Re: How can I (we) get rid of this?
jdow skrev:
> From: Anders Norrbring [EMAIL PROTECTED]
>> Stuart Johnston skrev:
>>> Anders Norrbring wrote:
>>>> Hiya all! I'm getting really sick of receiving 10-100 of the attached mails every day. Any suggestions on how to get rid of them? Apparently my Amavis-new and SpamAssassin only tag them from 0 to 1.6 points.
>>>
>>> FuzzyOCR, ImageInfo, SARE, sa-update.
>>
>> I haven't looked at FuzzyOCR or ImageInfo at all, are they compatible with SA 2.64?
>
> The world is not compatible with 2.64. Update if at ALL possible. (Note the special issues that may exist with bayes files.)
> {o.o}

I've noticed.. :)

I had been hoping I'd be able to put together a completely new mail server for quite some time, but haven't been able to find the time needed. As long as the running one is working, I prefer not to mess too much with it. I'll look into the SA upgrade though.

Thanks for all answers!

-- 
Anders Norrbring
Norrbring Consulting
Re: animated GIF spam
At 10:26 PM 8/21/2006 -0700, John Rudd wrote:
> I also heard that interlaced gif spam is appearing now.

Yes, I saw that post, however there wasn't a publicly available sample. Any such would be much appreciated.

> It'd be interesting to see how to counter them.

Should be easy. One approach is pixel density. What I've been doing is reading JUST enough of the header to calculate the area (just like Dallas' excellent ImageInfo plugin), then dividing by the total raw file size of just the image (i.e. what one gets after base64 decoding just the GIF part), less the size of the obvious parts of the header. Works well, and is blindingly fast.

Ham generally has a much LOWER density, because it's typically clipart, whereas spam is generally text, which compresses extremely well, resulting in a much HIGHER density.

It's not foolproof, so I use a sliding scale, and have had only one FP this month (from an idiot (redundant) recruiter to one of my testers - the PNG misfiring was only half the points required to reject, and the able idiot managed to do several other things rare in Ham).

The beauty is that the spammer can easily foil this by lowering the density by adding more complexity, which increases the file size, so more bandwidth is consumed. :)

Some stock spams do use a fancier font which scores lower, so I'm still considering other types of analysis as a backup.

Specifically to address animated GIFs, it would be very easy to walk the raw image, calculating each frame's pixel density, simply ignoring the obvious chaff frames. Tomorrow, I'll write some code to decompose the frames and see what sort of numbers I get.

> For interlaced ... I have no idea. Depends a lot on how the interlaced images are stored, I guess.

Yes, exactly. Until there's samples, I'm not going to worry about it.

What we also need is a diverse Ham GIF corpus. Does anyone know of one?

- Chip

P.S. Dallas: it never occurred to me to _JUST_ score the area. My pixel density approach fails on multi-GIFs, so you saved my bacon there. ;)
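Chip's header-only area/size check and the per-frame walk for animated GIFs, as an added Python example (not Chip's code, and not the ImageInfo or FuzzyOCR plugins); the GIF bytes are built inside the block, and the 200 px/byte cut-off used to drop near-blank chaff frames is an assumed value.

```python
import struct


def _walk_sub_blocks(data: bytes, pos: int):
    """Follow a chain of GIF data sub-blocks (length byte + payload) from pos.
    Returns (position after the 0x00 terminator, total payload bytes)."""
    total = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos, total
        total += n
        pos += n


def _colour_table_size(packed: int) -> int:
    """Bytes taken by a colour table, if bit 7 of the packed field says one follows."""
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0


def gif_info(data: bytes) -> dict:
    """Read just enough of the GIF to get the logical screen size (what ImageInfo
    scores) and, per image frame, its pixel area and its compressed byte count."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13 + _colour_table_size(packed)          # header + LSD + global colour table
    frames = []
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                            # trailer
            break
        if block == 0x21:                            # extension: label byte, then sub-blocks
            pos, _ = _walk_sub_blocks(data, pos + 2)
        elif block == 0x2C:                          # image descriptor
            _left, _top, w, h, fpacked = struct.unpack_from("<HHHHB", data, pos + 1)
            pos += 10 + _colour_table_size(fpacked) + 1   # descriptor, local table, LZW min code size
            pos, nbytes = _walk_sub_blocks(data, pos)
            frames.append({"width": w, "height": h, "data_bytes": nbytes,
                           "density": (w * h) / nbytes if nbytes else float("inf")})
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos))
    return {"screen": (width, height), "frames": frames}


def effective_density(frames, blank_threshold: float = 200.0):
    """Pixels per compressed byte of the busiest real frame. A near-blank chaff
    frame compresses to almost nothing and so has an absurdly high density;
    anything above blank_threshold (assumed value) is treated as chaff and ignored."""
    real = [f["density"] for f in frames if f["density"] <= blank_threshold]
    return max(real) if real else None


def _sub_blocks(payload: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(payload), 255):
        chunk = payload[i:i + 255]
        out.append(len(chunk))
        out += chunk
    out.append(0)
    return bytes(out)


def build_sample_gif(frame_payloads, width=300, height=100) -> bytes:
    """Constructed test input: a structurally valid GIF89a (2-colour global table,
    NETSCAPE loop extension, a graphic control extension per frame) whose frame
    payloads are dummy bytes rather than real LZW data; only the block layout matters."""
    gif = bytearray(b"GIF89a")
    gif += struct.pack("<HHBBB", width, height, 0x80, 0, 0)   # global table present, 2 entries
    gif += b"\x00\x00\x00\xff\xff\xff"
    gif += b"\x21\xff\x0bNETSCAPE2.0\x03\x01\x00\x00\x00"
    for payload in frame_payloads:
        gif += b"\x21\xf9\x04\x00\x0a\x00\x00\x00"
        gif += b"\x2c" + struct.pack("<HHHHB", 0, 0, width, height, 0)
        gif += b"\x02" + _sub_blocks(payload)
    gif += b"\x3b"
    return bytes(gif)


if __name__ == "__main__":
    # two near-blank chaff frames followed by the payload frame
    sample = build_sample_gif([b"\x00" * 40, b"\x00" * 40, b"\x01" * 3000])
    info = gif_info(sample)
    for i, f in enumerate(info["frames"]):
        print("frame %d: %dx%d, %d bytes, %.1f px/byte"
              % (i, f["width"], f["height"], f["data_bytes"], f["density"]))
    print("effective density:", effective_density(info["frames"]))
```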
Re: [Sare-users] (no subject)
SysAdmin wrote:
> I wrote the following rule in an attempt to catch these but I've obviously made some error. Can someone give me a little guidance as to where I went awry?
>
>     rawbody SWF_r_AMPGFX1 /\.(com|net)/\w+/\?90\amp/i

The forward slashes need to be escaped as well.

Regards,
Andreas
Re: Formatting plugin report
John D. Hardin wrote:
> Coders (if any): Can anybody point me at a code sample showing how to get details into the report SUMMARY tag from within a plugin? Like the [IP address etc.] in this:
>
>     * 1.0 RBL_PSBL_01 RBL: Mail client listed by psbl.surriel.com
>     *      [64.8.111.2 listed in psbl.surriel.com]
>
> I can't seem to figure it out.

I took a casual glance at the code, it seems to be related to the test_log subroutine, which populates test_log_msgs, that later gets added to the REPORT and SUMMARY.
Re: [Sare-users] (no subject)
Andreas Pettersson wrote:
> SysAdmin wrote:
>> I wrote the following rule in an attempt to catch these but I've obviously made some error. Can someone give me a little guidance as to where I went awry?
>>
>>     rawbody SWF_r_AMPGFX1 /\.(com|net)/\w+/\?90\amp/i
>
> The forward slashes need to be escaped as well.
>
> Regards,
> Andreas

Sorry, this went to the wrong list..

Regards,
Andreas
Re: animated GIF spam
John Rudd wrote:
> On Aug 21, 2006, at 10:13 PM, Chip M. wrote:
>> While skimming thru my daily rejected spam pile, did a double take when a GIF spam seemed to blink at me. Thought it was a sw glitch at first... then realized the sneaky Borg had adapted again.
>>
>> Took a look at the frames in PaintShopPro's AnimationShop, and the first three are all but blank (wee bit of noise), followed by the payload.
>>
>> Below are links to the raw message, and the extracted GIF:
>> http://Puffin.net/software/spam/samples/0001a_animated_gif.eml
>> http://Puffin.net/software/spam/samples/0001b_been.gif
>>
>> Decoder/Chris, I'd view this as a compliment to your FuzzyOCR. ;)

I'll implement that in the next release :) thx :D

>> The good news is that ImageInfo should have no problem with this particular instance, as the initial width x height are correct.
>>
>> Time to recalibrate those phaser frequencies! :)
>> - Chip
>
> I also heard that interlaced gif spam is appearing now.

This will be supported then, too. Not a big deal:)

> It'd be interesting to see how to counter them.
>
> For animated, is there a clean break between frames of animation, something that netpbm or whatever can easily identify and break out into individual images? It would be CPU intensive, but the right way to fight it might be to run the FuzzyOCR on each frame. And/or have a setting for maximum frames to process, and if the GIF goes over that number of frames, give it a huge spam score. Or add this score per frame, so that the number of frames increases the spam score directly, and automatically bail out if they cross a certain threshold (score from number of animation frames alone = 20, then just return 20 ... or something; which saves you on processing the frames themselves).

Sounds good :) But there might be a better way... but I'm not sure atm, got to read up on it in the netpbm manual first:)

> For interlaced ... I have no idea. Depends a lot on how the interlaced images are stored, I guess.
>
> And whether or not netpbm can generate the final image for processing, instead of having to work on the interlaced data.

Chris
RE: Running on Debian stable
Hi Gary,

On Sun, 20 Aug 2006, Gary V wrote:
> installs an initscript, so there are advantages. Mixing both methods is often a bad thing however.

Ok, I'll definitely refrain from doing that.

> Are you using DCC/Razor2/Pyzor? Are they (along with other network based tests) working? What rules are hitting when you get something you think should have been marked as spam, but isn't? Are you hitting rules like ALL_TRUSTED when you should not be? Maybe you should post examples of local.cf and user_prefs.
> ...
> To see if anything is going on as far as net tests go, you can break out debugging info and try stuff like:
>
>     spamassassin --lint --debug area=1,dns
>
> Here you would want to see:
>
>     dbg: dns: is Net::DNS::Resolver available? yes
>
>     spamassassin --lint --debug area=1,uri
>     spamassassin --lint --debug area=1,razor2
>     spamassassin --lint --debug area=1,dcc
>     spamassassin --lint --debug area=1,pyzor

Thank you for these suggestions. I found out that several of these were either not installed or disabled. Since turning them on (and waiting a day or so for more spam to come in...first time in my life I wanted more spam!), I've noticed that razor2 contributes much to the score. So far, I haven't had a spam missed. My spam is sent to a folder and as for the score, I've set it to 5.0, which seems ok. I actually think the default score of 5.0 is too low based on its current settings (i.e., with razor2, etc. turned off). With them turned on, 5.0 seems just right.

Thank you for your help! It seems to be running fine on my Debian machine now. The D key was starting to break after hitting it so much every day! :)

Ray
SA settings
Hi all,

Not pertaining to Debian (I think)... I was wondering in what order SA's settings are read in. Is this correct:

1) /etc/spamassassin/init.pre
2) /etc/spamassassin/local.cf
3) /usr/share/spamassassin/*.cf
4) ~/.spamassassin/user_prefs

I also have a v310.pre and a v312.pre in /etc/spamassassin/. As I am running v3.1.3, can I assume they are backups of init.pre?

I suppose if I change #1-#3, I have to restart the daemon, but not #4? I read in the FAQ that changes to #4 are not read by the SA daemon unless allow_user_rules is turned on. As the root user of a single-user system, should I turn it on (what is the reason for turning it off other than potentially slowing down the system; is there a security reason?) or should I move everything to #2? The only thing important in user_prefs is:

    # Speakers of Asian languages, like Chinese, Japanese and Korean, will almost
    # definitely want to uncomment the following lines. They will switch off some
    # rules that detect 8-bit characters, which commonly trigger on mails using CJK
    # character sets, or that assume a western-style charset is in use.
    #
    #score HTML_COMMENT_8BITS 0
    score UPPERCASE_25_50 0
    score UPPERCASE_50_75 0
    score UPPERCASE_75_100 0
    score OBSCURED_EMAIL 0

which I honestly don't know what it means... :)

Ray
Patch against segfaulting gocr
Hi

I've been struggling with gocr segfaulting or throwing floating point exceptions on some pictures lately in FuzzyOcr. Then I remembered a patch suggested a long time ago for the Ocr Plugin. Installed it, and all the pictures in question that previously crashed one or the other gocr version I had work now...

Maybe that helps some of you with broken pipes (because of gocr) and stuff:

http://antispam.imp.ch/patches/patch-gocr-segfault

Enjoy :)
Matt
Is anyone else seeing these?
Is anyone else seeing this sort of spam? It consists of a short message and always has a URL in it that ends with the string '/sk/'. The URL points to a web site advertising human growth hormone and testosterone treatment. These spams aren't firing on enough rules to be tagged by SpamAssassin. The URL changes often enough that the URIBL plugin doesn't catch a lot of them. Has anyone had more luck than me at stopping these emails?

Andrew

> just wanted to see if you were still dreaming the notion of getting toned? I so want to be, that is why i am so joyous i chanced upon http://www.dontimesogooder.org/sk/ It was best decisevely having someone to support me out. to examine it, I found career that it was of the beasts rain again closing visit religious conviction, as much
Re: How can I (we) get rid of this?
In article [EMAIL PROTECTED], DAve [EMAIL PROTECTED] writes
> I really don't want to install X on my mailgateways. It would have to be as good as URIBL and SURBL before I would consider that. Is there a way around the dependencies? The FreeBSD port shows the following, xorg-libraries-6.9.0, ghostscript-gnu-7.07_15, teTeX-3.0_1, tcl-8.4.13_1 (TCL?), and all their dependencies. Plus a lot more.

    # cd /usr/ports/print/teTeX
    # make -DWITHOUT_X11 install clean
    # cd /usr/ports/graphics/gocr
    # make -DWITHOUT_X11 install clean

No promises but I suspect that should install it without the unneeded X stuff :-)

Kevin
Re: How can I (we) get rid of this?
On Tue, 22 Aug 2006, Kevin Golding wrote:
> In article [EMAIL PROTECTED], DAve [EMAIL PROTECTED] writes
>> I really don't want to install X on my mailgateways. It would have to be as good as URIBL and SURBL before I would consider that. Is there a way around the dependencies? The FreeBSD port shows the following, xorg-libraries-6.9.0, ghostscript-gnu-7.07_15, teTeX-3.0_1, tcl-8.4.13_1 (TCL?), and all their dependencies. Plus a lot more.
>
>     # cd /usr/ports/print/teTeX
>     # make -DWITHOUT_X11 install clean
>     # cd /usr/ports/graphics/gocr
>     # make -DWITHOUT_X11 install clean
>
> No promises but I suspect that should install it without the unneeded X stuff :-)
>
> Kevin

That would be correct. You can also use 'WITHOUT_X11=yes' instead of '-DWITHOUT_X11' as well (of course without the single quotes).

-- 
This message was sent using 100% recycled electrons.
Re: Enumerating the robots?
DAve writes:
> jdow wrote:
>> From: DAve [EMAIL PROTECTED]
>>> Loren Wilton wrote:
>>>> It was mentioned that several people are getting hammered by world-wide robot attacks. I see from the little spam I get that there is a new spam sending tool for robots that is running a stock spam. I suspect the traffic is a combination of distributing the new spam tool and sending out the new spam.
>>>>
>>>> With all this traffic from robots, lots of people here must be getting quite a lot of information in their logs about connections from robots. I wonder if there would be value in a central database that attempts to enumerate the robots?
>>>>
>>>> Most of them are probably on dynamic ip. But if the sending IP and attempted connect time could be logged at many sites and combined, there would be fairly conclusive evidence that a given IP had been sending spam at a particular time. Perhaps that could be submitted to at least some of the more responsible service providers, and they could do something to track it back to a customer and send them an email that their machine is infected. (Or possibly be even more proactive, I suppose.)
>>>>
>>>> The database might also be usable in front door spam blocking. Most people probably shouldn't be accepting direct connections from dynamic ips on someone else's network, especially if that ip has a recent history of sending spam (say in the last 6 hours or so). It might be possible to make a server that could provide yes/no answers on whether the IP has sent spam in the last minute/hour/6 hours/day or so.
>>>>
>>>> I'd think that such a database could be built almost automatically. For instance, if you log the IPs of connection attempts that you reject for various problems, you could just harvest those IPs once an hour or so to some central site, no human judgement calls required. If the mail is accepted and gets a high SA score, and you can still determine the sending IP, then that might be automatically harvested also.
>>>>
>>>> Thoughts? Does something like this have any value?
>>>>
>>>> Loren
>>>
>>> Something like http://dhsield.org, but limited to email instead of all ports?
>>
>> Don't know. (Not going to click on THAT link. It looks like it might lead to a typo squatter potentially with malware. {^_-}) But I suspect the answer is yes.
>
> Hmmm, dsheild, dhsield, dshield, six of one half dozen of the other ;^)

Anyway, it certainly would have value -- that's one of the input methods used to populate many of the DNSBLs.

--j.
SA-LEARN Question
Hi,

We have over 100 domains on a server, all of which are getting junk mail. SA 3.1.4 installed, but I don't think it's properly trained yet (even though I did upgrade from an earlier version).

If I set up a [EMAIL PROTECTED] address and tell all my customers to forward the junk mail they get to that address, then run sa-learn on that mailbox, will that help, or, will it train SA that the users that forwarded the junk ARE the spammers and start to assign higher scores to legitimate customers?
Re: SA-LEARN Question
Christopher Mills wrote:
> Hi,
>
> We have over 100 domains on a server, all of which are getting junk mail. SA 3.1.4 installed, but I don't think it's properly trained yet (even though I did upgrade from an earlier version).
>
> If I set up a [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] address and tell all my customers to forward the junk mail they get to that address, then run sa-learn on that mailbox, will that help, or, will it train SA that the users that forwarded the junk ARE the spammers and start to assign higher scores to legitimate customers?

If you forward the emails, this process will not work. You must either forward it as an attachment and then strip the attachment and run sa-learn on that or use some other method which preserves the original headers. How you do this depends largely on your setup.

-Jim
RE: SA settings
Raymond Wan wrote:
> Not pertaining to Debian (I think)... I was wondering in what order SA's settings are read in. Is this correct:
>
> 1) /etc/spamassassin/init.pre
> 2) /etc/spamassassin/local.cf
> 3) /usr/share/spamassassin/*.cf
> 4) ~/.spamassassin/user_prefs

Not quite. I believe the order is this:

1) /etc/spamassassin/*.pre
2a) /var/lib/spamassassin/3.001003/updates_spamassassin_org/*.cf (if the directory exists)
2b) /usr/share/spamassassin/*.cf (if the previous directory doesn't exist)
3) /etc/spamassassin/*.cf
4) ~/.spamassassin/user_prefs

Note that only one of 2a and 2b will be read, never both. If you have run sa-update and created the updates directory, it will be used. Otherwise, the original rules directory will be used.

> I also have a v310.pre and a v312.pre in /etc/spamassassin/. As I am running v3.1.3, can I assume they are backups of init.pre?

Nope, they are all different. v310.pre has plugin lines that were added in SA 3.1.0. v312.pre has plugin lines that were added in v3.1.2. They are all read and used by SA.

> I suppose if I change #1-#3, I have to restart the daemon, but not #4?

Correct. The user_prefs files are read each time an email comes through for that user.

> I read in the FAQ that changes to #4 are not read by the SA daemon unless allow_user_rules is turned on. As the root user of a single-user system, should I turn it on (what is the reason for turning it off other than potentially slowing down the system; is there a security reason?) or should I move everything to #2?

The user_prefs file is always read for configuration changes. allow_user_rules simply allows the users to create custom rules as well as making simple changes. The main reasons to leave user rules off are that they slow down the system and give the possibility of users writing bad rules. Everything possible should be in local.cf (or another cf file in that directory). The only thing that should be in user_prefs are settings that only apply to that one user.

> The only thing important in user_prefs is:
>
>     # Speakers of Asian languages, like Chinese, Japanese and Korean, will almost
>     # definitely want to uncomment the following lines. They will switch off some
>     # rules that detect 8-bit characters, which commonly trigger on mails using CJK
>     # character sets, or that assume a western-style charset is in use.
>     #
>     #score HTML_COMMENT_8BITS 0
>     score UPPERCASE_25_50 0
>     score UPPERCASE_50_75 0
>     score UPPERCASE_75_100 0
>     score OBSCURED_EMAIL 0
>
> which I honestly don't know what it means... :)

Scores for rules can be changed in user_prefs without enabling user rules. Setting the score to 0 disables the rule. This allows users to disable or lower the score of rules that they don't like. In this case, these are rules that commonly trigger on Asian language emails. So people who expect to see ham messages in those languages should uncomment those score lines to disable the tests.

-- 
Bowie
RE: SA-LEARN Question
Christopher Mills wrote:
> Hi,
>
> We have over 100 domains on a server, all of which are getting junk mail. SA 3.1.4 installed, but I don't think it's properly trained yet (even though I did upgrade from an earlier version).
>
> If I set up a [EMAIL PROTECTED] address and tell all my customers to forward the junk mail they get to that address, then run sa-learn on that mailbox, will that help, or, will it train SA that the users that forwarded the junk ARE the spammers and start to assign higher scores to legitimate customers?

No, SA will learn that messages forwarded from your users are spam. As someone else pointed out, you need to find a method that preserves the original headers of the message. Forwarding the spam as an attachment and then stripping it out or copying it to a shared imap folder are two of the more common options.

-- 
Bowie
Re: SA-LEARN Question
Jim Maul wrote:
> Christopher Mills wrote:
>> Hi,
>>
>> We have over 100 domains on a server, all of which are getting junk mail. SA 3.1.4 installed, but I don't think it's properly trained yet (even though I did upgrade from an earlier version).
>>
>> If I set up a [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] address and tell all my customers to forward the junk mail they get to that address, then run sa-learn on that mailbox, will that help, or, will it train SA that the users that forwarded the junk ARE the spammers and start to assign higher scores to legitimate customers?
>
> If you forward the emails, this process will not work. You must either forward it as an attachment and then strip the attachment and run sa-learn on that or use some other method which preserves the original headers. How you do this depends largely on your setup.

Here's a link describing how I use maildrop to deliver emails to special maildirs for processing by sa-learn.

http://www.arda.homeunix.net/spamassassin.html#bayesian

Andrew
Re: Feeding bayes outbounds
Well, that was part of my reason for doing it. My bayes is seriously skewed for the spam side, something like 4 to 1. The problem is I'm getting about 90% spam coming in, so it's difficult enough finding legitimate mail to feed it. I wasn't talking about feeding strictly outbounds, but using them as an additional source of ham.

On 8/21/2006 at 6:20 PM, jdow [EMAIL PROTECTED] wrote:
> From: Joe Zitnik [EMAIL PROTECTED]
>> Our scanning program has the ability to archive all e-mail, both inbound and outbound, which we have been doing for months now. Given that your outbound mail is almost certainly ham, the majority of its content is going to be specific to our business sector, wouldn't feeding outbounds through bayes manually be a win win situation? Am I oversimplifying things, or am I missing something with that logic?
>
> If the terms in the outbound mail are likely to be the same as acceptable terms on the inbound mail that may be true. If your outbound mail you have captured is not all pure business it might reduce the Bayes accuracy somewhat. It might introduce a huge mismatch between ham and spam, also. And it might introduce potential issues with email privacy on the outgoing emails if you save them for a mass feed.
> {^_^}
Broken abuse auto-responders
Well, I have the following issue. When I report abuse to [EMAIL PROTECTED], they send me back an auto-generated email ticket with a broken Date: on it (honestly, people, how hard is it to correctly format the date???). They do this as for the sending address. How does one go about writing a whitelist_rcvd_from line for the empty address?

    Aug 22 07:49:28 mail mimedefang.pl[458]: helo: dns-mx.noc.verio.net (129.250.49.11) said helo dns-mx.noc.verio.net
    Aug 22 07:49:28 mail mimedefang.pl[458]: helo: whitelist dns-mx.noc.verio.net (129.250.49.11)
    Aug 22 07:49:33 mail sendmail[472]: k7MDnN3u000472: from=, size=2062, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA-v4, relay=dns-mx.noc.verio.net [129.250.49.11]
    Aug 22 07:49:34 mail mimedefang.pl[458]: k7MDnN3u000472: hits=5.164, req=5, names=AWL,INVALID_DATE,NO_REAL_NAME
    Aug 22 07:49:34 mail mimedefang.pl[458]: MDLOG,k7MDnN3u000472,spam,5.164,129.250.49.11,,[EMAIL PROTECTED],Re: [NTT-C2755649Z] Phishing from 161.58.27.23
    Aug 22 07:49:34 mail mimedefang.pl[458]: filter: k7MDnN3u000472: bounce=1 discard=1
    Aug 22 07:49:34 mail mimedefang[4220]: k7MDnN3u000472: Bouncing because filter instructed us to
    Aug 22 07:49:34 mail sendmail[472]: k7MDnN3u000472: Milter: data, reject=554 5.7.1 Message rejected; scored too high on the Spam test.
    Aug 22 07:49:34 mail sendmail[472]: k7MDnN3u000472: to=[EMAIL PROTECTED], delay=00:00:05, pri=32062, stat=Message rejected; scored too high on the Spam test.
Re: My Lint Output
On Tue, Aug 22, 2006 at 08:53:16AM -0500, Chris Mills (Chrysalis) wrote:
> [19782] warn: config: SpamAssassin failed to parse line, MY_DSL .85 is not valid for score, skipping: score MY_DSL .85
> [19782] warn: config: SpamAssassin failed to parse line, AOL_DSL .25 is not valid for score, skipping: score AOL_DSL .25
> [19782] warn: config: SpamAssassin failed to parse line, SARE_FROM_SPAM_WORD3 .75 is not valid for score, skipping: score SARE_FROM_SPAM_WORD3 .75
> [19782] warn: config: SpamAssassin failed to parse line, SALES_REPLY .43 is not valid for score, skipping: score SALES_REPLY .43

Scores need to have a leading zero if less than 1, ie 0.43 and not .43.

> [19782] warn: config: failed to parse line, skipping: use_dcc 1
> [19782] warn: config: failed to parse line, skipping: use_pyzor 1
> [19782] warn: config: failed to parse, now a plugin, skipping: ok_languages all
> [19782] warn: config: failed to parse line, skipping: use_auto_whitelist 1

These are all handled by plugins, so you need to enable them if you want to use the config options.

> [19782] warn: config: SpamAssassin failed to parse line, no value provided for score, skipping: score RCVD_IN_SORBS_DNSBL

A score needs to be on the score config line.

> [19782] warn: config: failed to parse line, skipping: auto_learn 1

auto_learn isn't a valid config option, perhaps you want bayes_auto_learn? 1 is the default btw, so there's no need to have this line.

> [19782] warn: config: warning: score set for non-existent rule SARE_FREE_WEBM_Kero
> [...]

You have a large number of score lines for rules that don't exist in your installation.

-- 
Randomly Generated Tagline:
Why are Chinese fortune cookies written in English?
Re: SA settings
On Tue, Aug 22, 2006 at 07:11:25PM +0900, Raymond Wan wrote:
> Not pertaining to Debian (I think)... I was wondering in what order SA's settings are read in. Is this correct:
>
> 1) /etc/spamassassin/init.pre
> 2) /etc/spamassassin/local.cf
> 3) /usr/share/spamassassin/*.cf
> 4) ~/.spamassassin/user_prefs

You could just read the spamassassin documentation which talks about all of this. :) But to answer your question, it'd be 1, 3, 2, 4.

> I also have a v310.pre and a v312.pre in /etc/spamassassin/. As I am running v3.1.3, can I assume they are backups of init.pre?
>
> I suppose if I change #1-#3, I have to restart the daemon, but not #4?

No, they aren't backups of init.pre, they're pre files that got added in 3.1.0 and 3.1.2. As for restarting, yes, that's correct.

> I read in the FAQ that changes to #4 are not read by the SA daemon unless allow_user_rules is turned on. As the root user of a single-user

Not exactly, user_prefs is read, but some config options aren't allowed in user_prefs such as creating rules, etc.

> system, should I turn it on (what is the reason for turning it off other than potentially slowing down the system; is there a security reason?) or should I move everything to #2?

If you don't need to enable it, don't enable it. The docs talk about this.

>     score UPPERCASE_25_50 0
>     score UPPERCASE_50_75 0
>     score UPPERCASE_75_100 0
>     score OBSCURED_EMAIL 0
>
> which I honestly don't know what it means... :)

Those rules are being disabled. Though if you don't know what it means, why do you have the lines in your personal config? ;)

-- 
Randomly Generated Tagline:
I had a cat once... It tasted like chicken.
Re: Enumerating the robots?
On Mon, 21 Aug 2006, Loren Wilton wrote:
> From: Loren Wilton [EMAIL PROTECTED]
> Resent-From: [EMAIL PROTECTED]
> To: SpamAssassin Users List users@spamassassin.apache.org
> Resent-To: [EMAIL PROTECTED]
> Date: Mon, 21 Aug 2006 01:09:37 -0700
> Resent-Date: Mon, 21 Aug 2006 09:11:20 +0100 (BST)
> Subject: Enumerating the robots?
> X-Spam-Score: -2.0 (--)
>
> It was mentioned that several people are getting hammered by world-wide robot attacks. I see from the little spam I get that there is a new spam sending tool for robots that is running a stock spam. I suspect the traffic is a combination of distributing the new spam tool and sending out the new spam.
>
> With all this traffic from robots, lots of people here must be getting quite a lot of information in their logs about connections from robots. I wonder if there would be value in a central database that attempts to enumerate the robots?

I reject a lot of connections using simple HELO tests etc. For example:

    2006-08-22 14:47:33 H=(138.38.32.20) [85.95.65.33] I=[138.38.32.20]:25 F=[EMAIL PROTECTED] rejected RCPT [EMAIL PROTECTED]: Imposters are persona non grata.

In this case the connecting IP [85.95.65.33] announced itself as the IP address [138.38.32.20] of the server to which it was connecting. The envelope sender [EMAIL PROTECTED] almost certainly means this was an attempt to send a phishing scam.

Other tricks used include connecting IPs announcing themselves as one of the email domains handled by the server to which they're connecting:

    2006-08-22 15:00:08 H=(bath.ac.uk) [201.217.19.209] I=[138.38.32.20]:25 F=[EMAIL PROTECTED] rejected RCPT [EMAIL PROTECTED]: Charlatan, how can you be bath.ac.uk ?

And there seems to be a lot of machines out there that think they're called friend.

I'm more than happy to reject stuff using such simple tests[1]. But placing the connecting IPs in a database is a different matter. You might wish to set standards for inclusion. My kill 'em all, let God decide attitude might not be acceptable to some.

[1] Many such hosts may well be in some of the RBLs I use. I don't know. These cheap tests are run before examining any of the RBLs I use.

-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101
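The three cheap HELO tests Dennis describes (HELO is the receiving server's own IP, HELO is one of its own domains, HELO is the bare word friend) applied to Exim reject lines of the shape quoted above, as an added Python example that is not Dennis's Exim configuration; the log lines are constructed on the pattern of the two above with placeholder addresses, and the domain list and the wording of the 'friend' rejection are assumptions.

```python
import re
from typing import Optional

# Shape of the Exim reject lines quoted above: H=(helo) [remote ip] I=[local ip]:port ...
# Assumes the connecting host had no reverse DNS, so Exim logs only the HELO in parentheses.
EXIM_RE = re.compile(
    r"H=\(?(?P<helo>[^\s()\[\]]+)\)?\s+\[(?P<remote>[\d.]+)\]\s+I=\[(?P<local>[\d.]+)\]:\d+"
)


def helo_verdict(helo: str, local_ip: str, local_domains) -> Optional[str]:
    """Pre-RBL HELO sanity test. Returns the rejection text for a HELO that claims
    to be the receiving server's own IP, one of the domains it hosts, or 'friend';
    None means fall through to the RBL and content checks."""
    name = helo.strip("[]").lower()      # "[138.38.32.20]" and "138.38.32.20" are the same claim
    if name == local_ip:
        return "Imposters are persona non grata."
    if name in {d.lower() for d in local_domains}:
        return "Charlatan, how can you be %s ?" % name
    if name == "friend":
        return "Nobody is really called friend."   # constructed wording for the third case
    return None


def classify_exim_line(line: str, local_domains) -> Optional[str]:
    """Apply helo_verdict to one Exim log line; the server's own IP comes from the I= field."""
    m = EXIM_RE.search(line)
    if not m:
        return None
    return helo_verdict(m["helo"], m["local"], local_domains)


# Constructed log lines modelled on the two quoted above (sender/recipient are placeholders).
SAMPLE_LOG = [
    "2006-08-22 14:47:33 H=(138.38.32.20) [85.95.65.33] I=[138.38.32.20]:25 "
    "F=<sender@example.net> rejected RCPT <user@bath.ac.uk>",
    "2006-08-22 15:00:08 H=(bath.ac.uk) [201.217.19.209] I=[138.38.32.20]:25 "
    "F=<sender@example.net> rejected RCPT <user@bath.ac.uk>",
    "2006-08-22 15:03:41 H=(friend) [192.0.2.77] I=[138.38.32.20]:25 "
    "F=<sender@example.net> rejected RCPT <user@bath.ac.uk>",
    # a plausible HELO that none of the cheap tests should touch
    "2006-08-22 15:05:12 H=(mail.example.org) [192.0.2.10] I=[138.38.32.20]:25 "
    "F=<sender@example.org> RCPT <user@bath.ac.uk>",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        verdict = classify_exim_line(line, ["bath.ac.uk"])
        print(verdict or "pass on to RBL/content checks", "<-", line[20:62])
```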
RE: SA-LEARN Question
Wouldn't forwarding strip away header info that is used to train spam?

From: Christopher Mills [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 22, 2006 9:22 AM
To: users@spamassassin.apache.org
Subject: SA-LEARN Question

Hi,

We have over 100 domains on a server, all of which are getting junk mail. SA 3.1.4 installed, but I don't think it's properly trained yet (even though I did upgrade from an earlier version).

If I set up a [EMAIL PROTECTED] address and tell all my customers to forward the junk mail they get to that address, then run sa-learn on that mailbox, will that help, or, will it train SA that the users that forwarded the junk ARE the spammers and start to assign higher scores to legitimate customers?
Re: Should this hit more rules?
>> http://rulesemporium.com/rules/99_FVGT_meta.cf
>> http://www.rulesemporium.com/rules/88_FVGT_body.cf
>>
>> Fred writes good rules. ;-)
>>
>> Loren
>
> Indeed! Score on the stoopid spam example in my earlier post jumped up nicely. Thanks, Fred.

This post inspired me to try Fred's rules (as found on rulesemporium.com) out; after about 30 hours of testing I just removed them because of the large number of FPs. I hate to throw the baby out with the bathwater, though-- is there anyplace these rules are documented so I can get an idea of which (if any) might be keepers for me? My Perl-fu is weak enough that just reading the rules text isn't necessarily helpful.

-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
Someone once asked me if I had learned anything from going to war so many times. My reply: Yes, I learned how to cry. -- War correspondent Joe Galloway
Older rules causing problems...but which ones?
When I start spamassassin, I'm getting these types of errors in my mail log:

    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_HEAD_8BIT_NOSPM has undefined dependency '__SARE_HEAD_8BIT_DATE'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_HEAD_8BIT_NOSPM has undefined dependency '__SARE_HEAD_8BIT_RECV'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_MULT_RATW_03 has undefined dependency '__SARE_MULT_RATW_03E'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test DRUGS_ERECTILE has undefined dependency '__DRUGS_ERECTILE7'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_SPEC_PROLEO_M2a has dependency 'MIME_QP_LONG_LINE' with a zero score
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG50'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG55'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG65'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_MSGID_LONG40 has undefined dependency '__SARE_MSGID_LONG75'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG50'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG55'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG65'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_MSGID_LONG45 has undefined dependency '__SARE_MSGID_LONG75'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test FP_MIXED_PORN3 has undefined dependency 'FP_PENETRATION'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
    Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN'

So, when I try to run:

    Spamassassin -D

to see what is going on, it just stops at this point:

    [96288] dbg: logger: adding facilities: all
    [96288] dbg: logger: logging level is DBG
    [96288] dbg: generic: SpamAssassin version 3.1.4
    [96288] dbg: config: score set 0 chosen.
    [96288] dbg: util: running in taint mode? yes
    [96288] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
    [96288] dbg: util: PATH included '/sbin', keeping
    [96288] dbg: util: PATH included '/usr/sbin', keeping
    [96288] dbg: util: PATH included '/bin', keeping
    [96288] dbg: util: PATH included '/usr/bin', keeping
    [96288] dbg: util: PATH included '/usr/local/sbin', keeping
    [96288] dbg: util: PATH included '/usr/local/bin', keeping
    [96288] dbg: util: PATH included '/usr/X11R6/bin', keeping
    [96288] dbg: util: final PATH set to: /sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin
    [96288] dbg: message: MIME PARSER START
    [96288] dbg: message: main message type: text/plain
    [96288] dbg: message: parsing normal part
    [96288] dbg: message: added part, type: text/plain
    [96288] dbg: message: MIME PARSER END
    [96288] dbg: dns: is Net::DNS::Resolver available? yes
    [96288] dbg: dns: Net::DNS version: 0.58

I'm not sure what is going on. SA starts, stops and seems to work just fine. I suspect there are some older rules somewhere causing some problems, but I can't figure out where.

-- 
Mike Loiterman
GrantAdler
Tel: 630-302-4944
Fax: 773-442-0992
Email: [EMAIL PROTECTED]
PGP Key: 0xD1B9D18E
Re: Formatting plugin report
On Tue, 22 Aug 2006, Matt Kettler wrote: John D. Hardin wrote: Coders (if any): Can anybody point me at a code sample showing how to get details into the report SUMMARY tag from within a plugin? Like the [IP address etc.] in this: * 1.0 RBL_PSBL_01 RBL: Mail client listed by psbl.surriel.com * [64.8.111.2 listed in psbl.surriel.com] I can't seem to figure it out. I took a casual glance at the code, it seems to be related to the test_log subroutine, which populates test_log_msgs, that later gets added to the REPORT and SUMMARY. I got the same impression, but $self->test_log($msg); in the plugin does not do it. Perhaps I'm doing it in the wrong place, I'll keep at it. -- John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- If someone has a gun and is trying to kill you, it would be reasonable to shoot back with your own gun. -- the Dalai Lama, May 15, 2001 --- 28 days until Talk Like a Pirate day
Re: Older rules causing problems...but which ones?
On Tue, Aug 22, 2006 at 09:55:05AM -0500, Mike Loiterman wrote: Spamassassin -D to see what is going on, it just stops at this point: [...] Try spamassassin -D --lint. Otherwise, SA sits there looking for a message on STDIN. -- Randomly Generated Tagline: Auribus teneo lupum. [I hold a wolf by the ears.] [Boy, it *sounds* good. But what does it *mean*?]
Re: SA settings
Hi Theo, On Tue, 22 Aug 2006, Theo Van Dinter wrote: 1) /etc/spamassassin/init.pre 2) /etc/spamassassin/local.cf 3) /usr/share/spamassassin/*.cf 4) ~/.spamassassin/user_prefs You could just read the spamassassin documentation which talks about all of this. :) But to answer your question, it'd be 1, 3, 2, 4. Ah, sorry. I guess I didn't go through the documentation well enough. Thank you for answering my query! I also have a v310.pre and a v312.pre in /etc/spamassassin/. As I am running v3.1.3, can I assume they are backups of init.pre? I suppose if I change #1-#3, I have to restart the daemon, but not #4? No, they aren't backups of init.pre, they're pre files that got added in 3.1.0 and 3.1.2. Oh? You mean they're cumulative? When you upgrade to a new version, the new init.pre doesn't include the old ones? score UPPERCASE_25_50 0 score UPPERCASE_50_75 0 score UPPERCASE_75_100 0 score OBSCURED_EMAIL 0 which I honestly don't know what it means... :) Those rules are being disabled. Though if you don't know what it means, why do you have the lines in your personal config? ;) Well, in user_prefs, above these lines, it says: # Speakers of Asian languages, like Chinese, Japanese and Korean, will almost # definitely want to uncomment the following lines. They will switch off some # rules that detect 8-bit characters, which commonly trigger on mails using CJK # character sets, or that assume a western-style charset is in use. As I receive e-mails in Japanese every day, I just thought I should do what it says. But yes, without reading more than what these comments say. I'll read about what they say before enabling them, then. Thanks! Ray
Re: SA settings
On Wed, Aug 23, 2006 at 12:27:44AM +0900, Raymond Wan wrote: No, they aren't backups of init.pre, they're pre files that got added in 3.1.0 and 3.1.2. Oh? You mean they're cumulative? When you upgrade to a new version, the new init.pre doesn't include the old ones? Yes and no. The pre files are cumulative, in the same way that cf files are -- they're all read in. However, there is no new init.pre file. The issue being that people change init.pre, so a new install can't just overwrite the file since it'll destroy the changes, and it also can't just create an init.pre.new since potentially important new plugins won't be loaded. So we just create a new v###.pre file for any release that has new plugins. -- Randomly Generated Tagline: This is a kinder, gentler Federal Bureau of Investigation ... - Jim Duncan
Re: SA-LEARN Question
Bowie Bailey wrote: Christopher Mills wrote: Hi, We have over 100 domains on a server, all of which are getting junk mail. SA 3.1.4 installed, but I don't think it's properly trained yet (even though I did upgrade from an earlier version). If I set up a [EMAIL PROTECTED] address and tell all my customers to forward the junk mail they get to that address, then run sa-learn on that mailbox, will that help, or, will it train SA that the users that forwarded the junk ARE the spammers and start to assign higher scores to legitimate customers? No, SA will learn that messages forwarded from your users are spam. As someone else pointed out, you need to find a method that preserves the original headers of the message. Forwarding the spam as an attachment and then stripping it out or copying it to a shared imap folder are two of the more common options. I have a similar, albeit smaller, environment. What I've done is asked my users who want to help to have a ConfirmedSpam folder in their IMAP directory. Every night I cron-job a LOCATE for that folder and then tell sa-learn to learn those emails. Then I empty the mail dir to start fresh for the next day. It works like a charm. -- Michel Vaillancourt Wolfstar Systems www.wolfstar.ca
Re: Feeding bayes outbounds
On Mon, 21 Aug 2006, jdow wrote: From: Joe Zitnik [EMAIL PROTECTED] Our scanning program has the ability to archive all e-mail, both inbound and outbound, which we have been doing for months now. Given that your outbound mail is almost certainly ham, the majority of its content is going to be specific to our business sector, wouldn't feeding outbounds through bayes manually be a win win situation? Am I oversimplifying things, or am I missing something with that logic? If the terms in the outbound mail are likely to be the same as acceptable terms on the inbound mail that may be true. There will be a strong correlation, because most users tend to quote the entire e-mail when they reply. Granted, this only affects replies, but if someone is quoting a message you sent to them, Bayes is probably right to score that as ham. - Logan
Autolearn is OFF
All my headers say autolearn=no, yet, I have in my local.cf both of these settings: bayes_auto_learn 1 auto_learn 1 neither one works with or without the other it seems. Am I doing something wrong?
Re: Autolearn is OFF
On Tue, Aug 22, 2006 at 10:44:36AM -0500, Christopher Mills wrote: All my headers say autolearn=no, yet, i have in my local.cf both of these settings: bayes_auto_learn 1 auto_learn 1 neither one works with or without the other it seems. Am I doing something wrong? http://wiki.apache.org/spamassassin/AutolearningNotWorking BTW, bayes_auto_learn 1 is the default, and auto_learn isn't a valid config option anymore. -- Randomly Generated Tagline: But let me tell you, the slim lazy Homer you knew is dead. Now I'm a big fat dynamo. -- Homer Simpson King-Size Homer
CGI DDoS Data File
We experienced an intentional CGI flood over several days. These IPs are infected (or participated voluntarily in a DDoS). If this is of use to anyone, it includes the IP and host name. http://tqmcube.com/files/ddos-data.bz2 This is an incomplete list of unique IPs that were participants. Some of these IPs hit us several hundred times each. Oh, and I added a new zone - EXPLOIT.TQMCUBE.COM to one of the mirrors (primarily for the removal script to query). If it's of any practical value, feel free. All of these are already included in the spam list anyway. As you might expect - many are also dynamic. BTW, this had no negative impact - whatsoever - on the blacklist or its distribution. -- Black Hole: The Effect of Administering a DNSBL Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com Don't Subsidize Criminals: http://boulderpledge.org
Re: animated GIF spam
On Mon, 21 Aug 2006, John Rudd wrote: On Aug 21, 2006, at 10:13 PM, Chip M. wrote: While skimming thru my daily rejected spam pile, did a double take when a GIF spam seemed to blink at me. Thought it was a sw glitch at first... then realized the sneaky Borg had adapted again. Took a look at the frames in PaintShopPro's AnimationShop, and the first three are all but blank (wee bit of noise), followed by the payload. Given the way the GIF format works, that is actually a reasonable way to inject salt into a given image to throw off checksumming. (If only the programmer who is doing the technical end of this would get a real job instead of working for a spammer...) For animated, is there a clean break between frames of animation, something that netpbm or whatever can easily identify and break out into individual images? Yes, briefly, the GIF format is a sequence of chunks. Before any image data comes along, a chunk defines the overall size of the GIF (sort of the size of the canvas), and then you can have a series of other chunks. One type of chunk says "draw this image on the virtual canvas at these coordinates using this palette" and another says "delay this long". Putting these two types of chunks together in the right sequence gives the ability to do animations. (It also, incidentally, gives you the ability to do full 24-bit color. Few people know GIF is actually capable of this. But even though it is capable, it is a hack, and very wasteful of space, so maybe that's for the better.) It would be CPU intensive, but the right way to fight it might be to run the FuzzyOCR on each frame. And/or have a setting for maximum frames to process, and if the GIF goes over that number of frames, give it a huge spam score. Yeah, that is a bit tricky. I can think of a way to do a denial-of-service attack against the "run it on each frame" approach, but I won't share what that is. In theory, if that happens, one could write a plugin to examine the internal structure of the GIF and detect that. The one thing that would be important to guard against is suddenly flagging all animated GIFs as spam. Although I think they're really tacky and annoying, that doesn't mean that they are actually spam. For interlaced ... I have no idea. Depends a lot on how the interlaced images are stored, I guess. And whether or not netpbm can generate the final image for processing, instead of having to work on the interlaced data. I'm pretty sure it should be able to. If I recall correctly, interlaced GIFs just have the rows in a different order. It should be no problem to get the full image. - Logan
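Logan's idea of a plugin that examines the GIF's internal structure and enforces a maximum-frame setting, as an added Python example that is not part of the original thread nor of any SpamAssassin plugin: it walks the block sequence (extensions, image descriptors, trailer) without decoding pixels, counts frames with their delays and compressed sizes, and stops early once the limit is exceeded. The GIF builder produces a constructed sample with filler LZW data, and the near-blank threshold (under one compressed byte per 64 pixels) is an assumption chosen for illustration, not a figure from the thread.

```python
import struct
from dataclasses import dataclass


@dataclass
class GifFrame:
    width: int
    height: int
    interlaced: bool
    delay_cs: int   # delay set by the preceding Graphic Control Extension, 1/100 s
    lzw_bytes: int  # compressed pixel data, summed over its data sub-blocks


def _skip_sub_blocks(data: bytes, pos: int):
    """Walk data sub-blocks (length byte + payload; a 0 byte ends the chain).
    Returns (offset after the terminator, total payload bytes)."""
    total = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos, total
        total += n
        pos += n


def parse_gif(data: bytes, max_frames: int = 50):
    """Walk a GIF's block structure without decoding pixels: 0x21 extensions (the
    Graphic Control Extension carries the delay), 0x2C image descriptors (one per
    frame), 0x3B trailer. Returns (frames, over_limit); over_limit is True when the
    walk stopped because more than max_frames frames were seen."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed = data[10]                      # logical screen descriptor, packed field
    pos = 13
    if packed & 0x80:                      # global colour table follows
        pos += 3 * (2 << (packed & 0x07))  # 2^(n+1) RGB entries
    frames, delay = [], 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                  # trailer: well-formed end of file
            return frames, False
        if block == 0x21:                  # extension: label byte, then sub-blocks
            if pos >= len(data):
                raise ValueError("truncated extension")
            label = data[pos]
            pos += 1
            if label == 0xF9 and pos + 4 < len(data) and data[pos] == 4:
                # Graphic Control Extension body: packed, delay (LE16), transparent index
                delay = struct.unpack_from("<H", data, pos + 2)[0]
            pos, _ = _skip_sub_blocks(data, pos)
        elif block == 0x2C:                # image descriptor: left, top, w, h, packed
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            _left, _top, fw, fh, fpacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if fpacked & 0x80:             # local colour table
                pos += 3 * (2 << (fpacked & 0x07))
            pos += 1                       # LZW minimum code size byte
            pos, nbytes = _skip_sub_blocks(data, pos)
            frames.append(GifFrame(fw, fh, bool(fpacked & 0x40), delay, nbytes))
            delay = 0
            if len(frames) > max_frames:   # bound the work: stop walking here
                return frames, True
        else:
            raise ValueError(f"unexpected block type 0x{block:02x} at offset {pos - 1}")
    raise ValueError("no trailer: file truncated")


def animated_gif_check(data: bytes, max_frames: int = 10) -> dict:
    """Facts a rule along Logan's lines could score on."""
    try:
        frames, over_limit = parse_gif(data, max_frames)
    except ValueError as exc:
        return {"malformed": True, "reason": str(exc), "frames": 0,
                "over_limit": False, "near_blank": 0}
    # ASSUMED heuristic, not from the thread: under one compressed byte per 64
    # pixels marks a near-blank frame (the 'all but blank' padding frames).
    near_blank = sum(1 for f in frames
                     if f.width * f.height > 0 and f.lzw_bytes * 64 < f.width * f.height)
    return {"malformed": False, "reason": "", "frames": len(frames),
            "over_limit": over_limit, "near_blank": near_blank}


def build_constructed_gif(frames, canvas=(64, 48)) -> bytes:
    """CONSTRUCTED test input, not a captured spam: a syntactically valid GIF89a whose
    LZW payload is zero filler (the walker never decodes pixels, so that suffices).
    `frames` is a list of (width, height, payload_bytes) with payload_bytes <= 255."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", canvas[0], canvas[1], 0x80, 0, 0)  # GCT flag, 2 entries
    out += bytes(6)                                                  # 2 RGB entries
    for fw, fh, n in frames:
        out += bytes([0x21, 0xF9, 4, 0]) + struct.pack("<H", 10) + bytes([0, 0])  # 0.1 s
        out += bytes([0x2C]) + struct.pack("<HHHHB", 0, 0, fw, fh, 0)
        out += bytes([2, n]) + bytes(n) + bytes([0])  # min code size, one sub-block, end
    out += bytes([0x3B])
    return bytes(out)
```

Calling animated_gif_check(build_constructed_gif([(64, 48, 8)] * 3 + [(64, 48, 200)])) reproduces the shape Chip describes (three near-blank frames, then the payload), and a forty-frame input with max_frames=10 returns over_limit after eleven frames without walking the rest.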
Re: SA-LEARN Question
On Tuesday 22 August 2006 16:31, Jean-Paul Natola took the opportunity to say: Wouldn't forwarding strip away header info that is used to train spam? It depends on the MUA. Some MUAs, like MS Outlook (who would've guessed?) (at least Outlook 2000), mangle the mail even when forwarding as an attachment. Well-behaved MUAs preserve everything when forwarding as an attachment, but then you need to extract that attachment. -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
RE: How can I (we) get rid of this?
-Original Message- From: Theo Van Dinter [mailto:[EMAIL PROTECTED] Sent: Monday, August 21, 2006 12:50 PM To: users@spamassassin.apache.org Subject: Re: How can I (we) get rid of this? On Mon, Aug 21, 2006 at 11:52:04AM -0400, Jean-Paul Natola wrote: I'm getting an error when attempting to run sa-update Can't locate Archive/Tar.pm in @INC (@INC contains: [...] Did you install the sa-update required modules, as listed in the INSTALL doc? (Archive::Tar, LWP, IO::Zlib) -- Randomly Generated Tagline: First they ignore you, then they laugh at you, then they fight you, then you win. - Gandhi Ok I have installed the indicated modules , now I get a sa-update: importing default keyring to '/usr/local/etc/mail/spamassassin//sa-update-keys'... fatal: couldn't find GPG in $PATH
Re: SA logging options wrong uid Debian-exim sa-stats
On Monday 21 August 2006 22:21, Stefan Bauer took the opportunity to say: I am using Debian with SpamAssassin 3.1.1-1 and exim 4.62. I am looking forward to using sa-stats[1] with the stats from SpamAssassin from /var/log/exim4/mainlog.log like: Aug 21 17:58:51 main spamd[4064]: spamd: result: . -1 - AWL,BAYES_00 scantime=2.3,size=5146,user=Debian-exim,uid=104,required_score=3.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=49475,mid=[EMAIL PROTECTED].de,rmid=[EMAIL PROTECTED],bayes=1.11668452262847e-11,autolearn=no This works but not very well. SpamAssassin logs to the file above but the user=Debian-exim part is always Debian-exim. How can I set up SpamAssassin to log the files or deliver the files under the uid of the user who received the mails? This is an Exim question, which you should ask exim-users@exim.org or [EMAIL PROTECTED] about. Running sa-stats only lets me get stats[2] for the user Debian-exim which lists all mails. So my question is how can I negotiate SA to deliver the mails under the UID of the users to get usable logs? It depends on how you call SpamAssassin from Exim, which in turn partly depends on whether you want personal user preferences or not. With sa-exim you can't. With the exiscan ACL condition (spam = user) you can, but you have to make special arrangements to unambiguously decide which user to scan for if there are many recipients. If you call SA late in the delivery process, for instance as a transport filter, once for each recipient, then it's easy. So please come to the Exim mailing lists and describe your setup in more detail. [1] http://david.hexstream.co.uk/scripts/sa-stats/sa-stats.pl.html [2] http://www.plzk.de/stats/spam -- Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: How can I (we) get rid of this?
On Tue, Aug 22, 2006 at 02:01:38PM -0400, Jean-Paul Natola wrote: Ok I have installed the indicated modules, now I get a sa-update: importing default keyring to '/usr/local/etc/mail/spamassassin//sa-update-keys'... fatal: couldn't find GPG in $PATH If you don't have GPG (GnuPG) installed, you'll want to run with --nogpg. This is less secure, but will work. -- Randomly Generated Tagline: You tell 'em Moon, You're out all night.
RE: How can I (we) get rid of this?
-Original Message- From: Theo Van Dinter [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 22, 2006 2:07 PM To: users@spamassassin.apache.org Subject: Re: How can I (we) get rid of this? On Tue, Aug 22, 2006 at 02:01:38PM -0400, Jean-Paul Natola wrote: Ok I have installed the indicated modules , now I get a sa-update: importing default keyring to '/usr/local/etc/mail/spamassassin//sa-update-keys'... fatal: couldn't find GPG in $PATH If you don't have GPG (GnuPG) installed, you'll want to run with --nogpg. This is less secure, but will work. -- Randomly Generated Tagline: You tell 'em Moon, You're out all night. I will do that, do you recommend installing GPG?
Re: SA-LEARN Question
On 22-Aug-06, at 1:57 PM, Magnus Holmgren wrote: On Tuesday 22 August 2006 16:31, Jean-Paul Natola took the opportunity to say: Wouldn't forwarding strip away header info that is used to train spam? It depends on the MUA. Some MUAs, like MS Outlook (who would've guessed?) (at least Outlook 2000), mangle the mail even when forwarding as an attachment. Well-behaved MUAs preserve everything when forwarding as an attachment, but then you need to extract that attachment. I've been told to, and do use, Redirect instead of Forward when sending spam to a common mailbox for sa-learn. -- Gino Cerullo Pixel Point Studios 21 Chesham Drive Toronto, ON M3M 1W6 416-247-7740
Re: How can I (we) get rid of this?
On Aug 21, 2006, at 11:04 AM, Stuart Johnston wrote: Anders Norrbring wrote: Hiya all! I'm getting really sick on recieving 10-100 of the attached mails every day. Any suggestions on how to get rid of them? Apparently my Amavis-new and SpamAssassin only tags them from 0 to 1.6 points. FuzzyOCR, ImageInfo, SARE, sa-update. Well sa-update and SARE (at least the sets I use -- you should be more specific) don't help.
Re: How can I (we) get rid of this?
On Aug 21, 2006, at 9:55 PM, DAve wrote: Is there a way around the dependencies? The FreeBSD port shows the following, xorg-libraries-6.9.0, ghostscript-gnu-7.07_15, teTeX-3.0_1, tcl-8.4.13_1 (TCL?), and all their dependencies. Plus a lot more. Which port? I can't find a fuzzyocr port in the freebsd collection. In any case, if you set WITHOUT_X11=YES in /etc/make.conf you usually don't get the X dependencies when building ports. Sometimes you also have to set WITHOUT_GUI=YES.
Re: How can I (we) get rid of this?
Vivek Khera wrote: On Aug 21, 2006, at 11:04 AM, Stuart Johnston wrote: Anders Norrbring wrote: Hiya all! I'm getting really sick on recieving 10-100 of the attached mails every day. Any suggestions on how to get rid of them? Apparently my Amavis-new and SpamAssassin only tags them from 0 to 1.6 points. FuzzyOCR, ImageInfo, SARE, sa-update. Well sa-update and SARE (at least the sets I use -- you should be more specific) don't help. The specific message that was posted hit for me on: SARE_OBFU_SOFT from 70_sare_obfu.cf SARE_GIF_ATTACH from 70_sare_stocks.cf TVD_FW_GRAPHIC_ID3 from sa-update
RE: Custom Rule Filtering on X-Mailer Header Not Working
Thank you very much for the suggestion, but I should have mentioned earlier that I had already tried that. I actually now have it without the question mark and the messages from The Bat! keep flowing right through. Here is what I now have, which to me, should match: header SPAM_BAT X-Mailer =~ /The Bat/I I'm really beginning to think there is something wrong with the code. I even have a utility where I can change the X-Mailer header of a test message to whatever I want and when I use The Bat!, it too goes right through. Any other ideas? -Original Message- From: jdow [mailto:[EMAIL PROTECTED] Sent: Monday, August 21, 2006 5:16 PM To: users@spamassassin.apache.org Subject: Re: Custom Rule Filtering on X-Mailer Header Not Working From: Kyle Harris [EMAIL PROTECTED] I'm having some difficulty getting a simple custom rule to work based on the X-Mailer used. Here is the custom rule: header SPAM_BAT X-Mailer =~ /The Bat!/i header SPAM_BAT X-Mailer =~ /The Bat\!/i Try that. {^_^}
Re: animated GIF spam
--On Tuesday, August 22, 2006 1:07 AM -0500 Chip M. [EMAIL PROTECTED] wrote: For interlaced ... I have no idea. Depends a lot on how the interlaced images are stored, I guess. Yes, exactly. Until there's samples, I'm not going to worry about it. There's also progressive JPEG. http://www.faqs.org/faqs/jpeg-faq/part1/section-11.html http://en.wikipedia.org/wiki/JPEG http://en.wikipedia.org/wiki/JPEG_2000
Re: Custom Rule Filtering on X-Mailer Header Not Working
On Tue, Aug 22, 2006 at 03:16:07PM -0500, Kyle Harris wrote: header SPAM_BAT X-Mailer =~ /The Bat/I A capital I isn't valid. I'm really beginning to think there is something wrong with the code. I even have a utility where I can change the X-Mailer header of a test message to whatever I want and when I use The Bat!, it too goes right through. Is there a reason you aren't using the already included rule: header __THEBAT_MUA X-Mailer =~ /The Bat!/ And BTW, The Bat is a valid Windows MUA, it doesn't necessarily only send spam. -- Randomly Generated Tagline: How you look depends on where you go.
RE: SA settings
Raymond Wan wrote: Hi Theo, On Tue, 22 Aug 2006, Theo Van Dinter wrote: score UPPERCASE_25_50 0 score UPPERCASE_50_75 0 score UPPERCASE_75_100 0 score OBSCURED_EMAIL 0 which I honestly don't know what it means... :) Those rules are being disabled. Though if you don't know what it means, why do you have the lines in your personal config? ;) Well, in user_prefs, above these lines, it says: # Speakers of Asian languages, like Chinese, Japanese and Korean, will almost # definitely want to uncomment the following lines. They will switch off some # rules that detect 8-bit characters, which commonly trigger on mails using CJK # character sets, or that assume a western-style charset is in use. As I receive e-mails in Japanese every day, I just thought I should do what it says. But yes, without reading more than what these comments say. I'll read about what they say before enabling them, then. Thanks! If you receive email in Japanese, then do what it says and uncomment those lines. Those rules are designed to work on western character sets and do not work properly with Asian character sets. -- Bowie
RE: SA-LEARN Question
Michel Vaillancourt wrote: Bowie Bailey wrote: Christopher Mills wrote: Hi, We have over 100 domains on a server, all of which are getting junk mail. SA 3.1.4 installed, but I don't think it's properly trained yet (even though I did upgrade from an earlier version). If I set up a [EMAIL PROTECTED] address and tell all my customers to forward the junk mail they get to that address, then run sa-learn on that mailbox, will that help, or, will it train SA that the users that forwarded the junk ARE the spammers and start to assign higher scores to legitimate customers? No, SA will learn that messages forwarded from your users are spam. As someone else pointed out, you need to find a method that preserves the original headers of the message. Forwarding the spam as an attachment and then stripping it out or copying it to a shared imap folder are two of the more common options. I have a similar, albeit smaller, environment. What I've done is asked my users who want to help to have a ConfirmedSpam folder in their IMAP directory. Every night I cron-job a LOCATE for that folder and then tell sa-learn to learn those emails. Then I empty the mail dir to start fresh for the next day. It works like a charm. For balanced learning, you should also have a ConfirmedHam folder so that you can learn from both ham and spam. -- Bowie
Re: animated GIF spam
Kenneth Porter wrote: --On Tuesday, August 22, 2006 1:07 AM -0500 Chip M. [EMAIL PROTECTED] wrote: For interlaced ... I have no idea. Depends a lot on how the interlaced images are stored, I guess. Yes, exactly. Until there's samples, I'm not going to worry about it. There's also progressive JPEG. http://www.faqs.org/faqs/jpeg-faq/part1/section-11.html http://en.wikipedia.org/wiki/JPEG http://en.wikipedia.org/wiki/JPEG_2000 These do not pose a problem currently, FuzzyOcr can handle them as far as I am aware. Chris
USER_IN_WHITELIST problem
Hi, I am new to this list and certainly not a SA expert, however I have moderate experience in general linux issues and mailer issues. I am getting a series of messages allowed through on the basis of USER_IN_WHITELIST. I have searched the mailing list archive and pored over my setup files and just cannot understand why these messages are getting marked USER_IN_WHITELIST. The headers are below, my (perhaps limited) understanding is: (1) that USER_IN_WHITELIST has nothing to do with bayes or AWL So I am ignoring them. (2) I have checked the .cf files in /usr/share/spamassassin, /etc/spamassassin/ and ~nick/.spamassassin/ and cannot see any reason why [EMAIL PROTECTED] should be getting whitelisted (or indeed any of the other users in this series of emails) (3) the X-Spam-* headers seem to be written by my machine (rather than being forged, if that were possible) (4) SA is launched out of spamd/spamc via ~/.procmailrc on gentoo linux. The MTA is postfix and the SA version is 3.1.3. Can anyone help me with where to look next? Return-Path: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 3.1.3-gr0 (2006-06-01) on www.rout.co.nz X-Spam-Level: X-Spam-Status: No, score=-88.6 required=5.5 tests=AWL,BAYES_99, HTML_IMAGE_ONLY_04,HTML_MESSAGE,HTML_SHORT_LENGTH,MIME_HTML_ONLY, MSGID_SPAM_LETTERS,USER_IN_WHITELIST autolearn=no version=3.1.3-gr0 X-Original-To: [EMAIL PROTECTED] Delivered-To: [EMAIL PROTECTED] Received: from Trishamobile.net (unknown [196.36.9.186]) by www.rout.co.nz (Postfix) with SMTP id 7169A19DA6 for [EMAIL PROTECTED]; Tue, 22 Aug 2006 20:38:17 +1200 (NZST) Date: Tue, 22 Aug 2006 10:41:19 +0200 To: Nick [EMAIL PROTECTED] From: Lee [EMAIL PROTECTED] Subject: Judith Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=ntrgncacgcywucwiohzd -- Nick Rout [EMAIL PROTECTED]
Re: USER_IN_WHITELIST problem
Nick Rout wrote: Hi, I am new to this list and certainly not a SA expert, however I have moderate experience in general linux issues and mailer issues. I am getting a series of messages allowed through on the basis of USER_IN_WHITELIST. I have searched the mailing list archive and pored over my setup files and just cannot understand why these messages are getting marked USER_IN_WHITELIST. The headers are below, my (perhaps limited) understanding is: (1) that USER_IN_WHITELIST has nothing to do with bayes or AWL So I am ignoring them. (2) I have checked the .cf files in /usr/share/spamassassin, /etc/spamassassin/ and ~nick/.spamassassin/ and cannot see any reason why [EMAIL PROTECTED] should be getting whitelisted (or indeed any of the other users in this series of emails) (3) the X-Spam-* headers seem to be written by my machine (rather than being forged, if that were possible) (4) SA is launched out of spamd/spamc via ~/.procmailrc on gentoo linux. The MTA is postfix and the SA version is 3.1.3. Can anyone help me with where to look next? Return-Path: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 3.1.3-gr0 (2006-06-01) on www.rout.co.nz X-Spam-Level: X-Spam-Status: No, score=-88.6 required=5.5 tests=AWL,BAYES_99, HTML_IMAGE_ONLY_04,HTML_MESSAGE,HTML_SHORT_LENGTH,MIME_HTML_ONLY, MSGID_SPAM_LETTERS,USER_IN_WHITELIST autolearn=no version=3.1.3-gr0 The return-path looks a little iffy to me, have you white listed yourself or your domain ? (hint: not a good idea). Regards, Rick
Re: USER_IN_WHITELIST problem
Nick Rout wrote: Hi, I am new to this list and certainly not a SA expert, however I have moderate experience in general linux issues and mailer issues. I am getting a series of messages allowed through on the basis of USER_IN_WHITELIST. I have searched the mailing list archive and pored over my setup files and just cannot understand why these messages are getting marked USER_IN_WHITELIST. The headers are below, my (perhaps limited) understanding is: (1) that USER_IN_WHITELIST has nothing to do with bayes or AWL So I am ignoring them. (2) I have checked the .cf files in /usr/share/spamassassin, /etc/spamassassin/ and ~nick/.spamassassin/ and cannot see any reason why [EMAIL PROTECTED] should be getting whitelisted (or indeed any of the other users in this series of emails) (3) the X-Spam-* headers seem to be written by my machine (rather than being forged, if that were possible) (4) SA is launched out of spamd/spamc via ~/.procmailrc on gentoo linux. The MTA is postfix and the SA version is 3.1.3. Can anyone help me with where to look next? Return-Path: [EMAIL PROTECTED] snip The user being whitelisted is most likely you [EMAIL PROTECTED]. You've probably whitelisted yourself using an unauthenticated method (whitelist_from) which is never a good thing. Daryl
Re: Custom Rule Filtering on X-Mailer Header Not Working
Did you do something utterly reckless and give it a score? And you want lower case i, I believe. Also be sure to restart any daemonized SpamAssassin when you make changes. And for that matter WHERE do you have the rule? If it's not in the same place as local.cf then it probably won't get run unless you allow_user_rules 1 and have it in ~/user_prefs everywhere it needs to be. {o.o} - Original Message - From: Kyle Harris [EMAIL PROTECTED] Thank you very much for the suggestion, but I should have mentioned earlier that I had already tried that. I actually now have it without the question mark and the messages from The Bat! keep flowing right through. Here is what I now have, which to me, should match: header SPAM_BAT X-Mailer =~ /The Bat/I I'm really beginning to think there is something wrong with the code. I even have a utility where I can change the X-Mailer header of a test message to whatever I want and when I use The Bat!, it too goes right through. Any other ideas? -Original Message- From: jdow [mailto:[EMAIL PROTECTED] Sent: Monday, August 21, 2006 5:16 PM To: users@spamassassin.apache.org Subject: Re: Custom Rule Filtering on X-Mailer Header Not Working From: Kyle Harris [EMAIL PROTECTED] I'm having some difficulty getting a simple custom rule to work based on the X-Mailer used. Here is the custom rule: header SPAM_BAT X-Mailer =~ /The Bat!/i header SPAM_BAT X-Mailer =~ /The Bat\!/i Try that. {^_^}
Re: Formatting plugin report
John D. Hardin wrote: On Tue, 22 Aug 2006, Matt Kettler wrote: John D. Hardin wrote: Coders (if any): Can anybody point me at a code sample showing how to get details into the report SUMMARY tag from within a plugin? Like the [IP address etc.] in this: * 1.0 RBL_PSBL_01 RBL: Mail client listed by psbl.surriel.com * [64.8.111.2 listed in psbl.surriel.com] I can't seem to figure it out. I took a casual glance at the code, it seems to be related to the test_log subroutine, which populates test_log_msgs, that later gets added to the REPORT and SUMMARY. I got the same impression, but $self->test_log($msg); in the plugin does not do it. Perhaps I'm doing it in the wrong place, I'll keep at it. I don't recall much about this, but I used this sub in my SIQ plugin (in my sandbox) to take care of this: sub _log_hit { my ($self, $pms, $rulename, $text) = @_; $pms->test_log($text); $pms->got_hit($rulename, ""); } and then called _log_hit like this: $self->_log_hit($pms, $rule_name, "SIQ: score: $results[4] queried: " . "$pms->{siq_domain}/$pms->{siq_ip}"); So basically, call $pms->test_log() and then call $pms->got_hit(). Daryl
Re: Older rules causing problems...but which ones?
From: Mike Loiterman [EMAIL PROTECTED]

Aug 22 09:36:55 eisenhower spamd[96202]: rules: meta test SARE_HEAD_8BIT_NOSPM has undefined dependency '__SARE_HEAD_8BIT_DATE'

grep SARE_HEAD_8BIT_NOSPM /etc/mail/spamassassin/*.cf

Modify the location to match your reality if needed. {^_^}
Re: USER_IN_WHITELIST problem
On Tue, 22 Aug 2006 19:58:59 -0400 Rick Macdougall wrote:

Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.3-gr0 (2006-06-01) on www.rout.co.nz
X-Spam-Level:
X-Spam-Status: No, score=-88.6 required=5.5 tests=AWL,BAYES_99,
	HTML_IMAGE_ONLY_04,HTML_MESSAGE,HTML_SHORT_LENGTH,MIME_HTML_ONLY,
	MSGID_SPAM_LETTERS,USER_IN_WHITELIST autolearn=no version=3.1.3-gr0

The return-path looks a little iffy to me, have you white listed yourself or your domain ? (hint: not a good idea).

Regards, Rick

Thanks, quick reply! (Thanks too Daryl, also quick)

So I take it USER_IN_WHITELIST also checks Return-Path? I wonder where Return-Path is being set? Is it likely to be set by the spammer? Or is my system adding it in somewhere (probably in error).

Anyway, yes I did whitelist my domain owing to a few false positives, (my wife asking about money or s** or both?) Whitelisting seemed the obvious but clearly wrong idea. The relevant line will be this one in /etc/spamassassin/local.cf:

whitelist_from [EMAIL PROTECTED]

(yep that's my domain)

So is there any better way to do it? (Clearly there will be, but I don't yet know what it is, your further help will be appreciated)

-- Nick Rout [EMAIL PROTECTED]
Re: Custom Rule Filtering on X-Mailer Header Not Working
On Aug 22, 2006, at 17:06, jdow wrote: Did you do something utterly reckless and give it a score? Give it a score!? You sure do live dangerously!
Re: USER_IN_WHITELIST problem
Nick Rout wrote:

On Tue, 22 Aug 2006 19:58:59 -0400

Thanks, quick reply! (Thanks too Daryl, also quick)

So I take it USER_IN_WHITELIST also checks Return-Path? I wonder where Return-Path is being set? Is it likely to be set by the spammer? Or is my system adding it in somewhere (probably in error).

Anyway, yes I did whitelist my domain owing to a few false positives, (my wife asking about money or s** or both?) Whitelisting seemed the obvious but clearly wrong idea. The relevant line will be this one in /etc/spamassassin/local.cf:

whitelist_from [EMAIL PROTECTED]

(yep that's my domain)

So is there any better way to do it? (Clearly there will be, but I don't yet know what it is, your further help will be appreciated)

Hi,

You probably want to look at Mail::SpamAssassin::Conf

whitelist_from_rcvd [EMAIL PROTECTED] sourceforge.net

Use this to supplement the whitelist_from addresses with a check against the Received headers. The first parameter is the address to whitelist, and the second is a string to match the relay's rDNS. This string is matched against the reverse DNS lookup used during the handover from the internet to your internal network's mail exchangers. It can either be the full hostname, or the domain component of that hostname. In other words, if the host that connected to your MX had an IP address that mapped to 'sendinghost.spamassassin.org', you should specify sendinghost.spamassassin.org or just spamassassin.org here.

Although if your wife is emailing you about sex and money in the same email.. well, I just won't go there :))

Regards, Rick
Re: USER_IN_WHITELIST problem
From: Nick Rout [EMAIL PROTECTED]

On Tue, 22 Aug 2006 19:58:59 -0400 Rick Macdougall wrote:

Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.3-gr0 (2006-06-01) on www.rout.co.nz
X-Spam-Level:
X-Spam-Status: No, score=-88.6 required=5.5 tests=AWL,BAYES_99,
	HTML_IMAGE_ONLY_04,HTML_MESSAGE,HTML_SHORT_LENGTH,MIME_HTML_ONLY,
	MSGID_SPAM_LETTERS,USER_IN_WHITELIST autolearn=no version=3.1.3-gr0

The return-path looks a little iffy to me, have you white listed yourself or your domain ? (hint: not a good idea).

Regards, Rick

Thanks, quick reply! (Thanks too Daryl, also quick)

So I take it USER_IN_WHITELIST also checks Return-Path? I wonder where Return-Path is being set? Is it likely to be set by the spammer? Or is my system adding it in somewhere (probably in error).

Anyway, yes I did whitelist my domain owing to a few false positives, (my wife asking about money or s** or both?) Whitelisting seemed the obvious but clearly wrong idea. The relevant line will be this one in /etc/spamassassin/local.cf:

whitelist_from [EMAIL PROTECTED]

(yep that's my domain)

So is there any better way to do it? (Clearly there will be, but I don't yet know what it is, your further help will be appreciated)

man Mail::SpamAssassin::Conf

Look for 'whitelist_from_rcvd'. It will be your friend here, perhaps. But one wonders why you must whitelist your own domain {^_^}
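An added example, not code from the thread or from SpamAssassin, illustrating Rick's and jdow's point with two constructed messages (example.org stands in for Nick's domain; Postfix-style Received: lines and a topmost-hop-only check are assumed): plain whitelist_from matches whatever From:/Return-Path: claims, while whitelist_from_rcvd also requires the relay's rDNS to sit under the domain, so the forged message no longer earns the USER_IN_WHITELIST score.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatch
# Constructed sample messages (not from the thread). Both claim a sender in the
# site's own domain, example.org; only LEGIT really came from that domain's MTA.
FORGED = """\
Return-Path: <nick@example.org>
Received: from example.org (unknown [198.51.100.23])
\tby mx.example.org (Postfix) with ESMTP id 1A2B3C; Tue, 22 Aug 2006 19:58:59 -0400
From: nick@example.org
"""
LEGIT = """\
Return-Path: <nick@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id 4D5E6F; Tue, 22 Aug 2006 20:03:11 -0400
From: nick@example.org
"""
# Postfix-style "from <helo> (<rdns> [<ip>])" clause of a Received: header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")

def relay_rdns(msg):
    """rDNS of the host that handed the mail to our MX (topmost Received:, the
    hop whitelist_from_rcvd examines); Postfix writes 'unknown' if there is none."""
    rcvd = msg.get_all("Received") or []
    m = RECEIVED_RE.search(rcvd[0]) if rcvd else None
    return m.group(2).lower() if m else ""

def sender_matches(msg, pattern):
    """Plain whitelist_from: only the claimed sender is checked, so a forged From:
    or Return-Path: in your own domain is enough to hit USER_IN_WHITELIST."""
    for header in ("From", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1].lower()
        if addr and fnmatch(addr, pattern.lower()):
            return True
    return False

def whitelist_from_rcvd(msg, pattern, domain):
    """Sender must match AND the relay's rDNS must be that host or end in that
    domain, something the remote sender cannot set from their side."""
    if not sender_matches(msg, pattern):
        return False
    rdns, domain = relay_rdns(msg), domain.lower()
    return rdns == domain or rdns.endswith("." + domain)

def check(raw, pattern="*@example.org", domain="example.org"):
    """(plain whitelist_from hit, whitelist_from_rcvd hit) for a raw message."""
    msg = message_from_string(raw)
    return sender_matches(msg, pattern), whitelist_from_rcvd(msg, pattern, domain)
```

The Received: parsing here is deliberately minimal; SpamAssassin's own parser understands many more MTA formats and honours trusted_networks when deciding which hop counts.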
Re: Custom Rule Filtering on X-Mailer Header Not Working
From: John Rudd [EMAIL PROTECTED] On Aug 22, 2006, at 17:06, jdow wrote: Did you do something utterly reckless and give it a score? Give it a score!? You sure do live dangerously! If you did give it a score and made the score zero for safe testing the rule will never run. A score of 0.001 or something like that is worlds more effective. {o.o}
Re: OCR plugin doesn't seem to work
decoder wrote: Which OCR plugin are you using there? If it is the original OcrPlugin, then you might try FuzzyOcr instead. The original OcrPlugin was more proof-of-concept, and will cause you lots of headaches with the current image spam...

I did upgrade to FuzzyOCR after I read your message. But, I don't think it's working- however other rules seem to be catching these stock gifs. Here's the headers from one of them:

Content analysis details: (10.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 4.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.1 HTML_IMAGE_ONLY_32     BODY: HTML: images with 2800-3200 bytes of words
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 1.0 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
                            [score: 0.7765]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [71.197.31.248 listed in dnsbl.sorbs.net]

I don't see OCR mentioned in there at all. I still don't think it's working. Spamassassin --lint doesn't indicate anything is wrong. How can I test it?

-Mike
RE: SA settings
Hi Bowie,

On Tue, 22 Aug 2006, Bowie Bailey wrote:

Raymond Wan wrote:

1) /etc/spamassassin/*.pre
2a) /var/lib/spamassassin/3.001003/updates_spamassassin_org/*.cf (if the directory exists)
2b) /usr/share/spamassassin/*.cf (if the previous directory doesn't exist)
3) /etc/spamassassin/*.cf
4) ~/.spamassassin/user_prefs

Note that only one of 2a and 2b will be read, never both. If you have run sa-update and created the updates directory, it will be used. Otherwise, the original rules directory will be used.

Ah, thank you for that! I actually modified the CONTACTADDRESS in /usr/share/spamassassin/10... and the change didn't take effect. I didn't know why and just presumed I got the syntax wrong. I didn't realize there was another set of files elsewhere and that my changes in /usr/share/spamassassin were pointless.

The user_prefs file is always read for configuration changes. allow_user_rules simply allows the users to create custom rules as well as making simple changes. The main reasons to leave user rules off is that they slow down the system and give the possibility of users writing bad rules.

I see. So it really is an efficiency issue and not so much a security issue. I forgot to mention that I'm running a single-user Debian system (one user account, one root). But good to know if I ever manage a system with more user accounts.

Everything possible should be in local.cf (or another cf file in that directory). The only thing that should be in user_prefs are settings that only apply to that one user.

Ok...centralized at the local.cf file. Also, since it is loaded last (but before the user_prefs file), it can undo some of the things that the previous .cf files did...such as setting the contact address.

Scores for rules can be changed in user_prefs without enabling user rules. Setting the score to 0 disables the rule. This allows users to disable or lower the score of rules that they don't like.
In this case, these are rules that commonly trigger on Asian language emails. So people who expect to see ham messages in those languages should uncomment those score lines to disable the tests.

Ok, thanks for your detailed explanation. I read in the documentation that some things the user cannot do, and I was wondering why these lines were in user_prefs. I now see the difference between enabling a rule (which will add execution time cost) and disabling or reducing the score of a rule that root had enabled.

Thanks also for your next post. Yes, I do get Japanese e-mails every day. I'll be sure to have them enabled.

Ray
Re: Formatting plugin report
On Tue, 22 Aug 2006, Daryl C. W. O'Shea wrote:

I took a casual glance at the code, it seems to be related to the test_log subroutine, which populates test_log_msgs, that later gets added to the REPORT and SUMMARY.

I got the same impression, but $self->test_log($msg); in the plugin does not do it. Perhaps I'm doing it in the wrong place, I'll keep at it.

I don't recall much about this, but I used this sub in my SIQ plugin (in my sandbox) to take care of this:

sub _log_hit {
    my ($self, $pms, $rulename, $text) = @_;
    $pms->test_log($text);
    $pms->got_hit($rulename, '');
}

What finally worked for me was to call $pms->test_log(...) in the plugin eval routine. I'm modeling my plugin on the URICountry plugin, and the parsed_metadata() routine is *not* the place to call test_log()... :)

--
John Hardin KA7OHZ  ICQ#15735746  http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]  FALaholic #11174  pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Taking my gun away because I *might* shoot someone is like cutting my tongue out because I *might* yell Fire! in a crowded theater. -- Peter Venetoklis
---
28 days until Talk Like a Pirate day
Re: SA settings
From: Raymond Wan [EMAIL PROTECTED]

Hi Bowie,

On Tue, 22 Aug 2006, Bowie Bailey wrote:

Raymond Wan wrote:

1) /etc/spamassassin/*.pre
2a) /var/lib/spamassassin/3.001003/updates_spamassassin_org/*.cf (if the directory exists)
2b) /usr/share/spamassassin/*.cf (if the previous directory doesn't exist)
3) /etc/spamassassin/*.cf
4) ~/.spamassassin/user_prefs

Note that only one of 2a and 2b will be read, never both. If you have run sa-update and created the updates directory, it will be used. Otherwise, the original rules directory will be used.

Ah, thank you for that! I actually modified the CONTACTADDRESS in /usr/share/spamassassin/10... and the change didn't take effect. I didn't know why and just presumed I got the syntax wrong. I didn't realize there was another set of files elsewhere and that my changes in /usr/share/spamassassin were pointless.

Never change /etc/share/spamassassin or the /var/lib/spamassassin directories. Always change /etc/spamassassin/ or /etc/mail/spamassassin as appropriate for your install. You can override values set earlier with new ones. That change should probably be made in local.cf or maybe better a new 99_local.cf of your own.

The user_prefs file is always read for configuration changes. allow_user_rules simply allows the users to create custom rules as well as making simple changes. The main reasons to leave user rules off is that they slow down the system and give the possibility of users writing bad rules.

I see. So it really is an efficiency issue and not so much a security issue. I forgot to mention that I'm running a single-user Debian system (one user account, one root). But good to know if I ever manage a system with more user accounts.

Everything possible should be in local.cf (or another cf file in that directory). The only thing that should be in user_prefs are settings that only apply to that one user.

Ok...centralized at the local.cf file.
Also, since it is loaded last (but before the user_prefs file), it can undo some of the things that the previous .cf files did...such as setting the contact address. Well, there was a bit of a mis-statement there. All system wide configuration rule type settings should be in files named with a .cf on the end such as the example I gave above, 99_local.cf, and located in the same directory as local.cf. The rules in that directory, usually /etc/spamassassin or /etc/mail/spamassassin, are read in alphabetical order. So a 50_local.cf might contain a value that is overridden in 65_local.cf or MyRules.cf. SA rule sets and SARE rule sets use the two digit and underscore prefix convention to assure the read order for rules and scores. {^_^}
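An added example, not from the thread or from SpamAssassin itself, that models the .cf read order Bowie and jdow describe (2a or 2b, then the local directory, then user_prefs, each directory in alphabetical order) under a throwaway root, so you can ask which file's definition of a setting actually wins. The tree it builds is constructed to mirror Raymond's situation, the *.pre step is left out, and only "score RULE value" and "directive value" lines are parsed.

```python
import tempfile
from pathlib import Path
UPDATES = "var/lib/spamassassin/3.001003/updates_spamassassin_org"  # version from the thread

def config_files(root):
    """The .cf read order from the thread, under a root dir so a throwaway tree
    can stand in for the real filesystem (the *.pre step is left out)."""
    root = Path(root)
    rules = root / UPDATES if (root / UPDATES).is_dir() else root / "usr/share/spamassassin"
    files = sorted(rules.glob("*.cf"))                              # 2a OR 2b, alphabetical
    files += sorted((root / "etc/spamassassin").glob("*.cf"))      # 3: local.cf and friends
    prefs = root / "home/user/.spamassassin/user_prefs"             # 4: always read, last
    return files + [prefs] if prefs.is_file() else files

def setting_key(line):
    """'score RULE 1.0' is keyed per rule; other directives by their first word."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None, None
    if parts[0] == "score" and len(parts) >= 3:
        return " ".join(parts[:2]), parts[2]
    return parts[0], " ".join(parts[1:])

def effective_setting(root, key):
    """Last definition wins: (value, file) of the copy SpamAssassin actually uses."""
    found = (None, None)
    for f in config_files(root):
        for line in f.read_text().splitlines():
            k, v = setting_key(line)
            if k == key:
                found = (v, str(f.relative_to(root)))
    return found

def build_demo_tree():
    """Constructed tree: the contact address edited in the /usr/share copy is never
    read because an sa-update directory exists; the numbered local files then override."""
    root = tempfile.mkdtemp()
    files = {
        "usr/share/spamassassin/10_default_prefs.cf": "report_contact edited-in-share@example.org\n",
        f"{UPDATES}/10_default_prefs.cf": "report_contact the administrator of that system\n",
        "etc/spamassassin/50_local.cf": "score SPAM_BAT 1.0\n",
        "etc/spamassassin/65_local.cf": "score SPAM_BAT 0.001\n",
        "etc/spamassassin/99_local.cf": "report_contact postmaster@example.org\n",
        "home/user/.spamassassin/user_prefs": "score SPAM_BAT 0\n",
    }
    for rel, body in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(body)
    return root
```

Note that the user_prefs line sets the score to 0, which per jdow means the rule never runs at all; the 65_local.cf value of 0.001 is the "still runs, barely scores" form for testing.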
Re: SA settings
Hi jdow, On Tue, 22 Aug 2006, jdow wrote: Never change /etc/share/spamassassin or the /var/lib/spamassassin directories. Always change /etc/spamassassin/ or /etc/mail/spamassassin as appropriate for your install. You can override values set earlier with new ones. That change should probably be made in local.cf or maybe better a new 99_local.cf of your own. Ah, thanks for this. I always make changes in /etc files...for some reason, I just thought SA was an exception to the rule. I've changed them back. I read report_contact changes the person to contact...so I thought I should grep through the cf files to find where it occurs and change the text that follows it. Wrong thing to do... Thanks for correcting me! Well, there was a bit of a mis-statement there. All system wide configuration rule type settings should be in files named with a .cf on the end such as the example I gave above, 99_local.cf, I see. The order is really directory order and not so much as file order. All .cf files within each of the directories are read. Thanks! Ray