Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread John Rudd


On Aug 3, 2006, at 11:16 PM, [EMAIL PROTECTED] wrote:





From: "Kenneth Porter" <[EMAIL PROTECTED]>

--On Wednesday, August 02, 2006 12:02 PM -0700 MennovB <[EMAIL PROTECTED]> wrote:

Anyway, IMHO with SYN throttle you would only be rate-limiting the
zombies, I would rather they stopped sending spam completely..

What I don't understand is how making them use the ISP server stops them
from spamming any more than rate-limiting direct port 25 connections. Why
do the packets need to be reassembled in an MTA and stored and forwarded?
What does that step buy you?


For that matter, how in  would an IMAP MUA handle BCC?
{^_-}



Hi,

since a certain amount of spam I get is just bcc'd, making bcc harder 
could reduce spam :)


I've been re-thinking Marc's "IMAP for sending, instead of SMTP" 
proposal.  And this "block Bcc" part got me thinking even more.


I think he may be on to something.  But let's take it one step further.

Email via fingerd.  That'll throw off the spammers.

And to slow down their spam-bot attacks, I propose we replace the 
internet backbones with the long-proposed-but-never-implemented 
IP-via-carrier-pigeon.  We'll need an authentication scheme to go with 
this.  I'm going to suggest a GSSAPI method for wax envelope seals.  
Perfect for carrier pigeon packets.  And _EACH_ packet is individually 
authenticated.  PERFECT!


And we'll send preferred traffic (because we hate net neutrality!) over 
bongo-net.


I think this new internet architecture will stop the spammers in their 
tracks.  No, really, it will.




Re: whitelist poisoned? spam getting through

2006-08-03 Thread Kelson Vibber
On Thursday 03 August 2006 11:02 pm, Mathias Homann wrote:
> how can it be that the attached spam got through... the SA report
> says "user in whitelist", thus it gave the spam a really high
> negative score. How can that be, or rather, how can i stop it?

Looks like they used the same address for both the envelope sender and the 
recipient ([EMAIL PROTECTED]).  This is easy to do, and more common than you 
might think.

> Return-Path: <[EMAIL PROTECTED]>
...
> To: [EMAIL PROTECTED]

Simple answer: don't whitelist your own address.  Some spammers will do this 
deliberately, hoping it will get them past filters.

-- 
Kelson Vibber
SpeedGate Communications, 
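
The check described in this reply, as an added example that is not part of the original post: it reads a message's `Return-Path`, recipient headers and `X-Spam-Status`, flags mail whose envelope sender equals the recipient, and reports what the score would have been without `USER_IN_WHITELIST`. The addresses and both sample messages are constructed; the -100 value is SpamAssassin's stock score for that rule and is an assumption about the local configuration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Stock SpamAssassin score for USER_IN_WHITELIST; a site may override it.
USER_IN_WHITELIST_SCORE = -100.0


def parse_spam_status(value):
    """Return (score, required, tests) from an X-Spam-Status header value."""
    # Unfold the header and close the gaps that folding leaves in the test list.
    flat = re.sub(r",\s+", ",", " ".join(value.split()))
    nums = re.search(r"score=(-?[\d.]+) required=(-?[\d.]+)", flat)
    if not nums:
        return None, None, set()
    tests = re.search(r"tests=(\S+)", flat)
    names = set(tests.group(1).split(",")) if tests else set()
    return float(nums.group(1)), float(nums.group(2)), names


def audit(raw_message):
    """Report whether a whitelist hit on a self-addressed message hid a spam score."""
    msg = message_from_string(raw_message)
    score, required, tests = parse_spam_status(msg.get("X-Spam-Status", ""))
    if score is None:
        return None
    # Envelope sender(s) as recorded by the delivering MTA.
    senders = {parseaddr(v)[1].lower() for v in msg.get_all("Return-Path", [])}
    senders.discard("")
    rcpt_headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
    recipients = {addr.lower() for _, addr in getaddresses(rcpt_headers) if addr}
    whitelisted = "USER_IN_WHITELIST" in tests
    unmasked = round(score - USER_IN_WHITELIST_SCORE, 1) if whitelisted else score
    return {
        "self_addressed": bool(senders & recipients),
        "whitelisted": whitelisted,
        "score": score,
        "score_without_whitelist": unmasked,
        # True when the message passed only because of the whitelist hit.
        "masked_by_whitelist": whitelisted and score < required <= unmasked,
    }


# Constructed sample: sender forged to equal the recipient, as in the thread.
SPAM_SAMPLE = """\
Return-Path: <user@example.org>
X-Spam-Status: No, score=-44.8 required=5.0
\ttests=BAYES_99,FORGED_MUA_OUTLOOK,HELO_DYNAMIC_IPADDR,HTML_IMAGE_ONLY_08,
\tRCVD_IN_XBL,URIBL_JP_SURBL,USER_IN_WHITELIST autolearn=no version=3.1.3
From: "constructed sender" <other@example.com>
To: user@example.org
Subject: constructed sample

body
"""

# Constructed sample: a genuinely whitelisted correspondent.
HAM_SAMPLE = """\
Return-Path: <friend@example.net>
X-Spam-Status: No, score=-99.0 required=5.0
\ttests=HTML_MESSAGE,USER_IN_WHITELIST autolearn=no version=3.1.3
From: friend@example.net
To: user@example.org
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        print(label, audit(sample))
```

Run over a mailbox, the `self_addressed` and `masked_by_whitelist` flags together pick out the messages that a whitelist entry for one's own address let through.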


Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread hamann . w


>> From: "Kenneth Porter" <[EMAIL PROTECTED]>
>> 
>> > --On Wednesday, August 02, 2006 12:02 PM -0700 MennovB <[EMAIL PROTECTED]> 
>> > wrote:
>> > 
>> >> Anyway, IMHO with SYN throttle you would only be rate-limiting the
>> >> zombies, I would rather they stopped sending spam completely..
>> > 
>> > What I don't understand is how making them use the ISP server stops them 
>> > from spamming any more than rate-limiting direct port 25 connections. Why 
>> > do the packets need to be reassembled in an MTA and stored and forwarded? 
>> > What does that step buy you?
>> 
>> For that matter, how in  would an IMAP MUA handle BCC?
>> {^_-}
>> 

Hi,

since a certain amount of spam I get is just bcc'd, making bcc harder could 
reduce spam :)
or make spammers rethink their methods :(

Wolfgang Hamann



whitelist poisoned? spam getting through

2006-08-03 Thread Mathias Homann
Hi,


how can it be that the attached spam got through... the SA report 
says "user in whitelist", thus it gave the spam a really high 
negative score. How can that be, or rather, how can i stop it?

bye,
MH

--- spam starts here ---
Return-Path: <[EMAIL PROTECTED]>
X-Sieve: cmu-sieve 2.0
Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on 
celebrimbor.eregion.home
X-Spam-Status: No, score=-44.8 required=5.0 
tests=BAYES_99,EXTRA_MPART_TYPE,
FORGED_MUA_OUTLOOK,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_90_100,
HTML_IMAGE_ONLY_08,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,

MIME_BOUND_NEXTPART,MIME_HTML_MOSTLY,MSGID_DOLLARS_RANDOM,MSGID_RANDY,
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
RCVD_IN_XBL,UNPARSEABLE_RELAY,URIBL_JP_SURBL,URIBL_OB_SURBL,
URIBL_SC_SURBL,URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no 
version=3.1.3
X-Spam-Level: 
Received: from www.eregion.de (unknown [127.0.0.1])
by www.eregion.de (Postfix on SuSE Linux 8.0 (i386)) with ESMTP id 
3F83618B6F
for <[EMAIL PROTECTED]>; Fri,  4 Aug 2006 03:05:16 + 
(UTC)
Received: from localhost (localhost [127.0.0.1])
by www.eregion.de (Postfix on SuSE Linux 8.0 (i386)) with ESMTP id 
DBB5918B6D
for <[EMAIL PROTECTED]>; Fri,  4 Aug 2006 05:05:15 +0200 (CEST)
Delivered-To: [EMAIL PROTECTED]
Received: from mail.megatokyo.de [88.198.0.105]
by localhost with POP3 (fetchmail-5.9.0)
for [EMAIL PROTECTED] (single-drop); Fri, 04 Aug 2006 05:05:15 +0200 
(CEST)
Received: (qmail 31246 invoked by uid 89); 4 Aug 2006 02:56:27 -
Received: from unknown (HELO dslb-084-057-185-162.pools.arcor-ip.net) 
(84.57.185.162)
  by 0 with SMTP; 4 Aug 2006 02:56:27 -
Received: from filter3.sitebytes.nl (port=20246 helo=31844lwpkxuln)
by dslb-084-057-185-162.pools.arcor-ip.net with smtp
id 3lO-iPq3S-YGM
for [EMAIL PROTECTED]; Fri, 04 Aug 2006 00:32:23 -0300
Message-ID: <[EMAIL PROTECTED]>
From: "susan lynch" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Say No to pain
Date: Fri, 04 Aug 2006 00:32:23 -0300
MIME-Version: 1.0
Content-Type: multipart/related;
  type="multipart/alternative";
  boundary="=_NextPart_000_0076_SKU8Y740.5W2FQM8H"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Virus-Scanned: Fri Aug  4 05:05:18 2006 +0200 (CEST) with ClamAV 
using ClamSMTP on celebrimbor.eregion.home
X-Length: 30555
X-UID: 46438



Re: postres bayes db and high load

2006-08-03 Thread SM

At 09:23 03-08-2006, Dan wrote:
Over the past few weeks, my company's mail server has been 
experiencing high loads that result in SA skipping emails.  I use a 
postgres database to manage bayes, awl and userprefs.  I am pretty 
sure that it is the bayes db that is causing the high load and 
resultant skipping, but I have no idea how to fix the problem.  I 
installed the SA DBI


[snip]


postgreSQL v8.0.4


Upgrade to Postgresql 8.1.4 if you can.  Turn on autovacuum.  Use 
BayesStore::PgSQL.


Regards,
-sm 



Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread jdow

From: "Kenneth Porter" <[EMAIL PROTECTED]>
--On Thursday, August 03, 2006 6:43 AM +0100 Graham Murray 
<[EMAIL PROTECTED]> wrote:



ADSL is both always on and a 'fixed' (ie your phone line is physically
connected to a DSLAM port) so the ISPs must have sufficient IP addresses
for all their ADSL customers.


Not necessarily. A lot of providers have gone to PPPoE, where one goes 
through an authentication process before being assigned an address. I'm 
guessing this is intended to allow metering of the connection, not to make 
more addresses available.


It prevents rogue access.
{^_^}


Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread jdow

From: "Kenneth Porter" <[EMAIL PROTECTED]>

--On Wednesday, August 02, 2006 2:47 PM -0700 jdow <[EMAIL PROTECTED]> 
wrote:



That slightly more than a year I spent as perhaps one of
the VERY first online stalking victims ever (1985-1987) was a hell
I'd rather not repeat.


Is this written up somewhere? I'd be interested in understanding the threat.


Brock Meeks (former MSNBC Chief Washington Correspondent) wrote it
up in about 1987. If you can contact him he might have a writeup
around. All I have, if I can find it, is a printed copy. And given
copyright laws I'm not going to type it into a computer and post it.

{^_^}


Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread jdow

From: "Kenneth Porter" <[EMAIL PROTECTED]>

--On Wednesday, August 02, 2006 12:02 PM -0700 MennovB <[EMAIL PROTECTED]> 
wrote:



Anyway, IMHO with SYN throttle you would only be rate-limiting the
zombies, I would rather they stopped sending spam completely..


What I don't understand is how making them use the ISP server stops them 
from spamming any more than rate-limiting direct port 25 connections. Why 
do the packets need to be reassembled in an MTA and stored and forwarded? 
What does that step buy you?


For that matter, how in  would an IMAP MUA handle BCC?
{^_-}


Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread jdow

From: "MennovB" <[EMAIL PROTECTED]>

jdow wrote:


The direct in that case is probably the fault of the underlying cable
provider more than Earthlink. Did the spam come through the Earthlink
servers or merely from an address that claimed to be Earthlink? By the
way, there is no such address as "cable.earthlink.net". The address
may have been spoofed.


Of course cable.earthlink.net does not exist, you must be joking ;-) and no


===8<---
[EMAIL PROTECTED] ~]$ ping cable.earthlink.net
ping: unknown host cable.earthlink.net
[EMAIL PROTECTED] ~]$
[EMAIL PROTECTED] ~]$ host cable.earthlink.net
[EMAIL PROTECTED] ~]$ dig cable.earthlink.net any

; <<>> DiG 9.3.1 <<>> cable.earthlink.net any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32859
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;cable.earthlink.net.   IN  ANY

;; ANSWER SECTION:
cable.earthlink.net.    86400   IN  NS  itchy.earthlink.net.
cable.earthlink.net.    86400   IN  NS  scratchy.earthlink.net.
cable.earthlink.net.    86400   IN  SOA itchy.earthlink.net. hostmaster.earthlink.net. 2005031800 86400 3600 2592000 86400

;; AUTHORITY SECTION:
cable.earthlink.net.    86400   IN  NS  scratchy.earthlink.net.
cable.earthlink.net.    86400   IN  NS  itchy.earthlink.net.

;; ADDITIONAL SECTION:
itchy.earthlink.net.    1484    IN  A   207.69.188.196
scratchy.earthlink.net. 1484    IN  A   207.69.188.197

;; Query time: 34 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug  3 19:59:24 2006
;; MSG SIZE  rcvd: 187
[EMAIL PROTECTED] ~]$ whois 24.41.24.117
[Querying whois.arin.net]
[whois.arin.net]
EarthLink Network, Inc. EARTHLINK-CABLE (NET-24-41-0-0-1)
 24.41.0.0 - 24.41.95.255
Charter Cable/Monterey Park LAN CBLMPLAN-USER0134 (NET-24-41-24-112-1)
 24.41.24.112 - 24.41.24.119
===8<---

No, I am not kidding or joking. It apparently does not exist. (Although
the response to "host" is intriguing.) The dig any report shows it
"exists" but has no address of its own. Go figure. If it has no
address how can it be sent from cable.earthlink.net. I guess only its
subdomains exist. It is also Charter Cable in Monterey Park. So it is
probably a Charter Cable problem. (That must be a very small corporate
block for them or something like that.) Cable providers seem to be
remarkably lax on security. That probably does not have port 25 blocked.

Did the email submission go through smtpauth.earthlink.net or some
other route? If it didn't go through smtpauth.earthlink.net it is
not Earthlink originated spam.


it is not spoofed.
I mentioned 'cable' so that you could see it is not sent through the server
but directly, meaning port 25 to the Internet seems still wide open for that
host.
Here's the complete address: user-0c2i63l.cable.earthlink.net [24.41.24.117]
Spamassassin got that one fine with URIBL_JP_SURBL and GAPPY_SUBJECT! But I
rather didn't get it at all.. I know I want too much (or too little in this
case).


It looks like Earthlink needs to protect its name from Charter Cable's
predations.

{^_^} 



RE: ImageInfo plugin for SA

2006-08-03 Thread Dallas L. Engelken
> -Original Message-
> From: John Andersen [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, August 03, 2006 8:42 PM
> To: users@spamassassin.apache.org
> Subject: Re: ImageInfo plugin for SA
> 
> On Thursday 03 August 2006 16:50, Theo Van Dinter wrote:
> > On Fri, Aug 04, 2006 at 02:38:48AM +0200, Raymond Dijkxhoorn wrote:
> > > Could you post the altered one also somewhere ?
> >
> > Yeah, the files are in my sandbox:
> > http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/felicity/
> 
> So what happens next week when they switch to jpegs?
> 

I have several recent spam samples where they have used jpegs.  But
after I got gif and png complete and it was hitting so well, I had to
share.

Theo's modifications make it easy to add jpeg support.   I can add to
that tomorrow.

Cya,
Dallas


RE: ImageInfo plugin for SA

2006-08-03 Thread Dallas L. Engelken
> -Original Message-
> From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, August 03, 2006 8:35 PM
> To: users@spamassassin.apache.org
> Subject: Re: ImageInfo plugin for SA
> 
> On Thu, Aug 03, 2006 at 07:05:52PM -0500, Dallas L. Engelken wrote:
> > > I made some major edits (1/3 smaller and also faster :) ), but the
> > > core algorithm is the same.  Overall, very good from my results:
> > 
> > Awesome... Thanks for that!   But no *_MULTI_LARGO hits???  I have tons
> > of these samples (today even)
> 
> I was just comparing the original results to the new results, 
> and neither have the multi hits:
> 
> old:
>   7.127   8.3265   0.1.000   0.873.00  T_DC_GIF_UNO_LARGO
>   3.646   4.2602   0.1.000   0.743.00  T_DC_IMAGE_SPAM
>   0.576   0.6732   0.1.000   0.233.00  T_DC_PNG_UNO_LARGO
>   0.000   0.   0.0.500   0.164.00  T_DC_GIF_MULTI_LARGO
>   0.000   0.   0.0.500   0.164.00  T_DC_PNG_MULTI_LARGO
> 
> new:
>   7.162   8.3673   0.1.000   0.933.00  T_DC_GIF_UNO_LARGO
>   3.681   4.3010   0.1.000   0.793.00  T_DC_IMAGE_SPAM
>   0.576   0.6732   0.1.000   0.243.00  T_DC_PNG_UNO_LARGO
>   0.000   0.   0.0.500   0.174.00  T_DC_PNG_MULTI_LARGO
>   0.000   0.   0.0.500   0.174.00  T_DC_GIF_MULTI_LARGO
> 
> Aha...  I think I see the problem, your cf file had a typo that I didn't
> catch (missing leading __ ...)  :(   the new new results:
> 

Damn it.  I see the problem on GIF_ATTACH_4P now..  

>   7.162   8.3673   0.1.000   0.953.00  T_DC_GIF_UNO_LARGO
>   4.016   4.6920   0.1.000   0.843.00  T_DC_IMAGE_SPAM
>   0.666   0.7786   0.1.000   0.364.00  T_DC_GIF_MULTI_LARGO
>   0.576   0.6732   0.1.000   0.313.00  T_DC_PNG_UNO_LARGO
>   0.000   0.   0.0.500   0.254.00  T_DC_PNG_MULTI_LARGO
> 

That looks better.  I guess I can't find any sliced png samples here
either.  Oh well, little overhead to keep it just in case, since the
work's done once.

Dallas



Re: Required Score parameter

2006-08-03 Thread jdow

From: "Patrick Sherrill" <[EMAIL PROTECTED]>

Sorry to bother the list, but I can't seem to find where spamassassin 
(v3.1.0) is getting the required_score from.  The headers show a required 
score of 5.5 and the required_score (required_hits) in local.cf is 4.8. I 
also checked the user_prefs in .spamassassin which is set to 5.  Can someone 
tell me what I'm missing?

TIA
Pat...


grep required_score /etc/mail/spamassassin/*.cf

Also make sure the user_prefs you looked at is really the user_prefs
spamc/spamd is using.

{^_^}


Re: Allowing IMAP/POP to Send Email

2006-08-03 Thread jdow

From: "Marc Perkel" <[EMAIL PROTECTED]>

Logan Shaw wrote:

On Thu, 3 Aug 2006, Marc Perkel wrote:
Not really - what I'm proposing is that the IMAP connection just pipe 
the message into an SMTP server. The IMAP is acting only as an 
authenticated connection back to SMTP. I'm not suggesting replacing 
SMTP. What I'm suggesting is that POP/IMAP can be used as a transport 
to get the mail there because it's an existing connection, is already 
established, is already authenticated with the credentials of the 
email account, and it isn't a port that people would block like port 
25 is.


I'm not trying to replace SMTP. I'm just trying to suggest a better 
way for end users to get outgoing email to the SMTP server.


Yes.  You've already said that.  What you're trying to do
is create an internet where SMTP traffic only occurs between
legitimate servers.  You then claim that if such an internet
existed, there would be a huge impact against spam.  I have
to concur that if that were true, spam would be greatly reduced.

Here's the problem though.  We've got a logical syllogism here:
"If X, then Y."  The "X" is "only legitimate servers speak
SMTP", and the "Y" is "spam will be greatly reduced".

I agree that the "if X, then Y" part of this argument is
sound.  The problem is, for Y to logically follow, you have
to establish X.  A syllogism works like this:

1.  If X, then Y.
2.  X is known to be true.
3.  Therefore, Y is true.

Part 1 is called the major premise.  Part 2 is called the
minor premise.  Part 3 is the conclusion.

Your argument is missing the minor premise.  You have to
establish the minor premise or your argument will have no
validity.

So then, do you wish to give up on your argument, or do you
wish to explain how you're going to accomplish this feat of
making sure that only legitimate servers try to contact other
servers via SMTP?

  - Logan



Spam is never eliminated - just reduced. Most spam comes from virus 
infected zombies that talk SMTP. If end users were by default set up so 
that they can only send email by IMAP then you can block off SMTP ports 
for end users isolating them from the SMTP world. That would take a huge 
bite out of the spam problem.


But then your network's SMTP server cannot talk to any other SMTP
server. You have to use a properly sanctioned one. THINK man. THINK.

{^_^}


Re: Allowing IMAP/POP to Send Email

2006-08-03 Thread jdow

From: "Marc Perkel" <[EMAIL PROTECTED]>


Chris Lear wrote:



What if I set up an SMTP server at home behind my ADSL router, collect 
my vanity-domain mail there, and access it via IMAP or POP3? It seems 
I only have one option, which is to send my mail via IMAP to my home 
server. Which then sends via SMTP to... the Internet (or via a 
smarthost). And the home server sending via SMTP is going to look a 
bit like a MUA sending via SMTP. How would you tell the difference? Is 
a home mail server outlawed in the brave new world? Or does my SMTP 
server have to learn to talk IMAP to make message submissions to the 
ISP's server?


Chris



Then it would be a server and talk SMTP. Servers still talk SMTP. I have 
a home SMTP server myself.


Yoohoo, Marc! What is the difference between a home SMTP server YOU
run and one that is included in malware that has turned your machine
into a Zombie?

If your specific network arrangement is to be supported then you are
allowing port 25 connections between your server and others. Thus you
have done absolutely nothing to reduce spam. You've only cost people
money changing their entire mail setups end to end.

{^_^}


Spamd using 100% CPU, even after reboot

2006-08-03 Thread Christopher Martin
I have a dual P3 server I am hoping to run as our main spam filtering
machine. I am satisfied the spam is being caught, I am just worried whether
it can deal with the load as the machine idles with one CPU fully utilised.

Here are some system details:

antispam02# uname -a
FreeBSD antispam02.ebit.com.au 6.1-RELEASE-p3 FreeBSD 6.1-RELEASE-p3 #0: Fri
Aug  4 10:23:56 EST 2006
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/ANTISPAM02  i386

antispam02# /usr/local/bin/spamd --version
SpamAssassin Server version 3.1.3
  running on Perl 5.8.8
  with SSL support (IO::Socket::SSL 0.97)

antispam02# pkg_info | grep spam
p5-Mail-SpamAssassin-3.1.3 A highly efficient mail filter for identifying
spam
pyzor-0.4.0_4   A collaborative, networked system to detect and block
spam
razor-agents-2.82   A distributed, collaborative, spam detection and
filtering
spamass-milter-0.3.1 Sendmail Milter (mail filter) plugin for SpamAssassin
spamass-rules-20060203 Custom rulesets for SpamAssassin


antispam02# ps auuwx | grep spam
nobody   624 99.0 12.0 66044 62004  ??  R11:01AM  56:58.12 spamd child
(perl5.8.8)
root 625  4.9 11.5 62668 59276  ??  S11:01AM   2:14.46 spamd child
(perl5.8.8)
root 496  0.0  0.4  4856  2256  ??  Ss   11:00AM   0:03.40
/usr/local/sbin/spamass-milter -f -p /var/run/spamass-milter.sock
root 506  0.0  9.7 53272 50252  ??  Ss   11:00AM   0:08.53
/usr/local/bin/spamd -c -d -r /var/run/spamd/spamd.pid (perl5.8.8)
root1529  0.0  0.3  2912  1536  ??  I12:07PM   0:00.02
/usr/local/bin/spamc
root1541  0.0  9.7 53272 50252  ??  S12:08PM   0:00.01 spamd child
(perl5.8.8)


There is a recurring error in maillog:

Aug  4 12:03:25 antispam02 spamd[625]: spamd: still running as root: user
not specified with -u, not found, or set to root, falling back to nobody at
/usr/local/bin/spamd line 1145,  line 4.


Is that related? Any ideas or suggestions?


Chris Martin



RE: ImageInfo plugin for SA

2006-08-03 Thread Michael Scheidell
Depends.

Do a 'locate SPF.pm' and see where yours is.

Mine is at:

/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/Plugin/SPF.pm


Re: ImageInfo plugin for SA

2006-08-03 Thread Theo Van Dinter
On Thu, Aug 03, 2006 at 05:42:17PM -0800, John Andersen wrote:
> So what happens next week when they switch to jpegs?

Sounds like a new function and set of rules. :)

> Btw: Very minor typo in:
> describe   DC_PNG_UNO_LARGO Message contains a single large inline gif
> 
> You mean png for this one.

fixed. :)

-- 
Randomly Generated Tagline:
"A Young Eel is called this."- Jeopardy Question
 "What is a baby eel Alex."- Theo's Response




Re: ImageInfo plugin for SA

2006-08-03 Thread Spamassassin List

Put the .pm file that is attached in your M::SA::Plugins dir.  Add to
your init.pre (or v310.pre) the following line.


Where is the usual Plugins dir?

regards


Re: ImageInfo plugin for SA

2006-08-03 Thread John Andersen
On Thursday 03 August 2006 16:50, Theo Van Dinter wrote:
> On Fri, Aug 04, 2006 at 02:38:48AM +0200, Raymond Dijkxhoorn wrote:
> > Could you post the altered one also somewhere ?
>
> Yeah, the files are in my sandbox:
> http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/felicity/

So what happens next week when they switch to jpegs?

Btw: Very minor typo in:

meta       DC_PNG_UNO_LARGO __PNG_ATTACH_1 && __PNG_AREA_180K
describe   DC_PNG_UNO_LARGO Message contains a single large inline gif

You mean png for this one.



-- 
_
John Andersen




Re: ImageInfo plugin for SA

2006-08-03 Thread Theo Van Dinter
On Thu, Aug 03, 2006 at 09:35:05PM -0400, Theo Van Dinter wrote:
> Hrm.  Not sure how T_DC_IMAGE_SPAM got a bump there -- it's the same set of
> input mail.

It occurred to me as I was sending that DC_IMAGE_SPAM is a meta with the new
rule that's hitting.  

-- 
Randomly Generated Tagline:
I'd love to, but I'm going to count the bristles in my toothbrush.




Re: ImageInfo plugin for SA

2006-08-03 Thread Theo Van Dinter
On Thu, Aug 03, 2006 at 07:05:52PM -0500, Dallas L. Engelken wrote:
> > I made some major edits (1/3 smaller and also faster :) ), 
> > but the core algorithm is the same.  Overall, very good from 
> > my results:
> 
> Awesome... Thanks for that!   But no *_MULTI_LARGO hits???  I have tons
> of these samples (today even)

I was just comparing the original results to the new results, and neither have
the multi hits:

old:
  7.127   8.3265   0.1.000   0.873.00  T_DC_GIF_UNO_LARGO
  3.646   4.2602   0.1.000   0.743.00  T_DC_IMAGE_SPAM
  0.576   0.6732   0.1.000   0.233.00  T_DC_PNG_UNO_LARGO
  0.000   0.   0.0.500   0.164.00  T_DC_GIF_MULTI_LARGO
  0.000   0.   0.0.500   0.164.00  T_DC_PNG_MULTI_LARGO

new:
  7.162   8.3673   0.1.000   0.933.00  T_DC_GIF_UNO_LARGO
  3.681   4.3010   0.1.000   0.793.00  T_DC_IMAGE_SPAM
  0.576   0.6732   0.1.000   0.243.00  T_DC_PNG_UNO_LARGO
  0.000   0.   0.0.500   0.174.00  T_DC_PNG_MULTI_LARGO
  0.000   0.   0.0.500   0.174.00  T_DC_GIF_MULTI_LARGO

Aha...  I think I see the problem, your cf file had a typo that I didn't
catch (missing leading __ ...)  :(   the new new results:

  7.162   8.3673   0.1.000   0.953.00  T_DC_GIF_UNO_LARGO
  4.016   4.6920   0.1.000   0.843.00  T_DC_IMAGE_SPAM
  0.666   0.7786   0.1.000   0.364.00  T_DC_GIF_MULTI_LARGO
  0.576   0.6732   0.1.000   0.313.00  T_DC_PNG_UNO_LARGO
  0.000   0.   0.0.500   0.254.00  T_DC_PNG_MULTI_LARGO

Hrm.  Not sure how T_DC_IMAGE_SPAM got a bump there -- it's the same set of
input mail.

-- 
Randomly Generated Tagline:
"It is easier to confess a defect then to claim a quality." - Max Beerbohm




Re: ImageInfo plugin for SA

2006-08-03 Thread Raymond Dijkxhoorn

Hi!


Could you post the altered one also somewhere ?


Yeah, the files are in my sandbox:
http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/felicity/


Ok, perfect. Running nice.

On one box i have it together with the ocr one. So far the 'cheaper' rule 
is seeing about the same as the ocr.


Bye,
Raymond.


Re: ImageInfo plugin for SA

2006-08-03 Thread Theo Van Dinter
On Fri, Aug 04, 2006 at 02:38:48AM +0200, Raymond Dijkxhoorn wrote:
> Could you post the altered one also somewhere ?

Yeah, the files are in my sandbox:
http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/felicity/

-- 
Randomly Generated Tagline:
"Running Linux 1.2 Because a 486 is a terrible thing to waste." - Unknown




Re: ImageInfo plugin for SA

2006-08-03 Thread Raymond Dijkxhoorn

Theo,


On Thu, Aug 03, 2006 at 03:14:06PM -0500, Dallas L. Engelken wrote:

All those scores in the cf are just "WAGs", since none have been
masschecked.   Theo, could you sandbox this?



I made some major edits (1/3 smaller and also faster :) ), but the core
algorithm is the same.  Overall, very good from my results:

 MSECSSPAM% HAM% S/ORANK   SCORE  NAME
 029412 49520.856   0.000.00  (all messages)
0.0  85.5896  14.41040.856   0.000.00  (all messages as %)
 7.162   8.3673   0.1.000   0.933.00  DC_GIF_UNO_LARGO
 3.681   4.3010   0.1.000   0.793.00  DC_IMAGE_SPAM
 0.576   0.6732   0.1.000   0.243.00  DC_PNG_UNO_LARGO
 0.000   0.   0.0.500   0.174.00  DC_PNG_MULTI_LARGO
 0.000   0.   0.0.500   0.174.00  DC_GIF_MULTI_LARGO


Could you post the altered one also somewhere ?

Thanks,
Raymond.


Re: ImageInfo plugin for SA

2006-08-03 Thread Michele Neylon:: Blacknight.ie
Very nice. Over 100 hits on one box in less than half an hour!


-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239


Re: postres bayes db and high load

2006-08-03 Thread Mark Martinec
Dan,

> Over the past few weeks, my company's mail server has been experiencing
> high loads that result in SA skipping emails.  I use a postgres database to
> manage bayes, awl and userprefs.  I am pretty sure that it is the bayes db
> that is causing the high load ...

Are you using a general-purpose SQL module:
  bayes_store_module Mail::SpamAssassin::BayesStore::SQL
or a dedicated and optimized:
  bayes_store_module Mail::SpamAssassin::BayesStore::PgSQL
?

See file sql/README.bayes in the SA distribution.

  Mark


RE: ImageInfo plugin for SA

2006-08-03 Thread Dallas L. Engelken
> -Original Message-
> From: Theo Van Dinter [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, August 03, 2006 6:52 PM
> To: users@spamassassin.apache.org
> Subject: Re: ImageInfo plugin for SA
> 
> On Thu, Aug 03, 2006 at 03:14:06PM -0500, Dallas L. Engelken wrote:
> > All those scores in the cf are just "WAGs", since none have been
> > masschecked.   Theo, could you sandbox this?
> 
> I made some major edits (1/3 smaller and also faster :) ), 
> but the core algorithm is the same.  Overall, very good from 
> my results:
> 
>   MSECSSPAM% HAM% S/ORANK   SCORE  NAME
>   029412 49520.856   0.000.00  (all messages)
> 0.0  85.5896  14.41040.856   0.000.00  (all messages as %)
>   7.162   8.3673   0.1.000   0.933.00  DC_GIF_UNO_LARGO
>   3.681   4.3010   0.1.000   0.793.00  DC_IMAGE_SPAM
>   0.576   0.6732   0.1.000   0.243.00  DC_PNG_UNO_LARGO
>   0.000   0.   0.0.500   0.174.00  DC_PNG_MULTI_LARGO
>   0.000   0.   0.0.500   0.174.00  DC_GIF_MULTI_LARGO
> 

Awesome... Thanks for that!   But no *_MULTI_LARGO hits???  I have tons
of these samples (today even)

# grep -c MULTI_LARGO spamd.log
83

They all look similar to this...

2006-08-03 03:46:16.847129500 [20349] dbg: imageinfo: 8 gif attachments
found
2006-08-03 03:46:16.852860500 [20349] dbg: imageinfo: check images of
type gif
2006-08-03 03:46:16.852938500 [20349] dbg: imageinfo: image catholic.gif
is 40 x 512 pixels (20480 pixels sq.)
2006-08-03 03:46:16.853007500 [20349] dbg: imageinfo: image flesh.gif is
254 x 4 pixels (1016 pixels sq.)
2006-08-03 03:46:16.853072500 [20349] dbg: imageinfo: image wetback.gif
is 254 x 113 pixels (28702 pixels sq.)
2006-08-03 03:46:16.853138500 [20349] dbg: imageinfo: image humorous.gif
is 94 x 626 pixels (58844 pixels sq.)
2006-08-03 03:46:16.853203500 [20349] dbg: imageinfo: image
willingly.gif is 40 x 28 pixels (1120 pixels sq.)
2006-08-03 03:46:16.853268500 [20349] dbg: imageinfo: image mostly.gif
is 40 x 81 pixels (3240 pixels sq.)
2006-08-03 03:46:16.853336500 [20349] dbg: imageinfo: image
hailstone.gif is 254 x 509 pixels (129286 pixels sq.)
2006-08-03 03:46:16.853402500 [20349] dbg: imageinfo: image rat race.gif
is 40 x 5 pixels (200 pixels sq.)
2006-08-03 03:46:16.896336500 [20349] info: spamd: identified spam
(22.7/5.0) for $global:200 in 2.6 seconds, 50713 bytes.
2006-08-03 03:46:16.896520500 [20349] info: spamd: result: Y 22 -
BAYES_50,CM_SLICED_STOCK,EXTRA_MPART_TYPE,GIF_AREA_200K,GIF_ATTACH_5P,GI
F_MULTI_LARGO,HELO_DYNAMIC_IPADDR2,HELO_DYNAMIC_SPLIT_IP,HTML_40_50,HTML
_IMAGE_ONLY_28,HTML_MESSAGE,RCVD_BY_IP,RCVD_NUMERIC_HELO,SARE_GIF_ATTACH
,SARE_GIF_STOX,URI_HTML_ONLY
scantime=2.6,size=50713,user=$global,uid=200,required_score=5.0,rhost=lo
calhost,raddr=127.0.0.1,rport=34848,mid=<001d01c34465$4cce9bb8$a38ebedc@
dxnd>,bayes=0.546644226347824,autolearn=unavailable,urihits=none

Are you sure the logic is working properly there?

D
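
The debug output in this message can be checked mechanically. The following is an added example, not code from the ImageInfo plugin or from anyone on the list: it parses `imageinfo` debug lines, totals the pixel area per scanned message, and applies a count-plus-area test. The thresholds are assumptions read off the rule names in this thread (`GIF_ATTACH_5P`, `GIF_AREA_200K`, `__PNG_AREA_180K`), and the second log entry (pid 20350) is constructed.

```python
import re
from collections import defaultdict

# One line per image, in the format of the spamd debug log quoted above.
IMAGE_RE = re.compile(
    r"\[(?P<pid>\d+)\] dbg: imageinfo: image (?P<name>.+\.(?P<type>gif|png)) "
    r"is (?P<w>\d+) x (?P<h>\d+) pixels \((?P<area>\d+) pixels sq\.\)"
)
# The "N <type> attachments found" line marks the start of a new message scan.
START_RE = re.compile(r"\[(?P<pid>\d+)\] dbg: imageinfo: \d+ \w+ attachments? found")

# Assumed thresholds, inferred from the rule names on this page.
MULTI_MIN_COUNT = 5        # GIF_ATTACH_5P
MULTI_MIN_AREA = 200_000   # GIF_AREA_200K
UNO_MIN_AREA = 180_000     # __PNG_AREA_180K


def summarize(lines):
    """Group image lines by (pid, scan number, type) and total their areas."""
    scan_no = defaultdict(int)
    stats = defaultdict(
        lambda: {"count": 0, "total_area": 0, "largest": 0, "bad_area": []}
    )
    for line in lines:
        start = START_RE.search(line)
        if start:
            scan_no[start["pid"]] += 1
            continue
        m = IMAGE_RE.search(line)
        if not m:
            continue
        area = int(m["w"]) * int(m["h"])
        s = stats[(m["pid"], scan_no[m["pid"]], m["type"])]
        s["count"] += 1
        s["total_area"] += area
        s["largest"] = max(s["largest"], area)
        if area != int(m["area"]):  # logged area disagrees with width x height
            s["bad_area"].append(m["name"])
    return dict(stats)


def classify(s):
    """Return the image-spam shape a summary matches, or None."""
    if s["count"] == 1 and s["total_area"] >= UNO_MIN_AREA:
        return "UNO_LARGO"
    if s["count"] >= MULTI_MIN_COUNT and s["total_area"] >= MULTI_MIN_AREA:
        return "MULTI_LARGO"
    return None


# Values for pid 20349 are those in the log above, with line wraps joined.
SAMPLE_LOG = """\
2006-08-03 03:46:16.847129500 [20349] dbg: imageinfo: 8 gif attachments found
2006-08-03 03:46:16.852938500 [20349] dbg: imageinfo: image catholic.gif is 40 x 512 pixels (20480 pixels sq.)
2006-08-03 03:46:16.853007500 [20349] dbg: imageinfo: image flesh.gif is 254 x 4 pixels (1016 pixels sq.)
2006-08-03 03:46:16.853072500 [20349] dbg: imageinfo: image wetback.gif is 254 x 113 pixels (28702 pixels sq.)
2006-08-03 03:46:16.853138500 [20349] dbg: imageinfo: image humorous.gif is 94 x 626 pixels (58844 pixels sq.)
2006-08-03 03:46:16.853203500 [20349] dbg: imageinfo: image willingly.gif is 40 x 28 pixels (1120 pixels sq.)
2006-08-03 03:46:16.853268500 [20349] dbg: imageinfo: image mostly.gif is 40 x 81 pixels (3240 pixels sq.)
2006-08-03 03:46:16.853336500 [20349] dbg: imageinfo: image hailstone.gif is 254 x 509 pixels (129286 pixels sq.)
2006-08-03 03:46:16.853402500 [20349] dbg: imageinfo: image rat race.gif is 40 x 5 pixels (200 pixels sq.)
2006-08-03 03:47:02.000000000 [20350] dbg: imageinfo: 1 png attachments found
2006-08-03 03:47:02.000100000 [20350] dbg: imageinfo: image constructed.png is 600 x 400 pixels (240000 pixels sq.)
""".splitlines()

if __name__ == "__main__":
    for key, s in summarize(SAMPLE_LOG).items():
        print(key, s["count"], s["total_area"], s["largest"], classify(s))
```

No single slice in the first message reaches the area threshold (the largest is 129286 pixels), so only the per-message total catches it.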


Re: PureMessage-like spam gauge?

2006-08-03 Thread Theo Van Dinter
On Thu, Aug 03, 2006 at 02:34:17PM -0500, Chris St. Pierre wrote:
> --- Mail/SpamAssassin/PerMsgStatus.pm.bak   2006-08-03 13:52:55.0
> -0500
> +++ Mail/SpamAssassin/PerMsgStatus.pm   2006-08-03 14:24:02.0 -0500
[...]
> +   GAUGE => sub {
> +   my $arg = (shift || "*");
[...]
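
Review bot: in the GAUGE handler, `my $arg = (shift || "*");` falls back to "*" for any false argument, so an argument of "0" or an empty string is silently replaced along with a missing one. If only an absent argument should take the default, test it with `defined` instead. The remainder of the hunk is elided here, so how `$arg` is used afterwards cannot be checked from these lines.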

Just so folks know, it's generally a better idea to write a plugin to do this
so that you don't have to keep patching new installs of SpamAssassin. :)

-- 
Randomly Generated Tagline:
"the curls in your keyboard cord are losing electricity."
 - Today's BOFH Excuse




Re: ImageInfo plugin for SA

2006-08-03 Thread Theo Van Dinter
On Thu, Aug 03, 2006 at 03:14:06PM -0500, Dallas L. Engelken wrote:
> All those scores in the cf are just "WAGs", since none have been
> masschecked.   Theo, could you sandbox this?

I made some major edits (1/3 smaller and also faster :) ), but the core
algorithm is the same.  Overall, very good from my results:

  MSECSSPAM% HAM% S/ORANK   SCORE  NAME
  029412 49520.856   0.000.00  (all messages)
0.0  85.5896  14.41040.856   0.000.00  (all messages as %)
  7.162   8.3673   0.1.000   0.933.00  DC_GIF_UNO_LARGO
  3.681   4.3010   0.1.000   0.793.00  DC_IMAGE_SPAM
  0.576   0.6732   0.1.000   0.243.00  DC_PNG_UNO_LARGO
  0.000   0.   0.0.500   0.174.00  DC_PNG_MULTI_LARGO
  0.000   0.   0.0.500   0.174.00  DC_GIF_MULTI_LARGO

-- 
Randomly Generated Tagline:
"Today I set a motherboard on fire. Now the bizarre thing is that after 
 the smoke cleared it still worked." - Alan Cox




Re: postres bayes db and high load

2006-08-03 Thread Dan
Thanks for the advice!

I guess the consensus is to buy more RAM and/or switch to mysql.

-Dan


Re: ImageInfo plugin for SA

2006-08-03 Thread Jason Haar
Just a comment to Dallas that his (? making a guess there) ImageInfo
module seems to be doing a good job for me.

I had a small sample of image-spam that currently gets past SA. Almost
all of it scored +4/+5 points with his module activated.

I also had a few recent inline-images "real" emails - didn't trigger any
of these rules.

So far I'm impressed :-)

Jason

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



RE: postres bayes db and high load

2006-08-03 Thread Michael Scheidell
-Original Message-
From: Dan [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 03, 2006 12:24 PM
To: users@spamassassin.apache.org
Subject: postres bayes db and high load

> Over the past few weeks, my company's mail server has been experiencing
> high loads that result in SA skipping emails.  I use a postgres database
> to manage bayes, awl and userprefs.  I am pretty sure that it is the
> bayes db that is causing the high load and resultant skipping, but I have no
> idea how to fix the problem.  I installed the SA DBI plugin in hopes this
> would decrease the load, but it hasn't.  I have also tried increasing
> spamd's max-children parameter from 8 up to 27. It appears that if
> all of the spamd's children become busy SA skips the message all
> together.  Or spamd stops working on a message when bayes times
> out.  If the latter is the case, is there a way to tell spamd to continue
> processing the message without bayes? I have included some details
> below.  Any suggestions would be very helpful.

I have systems running 800K email/day, no problem,  I use mysql, it seemed
to scale a lot better with one of our other products (which has postgres
issues when busy).  if using mysql, use the correct .cfg file
(mysql-large.cfg,  )

> The mail servers stats:
> ~3500 email/day
> 2GHz Intel Celeron
> 768M ram
> SA v3.1.0
> postgreSQL v8.0.4
> database size: 333M
> bayes_seen: 378275 rows
> bayes_token: 172484 rows
>
> a snippet of maillog when the disruption began:
> Aug  2 14:47:59 mail spamd[32613]: prefork: child states: BBB
> Aug  2 14:47:59 mail spamd[32613]: prefork: server reached --max-clients setting, consider raising it
> Aug  2 14:47:59 mail spamd[3577]: spamd: connection from localhost.localdomain [127.0.0.1 ] at port 49872
> Aug  2 14:47:59 mail spamd[3577]: spamd: processing message < [EMAIL PROTECTED]om> for steve:0
> Aug  2 14:48:16 mail spamd[3675]: bayes: child processing timeout at /usr/bin/spamd line 1088.
> Aug  2 14:48:19 mail spamd[3675]: spamd: identified spam ( 25.9/5.0) for bug:0 in 5525.1 seconds, 2163 bytes.
> Aug  2 14:48:19 mail spamd[3675]: spamd: result: Y 25 - BAYES_99,MY_ALL_CAPS,MY_CASINO,MY_OFFER, MY_URI_2CHAR,MY_URI_ALPHNM,MY_URI_CHARNUM,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR 2_CHECK,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime= 5525.1,size=2163,user=bug,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1 ,rport=48946, mid=<[EMAIL PROTECTED]>,bayes=1,autolearn=failed
> Aug  2 14:48:35 mail spamd[3675]: __alarm__
> Aug  2 14:48:35 mail spamd[3675]: __alarm__
> Aug  2 14:48:36 mail spamd[32613]: prefork: child states: BBB
> Aug  2 14:48:36 mail spamd[32613]: prefork: server reached --max-clients setting, consider raising it
> Aug  2 14:48:36 mail spamd[3675]: spamd: connection from localhost.localdomain [127.0.0.1 ] at port 49881
> Aug  2 14:48:40 mail spamd[3675]: spamd: processing message < [EMAIL PROTECTED]> for harriet:0
> Aug  2 14:50:06 mail spamd[3835]: bayes: child processing timeout at /usr/bin/spamd line 1088,  line 59.


Re: spamass milter + clamav milter + milter greylist != working

2006-08-03 Thread Bazooka Joe

Thanks, I think I got it - i noticed you didn't have the clamav line
define(`confINPUT_MAIL_FILTERS', `clmilter')
so i took it out and clamav-milter seems to be working fine w/ out it.

re: headers - milter-greylist writes a new header line "Sender IP
whitelisted, not delayed by milter-greylist-1.6..." or whatever.

what do you use for the delay or wait time and auto whitelist time?

thx
chris

On 8/3/06, Ron Snyder <[EMAIL PROTECTED]> wrote:

> SA and clam work but greylist does nothing.  no errors, no added
> headers just nothing.

Why would you expect headers from greylist? Here's the evidence that
shows up that the greylisting did its thing:
Aug  3 00:37:56 mailgate sendmail[29267]: k730bkG7029267: Milter:
to=<[EMAIL PROTECTED]>, reject=451 4.7.1 Please try again later
(TEMPFAIL)

Here are the relevant lines from my .mc
INPUT_MAIL_FILTER(`relaydelay', `S=local:/var/run/relaydelay.sock,
F=,T=S:1m;R:2m;E:3m')
INPUT_MAIL_FILTER(`clmilter', `S=local:/var/run/clamav/clmilter.socket,
F=,T=S:4m;R:4m')
INPUT_MAIL_FILTER(`spamassassin', `S=unix:/var/run/spamass.sock,
F=T,T=C:15m;S:4m;R:4m;E:10m')

You might need to check your maillog file to really get to the bottom of
why it doesn't seem to be working.



Re: postres bayes db and high load

2006-08-03 Thread Davin Flatten

Dan-

Make sure you are vacuuming your database.  I have seen similar 
postgresql slow downs with a large database that has not been vacuumed. 

For a permanent solution I would suggest migrating to mysql instead.  I 
love postgresql but it has a lot of overhead designed to make it a 
transactional database that really the bayes database, awl, etc.. does 
not really need.  I am running my bayes database now out of mysql for 
15K-30K messages a day with a bayes_token table of 50 million rows.  
Runs like a charm.


-Davin



spamass milter + clamav milter + milter greylist != working

2006-08-03 Thread Bazooka Joe

Has anyone gotten the 3 aforementioned milters working together?

SA and clam work but greylist does nothing.  no errors, no added
headers just nothing.

if i take out clamav from the mc then greylisting works and SA works
but not all three together.

parts of sendmail.mc in question. (in order)

greylist:
INPUT_MAIL_FILTER(`greylist',
`S=local:/var/lib/milter-greylist/run/milter-greylist.sock')dnl
define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')dnl
define(`confMILTER_MACROS_HELO', `{verify}, {cert_subject}')dnl
define(`confMILTER_MACROS_ENVFROM', `i, {auth_authen}')dnl

clam-milter:
INPUT_MAIL_FILTER(`clmilter',
`S=local:/var/run/clamav-milter/clamav.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')

SA:
INPUT_MAIL_FILTER(`spamassassin',
`S=local:/var/run/spamass-milter/spamass-milter.sock, F=,
T=C:15m;S:4m;R:4m;E:10m')dnl


sry if this is too much of a sendmail centric question - I thought i
would w/ the server admins here first.

thx


Re: clamav virus db update

2006-08-03 Thread John Thompson
On 2006-08-03, Benny Pedersen <[EMAIL PROTECTED]> wrote:

> On Wed, August 2, 2006 22:28, John Thompson wrote:
>
>> Any explanation?
>
> make sure you have same database path in both freshclam.conf and clamd.conf

Bingo. Thanks!

-- 

-John ([EMAIL PROTECTED])



RE: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

2006-08-03 Thread Jeff Moss
Patching GIF.pm seems to have fixed the problem.  I patched gocr because
that was in the instructions that got posted, but patching GIF.pm wasn't
so I missed it.

  Jeff Moss

-Original Message-
From: Davin Flatten [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 03, 2006 3:54 PM
To: Jeff Moss
Cc: users@spamassassin.apache.org
Subject: Re: GIF Spam -- Setting up the 'OCR scanner and image validator
SA-plugin'

Jeff-

Make sure you apply the patches to both the gocr source and 
Image::ExifTool.   The gocr patch deals specifically with the segfault 
issues.

 From the docs:

# - Perl module Image::ExifTool and a patch for GIF pics:
#   http://antispam.imp.ch/patches/patch-GIF-Colortable
#
# - Gocr from http://jocr.sourceforge.net and a patch to
#   avoid segfaults with gocr:
#   http://antispam.imp.ch/patches/patch-gocr-segfault


Hope this helps.
-Davin


Re: RBL with Spamassassin works, but spamc/spamd don't use it

2006-08-03 Thread John Andersen
On Thursday 03 August 2006 04:47, decoder wrote:
> Hello,
>
> Recently I installed some rbl rules, using DNS, enabled rbl checks in
> the config etc. It all works fine with spamassassin < message. I see
> several scores from blacklists, so it is working.
>
> The problem is, spamc/spamd don't use these rules, they simply ignore
> rbl for the same kind of spam. I've restarted spamd and verified that it
> isn't set to local tests only.

Sounds like spamd was started with -L
This is a favorite SuSE trick.  If running SuSE see /etc/sysconfig/spamd
If running something else, check what starts spamd.  Also view
your /var/log/messages as spamd starts because some distros put
spamd in strange places and you end up running the old one, not the new 
one.  

-- 
_
John Andersen




Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

2006-08-03 Thread Davin Flatten

Jeff-

You might also want to see if you copy the message out of a client 
application like Thunderbird and then copy the image to your server and 
running giftopnm on it.  It might be that uudeview is the problem and 
not giftopnm.  The errors sound like a corrupt gif image.  This should 
not affect the plugin however.


I would suggest turning on debugging output on Spamassassin to see where 
in the plugin the problem is occurring. Use the facility 'ocrtext' 
and grep your logs for 'ocrtext'.  Should give you some info.


If you are running spamd try:  --debug=ocrtext

-D, --debug[=areas]Print debugging messages (for areas)

Hope this helps.
-Davin


ImageInfo plugin for SA

2006-08-03 Thread Dallas L. Engelken
Greetings,

For those of you that don't want the overhead or hassle of installing all
extras to get OCR running, I give you a simpler (maybe less effective)
option..  It basically determines pixel coverage similar to what
eval:html_image_ratio() does, but html_image_ratio() actually reads
height="" and width="" params from html, and in these stock spams and
such, there is no height/width values to go off of.   So,
eval:pixel_coverage()  will actually read the gif and png headers and
calculate it from the actual image data. 

Put the .pm file that is attached in your M::SA::Plugins dir.  Add to
your init.pre (or v310.pre) the following line.

loadplugin Mail::SpamAssassin::Plugin::ImageInfo

And throw the imageinfo.cf ruleset in your local config dir (tweak
rules/scores as needed).  And don't forget to restart spamd if you are
running it.   Feel free to tweak the ruleset to meet your needs.  It
has hit well for me today as is, but YMMV.

# grep -c _LARGO spamd.log
868

No outside tools required... yeah!   Sorry for the lack of
documentation, but I just don't have enough time to do it, and I wanted
to share this.

All those scores in the cf are just "WAGs", since none have been
masschecked.   Theo, could you sandbox this?

Cya,
Dallas 


ImageInfo.pm
Description: ImageInfo.pm


imageinfo.cf
Description: imageinfo.cf
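
The header-reading idea described in this post, as an added example that is not the attached ImageInfo.pm: it reads width and height straight from GIF and PNG headers of a message's image parts and sums the pixel area. The function names, the 180,000-pixel threshold and the sample message are assumptions constructed for illustration.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def image_dimensions(data):
    """Return (format, width, height) from a GIF or PNG header, or None."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        # Logical screen descriptor: width, height as 16-bit little-endian.
        if len(data) < 10:
            return None
        width, height = struct.unpack("<HH", data[6:10])
        return ("gif", width, height)
    if data[:8] == PNG_SIGNATURE:
        # The first chunk must be IHDR: 4-byte length, 4-byte type, then
        # width and height as 32-bit big-endian integers.
        if len(data) < 24 or data[12:16] != b"IHDR":
            return None
        width, height = struct.unpack(">II", data[16:24])
        return ("png", width, height)
    return None


def pixel_coverage(raw_message):
    """Sum the pixel area of all image parts, trusting bytes over MIME labels."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found, unreadable = [], 0
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        dims = image_dimensions(part.get_payload(decode=True) or b"")
        if dims is None:
            unreadable += 1  # truncated header or a non-GIF/PNG payload
        else:
            found.append(dims)
    return {
        "images": found,
        "unreadable": unreadable,
        "area": sum(w * h for _, w, h in found),
    }


def looks_like_image_spam(coverage, min_area=180_000):
    """Hypothetical rule: exactly one readable image covering a large area."""
    return len(coverage["images"]) == 1 and coverage["area"] >= min_area


def build_sample():
    """Constructed message: short text, a 620x430 GIF and a truncated PNG."""
    gif = b"GIF89a" + struct.pack("<HH", 620, 430) + b"\x00\x00\x00" + b";"
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("hi")
    msg.add_attachment(gif, maintype="image", subtype="gif",
                       filename="a.gif")
    msg.add_attachment(PNG_SIGNATURE, maintype="image", subtype="png",
                       filename="b.png")
    return msg.as_bytes()


if __name__ == "__main__":
    cov = pixel_coverage(build_sample())
    print(cov, looks_like_image_spam(cov))
```

Because the dimensions come from the image bytes, a message whose HTML carries no height or width attributes is still measured, and a part that fails to parse is counted rather than silently skipped.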


Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

2006-08-03 Thread Davin Flatten

Jeff-

Make sure you apply the patches to both the gocr source and 
Image::ExifTool.   The gocr patch deals specifically with the segfault 
issues.


From the docs:

# - Perl module Image::ExifTool and a patch for GIF pics:
#   http://antispam.imp.ch/patches/patch-GIF-Colortable
#
# - Gocr from http://jocr.sourceforge.net and a patch to
#   avoid segfaults with gocr:
#   http://antispam.imp.ch/patches/patch-gocr-segfault


Hope this helps.
-Davin


Re: Allowing IMAP/POP to Send Email & United Nations etc....

2006-08-03 Thread Michael Parker
Nigel Frankcom wrote:
> I'll put on my flameproof underwear for this
> 
> There's been a huge amount of crossfire on these/this subject, but I
> don't see how it has anything to do with SA; or am I missing the
> point?
> 
> Different protocols, yet another level of policing, but nothing about
> the fact that SA does a damned fine job of stopping what exists now,
> not what may or may not happen (n) years in the future.
> 
> Just my 2 pence worth
> 
> Nigel
> 

google "marc perkel"

My $.02

Michael


Re: PureMessage-like spam gauge?

2006-08-03 Thread Chris St. Pierre
Once I realized how easy it was to add new header rewrite functions, I just
hacked my own in.  If anyone's interested, the diff follows.

--- Mail/SpamAssassin/PerMsgStatus.pm.bak   2006-08-03 13:52:55.0
-0500
+++ Mail/SpamAssassin/PerMsgStatus.pm   2006-08-03 14:24:02.0 -0500
@@ -1230,6 +1230,13 @@

 AUTOLEARN => sub { return $self->get_autolearn_status(); },

+   GAUGE => sub {
+   my $arg = (shift || "*");
+   my $length = int($self->{score} / 10);
+   $length = 5 if $length > 5;
+   return $arg x $length;
+   },
+
 TESTS => sub {
   my $arg = (shift || ',');
   return (join($arg, sort(@{$self->{test_names_hit}})) ||
   "none");
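
Review bot: The `$length` calculation in the added GAUGE sub, `int($self->{score} / 10)`, divides the raw score by 10 and never takes the required score into account, so any message scoring below 10 expands to an empty string and the cap of 5 is reached only at a score of 50 or more. If the intent is one character per step above the spam threshold, subtract the required score before dividing and pick a divisor that fits SpamAssassin's score range rather than a percentage; a short comment stating the intended mapping and the maximum length would also help whoever carries this local patch forward.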

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Thu, 3 Aug 2006, Chris St. Pierre wrote:

>I'm switching to SpamAssassin from PureMessage.  One feature I'm used to is
>the GAUGE, which is used in rewriting headers much the same way as
>_STARS(*)_.  PureMessage differs from SpamAssassin in that it uses a
>percentage rather than a score for determining if something is spam -- things
>are 0% to 100% likely to be spam.
>
>GAUGE inserted one star for every 10% over the spam threshold.  This meant, for
>us, that you could never get more than six stars, and our subjects ranged from
>[SPAM:*] to [SPAM:**].  Now that I'm using SpamAssassin with a spam
>threshold of 5 and trying to do the same thing, my subjects range from
>[SPAM:*] to [SPAM:***...***], the latter of which is downright
>unreadable.
>
>Is there either: a) any way to get _STARS(*)_ to be a little less verbose; or
>b) use a different tag to get a similar effect?
>
>I'm aware that I'll most likely be unable to duplicate the behavior I'm
>accustomed to, but I'd like to give my users as much consistency as possible.
>
>Thanks!
>
>Chris St. Pierre
>Unix Systems Administrator
>Nebraska Wesleyan University
>


Re: Looking for advice on rule creation & regular expressions

2006-08-03 Thread Kelson

Rob McEwen (PowerView Systems) wrote:

Create the rule you mentioned, then create another rule for plain old
"advil"

...

But make this additional rule **subtract** points... either the same
or a little less than the amount of points added by the
obfuscation-catching rule, depending on whether you want to leave a
little bit of score in there for the correctly spelled instances or
cancel it out altogether.


That runs the risk that someone will include both the target word and
advil in a message.

A better solution is to use negative lookaheads.  I'm not familiar with
them myself, but I'm pretty sure you can find examples in either the
base SA rules or some of the SARE rules.

Lookahead/lookbehind in regular expressions:
http://www.regular-expressions.info/lookaround.html

Incidentally, this is the only legit .info site I can think of.  I'm
sure there's at least one other out there somewhere...

--
Kelson Vibber
SpeedGate Communications 
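
The negative-lookahead suggestion above, set against the subtract-points rule pair from the message it replies to, as an added example that is not code from the thread. The obfuscation pattern, the look-alike character sets and the 3.0 score are assumptions constructed for illustration; the lookaround syntax is the same in Perl, which SpamAssassin rules use.

```python
import re

SEP = r"[\W_]{0,2}"  # up to two filler characters between letters
LETTERS = [r"[a@4]", r"d", r"(?:v|\\/)", r"[i1!|]", r"[l1|]"]
EDGE_BEFORE = r"(?<![a-z0-9])"
EDGE_AFTER = r"(?![a-z0-9])"
BODY = SEP.join(LETTERS)

# Obfuscation-tolerant rule on its own: it also fires on the plain spelling.
LOOSE = re.compile(EDGE_BEFORE + BODY + EDGE_AFTER, re.I)

# Compensating rule that matches only the plain spelling.
PLAIN = re.compile(r"\badvil\b", re.I)

# Same obfuscation rule, but the negative lookahead refuses any match that
# begins with the exact plain spelling, so no compensating rule is needed.
STRICT = re.compile(
    EDGE_BEFORE + r"(?!advil" + EDGE_AFTER + r")" + BODY + EDGE_AFTER, re.I
)


def score_two_rules(text, points=3.0):
    """Rule pair: add points for LOOSE, subtract them again for PLAIN."""
    score = 0.0
    if LOOSE.search(text):
        score += points
    if PLAIN.search(text):
        score -= points
    return score


def score_lookahead(text, points=3.0):
    """Single rule with the exclusion built into the pattern."""
    return points if STRICT.search(text) else 0.0


# Constructed sample bodies.
PLAIN_ONLY = "Take two advil and call me in the morning."
OBFUSCATED = "Cheap A.d.v.1.l shipped overnight"
BOTH = "Cheap A-d-v-i-l here, better than advil from the store"

if __name__ == "__main__":
    for body in (PLAIN_ONLY, OBFUSCATED, BOTH):
        print(score_two_rules(body), score_lookahead(body), body)
```

The third body is the case raised above: the rule pair cancels itself out when the obfuscated and the plain spelling appear together, while the lookahead rule still scores it.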


Re: Looking for advice on rule creation & regular expressions

2006-08-03 Thread Rob McEwen (PowerView Systems)
> I've come up with a rule that'll match every one of those instances, but
> also has the unfortunate consequence of matching plain old "ADVIL":

Create the rule you mentioned, then create another rule for plain old "advil"

Something like:

/\badvil\b/

But make this additional rule **subtract** points... either the same or a 
little less than the amount of points added by the obfuscation-catching rule, 
depending on whether you want to leave a little bit of score in there for the 
correctly spelled instances or cancel it out altogether.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



PureMessage-like spam gauge?

2006-08-03 Thread Chris St. Pierre
I'm switching to SpamAssassin from PureMessage.  One feature I'm used to is
the GAUGE, which is used in rewriting headers much the same way as
_STARS(*)_.  PureMessage differs from SpamAssassin in that it uses a
percentage rather than a score for determining if something is spam -- things
are 0% to 100% likely to be spam.

GAUGE inserted one star for every 10% over the spam threshold.  This meant, for
us, that you could never get more than six stars, and our subjects ranged from
[SPAM:*] to [SPAM:**].  Now that I'm using SpamAssassin with a spam
threshold of 5 and trying to do the same thing, my subjects range from
[SPAM:*] to [SPAM:***...***], the latter of which is downright
unreadable.

Is there either: a) any way to get _STARS(*)_ to be a little less verbose; or
b) use a different tag to get a similar effect?

I'm aware that I'll most likely be unable to duplicate the behavior I'm
accustomed to, but I'd like to give my users as much consistency as possible.

Thanks!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University


Re: postres bayes db and high load

2006-08-03 Thread John D. Hardin
On Thu, 3 Aug 2006, Dan wrote:

> The mail servers stats:
> ~3500 email/day
> 2GHz Intel Celeron
> 768M ram

Throw some more memory at it, if the motherboard supports it.

> Aug  2 14:48:19 mail spamd[3675]: spamd: identified spam ( 25.9/5.0) for
> bug:0 in 5525.1 seconds, 2163 bytes.

OUCH! 5500 seconds? It should *never* take more than a couple of
minutes (~120 sec) to score a message.

That *really* sounds like you're swap-thrashing.

What are your memory stats? (on Linux, "procinfo" or "cat
/proc/meminfo" and look for "swap total" vs. "swap free")

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 A weapons registration phase ... 4) allows for a degree of control
 to be exercised during the collection phase; 5) assists in the
 planning of the collection phase; ...
  -- the UN, who "doesn't want to confiscate guns"
---
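
A log triage pass for the symptoms discussed in this thread, as an added example that is not part of any post: it scans spamd syslog lines for scan times above the roughly 120-second ceiling mentioned in the reply above, for bayes child timeouts, and for --max-clients saturation. The sample lines are constructed, modelled on the maillog snippet quoted in the thread, and the function and field names are assumptions.

```python
import re
from collections import Counter

SLOW_SCAN_SECONDS = 120.0  # ceiling taken from the reply above

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"spamd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Tolerate a stray space after "=" as seen in wrapped log excerpts.
SCANTIME = re.compile(r"\bscantime=\s*(?P<secs>\d+(?:\.\d+)?)")
USER = re.compile(r"\buser=(?P<user>[^,\s]+)")

# Constructed sample, modelled on the maillog lines quoted in the thread.
SAMPLE_LOG = """\
Aug  2 14:47:59 mail spamd[32613]: prefork: child states: BBBBBBBB
Aug  2 14:47:59 mail spamd[32613]: prefork: server reached --max-clients setting, consider raising it
Aug  2 14:48:16 mail spamd[3675]: bayes: child processing timeout at /usr/bin/spamd line 1088.
Aug  2 14:48:19 mail spamd[3675]: spamd: result: Y 25 - BAYES_99,URIBL_BLACK scantime=5525.1,size=2163,user=bug,uid=0,required_score=5.0,autolearn=failed
Aug  2 14:48:21 mail spamd[3577]: spamd: result: . 0 - BAYES_00 scantime=2.4,size=1800,user=steve,uid=0,required_score=5.0,autolearn=no
Aug  2 14:48:36 mail spamd[32613]: prefork: server reached --max-clients setting, consider raising it
Aug  2 14:50:06 mail spamd[3835]: bayes: child processing timeout at /usr/bin/spamd line 1088.
Aug  2 14:50:07 mail sendmail[4001]: unrelated line
""".splitlines()


def triage(lines, slow_after=SLOW_SCAN_SECONDS):
    """Summarise slow scans, bayes timeouts and child-pool saturation."""
    slow_scans = []
    bayes_timeouts = Counter()
    max_clients_hits = 0
    skipped = 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            skipped += 1  # not a spamd line, or not in syslog format
            continue
        msg = m["msg"]
        if "server reached --max-clients setting" in msg:
            max_clients_hits += 1
        elif msg.startswith("bayes: child processing timeout"):
            bayes_timeouts[m["pid"]] += 1
        elif msg.startswith("spamd: result:"):
            st = SCANTIME.search(msg)
            if st and float(st["secs"]) > slow_after:
                user = USER.search(msg)
                slow_scans.append(
                    (m["ts"], m["pid"], user["user"] if user else None,
                     float(st["secs"]))
                )
    return {
        "slow_scans": slow_scans,
        "bayes_timeouts": dict(bayes_timeouts),
        "max_clients_hits": max_clients_hits,
        "skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Slow scans that coincide with repeated --max-clients hits show that children are being held by something slow (swap or the bayes backend) rather than by message volume alone.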



Re: Allowing IMAP/POP Thread to Continue?

2006-08-03 Thread David Cary Hart
What a COLOSSAL waste of bandwidth, cycles and keyboard erosion.

-- 
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
   Don't Subsidize Criminals: http://boulderpledge.org


RE: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

2006-08-03 Thread Jeff Moss
Still trying to debug SA crashing with the OCR plugin.  I extracted the
base64 encoding from one of the offending messages.  Then I converted it
to image001.gif with uudeview.  But when I try to convert it to a pnm
file from the command line I get errors.

[filter]# giftopnm image001.gif > image001.pnm
giftopnm: too much input data, ignoring extra...
giftopnm: bogus character 0x00, ignoring
[filter]#

I have no idea what's causing this, how to fix it, or if it's even
related to the crashing problem.

  Jeff Moss


-Original Message-
From: Stuart Johnston [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 03, 2006 10:41 AM
To: users@spamassassin.apache.org
Subject: Re: GIF Spam -- Setting up the 'OCR scanner and image validator
SA-plugin'

Davin Flatten wrote:
> Just thought this might help someone out.  Thanks to M. Blapp for an 
> excellent SA Plugin.  Optical Character Recognition (OCR) can be used to 
> nab those pesky spam messages that are hidden in gif,jpeg, or png images...

This OCR stuff looks promising.  Any comments on performance?  How much
extra load does it put on a server?



RE: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

2006-08-03 Thread davea
I will be testing this later this evening using the instructions provided.
I will keep you posted.

Dave Augustus

> We're getting some image-spam stuck in the queue because they crash SA
> with this plugin turned on. We are using a custom setup built from
> amavisd-lite.
> I'm still trying to figure out what's causing it.
>
>   Jeff Moss
>
> -Original Message-
> From: Stuart Johnston [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 03, 2006 10:41 AM
> To: users@spamassassin.apache.org
> Subject: Re: GIF Spam -- Setting up the 'OCR scanner and image validator
> SA-plugin'
>
> Davin Flatten wrote:
>> Just thought this might help someone out.  Thanks to M. Blapp for an
>> excellent SA Plugin.  Optical Character Recognition (OCR) can be used to
>> nab those pesky spam messages that are hidden in gif,jpeg, or png images...
>
> This OCR stuff looks promising.  Any comments on performance?  How much
> extra load does it put on a server?
>
>



Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread John D. Hardin
On Wed, 2 Aug 2006, John Andersen wrote:

> On Wednesday 02 August 2006 20:55, Sanford Whiteman wrote:
> > Because of that experience, I find myself
> > agreeing with the overall reaction of, in essence: "Kill me now, if
> > his proposal is going to be disseminated by any entity who doesn't
> > have enough techies on staff to shoot it down."
> 
> Sandy: you have a special skill for telling people to go to hell and having
> them looking forward to the trip.
> 
> I enjoyed your approach.

Ditto.

{applause}

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 A weapons registration phase ... 4) allows for a degree of control
 to be exercised during the collection phase; 5) assists in the
 planning of the collection phase; ...
  -- the UN, who "doesn't want to confiscate guns"
---



Re: Allowing IMAP/POP to Send Email & United Nations etc....

2006-08-03 Thread Dhawal Doshy

Nigel Frankcom wrote:

I'll put on my flameproof underwear for this

There's been a huge amount of crossfire on these/this subject, but I
don't see how it has anything to do with SA; or am I missing the
point?

Different protocols, yet another level of policing, but nothing about
the fact that SA does a damned fine job of stopping what exists now,
not what may or may not happen (n) years in the future.

Just my 2 pence worth


2 more units of whatever currency.. kill the threads. NOW!!


Re: Allowing IMAP/POP to Send Email

2006-08-03 Thread Steve Thomas
> Spam is never eliminated - just reduced. Most spam comes from virus
> infected zombies that talk SMTP. If end users were by default set up so
> that they can only send email by IMAP then you can block off SMTP ports
> for end users isolating them from the SMTP world. That would take a huge
> bite out of the spam problem.

Which is something that many ISPs and corporations already do. What makes
you think that any more of them will do it if your plan were to be
implemented?

Responsible networks are already blocking port 25, while irresponsible
networks (generalizing to make a point) aren't. What's going to happen to
make the irresponsible networks change their ways? Why hasn't it happened
already? What kind of incentive does your plan specifically provide to
help change those network owners' minds?




Allowing IMAP/POP to Send Email & United Nations etc....

2006-08-03 Thread Nigel Frankcom
I'll put on my flameproof underwear for this

There's been a huge amount of crossfire on these/this subject, but I
don't see how it has anything to do with SA; or am I missing the
point?

Different protocols, yet another level of policing, but nothing about
the fact that SA does a damned fine job of stopping what exists now,
not what may or may not happen (n) years in the future.

Just my 2 pence worth

Nigel


Re: Geographic Zone to Headers?

2006-08-03 Thread David Cary Hart
On Wed, 2 Aug 2006 21:27:48 +0200 (CEST), "Benny Pedersen"
<[EMAIL PROTECTED]> opined:
> On Wed, August 2, 2006 17:51, David Cary Hart wrote:
> 
> > EXPERIMENTALLY, I have added "world.tqmcube.com" as a zone which
> > is obviously not included in the composite. This returns a text
> > record of the country of origin.
> 
> good
> 
> > For example - with linux:
> > #dig +short 199.227.237.209.world.tqmcube.com -t txt
> > will return "United States".
> 
> nice, but is it for mta or spamassassinn ?
> 
> if its for mta, why need to tell the country of the ip ?
> 
> if its for spamassassin it will be to much dns lookups for things
> that can be added to dnsbl.tqmcube.com as a subtest with seperate
> results
> 
> you allready have ko and prc as example
> 
> PS: for my test of the dnsbl zone its none false positive or
> negative here so far
> 
I have revised this as follows:

;; QUESTION SECTION:
;193.128.95.59.world.tqmcube.com. IN ANY

;; ANSWER SECTION:
193.128.95.59.world.tqmcube.com. 2100 IN A    127.0.0.110
193.128.95.59.world.tqmcube.com. 2100 IN TXT  "IN"

The index of ISO country codes and return codes:

:127.0.0.10: AD
:127.0.0.11: AE
:127.0.0.12: AF
:127.0.0.13: AG
:127.0.0.14: AI
:127.0.0.15: AL
:127.0.0.16: AM
:127.0.0.17: AN
:127.0.0.18: AO
:127.0.0.19: AQ
:127.0.0.20: AR
:127.0.0.21: AS
:127.0.0.22: AT
:127.0.0.23: AU
:127.0.0.24: AW
:127.0.0.25: AZ
:127.0.0.254: BA
:127.0.0.26: BB
:127.0.0.27: BD
:127.0.0.28: BE
:127.0.0.29: BF
:127.0.0.30: BG
:127.0.0.31: BH
:127.0.0.32: BI
:127.0.0.33: BJ
:127.0.0.34: BM
:127.0.0.35: BN
:127.0.0.36: BO
:127.0.0.37: BR
:127.0.0.38: BS
:127.0.0.39: BT
:127.0.0.40: BV
:127.0.0.41: BW
:127.0.0.42: BY
:127.0.0.43: BZ
:127.0.0.44: CA
:127.0.0.45: CC
:127.0.0.46: CD
:127.0.0.47: CF
:127.0.0.48: CG
:127.0.0.49: CH
:127.0.0.50: CI
:127.0.0.51: CK
:127.0.0.52: CL
:127.0.0.53: CM
:127.0.0.54: CN
:127.0.0.55: CO
:127.0.0.56: CR
:127.0.0.57: CS
:127.0.0.58: CU
:127.0.0.59: CV
:127.0.0.60: CX
:127.0.0.61: CY
:127.0.0.62: CZ
:127.0.0.63: DE
:127.0.0.64: DJ
:127.0.0.65: DK
:127.0.0.66: DM
:127.0.0.67: DO
:127.0.0.68: DZ
:127.0.0.69: EC
:127.0.0.70: EE
:127.0.0.71: EG
:127.0.0.72: EH
:127.0.0.73: ER
:127.0.0.74: ES
:127.0.0.75: ET
:127.0.0.76: EU
:127.0.0.77: FI
:127.0.0.78: FJ
:127.0.0.79: FK
:127.0.0.80: FM
:127.0.0.81: FO
:127.0.0.82: FR
:127.0.0.83: FX
:127.0.0.84: GA
:127.0.0.85: GD
:127.0.0.86: GE
:127.0.0.87: GF
:127.0.0.88: GH
:127.0.0.89: GI
:127.0.0.90: GL
:127.0.0.91: GM
:127.0.0.92: GN
:127.0.0.93: GP
:127.0.0.94: GQ
:127.0.0.95: GR
:127.0.0.96: GS
:127.0.0.97: GT
:127.0.0.98: GU
:127.0.0.99: GW
:127.0.0.100: GY
:127.0.0.101: HK
:127.0.0.102: HM
:127.0.0.103: HN
:127.0.0.104: HR
:127.0.0.105: HT
:127.0.0.106: HU
:127.0.0.107: ID
:127.0.0.108: IE
:127.0.0.109: IL
:127.0.0.110: IN
:127.0.0.111: IO
:127.0.0.112: IQ
:127.0.0.113: IR
:127.0.0.114: IS
:127.0.0.115: IT
:127.0.0.116: JM
:127.0.0.117: JO
:127.0.0.118: JP
:127.0.0.119: KE
:127.0.0.120: KG
:127.0.0.121: KH
:127.0.0.122: KI
:127.0.0.123: KM
:127.0.0.124: KN
:127.0.0.125: KP
:127.0.0.126: KR
:127.0.0.127: KW
:127.0.0.128: KY
:127.0.0.129: KZ
:127.0.0.130: LA
:127.0.0.131: LB
:127.0.0.132: LC
:127.0.0.133: LI
:127.0.0.134: LK
:127.0.0.135: LR
:127.0.0.136: LS
:127.0.0.137: LT
:127.0.0.138: LU
:127.0.0.139: LV
:127.0.0.140: LY
:127.0.0.141: MA
:127.0.0.142: MC
:127.0.0.143: MD
:127.0.0.144: MG
:127.0.0.145: MH
:127.0.0.146: MK
:127.0.0.147: ML
:127.0.0.148: MM
:127.0.0.149: MN
:127.0.0.150: MO
:127.0.0.151: MP
:127.0.0.152: MQ
:127.0.0.153: MR
:127.0.0.154: MS
:127.0.0.155: MT
:127.0.0.156: MU
:127.0.0.157: MV
:127.0.0.158: MW
:127.0.0.159: MX
:127.0.0.160: MY
:127.0.0.161: MZ
:127.0.0.162: NA
:127.0.0.163: NC
:127.0.0.164: NE
:127.0.0.165: NF
:127.0.0.166: NG
:127.0.0.167: NI
:127.0.0.168: NL
:127.0.0.169: NO
:127.0.0.170: NP
:127.0.0.171: NR
:127.0.0.172: NT
:127.0.0.173: NU
:127.0.0.174: NZ
:127.0.0.175: OM
:127.0.0.176: PA
:127.0.0.177: PE
:127.0.0.178: PF
:127.0.0.179: PG
:127.0.0.180: PH
:127.0.0.181: PK
:127.0.0.182: PL
:127.0.0.183: PM
:127.0.0.184: PN
:127.0.0.185: PR
:127.0.0.186: PS
:127.0.0.187: PT
:127.0.0.188: PW
:127.0.0.189: PY
:127.0.0.190: QA
:127.0.0.191: RE
:127.0.0.192: RO
:127.0.0.193: RU
:127.0.0.194: RW
:127.0.0.195: SA
:127.0.0.196: SB
:127.0.0.197: SC
:127.0.0.198: SD
:127.0.0.199: SE
:127.0.0.200: SG
:127.0.0.201: SH
:127.0.0.202: SI
:127.0.0.203: SJ
:127.0.0.204: SK
:127.0.0.205: SL
:127.0.0.206: SM
:127.0.0.207: SN
:127.0.0.208: SO
:127.0.0.209: SR
:127.0.0.210: ST
:127.0.0.211: SU
:127.0.0.212: SV
:127.0.0.213: SY
:127.0.0.214: SZ
:127.0.0.215: TC
:127.0.0.216: TD
:127.0.0.217: TF
:127.0.0.218: TG
:127.0.0.219: TH
:127.0.0.220: TJ
:127.0.0.221: TK
:127.0.0.222: TM
:127.0.0.223: TN
:127.0.0.224: TO
:127.0.0.225: TP
:127.0.0.226: TR
:127.0.0.227: TT
:127.0.0.228: TV
:127.0.0.229: TW
:127.0.0.230: TZ
:127.0.0.231: UA
:127.0.0.232: UG
:127.0.0.233: UK
:127.0.0.234: UM
:127.0.0.235: US
:127.0.0.236: UY
:127.0.0.237: UZ
:127.0.0.238: VA
:127.0.0.239: VC
:127.0.0.240: VE
:127.0.0.241: V

Re: Allowing IMAP/POP to Send Email

2006-08-03 Thread Magnus Holmgren
On Thursday 03 August 2006 19:25, Marc Perkel took the opportunity to say:
> Chris Lear wrote:
> > What if I set up an SMTP server at home behind my ADSL router, collect
> > my vanity-domain mail there, and access it via IMAP or POP3? It seems
> > I only have one option, which is to send my mail via IMAP to my home
> > server. Which then sends via SMTP to... the Internet (or via a
> > smarthost). And the home server sending via SMTP is going to look a
> > bit like a MUA sending via SMTP. How would you tell the difference? Is
> > a home mail server outlawed in the brave new world? Or does my SMTP
> > server have to learn to talk IMAP to make message submissions to the
> > ISP's server?
> >
> Then it would be a server and talk SMTP. Servers still talk SMTP. I have
> a home SMTP server myself.

Ooookaaay... but they have to use SMTP AUTH, right? So why can't MUAs talk 
SMTP as well then? The only reason you have left is that you want to remove 
existing functionality (SMTP) from MUAs and replace it with something (two 
things, even) that doesn't yet exist (mail submission over POP and IMAP).

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Re: Allowing IMAP/POP to Send Email

2006-08-03 Thread JamesDR

Marc Perkel wrote:
Spam is never eliminated - just reduced. Most spam comes from virus 
infected zombies that talk SMTP. If end users were by default set up so 
that they can only send email by IMAP then you can block off SMTP ports 
for end users isolating them from the SMTP world. That would take a huge 
bite out of the spam problem.



For about a day. Spam software writers aren't stupid. All the standards 
that would be necessary for this kind of system to work on a broad scale 
would have to be open. By the time you got every ISP in one slice of the 
world to do this, then this will be exploited. My own home ISP had this 
happen to them. Bellsouth (in my area at least) blocked both 25 out and 
25 in. We had to send through Bellsouth's mail server. At first it was 
configured as an open relay for their customers. Then you had to 
authenticate. After they enabled authentication, I haven't seen a single 
Bellsouth DSL originating email spam (from the res blocks.) If others 
have, chime in. But from what I see, this works. It did anger me at 
first because they didn't tell their customers, and when directly asked 
they denied doing such (maybe just their help desk drones didn't know.) 
Anyway. Block 25, require auth to the isp's server. Done. SMTP-AUTH 
would be EXACTLY the same as what you propose. Here's an idea. Quit 
wasting your time here. You haven't found any supporters here. Try 
security lists. Write a letter to your ISP, your friend's ISP, your 
place of business's ISP and see what they say. I bet they'll say "Not 
feasible -- SMTP-AUTH works just fine"


--
Thanks,
James


RE: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

2006-08-03 Thread Jeff Moss
We're getting some image-spam stuck in the queue because they crash SA
with this plugin turned on. We are using a custom setup built from
amavisd-lite.
I'm still trying to figure out what's causing it.

  Jeff Moss 

-Original Message-
From: Stuart Johnston [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 03, 2006 10:41 AM
To: users@spamassassin.apache.org
Subject: Re: GIF Spam -- Setting up the 'OCR scanner and image validator
SA-plugin'

Davin Flatten wrote:
> Just thought this might help someone out.  Thanks to M. Blapp for an 
> excellent SA Plugin.  Optical Character Recognition (OCR) can be used to 
> nab those pesky spam messages that are hidden in gif,jpeg, or png images...

This OCR stuff looks promising.  Any comments on performance?  How much
extra load does it put on a server?



Re: Allowing IMAP/POP to Send Email

2006-08-03 Thread Marc Perkel



Logan Shaw wrote:

On Thu, 3 Aug 2006, Marc Perkel wrote:
Not really - what I'm proposing is that the IMAP connection just pipe 
the message into an SMTP server. The IMAP is acting only as an 
authenticated connection back to SMTP. I'm not suggesting replacing 
SMTP. What I'm suggesting is that POP/IMAP can be used as a transport 
to get the mail there because it's an existing connection, is already 
established, is already authenticated with the credentials of the 
email account, and it isn't a port that people would block like port 
25 is.


I'm not trying to replace SMTP. I'm just trying to suggest a better 
way for end users to get outgoing email to the SMTP server.


Yes.  You've already said that.  What you're trying to do
is create an internet where SMTP traffic only occurs between
legitimate servers.  You then claim that if such an internet
existed, there would be a huge impact against spam.  I have
to concur that if that were true, spam would be greatly reduced.

Here's the problem though.  We've got a logical syllogism here:
"If X, then Y."  The "X" is "only legitimate servers speak
SMTP", and the "Y" is "spam will be greatly reduced".

I agree that the "if X, then Y" part of this argument is
sound.  The problem is, for Y to logically follow, you have
to establish X.  A syllogism works like this:

1.  If X, then Y.
2.  X is known to be true.
3.  Therefore, Y is true.

Part 1 is called the major premise.  Part 2 is called the
minor premise.  Part 3 is the conclusion.

Your argument is missing the minor premise.  You have to
establish the minor premise or your argument will have no
validity.

So then, do you wish to give up on your argument, or do you
wish to explain how you're going to accomplish this feat of
making sure that only legitimate servers try to contact other
servers via SMTP?

  - Logan



Spam is never eliminated - just reduced. Most spam comes from virus 
infected zombies that talk SMTP. If end users were by default set up so 
that they can only send email by IMAP then you can block off SMTP ports 
for end users isolating them from the SMTP world. That would take a huge 
bite out of the spam problem.


Re: Allowing IMAP/POP to Send Email

2006-08-03 Thread Marc Perkel



Chris Lear wrote:



What if I set up an SMTP server at home behind my ADSL router, collect 
my vanity-domain mail there, and access it via IMAP or POP3? It seems 
I only have one option, which is to send my mail via IMAP to my home 
server. Which then sends via SMTP to... the Internet (or via a 
smarthost). And the home server sending via SMTP is going to look a 
bit like a MUA sending via SMTP. How would you tell the difference? Is 
a home mail server outlawed in the brave new world? Or does my SMTP 
server have to learn to talk IMAP to make message submissions to the 
ISP's server?


Chris



Then it would be a server and talk SMTP. Servers still talk SMTP. I have 
a home SMTP server myself.


Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

2006-08-03 Thread Davin Flatten

Stuart-

Not significant that I have noticed.  We are running a dedicated 
spamassassin gateway however.  Its only job is to process spam.  It is 
running dual Xeon
2.80GHz/2MB cache with 4GB of RAM over RAID5 with some scratch partitions
loaded in RAM.  We also run clamav, mimedefang, bayes out of mysql, and
milter-greylist on the same machine.

We process 15,000-30,000 emails a day on this machine.

One thing that could be improved would be to add which directory the 
plugin uses as scratch.  I would put this over into my memory based 
mounts and that would at least lower the I/O overhead.


-Davin



Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread MennovB


Kenneth Porter wrote:
> 
> Will ISP's do anything? Are they doing anything now for outbound spam?
> 
They will have to otherwise they will end up in a blacklist ;-)
Most of the ISP's here are already scanning on inbound spam, not too hard to
do it for outgoing then.
The ISP I use the most reacts quite fast on abuse. And they have already
used an automatic shutoff of clients in the time of virus outbreaks,
that traffic got detected and then all you could access was 1 page with an
explanation how to get connected again. That's doable too by counting the
amount of outgoing spam I think.



> BTW, are there any SMTP providers operating independent of ISP's, sorta 
> like  independent newsgroup providers, so that one can use authenticated 
> SMTP over the submission port to that provider instead of one's ISP?
> 
Yes, the ones who I know about offer anti SPAM/virus services. We've used
cleanport for a while for that. It wasn't authenticated but firewalled, SMTP
was only opened up for certain IP-addresses of ours.

Regards
Menno
-- 
View this message in context: 
http://www.nabble.com/What-changes-would-you-make-to-stop-spamUnited-Nations-Paper-tf2035870.html#a5636668
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

2006-08-03 Thread Stephan Bosch

Davin Flatten wrote:
Just thought this might help someone out.  Thanks to M. Blapp for an 
excellent SA Plugin.  Optical Character Recognition (OCR) can be used to 
nab those pesky spam messages that are hidden in gif,jpeg, or png images...


I ran a search on the patch and I didn't see any references to the bayes 
learner. Wouldn't it be a logical choice to feed (and test) the OCR text 
to the bayes learner just like any other plaintext mail content? The OCR 
results will of course contain some gibberish, but that shouldn't be 
very different from the usual bayes poison. I think this could further 
improve the OCR feature (haven't tested the patch yet btw).


Regards,

Stephan



Re: [AMaViS-user] sa-update (sa v 3.1.4)

2006-08-03 Thread Theo Van Dinter
On Thu, Aug 03, 2006 at 11:47:58AM -0500, Stuart Johnston wrote:
> I'm a little confused about this as well.  When I run spamassassin -D, it 
> shows rules being loaded from /var/lib/spamassassin/3.001003 and 
> /etc/mail/spamassassin but NOT /usr/share/spamassassin/

That sounds correct.

> Also, doing a diff I don't see any rules that are in 
> /usr/share/spamassassin/ but not in /var/lib/spamassassin/3.001003.

There are definitely differences between the files in the directories, though
at the moment most of the new rules are in a new 80_additional.cf file.
Perhaps you didn't use "diff -N" ? :)

-- 
Randomly Generated Tagline:
(Bp) Syntax Error! - My reality check just cleared.




Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread Kelson

Marc Perkel wrote:
So you think that viruses are going to know how to find and decrypt the 
passwords of all email programs?


Network sniffers, keystroke loggers, weak encryption, maliciously 
patching the email app -- that's four possibilities off the top of my head.


They don't even need to be able to handle all of them -- just the more 
popular ones.


--
Kelson Vibber
SpeedGate Communications 


Re: sa-update (sa v 3.1.4)

2006-08-03 Thread Will Nordmeyer


On Thu, 8/3/2006 11:01:09 -0400 Theo Van Dinter wrote:
> 
> On Thu, Aug 03, 2006 at 10:15:47AM -0400, Will Nordmeyer wrote:
> > If I run sa-update without any other parameters, it'll create an update 
> > dir put the updates in it and spamassassin will use the generated 
> > updates dir by default (do I need to restart SA, or does sa-update 
> > handle that?).
> 
> Yes.  As for restart, sa-update won't do that for you.
> 
> > If I use the --updatedir parameter I have to go into SA and rewrite it 
> > to use my updatedir.
> 
> Or otherwise include the new config files in some other way ala in
> /etc/mail/spamassassin/local.cf (or a similarly named file):
> 
> include /where/I/want/updates/to/be/channel.cf
> 
> I forgot to mention this in my previous mail, sorry.
> 
> > If I use --updatedir and point it to the SA default rules dir, I'm 
> > screwed.
> 
> Not screwed, but you'll break some parts of SpamAssassin, yes.  The
> default rules directory is meant to be written to during installation
> and that's it.  In the end, you can do what you want with it, but if you
> remove critical files, you shouldn't expect things to work correctly.
> 
> > Have I summarized sa-update usage properly?
> 
> You're intimating that sa-update sucks, where IMHO the problems described
> here are with its usage and an expectation that the software in general
> should DWIM as opposed to DWIS.
> 
> In general, if you don't like how something works, feel free to open a
> ticket and provide a patch. :)
> 
Not my intent at all Theo...  Just trying to distill it down to 
something easy.  And that is - if you run sa-update and let it make all 
the decisions about update dirs/etc.  Then the updates are easy, simple 
and everybody happily plays well together.

And (to me) yeah - I'm screwed if I decide my update dir is the same as 
my default rules dir - not because sa-update sucks at all... but 
because I didn't differentiate between DEFAULT rules and UPDATES.  

My apologies - sa-update is a wonderful feature, I was quite pleased 
when I saw it added... 


Re: [AMaViS-user] sa-update (sa v 3.1.4)

2006-08-03 Thread Stuart Johnston

Gary V wrote:

Mark wrote:


Theo,



to change Mail::SpamAssassin to provide a suitable default
for LOCAL_STATE_DIR. Please consider this a feature request.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4952  :)



Appreciated!



# sa-update --updatedir /usr/local/share/spamassassin

Warning: This will break your installation -- there are files in
def_rules_dir that aren't in the updates, and sa-update will be
happy to delete all of the files in the directory for you.
local_state_dir and def_rules_dir are not interchangeable.



Ouch, thanks. Sorry for spreading false suggestions.



  Mark


Observation and questions:

I thought the rules provided with sa-update were additions to existing
rules, but I guess I have not paid much attention. Is it true then
that the rules downloaded through sa-update are a complete rule set in
themselves?


I'm a little confused about this as well.  When I run spamassassin -D, it shows rules being loaded 
from /var/lib/spamassassin/3.001003 and /etc/mail/spamassassin but NOT /usr/share/spamassassin/


Also, doing a diff I don't see any rules that are in /usr/share/spamassassin/ but not in 
/var/lib/spamassassin/3.001003.  There are a few extra files though, [languages, 
sa-update-pubkey.txt, triplets.txt, user_prefs.template].  I suppose you probably don't want those 
to get deleted.


Re: sa-update problems

2006-08-03 Thread Bjorn Jensen

Theo Van Dinter wrote:

On Thu, Aug 03, 2006 at 06:15:38PM +0200, Bjorn Jensen wrote:
  
Aug  3 18:05:30 mail3 spamd[590]: config: cannot opendir /var/lib/spamassassin/3.001003: Permission denied
Aug  3 18:05:30 mail3 spamd[590]: config: cannot opendir /var/lib/spamassassin/3.001003: Permission denied



  
The directory /var/lib/spamassassin/3.001003 exists and there's another 
directory in there with the new rules, just like the wiki says about 
sa-update, and if I run spamassassin -D --lint it shows no problems, and 
I'm also able to scan emails through that just fine, just not spamd



Hrm, that's extremely odd.  Is there something special about how you run
spamd?  chroot jail?  limitations via something like selinux?
  

Thank god, you pointed me in the right direction.
The server is a fedora core 5 server where spamassassin has been 
installed by yum/rpm and selinux was set to enforcing. It has now been 
set to disabled, and it can now read the files.


Regards,
Bjorn Jensen
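
A triage check for the situation in this thread, as an added example that is not part of the original messages: it parses the `ls -l` lines posted above and evaluates the classic owner/group/other mode bits for a given user, to tell a mode-bit denial apart from one imposed by another layer such as SELinux. The function names and the `spamd` user name are hypothetical; ACLs and parent directories that were not listed in the thread are not evaluated.

```python
import re

# `ls -l` lines as posted in the thread, paired with the directory
# they were listed from.
POSTED = [
    ("/var/lib/spamassassin",
     "drwxr-xr-x 3 root root 4096 Aug  3 17:53 3.001003"),
    ("/var/lib/spamassassin/3.001003",
     "drwxr-xr-x 2 root root 4096 Aug  3 17:53 updates_spamassassin_org"),
    ("/var/lib/spamassassin/3.001003",
     "-rw-r--r-- 1 root root 2151 Aug  3 17:53 updates_spamassassin_org.cf"),
]

LS_LINE = re.compile(
    r"^(?P<kind>[-dlbcps])(?P<perms>[-rwxsStT]{9})\S*\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+"
    r"\w{3}\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)


def parse_ls_line(parent, line):
    """Turn one `ls -l` line into a dict with kind, perms, owner, group, path."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    entry = m.groupdict()
    entry["path"] = f"{parent.rstrip('/')}/{entry['name']}"
    return entry


def triad(entry, user, groups=()):
    """Return the three permission characters that apply to `user`."""
    perms = entry["perms"]
    if user == entry["owner"]:
        return perms[0:3]
    if entry["group"] in groups:
        return perms[3:6]
    return perms[6:9]


def dac_denials(entries, user, groups=()):
    """Paths the mode bits alone would refuse to `user`.

    Directories need read and search (opendir plus traversal); files need
    read. uid 0 is not bound by mode bits, so root gets an empty list.
    """
    if user == "root":
        return []
    denied = []
    for entry in entries:
        bits = triad(entry, user, groups)
        readable = bits[0] == "r"
        searchable = bits[2] in "xst"   # lower-case s/t still imply x
        needs_search = entry["kind"] == "d"
        if not readable or (needs_search and not searchable):
            denied.append(entry["path"])
    return denied


def triage(entries, user, groups=()):
    """Classify an observed 'Permission denied' for `user`.

    'mode-bits'     -> ownership or chmod explains it (paths returned)
    'not-mode-bits' -> the listing permits access; look at SELinux or
                       another MAC layer, ACLs, or a chroot instead
    """
    denied = dac_denials(entries, user, groups)
    return ("mode-bits", denied) if denied else ("not-mode-bits", [])


if __name__ == "__main__":
    entries = [parse_ls_line(parent, line) for parent, line in POSTED]
    for user in ("root", "spamd"):      # "spamd" is a hypothetical account
        print(user, triage(entries, user))
```

A `not-mode-bits` verdict for a path that was in fact denied points at a layer above the mode bits; on an SELinux host the denial is recorded as an AVC message in the audit log, and `ls -Z` shows the file contexts to compare.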


Re: More honesty in spam

2006-08-03 Thread Stuart Johnston
Yesterday I noticed that the stock-image spams I had been receiving were pushing "Espion 
International, Inc, a leader in the fight against email based viruses, spam...".  :)


Kelson wrote:
I received a stock spam this morning.  The randomly generated sender 
name was, and I kid you not...


"Bagle variant"

Somehow, that wouldn't surprise me at all!





Re: sa-update problems

2006-08-03 Thread Theo Van Dinter
On Thu, Aug 03, 2006 at 06:15:38PM +0200, Bjorn Jensen wrote:
> Aug  3 18:05:30 mail3 spamd[590]: config: cannot opendir /var/lib/spamassassin/3.001003: Permission denied
> Aug  3 18:05:30 mail3 spamd[590]: config: cannot opendir /var/lib/spamassassin/3.001003: Permission denied

> The directory /var/lib/spamassassin/3.001003 exists and there's another 
> directory in there with the new rules, just like the wiki says about 
> sa-update, and if I run spamassassin -D --lint it shows no problems, and 
> I'm also able to scan emails through that just fine, just not spamd

Hrm, that's extremely odd.  Is there something special about how you run
spamd?  chroot jail?  limitations via something like selinux?

Generally speaking, if the dirs can be accessed via any general user w/
spamassassin, there shouldn't be any problem using spamd.

> [EMAIL PROTECTED] spamassassin]# ll /var/lib/spamassassin
> total 8
> drwxr-xr-x 3 root root 4096 Aug  3 17:53 3.001003
> [EMAIL PROTECTED] spamassassin]# ll /var/lib/spamassassin/3.001003
> total 16
> drwxr-xr-x 2 root root 4096 Aug  3 17:53 updates_spamassassin_org
> -rw-r--r-- 1 root root 2151 Aug  3 17:53 updates_spamassassin_org.cf

Hrm.  This looks fine to me.

-- 
Randomly Generated Tagline:
"... and don't we all love Pspice?"- Instructor Dean




More honesty in spam

2006-08-03 Thread Kelson
I received a stock spam this morning.  The randomly generated sender 
name was, and I kid you not...


"Bagle variant"

Somehow, that wouldn't surprise me at all!

--
Kelson Vibber
SpeedGate Communications 


Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread Kenneth Porter
--On Thursday, August 03, 2006 8:47 AM -0700 MennovB <[EMAIL PROTECTED]> 
wrote:



I don't want to make the zombies use the ISP's SMTP server, I want to stop
them from spamming.
Right now they can only connect directly to the Internet so if the ISP
blocks direct SMTP outgoing the zombies stop working, they can't deliver
their spam.


Ok, that addresses the existing direct-to-MX zombies.


Probably they will then be adapted to figure out and use the ISP's SMTP
server, but that makes them easy to detect for the ISP.


Will ISP's do anything? Are they doing anything now for outbound spam?


Apart from the SMTP-servers from the ISP there may be some other addresses
you legitimately want to access with SMTP, could be serviced by the ISP
with a web-interface where you can configure a certain number of
accessible IP-addresses.


I'd rather it be completely open to anyone who's demonstrated having a clue.

BTW, are there any SMTP providers operating independent of ISP's, sorta 
like  independent newsgroup providers, so that one can use authenticated 
SMTP over the submission port to that provider instead of one's ISP?


postres bayes db and high load

2006-08-03 Thread Dan
Over the past few weeks, my company's mail server has been experiencing high loads that result in SA skipping emails.  I use a postgres database to manage bayes, awl and userprefs.  I am pretty sure that it is the bayes db that is causing the high load and resultant skipping, but I have no idea how to fix the problem.  I installed the SA DBI plugin in hopes this would decrease the load, but it hasn't.  I have also tried increasing spamd's max-children parameter from 8 up to 27.

It appears that if all of the spamd's children become busy SA skips the message altogether.  Or spamd stops working on a message when bayes times out.  If the latter is the case, is there a way to tell spamd to continue processing the message without bayes?

I have included some details below.  Any suggestions would be very helpful.

The mail servers stats:
~3500 email/day
2GHz Intel Celeron
768M ram
SA v3.1.0
postgreSQL v8.0.4
database size: 333M
bayes_seen: 378275 rows
bayes_token: 172484 rows

a snippet of maillog when the disruption began:

Aug  2 14:47:59 mail spamd[32613]: prefork: child states: BBB
Aug  2 14:47:59 mail spamd[32613]: prefork: server reached --max-clients setting, consider raising it
Aug  2 14:47:59 mail spamd[3577]: spamd: connection from localhost.localdomain [127.0.0.1] at port 49872
Aug  2 14:47:59 mail spamd[3577]: spamd: processing message <[EMAIL PROTECTED]om> for steve:0
Aug  2 14:48:16 mail spamd[3675]: bayes: child processing timeout at /usr/bin/spamd line 1088.
Aug  2 14:48:19 mail spamd[3675]: spamd: identified spam (25.9/5.0) for bug:0 in 5525.1 seconds, 2163 bytes.
Aug  2 14:48:19 mail spamd[3675]: spamd: result: Y 25 - BAYES_99,MY_ALL_CAPS,MY_CASINO,MY_OFFER,MY_URI_2CHAR,MY_URI_ALPHNM,MY_URI_CHARNUM,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=5525.1,size=2163,user=bug,uid=0,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=48946,mid=<[EMAIL PROTECTED]>,bayes=1,autolearn=failed
Aug  2 14:48:35 mail spamd[3675]: __alarm__
Aug  2 14:48:35 mail spamd[3675]: __alarm__
Aug  2 14:48:36 mail spamd[32613]: prefork: child states: BBB
Aug  2 14:48:36 mail spamd[32613]: prefork: server reached --max-clients setting, consider raising it
Aug  2 14:48:36 mail spamd[3675]: spamd: connection from localhost.localdomain [127.0.0.1] at port 49881
Aug  2 14:48:40 mail spamd[3675]: spamd: processing message <[EMAIL PROTECTED]> for harriet:0
Aug  2 14:50:06 mail spamd[3835]: bayes: child processing timeout at /usr/bin/spamd line 1088,  line 59.



sa-update problems

2006-08-03 Thread Bjorn Jensen
I just ran sa-update for the first time today, and now I'm getting this 
when starting up spamd:


Aug  3 18:05:30 mail3 spamd[590]: config: cannot opendir /var/lib/spamassassin/3.001003: Permission denied
Aug  3 18:05:30 mail3 spamd[590]: config: cannot opendir /var/lib/spamassassin/3.001003: Permission denied
Aug  3 18:05:32 mail3 spamd[590]: spamd: server started on port 783/tcp (running version 3.1.3)
Aug  3 18:05:32 mail3 spamd[590]: spamd: server pid: 590
Aug  3 18:05:32 mail3 spamd[590]: spamd: server successfully spawned child process, pid 592
Aug  3 18:05:32 mail3 spamd[590]: spamd: server successfully spawned child process, pid 593


This seems to mean that no local rules are loaded and most spam goes 
right through.


The directory /var/lib/spamassassin/3.001003 exists and there's another 
directory in there with the new rules, just like the wiki says about 
sa-update, and if I run spamassassin -D --lint it shows no problems, and 
I'm also able to scan emails through that just fine, just not spamd


spamd is running like so:

root   624  0.4  1.5  52032 46960 ?        Ss   18:06   0:01 /usr/bin/spamd -d -c --min-children=5 -m15 -i xxx.xxx.xxx.xxx -H -A xxx.xxx.xxx.xxx -r /var/run/spamd.pid
root   626  3.3  1.6  56760 52260 ?        S    18:06   0:13 spamd child
root   627  0.3  1.5  53816 48924 ?        S    18:06   0:01 spamd child
root   663  0.0  1.5  52596 47452 ?        S    18:09   0:00 spamd child
root   679  0.0  1.4  52032 45788 ?        S    18:12   0:00 spamd child



The directories:
[EMAIL PROTECTED] spamassassin]# ll /var/lib/spamassassin
total 8
drwxr-xr-x 3 root root 4096 Aug  3 17:53 3.001003
[EMAIL PROTECTED] spamassassin]# ll /var/lib/spamassassin/3.001003
total 16
drwxr-xr-x 2 root root 4096 Aug  3 17:53 updates_spamassassin_org
-rw-r--r-- 1 root root 2151 Aug  3 17:53 updates_spamassassin_org.cf
[EMAIL PROTECTED] spamassassin]# ll /var/lib/spamassassin/3.001003/updates_spamassassin_org
total 720
-rw-r--r-- 1 root root  5479 Aug  3 17:53 10_misc.cf
-rw-r--r-- 1 root root  8112 Aug  3 17:53 20_advance_fee.cf
-rw-r--r-- 1 root root  1602 Aug  3 17:53 20_anti_ratware.cf
-rw-r--r-- 1 root root  6690 Aug  3 17:53 20_body_tests.cf
-rw-r--r-- 1 root root  1534 Aug  3 17:53 20_compensate.cf
-rw-r--r-- 1 root root 14287 Aug  3 17:53 20_dnsbl_tests.cf
-rw-r--r-- 1 root root 15636 Aug  3 17:53 20_drugs.cf
-rw-r--r-- 1 root root 11380 Aug  3 17:53 20_fake_helo_tests.cf
-rw-r--r-- 1 root root 33153 Aug  3 17:53 20_head_tests.cf
-rw-r--r-- 1 root root 17501 Aug  3 17:53 20_html_tests.cf
-rw-r--r-- 1 root root  3305 Aug  3 17:53 20_meta_tests.cf
-rw-r--r-- 1 root root  2135 Aug  3 17:53 20_net_tests.cf
-rw-r--r-- 1 root root 15880 Aug  3 17:53 20_phrases.cf
-rw-r--r-- 1 root root  4711 Aug  3 17:53 20_porn.cf
-rw-r--r-- 1 root root 17038 Aug  3 17:53 20_ratware.cf
-rw-r--r-- 1 root root  9690 Aug  3 17:53 20_uri_tests.cf
-rw-r--r-- 1 root root  2228 Aug  3 17:53 23_bayes.cf
-rw-r--r-- 1 root root   420 Aug  3 17:53 25_accessdb.cf
-rw-r--r-- 1 root root  1342 Aug  3 17:53 25_antivirus.cf
-rw-r--r-- 1 root root  9114 Aug  3 17:53 25_body_tests_es.cf
-rw-r--r-- 1 root root 17673 Aug  3 17:53 25_body_tests_pl.cf
-rw-r--r-- 1 root root   190 Aug  3 17:53 25_dcc.cf
-rw-r--r-- 1 root root  1990 Aug  3 17:53 25_dkim.cf
-rw-r--r-- 1 root root  1944 Aug  3 17:53 25_domainkeys.cf
-rw-r--r-- 1 root root  2735 Aug  3 17:53 25_hashcash.cf
-rw-r--r-- 1 root root   189 Aug  3 17:53 25_pyzor.cf
-rw-r--r-- 1 root root  2201 Aug  3 17:53 25_razor2.cf
-rw-r--r-- 1 root root  8339 Aug  3 17:53 25_replace.cf
-rw-r--r-- 1 root root  2870 Aug  3 17:53 25_spf.cf
-rw-r--r-- 1 root root   352 Aug  3 17:53 25_textcat.cf
-rw-r--r-- 1 root root  7536 Aug  3 17:53 25_uribl.cf
-rw-r--r-- 1 root root 47385 Aug  3 17:53 30_text_de.cf
-rw-r--r-- 1 root root 34883 Aug  3 17:53 30_text_fr.cf
-rw-r--r-- 1 root root  1667 Aug  3 17:53 30_text_it.cf
-rw-r--r-- 1 root root 38211 Aug  3 17:53 30_text_nl.cf
-rw-r--r-- 1 root root 30281 Aug  3 17:53 30_text_pl.cf
-rw-r--r-- 1 root root  2883 Aug  3 17:53 30_text_pt_br.cf
-rw-r--r-- 1 root root 33700 Aug  3 17:53 50_scores.cf
-rw-r--r-- 1 root root  1113 Aug  3 17:53 60_awl.cf
-rw-r--r-- 1 root root  4903 Aug  3 17:53 60_whitelist.cf
-rw-r--r-- 1 root root  2367 Aug  3 17:53 60_whitelist_dkim.cf
-rw-r--r-- 1 root root  3480 Aug  3 17:53 60_whitelist_spf.cf
-rw-r--r-- 1 root root  1723 Aug  3 17:53 60_whitelist_subject.cf
-rw-r--r-- 1 root root 12968 Aug  3 17:53 80_additional.cf
-rw-r--r-- 1 root root     0 Aug  3 17:53 empty.pre
-rw-r--r-- 1 root root    36 Aug  3 17:53 MIRRORED.BY
[EMAIL PROTECTED] spamassassin]#

Regards,

Bjorn Jensen


Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread Kenneth Porter
--On Thursday, August 03, 2006 6:43 AM +0100 Graham Murray 
<[EMAIL PROTECTED]> wrote:



ADSL is both always on and a 'fixed' (ie your phone line is physically
connected to a DSLAM port) so the ISPs must have sufficient IP addresses
for all their ADSL customers.


Not necessarily. A lot of providers have gone to PPPoE, where one goes 
through an authentication process before being assigned an address. I'm 
guessing this is intended to allow metering of the connection, not to make 
more addresses available.


Re: sa-update (sa v 3.1.4)

2006-08-03 Thread Theo Van Dinter
On Thu, Aug 03, 2006 at 08:56:42AM -0700, Bret Miller wrote:
> The Mail::SpamAssassin module doc in 3.1.4 doesn't list local_state_dir
> as an option for Mail::SpamAssassin->new. Should it? Is that how an app
> is supposed to pass this information?

Gah!  /me continues cursing JM's addition of local_state_dir

So apparently (unbeknownst to me until just now) there isn't a
local_state_dir override option that can be passed in, you'd have to
set the LOCAL_STATE_DIR macro which will get used ala:

  '__local_state_dir__/spamassassin/__version__',

(where __local_state_dir__ == LOCAL_STATE_DIR, for now)


I'll see if I can fix that for 3.1.5 via bug 4952.

/me grumbles some more

-- 
Randomly Generated Tagline:
"Do not marry a person that you know that you can live with; only marry
 someone that you cannot live without." - Unknown




Re: Looking for advice on rule creation & regular expressions

2006-08-03 Thread Dhawal Doshy

Coffey, Neal wrote:

Logan Shaw wrote:

For what it's worth, I thought all spams of that form were
prescription drug spams, but recently I got one like this as well:

[snip: rolex, tiffany, etc...]


Come to think of it, I've seen one or two of these ones, too, and
totally forgot.  Guess I'll be making rules for these as well...


However, there is one obvious way to do it.  Like this:
...
Since the first and last characters of all four branches are
always the same, you can optimize it a tiny bit by factoring
out the common parts of the branches:

/A(?:.DVI|D.VI|DV.I|DVI.)L/


Ok.  This is looking a little better, then... I've taken your
suggestion, and added the possibilities of repeated characters and
substitutions for "I" into it..

/A(?:.A?DV[Iilj]|D.D?V[Iilj]|DV.V?[Iilj]|DV[Iilj].[Iilj]?)L/

The little bit of testing I threw at it looks good so far.  I'll try it
with the actual prescription drug names, do a bit of testing, and share
my results.  More suggestions for improving the regex are still welcome,
of course :)


How about..
http://www.sandgnat.com/cmos/

- dhawal


Re: Looking for advice on rule creation & regular expressions

2006-08-03 Thread Chris Thielen

Coffey, Neal wrote:

I'm trying to create a rule to catch some of the prescription drug
references that come into our system.  We're not in pharmaceuticals, so
I'm not too concerned about false positives :)

Some examples of what I'm looking for (using an innocent drug so I don't
trip someone else's filters):

ADVwIL
ADxDVIL
ADxV1L
Advjjl
 
  


Have a look at the ReplaceTags plugin:
http://wiki.apache.org/spamassassin/ReplaceTags

Also, I have a script that will generate a rule that catches a lot of 
this type of spam in a similar manner to the ReplaceTags plugin:


http://sandgnat.com/cmos/cmos.jsp?words=advil&matchobfuonly=true&multigapenabled=true&multigap=2&duplicatecharsenabled=true&duplicatechars=2

I've come up with a rule that'll match every one of those instances, but
also has the unfortunate consequence of matching plain old "ADVIL":

/A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?/
  

You probably want to add a negative lookahead, like so:
/(?!\badvil\b)A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?/
This will look ahead for \badvil\b and if found, stop testing the rest 
of the pattern and the match fails.





Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread Kenneth Porter
--On Wednesday, August 02, 2006 2:47 PM -0700 jdow <[EMAIL PROTECTED]> 
wrote:



That slightly more than a year I spent as perhaps one of
the VERY first online stalking victims ever (1985-1987) was a hell
I'd rather not repeat.


Is this written up somewhere? I'd be interested in understanding the threat.




RE: Looking for advice on rule creation & regular expressions

2006-08-03 Thread Coffey, Neal
Logan Shaw wrote:
> For what it's worth, I thought all spams of that form were
> prescription drug spams, but recently I got one like this as well:
> 
> [snip: rolex, tiffany, etc...]

Come to think of it, I've seen one or two of these ones, too, and
totally forgot.  Guess I'll be making rules for these as well...

> However, there is one obvious way to do it.  Like this:
> ...
> Since the first and last characters of all four branches are
> always the same, you can optimize it a tiny bit by factoring
> out the common parts of the branches:
> 
>   /A(?:.DVI|D.VI|DV.I|DVI.)L/

Ok.  This is looking a little better, then... I've taken your
suggestion, and added the possibilities of repeated characters and
substitutions for "I" into it..

/A(?:.A?DV[Iilj]|D.D?V[Iilj]|DV.V?[Iilj]|DV[Iilj].[Iilj]?)L/

The little bit of testing I threw at it looks good so far.  I'll try it
with the actual prescription drug names, do a bit of testing, and share
my results.  More suggestions for improving the regex are still welcome,
of course :)


RE: sa-update (sa v 3.1.4)

2006-08-03 Thread Bret Miller
> On Thu, Aug 03, 2006 at 03:28:05PM +0200, Mark Martinec wrote:
> > Well, this is not entirely true. It is not the SpamAssassin modules
> > that sets a default value for LOCAL_STATE_DIR => '/var/lib' in the
> > SA object, but it is the application program that does it: the
> > spamassassin, sa-update and spamd.
>
> True.
>
> > Which means that other application programs like amavisd-new
> > or other callers of SA modules won't see the rules updates
> > in /var/lib/spamassasin unless explicitly configured to do so ...
>
> You would want to make sure that the third party application you're
> running supports the version of SA you're using, yes.  local_state_dir
> was an API change from 3.1.0, unfortunately, but it's been known about
> for several months now.

The Mail::SpamAssassin module doc in 3.1.4 doesn't list local_state_dir
as an option for Mail::SpamAssassin->new. Should it? Is that how an app
is supposed to pass this information?

Bret





Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread Kenneth Porter
--On Wednesday, August 02, 2006 3:25 PM -0700 jdow <[EMAIL PROTECTED]> 
wrote:



I keep several gigabytes of email data around. With POP3 it is easy
to store locally. With IMAP it's a pain in the .


My boss logs in from several computers, including a laptop he takes 
everywhere. I got tired of keeping all his POP3 mail stores in sync using 
scripts, so I switched him to IMAP, and set Mozilla on his clients to keep 
local mirrors (particularly important for detached work). The wire-level 
work is about the same, but I don't have to maintain a bunch of scripts 
anymore.


It's our server, not an ISP's, so we don't have to worry about size 
constraints. (And this is also an argument for allowing savvy users to 
operate servers at home, to provide high-volume mail storage accessible 
from anywhere in the world.)


Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread MennovB


Kenneth Porter wrote:
> 
> What I don't understand is how making them use the ISP server stops them 
> from spamming any more than rate-limiting direct port 25 connections. Why 
> do the packets need to be reassembled in an MTA and stored and forwarded? 
> What does that step buy you?
> 
I don't want to make the zombies use the ISP's SMTP server, I want to stop
them from spamming.
Right now they can only connect directly to the Internet so if the ISP
blocks direct SMTP outgoing the zombies stop working, they can't deliver
their spam.
Probably they will then be adapted to figure out and use the ISP's SMTP
server, but that makes them easy to detect for the ISP.
Apart from the SMTP-servers from the ISP there may be some other addresses
you legitimately want to access with SMTP, could be serviced by the ISP with
a web-interface where you can configure a certain number of accessible
IP-addresses.

Regards
Menno van Bennekom
-- 
View this message in context: 
http://www.nabble.com/What-changes-would-you-make-to-stop-spamUnited-Nations-Paper-tf2035870.html#a5635088
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: Looking for advice on rule creation & regular expressions

2006-08-03 Thread Logan Shaw

On Thu, 3 Aug 2006, Coffey, Neal wrote:

I'm trying to create a rule to catch some of the prescription drug
references that come into our system.  We're not in pharmaceuticals, so
I'm not too concerned about false positives :)

Some examples of what I'm looking for (using an innocent drug so I don't
trip someone else's filters):

ADVwIL
ADxDVIL
ADxV1L
Advjjl


For what it's worth, I thought all spams of that form were prescription
drug spams, but recently I got one like this as well:

Subject: Re: nunocREjPLICA

OMxEGA
ROxLEX
BRxEITLING
CAxRTIER
BVxLGARI
PAxTEK
TIxFFANY & CO


> Or summed up in English: insertion of a random character, the same thing
> but with a letter repeated, inserted character and "1" (or "l") instead
> of "I", and the recent (and odd) occurrence of "I" replaced with "jj".
>
> I've come up with a rule that'll match every one of those instances, but
> also has the unfortunate consequence of matching plain old "ADVIL":
>
> /A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?/


I'm fairly sure there is no sane way to do this with "?"
operators in a regexp.

However, there is one obvious way to do it.  Like this:

/A.DVIL|AD.VIL|ADV.IL|ADVI.L/

Basically, if there is exactly one extra character, then it will
have to occur in one of 4 positions (in a 5-character word),
assuming it doesn't occur at the very beginning or very end.
So, you have 4 possible paths to take through the regexp,
one for each position that the extra character occurs in.

Since the first and last characters of all four branches are
always the same, you can optimize it a tiny bit by factoring
out the common parts of the branches:

/A(?:.DVI|D.VI|DV.I|DVI.)L/

Hope that helps.

  - Logan
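
The branch-per-position idea from the reply above, as an added example that is not code from the thread: it generates the alternation for any keyword and goes beyond the reply by adding branches for the other variants listed in the question (extra character plus a repeated letter, and look-alike swaps with no insertion). The `LOOKALIKES` table and all function names are assumptions of this example; Python's `re` is used because these constructs behave the same as in Perl-style rules.

```python
import re

# Look-alike replacements seen in the thread's samples: "1" or "l" for "I",
# and "jj" for "I". The table is an assumption of this example; extend per word.
LOOKALIKES = {"i": ["l", "1", "jj"]}

# The factored pattern from the reply, unchanged, for comparison.
REPLY_PATTERN = re.compile(r"A(?:.DVI|D.VI|DV.I|DVI.)L")


def _group(alts):
    """Non-capturing alternation of literal strings."""
    return "(?:" + "|".join(re.escape(a) for a in alts) + ")"


def obfuscation_regex(word, filler="."):
    """Case-insensitive regex for obfuscated spellings of `word`. Every branch
    requires an insertion or a swap, so the plain spelling alone does not match."""
    word = word.lower()
    # Each letter as "itself or one of its look-alikes".
    forms = [_group([c] + LOOKALIKES.get(c, [])) for c in word]
    branches = []
    for i in range(1, len(word)):
        head, tail = "".join(forms[:i]), "".join(forms[i:])
        # One extra character between two letters (the reply's branches).
        branches.append(head + filler + tail)
        # Extra character, then the previous letter repeated (ADxDVIL).
        branches.append(head + filler + forms[i - 1] + tail)
    for i, c in enumerate(word):
        if c in LOOKALIKES:
            # No insertion: one letter swapped for a look-alike (Advjjl).
            swapped = forms[:i] + [_group(LOOKALIKES[c])] + forms[i + 1:]
            branches.append("".join(swapped))
    return re.compile("|".join(branches), re.IGNORECASE)


def caught(regex, samples):
    """Return the samples in which the regex finds a match."""
    return [s for s in samples if regex.search(s)]


# Samples quoted in the thread, plus the plain spelling as a negative control.
SAMPLES = ["ADVwIL", "ADxDVIL", "ADxV1L", "Advjjl", "ADVIL"]

if __name__ == "__main__":
    print("reply pattern:", caught(REPLY_PATTERN, SAMPLES))
    print("generated    :", caught(obfuscation_regex("ADVIL"), SAMPLES))
```

Running it shows which of the four quoted samples each pattern covers; the compiled `.pattern` string can be pasted between the slashes of a rule with the `i` modifier.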


Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread Kenneth Porter
--On Wednesday, August 02, 2006 2:03 PM -0500 Logan Shaw 
<[EMAIL PROTECTED]> wrote:



> What might really be nice is some sort of language that could
> be used to write up a document to configure a mail client for a
> given ISP and user.  It could configure all necessary settings
> and would work with any client, making this a one-step process
> even if 10 or 20 different settings have to be entered.


Is LDAP a reasonable choice for this?

At one point Cyrusoft Mulberry was pushing ACAP, but that doesn't seem to 
have caught on. But it seems like every list I'm on is mentioning LDAP for 
authentication for some service, so maybe email client settings can be 
stored there. One then just configures the LDAP login info. One would need 
to standardize an LDAP schema for this configuration, though.





Re: What changes would you make to stop spam? - United Nations Paper

2006-08-03 Thread Kenneth Porter
--On Wednesday, August 02, 2006 12:02 PM -0700 MennovB <[EMAIL PROTECTED]> 
wrote:



> Anyway, IMHO with SYN throttle you would only be rate-limiting the
> zombies, I would rather they stopped sending spam completely..


What I don't understand is how making them use the ISP server stops them 
from spamming any more than rate-limiting direct port 25 connections. Why 
do the packets need to be reassembled in an MTA and stored and forwarded? 
What does that step buy you?





Looking for advice on rule creation & regular expressions

2006-08-03 Thread Coffey, Neal
I'm trying to create a rule to catch some of the prescription drug
references that come into our system.  We're not in pharmaceuticals, so
I'm not too concerned about false positives :)

Some examples of what I'm looking for (using an innocent drug so I don't
trip someone else's filters):

ADVwIL
ADxDVIL
ADxV1L
Advjjl
 
Or summed up in English: insertion of a random character, the same thing
but with a letter repeated, inserted character and "1" (or "l") instead
of "I", and the recent (and odd) occurrence of "I" replaced with "jj".

I've come up with a rule that'll match every one of those instances, but
also has the unfortunate consequence of matching plain old "ADVIL":

/A[a-z]?A?D[a-z]?D?V[a-z]?V?[Il1j][a-z]?[Il1j]?L[a-z]?L?/

Now, I'm by no means a regular expression guru.  I'm hoping someone on
this list can help me refine this a bit, either by sharing a method of
making it match the obfuscated name without matching the unobfuscated
name, or even a different approach to the same end.  Any advice?


Re: sa-update error

2006-08-03 Thread Theo Van Dinter
On Thu, Aug 03, 2006 at 04:08:16PM +0100, Nigel Frankcom wrote:
> >> channel: attempt to rm channel pre file failed, attempting to continue
> >> anyway at /usr/bin/sa-update line 694
> >> --lint -D shows no errors, just wondering if I should be concerned?
> 
> I don't use updatedir - just straight sa-update. I'll add detail to
> the ticket

Aha!  I see the issue!  Crap!

Yeah, please open the ticket and I'll get a patch written up.  Dang it.

-- 
Randomly Generated Tagline:
"It timed me out... I hate Windows." - Prof. Farr




Re: Allowing IMAP/POP to Send Email

2006-08-03 Thread Logan Shaw

On Thu, 3 Aug 2006, Marc Perkel wrote:
> Not really - what I'm proposing is that the IMAP connection just pipe the
> message into an SMTP server. The IMAP is acting only as an authenticated
> connection back to SMTP. I'm not suggesting replacing SMTP. What I'm
> suggesting is that POP/IMAP can be used as a transport to get the mail there
> because it's an existing connection, is already established, is already
> authenticated with the credentials of the email account, and it isn't a port
> that people would block like port 25 is.
>
> I'm not trying to replace SMTP. I'm just trying to suggest a better way for
> end users to get outgoing email to the SMTP server.


Yes.  You've already said that.  What you're trying to do
is create an internet where SMTP traffic only occurs between
legitimate servers.  You then claim that if such an internet
existed, there would be a huge impact against spam.  I have
to concur that if that were true, spam would be greatly reduced.

Here's the problem though.  We've got a logical syllogism here:
"If X, then Y."  The "X" is "only legitimate servers speak
SMTP", and the "Y" is "spam will be greatly reduced".

I agree that the "if X, then Y" part of this argument is
sound.  The problem is, for Y to logically follow, you have
to establish X.  A syllogism works like this:

1.  If X, then Y.
2.  X is known to be true.
3.  Therefore, Y is true.

Part 1 is called the major premise.  Part 2 is called the
minor premise.  Part 3 is the conclusion.

Your argument is missing the minor premise.  You have to
establish the minor premise or your argument will have no
validity.

So then, do you wish to give up on your argument, or do you
wish to explain how you're going to accomplish this feat of
making sure that only legitimate servers try to contact other
servers via SMTP?

  - Logan


Re: sa-update error

2006-08-03 Thread Nigel Frankcom
On Thu, 3 Aug 2006 10:06:31 -0400, Theo Van Dinter
<[EMAIL PROTECTED]> wrote:

>On Thu, Aug 03, 2006 at 10:19:44AM +0100, Nigel Frankcom wrote:
>> channel: attempt to rm channel pre file failed, attempting to continue
>> anyway at /usr/bin/sa-update line 694
>> --lint -D shows no errors, just wondering if I should be concerned?
>
>Hrm.  Well, it's one of those "features" as opposed to a bug
>(though I'd appreciate it if you could open a BZ ticket about it:
>http://issues.apache.org/SpamAssassin/).  In short, there's no problem --
>it'll happen the first time you run sa-update in 3.1.4 and you're using
>updatedir to aim at a non-standard (and already existing) location.
>
>The code assumes that certain files should exist if the update directory
>already exists, so when it tries to delete the files and they're not
>there, it shows a warning -- but if this is the first time sa-update
>from 3.1.4 is run, the channel pre file won't exist.

I don't use updatedir - just straight sa-update. I'll add detail to
the ticket

Kind regards

Nigel


Re: sa-update (sa v 3.1.4)

2006-08-03 Thread Theo Van Dinter
On Thu, Aug 03, 2006 at 03:33:59PM +0100, Mike Bostock wrote:
> OK Now I am really confused.  Do I assume that SpamAssassin looks in
> /var/lib/spamassassin// for rules definitions and not
> /usr/share/spamassassin?

Right -- if the update directory exists, SA will use that instead of the
default rules directory.

-- 
Randomly Generated Tagline:
"It was entirely possible to read a Russian novel during the pause
 between stepping on the gas and feeling any semblance of forward motion."
 - Unknown about the AMC Gremlin




Re: sa-update (sa v 3.1.4)

2006-08-03 Thread Theo Van Dinter
On Thu, Aug 03, 2006 at 10:15:47AM -0400, Will Nordmeyer wrote:
> If I run sa-update without any other parameters, it'll create an update 
> dir put the updates in it and spamassassin will use the generated 
> updates dir by default (do I need to restart SA, or does sa-update 
> handle that?).

Yes.  As for restart, sa-update won't do that for you.

> If I use the --updatedir parameter I have to go into SA and rewrite it 
> to use my updatedir.

Or otherwise include the new config files in some other way ala in
/etc/mail/spamassassin/local.cf (or a similarly named file):

include /where/I/want/updates/to/be/channel.cf

I forgot to mention this in my previous mail, sorry.

> If I use --updatedir and point it to the SA default rules dir, I'm 
> screwed.

Not screwed, but you'll break some parts of SpamAssassin, yes.  The
default rules directory is meant to be written to during installation
and that's it.  In the end, you can do what you want with it, but if you
remove critical files, you shouldn't expect things to work correctly.

> Have I summarized sa-update usage properly?

You're intimating that sa-update sucks, where IMHO the problems described
here are with its usage and an expectation that the software in general
should DWIM as opposed to DWIS.

In general, if you don't like how something works, feel free to open a
ticket and provide a patch. :)

-- 
Randomly Generated Tagline:
"There's not much you can do to ruin strips of marinated boneless chicken
 breast sauteed with onions and green peppers."
   - the Center for Science in the Public Interest about Chicken Fajitas




Re: Am I wasting my time with SpamCop?

2006-08-03 Thread Andrzej Adam Filip
[EMAIL PROTECTED] writes:

> On Wed, 2 Aug 2006, Andrzej Adam Filip wrote:
>
>> "Steven W. Orr" <[EMAIL PROTECTED]> writes:
>>
>> > On Wednesday, Aug 2nd 2006 at 13:50 -0700, quoth Derek Harding:
>> >
>> > =>On Wed, 2006-08-02 at 16:37 -0400, Tom Ray wrote:
>> > =>> Anyone serious about stopping SPAM should not use SpamCop. They have no
>> > =>> real checking method, it's like AOL's spam blocking method...they just
>> > =>> let users submit what they think is spam and then block it. It's
>> > =>> pointless. There's not even a way to contact anyone at SpamCop to fix a
>> > =>> falsely listed server or what not.
>> > =>
>> > =>Spamcop has its problems, some very serious, however the above
>> >
>> > Hold on there Bullwinkle! I have been religiously using spamcop in the
>> > hopes that the reports that are sent out get used by at least some of the
>> > ISPs. Am I wrong about this?
>>
>> They help keep *good* ISPs clean. Bad ISPs care very little.
>> I assume I receive <1% of received spam from good ISPs.
>>
>> It is not a bad idea to post copies of spamcop.net submitted spam (after
>> munging) to NANAS with spamcop.net report link.
>
> I like to think that I'm a "good ISP", but I've had at least one of my
> servers listed a few times by them.  They delist in 24 hours, but there
> are still people who reject using SpamCop as a BL.  I do not recommend
> this.
>
> Spamcop lists any server that bounces email into one of their spam traps.
> I contacted them via their newsgroups and they are adamant that no server
> should ever bounce email or have any kind of autoreply.
>
> While I agree that bouncing (as opposed to rejecting) email because it is
> detected as spam or a virus is very bad, they're basically insisting that
> you violate RFCs 2821 and 3464.  If you have customer autoresponders,
> you're SOL.  If you host mailing lists that uses an autoreply confirmation
> (itself an anti-spam measure), you're SOL.  They insist that this is "bad
> behavior".  I insist that it's necessary for my business and in
> compliance with all applicable RFCs.
>
> I use them in SA...2.0 score, which I lowered from 3.5 when I noticed that
> yahoo groups were listed.  But the only BLs I reject against are sbl-xbl,
> which catches a big chunk with virtually no false positives.
>
> James Smallacombe   PlantageNet, Inc. CEO and Janitor
> [EMAIL PROTECTED] 
> http://3.am

I and Steven were talking about using spamcop.net for spam reporting to
the responsible ISP. You talk about spam blocking/scoring. 

-- 
[pl2en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]


Re: Am I wasting my time with SpamCop?

2006-08-03 Thread Andrzej Adam Filip
David Baron <[EMAIL PROTECTED]> writes:

> On Wednesday 02 August 2006 23:09, Zinski, Steve wrote:
>> I use SpamCop to report my spam.
>>
>> I use the SpamHaus RBL as a first line of defense then I use
>> SpamAssassin to catch the rest of the spam coming to my server.
>>
>> Am I wasting my time? Should I just delete low-scoring spam and let the
>> honeypots harvest and report to the various RBLs, or should I keep
>> reporting spam via SpamCop (which wastes a lot of my time).
>
> SpamCop has disabled subscriptions to mailing lists several times because of 
> erroneous alerting. I have reported them to my provider's "abuse" handlers. I 
> therefore do not recommend SpamCop.

Make a *clear* distinction between three basic ways of using spamcop.net:
1) email blocking at MTA level [may be controversial cause of "zero+ tolerance"]
2) scoring by SpamAssassin [score may be decreased or zeroed]
3) spam *reporting* (automatization of sending LARTs) [*I recommend it*]

-- 
[pl2en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]


Re: sa-update (sa v 3.1.4)

2006-08-03 Thread Mark Martinec
Theo,

> > to change Mail::SpamAssassin to provide a suitable default
> > for LOCAL_STATE_DIR. Please consider this a feature request.
>
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4952  :)

Appreciated!

> > # sa-update --updatedir /usr/local/share/spamassassin
>
> Warning: This will break your installation -- there are files in
> def_rules_dir that aren't in the updates, and sa-update will be
> happy to delete all of the files in the directory for you.
> local_state_dir and def_rules_dir are not interchangeable.

Ouch, thanks. Sorry for spreading false suggestions.

  Mark


Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

2006-08-03 Thread Matthias Keller
Theo Van Dinter wrote:
> On Thu, Aug 03, 2006 at 02:14:38PM +0200, Matthias Keller wrote:
>   
>> I downloaded the archive for 3.1.0 and there's no Timeout.pm at all - so
>> i guess this has been introduced in 3.1.1 or so..?
>> 
>
> Correct, it was added into 3.1.1 (bug 4696).
>
>   
>> Does anyone know if it's safe to let it away?
>> 
>
> I haven't looked at the plugin -- if the Timeout code is not actively being
> used by the plugin, then you should be able to just comment out the line.
>   
Hmm it seems to be used, at least I find one occurrence of
Mail::SpamAssassin::Timeout in the .pm file

#
# Limit the scantime
#
$permsgstatus->enter_helper_run_mode();
my $timer = Mail::SpamAssassin::Timeout->new({ secs =>
$self->{main}->{conf}->{ocrtext_timeout} });
my $err = $timer->run_and_catch(sub {
..

So I guess this plugin really only runs from 3.1.1 onwards??
> The flip side is, why are you still running 3.1.0? ;)
>   
I know, but this is a productive system and I'll have to test an upgrade
first on the test server as I can't take any risks on that server...
But an upgrade is on top of my to do list

Matt



Re: GIF Spam -- Setting up the 'OCR scanner and image validator SA-plugin'

2006-08-03 Thread Stuart Johnston

Davin Flatten wrote:
> Just thought this might help someone out.  Thanks to M. Blapp for an
> excellent SA Plugin.  Optical Character Recognition (OCR) can be used to
> nab those pesky spam messages that are hidden in gif,jpeg, or png images...


This OCR stuff looks promising.  Any comments on performance?  How much extra load does it put on a 
server?




Re: sa-update (sa v 3.1.4)

2006-08-03 Thread Mike Bostock
In your message regarding Re: sa-update (sa v 3.1.4) dated Thu, 3 Aug 2006
15:16:42 +0100, Obantec Support said that ...


>OS- - Original Message -
>OS- From: "Theo Van Dinter" <[EMAIL PROTECTED]>
>OS- To: 
>OS- Sent: Thursday, August 03, 2006 3:01 PM
>OS- Subject: Re: sa-update (sa v 3.1.4)

>OS- Hi Theo

>OS- you're right, I just ran sa-update and it updated the
>OS- /var/lib/spamassassin/3.001003 folder files.

>OS- Mark


OK Now I am really confused.  Do I assume that SpamAssassin looks in
/var/lib/spamassassin// for rules definitions and not
/usr/share/spamassassin?


--
Mike




Re: Allowing IMAP/POP to Send Email

2006-08-03 Thread Chris Lear

* Marc Perkel wrote (03/08/06 14:39):
> Tony Finch wrote:
>> The reason that message submission is done with SMTP is because of the
>> number of SMTP extensions that the MUA will want to use, in particular
>> DSNs, deliver-by, deliver-after, message tracking, and whatever else may
>> be invented in the future. If you want to make message submission a part
>> of IMAP and POP then you'll have to re-do all these SMTP extensions twice,
>> which is a colossal waste of time.
>
> Not really - what I'm proposing is that the IMAP connection just pipe
> the message into an SMTP server. The IMAP is acting only as an
> authenticated connection back to SMTP. I'm not suggesting replacing
> SMTP. What I'm suggesting is that POP/IMAP can be used as a transport to
> get the mail there because it's an existing connection, is already
> established, is already authenticated with the credentials of the email
> account, and it isn't a port that people would block like port 25 is.
>
> I'm not trying to replace SMTP. I'm just trying to suggest a better way
> for end users to get outgoing email to the SMTP server.


What if I set up an SMTP server at home behind my ADSL router, collect 
my vanity-domain mail there, and access it via IMAP or POP3? It seems I 
only have one option, which is to send my mail via IMAP to my home 
server. Which then sends via SMTP to... the Internet (or via a 
smarthost). And the home server sending via SMTP is going to look a bit 
like a MUA sending via SMTP. How would you tell the difference? Is a 
home mail server outlawed in the brave new world? Or does my SMTP server 
have to learn to talk IMAP to make message submissions to the ISP's server?


Chris


Re: sa-update (sa v 3.1.4)

2006-08-03 Thread Obantec Support

- Original Message - 
From: "Theo Van Dinter" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, August 03, 2006 3:01 PM
Subject: Re: sa-update (sa v 3.1.4)

Hi Theo

you're right, I just ran sa-update and it updated the
/var/lib/spamassassin/3.001003 folder files.

Mark


