTS => sub { my $arg = (shift || ','); return (join($arg, sort(@{$self->{test_names_hit}})) || "none"); Chris St. Pierre Unix Systems Administrator Nebraska Wesleyan University On Thu, 3 Aug 2006, Chris St. Pierre wrote: >I'm switching to SpamAssassin from PureMessage. One feature I'm used to is >the GAUGE, which is used in rewriting headers much the same way as >_STARS(*)_. PureMessage differs from SpamAssassin in that it uses a >percentage rather than a score for determining if something is spam -- things >are 0% to 100% likely to be spam. > >GAUGE inserted one star for every 10% over the spam threshold. This mean, for >us, that you could never get more than six stars, and our subjects ranged from >[SPAM:*] to [SPAM:**]. Now that I'm using SpamAssassin with a spam >threshold of 5 and trying to do the same thing, my subjects range from >[SPAM:*] to [SPAM:***...***], the latter of which is downright >unreadable. > >Is there either: a) any way to get _STARS(*)_ to be a little less verbose; or >b) use a different tag to get a similar effect? > >I'm aware that I'll most likely be unable to duplicate the behavior I'm >accustomed to, but I'd like to give my users as much consistency as possible. > >Thanks! > >Chris St. Pierre >Unix Systems Administrator >Nebraska Wesleyan University >
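Review bot: `my $length = int($self->{score} / 10);` in the GAUGE closure divides the raw score by 10, whereas the quoted request asks for one star per 10 units over the spam threshold; with the poster's required_score of 5, a message scoring anywhere from 5 to 9.9 gets an empty gauge and the first star only appears at a score of 10. Subtract the threshold before dividing, e.g. `my $length = int(($self->{score} - $self->{conf}->{required_score}) / 10);`, and if every tagged message should show at least one star (the [SPAM:*] lower end described in the quote), clamp with `$length = 1 if $length < 1;` alongside the existing `$length = 5 if $length > 5;`. A negative $length is otherwise harmless, since `$arg x $length` yields an empty string. Minor: `shift || "*"` treats an explicit argument of "0" as absent, matching the idiom already used by TESTS, so it is at least consistent.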
Re: Looking for advice on rule creation & regular expressions
Rob McEwen (PowerView Systems) wrote:
> Create the rule you mentioned, then create another rule for plain old "advil" ... But make this additional rule **subtract** points... either the same or a little less than the amount of points added by the obfuscation-catching rule, depending on whether you want to leave a little bit of score in there for the correctly spelled instances or cancel it out altogether.

That runs the risk that someone will include both the target word and advil in a message.

A better solution is to use negative lookaheads. I'm not familiar with them myself, but I'm pretty sure you can find examples in either the base SA rules or some of the SARE rules.

Lookahead/lookbehind in regular expressions:
http://www.regular-expressions.info/lookaround.html

Incidentally, this is the only legit .info site I can think of. I'm sure there's at least one other out there somewhere...

--
Kelson Vibber
SpeedGate Communications
Re: Looking for advice on rule creation & regular expressions
> I've come up with a rule that'll match every one of those instances, but
> also has the unfortunate consequence of matching plain old "ADVIL":

Create the rule you mentioned, then create another rule for plain old "advil"

Something like:

/\badvil\b/

But make this additional rule **subtract** points... either the same or a little less than the amount of points added by the obfuscation-catching rule, depending on whether you want to leave a little bit of score in there for the correctly spelled instances or cancel it out altogether.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
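The two replies above propose different fixes for a rule that also matches the correctly spelled word: a compensating negative-score rule, or a negative lookahead inside the single rule. The following is an added example (not code from either poster) that demonstrates both in Python's regex dialect, which shares the lookaround syntax with the Perl regexes SpamAssassin uses. The obfuscation pattern, the three-point score and the sample messages are constructed for this illustration, since the original poster's rule and samples are not in the thread; the scoring functions mimic the SpamAssassin property that a rule contributes its score once per message no matter how many times it matches.

```python
import re

# Points the obfuscation rule adds and the plain-word rule subtracts (constructed value).
POINTS = 3.0

# Catches the word with up to two non-alphanumerics between letters and a few look-alike
# substitutions for the "i". Like the poster's rule, it also matches plain ADVIL.
OBFUSCATED_RE = re.compile(
    r"(?<![a-z0-9])a[^a-z0-9]{0,2}d[^a-z0-9]{0,2}v[^a-z0-9]{0,2}[i1!|][^a-z0-9]{0,2}l(?![a-z0-9])",
    re.I,
)

# The compensating rule suggested in the thread: /\badvil\b/
PLAIN_RE = re.compile(r"\badvil\b", re.I)

# Single-rule alternative: the negative lookahead (?!advil(?![a-z0-9])) refuses to start a
# match where the correctly spelled word begins, so only obfuscated spellings can score.
OBFUSCATED_ONLY_RE = re.compile(
    r"(?<![a-z0-9])(?!advil(?![a-z0-9]))"
    r"a[^a-z0-9]{0,2}d[^a-z0-9]{0,2}v[^a-z0-9]{0,2}[i1!|][^a-z0-9]{0,2}l(?![a-z0-9])",
    re.I,
)


def score_two_rules(text: str) -> float:
    """Add points if the obfuscation rule hits, subtract them if the plain word is present.
    Each rule fires at most once, so one plain "advil" cancels the whole bonus even
    when an obfuscated copy is also in the message (the failure mode Kelson describes)."""
    score = 0.0
    if OBFUSCATED_RE.search(text):
        score += POINTS
    if PLAIN_RE.search(text):
        score -= POINTS
    return score


def score_lookahead(text: str) -> float:
    """One rule with a negative lookahead: the plain spelling never matches, so there is
    nothing to cancel and an obfuscated copy scores regardless of what else is present."""
    return POINTS if OBFUSCATED_ONLY_RE.search(text) else 0.0


# Constructed sample messages
PLAIN_MSG = "Take ADVIL for the headache."
OBFUSCATED_MSG = "Cheap A.D.V.1.L shipped overnight"
MIXED_MSG = "Cheap A.D.V.1.L, same as advil, shipped overnight"

if __name__ == "__main__":
    for msg in (PLAIN_MSG, OBFUSCATED_MSG, MIXED_MSG):
        print(f"{msg!r}: two-rule={score_two_rules(msg)} lookahead={score_lookahead(msg)}")
```

On MIXED_MSG the two-rule approach nets zero while the lookahead rule still scores, which is exactly the case the reply warns about. The same lookahead pattern drops into a SpamAssassin body rule unchanged apart from the delimiters and the /i flag.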
PureMessage-like spam gauge?
I'm switching to SpamAssassin from PureMessage. One feature I'm used to is the GAUGE, which is used in rewriting headers much the same way as _STARS(*)_. PureMessage differs from SpamAssassin in that it uses a percentage rather than a score for determining if something is spam -- things are 0% to 100% likely to be spam.

GAUGE inserted one star for every 10% over the spam threshold. This meant, for us, that you could never get more than six stars, and our subjects ranged from [SPAM:*] to [SPAM:**]. Now that I'm using SpamAssassin with a spam threshold of 5 and trying to do the same thing, my subjects range from [SPAM:*] to [SPAM:***...***], the latter of which is downright unreadable.

Is there either: a) any way to get _STARS(*)_ to be a little less verbose; or b) use a different tag to get a similar effect?

I'm aware that I'll most likely be unable to duplicate the behavior I'm accustomed to, but I'd like to give my users as much consistency as possible.

Thanks!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
Re: postgres bayes db and high load
On Thu, 3 Aug 2006, Dan wrote:

> The mail servers stats:
> ~3500 email/day
> 2GHz Intel Celeron
> 768M ram

Throw some more memory at it, if the motherboard supports it.

> Aug 2 14:48:19 mail spamd[3675]: spamd: identified spam ( 25.9/5.0) for
> bug:0 in 5525.1 seconds, 2163 bytes.

OUCH! 5500 seconds? It should *never* take more than a couple of minutes (~120 sec) to score a message. That *really* sounds like you're swap-thrashing. What are your memory stats? (on Linux, "procinfo" or "cat /proc/meminfo" and look for "swap total" vs. "swap free")

--
John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
A weapons registration phase ... 4) allows for a degree of control to be exercised during the collection phase; 5) assists in the planning of the collection phase; ... -- the UN, who "doesn't want to confiscate guns"
---
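The maillog excerpt Dan posted and John's rule of thumb (a scan should never take more than about 120 seconds) together make a small triage check worth automating. The following is an added example, not anything from the thread participants, that parses spamd log lines for per-message scan time, bayes child timeouts and --max-clients warnings and turns them into a diagnosis. The sample lines are constructed to mirror the ones quoted above; the 120-second ceiling and the diagnosis labels are assumptions for this illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the spamd maillog excerpt quoted in the thread
# (one 5525-second scan, two bayes timeouts, one --max-clients warning, one normal scan).
SAMPLE_LOG = """\
Aug  2 14:47:59 mail spamd[32613]: prefork: child states: BBB
Aug  2 14:47:59 mail spamd[32613]: prefork: server reached --max-clients setting, consider raising it
Aug  2 14:47:59 mail spamd[3577]: spamd: connection from localhost.localdomain [127.0.0.1] at port 49872
Aug  2 14:48:16 mail spamd[3675]: bayes: child processing timeout at /usr/bin/spamd line 1088.
Aug  2 14:48:19 mail spamd[3675]: spamd: identified spam (25.9/5.0) for bug:0 in 5525.1 seconds, 2163 bytes.
Aug  2 14:48:35 mail spamd[3675]: __alarm__
Aug  2 14:50:06 mail spamd[3835]: bayes: child processing timeout at /usr/bin/spamd line 1088, line 59.
Aug  2 14:51:00 mail spamd[3840]: spamd: clean message (1.2/5.0) for alice:0 in 3.4 seconds, 4100 bytes.
"""

# Matches both "identified spam (25.9/5.0) for bug:0 in 5525.1 seconds"
# and "clean message (1.2/5.0) for alice:0 in 3.4 seconds"; the optional
# whitespace after "(" tolerates the "( 25.9/5.0)" form in the quoted log.
SCAN_RE = re.compile(
    r"spamd: (?:identified spam|clean message) \(\s*([-\d.]+)/([\d.]+)\) for (\S+) in ([\d.]+) seconds"
)
BAYES_TIMEOUT_RE = re.compile(r"bayes: child processing timeout")
MAX_CLIENTS_RE = re.compile(r"prefork: server reached --max-clients setting")


def triage(log_text: str, slow_seconds: float = 120.0) -> Dict[str, object]:
    """Summarise spamd health from maillog text.

    slow_seconds is the "couple of minutes" ceiling from the thread; any scan
    exceeding it is reported individually as (user, seconds).
    """
    scans = 0
    slow: List[Tuple[str, float]] = []
    max_scantime = 0.0
    bayes_timeouts = 0
    max_clients_hits = 0
    for line in log_text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            scans += 1
            secs = float(m.group(4))
            max_scantime = max(max_scantime, secs)
            if secs > slow_seconds:
                slow.append((m.group(3), secs))
            continue
        if BAYES_TIMEOUT_RE.search(line):
            bayes_timeouts += 1
        elif MAX_CLIENTS_RE.search(line):
            max_clients_hits += 1
    return {
        "scans": scans,
        "slow_scans": slow,
        "max_scantime": max_scantime,
        "bayes_timeouts": bayes_timeouts,
        "max_clients_hits": max_clients_hits,
    }


def diagnosis(report: Dict[str, object]) -> str:
    """Map the counters onto the thread's working hypotheses: slow scans together
    with bayes timeouts point at the backend (swap or an unvacuumed database);
    --max-clients warnings on their own only say the child pool is exhausted."""
    if report["slow_scans"] and report["bayes_timeouts"]:
        return "backend-stall"
    if report["max_clients_hits"]:
        return "child-pool-exhausted"
    return "healthy"


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report)
    print(diagnosis(report))
```

Running it over the sample reports a 5525.1-second scan for bug:0, two bayes timeouts and one --max-clients warning, and labels the situation a backend stall; raising max-children in that state, as Dan tried, only adds more children waiting on the same slow database.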
Re: Allowing IMAP/POP Thread to Continue?
What a COLOSSAL waste of bandwidth, cycles and keyboard erosion.

--
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
RE: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'
Still trying to debug SA crashing with the OCR plugin. I extracted the base64 encoding from one of the offending messages. Then I converted it to image001.gif with uudeview. But when I try to convert it to a pnm file from the command line I get errors.

[filter]# giftopnm image001.gif > image001.pnm
giftopnm: too much input data, ignoring extra...
giftopnm: bogus character 0x00, ignoring
[filter]#

I have no idea what's causing this, how to fix it, or if it's even related to the crashing problem.

Jeff Moss

-----Original Message-----
From: Stuart Johnston [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2006 10:41 AM
To: users@spamassassin.apache.org
Subject: Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

Davin Flatten wrote:
> Just thought this might help someone out. Thanks to M. Blapp for an
> excellent SA Plugin. Optical Character Recognition (OCR) can be used to
> nab those pesky spam messages that are hidden in gif,jpeg, or png images...

This OCR stuff looks promising. Any comments on performance? How much extra load does it put on a server?
RE: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'
I will be testing this later this evening using the instructions provided. I will keep you posted.

Dave Augustus

> We're getting some image-spam stuck in the queue because they crash SA
> with this plugin turned on. We are using a custom setup built from
> amavisd-lite.
> I'm still trying to figure out what's causing it.
>
> Jeff Moss
>
> -----Original Message-----
> From: Stuart Johnston [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 03, 2006 10:41 AM
> To: users@spamassassin.apache.org
> Subject: Re: GIF Spam -- Setting up the 'OCR scanner and image validator
> SA-plugin'
>
> Davin Flatten wrote:
>> Just thought this might help someone out. Thanks to M. Blapp for an
>> excellent SA Plugin. Optical Character Recognition (OCR) can be used to
>> nab those pesky spam messages that are hidden in gif,jpeg, or png images...
>
> This OCR stuff looks promising. Any comments on performance? How much
> extra load does it put on a server?
Re: What changes would you make to stop spam? - United Nations Paper
On Wed, 2 Aug 2006, John Andersen wrote:

> On Wednesday 02 August 2006 20:55, Sanford Whiteman wrote:
> > Because of that experience, I find myself
> > agreeing with the overall reaction of, in essence: "Kill me now, if
> > his proposal is going to be disseminated by any entity who doesn't
> > have enough techies on staff to shoot it down."
>
> Sandy: you have a special skill for telling people to go to hell and having
> them looking forward to the trip.
>
> I enjoyed your approach.

Ditto. {applause}

--
John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
Re: Allowing IMAP/POP to Send Email & United Nations etc....
Nigel Frankcom wrote:
> I'll put on my flameproof underwear for this
>
> There's been a huge amount of crossfire on these/this subject, but I don't see how it has anything to do with SA; or am I missing the point?
>
> Different protocols, yet another level of policing, but nothing about the fact that SA does a damned fine job of stopping what exists now, not what may or may not happen (n) years in the future.
>
> Just my 2 pence worth

2 more units of whatever currency.. kill the threads. NOW!!
Re: Allowing IMAP/POP to Send Email
> Spam is never eliminated - just reduced. Most spam comes from virus
> infected zombies that talk SMTP. If end users were by default set up so
> that they can only send email by IMAP then you can block off SMTP ports
> for end users isolating them from the SMTP world. That would take a huge
> bite out of the spam problem.

Which is something that many ISPs and corporations already do. What makes you think that any more of them will do it if your plan were to be implemented? Responsible networks are already blocking port 25, while irresponsible networks (generalizing to make a point) aren't. What's going to happen to make the irresponsible networks change their ways? Why hasn't it happened already? What kind of incentive does your plan specifically provide to help change those network owners' minds?
Allowing IMAP/POP to Send Email & United Nations etc....
I'll put on my flameproof underwear for this

There's been a huge amount of crossfire on these/this subject, but I don't see how it has anything to do with SA; or am I missing the point?

Different protocols, yet another level of policing, but nothing about the fact that SA does a damned fine job of stopping what exists now, not what may or may not happen (n) years in the future.

Just my 2 pence worth

Nigel
Re: Geographic Zone to Headers?
On Wed, 2 Aug 2006 21:27:48 +0200 (CEST), "Benny Pedersen" <[EMAIL PROTECTED]> opined:

> On Wed, August 2, 2006 17:51, David Cary Hart wrote:
>
> > EXPERIMENTALLY, I have added "world.tqmcube.com" as a zone which
> > is obviously not included in the composite. This returns a text
> > record of the country of origin.
>
> good
>
> > For example - with linux:
> > #dig +short 199.227.237.209.world.tqmcube.com -t txt
> > will return "United States".
>
> nice, but is it for mta or spamassassin ?
>
> if its for mta, why need to tell the country of the ip ?
>
> if its for spamassassin it will be too much dns lookups for things
> that can be added to dnsbl.tqmcube.com as a subtest with separate
> results
>
> you already have ko and prc as example
>
> PS: for my test of the dnsbl zone its none false positive or
> negative here so far
>

I have revised this as follows:

;; QUESTION SECTION:
;193.128.95.59.world.tqmcube.com.    IN    ANY

;; ANSWER SECTION:
193.128.95.59.world.tqmcube.com. 2100 IN A   127.0.0.110
193.128.95.59.world.tqmcube.com. 2100 IN TXT "IN"

The index of ISO country codes and return codes:
:127.0.0.10: AD  :127.0.0.11: AE  :127.0.0.12: AF  :127.0.0.13: AG  :127.0.0.14: AI  :127.0.0.15: AL
:127.0.0.16: AM  :127.0.0.17: AN  :127.0.0.18: AO  :127.0.0.19: AQ  :127.0.0.20: AR  :127.0.0.21: AS
:127.0.0.22: AT  :127.0.0.23: AU  :127.0.0.24: AW  :127.0.0.25: AZ  :127.0.0.254: BA  :127.0.0.26: BB
:127.0.0.27: BD  :127.0.0.28: BE  :127.0.0.29: BF  :127.0.0.30: BG  :127.0.0.31: BH  :127.0.0.32: BI
:127.0.0.33: BJ  :127.0.0.34: BM  :127.0.0.35: BN  :127.0.0.36: BO  :127.0.0.37: BR  :127.0.0.38: BS
:127.0.0.39: BT  :127.0.0.40: BV  :127.0.0.41: BW  :127.0.0.42: BY  :127.0.0.43: BZ  :127.0.0.44: CA
:127.0.0.45: CC  :127.0.0.46: CD  :127.0.0.47: CF  :127.0.0.48: CG  :127.0.0.49: CH  :127.0.0.50: CI
:127.0.0.51: CK  :127.0.0.52: CL  :127.0.0.53: CM  :127.0.0.54: CN  :127.0.0.55: CO  :127.0.0.56: CR
:127.0.0.57: CS  :127.0.0.58: CU  :127.0.0.59: CV  :127.0.0.60: CX  :127.0.0.61: CY  :127.0.0.62: CZ
:127.0.0.63: DE  :127.0.0.64: DJ  :127.0.0.65: DK  :127.0.0.66: DM  :127.0.0.67: DO  :127.0.0.68: DZ
:127.0.0.69: EC  :127.0.0.70: EE  :127.0.0.71: EG  :127.0.0.72: EH  :127.0.0.73: ER  :127.0.0.74: ES
:127.0.0.75: ET  :127.0.0.76: EU  :127.0.0.77: FI  :127.0.0.78: FJ  :127.0.0.79: FK  :127.0.0.80: FM
:127.0.0.81: FO  :127.0.0.82: FR  :127.0.0.83: FX  :127.0.0.84: GA  :127.0.0.85: GD  :127.0.0.86: GE
:127.0.0.87: GF  :127.0.0.88: GH  :127.0.0.89: GI  :127.0.0.90: GL  :127.0.0.91: GM  :127.0.0.92: GN
:127.0.0.93: GP  :127.0.0.94: GQ  :127.0.0.95: GR  :127.0.0.96: GS  :127.0.0.97: GT  :127.0.0.98: GU
:127.0.0.99: GW  :127.0.0.100: GY  :127.0.0.101: HK  :127.0.0.102: HM  :127.0.0.103: HN  :127.0.0.104: HR
:127.0.0.105: HT  :127.0.0.106: HU  :127.0.0.107: ID  :127.0.0.108: IE  :127.0.0.109: IL  :127.0.0.110: IN
:127.0.0.111: IO  :127.0.0.112: IQ  :127.0.0.113: IR  :127.0.0.114: IS  :127.0.0.115: IT  :127.0.0.116: JM
:127.0.0.117: JO  :127.0.0.118: JP  :127.0.0.119: KE  :127.0.0.120: KG  :127.0.0.121: KH  :127.0.0.122: KI
:127.0.0.123: KM  :127.0.0.124: KN  :127.0.0.125: KP  :127.0.0.126: KR  :127.0.0.127: KW
:127.0.0.128: KY  :127.0.0.129: KZ  :127.0.0.130: LA  :127.0.0.131: LB  :127.0.0.132: LC  :127.0.0.133: LI
:127.0.0.134: LK  :127.0.0.135: LR  :127.0.0.136: LS  :127.0.0.137: LT  :127.0.0.138: LU  :127.0.0.139: LV
:127.0.0.140: LY  :127.0.0.141: MA  :127.0.0.142: MC  :127.0.0.143: MD  :127.0.0.144: MG  :127.0.0.145: MH
:127.0.0.146: MK  :127.0.0.147: ML  :127.0.0.148: MM  :127.0.0.149: MN  :127.0.0.150: MO  :127.0.0.151: MP
:127.0.0.152: MQ  :127.0.0.153: MR  :127.0.0.154: MS  :127.0.0.155: MT  :127.0.0.156: MU  :127.0.0.157: MV
:127.0.0.158: MW  :127.0.0.159: MX  :127.0.0.160: MY  :127.0.0.161: MZ  :127.0.0.162: NA  :127.0.0.163: NC
:127.0.0.164: NE  :127.0.0.165: NF  :127.0.0.166: NG  :127.0.0.167: NI  :127.0.0.168: NL  :127.0.0.169: NO
:127.0.0.170: NP  :127.0.0.171: NR  :127.0.0.172: NT  :127.0.0.173: NU  :127.0.0.174: NZ  :127.0.0.175: OM
:127.0.0.176: PA  :127.0.0.177: PE  :127.0.0.178: PF  :127.0.0.179: PG  :127.0.0.180: PH  :127.0.0.181: PK
:127.0.0.182: PL  :127.0.0.183: PM  :127.0.0.184: PN  :127.0.0.185: PR  :127.0.0.186: PS  :127.0.0.187: PT
:127.0.0.188: PW  :127.0.0.189: PY  :127.0.0.190: QA  :127.0.0.191: RE  :127.0.0.192: RO  :127.0.0.193: RU
:127.0.0.194: RW  :127.0.0.195: SA  :127.0.0.196: SB  :127.0.0.197: SC  :127.0.0.198: SD  :127.0.0.199: SE
:127.0.0.200: SG  :127.0.0.201: SH  :127.0.0.202: SI  :127.0.0.203: SJ  :127.0.0.204: SK  :127.0.0.205: SL
:127.0.0.206: SM  :127.0.0.207: SN  :127.0.0.208: SO  :127.0.0.209: SR  :127.0.0.210: ST  :127.0.0.211: SU
:127.0.0.212: SV  :127.0.0.213: SY  :127.0.0.214: SZ  :127.0.0.215: TC  :127.0.0.216: TD  :127.0.0.217: TF
:127.0.0.218: TG  :127.0.0.219: TH  :127.0.0.220: TJ  :127.0.0.221: TK  :127.0.0.222: TM  :127.0.0.223: TN
:127.0.0.224: TO  :127.0.0.225: TP  :127.0.0.226: TR  :127.0.0.227: TT  :127.0.0.228: TV  :127.0.0.229: TW
:127.0.0.230: TZ  :127.0.0.231: UA  :127.0.0.232: UG  :127.0.0.233: UK  :127.0.0.234: UM  :127.0.0.235: US
:127.0.0.236: UY  :127.0.0.237: UZ  :127.0.0.238: VA  :127.0.0.239: VC  :127.0.0.240: VE  :127.0.0.241: V
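The zone described above answers a reversed-octet query with an A record in 127.0.0.0/24 whose last octet indexes a country code, plus a TXT record carrying the code in clear. The following is an added example, not code from the zone operator or from SpamAssassin, showing how a client builds the query name and decodes the answer, and why it pays to cross-check the two record types before acting on either. Only a subset of the posted index is embedded; the resolver is a constructed in-memory stand-in seeded with the dig output quoted above, so nothing is looked up over the network.

```python
import ipaddress
from typing import Dict, Optional

ZONE = "world.tqmcube.com"

# Subset of the return-code index posted in the thread (last octet of the A answer -> ISO code).
RETURN_CODES: Dict[int, str] = {
    10: "AD", 44: "CA", 54: "CN", 63: "DE", 82: "FR", 110: "IN",
    118: "JP", 193: "RU", 233: "UK", 235: "US", 254: "BA",
}


def query_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the octets, as for any DNSBL-style zone: 59.95.128.193 -> 193.128.95.59.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_country(a_answer: str) -> Optional[str]:
    """Map an A answer such as 127.0.0.110 to its country code.
    Anything outside 127.0.0.0/24, or a last octet missing from the index, yields None."""
    addr = ipaddress.IPv4Address(a_answer)
    if addr not in ipaddress.IPv4Network("127.0.0.0/24"):
        return None
    return RETURN_CODES.get(int(addr) & 0xFF)


# Constructed stand-in for the resolver (query name -> answer records).
# The first entry reproduces the dig output in the thread; the second is a
# deliberately inconsistent record to exercise the cross-check.
FAKE_DNS: Dict[str, Dict[str, str]] = {
    "193.128.95.59.world.tqmcube.com": {"A": "127.0.0.110", "TXT": "IN"},
    "1.2.0.192.world.tqmcube.com": {"A": "127.0.0.110", "TXT": "US"},
}


def lookup_country(ip: str, resolver: Dict[str, Dict[str, str]] = FAKE_DNS) -> Optional[str]:
    """Resolve the country for ip. The A record is decoded through the index and
    cross-checked against the TXT record; a mismatch is reported as unknown rather
    than trusting either record on its own."""
    records = resolver.get(query_name(ip))
    if records is None:
        return None  # NXDOMAIN: address not in the zone
    code = decode_country(records.get("A", "0.0.0.0"))
    if code is None or code != records.get("TXT"):
        return None
    return code


if __name__ == "__main__":
    for ip in ("59.95.128.193", "192.0.2.1", "198.51.100.7"):
        print(ip, query_name(ip), lookup_country(ip))
```

Checking the answer against 127.0.0.0/24 matters in practice: a zone that is later wildcarded, parked or resold will start returning unrelated addresses, and a client that decodes the last octet blindly would keep producing plausible-looking country codes.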
Re: Allowing IMAP/POP to Send Email
On Thursday 03 August 2006 19:25, Marc Perkel took the opportunity to say:
> Chris Lear wrote:
> > What if I set up an SMTP server at home behind my ADSL router, collect
> > my vanity-domain mail there, and access it via IMAP or POP3? It seems
> > I only have one option, which is to send my mail via IMAP to my home
> > server. Which then sends via SMTP to... the Internet (or via a
> > smarthost). And the home server sending via SMTP is going to look a
> > bit like a MUA sending via SMTP. How would you tell the difference? Is
> > a home mail server outlawed in the brave new world? Or does my SMTP
> > server have to learn to talk IMAP to make message submissions to the
> > ISP's server?
> >
> Then it would be a server and talk SMTP. Servers still talk SMTP. I have
> a home SMTP server myself.

Ooookaaay... but they have to use SMTP AUTH, right? So why can't MUAs talk SMTP as well then? The only reason you have left is that you want to remove existing functionality (SMTP) from MUAs and replace it with something (two things, even) that doesn't yet exist (mail submission over POP and IMAP).

--
Magnus Holmgren    [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: Allowing IMAP/POP to Send Email
Marc Perkel wrote:
> Spam is never eliminated - just reduced. Most spam comes from virus infected zombies that talk SMTP. If end users were by default set up so that they can only send email by IMAP then you can block off SMTP ports for end users isolating them from the SMTP world. That would take a huge bite out of the spam problem.

For about a day. Spam software writers aren't stupid. All the standards that would be necessary for this kind of system to work on a broad scale would have to be open. By the time you got every ISP in one slice of the world to do this, it will be exploited.

My own home ISP had this happen to them. Bellsouth (in my area at least) blocked both 25 out and 25 in. We had to send through Bellsouth's mail server. At first it was configured as an open relay for their customers. Then you had to authenticate. After they enabled authentication, I haven't seen a single Bellsouth DSL originating email spam (from the res blocks.) If others have, chime in. But from what I see, this works. It did anger me at first because they didn't tell their customers, and when directly asked they denied doing such (maybe just their help desk drones didn't know.)

Anyway. Block 25, require auth to the ISP's server. Done. SMTP-AUTH would be EXACTLY the same as what you propose.

Here's an idea. Quit wasting your time here. You haven't found any supporters here. Try security lists. Write a letter to your ISP, your friend's ISP, your place of business's ISP and see what they say. I bet they'll say "Not feasible -- SMTP-AUTH works just fine"

--
Thanks,
James
RE: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'
We're getting some image-spam stuck in the queue because they crash SA with this plugin turned on. We are using a custom setup built from amavisd-lite. I'm still trying to figure out what's causing it.

Jeff Moss

-----Original Message-----
From: Stuart Johnston [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2006 10:41 AM
To: users@spamassassin.apache.org
Subject: Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

Davin Flatten wrote:
> Just thought this might help someone out. Thanks to M. Blapp for an
> excellent SA Plugin. Optical Character Recognition (OCR) can be used to
> nab those pesky spam messages that are hidden in gif,jpeg, or png images...

This OCR stuff looks promising. Any comments on performance? How much extra load does it put on a server?
Re: Allowing IMAP/POP to Send Email
Logan Shaw wrote:
> On Thu, 3 Aug 2006, Marc Perkel wrote:
>> Not really - what I'm proposing is that the IMAP connection just pipe the message into an SMTP server. The IMAP is acting only as an authenticated connection back to SMTP. I'm not suggesting replacing SMTP. What I'm suggesting is that POP/IMAP can be used as a transport to get the mail there because it's an existing connection, is already established, is already authenticated with the credentials of the email account, and it isn't a port that people would block like port 25 is. I'm not trying to replace SMTP. I'm just trying to suggest a better way for end users to get outgoing email to the SMTP server.
>
> Yes. You've already said that. What you're trying to do is create an internet where SMTP traffic only occurs between legitimate servers. You then claim that if such an internet existed, there would be a huge impact against spam. I have to concur that if that were true, spam would be greatly reduced.
>
> Here's the problem though. We've got a logical syllogism here: "If X, then Y." The "X" is "only legitimate servers speak SMTP", and the "Y" is "spam will be greatly reduced". I agree that the "if X, then Y" part of this argument is sound. The problem is, for Y to logically follow, you have to establish X. A syllogism works like this:
>
> 1. If X, then Y.
> 2. X is known to be true.
> 3. Therefore, Y is true.
>
> Part 1 is called the major premise. Part 2 is called the minor premise. Part 3 is the conclusion. Your argument is missing the minor premise. You have to establish the minor premise or your argument will have no validity.
>
> So then, do you wish to give up on your argument, or do you wish to explain how you're going to accomplish this feat of making sure that only legitimate servers try to contact other servers via SMTP?
>
> - Logan
>
>> Spam is never eliminated - just reduced. Most spam comes from virus infected zombies that talk SMTP. If end users were by default set up so that they can only send email by IMAP then you can block off SMTP ports for end users isolating them from the SMTP world. That would take a huge bite out of the spam problem.
Re: Allowing IMAP/POP to Send Email
Chris Lear wrote:
> What if I set up an SMTP server at home behind my ADSL router, collect my vanity-domain mail there, and access it via IMAP or POP3? It seems I only have one option, which is to send my mail via IMAP to my home server. Which then sends via SMTP to... the Internet (or via a smarthost). And the home server sending via SMTP is going to look a bit like a MUA sending via SMTP. How would you tell the difference? Is a home mail server outlawed in the brave new world? Or does my SMTP server have to learn to talk IMAP to make message submissions to the ISP's server?
>
> Chris

Then it would be a server and talk SMTP. Servers still talk SMTP. I have a home SMTP server myself.
Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'
Stuart-

Not significant that I have noticed. We are running a dedicated spamassassin gateway, however. Its only job is to process spam. It is running dual Xeon 2.80GHz/2MB cache with 4GB of RAM over RAID5 with some scratch partitions loaded in RAM. We also run clamav, mimedefang, bayes out of mysql, and milter-greylist on the same machine. We process 15,000-30,000 emails a day on this machine.

One thing that could be improved would be to add which directory the plugin uses as scratch. I would put this over into my memory based mounts and that would at least lower the I/O overhead.

-Davin
Re: What changes would you make to stop spam? - United Nations Paper
Kenneth Porter wrote: > > Will ISPs do anything? Are they doing anything now for outbound spam? > They will have to otherwise they will end up in a blacklist ;-) Most of the ISPs here are already scanning on inbound spam, not too hard to do it for outgoing then. The ISP I use the most reacts quite fast on abuse. And they have already used an automatic shutoff of clients in the time of virus outbreaks, that traffic got detected and then all you could access was 1 page with an explanation how to get connected again. That's doable too by counting the amount of outgoing spam I think. > BTW, are there any SMTP providers operating independent of ISPs, sorta > like independent newsgroup providers, so that one can use authenticated > SMTP over the submission port to that provider instead of one's ISP? > Yes, the ones who I know about offer anti SPAM/virus services. We've used cleanport for a while for that. It wasn't authenticated but firewalled, SMTP was only opened up for certain IP addresses of ours. Regards Menno
Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'
Davin Flatten wrote: Just thought this might help someone out. Thanks to M. Blapp for an excellent SA Plugin. Optical Character Recognition (OCR) can be used to nab those pesky spam messages that are hidden in gif,jpeg, or png images... I ran a search on the patch and I didn't see any references to the bayes learner. Wouldn't it be a logical choice to feed (and test) the OCR text to the bayes learner just like any other plaintext mail content? The OCR results will of course contain some gibberish, but that shouldn't be very different from the usual bayes poison. I think this could further improve the OCR feature (haven't tested the patch yet btw). Regards, Stephan
Re: [AMaViS-user] sa-update (sa v 3.1.4)
On Thu, Aug 03, 2006 at 11:47:58AM -0500, Stuart Johnston wrote: > I'm a little confused about this as well. When I run spamassassin -D, it > shows rules being loaded from /var/lib/spamassassin/3.001003 and > /etc/mail/spamassassin but NOT /usr/share/spamassassin/ That sounds correct. > Also, doing a diff I don't see any rules that are in > /usr/share/spamassassin/ but not in /var/lib/spamassassin/3.001003. There are definitely differences between the files in the directories, though at the moment most of the new rules are in a new 80_additional.cf file. Perhaps you didn't use "diff -N" ? :) -- Randomly Generated Tagline: (Bp) Syntax Error! - My reality check just cleared.
Re: What changes would you make to stop spam? - United Nations Paper
Marc Perkel wrote: So you think that viruses are going to know how to find and decrypt the passwords of all email programs? Network sniffers, keystroke loggers, weak encryption, maliciously patching the email app -- that's four possibilities off the top of my head. They don't even need to be able to handle all of them -- just the more popular ones. -- Kelson Vibber SpeedGate Communications
Re: sa-update (sa v 3.1.4)
On Thu, 8/3/2006 11:01:09 -0400 Theo Van Dinter wrote: > > On Thu, Aug 03, 2006 at 10:15:47AM -0400, Will Nordmeyer wrote: > > If I run sa-update without any other parameters, it'll create an update > > dir put the updates in it and spamassassin will use the generated > > updates dir by default (do I need to restart SA, or does sa-update > > handle that?). > > Yes. As for restart, sa-update won't do that for you. > > > If I use the --updatedir parameter I have to go into SA and rewrite it > > to use my updatedir. > > Or otherwise include the new config files in some other way ala in > /etc/mail/spamassassin/local.cf (or a similarly named file): > > include /where/I/want/updates/to/be/channel.cf > > I forgot to mention this in my previous mail, sorry. > > > If I use --updatedir and point it to the SA default rules dir, I'm > > screwed. > > Not screwed, but you'll break some parts of SpamAssassin, yes. The > default rules directory is meant to be written to during installation > and that's it. In the end, you can do what you want with it, but if you > remove critical files, you shouldn't expect things to work correctly. > > > Have I summarized sa-update usage properly? > > You're intimating that sa-update sucks, where IMHO the problems described > here are with its usage and an expectation that the software in general > should DWIM as opposed to DWIS. > > In general, if you don't like how something works, feel free to open a > ticket and provide a patch. :) > Not my intent at all Theo... Just trying to distill it down to something easy. And that is - if you run sa-update and let it make all the decisions about update dirs/etc. Then the updates are easy, simple and everybody happily plays well together. And (to me) yeah - I'm screwed if I decide my update dir is the same as my default rules dir - not because sa-update sucks at all... but because I didn't differentiate between DEFAULT rules and UPDATES.
My apologies - sa-update is a wonderful feature, I was quite pleased when I saw it added...
Re: [AMaViS-user] sa-update (sa v 3.1.4)
Gary V wrote: Mark wrote: Theo, to change Mail::SpamAssassin to provide a suitable default for LOCAL_STATE_DIR. Please consider this a feature request. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4952 :) Appreciated! # sa-update --updatedir /usr/local/share/spamassassin Warning: This will break your installation -- there are files in def_rules_dir that aren't in the updates, and sa-update will be happy to delete all of the files in the directory for you. local_state_dir and def_rules_dir are not interchangeable. Ouch, thanks. Sorry for spreading false suggestions. Mark Observation and questions: I thought the rules provided with sa-update were additions to existing rules, but I guess I have not paid much attention. Is it true then that the rules downloaded through sa-update are a complete rule set in themselves? I'm a little confused about this as well. When I run spamassassin -D, it shows rules being loaded from /var/lib/spamassassin/3.001003 and /etc/mail/spamassassin but NOT /usr/share/spamassassin/ Also, doing a diff I don't see any rules that are in /usr/share/spamassassin/ but not in /var/lib/spamassassin/3.001003. There are a few extra files though, [languages, sa-update-pubkey.txt, triplets.txt, user_prefs.template]. I suppose you probably don't want those to get deleted.
Re: sa-update problems
Theo Van Dinter wrote: On Thu, Aug 03, 2006 at 06:15:38PM +0200, Bjorn Jensen wrote: Aug 3 18:05:30 mail3 spamd[590]: config: cannot opendir /var/lib/spamassassin/3.001003: Permission denied Aug 3 18:05:30 mail3 spamd[590]: config: cannot opendir /var/lib/spamassassin/3.001003: Permission denied The directory /var/lib/spamassassin/3.001003 exists and there's another directory in there with the new rules, just like the wiki says about sa-update, and if I run spamassassin -D --lint it shows no problems, and I'm also able to scan emails through that just fine, just not spamd Hrm, that's extremely odd. Is there something special about how you run spamd? chroot jail? limitations via something like selinux? Thank god, you pointed me in the right direction. The server is a fedora core 5 server where spamassassin has been installed by yum/rpm and selinux was set to enforcing. It has now been set to disabled, and it can now read the files. Regards, Bjorn Jensen
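Bjorn's fix above was to switch SELinux off. The narrower fix is to read the AVC denial that the "Permission denied" corresponds to, then relabel or extend policy for just that directory; spamassassin -D --lint run from a root shell typically runs unconfined, which is why it saw the files while the confined spamd domain did not. The following is an added example, not code from the thread or from SpamAssassin: a parser for AVC records from audit.log, with the remediation steps in the order a practitioner would try them. The sample record, its contexts (spamd_t, var_lib_t), the inode and the command list are assumptions; check the label your policy actually expects with matchpathcon before relabelling.

```python
import re

# Constructed sample AVC record, an assumption about what the denial behind
# "config: cannot opendir /var/lib/spamassassin/3.001003: Permission denied"
# would look like on a targeted-policy box; it is not from the thread.
SAMPLE_AVC = (
    'type=AVC msg=audit(1154621130.517:42): avc:  denied  { read } for  '
    'pid=590 comm="spamd" name="3.001003" dev=sda2 ino=262345 '
    'scontext=root:system_r:spamd_t:s0 tcontext=root:object_r:var_lib_t:s0 '
    'tclass=dir'
)

# The syslog line from the thread: not an AVC record, the parser must reject it.
SYSLOG_LINE = ('Aug 3 18:05:30 mail3 spamd[590]: config: cannot opendir '
               '/var/lib/spamassassin/3.001003: Permission denied')

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Return the key=value fields of one AVC denial plus the list of denied
    permissions, or None if the line is not an AVC denial at all."""
    if 'avc:' not in line or 'denied' not in line:
        return None
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    rec['perms'] = m.group(1).split() if m else []
    return rec


def selinux_type(context):
    """user:role:type:level -> type, the component that policy rules name."""
    return context.split(':')[2]


def explain(rec):
    """One human-readable sentence: who was denied what on which object."""
    return ("{comm} (domain {src}) was denied {{ {perms} }} on {tclass} "
            "'{name}' labelled {tgt}").format(
        comm=rec.get('comm', '?'), src=selinux_type(rec['scontext']),
        perms=' '.join(rec['perms']), tclass=rec.get('tclass', '?'),
        name=rec.get('name', '?'), tgt=selinux_type(rec['tcontext']))


def remediation(path):
    """Commands to run, in order: inspect the label, relabel if it is wrong,
    and only if the label is already right build a local policy module.
    None of them turn enforcement off."""
    return [
        f"ls -Zd {path}",
        f"matchpathcon {path}",
        f"restorecon -Rv {path}",
        "ausearch -m avc -c spamd | audit2allow -M spamd_local",
        "semodule -i spamd_local.pp",
    ]


if __name__ == "__main__":
    for line in (SYSLOG_LINE, SAMPLE_AVC):
        rec = parse_avc(line)
        print(explain(rec) if rec else "not an AVC record: " + line[:40])
    print("\n".join(remediation("/var/lib/spamassassin")))
```

Run it against real records with ausearch -m avc -ts recent piped into parse_avc; if matchpathcon reports a label other than the one restorecon applies, the policy on that box has no rule for the sa-update directory and the audit2allow step is the one that applies.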
Re: More honesty in spam
Yesterday I noticed that the stock-image spams I had been receiving were pushing "Espion International, Inc, a leader in the fight against email based viruses, spam...". :) Kelson wrote: I received a stock spam this morning. The randomly generated sender name was, and I kid you not... "Bagle variant" Somehow, that wouldn't surprise me at all!
Re: sa-update problems
On Thu, Aug 03, 2006 at 06:15:38PM +0200, Bjorn Jensen wrote:
> Aug 3 18:05:30 mail3 spamd[590]: config: cannot opendir
> /var/lib/spamassassin/3.001003: Permission denied
> Aug 3 18:05:30 mail3 spamd[590]: config: cannot opendir
> /var/lib/spamassassin/3.001003: Permission denied
> The directory /var/lib/spamassassin/3.001003 exists and there's another
> directory in there with the new rules, just like the wiki says about
> sa-update, and if I run spamassassin -D --lint it shows no problems, and
> I'm also able to scan emails through that just fine, just not spamd

Hrm, that's extremely odd. Is there something special about how you run spamd? chroot jail? limitations via something like selinux? Generally speaking, if the dirs can be accessed via any general user w/ spamassassin, there shouldn't be any problem using spamd.

> [EMAIL PROTECTED] spamassassin]# ll /var/lib/spamassassin
> total 8
> drwxr-xr-x 3 root root 4096 Aug 3 17:53 3.001003
> [EMAIL PROTECTED] spamassassin]# ll /var/lib/spamassassin/3.001003
> total 16
> drwxr-xr-x 2 root root 4096 Aug 3 17:53 updates_spamassassin_org
> -rw-r--r-- 1 root root 2151 Aug 3 17:53 updates_spamassassin_org.cf

Hrm. This looks fine to me.

-- Randomly Generated Tagline: "... and don't we all love Pspice?"- Instructor Dean
More honesty in spam
I received a stock spam this morning. The randomly generated sender name was, and I kid you not... "Bagle variant" Somehow, that wouldn't surprise me at all! -- Kelson Vibber SpeedGate Communications
Re: What changes would you make to stop spam? - United Nations Paper
--On Thursday, August 03, 2006 8:47 AM -0700 MennovB <[EMAIL PROTECTED]> wrote: I don't want to make the zombies use the ISP's SMTP server, I want to stop them from spamming. Right now they can only connect directly to the Internet so if the ISP blocks direct SMTP outgoing the zombies stop working, they can't deliver their spam. Ok, that addresses the existing direct-to-MX zombies. Probably they will then be adapted to figure out and use the ISP's SMTP server, but that makes them easy to detect for the ISP. Will ISPs do anything? Are they doing anything now for outbound spam? Apart from the SMTP-servers from the ISP there may be some other addresses you legitimately want to access with SMTP, could be serviced by the ISP with a web-interface where you can configure a certain number of accessible IP addresses. I'd rather it be completely open to anyone who's demonstrated having a clue. BTW, are there any SMTP providers operating independent of ISPs, sorta like independent newsgroup providers, so that one can use authenticated SMTP over the submission port to that provider instead of one's ISP?
postres bayes db and high load
Over the past few weeks, my company's mail server has been experiencing high loads that result in SA skipping emails. I use a postgres database to manage bayes, awl and userprefs. I am pretty sure that it is the bayes db that is causing the high load and resultant skipping, but I have no idea how to fix the problem. I installed the SA DBI plugin in hopes this would decrease the load, but it hasn't. I have also tried increasing spamd's max-children parameter from 8 up to 27. It appears that if all of the spamd's children become busy SA skips the message all together. Or spamd stops working on a message when bayes times out. If the latter is the case, is there a way to tell spamd to continue processing the message without bayes? I have included some details below. Any suggestions would be very helpful.

The mail server's stats:
~3500 email/day
2GHz Intel Celeron
768M ram
SA v3.1.0
postgreSQL v8.0.4
database size: 333M
bayes_seen: 378275 rows
bayes_token: 172484 rows

A snippet of maillog when the disruption began:
Aug 2 14:47:59 mail spamd[32613]: prefork: child states: BBB
Aug 2 14:47:59 mail spamd[32613]: prefork: server reached --max-clients setting, consider raising it
Aug 2 14:47:59 mail spamd[3577]: spamd: connection from localhost.localdomain [127.0.0.1] at port 49872
Aug 2 14:47:59 mail spamd[3577]: spamd: processing message <[EMAIL PROTECTED]om> for steve:0
Aug 2 14:48:16 mail spamd[3675]: bayes: child processing timeout at /usr/bin/spamd line 1088.
Aug 2 14:48:19 mail spamd[3675]: spamd: identified spam (25.9/5.0) for bug:0 in 5525.1 seconds, 2163 bytes.
Aug 2 14:48:19 mail spamd[3675]: spamd: result: Y 25 - BAYES_99,MY_ALL_CAPS,MY_CASINO,MY_OFFER,MY_URI_2CHAR,MY_URI_ALPHNM,MY_URI_CHARNUM,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=5525.1,size=2163,user=bug,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=48946,mid=<[EMAIL PROTECTED]>,bayes=1,autolearn=failed
Aug 2 14:48:35 mail spamd[3675]: __alarm__
Aug 2 14:48:35 mail spamd[3675]: __alarm__
Aug 2 14:48:36 mail spamd[32613]: prefork: child states: BBB
Aug 2 14:48:36 mail spamd[32613]: prefork: server reached --max-clients setting, consider raising it
Aug 2 14:48:36 mail spamd[3675]: spamd: connection from localhost.localdomain [127.0.0.1] at port 49881
Aug 2 14:48:40 mail spamd[3675]: spamd: processing message <[EMAIL PROTECTED]> for harriet:0
Aug 2 14:50:06 mail spamd[3835]: bayes: child processing timeout at /usr/bin/spamd line 1088, line 59.
sa-update problems
I just ran sa-update for the first time today, and now I'm getting this when starting up spamd:

Aug 3 18:05:30 mail3 spamd[590]: config: cannot opendir /var/lib/spamassassin/3.001003: Permission denied
Aug 3 18:05:30 mail3 spamd[590]: config: cannot opendir /var/lib/spamassassin/3.001003: Permission denied
Aug 3 18:05:32 mail3 spamd[590]: spamd: server started on port 783/tcp (running version 3.1.3)
Aug 3 18:05:32 mail3 spamd[590]: spamd: server pid: 590
Aug 3 18:05:32 mail3 spamd[590]: spamd: server successfully spawned child process, pid 592
Aug 3 18:05:32 mail3 spamd[590]: spamd: server successfully spawned child process, pid 593

This seems to mean that no local rules are loaded and most spam goes right through. The directory /var/lib/spamassassin/3.001003 exists and there's another directory in there with the new rules, just like the wiki says about sa-update, and if I run spamassassin -D --lint it shows no problems, and I'm also able to scan emails through that just fine, just not spamd

spamd is running like so:
root 624 0.4 1.5 52032 46960 ? Ss 18:06 0:01 /usr/bin/spamd -d -c --min-children=5 -m15 -i xxx.xxx.xxx.xxx -H -A xxx.xxx.xxx.xxx -r /var/run/spamd.pid
root 626 3.3 1.6 56760 52260 ? S 18:06 0:13 spamd child
root 627 0.3 1.5 53816 48924 ? S 18:06 0:01 spamd child
root 663 0.0 1.5 52596 47452 ? S 18:09 0:00 spamd child
root 679 0.0 1.4 52032 45788 ? S 18:12 0:00 spamd child

The directories:
[EMAIL PROTECTED] spamassassin]# ll /var/lib/spamassassin
total 8
drwxr-xr-x 3 root root 4096 Aug 3 17:53 3.001003
[EMAIL PROTECTED] spamassassin]# ll /var/lib/spamassassin/3.001003
total 16
drwxr-xr-x 2 root root 4096 Aug 3 17:53 updates_spamassassin_org
-rw-r--r-- 1 root root 2151 Aug 3 17:53 updates_spamassassin_org.cf
[EMAIL PROTECTED] spamassassin]# ll /var/lib/spamassassin/3.001003/updates_spamassassin_org
total 720
-rw-r--r-- 1 root root 5479 Aug 3 17:53 10_misc.cf
-rw-r--r-- 1 root root 8112 Aug 3 17:53 20_advance_fee.cf
-rw-r--r-- 1 root root 1602 Aug 3 17:53 20_anti_ratware.cf
-rw-r--r-- 1 root root 6690 Aug 3 17:53 20_body_tests.cf
-rw-r--r-- 1 root root 1534 Aug 3 17:53 20_compensate.cf
-rw-r--r-- 1 root root 14287 Aug 3 17:53 20_dnsbl_tests.cf
-rw-r--r-- 1 root root 15636 Aug 3 17:53 20_drugs.cf
-rw-r--r-- 1 root root 11380 Aug 3 17:53 20_fake_helo_tests.cf
-rw-r--r-- 1 root root 33153 Aug 3 17:53 20_head_tests.cf
-rw-r--r-- 1 root root 17501 Aug 3 17:53 20_html_tests.cf
-rw-r--r-- 1 root root 3305 Aug 3 17:53 20_meta_tests.cf
-rw-r--r-- 1 root root 2135 Aug 3 17:53 20_net_tests.cf
-rw-r--r-- 1 root root 15880 Aug 3 17:53 20_phrases.cf
-rw-r--r-- 1 root root 4711 Aug 3 17:53 20_porn.cf
-rw-r--r-- 1 root root 17038 Aug 3 17:53 20_ratware.cf
-rw-r--r-- 1 root root 9690 Aug 3 17:53 20_uri_tests.cf
-rw-r--r-- 1 root root 2228 Aug 3 17:53 23_bayes.cf
-rw-r--r-- 1 root root 420 Aug 3 17:53 25_accessdb.cf
-rw-r--r-- 1 root root 1342 Aug 3 17:53 25_antivirus.cf
-rw-r--r-- 1 root root 9114 Aug 3 17:53 25_body_tests_es.cf
-rw-r--r-- 1 root root 17673 Aug 3 17:53 25_body_tests_pl.cf
-rw-r--r-- 1 root root 190 Aug 3 17:53 25_dcc.cf
-rw-r--r-- 1 root root 1990 Aug 3 17:53 25_dkim.cf
-rw-r--r-- 1 root root 1944 Aug 3 17:53 25_domainkeys.cf
-rw-r--r-- 1 root root 2735 Aug 3 17:53 25_hashcash.cf
-rw-r--r-- 1 root root 189 Aug 3 17:53 25_pyzor.cf
-rw-r--r-- 1 root root 2201 Aug 3 17:53 25_razor2.cf
-rw-r--r-- 1 root root 8339 Aug 3 17:53 25_replace.cf
-rw-r--r-- 1 root root 2870 Aug 3 17:53 25_spf.cf
-rw-r--r-- 1 root root 352 Aug 3 17:53 25_textcat.cf
-rw-r--r-- 1 root root 7536 Aug 3 17:53 25_uribl.cf
-rw-r--r-- 1 root root 47385 Aug 3 17:53 30_text_de.cf
-rw-r--r-- 1 root root 34883 Aug 3 17:53 30_text_fr.cf
-rw-r--r-- 1 root root 1667 Aug 3 17:53 30_text_it.cf
-rw-r--r-- 1 root root 38211 Aug 3 17:53 30_text_nl.cf
-rw-r--r-- 1 root root 30281 Aug 3 17:53 30_text_pl.cf
-rw-r--r-- 1 root root 2883 Aug 3 17:53 30_text_pt_br.cf
-rw-r--r-- 1 root root 33700 Aug 3 17:53 50_scores.cf
-rw-r--r-- 1 root root 1113 Aug 3 17:53 60_awl.cf
-rw-r--r-- 1 root root 4903 Aug 3 17:53 60_whitelist.cf
-rw-r--r-- 1 root root 2367 Aug 3 17:53 60_whitelist_dkim.cf
-rw-r--r-- 1 root root 3480 Aug 3 17:53 60_whitelist_spf.cf
-rw-r--r-- 1 root root 1723 Aug 3 17:53 60_whitelist_subject.cf
-rw-r--r-- 1 root root 12968 Aug 3 17:53 80_additional.cf
-rw-r--r-- 1 root root 0 Aug 3 17:53 empty.pre
-rw-r--r-- 1 root root 36 Aug 3 17:53 MIRRORED.BY
[EMAIL PROTECTED] spamassassin]#

Regards, Bjorn Jensen
Re: What changes would you make to stop spam? - United Nations Paper
--On Thursday, August 03, 2006 6:43 AM +0100 Graham Murray <[EMAIL PROTECTED]> wrote: ADSL is both always on and 'fixed' (i.e. your phone line is physically connected to a DSLAM port) so the ISPs must have sufficient IP addresses for all their ADSL customers. Not necessarily. A lot of providers have gone to PPPoE, where one goes through an authentication process before being assigned an address. I'm guessing this is intended to allow metering of the connection, not to make more addresses available.
Re: sa-update (sa v 3.1.4)
On Thu, Aug 03, 2006 at 08:56:42AM -0700, Bret Miller wrote: > The Mail::SpamAssassin module doc in 3.1.4 doesn't list local_state_dir > as an option for Mail::SpamAssassin->new. Should it? Is that how an app > is supposed to pass this information? Gah! /me continues cursing JM's addition of local_state_dir So apparently (unbeknownst to me until just now) there isn't a local_state_dir override option that can be passed in, you'd have to set the LOCAL_STATE_DIR macro which will get used ala: '__local_state_dir__/spamassassin/__version__', (where __local_state_dir__ == LOCAL_STATE_DIR, for now) I'll see if I can fix that for 3.1.5 via bug 4952. /me grumbles some more -- Randomly Generated Tagline: "Do not marry a person that you know that you can live with; only marry someone that you cannot live without." - Unknown
Re: Looking for advice on rule creation & regular expressions
Coffey, Neal wrote: Logan Shaw wrote: For what it's worth, I thought all spams of that form were prescription drug spams, but recently I got one like this as well: [snip: rolex, tiffany, etc...] Come to think of it, I've seen one or two of these ones, too, and totally forgot. Guess I'll be making rules for these as well... However, there is one obvious way to do it. Like this: ... Since the first and last characters of all four branches are always the same, you can optimize it a tiny bit by factoring out the common parts of the branches: /A(?:.DVI|D.VI|DV.I|DVI.)L/ Ok. This is looking a little better, then... I've taken your suggestion, and added the possibilities of repeated characters and substitutions for "I" into it.. /A(?:.A?DV[Iilj]|D.D?V[Iilj]|DV.V?[Iilj]|DV[Iilj].[Iilj]?)L/ The little bit of testing I threw at it looks good so far. I'll try it with the actual prescription drug names, do a bit of testing, and share my results. More suggestions for improving the regex are still welcome, of course :) How about.. http://www.sandgnat.com/cmos/ - dhawal
Re: Looking for advice on rule creation & regular expressions
Coffey, Neal wrote: I'm trying to create a rule to catch some of the prescription drug references that come into our system. We're not in pharmaceuticals, so I'm not too concerned about false positives :) Some examples of what I'm looking for (using an innocent drug so I don't trip someone else's filters): ADVwIL ADxDVIL ADxV1L Advjjl Have a look at the ReplaceTags plugin: http://wiki.apache.org/spamassassin/ReplaceTags Also, I have a script that will generate a rule that catches a lot of this type of spam in a similar manner to the ReplaceTags plugin: http://sandgnat.com/cmos/cmos.jsp?words=advil&matchobfuonly=true&multigapenabled=true&multigap=2&duplicatecharsenabled=true&duplicatechars=2 I've come up with a rule that'll match every one of those instances, but also has the unfortunate consequence of matching plain old "ADVIL": /A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?/ You probably want to add a negative lookahead, like so: /(?!\badvil\b)A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?/ This will look ahead for \badvil\b and if found, stop testing the rest of the pattern and the match fails.
Re: What changes would you make to stop spam? - United Nations Paper
--On Wednesday, August 02, 2006 2:47 PM -0700 jdow <[EMAIL PROTECTED]> wrote: That slightly more than a year I spent as perhaps one of the VERY first online stalking victims ever (1985-1987) was a hell I'd rather not repeat. Is this written up somewhere? I'd be interested in understanding the threat.
RE: Looking for advice on rule creation & regular expressions
Logan Shaw wrote: > For what it's worth, I thought all spams of that form were > prescription drug spams, but recently I got one like this as well: > > [snip: rolex, tiffany, etc...] Come to think of it, I've seen one or two of these ones, too, and totally forgot. Guess I'll be making rules for these as well... > However, there is one obvious way to do it. Like this: > ... > Since the first and last characters of all four branches are > always the same, you can optimize it a tiny bit by factoring > out the common parts of the branches: > > /A(?:.DVI|D.VI|DV.I|DVI.)L/ Ok. This is looking a little better, then... I've taken your suggestion, and added the possibilities of repeated characters and substitutions for "I" into it.. /A(?:.A?DV[Iilj]|D.D?V[Iilj]|DV.V?[Iilj]|DV[Iilj].[Iilj]?)L/ The little bit of testing I threw at it looks good so far. I'll try it with the actual prescription drug names, do a bit of testing, and share my results. More suggestions for improving the regex are still welcome, of course :)
RE: sa-update (sa v 3.1.4)
> On Thu, Aug 03, 2006 at 03:28:05PM +0200, Mark Martinec wrote: > > Well, this is not entirely true. It is not the SpamAssassin modules > > that sets a default value for LOCAL_STATE_DIR => '/var/lib' in the > > SA object, but it is the application program that does it: the > > spamassassin, sa-update and spamd. > > True. > > > Which means that other application programs like amavisd-new > > or other callers of SA modules won't see the rules updates > > in /var/lib/spamassasin unless explicitly configured to do so ... > > You would want to make sure that the third party application you're > running supports the version of SA you're using, yes. local_state_dir > was an API change from 3.1.0, unfortunately, but it's been known about > for several months now. The Mail::SpamAssassin module doc in 3.1.4 doesn't list local_state_dir as an option for Mail::SpamAssassin->new. Should it? Is that how an app is supposed to pass this information? Bret
Re: What changes would you make to stop spam? - United Nations Paper
--On Wednesday, August 02, 2006 3:25 PM -0700 jdow <[EMAIL PROTECTED]> wrote: I keep several gigabytes of email data around. With POP3 it is easy to store locally. With IMAP it's a pain in the . My boss logs in from several computers, including a laptop he takes everywhere. I got tired of keeping all his POP3 mail stores in sync using scripts, so I switched him to IMAP, and set Mozilla on his clients to keep local mirrors (particularly important for detached work). The wire-level work is about the same, but I don't have to maintain a bunch of scripts anymore. It's our server, not an ISP's, so we don't have to worry about size constraints. (And this is also an argument for allowing savvy users to operate servers at home, to provide high-volume mail storage accessible from anywhere in the world.)
Re: What changes would you make to stop spam? - United Nations Paper
Kenneth Porter wrote: > > What I don't understand is how making them use the ISP server stops them > from spamming any more than rate-limiting direct port 25 connections. Why > do the packets need to be reassembled in an MTA and stored and forwarded? > What does that step buy you? > I don't want to make the zombies use the ISP's SMTP server, I want to stop them from spamming. Right now they can only connect directly to the Internet so if the ISP blocks direct SMTP outgoing the zombies stop working, they can't deliver their spam. Probably they will then be adapted to figure out and use the ISP's SMTP server, but that makes them easy to detect for the ISP. Apart from the SMTP-servers from the ISP there may be some other addresses you legitimately want to access with SMTP, could be serviced by the ISP with a web-interface where you can configure a certain number of accessible IP addresses. Regards Menno van Bennekom
Re: Looking for advice on rule creation & regular expressions
On Thu, 3 Aug 2006, Coffey, Neal wrote: I'm trying to create a rule to catch some of the prescription drug references that come into our system. We're not in pharmaceuticals, so I'm not too concerned about false positives :) Some examples of what I'm looking for (using an innocent drug so I don't trip someone else's filters): ADVwIL ADxDVIL ADxV1L Advjjl For what it's worth, I thought all spams of that form were prescription drug spams, but recently I got one like this as well: Subject: Re: nunocREjPLICA OMxEGA ROxLEX BRxEITLING CAxRTIER BVxLGARI PAxTEK TIxFFANY & CO Or summed up in english: insertion of a random character, the same thing but with a letter repeated, inserted character and "1" (or "l") instead of "I", and the recent (and odd) occurrence of "I" replaced with "jj". I've come up with a rule that'll match every one of those instances, but also has the unfortunate consequence of matching plain old "ADVIL": /A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?/ I'm fairly sure there is no sane way to do this with "?" operators in a regexp. However, there is one obvious way to do it. Like this: /A.DVIL|AD.VIL|ADV.IL|ADVI.L/ Basically, if there is exactly one extra character, then it will have to occur in one of 4 positions (in a 5-character word), assuming it doesn't occur at the very beginning or very end. So, you have 4 possible paths to take through the regexp, one for each position that the extra character occurs in. Since the first and last characters of all four branches are always the same, you can optimize it a tiny bit by factoring out the common parts of the branches: /A(?:.DVI|D.VI|DV.I|DVI.)L/ Hope that helps. - Logan
Re: What changes would you make to stop spam? - United Nations Paper
--On Wednesday, August 02, 2006 2:03 PM -0500 Logan Shaw <[EMAIL PROTECTED]> wrote: What might really be nice is some sort of language that could be used to write up a document to configure a mail client for a given ISP and user. It could configure all necessary settings and would work with any client, making this a one-step process even if 10 or 20 different settings have to be entered. Is LDAP a reasonable choice for this? At one point Cyrusoft Mulberry was pushing ACAP, but that doesn't seem to have caught on. But it seems like every list I'm on is mentioning LDAP for authentication for some service, so maybe email client settings can be stored there. One then just configures the LDAP login info. One would need to standardize an LDAP schema for this configuration, though.
Re: What changes would you make to stop spam? - United Nations Paper
--On Wednesday, August 02, 2006 12:02 PM -0700 MennovB <[EMAIL PROTECTED]> wrote: Anyway, IMHO with SYN throttle you would only be rate-limiting the zombies, I would rather they stopped sending spam completely.. What I don't understand is how making them use the ISP server stops them from spamming any more than rate-limiting direct port 25 connections. Why do the packets need to be reassembled in an MTA and stored and forwarded? What does that step buy you?
Looking for advice on rule creation & regular expressions
I'm trying to create a rule to catch some of the prescription drug references that come into our system. We're not in pharmaceuticals, so I'm not too concerned about false positives :) Some examples of what I'm looking for (using an innocent drug so I don't trip someone else's filters): ADVwIL ADxDVIL ADxV1L Advjjl Or summed up in english: insertion of a random character, the same thing but with a letter repeated, inserted character and "1" (or "l") instead of "I", and the recent (and odd) occurrence of "I" replaced with "jj". I've come up with a rule that'll match every one of those instances, but also has the unfortunate consequence of matching plain old "ADVIL": /A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?/ Now, I'm by no means a regular expression guru. I'm hoping someone on this list can help me refine this a bit, either by sharing a method of making it match the obfuscated name without matching the unobfuscated name, or even a different approach to the same end. Any advice?
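The three approaches in this thread side by side, as an added example that is not code from the thread or from SpamAssassin: Neal's loose rule (which also matches plain ADVIL), dhawal's negative-lookahead guard in front of it, and Logan's one-branch-per-insert-position pattern generalised into a small generator that builds the pattern for any word and also covers Neal's repeated-letter and look-alike cases. Python's re module accepts these constructs with the same syntax Perl does, so the generated pattern can be pasted into a body rule. The four sample strings are Neal's; the look-alike table, the rule name, score and the choice of a body rule are assumptions.

```python
import re

# Constructed sample input: the four obfuscations Neal posted, plus the
# plain word that his first rule wrongly matched.
OBFUSCATED = ["ADVwIL", "ADxDVIL", "ADxV1L", "Advjjl"]
PLAIN = "ADVIL"

# Neal's original rule: catches all four, but also plain ADVIL.
LOOSE = re.compile(
    r"A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?", re.IGNORECASE)

# dhawal's fix: a negative lookahead at the start refuses the unobfuscated word.
GUARDED = re.compile(
    r"(?!\badvil\b)A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?",
    re.IGNORECASE)

# Look-alike substitutions seen in obfuscated words.  The table is an
# assumption; extend it from your own spam corpus.
LOOKALIKES = {"I": "[Il1j]", "O": "[O0]", "E": "[E3]", "S": "[S5]"}


def _atom(ch):
    """One letter of the word as a character class (or the escaped letter)."""
    return LOOKALIKES.get(ch.upper(), re.escape(ch.upper()))


def obfuscated_pattern(word):
    """Logan's branch-per-position idea, generalised to any word.

    One branch per internal gap; each branch forces exactly one inserted
    character (.) at that gap and optionally lets the letter before the gap
    repeat after it (AD x D VIL).  Every branch consumes one character more
    than the word has, so the plain word can never match.
    """
    w = word.upper()
    branches = []
    for i in range(1, len(w)):
        left = "".join(_atom(c) for c in w[:i])
        right = "".join(_atom(c) for c in w[i:])
        branches.append(left + "." + _atom(w[i - 1]) + "?" + right)
    return "(?:" + "|".join(branches) + ")"


def compile_rule(word):
    return re.compile(obfuscated_pattern(word), re.IGNORECASE)


def matches_obfuscated(word, text):
    return compile_rule(word).search(text) is not None


def sa_rule(name, word, score=2.0):
    """Render the generated pattern as a SpamAssassin body rule; rule name,
    score and rule type are the caller's choice (assumed values here)."""
    return "\n".join([
        f"body {name} /{obfuscated_pattern(word)}/i",
        f"describe {name} obfuscated spelling of {word.upper()}",
        f"score {name} {score}",
    ])


if __name__ == "__main__":
    for s in OBFUSCATED + [PLAIN]:
        print(f"{s:8} loose={bool(LOOSE.search(s))} "
              f"guarded={bool(GUARDED.search(s))} "
              f"generated={matches_obfuscated('advil', s)}")
    print(sa_rule("LOCAL_OBFU_ADVIL", "advil"))
```

Like Neal's rule, the generated pattern matches anywhere in the body, so a legitimate word that happens to contain the obfuscated shape will also hit; wrap the pattern in \b anchors or raise the score only through a meta rule if that turns up in your ham.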
Re: sa-update error
On Thu, Aug 03, 2006 at 04:08:16PM +0100, Nigel Frankcom wrote: > >> channel: attempt to rm channel pre file failed, attempting to continue > >> anyway at /usr/bin/sa-update line 694 > >> --lint -D shows no errors, just wondering if I should be concerned? > > I don't use updatedir - just straight sa-update. I'll add detail to > the ticket Aha! I see the issue! Crap! Yeah, please open the ticket and I'll get a patch written up. Dang it. -- Randomly Generated Tagline: "It timed me out... I hate Windows." - Prof. Farr
Re: Allowing IMAP/POP to Send Email
On Thu, 3 Aug 2006, Marc Perkel wrote:

Not really - what I'm proposing is that the IMAP connection just pipe the message into an SMTP server. The IMAP is acting only as an authenticated connection back to SMTP. I'm not suggesting replacing SMTP. What I'm suggesting is that POP/IMAP can be used as a transport to get the mail there because it's an existing connection, is already established, is already authenticated with the credentials of the email account, and it isn't a port that people would block like port 25 is. I'm not trying to replace SMTP. I'm just trying to suggest a better way for end users to get outgoing email to the SMTP server.

Yes. You've already said that. What you're trying to do is create an internet where SMTP traffic only occurs between legitimate servers. You then claim that if such an internet existed, there would be a huge impact against spam. I have to concur that if that were true, spam would be greatly reduced.

Here's the problem though. We've got a logical syllogism here: "If X, then Y." The "X" is "only legitimate servers speak SMTP", and the "Y" is "spam will be greatly reduced". I agree that the "if X, then Y" part of this argument is sound. The problem is, for Y to logically follow, you have to establish X.

A syllogism works like this:
1. If X, then Y.
2. X is known to be true.
3. Therefore, Y is true.

Part 1 is called the major premise. Part 2 is called the minor premise. Part 3 is the conclusion. Your argument is missing the minor premise. You have to establish the minor premise or your argument will have no validity. So then, do you wish to give up on your argument, or do you wish to explain how you're going to accomplish this feat of making sure that only legitimate servers try to contact other servers via SMTP?

- Logan
Re: sa-update error
On Thu, 3 Aug 2006 10:06:31 -0400, Theo Van Dinter <[EMAIL PROTECTED]> wrote:

>On Thu, Aug 03, 2006 at 10:19:44AM +0100, Nigel Frankcom wrote:
>> channel: attempt to rm channel pre file failed, attempting to continue
>> anyway at /usr/bin/sa-update line 694
>> --lint -D shows no errors, just wondering if I should be concerned?
>
>Hrm. Well, it's one of those "features" as opposed to a bug
>(though I'd appreciate it if you could open a BZ ticket about it:
>http://issues.apache.org/SpamAssassin/). In short, there's no problem --
>it'll happen the first time you run sa-update in 3.1.4 and you're using
>updatedir to aim at a non-standard (and already existing) location.
>
>The code assumes that certain files should exist if the update directory
>already exists, so when it tries to delete the files and they're not
>there, it shows a warning -- but if this is the first time sa-update
>from 3.1.4 is run, the channel pre file won't exist.

I don't use updatedir - just straight sa-update. I'll add detail to the ticket.

Kind regards

Nigel
Re: sa-update (sa v 3.1.4)
On Thu, Aug 03, 2006 at 03:33:59PM +0100, Mike Bostock wrote:
> OK Now I am really confused. Do I assume that SpamAssassin looks in
> /var/lib/spamassassin// for rules definitions and not
> /usr/share/spamassassin?

Right -- if the update directory exists, SA will use that instead of the default rules directory.

--
Randomly Generated Tagline:
"It was entirely possible to read a Russian novel during the pause between stepping on the gas and feeling any semblance of forward motion." - Unknown about the AMC Gremlin
Re: sa-update (sa v 3.1.4)
On Thu, Aug 03, 2006 at 10:15:47AM -0400, Will Nordmeyer wrote:
> If I run sa-update without any other parameters, it'll create an update
> dir put the updates in it and spamassassin will use the generated
> updates dir by default (do I need to restart SA, or does sa-update
> handle that?).

Yes. As for restart, sa-update won't do that for you.

> If I use the --updatedir parameter I have to go into SA and rewrite it
> to use my updatedir.

Or otherwise include the new config files in some other way, a la in /etc/mail/spamassassin/local.cf (or a similarly named file):

    include /where/I/want/updates/to/be/channel.cf

I forgot to mention this in my previous mail, sorry.

> If I use --updatedir and point it to the SA default rules dir, I'm
> screwed.

Not screwed, but you'll break some parts of SpamAssassin, yes. The default rules directory is meant to be written to during installation and that's it. In the end, you can do what you want with it, but if you remove critical files, you shouldn't expect things to work correctly.

> Have I summarized sa-update usage properly?

You're intimating that sa-update sucks, where IMHO the problems described here are with its usage and an expectation that the software in general should DWIM as opposed to DWIS. In general, if you don't like how something works, feel free to open a ticket and provide a patch. :)

--
Randomly Generated Tagline:
"There's not much you can do to ruin strips of marinated boneless chicken breast sauteed with onions and green peppers." - the Center for Science in the Public Interest about Chicken Fajitas
Re: Am I wasting my time with SpamCop?
[EMAIL PROTECTED] writes:
> On Wed, 2 Aug 2006, Andrzej Adam Filip wrote:
>
>> "Steven W. Orr" <[EMAIL PROTECTED]> writes:
>>
>> > On Wednesday, Aug 2nd 2006 at 13:50 -0700, quoth Derek Harding:
>> >
>> > =>On Wed, 2006-08-02 at 16:37 -0400, Tom Ray wrote:
>> > =>> Anyone serious about stopping SPAM should not use SpamCop. They have no
>> > =>> real checking method, it's like AOL's spam blocking method...they just
>> > =>> let users submit what they think is spam and then block it. It's
>> > =>> pointless. There's not even a way to contact anyone at SpamCop to fix a
>> > =>> falsely listed server or what not.
>> > =>
>> > =>Spamcop has its problems, some very serious, however the above
>> >
>> > Hold on there Bullwinkle! I have been religiously using spamcop in the
>> > hopes that the reports that are sent out get used by at least some of the
>> > ISPs. Am I wrong about this?
>>
>> They help keep *good* ISPs clean. Bad ISPs care very little.
>> I assume I receive <1% of received spam from good ISPs.
>>
>> It is not a bad idea to post copies of spamcop.net submitted spam (after
>> munging) to NANAS with spamcop.net report link.
>
> I like to think that I'm a "good ISP", but I've had at least one of my
> servers listed a few times by them. They delist in 24 hours, but there
> are still people who reject using SpamCop as a BL. I do not recommend
> this.
>
> Spamcop lists any server that bounces email into one of their spam traps.
> I contacted them via their newsgroups and they are adamant that no server
> should ever bounce email or have any kind of autoreply.
>
> While I agree that bouncing (as opposed to rejecting) email because it is
> detected as spam or a virus is very bad, they're basically insisting that
> you violate RFCs 2821 and 3464. If you have customer autoresponders,
> you're SOL. If you host mailing lists that use an autoreply confirmation
> (itself an anti-spam measure), you're SOL. They insist that this is "bad
> behavior". I insist that it's necessary for my business and in
> compliance with all applicable RFCs.
>
> I use them in SA...2.0 score, which I lowered from 3.5 when I noticed that
> yahoo groups were listed. But the only BLs I reject against are sbl-xbl,
> which catches a big chunk with virtually no false positives.
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> [EMAIL PROTECTED]
> http://3.am

Steven and I were talking about using spamcop.net for spam reporting to the responsible ISP. You talk about spam blocking/scoring.

--
[pl2en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
Re: Am I wasting my time with SpamCop?
David Baron <[EMAIL PROTECTED]> writes:
> On Wednesday 02 August 2006 23:09, Zinski, Steve wrote:
>> I use SpamCop to report my spam.
>>
>> I use the SpamHaus RBL as a first line of defense then I use
>> SpamAssassin to catch the rest of the spam coming to my server.
>>
>> Am I wasting my time? Should I just delete low-scoring spam and let the
>> honeypots harvest and report to the various RBLs, or should I keep
>> reporting spam via SpamCop (which wastes a lot of my time).
>
> SpamCop has disabled subscriptions to mailing lists several times because of
> erroneous alerting. I have reported them to my provider's "abuse" handlers. I
> therefore do not recommend SpamCop.

Make a *clear* distinction between the three basic ways of using spamcop.net:

1) email blocking at MTA level [may be controversial because of "zero+ tolerance"]
2) scoring by SpamAssassin [score may be decreased or zeroed]
3) spam *reporting* (automatization of sending LARTs) [*I recommend it*]

--
[pl2en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
Re: sa-update (sa v 3.1.4)
Theo,

> > to change Mail::SpamAssassin to provide a suitable default
> > for LOCAL_STATE_DIR. Please consider this a feature request.
>
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4952 :)

Appreciated!

> > # sa-update --updatedir /usr/local/share/spamassassin
>
> Warning: This will break your installation -- there are files in
> def_rules_dir that aren't in the updates, and sa-update will be
> happy to delete all of the files in the directory for you.
> local_state_dir and def_rules_dir are not interchangeable.

Ouch, thanks. Sorry for spreading false suggestions.

Mark
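The rules-directory behaviour that comes up repeatedly in this thread (sa-update writes into its versioned update directory; SpamAssassin reads from that directory instead of the default rules directory once it exists; a non-default --updatedir needs an include line in local.cf; and --updatedir must never point at def_rules_dir, because sa-update would delete the files there) can be turned into a few checks a sysadmin runs before invoking sa-update. The script below is an added example for this thread, not code from SpamAssassin or from anyone posting here. The defaults /usr/share/spamassassin and /var/lib/spamassassin, the channel file name updates_spamassassin_org.cf, and all function names are assumptions made for the example; override the directories via the environment if your build differs.

```shell
#!/bin/sh
# Added example (not SpamAssassin code): guard rails for sa-update --updatedir.
#
# Assumptions, constructed for this example:
#   DEF_RULES_DIR - the package's default rules dir (def_rules_dir)
#   LOCAL_STATE   - where sa-update normally writes (local_state_dir)
#   the default channel file is named updates_spamassassin_org.cf

DEF_RULES_DIR=${DEF_RULES_DIR:-/usr/share/spamassassin}
LOCAL_STATE=${LOCAL_STATE:-/var/lib/spamassassin}

# Strip trailing slashes so "/usr/share/spamassassin/" compares equal
# to "/usr/share/spamassassin".
normalize_dir() {
    printf '%s\n' "$1" | sed 's:/*$::'
}

# Returns 0 if DIR is safe to pass as --updatedir, 1 if it is the default
# rules directory (sa-update would remove the files there that are not part
# of the update and break the installation).
updatedir_is_safe() {
    [ "$(normalize_dir "$1")" != "$(normalize_dir "$DEF_RULES_DIR")" ]
}

# Prints the directory SpamAssassin will actually read rules from: the
# versioned update directory when it exists, otherwise the default rules dir.
# $1 is the version-number directory name sa-update created (e.g. 3.001003).
effective_rules_dir() {
    upd="$LOCAL_STATE/$1"
    if [ -d "$upd" ]; then
        printf '%s\n' "$upd"
    else
        printf '%s\n' "$DEF_RULES_DIR"
    fi
}

# Appends "include DIR/CHANNEL.cf" to a local.cf exactly once, so rules
# placed in a non-default --updatedir are still loaded by SpamAssassin.
ensure_include() {
    cf=$1
    dir=$(normalize_dir "$2")
    channel=${3:-updates_spamassassin_org}
    line="include $dir/$channel.cf"
    if ! grep -qxF -- "$line" "$cf" 2>/dev/null; then
        printf '%s\n' "$line" >> "$cf"
    fi
}

# Typical use before a custom run of sa-update:
#   updatedir_is_safe /srv/sa-updates || { echo "refusing: that is def_rules_dir"; exit 1; }
#   ensure_include /etc/mail/spamassassin/local.cf /srv/sa-updates
#   sa-update --updatedir /srv/sa-updates
#   echo "rules now read from: $(effective_rules_dir 3.001004)"
```

After running it, spamassassin --lint -D still has to be run by hand and the daemon restarted, since (as noted above) sa-update does neither for you.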
Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'
Theo Van Dinter wrote:
> On Thu, Aug 03, 2006 at 02:14:38PM +0200, Matthias Keller wrote:
>
>> I downloaded the archive for 3.1.0 and there's no Timeout.pm at all - so
>> I guess this has been introduced in 3.1.1 or so..?
>
> Correct, it was added into 3.1.1 (bug 4696).
>
>> Does anyone know if it's safe to leave it out?
>
> I haven't looked at the plugin -- if the Timeout code is not actively being
> used by the plugin, then you should be able to just comment out the line.

Hmm, it seems to be used, at least I find one occurrence of Mail::SpamAssassin::Timeout in the .pm file:

    #
    # Limit the scantime
    #
    $permsgstatus->enter_helper_run_mode();
    my $timer = Mail::SpamAssassin::Timeout->new({ secs => $self->{main}->{conf}->{ocrtext_timeout} });
    my $err = $timer->run_and_catch(sub {
    ..

So I guess this plugin really only runs from 3.1.1 onwards??

> The flip side is, why are you still running 3.1.0? ;)

I know, but this is a production system and I'll have to test an upgrade first on the test server as I can't take any risks on that server... But an upgrade is on top of my to-do list.

Matt
Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'
Davin Flatten wrote:
> Just thought this might help someone out. Thanks to M. Blapp for an excellent SA Plugin. Optical Character Recognition (OCR) can be used to nab those pesky spam messages that are hidden in gif, jpeg, or png images...

This OCR stuff looks promising. Any comments on performance? How much extra load does it put on a server?
Re: sa-update (sa v 3.1.4)
In your message regarding Re: sa-update (sa v 3.1.4) dated Thu, 3 Aug 2006 15:16:42 +0100, Obantec Support said that ...

>OS- - Original Message -
>OS- From: "Theo Van Dinter" <[EMAIL PROTECTED]>
>OS- To:
>OS- Sent: Thursday, August 03, 2006 3:01 PM
>OS- Subject: Re: sa-update (sa v 3.1.4)
>OS-
>OS- Hi Theo
>OS-
>OS- you're right, I just ran sa-update and it updated the
>OS- /var/lib/spamassassin/3.001003 folder files.
>OS-
>OS- Mark

OK, now I am really confused. Do I assume that SpamAssassin looks in /var/lib/spamassassin// for rules definitions and not /usr/share/spamassassin?

--
Mike
Re: Allowing IMAP/POP to Send Email
* Marc Perkel wrote (03/08/06 14:39):
> Tony Finch wrote:
>> The reason that message submission is done with SMTP is because of the
>> number of SMTP extensions that the MUA will want to use, in particular
>> DSNs, deliver-by, deliver-after, message tracking, and whatever else may
>> be invented in the future. If you want to make message submission a part
>> of IMAP and POP then you'll have to re-do all these SMTP extensions
>> twice, which is a colossal waste of time.
>
> Not really - what I'm proposing is that the IMAP connection just pipe the
> message into an SMTP server. The IMAP is acting only as an authenticated
> connection back to SMTP. I'm not suggesting replacing SMTP. What I'm
> suggesting is that POP/IMAP can be used as a transport to get the mail
> there because it's an existing connection, is already established, is
> already authenticated with the credentials of the email account, and it
> isn't a port that people would block like port 25 is. I'm not trying to
> replace SMTP. I'm just trying to suggest a better way for end users to get
> outgoing email to the SMTP server.

What if I set up an SMTP server at home behind my ADSL router, collect my vanity-domain mail there, and access it via IMAP or POP3? It seems I only have one option, which is to send my mail via IMAP to my home server. Which then sends via SMTP to... the Internet (or via a smarthost). And the home server sending via SMTP is going to look a bit like a MUA sending via SMTP. How would you tell the difference?

Is a home mail server outlawed in the brave new world? Or does my SMTP server have to learn to talk IMAP to make message submissions to the ISP's server?

Chris
Re: sa-update (sa v 3.1.4)
- Original Message -
From: "Theo Van Dinter" <[EMAIL PROTECTED]>
To:
Sent: Thursday, August 03, 2006 3:01 PM
Subject: Re: sa-update (sa v 3.1.4)

Hi Theo

you're right, I just ran sa-update and it updated the /var/lib/spamassassin/3.001003 folder files.

Mark