Re: DNSing MX to 127.0.0.1: Ruleset (or something) for this?
Ken A wrote:

Don't accept mail for non-existent users. Your MTA should reject it.

Yeah, we should. Not quite there yet. In spite of that, I thought it may be a good test to do anyway. Even if the mail is addressed to an existent user, if the MX for the sender domain is DNSed to the localhost address, there's no way (in my thinking) that it's a legitimate email, unless a clueless admin has accidentally DNSed the MX for their domain to be the localhost address. A mechanism that does what I propose would probably have a pretty short useful life anyway, I suppose - the arms race would move forward, such that spammers wouldn't DNS their MXes to the localhost address when such a test was prevalent in the community.

Hi,

I found a few of these trying to send mails people ordering stuff through the website and then getting an order confirmation etc. It seems that one particular dns provider's web form makes it easy to configure that rubbish, and when I mailed the dns provider about the fact, I had the impression they did not even understand my concerns.

Cure:
a) the web order form checks whether there is an MX or A anyway, so it can also check for 127 or 192.168
b) changes to the MTA so that an unroutable return path is treated as no return path __unless the mail came in from localnet in the first place__

I found a few more stupid admin setups as well ... like a municipal authority sending their incoming mail back to the government mx that just scanned the mail for them.

Wolfgang Hamann
Re: DNSing MX to 127.0.0.1: Ruleset (or something) for this?
Guy Waugh wrote:

The above stuff appears in my logs when, for example, our MX receives spam for an unknown local user and tries to bounce the mail back to the sender.

You should not accept mail for unknown local users because bouncing it to a mostly faked sender means you're sending out collateral spam. (And why do you accept mail with a non-existent sender in the first place?)

-thh
Re: Rule for non-DK-signed mail from yahoo
Mark Martinec writes:

Thanks Justin and Daryl.

(a) Is From:addr rather than EnvelopeFrom:addr the right header to use?

I'd say yes. DK signs the message, not the envelope. I'm pretty sure the current milters look for a From: header to decide on what selector/etc to use.

Right, DK (as well as DKIM) uses addresses in the header, not envelope. DK would choose Sender if it exists, otherwise a From, to obtain the signer domain. DKIM is more sophisticated (could use Resent-From,...), but basically, for direct mail the From header field is the most important one.

(b) are Y! signing all mail? I would have assumed some systems are not yet using DK.

This is a key question here. I'd hope yes, since Yahoo was the leading proponent in establishing this technology (now aiming for DKIM). Although their policy record still says 'testing' and 'signs SOME mail':

  $ host -t txt _domainkey.yahoo.com
  t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys

I think they are just conservative, trying to avoid some broken recipient's mailer from rejecting their genuine mail, or to avoid problems with mailing lists invalidating signatures when their user posts there.

In 3.1.x, you have to set priority manually, unfortunately, to be higher than both of the subrules. in 3.2.x, it'll do that automatically for you.

Thanks for the info.

Personally I'd cut the score in half.

Ok, perhaps.

Slow DNS could cause FPs -- I've seen it happen on mail from rogers.com which Y! runs.

Interesting. Further experience is welcome. The _domainkey.yahoo.com TXT policy record has TTL set to two hours, and one of their public keys (s1024._domainkey.yahoo.com) has a lifetime of 24 hours - so a local caching DNS resolver is likely to retrieve the policy from its cache, or from any one of the 5 registered Yahoo name servers. As far as I can tell, it is a global Yahoo thing, not something pertaining to one or another of their servers.

What about gmail.com? They seem to be signing their mail too (see: host -t txt beta._domainkey.gmail.com) but also avoid full commitment in their policy (no policy = default policy). Any experience there?

ah. Here's another one that just occurred to me -- (c): if you're keying off the From: header, watch out for mailing list traffic that appends a footer to the body. That will cause a verification failure, and fire the rule.

in other words:
- sender @ yahoo.com sends mail to mailmanlist @ somelist.com;
- mailmanlist @ somelist.com appends the mailman footer to the body text/plain part;
- recipient gets message, reads From addr, verifies DK sig, which now fails.

--j.
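An added example (not code from any poster, from SpamAssassin or from a DK milter): a sketch of how the policy record quoted above could gate a rule for unsigned or failing mail, including the mailing-list footer case. It reads the o= and t= tags with their DomainKeys meanings ('-' signs all mail, '~' signs some, t=y testing) and takes the verifier's result as a parameter instead of checking the signature; the messages, the strict.example record and the result labels are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups at _domainkey.<domain>.
# The yahoo.com value is the record quoted in the thread; strict.example is made up.
POLICY_TXT = {
    "yahoo.com": r"t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys",
    "strict.example": "o=-",
}


def parse_dk_policy(txt):
    """Split a policy record into tags, undoing the backslash-escaped
    semicolons that `host` prints."""
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def policy_domain(msg):
    """Domain whose policy applies: Sender if present, otherwise From."""
    for header in ("Sender", "From"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None


def dk_rule_weight(raw_message, sig_ok, policy_txt=POLICY_TXT):
    """Label how hard a 'no valid DK signature' rule should hit.

    sig_ok: True = signature verified, False = verification failed,
            None = no signature present (result supplied by a real verifier).
    Labels (hypothetical): verified, no-penalty, reduced, full.
    """
    if sig_ok:
        return "verified"
    msg = message_from_string(raw_message)
    domain = policy_domain(msg)
    tags = parse_dk_policy(policy_txt.get(domain, "")) if domain else {}
    signs_all = tags.get("o", "~") == "-"   # no record means the default, '~'
    testing = "y" in tags.get("t", "")
    if not signs_all or testing:
        # The domain does not promise to sign everything, or is still testing.
        return "no-penalty"
    if msg.get("List-Id"):
        # A list that appends a footer invalidates the original signature.
        return "reduced"
    return "full"


def sample(from_addr, list_id=None):
    """Build a constructed test message."""
    headers = [f"From: {from_addr}", "Subject: test"]
    if list_id:
        headers.append(f"List-Id: {list_id}")
    return "\n".join(headers) + "\n\nbody\n"


if __name__ == "__main__":
    print(dk_rule_weight(sample("user@yahoo.com"), None))
    print(dk_rule_weight(sample("user@strict.example"), None))
    print(dk_rule_weight(sample("user@strict.example", "<l.somelist.example>"), False))
```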
Re: Rule for non-DK-signed mail from yahoo
in other words:
- sender @ yahoo.com sends mail to mailmanlist @ somelist.com;
- mailmanlist @ somelist.com appends the mailman footer to the body text/plain part;
- recipient gets message, reads From addr, verifies DK sig, which now fails.

FWIW, I've seen a few mails that had multiple DK signatures, apparently as the result of going through a DK signed mailing list when the original message had also been signed.

Loren
Re: Rule for non-DK-signed mail from yahoo
Loren Wilton writes:

in other words:
- sender @ yahoo.com sends mail to mailmanlist @ somelist.com;
- mailmanlist @ somelist.com appends the mailman footer to the body text/plain part;
- recipient gets message, reads From addr, verifies DK sig, which now fails.

FWIW, I've seen a few mails that had multiple DK signatures, apparently as the result of going through a DK signed mailing list when the original message had also been signed.

yeah, I think if the list re-signs the message, that's ok, because it then doesn't matter if the internal signature fails (there being no need to check that). That may be a DKIM interpretation btw.

--j.
Re: Using SA to prevent bouncing spam?
On 14.08.2006 at 19:48, Sanford Whiteman [EMAIL PROTECTED] wrote:

Hi, in order to avoid bouncing spam back to the (almost certainly) faked sender-addresses, I thought I could use SA directly:

What's your MTA and/or SA-invoking app? Surely it is easier to have that agent parse SA's feedback (headers, subject mod or score) in deciding the final disposition of the msg than to try to trick the MTA into dumping the mail.

I use Qmail. To obtain the above, I must patch with spam-control or similar. I'd rather do something simpler.

Please elaborate on the use case in which you can't use MTA processing rules to prevent backscatter, given that you trust SA markup completely here, right?

I realize that I did not explain my setup sufficiently in the original post:

I run a qmail frontend for a FirstClass system. The qmail accepts mail for about 500 domains, hosted on the FirstClass system, and scans them with SA. It then injects them into FirstClass. If the domain is known, but the user is wrong (as in [EMAIL PROTECTED]) the mail is rejected on smtp-level by FirstClass. Qmail then generates a bounce back to the original sender. In case of spam, original sender is faked and we have backscatter.

I know qmail-ldap could be of some use here, but I have no way of setting up an ldap-server that knows legitimate FirstClass addresses (FirstClass itself could do it, but it is running at 99% capacity most of the time, so no go. Exporting addresses from FirstClass won't do either, as there are forum-addresses that won't export).

This is a classic MTA frontend problem, but I'm afraid I'm stuck with it.

I trust SA enough, that I would suppress all bounces generated by undeliverable mails that SA believes to be spam. I thought that if spamassassin would insert Reply-to: in any spam message, this would do the trick. It turns out I misread http://cr.yp.to/proto/mailloops.txt, confusing replier and bouncer. A replier will use Reply-To: before envelope-sender but a bouncer will not.
On 15.08.2006 at 03:56, John Andersen [EMAIL PROTECTED] wrote:

On Monday 14 August 2006 01:44, Ole Nomann Thomsen wrote:

Hi, in order to avoid bouncing spam back to the (almost certainly) faked sender-addresses, I thought I could use SA directly:

Why would you bounce spam, with or without spamassassin?

My original post wasn't clear: I *don't* want to bounce spam. And I don't want undeliverable spam to generate bounces. The question was (or should have been) how to avoid the latter in a simple way.

On 15.08.2006 at 04:21, David B Funk [EMAIL PROTECTED] wrote:

Other people have already commented on the issue of bouncing spam. One detail that I think you don't understand, mail routing is controlled by the envelope-sender and envelope-recipient addresses, the addresses in the headers are ignored for that purpose. In most configurations SA only gets to see/change the headers, it does not get to mess with the envelope addresses at all. Thus even if you could get SA to change the header addresses it wouldn't have your desired effect.

You're absolutely right. As mentioned above, I confused repliers and bouncers.

- Ole (thoroughly castigated, thus enlightened :-)
Re: Using SA to prevent bouncing spam?
Ole Nomann Thomsen wrote:

I run a qmail frontend for a FirstClass system. The qmail accepts mail for about 500 domains, hosted on the FirstClass system, and scans them with SA. It then injects them into FirstClass. If the domain is known, but the user is wrong (as in [EMAIL PROTECTED]) the mail is rejected on smtp-level by FirstClass. Qmail then generates a bounce back to the original sender. In case of spam, original sender is faked and we have backscatter.

I know qmail-ldap could be of some use here, but I have no way of setting up an ldap-server that knows legitimate FirstClass addresses (FirstClass itself could do it, but it is running at 99% capacity most of the time, so no go. Exporting addresses from FirstClass won't do either, as there are forum-addresses that won't export).

This is a classic MTA frontend problem, but I'm afraid I'm stuck with it.

While I don't really see why ldap isn't an option, even with a 99% load, callout might be the solution. However, I don't run qmail but here's how it works with exim http://www.exim.org/exim-html-4.62/doc/html/spec_html/ch39.html#SECTcallver

Regards, Andreas
Re: Using SA to prevent bouncing spam?
On Tuesday 15 August 2006 10:46, Ole Nomann Thomsen wrote:

I run a qmail frontend for a FirstClass system. The qmail accepts mail for about 500 domains, hosted on the FirstClass system, and scans them with SA. It then injects them into FirstClass. If the domain is known, but the user is wrong (as in [EMAIL PROTECTED]) the mail is rejected on smtp-level by FirstClass. Qmail then generates a bounce back to the original sender. In case of spam, original sender is faked and we have backscatter.

Consider switching to qpsmtpd instead of qmail-smtpd, and use a real-time recipient verification tool, instead of living with QMail's 'accept everything, then bounce' methods. Or a plugin that can read a static list of valid users exported from FirstClass.
Re: Using SA to prevent bouncing spam?
On 15.08.2006 at 12:01, Andreas Pettersson [EMAIL PROTECTED] wrote:

While I don't really see why ldap isn't an option, even with a 99% load, callout might be the solution. However, I don't run qmail but here's how it works with exim http://www.exim.org/exim-html-4.62/doc/html/spec_html/ch39.html#SECTcallver

Yeah, that is pretty neat. But the Firstclass system is running at 99% capacity on the E-mail injection too. I mean, we are really pumping it in, trying to level the peak-period and everything. Performing callouts will probably cause it to emit strange noises and smoke.
Re: Using SA to prevent bouncing spam?
On Tuesday 15 August 2006 11:28, Ole Nomann Thomsen wrote:

Yeah, that is pretty neat. But the Firstclass system is running at 99% capacity on the E-mail injection too. I mean, we are really pumping it in, trying to level the peak-period and everything. Performing callouts will probably cause it to emit strange noises and smoke.

Static goodrcptto lists are what you need then - assuming your FC user list doesn't change very often, you could do a nightly export from FC to flatfile/hashed file and feed that file to qmail. At that point though, we're beyond SA, and off topic :)
Re: Using SA to prevent bouncing spam?
Ole Nomann Thomsen wrote:

On 15.08.2006 at 12:01, Andreas Pettersson [EMAIL PROTECTED] wrote:

While I don't really see why ldap isn't an option, even with a 99% load, callout might be the solution. However, I don't run qmail but here's how it works with exim http://www.exim.org/exim-html-4.62/doc/html/spec_html/ch39.html#SECTcallver

Yeah, that is pretty neat. But the Firstclass system is running at 99% capacity on the E-mail injection too. I mean, we are really pumping it in, trying to level the peak-period and everything. Performing callouts will probably cause it to emit strange noises and smoke.

Why would it? It would generate the same amount of connect attempts to FC as it already does today, but the spam gets rejected instead of accepted and then bounced.

Regards, Andreas
spampd performance on a relay mail server
Is anyone out there using spampd? I've been trying to set up a Spamassassin relay mail server and I'm really having performance issues. Our incoming MTA is averaging about 3 messages per second. I would think that Spamassassin could keep up with that just fine. Is anyone else having problems with spampd and performance?
Re: spampd performance on a relay mail server
Dennis Teel wrote:

Is anyone out there using spampd? I've been trying to set up a Spamassassin relay mail server and I'm really having performance issues. Our incoming MTA is averaging about 3 messages per second. I would think that Spamassassin could keep up with that just fine. Is anyone else having problems with spampd and performance?

How much memory have you got in the machine... I normally recommend 1GB per 'core' (Pentium HT=1.5 cores). Also check what network/DNS based tests you are doing...

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
RE: spampd performance on a relay mail server
Dennis Teel wrote:

Is anyone out there using spampd? I've been trying to set up a Spamassassin relay mail server and I'm really having performance issues. Our incoming MTA is averaging about 3 messages per second. I would think that Spamassassin could keep up with that just fine. Is anyone else having problems with spampd and performance?

What are the specs on your server? What options do you use with spamd?

SA tends to be a memory hog. The more add-on rulesets and plugins you use, the bigger each process becomes. Usually, the limiting factor for SA is memory, not CPU speed. Check your memory usage when the system becomes slow. If it's swapping, lower the number of spamd children, restart spamd and continue monitoring.

-- Bowie
Re: DNSing MX to 127.0.0.1: Ruleset (or something) for this?
On Tue, 15 Aug 2006, Guy Waugh wrote:

Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287: SYSERR(root): localhost.fabulous.com. config error: mail loops back to me (MX problem?)

Do people actively combat this somehow?

Exim has a feature ignore_target_hosts which causes it to strip certain IP addresses from the list of MX hosts for a domain. I use it to block all abusive or unreachable MXs (listed below). This kicks in when Exim is doing address verification at SMTP time, for example

  sender verify fail for [EMAIL PROTECTED]: all relevant MX records point to non-existent hosts

  0.0.0.0/8       # this net
  10.0.0.0/8      # RFC 1918
  127.0.0.0/8     # this host
  169.254.0.0/16  # link-local
  172.16.0.0/12   # RFC 1918
  192.0.2.0/24    # example net
  192.168.0.0/16  # RFC 1918
  198.18.0.0/15   # benchmark net
  224.0.0.0/3     # multicast reserved

It would probably be good to augment this list with bogon or hijacked address space, but then it would be more work to keep up-to-date.

Tony.
--
f.a.n.finch [EMAIL PROTECTED] http://dotat.at/
FISHER: WEST OR NORTHWEST 4 OR 5 BECOMING VARIABLE 3 OR 4. FAIR. MODERATE OR GOOD.
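An added example (not Exim's code and not from any poster): the check described in this message, combined with Wolfgang Hamann's suggestion earlier in the thread to treat an unroutable return path as no return path unless the mail came in from the local net. The DNS data is a constructed dictionary of example domains, and the function names, result labels and the default local network are assumptions made for illustration.

```python
import ipaddress

# Networks from the ignore_target_hosts list quoted above.
IGNORED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/3",
)]

# Constructed DNS data (example domains, not real lookups).
MX = {
    "loopback.example": [(10, "localhost.loopback.example")],
    "mixed.example": [(10, "mail1.mixed.example"), (20, "mail2.mixed.example")],
    "private.example": [(10, "mail.private.example")],
}
A = {
    "localhost.loopback.example": ["127.0.0.1"],
    "mail1.mixed.example": ["127.0.0.1"],
    "mail2.mixed.example": ["203.0.113.25"],
    "mail.private.example": ["192.168.1.10"],
    "nomx.example": ["198.51.100.7"],
}


def is_ignored(addr):
    """True if addr falls in one of the ignored networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in IGNORED_NETS)


def usable_mx_addresses(domain, mx_records, a_records):
    """Return (host, address) pairs left after stripping ignored addresses.

    Falls back to the domain's own A record when there is no MX record.
    """
    hosts = [host for _, host in sorted(mx_records.get(domain, []))]
    if not hosts:
        hosts = [domain]
    usable = []
    for host in hosts:
        for addr in a_records.get(host.rstrip(".").lower(), []):
            if not is_ignored(addr):
                usable.append((host, addr))
    return usable


def check_return_path(sender, client_ip, mx_records, a_records,
                      local_nets=("192.168.0.0/16",)):
    """Classify an envelope sender at SMTP time.

    Returns 'null-sender', 'local-client', 'routable' or 'unroutable'.
    A caller would reject 'unroutable', or accept it and never bounce to it.
    """
    if sender in ("", "<>"):
        return "null-sender"
    client = ipaddress.ip_address(client_ip)
    if any(client in ipaddress.ip_network(n) for n in local_nets):
        # Mail submitted from the local net may legitimately use private MXs.
        return "local-client"
    domain = sender.rsplit("@", 1)[-1].lower()
    if usable_mx_addresses(domain, mx_records, a_records):
        return "routable"
    return "unroutable"


if __name__ == "__main__":
    for sender in ("a@loopback.example", "a@mixed.example", "a@nomx.example"):
        print(sender, check_return_path(sender, "203.0.113.9", MX, A))
```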
Re: Using SA to prevent bouncing spam?
Andreas Pettersson wrote:

Ole Nomann Thomsen wrote:

I run a qmail frontend for a FirstClass system. The qmail accepts mail for about 500 domains, hosted on the FirstClass system, and scans them with SA. It then injects them into FirstClass. If the domain is known, but the user is wrong (as in [EMAIL PROTECTED]) the mail is rejected on smtp-level by FirstClass. Qmail then generates a bounce back to the original sender. In case of spam, original sender is faked and we have backscatter.

I know qmail-ldap could be of some use here, but I have no way of setting up an ldap-server that knows legitimate FirstClass addresses (FirstClass itself could do it, but it is running at 99% capacity most of the time, so no go. Exporting addresses from FirstClass won't do either, as there are forum-addresses that won't export).

This is a classic MTA frontend problem, but I'm afraid I'm stuck with it.

While I don't really see why ldap isn't an option, even with a 99% load, callout might be the solution. However, I don't run qmail but here's how it works with exim http://www.exim.org/exim-html-4.62/doc/html/spec_html/ch39.html#SECTcallver

Regards, Andreas

chkuser for qmail, think 'Milter-Ahead' on steroids. http://www.interazioni.it/opensource/chkuser/

If you want to check a static list of users, try validrcptto, http://qmail.jms1.net/patches/validrcptto.cdb.shtml

I use both, they work great, using SA to stop the backscatter after the fact is not the best way to go about this. I wouldn't worry about the high load on your FirstClass system, stop the spam from getting past the qmail server and your load will likely drop considerably. If you get as much spam as we do anyway ;^)

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
RE: spampd performance on a relay mail server
From: Dennis Teel [mailto:[EMAIL PROTECTED]

At 08:05 AM 8/15/2006, you wrote:

Dennis Teel wrote:

Is anyone out there using spampd? I've been trying to set up a Spamassassin relay mail server and I'm really having performance issues. Our incoming MTA is averaging about 3 messages per second. I would think that Spamassassin could keep up with that just fine. Is anyone else having problems with spampd and performance?

What are the specs on your server? What options do you use with spamd?

SA tends to be a memory hog. The more add-on rulesets and plugins you use, the bigger each process becomes. Usually, the limiting factor for SA is memory, not CPU speed. Check your memory usage when the system becomes slow. If it's swapping, lower the number of spamd children, restart spamd and continue monitoring.

I'm not using spamd, I'm using spampd: http://www.worlddesign.com/index.cfm/rd/mta/spampd.htm

Interesting. I haven't used that program, but based on the description, it should have the same type of memory requirements as spamd, so my suggestions still apply.

-- Bowie
Re: [Maia-users] SA BAYES TIMING INFO
(This message is now CC'd to both maia-users and spamassassin mailing lists)
(Continuing the thread in SpamAssassin ML RE: slow sql bayes store)

Alexandre Ghisoli wrote:

DB Server
Actually, we got perfs problem with this one, probably related to Software RAID - new LSI Raid cards ordered
PostgreSQL 8.1.4
AMD Opteron 3GHz
1GB RAM
2x IDE HDD, software raid

0.000 0 124718 0 non-token data: ntokens

2006-08-15 09:57:55 Maia: [process-quarantine-sub] TIMING [total 24368 ms] - msg-prep: 2 (0%), train-bayes: 23700 (97%), delete-mail: 666 (3%), rundown: 0 (0%)

Ok. This looks like the best example yet of what I'm looking for. Good job presenting that data. :)

Furthermore, from the parts I have quoted above, I think I can say without a doubt that *something* is messed up here. Even with software raid, that box should be able to handle learning a message faster than 24 seconds. Actually, unless you get a very good card, the opty might be able to handle the raid stuff better than many hardware raid cards. 124k rows should not be a problem for a database. I'm really thinking there's an algorithm problem within the bayes learning code. It's making too many sql calls, or has a big 'O' problem... something.

(spamassassin folks, the original full message is archived at http://www.renaissoft.com/pipermail/maia-users/2006-August/007188.html)

To the spamassassin mailing list: These results seem typical of the reports I have seen. It has spanned both mysql and postgresql, several OS's, SCSI or IDE, RAID or not. The only consistent thing is that it is slow. There is also a general consensus that it seems like it got really slow around the time 3.x was installed, though we haven't yet had any solid reports to go back and forth and test it empirically.

--
David Morton
Maia Mailguard - http://www.maiamailguard.com
Morton Software Design and Consulting - http://www.dgrmm.net
Re: SARE sa-update channels available!
I noticed a number of people have been trying to update the 70_sare_whitelist_spf.cf ruleset. In case any one had missed it mentioned in this thread, the ruleset is broken upstream (it's missing some required ifplugin lines) so updating that ruleset/channel will fail until it is fixed.

Daryl

On 8/13/2006 4:19 AM, Daryl C. W. O'Shea wrote:

Hello all,

For those of you interested in SpamAssassin's sa-update, I've created sa-update channels for all of the rules found at the SpamAssassin Rules Emporium website (http://www.rulesemporium.com/rules.htm).

Brief directions for use are as follows:

- download the channels' GPG key from: http://daryl.dostech.ca/sa-update/sare/GPG.KEY
- import that key into sa-update's keyring:
    sa-update --import GPG.KEY
- add the channels you want to a channel file (text file):
    updates.spamassassin.org
    70_sare_adult.cf.sare.sa-update.dostech.net
    70_sare_spoof.cf.sare.sa-update.dostech.net
    etc...
- run sa-update -- tell it to use your channel file and to trust the channels' GPG key:
    sa-update --channelfile your-channel-file.txt --gpgkey 856AA88A

Slightly more verbose directions are available here: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt

Also note that you'll want to remove any of the SARE rulesets updated above from your local site directory (often /etc/mail/spamassassin/) to keep them from overriding the ones installed by sa-update.

Regards, Daryl
about value of max-children
Hello I use spamassassin as test. My mail server handles mails about 200 K in a day. What should I set value of the --max-children num in spamd ? I think the -m value is 5 as default. When I type perl -MSocket -e'print SOMAXCONN' I see 128 on display. Thanks
Re: about value of max-children
On 8/15/2006 10:01 AM, Halid Faith wrote: Hello I use spamassassin as test. My mail server handles mails about 200 K in a day. What should I set value of the --max-children num in spamd ? I think the -m value is 5 as default. When I type perl -MSocket -e'print SOMAXCONN' I see 128 on display. Thanks Start with budgeting 50MB of available RAM per child. If you start swap thrashing decrease the max number of children. Daryl
Re: [Maia-users] SA BAYES TIMING INFO
could it be that local_tests_only is *not* set to 1? in other words, that network results are being used in bayes training? That slows things down quite a lot.

--j.

David Morton writes:

(This message is now CC'd to both maia-users and spamassassin mailing lists)
(Continuing the thread in SpamAssassin ML RE: slow sql bayes store)

Alexandre Ghisoli wrote:

DB Server
Actually, we got perfs problem with this one, probably related to Software RAID - new LSI Raid cards ordered
PostgreSQL 8.1.4
AMD Opteron 3GHz
1GB RAM
2x IDE HDD, software raid

0.000 0 124718 0 non-token data: ntokens

2006-08-15 09:57:55 Maia: [process-quarantine-sub] TIMING [total 24368 ms] - msg-prep: 2 (0%), train-bayes: 23700 (97%), delete-mail: 666 (3%), rundown: 0 (0%)

Ok. This looks like the best example yet of what I'm looking for. Good job presenting that data. :)

Furthermore, from the parts I have quoted above, I think I can say without a doubt that *something* is messed up here. Even with software raid, that box should be able to handle learning a message faster than 24 seconds. Actually, unless you get a very good card, the opty might be able to handle the raid stuff better than many hardware raid cards. 124k rows should not be a problem for a database. I'm really thinking there's an algorithm problem within the bayes learning code. It's making too many sql calls, or has a big 'O' problem... something.

(spamassassin folks, the original full message is archived at http://www.renaissoft.com/pipermail/maia-users/2006-August/007188.html)

To the spamassassin mailing list: These results seem typical of the reports I have seen. It has spanned both mysql and postgresql, several OS's, SCSI or IDE, RAID or not. The only consistent thing is that it is slow. There is also a general consensus that it seems like it got really slow around the time 3.x was installed, though we haven't yet had any solid reports to go back and forth and test it empirically.

--
David Morton
Maia Mailguard - http://www.maiamailguard.com
Morton Software Design and Consulting - http://www.dgrmm.net
Re: [Maia-users] SA BAYES TIMING INFO
Justin Mason wrote:

could it be that local_tests_only is *not* set to 1? in other words, that network results are being used in bayes training? That slows things down quite a lot.

As far as I can see, there's no connection... bayes wouldn't have any use for that. Plus, in some error logs, I'm getting a stack trace that shows it times out in _put_tokens which is pretty much the database side of things.

--
David Morton
Maia Mailguard - http://www.maiamailguard.com
Morton Software Design and Consulting - http://www.dgrmm.net
RE: spampd performance on a relay mail server
Dennis Teel wrote: My server is a brand new P4 with 1 GB of RAM. I'm using the default options with SA and have added Razor2. Please keep SA questions on the list. I'm not an expert, just another user. There are lots of other people who read the list who may have good advice for you as well. As I just finished posting in another thread, my system is a P4 2.8 w/ 1GB RAM. It runs a mailserver, SpamAssassin, ClamAV, Amavisd, and some other stuff. I can run about 5 spamd children before I start having performance problems. Every server is different. Everything depends on how much memory you have, what other programs are running, and how much memory your spampd processes are using. Do what I suggested previously. Watch your memory usage and adjust the number of children up or down until you stop using swap. Once SA starts swapping, your performance goes down the drain very quickly. -- Bowie
Re: SPF and SORBS problems
On 8/14/2006 6:45 PM, Xepher wrote: I've got a server configured with postfix and spamassassin. The mailserver is the only one for the domain, and thus receives mail from other servers, as well as letting users connect directly (with smtp auth) to send mail. Everything works fine, EXCEPT when users send email to each other. In those cases, the emails get tagged both by SPF_FAIL and RCVD_IN_SORBS_DUL as those tests see the email as coming from the user's personal IP address. I've tried whitelist_from_spf [EMAIL PROTECTED] in local.cf, but it doesn't work. Messages still get tagged with SPF_FAIL. I didn't see any similar option for the RBL stuff. Is there any way to do conditional tests, such that SMTP Auth messages get whitelisted? I don't know if there's a way in postfix to add a header only to auth connections? All I could find for postfix was address rewriting stuff, nothing about conditional situations like an authenticated user. Any help would be appreciated, as I'd really rather not disable SPF and RBL completely. Yeah I have that problem as well, who doesn't. ;-) In the short term I just whitelisted the domains that the server is responsible for in local.cf so that all my users would automatically get a -100 added to their score when they send mail. This will nullify any scores added due to SPF and DUL. Example: whitelist_from [EMAIL PROTECTED] The drawback to this is that someone can spam you by forging your own domain but if your domain is protected by something like SPF then there is no worry of that. If you are running Postfix v2.3 you might want to look at this page http://wiki.apache.org/spamassassin/DynablockIssues under the heading 'I'm an ISP, and mails from our customers, using authenticated connections from another ISP, are hitting RCVD_IN_DYNABLOCK.' -- Gino Cerullo Pixel Point Studios 21 Chesham Drive Toronto, ON M3M 1W6 T: 416-247-7740 F: 416-247-7503
Re: Using SA to prevent bouncing spam?
Ole Nomann Thomsen wrote:

On 15.08.2006 at 12:01, Andreas Pettersson [EMAIL PROTECTED] wrote:

While I don't really see why ldap isn't an option, even with a 99% load, callout might be the solution. However, I don't run qmail but here's how it works with exim http://www.exim.org/exim-html-4.62/doc/html/spec_html/ch39.html#SECTcallver

Yeah, that is pretty neat. But the Firstclass system is running at 99% capacity on the E-mail injection too. I mean, we are really pumping it in, trying to level the peak-period and everything. Performing callouts will probably cause it to emit strange noises and smoke.

If your usernames don't change a lot, there's a validrcptto patch that seems to work quite well. John Simpson - http://www.jms1.net - has some good information on this (don't use IE to go there)

I'm using a modified QmailRocks installation (modified because I helped with the Slackware writeup for QMR). I'm modifying further to try to squeeze better performance out of spamassassin and daemonizing.

BW
Lots of bayes_toks.expire warn: bayes: cannot open bayes databases
Dear List, I'm running spamassassin with simscan. The problem I got is that the e-mails that arrive to my server are scanned and forward to their mailboxes, but it seems that the server sending the e-mail doesn't notice that the mail arrived ok, so it sends it over and over getting sometimes 20 copies of the same mail. I think this is happening because my spamassassin is not well configured about the bayes learning, so I also get lots of bayes_toks.expireX files in the scan folder and lots of warn: bayes: cannot open bayes databases /var/spool/simscan/.spamassassin/bayes_* R/W: lock failed: Interrupted system call in the logs. I've been reading the FAQ and googling around but I can't figure out the best configuration. As I could understand, it is convenient when you have a heavy site to tell spamassassin in local.cf bayes_toks.expire=0 and use sa-learn to force an expire on a regular basis via cron. Is that the best option? Does anybody know a better configuration? I'm running the 3.1.3 version with the following options: OPTIONS=--round-robin --create-prefs --max-children 5 --username=simscan under Debian with a 2.6.8 kernel Thanks in advance! 
Agustín ls -l in the scanning folder:
.GIF images without .gif in filename and empty messages
I have two types of spam that are slipping through, and I'm wondering if anyone has rules to help with them. Thanks to the imageinfo plugin, most of my image spam has disappeared except for one particular type. I'm still seeing .gif image spams where the filename for the image does not contain .gif. Like this: Content-Type: image/gif; name=glitter Content-Transfer-Encoding: base64 Content-ID: [EMAIL PROTECTED] The other type of spam I'm seeing are empty messages. They have a single word for a subject, but nothing in the body. About a year ago, I was getting flooded with these, and I solved the problem by using the SARE_HTML_NO_BODY rule from 70_sare_html4.cf. However, this rule does not seem to hit on this recent crop of empty messages. I have no idea why. Is anyone else seeing these, and more importantly, does anyone have a rule for them? Craig
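The mismatch described in the post above (a part declared image/gif whose name carries no .gif suffix) can be checked by comparing the declared type, the attachment name and the leading bytes of the decoded payload. This is an added example, not code from the thread or from the imageinfo plugin; the sample message, the flag names and the function names are constructed for illustration.

```python
import base64
import email
from email import policy

# Leading bytes that identify the image types usually seen in image spam.
MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
EXTENSIONS = {
    "image/gif": (".gif",),
    "image/jpeg": (".jpg", ".jpeg"),
    "image/png": (".png",),
}

# Constructed stub: only the header bytes matter for sniffing.
GIF_STUB = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"


def sniff(payload):
    """Return the image type implied by the leading bytes, or None."""
    for ctype, prefixes in MAGIC.items():
        if payload.startswith(prefixes):
            return ctype
    return None


def audit_images(raw_message):
    """List image parts whose name, declared type and content disagree."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        actual = sniff(payload)
        if declared not in MAGIC and actual is None:
            continue  # not an image by either measure
        # get_filename() falls back to the Content-Type "name" parameter.
        name = part.get_filename() or ""
        flags = []
        if actual is None:
            flags.append("declared-image-but-unknown-content")
        elif actual != declared:
            flags.append("content-is-" + actual)
        effective = actual or declared
        if not name.lower().endswith(EXTENSIONS[effective]):
            flags.append("name-extension-mismatch")
        if flags:
            findings.append((name, declared, flags))
    return findings


def build_sample():
    """Constructed three-part message; the first part mirrors the post."""
    b64 = base64.b64encode(GIF_STUB).decode("ascii")
    parts = [
        "image/gif; name=glitter",
        'image/jpeg; name="photo.jpg"',
        'image/gif; name="ok.gif"',
    ]
    lines = [
        "From: sender@example.com",
        "To: rcpt@example.com",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="XYZ"',
        "",
    ]
    for ctype in parts:
        lines += ["--XYZ", "Content-Type: " + ctype,
                  "Content-Transfer-Encoding: base64", "", b64]
    lines += ["--XYZ--", ""]
    return "\r\n".join(lines).encode("ascii")


if __name__ == "__main__":
    for finding in audit_images(build_sample()):
        print(finding)
```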
Re: Rule for non-DK-signed mail from yahoo
Mark Martinec writes: Thanks Justin and Daryl. (a) Is From:addr rather than EnvelopeFrom:addr the right header to use? I'd say yes. DK signs the message, not the envelope. I'm pretty sure the current milters look for a From: header to decide on what selector/etc to use. Right, DK (as well as DKIM) uses addresses in the header, not envelope. DK would choose Sender if it exists, otherwise a From, to obtain the signer domain. DKIM is more sophisticated (could use Resent-From,...), but basically, for direct mail the From header field is the most important one. (b) are Y! signing all mail? I would have assumed some systems are not yet using DK. This is a key question here. I'd hope yes, since Yahoo was the leading proponent in establishing this technology (now aiming for DKIM). Although their policy record still says 'testing' and 'signs SOME mail': $ host -t txt _domainkey.yahoo.com t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys I think they are just conservative, trying to avoid some broken recipient's mailer from rejecting their genuine mail, or to avoid problems with mailing lists invalidating signatures when their user posts there. OK -- someone who would know, tells me: Pretty much all user-generated mail From: yahoo-owned domains is [now] signed, but that's not intended as a statement of spam/non-spam. Bear in mind the list/forwarding issue I also noted; most list installs don't re-sign mails, so an additional exemption for messages that contain List-Id might be worthwhile. mass-check should give a good idea, anyway. Dunno about gmail, yet. --j. In 3.1.x, you have to set priority manually, unfortunately, to be higher than both of the subrules. in 3.2.x, it'll do that automatically for you. Thanks for the info. Personally I'd cut the score in half. Ok, perhaps. Slow DNS could cause FPs -- I've seen it happen on mail from rogers.com which Y! runs. Interesting. Further experience is welcome. 
The _domainkey.yahoo.com TXT policy record has TTL set to two hours, and one of their public keys (s1024._domainkey.yahoo.com) has a lifetime of 24 hours - so a local caching DNS resolver is likely to retrieve the policy from its cache, or from any one of the 5 registered Yahoo name servers. As far as I can tell, it is a global Yahoo thing, not something pertaining to one or another of their servers. What about gmail.com? They seem to be signing their mail too (see: host -t txt beta._domainkey.gmail.com) but also avoid full commitment in their policy (no policy = default policy). Any experience there? Mark
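The decision discussed in this thread (how much weight an unsigned message deserves, given the domain's policy record, the Sender/From choice and the List-Id exemption) can be written out as follows. This is an added example, not a SpamAssassin rule or plugin from the thread; it checks only for the presence of a DomainKey-Signature header and does no cryptographic verification or DNS lookup. The policy table, the verdict names and the sample messages are constructed, and the meaning of o=- (all mail signed) is taken from the DomainKeys specification rather than from the post.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Policy record as shown by "host -t txt _domainkey.yahoo.com" in the post.
YAHOO_POLICY = r"t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys"

# Constructed lookup table standing in for DNS; strict.example is made up.
POLICIES = {"yahoo.com": YAHOO_POLICY, "strict.example": "o=-"}


def parse_dk_policy(txt):
    """Parse a _domainkey.<domain> TXT policy record into a tag dict."""
    tags = {}
    for field in txt.replace("\\;", ";").split(";"):
        key, sep, value = field.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def signer_domain(msg):
    """DK takes the domain from Sender if it exists, otherwise From."""
    header = msg["Sender"] or msg["From"] or ""
    addr = parseaddr(str(header))[1]
    return addr.rpartition("@")[2].lower()


def unsigned_verdict(raw, policies):
    """Classify a message by signature presence and the domain's policy."""
    msg = message_from_string(raw, policy=policy.default)
    if msg["DomainKey-Signature"] is not None:
        return "signed"  # presence only; verification is out of scope here
    domain = signer_domain(msg)
    if domain not in policies:
        return "no-policy"
    if msg["List-Id"] is not None:
        return "list-exempt"  # lists rarely re-sign, as noted in the thread
    tags = parse_dk_policy(policies[domain])
    if tags.get("o", "~") == "-" and tags.get("t") != "y":
        return "strong-signal"  # domain claims to sign everything
    return "weak-signal"  # testing mode or "signs some mail"


# Constructed sample messages.
UNSIGNED = "From: Some User <user@yahoo.com>\nSubject: hi\n\nbody\n"
VIA_LIST = ("From: Some User <user@yahoo.com>\n"
            "List-Id: <users.lists.example>\nSubject: hi\n\nbody\n")
SIGNED = ("DomainKey-Signature: a=rsa-sha1; s=s1024; d=yahoo.com; "
          "b=constructed\nFrom: user@yahoo.com\n\nbody\n")
STRICT = "From: a@strict.example\n\nbody\n"
WITH_SENDER = "Sender: relay@other.example\nFrom: user@yahoo.com\n\nbody\n"

if __name__ == "__main__":
    for raw in (UNSIGNED, VIA_LIST, SIGNED, STRICT, WITH_SENDER):
        print(unsigned_verdict(raw, POLICIES))
```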
rulesdujour question
hi
/etc/rulesdujour/config reads,
[EMAIL PROTECTED] RulesDuJour]# more /etc/rulesdujour/config
TRUSTED_RULESETS=TRIPWIRE SARE_ADULT SARE_OBFU0 SARE_OBFU1 SARE_URI0 SARE_URI1
SA_DIR=/etc/mail/spamassassin
MAIL_ADDRESS=[EMAIL PROTECTED]
SA_RESTART=killall -HUP spamd
Every time we execute rules_du_jour cf files are downloaded into /etc/mail/spamassassin and /etc/mail/spamassassin/RulesDuJour Is this normal? All cf files are duplicates in both these directories and they look so old.
[EMAIL PROTECTED] spamassassin]# ls -l RulesDuJour/
total 428
-rw-r--r-- 1 root root 53868 Apr 20 14:30 70_sare_adult.cf
-rw-r--r-- 1 root root 51886 Oct 2 2005 70_sare_obfu0.cf
-rw-r--r-- 1 root root 106627 Oct 2 2005 70_sare_obfu1.cf
-rw-r--r-- 1 root root 17879 Oct 5 2005 70_sare_uri0.cf
-rw-r--r-- 1 root root 24248 Oct 11 2005 70_sare_uri1.cf
-rw-r--r-- 1 root root 56238 Jun 2 2005 99_FVGT_Tripwire.cf
-rw-r--r-- 1 root root 63479 Jan 30 2006 rules_du_jour
Also what do I need to add to Trusted_rulesets to get image spam working? -- --B.G. Mahesh
FuzzyOCR error on processing gif sample file
Downloaded and installed the latest FuzzyOCR 2.1c Ran the tests and the jpg and png ones worked fine, but for the gif sample I received: spamassassin -t ocr-gif.eml giftopnm: error reading magic number (null): EOF / read error reading magic number Broken pipe I have all the required files in place, any ideas? Other than that the plugin looks good so far. Thanks. Rob
Re: rulesdujour question
On Tuesday August 15 2006 12:41 pm, BG Mahesh wrote: hi /etc/rulesdujour/config reads, [EMAIL PROTECTED] RulesDuJour]# more /etc/rulesdujour/config TRUSTED_RULESETS=TRIPWIRE SARE_ADULT SARE_OBFU0 SARE_OBFU1 SARE_URI0 SARE_URI1 SA_DIR=/etc/mail/spamassassin MAIL_ADDRESS=[EMAIL PROTECTED] SA_RESTART=killall -HUP spamd Everytime we execute rules_du_jour cf files are downloaded into /etc/mail/spamassassin and /etc/mail/spamassassin/RulesDuJour Is this normal? Yes. The rules in /etc/mail/spamassassin are the ones read by SA. All cf files are duplicates in both these directories and they look so old. You really want to list the rules you want updated by RDJ in the /etc/rulesdujour/config file. Some rules are older. [EMAIL PROTECTED] spamassassin]# ls -l RulesDuJour/ total 428 -rw-r--r-- 1 root root 53868 Apr 20 14:30 70_sare_adult.cf -rw-r--r-- 1 root root 51886 Oct 2 2005 70_sare_obfu0.cf -rw-r--r-- 1 root root 106627 Oct 2 2005 70_sare_obfu1.cf -rw-r--r-- 1 root root 17879 Oct 5 2005 70_sare_uri0.cf -rw-r--r-- 1 root root 24248 Oct 11 2005 70_sare_uri1.cf -rw-r--r-- 1 root root 56238 Jun 2 2005 99_FVGT_Tripwire.cf -rw-r--r-- 1 root root 63479 Jan 30 2006 rules_du_jour Also what do I need to add to Trusted_rulesets to get image spam working? Look in recent archives. There have been active discussions about image spam. -- -- B.G. Mahesh HTH. Dimitri
Re: FuzzyOCR error on processing gif sample file
Rob Mangiafico wrote: Downloaded and installed the latest FuzzyOCR 2.1c Ran the tests and the jpg and png ones worked fine, but for the gif sample I received: spamassassin -t ocr-gif.eml giftopnm: error reading magic number (null): EOF / read error reading magic number Broken pipe I have all the required files in place, any ideas? Other than that the plugin looks good so far. Thanks. Rob Hrm, I just ran the same command on the same file and it all worked fine. Can you please tell me the versions of your toolchain? (giflib, netpbm, gocr) Chris
spam inside images
Hello I have the problem that now we are receiving spams and all the content was written in one image attached into the email, in these conditions the rules to check words, phrases, etc., don't work Thanks in advance for any answer Enediel Linux user 300141 Debian GNU/Linux
Re: FuzzyOCR error on processing gif sample file
On Tue, 15 Aug 2006, decoder wrote: Rob Mangiafico wrote: Downloaded and installed the latest FuzzyOCR 2.1c Ran the tests and the jpg and png ones worked fine, but for the gif sample I received: spamassassin -t ocr-gif.eml giftopnm: error reading magic number (null): EOF / read error reading magic number Broken pipe I have all the required files in place, any ideas? Other than that the plugin looks good so far. Thanks. Rob Hrm, I just ran the same command on the same file and it all worked fine. Can you please tell me the versions of your toolchain? (giflib, netpbm, gocr) RHEL 3.8 rpm -q netpbm netpbm-9.24-11.30.4 rpm -q libungif libungif-4.1.0-15.el3.3 from source: giflib-4.1.4.tar.gz gocr-0.40.tar.gz Rob
RE: rulesdujour question
BG Mahesh wrote: hi /etc/rulesdujour/config reads, [EMAIL PROTECTED] RulesDuJour]# more /etc/rulesdujour/config TRUSTED_RULESETS=TRIPWIRE SARE_ADULT SARE_OBFU0 SARE_OBFU1 SARE_URI0 SARE_URI1 There are quite a few good rule sets from SARE. You may want to go to www.rulesemporium.com/rules.htm and read through the descriptions. SARE_STOCKS, in particular, is very useful right now. SA_DIR=/etc/mail/spamassassin MAIL_ADDRESS=[EMAIL PROTECTED] SA_RESTART=killall -HUP spamd Everytime we execute rules_du_jour cf files are downloaded into /etc/mail/spamassassin and /etc/mail/spamassassin/RulesDuJour Is this normal? All cf files are duplicates in both these directories and they look so old. That is normal. SA will read its rules from /etc/mail/spamassassin. /etc/mail/spamassassin/RulesDuJour is used by RDJ in its update process. [EMAIL PROTECTED] spamassassin]# ls -l RulesDuJour/ total 428 -rw-r--r-- 1 root root 53868 Apr 20 14:30 70_sare_adult.cf -rw-r--r-- 1 root root 51886 Oct 2 2005 70_sare_obfu0.cf -rw-r--r-- 1 root root 106627 Oct 2 2005 70_sare_obfu1.cf -rw-r--r-- 1 root root 17879 Oct 5 2005 70_sare_uri0.cf -rw-r--r-- 1 root root 24248 Oct 11 2005 70_sare_uri1.cf -rw-r--r-- 1 root root 56238 Jun 2 2005 99_FVGT_Tripwire.cf -rw-r--r-- 1 root root 63479 Jan 30 2006 rules_du_jour Don't worry about this directory. RDJ will take care of it. Also what do I need to add to Trusted_rulesets to get image spam working? Razor2 can help with image spam. You may also want to take a look at the fuzzyocr plugin. There have been lots of discussions about it on the list recently. -- Bowie
Re: spam inside images
enediel gonzalez wrote: Hello I have the problem that now we are receiving spams and all the content was written in one image attached into the email, in these conditions the rules to check words, phrases, etc., don't work Thanks in advance for any answer Enediel Linux user 300141 Debian GNU/Linux Check out http://wiki.apache.org/spamassassin/FuzzyOcrPlugin Chris
Re: FuzzyOCR error on processing gif sample file
Rob Mangiafico wrote: On Tue, 15 Aug 2006, decoder wrote: Rob Mangiafico wrote: Downloaded and installed the latest FuzzyOCR 2.1c Ran the tests and the jpg and png ones worked fine, but for the gif sample I received: spamassassin -t ocr-gif.eml giftopnm: error reading magic number (null): EOF / read error reading magic number Broken pipe I have all the required files in place, any ideas? Other than that the plugin looks good so far. Thanks. Rob Hrm, I just ran the same command on the same file and it all worked fine. Can you please tell me the versions of your toolchain? (giflib, netpbm, gocr) RHEL 3.8 rpm -q netpbm netpbm-9.24-11.30.4 rpm -q libungif libungif-4.1.0-15.el3.3 from source: giflib-4.1.4.tar.gz gocr-0.40.tar.gz Rob Your netpbm seems very old, I am using 10.34. This could be the cause, try the newest version, though I can't guarantee that this is the cause. If that doesn't work, try saving the gif image from the ocr-gif.eml sample and run the commands manually over the file to see which step fails. Chris
How to give score a message which was learnt with sa-learn --spam ?
Hi I use spamassassin 3.1.1 How can I give a high score to some messages I have taught to my server with sa-learn --spam /directory ? Thanks
Re: .GIF images without .gif in filename and empty messages
Thanks to the imageinfo plugin, most of my image spam has disappeared except for one particular type. I'm still seeing .gif image spams where the filename for the image does not contain .gif. Like this: Are you using the latest version that 'decoder' posted? I'm pretty sure he added code to handle improper file type suffixes. (Of course he might not handle the no suffix case.) Content-Type: image/gif; name=glitter The other type of spam I'm seeing are empty messages. They have a single word I haven't noticed any of these on my system, but they should be easy enough to catch. Without seeing one I can't guess why the empty body rule would be failing. Can you post one as a txt message someplace? Loren
Antiword Rules
Does anyone have an anti word based PM/CF file-set? I don't want to reinvent the wheel if I don't need to. Thanks. --Michel Vaillancourt Wolfstar Systems
Re: How to give score a message which was learnt with sa-learn --spam ?
On Tue, 15 Aug 2006, Halid Faith wrote: How can I give a high score to some messages I have taught to my server with sa-learn --spam /directory ? sa-learn adds the words in those messages to the Bayes database, in this case as signs of spam. They are not used to directly score messages, but rather to help the Bayes analysis to decide how spammy future messages look based on those words. If there are spammy phrases in those messages that you'd like to look for in future messages, then you need to write custom rules to test for them and assign them a score. -- John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- The difference is that Unix has had thirty years of technical types demanding basic functionality of it. And the Macintosh has had fifteen years of interface fascist users shaping its progress. Windows has the hairpin turns of the Microsoft marketing machine and that's all. -- Red Drag Diva ---
FuzzyOCR Config
Hi Folks, I installed the ocrtext plugin yesterday, and although running it doesn't appear to block any of the GIF spams I receive, it's analyzing them, just not coming up with anything. So I just found the FuzzyOcr plugin, but it doesn't seem to be executed by spamd. I added a --debug=FuzzyOcr to the end of my spamd command line, but I don't see any debug messages from FuzzyOcr. With a similar command line for ocrtext I could see it looking at GIFs. I couldn't find any config details, is there anything I need to do other than drop the files into the /etc/mail/spamassassin directory to have spamassassin load the plugin. I ran spamassassin -D --lint, and here is grep of the fuzzy related messages. [EMAIL PROTECTED] spamassassin]# grep -i fuzzy lint.out [6315] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf [6315] dbg: plugin: fixed relative path: /etc/mail/spamassassin/FuzzyOcr.pm [6315] dbg: plugin: loading FuzzyOcr from /etc/mail/spamassassin/FuzzyOcr.pm [6315] dbg: plugin: registered FuzzyOcr=HASH(0x986b7e4) [6315] dbg: plugin: FuzzyOcr=HASH(0x986b7e4) implements 'parse_config' [6315] dbg: plugin: registering glue method for dummy_check (FuzzyOcr=HASH(0x986b7e4)) [6315] dbg: plugin: registering glue method for check_fuzzy_ocr (FuzzyOcr=HASH(0x986b7e4)) Am I missing something obvious here? Cheers, Mark. -- View this message in context: http://www.nabble.com/FuzzyOCR-Config-tf2110728.html#a5819470 Sent from the SpamAssassin - Users forum at Nabble.com.
Re: FuzzyOCR Config
pdxbrit wrote: Hi Folks, I installed the ocrtext plugin yesterday, and although running it doesn't appear to block any of the GIF spams I receive, it's analyzing them, just not coming up with anything. So I just found the FuzzyOcr plugin, but it doesn't seem to be executed by spamd. I added a --debug=FuzzyOcr to the end of my spamd command line, but I don't see any debug messages from FuzzyOcr. With a similar command line for ocrtext I could see it looking at GIFs. I couldn't find any config details, is there anything I need to do other than drop the files into the /etc/mail/spamassassin directory to have spamassassin load the plugin. I ran spamassassin -D --lint, and here is grep of the fuzzy related messages. [EMAIL PROTECTED] spamassassin]# grep -i fuzzy lint.out [6315] dbg: config: read file /etc/mail/spamassassin/FuzzyOcr.cf [6315] dbg: plugin: fixed relative path: /etc/mail/spamassassin/FuzzyOcr.pm [6315] dbg: plugin: loading FuzzyOcr from /etc/mail/spamassassin/FuzzyOcr.pm [6315] dbg: plugin: registered FuzzyOcr=HASH(0x986b7e4) [6315] dbg: plugin: FuzzyOcr=HASH(0x986b7e4) implements 'parse_config' [6315] dbg: plugin: registering glue method for dummy_check (FuzzyOcr=HASH(0x986b7e4)) [6315] dbg: plugin: registering glue method for check_fuzzy_ocr (FuzzyOcr=HASH(0x986b7e4)) Am I missing something obvious here? Cheers, Mark. I assume you did restart spamd? If so, set the verbose level in FuzzyOcr.cf to 2, that enables debug messages and creates debug out files in the current directory which contain the recognized format and the recognized text. Try running then spamassassin -t somesample and spamc -R somesample Try using the samples from my site (sample-mails.tar.gz) to verify it is working Chris
Re: Antiword Rules
Michel Vaillancourt wrote: Does anyone have an anti word based PM/CF file-set? I don't want to reinvent the wheel if I don't need to. Thanks. --Michel Vaillancourt Wolfstar Systems I wanted to implement the functions into FuzzyOcr maybe, and rename the plugin somehow. Or create a separate plugin for that, whatever you people want. But if you want to write it, feel free to do so :) I didn't start yet :) Currently I am working on a postfix hashcash stamper so this could still take a while until it is finished :) Chris
Weird behaviour after disabling sa-learn
Hi, I have been doing some testing with SA - Using maildrop to do the spam scanning. In my maildrop script I was playing around with calling 'sa-learn --sync spam' every time spam was detected and 'sa-learn --sync ham' when messages were clean. I had this running for a while to see what kind of impact/improvement this had if any. I then came to the conclusion that there seemed to be no point in teaching bayes spam when SA already knows it's spam, so I disabled the sa-learn calls. All good. Until I looked at my spam graphs - (generated with qmailmrtg7). I have attached my graph so you can see the precise moment that I disabled sa-learn. The load on the machine plummeted (expected) - but the graphs also indicated that the number of mails scanned (clean + spam) had significantly decreased. I am hoping that this is some type of error with qmailmrtg7 reporting, because obviously (to management) something looks seriously wrong. Any advice here would be appreciated -- Regards, Scott Ryan Telkom Internet - Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -
Re: .GIF images without .gif in filename and empty messages
Quoting Loren Wilton [EMAIL PROTECTED]: Thanks to the imageinfo plugin, most of my image spam has disappeared except for one particular type. I'm still seeing .gif image spams where the filename for the image does not contain .gif. Like this: Are you using the latest version that 'decoder' posted? I'm pretty sure he added code to handle improper file type suffixes. (Of course he might not handle the no suffix case.) Didn't decoder post the OCR stuff? I thought imageinfo was posted by Dallas. Anyway, regardless, I think I may be running an older version. I'll check it and upgrade if necessary. The other type of spam I'm seeing are empty messages. They have a single word I haven't noticed any of these on my system, but they should be easy enough to catch. Without seeing one I can't guess why the empty body rule would be failing. Can you post one as a txt message Sure: http://pastebin.com/769187 Note that I am aware that I am running an older version of SA (3.0.x). Unfortunately, upgrading is not feasible at this time. Thanks for any help or advice you can give! Craig
Re: dreaming of a plugin ....
Bookworm writes: [EMAIL PROTECTED] wrote: that analyzes and scores email addresses: we have big companies that give their employees more or less random strings as email addresses (but length will not be extremely long) Otherwise we have email addresses that somehow are built from a person's name, (e.g first.last, f.last, last17f or similar), and we have addresses that are a person's nick, or otherwise relate to its hobby or profession. In rare cases someone would make an email address from the name of some celebrity. Now something that seems to be typical for spam are display names that look like a person's name along with email addresses that look like a different person's name, and often seems to belong to a different language. The hypothetical plugin would have to find out whether the mail addy looks like a name, whether the display name looks like a name as well, and only in that case determine whether the names have anything in common Wolfgang Hamann Or simply a plugin that scans for more than three numeric characters in the first portion of the email address. On one of the boards I host and maintain, I frequently see things like [EMAIL PROTECTED] (yes, plural). I get them in spams as well. The reason I said more than three is that I know that with AOL and similar, you get stuff like [EMAIL PROTECTED] - because of all the bobs. Of course, you could simply tell it to ignore @aol/hotmail/excite - the major boards that do this. If nothing else, it'd be a nice test to increase the probability of spam. we used to have rules to match these -- not sure if they're still about -- check in 20_head_tests.cf. --j. Hi, I am aware of the too many digits etc rules. From a German perspective, t-online.de and gmx.net should be added to the category suggests a 3digit number when trying to use your first name similar to aol/hotmail, so I would not see a bobby351@ as a real spam indicator. This one certainly is, however: From: Mrs. Abigail Beagle [EMAIL PROTECTED] It features a display name that looks like a person's name, along with an email that looks like a different person's name As for the hotmails - I have made it a habit in php webforms to check whether the visitor's domain exists - it seems to catch quite a few silly mail addresses Wolfgang Hamann
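The two tests proposed in this thread (more than three digits in the local part, with an exemption for providers that hand out numeric suffixes, and a display name that looks like one person alongside an address that looks like another) can be sketched as a From: header check. This is an added example, not an existing SpamAssassin plugin or rule; the "looks like a name" heuristics, the flag names and the sample addresses are assumptions made for illustration, and the exempt list expands the provider names mentioned in the posts to full domains.

```python
import re
from email.utils import parseaddr

HONORIFICS = {"mr", "mrs", "ms", "miss", "dr", "prof"}
# Providers named in the thread where a numeric suffix is normal.
DIGIT_EXEMPT = {"aol.com", "hotmail.com", "excite.com",
                "t-online.de", "gmx.net"}


def name_tokens(display):
    """Lower-case alphabetic words of the display name, minus honorifics."""
    words = re.findall(r"[a-z]+", display.lower())
    return [w for w in words if w not in HONORIFICS]


def related(display_tokens, local_tokens):
    """True if any name token (3+ letters) occurs on the other side."""
    joined_local = "".join(local_tokens)
    joined_display = "".join(display_tokens)
    if any(len(t) >= 3 and t in joined_local for t in display_tokens):
        return True
    return any(len(t) >= 3 and t in joined_display for t in local_tokens)


def from_header_flags(from_header):
    """Return heuristic flags for one From: header value."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    flags = []
    # Test 1: more than three digits, unless the provider makes that normal.
    if sum(c.isdigit() for c in local) > 3 and domain not in DIGIT_EXEMPT:
        flags.append("many-digits")
    # Test 2: both sides look like a person's name but share nothing.
    d_tokens = name_tokens(display)
    l_tokens = [t for t in re.split(r"[._-]", local) if t.isalpha()]
    display_is_name = len(d_tokens) >= 2
    # Assumption: first.last style with full words; f.last is left alone.
    local_is_name = len(l_tokens) >= 2 and all(len(t) >= 3 for t in l_tokens)
    if display_is_name and local_is_name and not related(d_tokens, l_tokens):
        flags.append("name-mismatch")
    return flags


# Constructed samples; the address in the post itself was redacted.
SAMPLES = [
    '"Mrs. Abigail Beagle" <kurt.hoffmann@example.com>',
    '"Abigail Beagle" <a.beagle@example.com>',
    "bob20061@aol.com",
    "bob20061@example.com",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, from_header_flags(sample))
```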
Re: FuzzyOCR Config
decoder wrote: I assume you did restart spamd? If so, set the verbose level in FuzzyOcr.cf to 2, that enables debug messages and creates debug out files in the current directory which contain the recognized format and the recognized text. Try running then spamassassin -t somesample and spamc -R somesample Try using the samples from my site (sample-mails.tar.gz) to verify it is working Chris Hi Chris, Thanks for the quick reply. Looks like I have a couple of problems, first was it wasn't picking up giffix, and I've now fixed that. Your sample emails generate hits, and now create debug files in the local directory. My own test email doesn't seem to generate a hit, here's the debug. Looks like gocr just doesn't come up with anything useful for it. [EMAIL PROTECTED] ~]# cat debug.6808.focr File type: 1 lnside keing negs fic iniestcsghi i fl f tfff gfflh t t i i t i l t l x ir i i i i tx i li l x i i i x t i i x h tl tc tcs gsc l l n hl c h i n dl tc dudci dns h i i l l t ilk lc nn ltc rccc li sci ngsh k t tc k hl t k ct lii lil n l l tll k scdng li dl nn cul di nglii l l l l l lic ln cjiil c t loo ll iloc i wc ol ic liil mlon tj lt i q i j tj jt i ltt l trthj ij ji ti tj t j l i jj ij i tjta ji it q ili lt it tjtlil li llq lt tlli lt tlj i ttiji t ltjilaj t lljl ajlll ttlt hjj q jt it jilt ni t q l l ah l ccl nr c ccl s h r li l s n llrl s cl ls ti ic r li l li il rln c c r li ir h nris ln ch ccl n ch r hc ccllccl nc li r l rc n r li l cl sl lccl nr ch c s s c cl t rlii l rl tr ccl nr n s l cc rs n ch n c l i trl r s ch s s r li ir h n cl c n i I've uploaded the image file that was attached to that email. http://www.nabble.com/user-files/322/bell.gif The only other problem I have is that running from spamd it doesn't create debug file, but I do get this error message. Aug 15 12:45:00 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 178, GEN11 line 712. 
Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 1. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 2. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 3. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 4. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 5. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 6. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 7. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 8. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 9. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 10. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 11. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 12. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 13. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 14. 
Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 15. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 16. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 17. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 18. cheers, Mark.
Re: bayes not run on some mail
On Monday 14 August 2006 11:02, Nigel Frankcom took the opportunity to say: On Mon, 14 Aug 2006 01:52:33 -0700, jdow [EMAIL PROTECTED] wrote: (I manually train here. I distrust automatic training.) {^_^} I agree with not autotraining, imo it's a damned good way to get your bayes poisoned. With beast's error I got the impression only _some_ mails were being missed which would imply either a file lock issue or not enough child processes? Autotraining should be completely safe *if* you are able to relearn all miscategorised mail. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: FuzzyOCR Config
pdxbrit wrote: decoder wrote: I assume you did restart spamd? If so, set the verbose level in FuzzyOcr.cf to 2, that enables debug messages and creates debug out files in the current directory which contain the recognized format and the recognized text. Try running then spamassassin -t somesample and spamc -R somesample Try using the samples from my site (sample-mails.tar.gz) to verify it is working Chris Hi Chris, Thanks for the quick reply. Looks like I have a couple of problems, first was it wasn't picking up giffix, and I've now fixed that. Your sample emails generate hits, and now create debug files in the local directory. My own test email doesn't seem to generate a hit, here's the debug. Looks like gocr just doesn't come up with anything useful for it. [EMAIL PROTECTED] ~]# cat debug.6808.focr File type: 1 lnside keing negs fic iniestcsghi i fl f tfff gfflh t t i i t i l t l x ir i i i i tx i li l x i i i x t i i x h tl tc tcs gsc l l n hl c h i n dl tc dudci dns h i i l l t ilk lc nn ltc rccc li sci ngsh k t tc k hl t k ct lii lil n l l tll k scdng li dl nn cul di nglii l l l l l lic ln cjiil c t loo ll iloc i wc ol ic liil mlon tj lt i q i j tj jt i ltt l trthj ij ji ti tj t j l i jj ij i tjta ji it q ili lt it tjtlil li llq lt tlli lt tlj i ttiji t ltjilaj t lljl ajlll ttlt hjj q jt it jilt ni t q l l ah l ccl nr c ccl s h r li l s n llrl s cl ls ti ic r li l li il rln c c r li ir h nris ln ch ccl n ch r hc ccllccl nc li r l rc n r li l cl s l lccl nr ch c s s c cl t rlii l rl tr ccl nr n s l cc rs n ch n c l i trl r s ch s s r li ir h n cl c n i I've uploaded the image file that was attached to that email. http://www.nabble.com/user-files/322/bell.gif The only other problem I have is that running from spamd it doesn't create debug file, but I do get this error message. Aug 15 12:45:00 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 178, GEN11 line 712.
Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 1. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 2. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 3. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 4. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 5. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 6. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 7. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 8. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 9. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 10. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 11. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 12. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 13. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 14. 
Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 15. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 16. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 17. Aug 15 12:45:01 ravenwood spamd[6632]: print() on closed filehandle DEBUG at /etc/mail/spamassassin/FuzzyOcr.pm line 197, OCR_DATA line 18. cheers, Mark. Hey again, I have analyzed your image with my gocr, and I get: samples # gocr -i bell.gif ) Trading ,4lert for FRID,4Y, ,4UGUST ll! ,4 M,4_oR PR C,4MP,4IGN IS lNDERW,4Y! Some vey EXPLOSIVE G,4INS are eqe_ed!. i. !.
Spamd not able to drop root privileges at arbitrary times
Greetings all, I have a bit of a mystery. Recently, I installed spamassassin on a new server. Everything seems to be working fine, except for one little hitch. It seems that arbitrarily, spamd is unable to drop root privileges. Here's the relevant log message: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody at /usr/sbin/spamd line 1150, GEN1596 line 4. This generates a few other subsequent errors, but I believe this to be the crux of the problem. Here's some background information to fill in the gaps... I'm invoking spamc from .procmailrc files for each individual user, which (to my understanding) sends the username and mail message to the spamd daemon for processing. 95% of the time, spamd is able to drop root privileges and perform perfectly. It seems that arbitrarily, however, this error is generated when it is unable to. This happens for the same user, but I'm not quite sure why sometimes it can drop root privileges and other times it can't. I've tried placing the -u username in the call to spamc, with the same results...about 95% success rate, the rest of the times are those arbitrary cases where it can't drop root privileges. Also, it is (or might be) important to note that I see no setuid to root succeeded messages in my logs, so either it's being invoked as root initially, or not at all. I'll do my best to answer any additional questions, and look forward to hopefully some helpful pointers! I'm running: Debian Sarge SpamAssassin version 3.1.0 running on Perl version 5.8.4 Thanks in advance. Best Regards, Ryan -- Ryan Steele Systems Administrator [EMAIL PROTECTED] AgoraNet, Inc. (302) 224-2475 314 E. Main Street, Suite 1 (302) 224-2552 (fax) Newark, DE 19711http://www.agora-net.com
Re: Spamd not able to drop root privileges at arbitrary times
On Tue, 15 Aug 2006, Ryan Steele wrote:

spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody at /usr/sbin/spamd line 1150, GEN1596 line 4.

<aol>Me, too!</aol> It happens to me pretty regularly. I don't have any per-user configs set up.

I'm running: Debian Sarge SpamAssassin version 3.1.0 running on Perl version 5.8.4

Linux FC4, SA 3.1.3, Perl 5.8.6 In 3.1.3 it appears to have moved to line #1148.

--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The difference is that Unix has had thirty years of technical types demanding basic functionality of it. And the Macintosh has had fifteen years of interface fascist users shaping its progress. Windows has the hairpin turns of the Microsoft marketing machine and that's all. -- Red Drag Diva
---
Re: Blocking based on ALL IPs in the header
On Tuesday 08 August 2006 21:32, Rob McEwen (PowerView Systems) took the opportunity to say:

Just thought y'all would be interested to know that I just spent about 45 minutes trying to convince an I.T. guy at one of the largest regional banks in my area that a spam filter should ONLY check the IP address of the sending mail server against RBLs, NOT every single IP contained within the header. I told him that often, dynamically assigned IPs will show up in blacklists even if they've never sent spam and I explained that on any given day, a person's own computer can get reassigned a blacklisted IP which was previously used by a spammer or by a worm-infected computer even if that computer has never had a worm and the user never had sent a spam.

It depends on the blacklist. Some, like Spamhaus SBL, only list IP addresses known to be operated by spammers (and not unsuspecting home users with hijacked computers). SA scores mail with such IP addresses in ANY Received line. For other lists, the first hop is ignored unless it's the *only* hop.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
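The per-list hop selection described in the reply above, as an added example that is not part of the original post and is not SpamAssassin's own code. The zone names, the policy labels and all addresses are constructed for illustration, and the lookup is a local table instead of a DNS query.

```python
import ipaddress

# Constructed zones. One lists only spammer-operated addresses, the other
# lists dynamic/end-user ranges. The policy labels are invented for this example.
LISTS = {
    "spammer-operated.dnsbl.example": "any-hop",
    "dynamic-ranges.dnsbl.example": "skip-first-hop",
}

# Constructed listings, stored as the DNS names a resolver would be asked for.
LISTED = {
    "25.113.0.203.dynamic-ranges.dnsbl.example",    # 203.0.113.25, a reassigned home IP
    "7.100.51.198.spammer-operated.dnsbl.example",  # 198.51.100.7
}


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def ips_to_check(received_ips, policy):
    """Pick the hops a list should be asked about.

    received_ips runs from the first hop (the originating client) to the
    last hop (the host that connected to our MX).
    """
    hops = list(received_ips)
    if policy == "any-hop":
        return hops
    if policy == "skip-first-hop":
        # The first hop is ignored unless it is the only hop.
        return hops if len(hops) == 1 else hops[1:]
    raise ValueError("unknown policy: %s" % policy)


def blacklist_hits(received_ips, lists=LISTS, listed=LISTED):
    """Return (zone, ip) pairs for every listed hop the policy allows checking."""
    hits = []
    for zone, policy in lists.items():
        for ip in ips_to_check(received_ips, policy):
            if dnsbl_query_name(ip, zone) in listed:
                hits.append((zone, ip))
    return hits


if __name__ == "__main__":
    # Home user on a previously abused dynamic IP, sending through an ISP relay.
    print(blacklist_hits(["203.0.113.25", "192.0.2.10"]))
    # Same IP connecting straight to the MX: it is the only hop, so it is checked.
    print(blacklist_hits(["203.0.113.25"]))
```

Passing `lists={"dynamic-ranges.dnsbl.example": "any-hop"}` reproduces the check-every-IP policy from the quoted message and flags the relayed home user.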
Re: Spamd not able to drop root privileges at arbitrary times
On Tue, Aug 15, 2006 at 05:12:42PM -0400, Ryan Steele wrote:

hitch. It seems that arbitrarily, spamd is unable to drop root privileges. Here's the relevant log message: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody at /usr/sbin/spamd line 1150, GEN1596 line 4.

The message generally means that either the user calling spamd doesn't exist on the spamd server, or more likely spamc is being called by root and for security reasons spamd switches to nobody.

--
Randomly Generated Tagline: Thinking hard can lead to social problems, such as chess. - Dogbert
Re: FuzzyOCR Config
decoder wrote:

Hey again,

I have analyzed your image with my gocr, and I get:

samples # gocr -i bell.gif
) Trading ,4lert for FRID,4Y, ,4UGUST ll! ,4 M,4_oR PR C,4MP,4IGN IS lNDERW,4Y! Some vey EXPLOSIVE G,4INS are eqe_ed!. i. !. Tc,r,,.?,d,,e,,l,},.?,t.e,_.,feri,?,.a.,,,i,umr,est,,l.,l,,.,,;_',(,?.,_,,.,,c,,.,,,. ( tua) h')g i'rice_. 'm).m C'l)._)ge Tl)ursd.a) _. (). l ì l Tl' (_r.i. '.3ì__n) Eqmred TradingRan_ Around S5.OO .r.r.r This one is _ing ro r_e ofr.r nnn _cr QuJcK _ND rR_DE our rHE rop nnn We all know it's the big announcements that make these gems mOVe. We believe the time to get in is now. t l ,1tL_I7 tI7i,s c)r7e gc) 17igI7er_ ,1r7d 17igI7er_ ,111 ,_) l().,_\_'rH,_'

Probably your gocr is older, it is very important to always use the newest version of this tool. I've seen major differences in recognition between different versions. What version do you use?

I can only speculate about the debug errors but my guess would be: spamd is running as a different user and is not able to create the debug out file (wherever it tries to create them) because of wrong permissions. Try looking into that :)

Chris

Interesting. I re-ran gocr by hand and received the same analysis that you did. I'm running 0.4 which I downloaded from the sourceforge website yesterday. Anyway, I'm not sure what just changed, (I'm pretty sure I didn't change anything this time - I restarted spamd several times, but had restarted it several times before), but I'm now successfully rating images for spam! This is an incredibly cool, and very useful plugin. Thanks very much for all your help Chris.

Cheers, Mark.
FuzzyOCR install issues
Chris, I am in the process of installing and testing FuzzyOcr, but i am having some issues with netpbm. I installed netpbm via yum and have version netpbm-10.25-2.EL4.2 installed now. the problem is that giftopnm, jpegtopnm, and pngtopnm are nowhere to be found on the system. any suggestions? I'm on RHEL 4.1 Thanks, Devin
Re: FuzzyOCR install issues
Ok, I installed libjpeg-devel, libpng-devel, and libtiff-devel, then I DL and compiled netpbm-10.34 from source. It all went well, and now I have all 3 of those converter executables on my system. I then ran some tests on your sample mails. The gif sample works great. - exactly like in your README file.

The png sample gives me this error:

/usr/local/netpbm/bin/pngtopnm: symbol lookup error: /usr/local/netpbm/bin/pngtopnm: undefined symbol: pnm_allocrow
ERROR pnm.c L213: read

and the jpeg sample gives me this error:

jpegtopnm: WRITING PPM FILE
/usr/local/netpbm/bin/jpegtopnm: symbol lookup error: /usr/local/netpbm/bin/jpegtopnm: undefined symbol: pnm_allocrow
ERROR pnm.c L213: read

Any ideas?

Thanks, Devin

On Aug 15, 2006, at 4:03 PM, [EMAIL PROTECTED] wrote:

Chris, I am in the process of installing and testing FuzzyOcr, but i am having some issues with netpbm. I installed netpbm via yum and have version netpbm-10.25-2.EL4.2 installed now. the problem is that giftopnm, jpegtopnm, and pngtopnm are nowhere to be found on the system. any suggestions? I'm on RHEL 4.1 Thanks, Devin
Re: about value of max-children
From: Halid Faith [EMAIL PROTECTED]

Hello I use spamassassin as test. My mail server handles mails about 200 K in a day. What should I set value of the --max-children num in spamd ? I think the -m value is 5 as default. When I type perl -MSocket -e'print SOMAXCONN' I see 128 on display.

Past several you probably won't see any speedup. Several may be as low as two and as high as your memory will support if DNS tests are slow for you. You can fine tune this by slowly increasing the -m value until you see the machine start using swap space. Back off 10% to 20% for a safety value and go with that if nothing else will be using the machine.

{^_^}
Re: Rule for non-DK-signed mail from yahoo
Thank you all for the feedback. FWIW, I've seen a few mails that had multiple DK signatures, apparently as the result of going through a DK signed mailing list when the original message had also been signed. yeah, I think if the list re-signs the message, that's ok, because it then doesn't matter if the internal signature fails (there being no need to check that). That may be a DKIM interpretation btw. That should not be a problem - if the message is re-signed, and the resigner inserts his own Sender header field as it is supposed to do, outer DK and DKIM signatures will succeed and the rule will not fire thanks to !DK_VERIFIED. DK verification may fail if the mail goes through mailing lists. ah. Here's another one that just occurred to me -- (c): if you're keying off the From: header, watch out for mailing list traffic that appends a footer to the body. That will cause a verification failure, and fire the rule. Bear in mind the list/forwarding issue I also noted; most list installs don't re-sign mails, so an additional exemption for messages that contain List-Id might be worthwhile. mass-check should give a good idea, anyway. Some (most?) mailing lists are indeed problematic, so the rule should not fire if it looks like the message was passed through a mailing list. I'm glad that this ML seems to do pretty well in avoiding breaking of original signatures. 
(and the postfix-users ML for DKIM, but not for DK, because it appends a Sender:)

This is what I have now:

  header   __L_ML0           Precedence =~ /\b(list|bulk)\b/i
  header   __L_ML1           exists:List-Id
  header   __L_ML2           exists:List-Post
  header   __L_ML3           exists:Mailing-List
  header   __L_HAS_SENDER    exists:Sender
  meta     __L_VIA_ML        __L_ML0 || __L_ML1 || __L_ML2 || __L_ML3 || __L_HAS_SENDER
  header   __L_FROM_YAHOO    From:addr =~ /@yahoo\.com$/i
  header   __L_FROM_GMAIL    From:addr =~ /@gmail\.com$/i
  meta     UNVERIFIED_YAHOO  __L_FROM_YAHOO && !__L_VIA_ML && !DK_VERIFIED
  priority UNVERIFIED_YAHOO  500
  score    UNVERIFIED_YAHOO  2.5
  meta     UNVERIFIED_GMAIL  __L_FROM_GMAIL && !__L_VIA_ML && !DK_VERIFIED
  priority UNVERIFIED_GMAIL  500
  score    UNVERIFIED_GMAIL  2.5

Checking the last 12 hours of the log, I found two false positives, one was a yahoo user with a regular yahoo account, who posted directly through his home ISP's mailer (not through yahoo), but provided his yahoo From address. The other was a forwarding through a gmail account, which did not (re)sign the message. Seems pretty good - and 2.5 score points is not too bad for an otherwise healthy message.

OK -- someone who would know, tells me: Pretty much all user-generated mail From: yahoo-owned domains is [now] signed, but that's not intended as a statement of spam/non-spam.

Certainly not, but either way, we can be certain that the message came from the signing domain it claims to be, which makes it easier to apply other rules like blacklisting etc, if mail happens to be spam.

Which is why I'd suggest something like:

  # give some incentive for people to start signing their mail:
  score DKIM_VERIFIED -1.5
  score DK_VERIFIED   -1.0

SpamAssassin has some merit and influence on the population, so it may just as well be setting some trends. If spammers start signing their mail, so much the better.

Mark
Re: FuzzyOCR install issues
Well, I finally got everything working after realizing that there is a RHEL4 package called netpbm-progs. So, i deleted everything i installed from source, and installed all of the rpms instead. No more errors. oddly enough, I only find 2 spam words in the sample jpeg mail, as opposed to 4 in your README file. Question: there is the focr_autodisable_score parameter to skip FuzzyOcr if there are already enough points. The problem is that FuzzyOcr runs very early in the chain, and hence this feature is unusable. How can I tell SA to run FuzzyOcr later or last? Thanks, Devin
Honest Phisher
Now here's an honest phisher:

Subject: =?utf-8?Q?[PHISHING]: Important Information About Your Fifth Third Bank Account [Tue, 15 Aug 2006 18:25:54 +0180]?=

--
Chris
18:47:44 up 16 days, 16 min, 1 user, load average: 0.23, 0.30, 0.27
~~ There is never time to do it right, but always time to do it over -- Murphy's Laws of Computation n°4 ~~
Re: FuzzyOCR error on processing gif sample file
On Tue, 15 Aug 2006, decoder wrote:

Rob Mangiafico wrote:

On Tue, 15 Aug 2006, decoder wrote:

Rob Mangiafico wrote:

Downloaded and installed the latest FuzzyOCR 2.1c Ran the tests and the jpg and png ones worked fine, but for the gif sample I received:

spamassassin -t ocr-gif.eml
giftopnm: error reading magic number (null): EOF / read error reading magic number
Broken pipe

Your netpbm seems very old, I am using 10.34. This could be the cause, try the newest version, though I can't guarantee that this is the cause. If that doesn't work, try saving the gif image from the ocr-gif.eml sample and run the commands manually over the file to see which step fails.

Thanks. I removed the RHEL rpm for netpbm, installed 10.26 from source (10.34 did not like RHEL 3 OS it seems) but still have issues with the gif file. If anyone has a working system for RHEL 3 (centOS 3) and the new OCR plugin, please post how you got it working. Thanks, and thanks for a great plugin.

Rob
RE: Rule for non-DK-signed mail from yahoo
-----Original Message-----
From: Mark Martinec [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 15, 2006 7:38 PM
To: users@spamassassin.apache.org
Subject: Re: Rule for non-DK-signed mail from yahoo

This is what I have now:

I get this on a lint with SA 3.13: Does it need escape in front of '@'?

[38743] warn: Possible unintended interpolation of @gmail in string at /usr/local/etc/mail/spamassassin/99_dk_signs.cf, rule __L_FROM_GMAIL, line 1.
[38743] warn: Possible unintended interpolation of @yahoo in string at /usr/local/etc/mail/spamassassin/99_dk_signs.cf, rule __L_FROM_YAHOO, line 1.
[38743] warn: rules: failed to run header tests, skipping some: Global symbol @gmail requires explicit package name at /usr/local/etc/mail/spamassassin/99_dk_signs.cf, rule __L_FROM_GMAIL, line 1.
[38743] warn: Global symbol @yahoo requires explicit package name at /usr/local/etc/mail/spamassassin/99_dk_signs.cf, rule __L_FROM_YAHOO, line 1.
[38743] warn: lint: 2 issues detected, please rerun with debug enabled for more information
Re: Rule for non-DK-signed mail from yahoo
On Wed, 2006-08-16 at 01:37 +0200, Mark Martinec wrote: header __L_FROM_YAHOO From:addr =~ /@yahoo\.com$/i header __L_FROM_GMAIL From:addr =~ /@gmail\.com$/i You should escape the @ signs in the expression: /[EMAIL PROTECTED]/i Chris
Re: Rule for non-DK-signed mail from yahoo
On Wednesday August 16 2006 01:47, Chris Stone wrote: On Wed, 2006-08-16 at 01:37 +0200, Mark Martinec wrote: header __L_FROM_YAHOO From:addr =~ /@yahoo\.com$/i header __L_FROM_GMAIL From:addr =~ /@gmail\.com$/i You should escape the @ signs in the expression: /[EMAIL PROTECTED]/i Yes, just found out the minute after I posted, last minute typo.
Re: .GIF images without .gif in filename and empty messages
On Tue, 15 Aug 2006, Craig Baird wrote:

[snip..]

The other type of spam I'm seeing are empty messages. They have a single word for a subject, but nothing in the body. About a year ago, I was getting flooded with these, and I solved the problem by using the SARE_HTML_NO_BODY rule from 70_sare_html4.cf. However, this rule does not seem to hit on this recent crop of empty messages. I have no idea why. Is anyone else seeing these, and more importantly, does anyone have a rule for them?

I've been seeing floods of these critters recently, I assume that it's some ratware misfire. Here's what works for me:

  # must use 'rawbody' as 'body' also includes Subject: header text
  # see if message rawbody contains at least -one- non-blank character
  rawbody  __MSG_RAW_EXISTS  /\S/
  # Nope, declare the message to be missing the body
  meta     L_MISSING_BODY    ! __MSG_RAW_EXISTS
  describe L_MISSING_BODY    Message body empty
  score    L_MISSING_BODY    0.5
  # if they didn't give us a message body and are from a bad place, hit them
  # hard.
  #
  meta     L_MISSING_BODY2   ( L_MISSING_BODY && ( RCVD_IN_MAPS_DUL || L_RCVD_IN_XBL || L_RCVD_IN_DBFBL || RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_SORBS || RCVD_IN_NJABL || RCVD_IN_NJABL_DIALUP || L_RCVD_IN_CBL || NO_DNS_FOR_FROM ))
  score    L_MISSING_BODY2   3.0

--
Dave Funk                                 University of Iowa
dbfunk (at) engineering.uiowa.edu         College of Engineering
319/335-5751   FAX: 319/384-0549          1256 Seamans Center
Sys_admin/Postmaster/cell_admin           Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
SPF checks on internal relays (attn: Halid Faith [EMAIL PROTECTED])
It looks like ihlas.net.tr is running SPF checks on mail relays within their local network. This is a bad idea, since this will cause most if not all SPF checks performed on internal relays to fail, as nobody else can be assumed to have your mail gateway in their SPF list...

On 15 Aug 2006 [EMAIL PROTECTED] wrote:

Date: 15 Aug 2006 18:31:29 -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: failure notice

Hi. This is the qmail-send program at mailhub.ihlas.net.tr. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out.

[EMAIL PROTECTED]: 213.238.128.223 does not like recipient. Remote host said: 550 See http://spf.pobox.com/why.html?sender=jhardin%40impsec.org&ip=213.238.128.250&receiver=0 (#5.7.1) Giving up on 213.238.128.223.

ihlas.net.tr.          153360 IN MX 5 mailhub.ihlas.net.tr.
mailhub.ihlas.net.tr.  10043  IN A    213.238.128.250

world -> mailhub.ihlas.net.tr (SPF passes) -> 213.238.128.223 (SPF fails)

I tried mailing this to [EMAIL PROTECTED] but it bounced with a no such user, so I'm forced to broadcast this to the list. Sorry.

--
John Hardin
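The relay layout in the message above, as an added example that is not part of the original post: an inner host should evaluate SPF against the address that delivered to the site's border relay, not against the border relay itself. The sender domain, its SPF record and the external addresses are constructed, the evaluator handles only ip4 and all, and treating 213.238.128.250 as the sole internal relay is an assumption.

```python
import ipaddress

# The gateway address from the bounce above, treated as the only internal
# relay (assumption made for this example).
INTERNAL_RELAYS = [ipaddress.ip_network("213.238.128.250/32")]

# Constructed SPF policy for a constructed sender domain.
SPF_RECORDS = {"sender.example": "v=spf1 ip4:192.0.2.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip):
    """Minimal SPF evaluator: ip4 mechanisms and 'all' only, no DNS."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RELAYS)


def border_client_ip(hops):
    """Return the first client address that is not one of our own relays.

    hops is ordered newest first: the host that connected to us, then the
    host that connected to it, and so on. Only hops recorded by our own
    relays can be trusted, so the walk stops at the first external address.
    """
    for ip in hops:
        if not is_internal(ip):
            return ip
    return None


def spf_on_inner_host(domain, hops):
    """SPF decision for a host that sits behind the border relay."""
    client = border_client_ip(hops)
    if client is None:
        return "skipped"  # mail never left the internal network
    return evaluate_spf(domain, client)


if __name__ == "__main__":
    hops = ["213.238.128.250", "192.0.2.25"]  # gateway, then constructed sender MTA
    print("checked against gateway:", evaluate_spf("sender.example", hops[0]))
    print("checked against border client:", spf_on_inner_host("sender.example", hops))
```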
Performance of MySQL vs. Filesystem
Dear list, I was thinking about switching our SAs from config files to MySQL. Now I am wondering if there are any advantages in SAs performance when using MySQL. Does anyone of you have any information on that? Thank you very much in advance, Stefan