Re: Custom Rule Filtering on X-Mailer Header Not Working

2006-08-23 Thread Loren Wilton

to whatever I want and when I use The Bat!, it too goes right through.

Any other ideas?


Restart spamd?  If it works in test and not in production...

BTW, you DO know that The Bat! is a perfectly legit (and very nice) mail 
program, don't you?  Lots of spammers abuse the name, but there are any 
number of people that use it to send real mail.  I mention that since the 
score I saw you assigning was pretty high.


   Loren



Re: SA settings

2006-08-23 Thread Loren Wilton
 I see.  The order is really directory order and not so much as file 
order.  All .cf files within each of the directories are read.


Not quite.  The files are read from each directory in the order of the file 
names, which is why many of the names start with numbers.  Obviously 
99anything.cf is going to be one of the last files processed from the 
directory it is in.

(However the directories are processed in a given order too.)

If you find something in one of the release directories that you feel you 
need to change, the thing to do is copy it into local.cf or something.cf in 
the /etc directory location.  The main problem with modifying it in the 
original location is that it will be overwritten at the next upgrade.


   Loren



low score spam

2006-08-23 Thread yossim

Hi forum,

recently i get a lot of spam emails with very low score mostly are text emails. How can i fine tune my SA in order to catch those emails?

here is an exmple:

Hi,
 
Not very good erecxction? You are welcome - http://pdahlmjr.com/l/
 
jockstrap or sporran woven out of, well possibly, his own hair. All of
it the color of rusty iron. I stepped forward and. bowed a little bow.
Iron John . . . ?



Reply-To: "Kellie Glassford" <[EMAIL PROTECTED]>
From: "Kellie Glassford" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: new sy
Date: Wed, 23 Aug 2006 00:01:47 -0700
MIME-Version: 1.0
X-yoursite-MailScanner-Information: Please contact the ISP for more information
X-yoursite-MailScanner-Information:X-yoursite-MailScanner: Found to be clean
X-yoursite-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.395,required 6.2, BAYES_20 -0.74, FORGED_RCVD_HELO 0.14,HTML_MESSAGE
	 1.00)
X-MailScanner-From: [EMAIL PROTECTED]


Thanks alot for your assitence,

Regards,

Yossi Mor

View this message in context: low score spam
Sent from the SpamAssassin - Users forum at Nabble.com.


Re: OCR plugin doesn't seem to work

2006-08-23 Thread decoder
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mike Pepe wrote:
 decoder wrote:

 Which OCR plugin are you using there? If it is the original
 OcrPlugin, then you might try FuzzyOcr instead. The original
 OcrPlugin was more proof-of-concept, and will cause you lots of
 headaches with the current image spam...

 I did upgrade to FuzzyOCR after I read your message. But, I don't
 think it's working- however other rules seem to be catching these
 stock gifs. Here's the headers from one of them:

 Content analysis details:   (10.6 points, 5.0 required)

 pts rule name  description  --
 -- 1.1
 EXTRA_MPART_TYPE   Header has extraneous Content-type:...type=
 entry 4.2 HELO_DYNAMIC_IPADDRRelay HELO'd using suspicious
 hostname (IP addr 1) 0.1 FORGED_RCVD_HELO   Received: contains
 a forged HELO 1.1 HTML_IMAGE_ONLY_32 BODY: HTML: images with
 2800-3200 bytes of words 0.4 HTML_30_40 BODY: Message
 is 30% to 40% HTML 1.0 BAYES_60   BODY: Bayesian spam
 probability is 60 to 80% [score: 0.7765] 0.0 HTML_MESSAGE
 BODY: HTML included in message 0.8 SARE_GIF_ATTACHFULL:
 Email has a inline gif 2.0 RCVD_IN_SORBS_DUL  RBL: SORBS: sent
 directly from dynamic IP address [71.197.31.248 listed in
 dnsbl.sorbs.net]

 I don't see OCR mentioned in there at all. I still don't think it's
  working.

 Spamassassin --lint doesn't indicate anything is wrong. How can I
 test it?

 -Mike


The download page of FuzzyOcr provides a sample-mails.tar.gz. It
contains some messages which should all get detected.


Chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE7BEyJQIKXnJyDxURAv18AKCg6TCSrH41ERtalz/H93/sqlsjXACdF5ue
FfD4tGxRS5cEWQ8of2aT/Co=
=xyHr
-END PGP SIGNATURE-



Re: low score spam

2006-08-23 Thread John Andersen
Well even your message scored pretty high here.  Were this mailing list
not whitelisted, it would have gone to /dev/null

Maybe you should turn on Network tests and configure Razor?




On Tuesday 22 August 2006 23:24, yossim wrote:
 Spam detection software, running on the system pen.homeip.net, has
 identified this incoming email as possible spam.  The original message
 has been attached to this so you can view it (if it isn't spam) or label
 similar future email.  If you have any questions, see
 The Administrator of that system for details.

 Content preview:  Hi forum, recently i get a lot of spam emails with very
   low score mostly are text emails. How can i fine tune my SA in order to
   catch those emails? here is an exmple: [...]

 Content analysis details:   (4.1 points, 3.9 required)

  pts rule name              description
  --
 -- -0.0 SPF_PASS          
     SPF: sender matches SPF record
 -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                             [score: 0.]
  0.0 HTML_MESSAGE           BODY: HTML included in message
  1.4 HTML_10_20             BODY: Message is 10% to 20% HTML
  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                             above 50%
                             [cf: 100]
  2.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
  3.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]
  1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                             [URIs: pdahlmjr.com]
  3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                             [URIs: pdahlmjr.com]
 -6.1 AWL                    AWL: From: address is in the auto white-list

-- 
_
John Andersen


pgpky4n4e1JKe.pgp
Description: PGP signature


Re: low score spam

2006-08-23 Thread yossim

Hello John,

Thanks for your quick response.

I am not sure that i understand your answer. Sorry i am not so experinece
with SA.

The score that i got for that specific example was:

score=0.395,required 6.2,
 BAYES_20 -0.74, FORGED_RCVD_HELO 0.14,HTML_MESSAGE  1.00)

There are many calculation parameters that are missing beside RAZOR - why is
that.

Does Razor costs? and is there configuration doc to how to set it up?

Kindly regards,

Yossi



John Andersen wrote:
 
 Well even your message scored pretty high here.  Were this mailing list
 not whitelisted, it would have gone to /dev/null
 
 Maybe you should turn on Network tests and configure Razor?
 
 
 
 
 On Tuesday 22 August 2006 23:24, yossim wrote:
 Spam detection software, running on the system pen.homeip.net, has
 identified this incoming email as possible spam.  The original message
 has been attached to this so you can view it (if it isn't spam) or label
 similar future email.  If you have any questions, see
 The Administrator of that system for details.

 Content preview:  Hi forum, recently i get a lot of spam emails with very
   low score mostly are text emails. How can i fine tune my SA in order to
   catch those emails? here is an exmple: [...]

 Content analysis details:   (4.1 points, 3.9 required)

  pts rule name              description
  --
 -- -0.0 SPF_PASS        
  
     SPF: sender matches SPF record
 -2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                             [score: 0.]
  0.0 HTML_MESSAGE           BODY: HTML included in message
  1.4 HTML_10_20             BODY: Message is 10% to 20% HTML
  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                             above 50%
                             [cf: 100]
  2.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
  3.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                             [cf: 100]
  1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                             [URIs: pdahlmjr.com]
  3.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                             [URIs: pdahlmjr.com]
 -6.1 AWL                    AWL: From: address is in the auto white-list
 
 -- 
 _
 John Andersen
 
 

-- 
View this message in context: 
http://www.nabble.com/low-score-spam-tf2150828.html#a5940438
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: low score spam

2006-08-23 Thread John Andersen
On Wednesday 23 August 2006 00:48, yossim wrote:
 Hello John,

 Thanks for your quick response.

 I am not sure that i understand your answer. Sorry i am not so experinece
 with SA.

 The score that i got for that specific example was:

 score=0.395,required 6.2,
  BAYES_20 -0.74, FORGED_RCVD_HELO 0.14,HTML_MESSAGE  1.00)

 There are many calculation parameters that are missing beside RAZOR - why
 is that.

 Does Razor costs? and is there configuration doc to how to set it up?

There are other network tests that you also are not using besides Razor.

Razor does not cost.  There are a ton of sources on how to set it up, not the 
least of which is the Razor site on sourceforge.  It takes a little messing 
around, maybe 5 minutes.

But your scores indicated that none of the network tests were being used.
run:
spamassassin --lint --debug
And review the output carefully (almost line by line) and you will see which 
tests are running and which are not.

-- 
_
John Andersen


pgpNAOil8BC9c.pgp
Description: PGP signature


Re: Formatting plugin report

2006-08-23 Thread Justin Mason

Daryl C. W. O'Shea writes:
 John D. Hardin wrote:
  On Tue, 22 Aug 2006, Matt Kettler wrote:
  John D. Hardin wrote:
  Coders (if any):
 
  Can anybody point me at a code sample showing how to get details into
  the report SUMMARY tag from within a plugin?
 
  Like the [IP address etc.] in this:
 
  *  1.0 RBL_PSBL_01 RBL: Mail client listed by psbl.surriel.com
  *  [64.8.111.2 listed in psbl.surriel.com]
 
  I can't seem to figure it out.
  I took a casual glance at the code, it seems to be related to the
  test_log subroutine, which populates test_log_msgs, that later
  gets added to the REPORT and SUMMARY.
  
  I got the same impression, but $self-test_log($msg); in the
  plugin does not do it. Perhaps I'm doing it in the wrong place, I'll
  keep at it.
 
 I don't recall much about this, but I used this sub in my SIQ plugin (in 
 my sandbox) to take care of this:
 
 sub _log_hit {
my ($self, $pms, $rulename, $text) = @_;
 
$pms-test_log ($text);
$pms-got_hit ($rulename, );
 }
 
 
 and then called _log_hit like this:
 
 $self-_log_hit($pms, $rule_name, SIQ: score: $results[4] 
 queried: . 
 $pms-{siq_domain}/$pms-{siq_ip});
 
 
 So basically, call $pms-test_log() and then call $pms-got_hit().

Yep; got_hit() is the API that takes the logged text and adds it to
the report.  I think you can call test_log() multiple times.

We should probably document this ;)

--j.


Re: Formatting plugin report

2006-08-23 Thread Justin Mason

John D. Hardin writes:
 On Tue, 22 Aug 2006, Daryl C. W. O'Shea wrote:
 
   I took a casual glance at the code, it seems to be related to the
   test_log subroutine, which populates test_log_msgs, that later
   gets added to the REPORT and SUMMARY.
   
   I got the same impression, but $self-test_log($msg); in the
   plugin does not do it. Perhaps I'm doing it in the wrong place, I'll
   keep at it.
  
  I don't recall much about this, but I used this sub in my SIQ plugin (in 
  my sandbox) to take care of this:
  
  sub _log_hit {
 my ($self, $pms, $rulename, $text) = @_;
  
 $pms-test_log ($text);
 $pms-got_hit ($rulename, );
  }
 
 What finally worked for me was to call $pms-test_log(...) in the
 plugin eval routine. I'm modeling my plugin on the URICountry plugin,
 and the parsed_metadata() routine is *not* the place to call
 test_log()... :)

ah. yes, that's important ;)

--j.


Scoring Issue

2006-08-23 Thread aurora

Hi there,

Recently we have switched over how our emails get sent. Emails now get sent
from our server at the office, they then get scanned and routed through the
ISP's mail server and then get forwarded on to the end recipients server.

My question is: Due to the configuration, if a customer runs SpamAssasin
will it detect this as spam because it thinks the message is now being
relayed?

Basically, we now get alot of customers calling us saying that they have not
received our email and it's because it has been held on their spam server
with a score of 6, even though its a plain text email! We have only been
getting these issues since we have switched the configuration over.

If SpamAssasin doesn't increase the score due to this extra hop/relay, I can
discard this as being a cause of the problem.

Thanks in advance
-- 
View this message in context: 
http://www.nabble.com/Scoring-Issue-tf2151288.html#a5940861
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: Scoring Issue

2006-08-23 Thread Duncan Hill
On Wednesday 23 August 2006 10:19, aurora wrote:
 Basically, we now get alot of customers calling us saying that they have
 not received our email and it's because it has been held on their spam
 server with a score of 6, even though its a plain text email! We have only
 been getting these issues since we have switched the configuration over.

 If SpamAssasin doesn't increase the score due to this extra hop/relay, I
 can discard this as being a cause of the problem.

Relaying itself is a fundemental part of how e-mail works, and when I last 
looked, SA doesn't hit you for doing that.

As the customers who are spam-quarantining for the rules that hit - you may 
find that a relay server is listed in a blacklist or similar.


Re: Scoring Issue

2006-08-23 Thread aurora



Duncan Hill wrote:
 
 On Wednesday 23 August 2006 10:19, aurora wrote:
 Basically, we now get alot of customers calling us saying that they have
 not received our email and it's because it has been held on their spam
 server with a score of 6, even though its a plain text email! We have
 only
 been getting these issues since we have switched the configuration over.

 If SpamAssasin doesn't increase the score due to this extra hop/relay, I
 can discard this as being a cause of the problem.
 
 Relaying itself is a fundemental part of how e-mail works, and when I last 
 looked, SA doesn't hit you for doing that.
 
 As the customers who are spam-quarantining for the rules that hit - you
 may 
 find that a relay server is listed in a blacklist or similar.
 
 

Hi Duncan, thanks for the quick response.

As I understand that relaying is a fundamental part of delivering an email,
I'm guessing this configuration is not normal. Our SMTP server hits the
ISP's SMTP server which then hits the customers SMTP/POP server. In most
cases, your SMTP server will just find a direct route to the destination
server and only the sending server and receiving server will be involved
without a server being in the middle, no?

Is it not classed as a form of open relaying, even though there is a form of
authentication (IP check) on it? Both our external IP and the ISP's email IP
are not listed on any blacklist (checked with dnsstuff.com).

Again, thanks for the quick reply, it's appreciated.
-- 
View this message in context: 
http://www.nabble.com/Scoring-Issue-tf2151288.html#a5941127
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: Scoring Issue

2006-08-23 Thread Anthony Peacock

Hi,

aurora wrote:



Duncan Hill wrote:

On Wednesday 23 August 2006 10:19, aurora wrote:

Basically, we now get alot of customers calling us saying that they have
not received our email and it's because it has been held on their spam
server with a score of 6, even though its a plain text email! We have
only
been getting these issues since we have switched the configuration over.

If SpamAssasin doesn't increase the score due to this extra hop/relay, I
can discard this as being a cause of the problem.
Relaying itself is a fundemental part of how e-mail works, and when I last 
looked, SA doesn't hit you for doing that.


As the customers who are spam-quarantining for the rules that hit - you
may 
find that a relay server is listed in a blacklist or similar.





Hi Duncan, thanks for the quick response.

As I understand that relaying is a fundamental part of delivering an email,
I'm guessing this configuration is not normal. Our SMTP server hits the
ISP's SMTP server which then hits the customers SMTP/POP server. In most
cases, your SMTP server will just find a direct route to the destination
server and only the sending server and receiving server will be involved
without a server being in the middle, no?

Is it not classed as a form of open relaying, even though there is a form of
authentication (IP check) on it? Both our external IP and the ISP's email IP
are not listed on any blacklist (checked with dnsstuff.com).

Again, thanks for the quick reply, it's appreciated.


Your setup does not sound any different to many others.

We are shooting in the dark here, you need to ask your customers to 
provide you with the reasons that they blocked your messages.  As they 
are the ones that are blocking they are the only ones who can tell you 
what the reasons are.


If they are using SpamAssassin and they can provide you with the list of 
rules that hit your emails, then this list might be able to give you 
advice on how to stop this happening in the future.  Without that we are 
just guessing.


--
Anthony Peacock
CHIME, Royal Free  University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas. -- George Bernard Shaw


Re: Scoring Issue

2006-08-23 Thread Duncan Hill
On Wednesday 23 August 2006 10:37, aurora wrote:

 ISP's SMTP server which then hits the customers SMTP/POP server. In most
 cases, your SMTP server will just find a direct route to the destination
 server and only the sending server and receiving server will be involved
 without a server being in the middle, no?

Eh - sort of.  Your SMTP relayhosts/smarthosts to your ISP.  The ISP server 
will usually do an MX query for the destination domain of the e-mail, and 
deliver to that server.  That server is not necessarily the post-box server - 
it may have to feed the mail to another server, and so on.

 Is it not classed as a form of open relaying, even though there is a form
 of authentication (IP check) on it? Both our external IP and the ISP's
 email IP are not listed on any blacklist (checked with dnsstuff.com).

No, smarthosting isn't open relaying.

While dnsstuff.com may not list them, I'd still ask the customer to get the 
rules that scored the e-mail high enough for quarantine.  Only by seeing the 
rule names will you be able to determine what characteristics of the e-mail 
are triggering the quarantine.


Re: Scoring Issue

2006-08-23 Thread aurora



Anthony Peacock wrote:
 
 Hi,
 
 aurora wrote:
 
 
 Duncan Hill wrote:
 On Wednesday 23 August 2006 10:19, aurora wrote:
 Basically, we now get alot of customers calling us saying that they
 have
 not received our email and it's because it has been held on their spam
 server with a score of 6, even though its a plain text email! We have
 only
 been getting these issues since we have switched the configuration
 over.

 If SpamAssasin doesn't increase the score due to this extra hop/relay,
 I
 can discard this as being a cause of the problem.
 Relaying itself is a fundemental part of how e-mail works, and when I
 last 
 looked, SA doesn't hit you for doing that.

 As the customers who are spam-quarantining for the rules that hit - you
 may 
 find that a relay server is listed in a blacklist or similar.


 
 Hi Duncan, thanks for the quick response.
 
 As I understand that relaying is a fundamental part of delivering an
 email,
 I'm guessing this configuration is not normal. Our SMTP server hits the
 ISP's SMTP server which then hits the customers SMTP/POP server. In most
 cases, your SMTP server will just find a direct route to the destination
 server and only the sending server and receiving server will be involved
 without a server being in the middle, no?
 
 Is it not classed as a form of open relaying, even though there is a form
 of
 authentication (IP check) on it? Both our external IP and the ISP's email
 IP
 are not listed on any blacklist (checked with dnsstuff.com).
 
 Again, thanks for the quick reply, it's appreciated.
 
 Your setup does not sound any different to many others.
 
 We are shooting in the dark here, you need to ask your customers to 
 provide you with the reasons that they blocked your messages.  As they 
 are the ones that are blocking they are the only ones who can tell you 
 what the reasons are.
 
 If they are using SpamAssassin and they can provide you with the list of 
 rules that hit your emails, then this list might be able to give you 
 advice on how to stop this happening in the future.  Without that we are 
 just guessing.
 
 -- 
 Anthony Peacock
 CHIME, Royal Free  University College Medical School
 WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
 If you have an apple and I have  an apple and we  exchange apples
 then you and I will still each have  one apple. But  if you have an
 idea and I have an idea and we exchange these ideas, then each of us
 will have two ideas. -- George Bernard Shaw
 
 

Thanks for your help Duncan and Anthony, I shall discount this reason for
being the cause of the problem. I will try and get the scores from one of
our customers.

Have a good day!
-- 
View this message in context: 
http://www.nabble.com/Scoring-Issue-tf2151288.html#a5941449
Sent from the SpamAssassin - Users forum at Nabble.com.



Train from Outlook?

2006-08-23 Thread Christopher Mills
Tell me something, is there a pluggin for outlook that would allow me to train spamassassin on the web server?Eg, messages come in, end up in my Junk Mail folder, can i somehow select them, and click a button with this 'addin' and have it find our web server and train spam assassin with the data in my local inbox? That would be a very cool addon if someone could develop it.



razor2 problems: corrupted regexp program at...

2006-08-23 Thread [EMAIL PROTECTED]
Sometimes i get this errors from spamd: 

Aug 23 08:48:15 dmz spamd[24977]: syslog() failed: corrupted regexp
program at /usr/lib/perl5/5.8.7/i586-linux-thread-multi/S
ys/Syslog.pm line 320.

Aug 23 08:48:16 dmz spamd[24977]: razor2 check skipped:  corrupted
regexp program at /usr/lib/perl5/site_perl/5.8.7/i586-linu
x-thread-multi/Razor2/Client/Core.pm line 1926.

So, i restart spamd and all errors gone 
Sometimes my spamd daemon down alone too

Any ideas? 




how to no delivery msg if spamc failed

2006-08-23 Thread [EMAIL PROTECTED]

Hi 

I'm using spamassassin + qmail-scanner

There is a way to tell qmail-scanner or spamassasin to NOT delivery mail
if spamc failed? 

This is beecause sometimes my spamd daemon goes down and all spam
messages are passed...

Any ideas?




Re: Train from Outlook?

2006-08-23 Thread Steven Stern
Christopher Mills wrote:
 Tell me something, is there a pluggin for outlook that would allow me to
 train spamassassin on the web server?
 Eg, messages come in, end up in my Junk Mail folder, can i somehow
 select them, and click a button with this 'addin' and have it find our
 web server and train spam assassin with the data in my local inbox? 
 That would be a very cool addon if someone could develop it.

Is Outlook talking to an Exchange server?  If so, see
http://sstern.ccim.com/index.php/2006/07/14/training-sitewide-spam-filters/

-- 

  Steve


Exim: spam acl condition: cannot parse spamd output

2006-08-23 Thread Johann Spies
I have just upgraded my Spamassassin on Debian Stable to 3.1.3
(backports) from 3.0.3 and I get this message in Exim's paniclog:

spam acl condition: cannot parse spamd output

That is not the case with every message.  Does 

My Exim4-acl's:


warn message = X-Spam-Score: $spam_score ($spam_bar)
  condition = ${if {$message_size}{100k}{1}{0}}
  hosts = ! +relay_from_hosts
  spam = spamd:true

warn message = X-Spam-Status: YES
  hosts = ! +relay_from_hosts
  condition = ${if {$message_size}{100k}{1}{0}}
  condition = ${if {$spam_score_int}{80}{1}{0}}
  spam = spamd:true

warn message = X-Spam-Status: NO
  hosts = ! +relay_from_hosts
  condition = ${if {$message_size}{100k}{1}{0}}
  condition = ${if {$spam_score_int}{80}{1}{0}}
  spam = spamd:true

warn message = X-Spam-Flag: YES
  hosts = ! +relay_from_hosts
  condition = ${if {$message_size}{100k}{1}{0}}
  condition = ${if {$spam_score_int}{80}{1}{0}}
  spam = spamd:true

warn message = X-Spam-Flag: NO
  hosts = ! +relay_from_hosts
  condition = ${if {$message_size}{100k}{1}{0}}
  condition = ${if {$spam_score_int}{80}{1}{0}}
  spam = spamd:true

warn message = X-Spam-Report: \n $spam_report
  hosts = ! +relay_from_hosts
  condition = ${if {$message_size}{100k}{1}{0}}
  spam = spamd:true


# reject messages that score more than 8
   deny message = Message viewed as spam. (scored $spam_score) \n \
 If you are convinced that it was not spam, please send \n \
 it again and this time CC it to [EMAIL PROTECTED] or \n \
 contact [EMAIL PROTECTED] to find out why it was marked as \n\
 spam.  The system administrator will require the following \n \
 information: sender address, recipient's address and time.
  hosts = ! +relay_from_hosts
 spam = spamd:true
  condition = ${if eq{$acl_m0}{t}{yes}{no}}
  condition = ${if {$message_size}{100k}{1}{0}}
  condition = ${if {$spam_score_int}{80}{1}{0}}
  log_message = SPAM: Message viewed as spam. (scored $spam_score)

  
Any idea what is causing this?

Regards
Johann
-- 
Johann Spies  Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

 For God hath not appointed us to wrath, but to obtain 
  salvation by our Lord Jesus Christ, Who died for us, 
  that, whether we wake or sleep, we should live  
  together with him. 
 I Thessalonians 5:9,10 


Re: Exim: spam acl condition: cannot parse spamd output (more information)

2006-08-23 Thread Johann Spies
On Wed, Aug 23, 2006 at 02:28:38PM +0200, Johann Spies wrote:
 I have just upgraded my Spamassassin on Debian Stable to 3.1.3
 (backports) from 3.0.3 and I get this message in Exim's paniclog:
 
 spam acl condition: cannot parse spamd output

At the same time the /var/log/exim4/paniclog reports the above line, I
see the following in /var/log/mail.info:

Aug 23 13:17:48 mail2 spamd[23582]: child processing timeout at
/usr/sbin/spamd line 1086, GEN875
line 55245.
Aug 23 13:22:08 mail2 spamd[8182]: child processing timeout at
/usr/sbin/spamd line 1086, GEN1055
line 97113.
Aug 23 13:22:08 mail2 spamd[8182]: child processing timeout at
/usr/sbin/spamd line 1086, GEN1055
line 97113.
Aug 23 13:23:19 mail2 spamd[8706]: child processing timeout at
/usr/sbin/spamd line 1086, GEN1079

So it seems to be a spamd-problem.

Is this a known bug?

Regards
Johann
-- 
Johann Spies  Telefoon: 021-808 4036
Informasietegnologie, Universiteit van Stellenbosch

 For God hath not appointed us to wrath, but to obtain 
  salvation by our Lord Jesus Christ, Who died for us, 
  that, whether we wake or sleep, we should live  
  together with him. 
 I Thessalonians 5:9,10 


Re: Train from Outlook?

2006-08-23 Thread Stuart Johnston

Christopher Mills wrote:
Tell me something, is there a pluggin for outlook that would allow me to 
train spamassassin on the web server?
Eg, messages come in, end up in my Junk Mail folder, can i somehow 
select them, and click a button with this 'addin' and have it find our 
web server and train spam assassin with the data in my local inbox?  
That would be a very cool addon if someone could develop it.


There is a Summer of Code project for this but the guy's blog hasn't been 
updated in a while.


http://code.google.com/soc/asf/appinfo.html?csaid=DF01D8A7A5E102D7


How to whitelist_from ?

2006-08-23 Thread Philip Prindeville
Hmm  Maybe if I post with a more obvious subject line

What is the notation for writing a whitelist_from or whitelist_from_rcvd
when the sender is  ?  (As in MAIL FROM: )

Thanks,

-Philip


Philip Prindeville wrote:

Well, I have the following issue.  When I report abuse to [EMAIL PROTECTED],
they send me back an auto-generated email ticket with a broken Date: on
it (honestly, people, how hard is it to correctly format the date???).

They do this as  for the sending address.

How does one go about writing a whitelist_rcvd_from line for the empty
address

Aug 22 07:49:28 mail mimedefang.pl[458]: helo: dns-mx.noc.verio.net 
(129.250.49.11) said helo dns-mx.noc.verio.net
Aug 22 07:49:28 mail mimedefang.pl[458]: helo: whitelist dns-mx.noc.verio.net 
(129.250.49.11)
Aug 22 07:49:33 mail sendmail[472]: k7MDnN3u000472: from=, size=2062, 
class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA-v4, 
relay=dns-mx.noc.verio.net [129.250.49.11]
Aug 22 07:49:34 mail mimedefang.pl[458]: k7MDnN3u000472: hits=5.164, req=5, 
names=AWL,INVALID_DATE,NO_REAL_NAME
Aug 22 07:49:34 mail mimedefang.pl[458]: 
MDLOG,k7MDnN3u000472,spam,5.164,129.250.49.11,,[EMAIL PROTECTED],Re: 
[NTT-C2755649Z] Phishing from 161.58.27.23
Aug 22 07:49:34 mail mimedefang.pl[458]: filter: k7MDnN3u000472:  bounce=1 
discard=1
Aug 22 07:49:34 mail mimedefang[4220]: k7MDnN3u000472: Bouncing because filter 
instructed us to
Aug 22 07:49:34 mail sendmail[472]: k7MDnN3u000472: Milter: data, reject=554 
5.7.1 Message rejected; scored too high on the Spam test.
Aug 22 07:49:34 mail sendmail[472]: k7MDnN3u000472: to=[EMAIL PROTECTED], 
delay=00:00:05, pri=32062, stat=Message rejected; scored too high on the Spam 
test.


  




RE: Train from Outlook?

2006-08-23 Thread Jean-Paul Natola








IMAP2MBOX



You take the mail from the junk folder ,
run imap2mbox, take that mbox file and use it to train SA 



But Im not sure what you are
referring to as far as the web server











From: Christopher
Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006
8:07 AM
To: users@spamassassin.apache.org
Subject: Train from Outlook?





Tell me something, is there a pluggin for outlook that would allow me
to train spamassassin on the web server?
Eg, messages come in, end up in my Junk Mail folder, can i somehow select them,
and click a button with this 'addin' and have it find our web server and train
spam assassin with the data in my local inbox? That would be a very cool
addon if someone could develop it. 








Re: Custom Rule Filtering on X-Mailer Header Not Working

2006-08-23 Thread John D. Hardin
On Tue, 22 Aug 2006, Loren Wilton wrote:

 BTW, you DO know that The Bat! is a perfectly legit (and very
 nice) mail program, don't you?  Lots of spammers abuse the name,
 but there are any number of people that use it to send real mail.  
 I mention that since the score I saw you assigning was pretty
 high.

In his initial post he *did* say he was willing to accept the
possibility of FPs.

--
 John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The problem is when people look at Yahoo, slashdot, or groklaw and
  jump from obvious and correct observations like Oh my God, this
  place is teeming with utter morons to incorrect conclusions like
  there's nothing of value here.-- Al Petrofsky, in Y! SCOX
---
 27 days until Talk Like a Pirate day



SPF Scoring... SPF_NEUTRAL

2006-08-23 Thread Michael Grey










Has anyone experienced SPF_* rules not actually being scored
? 

In the debug I see that it comes back as result: none
 shouldnt this come back as SPF_NEUTRAL ?





We are setting up SA with amavisd, and when running amavis
in debug mode

(amavisd u amavis g amavis debug-sa) I
can see it hit the spf checks; it comes back with



--- debug output ---

[2456] dbg: spf: checking HELO (helo=mail.yuki.com, ip=22.110.92.38)

[2456] dbg: spf: query for /22.110.92.38/mail.yuki.com:
result: none, comment: SPF: domain of sender mail.yuki.com does not designate
mailers

[2456] dbg: spf: checking EnvelopeFrom (helo=mail.yuki.com,
ip=22.110.92.38, [EMAIL PROTECTED])

[2456] dbg: spf: query for [EMAIL PROTECTED]/22.110.92.38/mail.yuki.com:
result: none, comment: SPF: domain of sender [EMAIL PROTECTED] does not designate
mailers





In SA local.cf I have tweaked the scores arbitrarily way up
to try to ensure that the scoring is substantial enough to guarantee notice



--- local.cf ---

score SPF_PASS 10

score SPF_HELO_PASS 10

score SPF_FAIL 12

score SPF_HELO_FAIL 13

score SPF_HELO_NEUTRAL 13

score SPF_HELO_SOFTFAIL 12 

score SPF_NEUTRAL 12

score SPF_SOFTFAIL 12



However, the header result in the email is :



--- email header ---

X-Spam-Status: No, score=2.047 tagged_above=-999
required=4.5

tests=[BAYES_50=0.001, RCVD_IN_SORBS_DUL=2.046]

X-Spam-Score: 2.047

X-Spam-Level: **



Still no hits Other score changes in local.cf are
effective; so if I modify RCVD_IN_SORBS_DUL= that change will be apparent in
the email header.



Any ideas ???




Many thanks.



Michael Grey
















Re: How to whitelist_from ?

2006-08-23 Thread John D. Hardin
On Wed, 23 Aug 2006, Philip Prindeville wrote:

 Hmm  Maybe if I post with a more obvious subject line
 
 What is the notation for writing a whitelist_from or
 whitelist_from_rcvd when the sender is  ?  (As in MAIL FROM:
 )

Are you sure you want to use that broad a brush? There is a *lot* of
garbage that is sent as faked mailer daemon bounces.

When dealing with a known correspondent's brokenness, it's safer to
focus your permissiveness rather tightly. Try a meta rule that matches
a Received: line on a bounce from them, add a rule that ANDs that meta
with the rule that fires on their malformed date, and score it to
cancel out the malformed date score.

--
 John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The problem is when people look at Yahoo, slashdot, or groklaw and
  jump from obvious and correct observations like Oh my God, this
  place is teeming with utter morons to incorrect conclusions like
  there's nothing of value here.-- Al Petrofsky, in Y! SCOX
---
 27 days until Talk Like a Pirate day



Re: SPF Scoring... SPF_NEUTRAL

2006-08-23 Thread Noel Jones

On 8/23/06, Michael Grey [EMAIL PROTECTED] wrote:







Has anyone experienced SPF_* rules not actually being scored ?

In the debug I see that it comes back as 'result: none' – shouldn't this
come back as SPF_NEUTRAL ?




When the domain does not publish SPF records you get result: none.
Test with a domain that does publish SPF records.

--
Noel Jones


RE: SPF Scoring... SPF_NEUTRAL

2006-08-23 Thread Michael Grey

Since this is not a production system, we have had to do some MX magic on a
remote domain to push mail through this new system... that domain doesn't
have SPF enabled (curse you Network Solutions !) 

So the big question is really this : Should NONE get an SPF score ?

Thanks

Mike
-Original Message-
From: Noel Jones [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006 9:17 AM
To: Michael Grey
Cc: users@spamassassin.apache.org
Subject: Re: SPF Scoring... SPF_NEUTRAL

On 8/23/06, Michael Grey [EMAIL PROTECTED] wrote:






 Has anyone experienced SPF_* rules not actually being scored ?

 In the debug I see that it comes back as 'result: none' - shouldn't this
 come back as SPF_NEUTRAL ?



When the domain does not publish SPF records you get result: none.
Test with a domain that does publish SPF records.

-- 
Noel Jones


Re: SPF Scoring... SPF_NEUTRAL

2006-08-23 Thread Gino Cerullo

On 23-Aug-06, at 12:45 PM, Michael Grey wrote:

Since this is not a production system, we have had to do some MX  
magic on a
remote domain to push mail through this new system... that domain  
doesn't

have SPF enabled (curse you Network Solutions !)

So the big question is really this : Should NONE get an SPF score ?


That is a matter of internal policy on your part. If you want to  
penalize domains for not having an SPF record you could give it a  
negative score. On the other hand, if you wish to reward them for not  
having an SPF record give them a positive score.


I believe the general consensus is to leave it alone. Especially  
since SPF is still quite new and still technically in an experimental  
stage.



--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740





RE: SPF Scoring... SPF_NEUTRAL

2006-08-23 Thread Michael Grey
Sorry, I was too philosophical in my question... to rephrase;

In the standard SA config, should I expect to see an SPF_* rule hit returned
when the SPF return value is 'none' ?

Thanks

Mike

-Original Message-
From: Gino Cerullo [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006 9:54 AM
To: users@spamassassin.apache.org
Subject: Re: SPF Scoring... SPF_NEUTRAL

On 23-Aug-06, at 12:45 PM, Michael Grey wrote:

 Since this is not a production system, we have had to do some MX  
 magic on a
 remote domain to push mail through this new system... that domain  
 doesn't
 have SPF enabled (curse you Network Solutions !)

 So the big question is really this : Should NONE get an SPF score ?

That is a matter of internal policy on your part. If you want to  
penalize domains for not having an SPF record you could give it a  
negative score. On the other hand, if you wish to reward them for not  
having an SPF record give them a positive score.

I believe the general consensus is to leave it alone. Especially  
since SPF is still quite new and still technically in an experimental  
stage.


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740





Re: SPF Scoring... SPF_NEUTRAL

2006-08-23 Thread John D. Hardin
On Wed, 23 Aug 2006, Gino Cerullo wrote:

  So the big question is really this : Should NONE get an SPF score ?
 
 That is a matter of internal policy on your part. If you want to
 penalize domains for not having an SPF record you could give it a
 negative score. On the other hand, if you wish to reward them for
 not having an SPF record give them a positive score.

I think you got that backwards.

--
 John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The problem is when people look at Yahoo, slashdot, or groklaw and
  jump from obvious and correct observations like Oh my God, this
  place is teeming with utter morons to incorrect conclusions like
  there's nothing of value here.-- Al Petrofsky, in Y! SCOX
---
 27 days until Talk Like a Pirate day



Re: SPF Scoring... SPF_NEUTRAL

2006-08-23 Thread Gino Cerullo

On 23-Aug-06, at 1:09 PM, John D. Hardin wrote:


On Wed, 23 Aug 2006, Gino Cerullo wrote:

So the big question is really this : Should NONE get an SPF  
score ?


That is a matter of internal policy on your part. If you want to
penalize domains for not having an SPF record you could give it a
negative score. On the other hand, if you wish to reward them for
not having an SPF record give them a positive score.


I think you got that backwards.


U! Yeah, I think i did.

Okay just do what I meant but do it the other way around. ;-)


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740





Re: SPF Scoring... SPF_NEUTRAL

2006-08-23 Thread Gino Cerullo

On 23-Aug-06, at 1:01 PM, Michael Grey wrote:


Sorry, I was too philosophical in my question... to rephrase;

In the standard SA config, should I expect to see an SPF_* rule hit  
returned

when the SPF return value is 'none' ?


This is from the latest 50_scores.cf

# SPF
# Note that the benefit for a valid SPF record is deliberately  
minimal; it's
# likely that more spammers would quickly move to setting valid SPF  
records
# otherwise.  The penalties for an *incorrect* record, however, are  
large.  ;)

ifplugin Mail::SpamAssassin::Plugin::SPF
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
# gen:mutable
score SPF_FAIL 0 1.333 0 1.142
score SPF_HELO_FAIL 0
score SPF_HELO_NEUTRAL 0
score SPF_HELO_SOFTFAIL 0 2.078 0 2.432
score SPF_NEUTRAL 0 1.379 0 1.069
score SPF_SOFTFAIL 0 1.470 0 1.384
# /gen:mutable
endif # Mail::SpamAssassin::Plugin::SPF

So the answer to your question is no you shouldn't. Their is no score  
to cover NONE.



--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740





RE: Train from Outlook?

2006-08-23 Thread Steven Manross
Matt Yackley wrote/co-authored (not sure which), a plugin for Outlook
that moves the messages to a public folder (spam and ham)..  Maybe he'll
share?
 
From there, a central server could attach to those public folders,
create RFC822 text files out of them, and then learn them via a simple
perl script  Which is what I do.

Steven




From: Jean-Paul Natola [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006 8:02 AM
To: Christopher Mills; users@spamassassin.apache.org
Subject: RE: Train from Outlook?



IMAP2MBOX

 

You take the mail   from the junk folder , run imap2mbox, take
that mbox file  and use it to train SA -

 

But I'm not sure what you are referring to as far as the web
server

 



From: Christopher Mills
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006 8:07 AM
To: users@spamassassin.apache.org
Subject: Train from Outlook?

 

Tell me something, is there a pluggin for outlook that would
allow me to train spamassassin on the web server?
Eg, messages come in, end up in my Junk Mail folder, can i
somehow select them, and click a button with this 'addin' and have it
find our web server and train spam assassin with the data in my local
inbox?  That would be a very cool addon if someone could develop it. 




RE: Train from Outlook?

2006-08-23 Thread Jean-Paul Natola
What I do here, is that I tell my users  to DRAG / MOVE  any spam into a
public folder,  then I run IMAP2MBOX  once that is done   I then train  SA
using the mbox file--

Fairly simple , just make sure the users do NOT FORWARD the messages to the
public folder

-Original Message-
From: Steven Manross [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006 1:35 PM
To: Jean-Paul Natola; Christopher Mills; users@spamassassin.apache.org
Subject: RE: Train from Outlook?

Matt Yackley wrote/co-authored (not sure which), a plugin for Outlook
that moves the messages to a public folder (spam and ham)..  Maybe he'll
share?
 
From there, a central server could attach to those public folders,
create RFC822 text files out of them, and then learn them via a simple
perl script  Which is what I do.

Steven




From: Jean-Paul Natola [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006 8:02 AM
To: Christopher Mills; users@spamassassin.apache.org
Subject: RE: Train from Outlook?



IMAP2MBOX

 

You take the mail   from the junk folder , run imap2mbox, take
that mbox file  and use it to train SA -

 

But I'm not sure what you are referring to as far as the web
server

 



From: Christopher Mills
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006 8:07 AM
To: users@spamassassin.apache.org
Subject: Train from Outlook?

 

Tell me something, is there a pluggin for outlook that would
allow me to train spamassassin on the web server?
Eg, messages come in, end up in my Junk Mail folder, can i
somehow select them, and click a button with this 'addin' and have it
find our web server and train spam assassin with the data in my local
inbox?  That would be a very cool addon if someone could develop it. 




RE: Train from Outlook?

2006-08-23 Thread Ray Dzek








Your timing is perfect. I just
implemented this yesterday!



The script you may be looking for is
imap-sa-learn.pl from: http://www.gagravarr.org/code/



The how-to is here: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200406.mbox/[EMAIL PROTECTED]



Users then drag (very important they drag
the message to the folder to preserve headers) the messages into the
appropriate public folder and are then processed by the script at the interval
you set with a cron job.



To fill in some of the missing blanks



You create 2 new public folders. The
how-to called them HAM and SPAM. All my users know what SPAM is, but
explaining the concept of HAM proved futile for some reason so I just renamed
the folder NOT-SPAM.



Create a spamassassin user in AD and
create an exchange mailbox. No mail is every sent to/from this user, it
is only so the user has access permissions to the mailboxes.



You may need to add a few perl modules to
get this to work. The main one is Mail::IMAPClient. So just CPAN
and then install Mail::IMAPClient 



The script is written with no-rebuild
and --rebuild which is depreciated in current versions of SA, so just edit the
script and change those to no-sync and sync otherwise the script
will throw errors when you run it. 



Add the script to crontab e so it
runs as often as you like. I run mine every hour. It automatically
grabs each message, processes it with sa-learn, and then deletes it from the
SPAM folder.



If all this is greek, let me know and I
will put together something a little more formal.



This method will not work for OWA since
you are not allowed to copy from your mailbox folders to a public folder in
OWA.











From: Christopher
Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006
5:07 AM
To: users@spamassassin.apache.org
Subject: Train from Outlook?





Tell me something, is there a pluggin for outlook that would allow me
to train spamassassin on the web server?
Eg, messages come in, end up in my Junk Mail folder, can i somehow select them,
and click a button with this 'addin' and have it find our web server and train
spam assassin with the data in my local inbox? That would be a very cool
addon if someone could develop it. 








RE: Train from Outlook?

2006-08-23 Thread Jean-Paul Natola








SLOW DOWN!! Thats sounds
like an awful lot when you can just let imap2mbox do it all.



Imap2mbox does everything for you , except
moving the messages to the folder



http://www.byteplant.com/support/nospamtoday/howtolearnexchange.html





http://www.byteplant.com/support/nospamtoday/contrib.html















From: Ray Dzek
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006
3:10 PM
To: users@spamassassin.apache.org
Subject: RE: Train from Outlook?





Your timing is perfect. I just
implemented this yesterday!



The script you may be looking for is
imap-sa-learn.pl from: http://www.gagravarr.org/code/



The how-to is here: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200406.mbox/[EMAIL PROTECTED]



Users then drag (very important they drag
the message to the folder to preserve headers) the messages into the
appropriate public folder and are then processed by the script at the interval
you set with a cron job.



To fill in some of the missing
blanks



You create 2 new public folders. The
how-to called them HAM and SPAM. All my users know what SPAM is, but
explaining the concept of HAM proved futile for some reason so I just renamed
the folder NOT-SPAM.



Create a spamassassin user in AD and
create an exchange mailbox. No mail is every sent to/from this user, it
is only so the user has access permissions to the mailboxes.



You may need to add a few perl modules to
get this to work. The main one is Mail::IMAPClient. So just CPAN
and then install Mail::IMAPClient 



The script is written with
no-rebuild and --rebuild which is depreciated in current versions of SA,
so just edit the script and change those to no-sync and sync
otherwise the script will throw errors when you run it. 



Add the script to crontab e so it
runs as often as you like. I run mine every hour. It automatically
grabs each message, processes it with sa-learn, and then deletes it from the
SPAM folder.



If all this is greek, let me know and I
will put together something a little more formal.



This method will not work for OWA since
you are not allowed to copy from your mailbox folders to a public folder in
OWA.











From: Christopher
Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006
5:07 AM
To: users@spamassassin.apache.org
Subject: Train from Outlook?





Tell me something, is there a pluggin for outlook that would allow me
to train spamassassin on the web server?
Eg, messages come in, end up in my Junk Mail folder, can i somehow select them,
and click a button with this 'addin' and have it find our web server and train
spam assassin with the data in my local inbox? That would be a very cool
addon if someone could develop it. 








New major FuzzyOcr version: 2.3 (RC1)

2006-08-23 Thread decoder
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello,


I am proud to be able to announce a new release of FuzzyOcr with lots
of new features and changes.

You can download it at http://users.own-hero.net/~decoder/fuzzyocr/

Before installing this plugin, make sure to read the INSTALL file.

If you run into problems, make sure to read the FAQ file before
sending me or the list anything.

NOTE: Although this version has been tested for quite a while by
different people, and seems stable, it might still have bugs. I am not
responsible for any damage caused by this Plugin.

Changes made since 2.2beta1:

1) FuzzyOcr now allows you to do more than one scan on a picture.
This is useful to do several scans with different
settings//programs on the same image.
The results are combined.
For every word in the wordlist, it checks how many hits it gets in
each result and picks the highest match count as total count for this
word.
Here is how these scansets work:

Basically, each scanset is a single program, or a chain of
programs, that take PNM image input, and give out text.

Some examples:

Simplest scanset (only uses gocr, with default values): $gocr -i -
Another simple scanset (only uses gocr, but with different
grey threshold settings): $gocr -l 180 -i -
Advanced scanset (invokes pnmnorm and pnmquant to preprocess
the image): pnmnorm | pnmquant 3 | pnmnorm | $gocr -l 180 -i -


The last scanset will try to reduce the colors in the image to 3,
before using gocr on it.
Note that $gocr is replaced by the actual path+binary name of gocr
at runtime.

You can redirect the STDERR output of your custom programs to the
errfile that FuzzyOcr uses.
(This is useful because the STDERR is printed to logfile if a
scanset fails).
Here is an example:

pnmnorm 2$errfile | pnmquant 3 2$errfile | pnmnorm
2$errfile | $gocr -l 180 -i -


If this scanset now fails (which can happen if pnmquant is not
able to reduce the colors properly to 3),
then you'll see the errors in the logfile when using debug mode.
If not, tell me ;D

The default for this setting (focr_scansets), is to do 2 scans
(see the config file for details). To get back to one, use something like:

focr_scansets $gocr -i -

In the config file, you will also see the syntax for multiple
scansets (comma seperated) and more examples.

2) The whole tempfile system was rewritten.
FuzzyOcr now uses the internal SpamAssassin functions for
tmpfile/tmpdir generation (specification of a path for temporary files
is no longer needed/possible).
All files are properly unlinked now.

3) FuzzyOcr now supports interlaced gifs. They get converted to
non-interlaced ones and then processed.
If the interlaced image is corrupt, then it will not be scanned.
Instead, it will be scored with the corrupt image score only.
That is because of the limitation in giffix to fix interlaced
gifs. The corrupt image score has therefore been increased to 5 points.

4) FuzzyOcr now supports animated gifs. It has two ways to check them.
The first one is used, if the image contains less than x frames,
where x is the value specified by focr_gif_max_frames in the config.
The default is 5. In this method, imagemagick's convert is invoked
to put the images all together to a bigger image which contains all
frames.
Then it gets processed. The second method is used, if the image
has exactly or more frames than x.
 In this method, gifasm is used to split the image into files each
containing one frame (this happens in a tmpdir), then the biggest file
is picked for scanning.

Corrupt animated gifs are handled exactly as corrupt interlaced gifs.

5) FuzzyOcr now supports external wordlists. It has both a global
wordlist (which must be configured in the cf file) and a list based on
the user executing spamassassin/spamc.
Both lists allow comments in bash style (#comment and wordhere
#comment).
The personal list's relative (to the homedir) path and name can be
configured in the cf file.
The default is .spamassassin/fuzzyocr.words. Both global and
personal list are concatenated before scanning.
A sample wordlist is shipped within the tarball.

6) Spaces are now stripped from wordlist words and OCR results before
matching.
This increases the chances to hit, because gocr sometimes
recognizes lots of spaces where no spaces are (depends on font).

7) Logfile is now locked for exclusive writing when a message is
logged. Same applies for tmpfiles.
This ensure that spamd childs running at the same time don't
interfere.

8) An experimental MD5 database feature has been added (disabled by
default).
 It allows you to save MD5 hashes of already recognized images in
a database for a faster processing if the same image reaches you again.

8) Millions of bugfixes and rewrites ;) I can't enumerate them all :P


TODO:

-The second test for animated gifs is still a bit hacky... it

RE: Train from Outlook?

2006-08-23 Thread Ray Dzek








Imap2mbox resides on a windows server and
only converts the imap format into an mbox format. Reading the links you
provided there is an executable and external batch files to run on a windows
machine. So that would/could be a solution if your environment is windows
only. We are running a linux server with postfix + amavisd-new with SA
and ClamAV to pre-process mail coming into our Exchange server. The
solution I described is an all in one perl script that runs on the linux
server. Imap-sa-learn.pl reads directly from the SPAM and NO-SPAM folders
on the Exchange server, processes the messages, and removes them. There
are no extra processes that need to be run on the Exchange server itself.



So  

If you are running linux in front of your
Exchange server  my solution works.

If you are running SA on a windows box 
your solution works.











From: Jean-Paul Natola
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006
12:24 PM
To: users@spamassassin.apache.org
Subject: RE: Train from Outlook?





SLOW DOWN!! Thats
sounds like an awful lot when you can just let imap2mbox do it all.



Imap2mbox does everything for you , except
moving the messages to the folder



http://www.byteplant.com/support/nospamtoday/howtolearnexchange.html





http://www.byteplant.com/support/nospamtoday/contrib.html















From: Ray Dzek [mailto:[EMAIL PROTECTED]

Sent: Wednesday, August 23, 2006
3:10 PM
To: users@spamassassin.apache.org
Subject: RE: Train from Outlook?





Your timing is perfect. I just
implemented this yesterday!



The script you may be looking for is
imap-sa-learn.pl from: http://www.gagravarr.org/code/



The how-to is here: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200406.mbox/[EMAIL PROTECTED]



Users then drag (very important they drag
the message to the folder to preserve headers) the messages into the
appropriate public folder and are then processed by the script at the interval
you set with a cron job.



To fill in some of the missing
blanks



You create 2 new public folders. The
how-to called them HAM and SPAM. All my users know what SPAM is, but
explaining the concept of HAM proved futile for some reason so I just renamed
the folder NOT-SPAM.



Create a spamassassin user in AD and
create an exchange mailbox. No mail is every sent to/from this user, it
is only so the user has access permissions to the mailboxes.



You may need to add a few perl modules to
get this to work. The main one is Mail::IMAPClient. So just CPAN
and then install Mail::IMAPClient 



The script is written with
no-rebuild and --rebuild which is depreciated in current versions of SA,
so just edit the script and change those to no-sync and sync
otherwise the script will throw errors when you run it. 



Add the script to crontab e so it
runs as often as you like. I run mine every hour. It automatically
grabs each message, processes it with sa-learn, and then deletes it from the
SPAM folder.



If all this is greek, let me know and I
will put together something a little more formal.



This method will not work for OWA since
you are not allowed to copy from your mailbox folders to a public folder in
OWA.











From: Christopher Mills
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006
5:07 AM
To: users@spamassassin.apache.org
Subject: Train from Outlook?





Tell me something, is there a pluggin for outlook that would allow me
to train spamassassin on the web server?
Eg, messages come in, end up in my Junk Mail folder, can i somehow select them,
and click a button with this 'addin' and have it find our web server and train
spam assassin with the data in my local inbox? That would be a very cool
addon if someone could develop it. 








RBL Rules Misfiring

2006-08-23 Thread D . J .
Hello all.I searched my archive of the list, and couldn't find a similar issue. This is probably something I've misconfigured, but here goes. Running SA 3.14 via the Mail::SpamAssassin Perl plugin from amavisd-new. Have been running into a problem where some dynamic RBL lists are firing just because the IP is in the headers, not necessarily because it's the IP talking to my MTA. They are indeed IPs in the list but shouldn't be firing because they're really using their ISP's mail servers as you can see later in the headers. I'm *really* hoping this isn't intended operation and it's just something I've blundered somehow. Below is a piece of one of the message notifications I receive. I've been watching this on a couple small domains I own before putting it on our main one, and it's a good thing!
Thanks in advance for the help.- D.J.Content analysis details: (10.9 points, 5.0 required)
pts rule name description
 -- 
--
1.4 MSGID_FROM_MTA_ID Message-Id for external message added 
locally
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 
60%
 [score: 0.4964]
2.2 RCVD_IN_SORBS_SOCKS RBL: SORBS: sender is open SOCKS proxy 
server
 [24.140.8.46 listed in dnsbl.sorbs.net]
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP 
address
 [24.140.8.46 listed in dnsbl.sorbs.net]
2.6 RCVD_IN_DSBL RBL: Received via a relay in 
list.dsbl.org
 [http://dsbl.org/listing?24.140.8.46]
0.7 RCVD_IN_NJABL_PROXY RBL: NJABL: sender is an open proxy
 [24.140.8.46 listed in 
combined.njabl.org]
1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local 
SMTP
 [24.140.8.46 listed in 
combined.njabl.org]
1.8 MISSING_SUBJECT Missing Subject: header
-1.8 AWL AWL: From: address is in the auto 
white-list
Return-Path: protected
Received: from smtp-1.sssnet.com (nat-147.sssnet.com [24.140.1.147])
by test.sssnet.com (Postfix) with ESMTP id 
663292B803E
for protected; Wed, 23 Aug 
2006 14:58:41 -0400 (EDT)
Received: (qmail 11376 invoked by uid 507); 23 Aug 2006 18:58:42 
-
Received: from 24.140.8.46 by smtp-1.sssnet.com (envelope-from 
protected, uid 501) with qmail-scanner-1.25st 
(clamdscan: 0.88.2/1715. spamassassin: 3.0.3. perlscan: 1.25st. 
Clear:RC:1(24.140.8.46):SA:0(1.2/14.0):. 
Processed in 0.727458 secs); 23 Aug 2006 18:58:42 -
X-Spam-Status: No, hits=1.2 required=14.0
X-Spam-Level: +
Received: from cable-8-46.sssnet.com (HELO SERVER) ([24.140.8.46])
 (envelope-sender protected)
 by 0 (qmail-ldap-1.03) with SMTP
 for protected; 23 Aug 2006 18:58:41 
-
From: Sue Repp protected
To: 'Mary Richardson' protected
Subject: 
Date: Wed, 23 Aug 2006 14:58:53 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary==_NextPart_000__01C6C6C4.ABD60F20
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcbG5izxOwnp3dUpR7iOx6AZ33ceQQ==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Qmail-Scanner-Message-ID: 
[EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]


analysing the logs

2006-08-23 Thread Nick Rout
Using spamd started from .procmailrc, it logs to syslog and ends up in
/var/log/mail.log, along with postfix's log and courier-imap's log.

How can I get some analysis of this?, eg positives per day, etc.

Have googled a bit, and looked in the archives, a lot of people talk
about their stats, not many messages show the commands they use to get
them!
-- 
Nick Rout [EMAIL PROTECTED]



Re: USER_IN_WHITELIST problem

2006-08-23 Thread Kelson

Nick Rout wrote:

So I take it USER_IN_WHITELIST also checks Return-Path? I wonder where
Return-Path is being set? Is it likely to be set by the spammer? Or is
my system adding it in somewhere (probably in error).


Return-Path is usually added by the receiving system, and contains the 
envelope sender of the message.  So effectively, it's set by the sender.


It can legitimately disagree with the value in the From header.  A 
perfect example would be this message right here.  From will contain my 
email address, but Return-Path will contain an address managed by the 
mailing list software at spamassassin.apache.org


--
Kelson Vibber
SpeedGate Communications www.speed.net


RE: Train from Outlook?

2006-08-23 Thread Jean-Paul Natola








My setup is 



FREEBSD 5.4 SA EXIM CLAMAV filters
all incoming mail, once SA  CLAMAV clean
the mail it goes to exchange



The imap2mbox DOES NOT run on the exchange
server, I run from my pc as follows



D:\imap2mboximap2mbox.exe
--path=public folders/ --folder=1spam --username=xx --pass=x



That gives me the mbox I use to train sa- 



sa-learn --spam --mbox export.mbox



Nevertheless better to have multiple ways
to skin the cat 



I like this method because it does not
require me to install anything at all on either server











From: Ray Dzek
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006
4:41 PM
To: users@spamassassin.apache.org
Subject: RE: Train from Outlook?





Imap2mbox resides on a windows server and
only converts the imap format into an mbox format. Reading the links you
provided there is an executable and external batch files to run on a windows
machine. So that would/could be a solution
if your environment is windows only. We are running a linux server with
postfix + amavisd-new with SA and ClamAV to pre-process mail coming into our
Exchange server. The solution
I described is an all in one perl script that runs on the linux server.
Imap-sa-learn.pl reads directly from the SPAM and NO-SPAM folders on the
Exchange server, processes the messages, and removes them. There are no
extra processes that need to be run on the Exchange server itself.



So  

If you are running linux in front of your Exchange
server  my solution works.

If you are running SA on a windows box
 your solution works.











From: Jean-Paul Natola
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006
12:24 PM
To: users@spamassassin.apache.org
Subject: RE: Train from Outlook?





SLOW DOWN!! Thats
sounds like an awful lot when you can just let imap2mbox do it all.



Imap2mbox does everything for you , except
moving the messages to the folder



http://www.byteplant.com/support/nospamtoday/howtolearnexchange.html





http://www.byteplant.com/support/nospamtoday/contrib.html















From: Ray Dzek [mailto:[EMAIL PROTECTED]

Sent: Wednesday, August 23, 2006
3:10 PM
To: users@spamassassin.apache.org
Subject: RE: Train from Outlook?





Your timing is perfect. I just
implemented this yesterday!



The script you may be looking for is
imap-sa-learn.pl from: http://www.gagravarr.org/code/



The how-to is here: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200406.mbox/[EMAIL PROTECTED]



Users then drag (very important they drag
the message to the folder to preserve headers) the messages into the appropriate
public folder and are then processed by the script at the interval you set with
a cron job.



To fill in some of the missing
blanks



You create 2 new public folders. The
how-to called them HAM and SPAM. All my users know what SPAM is, but explaining
the concept of HAM proved futile for some reason so I just renamed the folder
NOT-SPAM.



Create a spamassassin user in AD and
create an exchange mailbox. No mail is every sent to/from this user, it
is only so the user has access permissions to the mailboxes.



You may need to add a few perl modules to
get this to work. The main one is Mail::IMAPClient. So just CPAN
and then install Mail::IMAPClient 



The script is written with
no-rebuild and --rebuild which is depreciated in current versions of SA,
so just edit the script and change those to no-sync and sync
otherwise the script will throw errors when you run it. 



Add the script to crontab e so it
runs as often as you like. I run mine every hour. It automatically
grabs each message, processes it with sa-learn, and then deletes it from the
SPAM folder.



If all this is greek, let me know and I
will put together something a little more formal.



This method will not work for OWA since
you are not allowed to copy from your mailbox folders to a public folder in
OWA.











From: Christopher
Mills [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 23, 2006
5:07 AM
To: users@spamassassin.apache.org
Subject: Train from Outlook?





Tell me something, is there a pluggin for outlook that would allow me
to train spamassassin on the web server?
Eg, messages come in, end up in my Junk Mail folder, can i somehow select them,
and click a button with this 'addin' and have it find our web server and train
spam assassin with the data in my local inbox? That would be a very cool
addon if someone could develop it. 








Re: USER_IN_WHITELIST problem

2006-08-23 Thread Nick Rout

On Wed, 23 Aug 2006 14:49:19 -0700
Kelson wrote:

 Nick Rout wrote:
  So I take it USER_IN_WHITELIST also checks Return-Path? I wonder where
  Return-Path is being set? Is it likely to be set by the spammer? Or is
  my system adding it in somewhere (probably in error).
 
 Return-Path is usually added by the receiving system, and contains the 
 envelope sender of the message.  So effectively, it's set by the sender.
 
 It can legitimately disagree with the value in the From header.  A 
 perfect example would be this message right here.  From will contain my 
 email address, but Return-Path will contain an address managed by the 
 mailing list software at spamassassin.apache.org

Thank you for that, it helps fill in the picture in my fuzzy old brain.
Cheers.

-- 
Nick Rout [EMAIL PROTECTED]



Another SARE channel with the most used rules available

2006-08-23 Thread [EMAIL PROTECTED]




Hi,

This is to notify you about another SARE channel with the most used
rules available as a single channel. If you're not the type to try
every single rule in SARE and manually select them, you can instead use
this single channel instead.

OpenProtect's Sa-update channel for SARE

 Sa-update, as the linked page says is a way to
download new rules from different places called channels. 

 We guys at OpenProtect
have created a channel which contains the recommended rules in the SARE - SpamAssassin
Rules Emporium. This way, rules can be updated easily using
sa-update, which ships with SA versions above 3.0. 
Steps to use our channel
 Follow the steps below to have our channel working on your mail
server or any computer with SA  3.0 installed on it. 

  
Have gnupg installed, if you wish to check the channel files
against our signature. 
  
  
 Run the command gpg --keyserver pgp.mit.edu --recv-keys
BDE9DC10 to import our public key from the mit keyserver. The
output should look like: 
 gpg: requesting key BDE9DC10 from hkp server
pgp.mit.edu 
gpg: key BDE9DC10: public key "Opencomputing Technologies (Key to sign
all files from openprotect.com) " imported 
gpg: Total number processed: 1 
gpg: imported: 1 
  
   Now, copy the trusted public keys from root to SA by running the
command cp -f /root/.gnupg/pubring.gpg
/etc/spamassassin/sa-update-keys/pubring.gpg 
  
Another way to import our public key is get the gpg file and
import it
manually using sa-update and gpg. The commands are wget
http://saupdates.openprotect.com/pub.gpg. 
Now, import by running the command sa-update --import pub.gpg
which should return without any error or output messages. 
This isn't the preferred way, as the gpg file could be corrupted or
tampered with, if our server is hacked. 
  
   Now schedule daily downloads of rules from this channel using
cron using the command sa-update --gpgkey
D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel
saupdates.openprotect.com, where the 40 digit hex is our public key
fingerprint and the channel is the URL from which to download the
rules. 
The rules should be installed at /var/lib/spamassassin/
directory and SA will use all these rules by default. 
   If you don't have gpg or don't want to check against our
signature, you can add the --nogpg option to the above
sa-update command to skip gpg signature checks.


Note that only rules with high hit ratio and low false positives, like
70_sare_uri0.cf are used, instead of the 1,2,3 etc rules which have
high FPs and don't hit on too many spam mails anyway. Rules are linted
before entering the channel, so it's assured to work on any SA from
3.0.0 onwards to 3.1.4.

Let me know of any feedback that you might have about this channel.


cheers,
skar.
-- 
OpenProtect - The email virus/spam filter
http://openprotect.com





Filtering Aliases/Forwarders

2006-08-23 Thread DuBois, Joseph



Well 
met,

Just activated 
SpamAssassin on my website (by my web hosting provider) and wanted to do some 
simple tests which I read from the Wiki site and FAQ. When it didn't run I 
opened a ticket with my provider and he said he didn't support it and I needed 
to find help else where. So here I am. Right now, I'm just trying some simple 
tests to get my Aliases/Forwarders (which get sent through my site) and 
forwarded onto my ISP providers email account.

i.e. a public email 
[EMAIL PROTECTED] would get 
forwarded onto my local isp provider at verizon, or comcast depending on who I 
have for a particular month, so that way I don't have to change my email every 
month.

So for my test, I 
set up the following basic local rules in ~/.spamassassin/user_prefs 
file.

I assume this would 
take any email with the word spam in the BODY or test in SUBJECT and rewrite the 
SUBJECT with the new HEADER. But for some reason itdoesnot appear to 
be working.
body LOCAL_DEMONSTRATION_RULE /spam/score 
LOCAL_DEMONSTRATION_RULE 6.0describe 
LOCAL_DEMONSTRATION_RULE This is a simple 
test ruleheader LOCAL_DEMONSTRATION_SUBJECT 
Subject =~ /\btest\b/iscore 
LOCAL_DEMONSTRATION_SUBJECT 
2required_score5rewrite_header subject * Rated SPAM: Junk 
This! *


Does it not work for 
Aliases/Forwarders? Do you have to have a special Client? I am using BAT by 
RitLABs, and/or Webbrowser.

Thanks!
Joseph 
DuBois, Lead Application SpecialistApplication Standards  
Specialty ProjectsChildren's Hospital Boston[EMAIL PROTECTED]



Re: RBL Rules Misfiring

2006-08-23 Thread Stuart Johnston

As a quick guess, you probably need to fix your Trust Path:

http://wiki.apache.org/spamassassin/TrustPath

D.J. wrote:

Hello all.

I searched my archive of the list, and couldn't find a similar issue.  
This is probably something I've misconfigured, but here goes.  Running 
SA 3.14 via the Mail::SpamAssassin Perl plugin from amavisd-new.  Have 
been running into a problem where some dynamic RBL lists are firing just 
because the IP is in the headers, not necessarily because it's the IP 
talking to my MTA.  They are indeed IPs in the list but shouldn't be 
firing because they're really using their ISP's mail servers as you can 
see later in the headers.  I'm *really* hoping this isn't intended 
operation and it's just something I've blundered somehow.  Below is a 
piece of one of the message notifications I receive.  I've been watching 
this on a couple small domains I own before putting it on our main one, 
and it's a good thing!


Thanks in advance for the help.

- D.J.


Content analysis details:   (10.9 points, 5.0 required)

 pts rule name  description
 -- 
--

 1.4 MSGID_FROM_MTA_ID  Message-Id for external message added locally
-0.0 SPF_PASS   SPF: sender matches SPF record
 0.0 HTML_MESSAGE   BODY: HTML included in message
 0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
[score: 0.4964]
 2.2 RCVD_IN_SORBS_SOCKSRBL: SORBS: sender is open SOCKS proxy server
[24.140.8.46 http://24.140.8.46 listed in 
dnsbl.sorbs.net http://dnsbl.sorbs.net]
 2.0 RCVD_IN_SORBS_DUL  RBL: SORBS: sent directly from dynamic IP 
address
[24.140.8.46 http://24.140.8.46 listed in 
dnsbl.sorbs.net http://dnsbl.sorbs.net]
 2.6 RCVD_IN_DSBL   RBL: Received via a relay in list.dsbl.org 
http://list.dsbl.org

[http://dsbl.org/listing?24.140.8.46]
 0.7 RCVD_IN_NJABL_PROXYRBL: NJABL: sender is an open proxy
[24.140.8.46 http://24.140.8.46 listed in 
combined.njabl.org http://combined.njabl.org]

 1.9 RCVD_IN_NJABL_DUL  RBL: NJABL: dialup sender did non-local SMTP
[24.140.8.46 http://24.140.8.46 listed in 
combined.njabl.org http://combined.njabl.org]

 1.8 MISSING_SUBJECTMissing Subject: header
-1.8 AWLAWL: From: address is in the auto white-list

Return-Path: protected
Received: from smtp-1.sssnet.com http://smtp-1.sssnet.com 
(nat-147.sssnet.com http://nat-147.sssnet.com [24.140.1.147 
http://24.140.1.147])
by test.sssnet.com http://test.sssnet.com (Postfix) with ESMTP 
id 663292B803E

for protected; Wed, 23 Aug 2006 14:58:41 -0400 (EDT)
Received: (qmail 11376 invoked by uid 507); 23 Aug 2006 18:58:42 -
Received: from 24.140.8.46 http://24.140.8.46 by smtp-1.sssnet.com 
http://smtp-1.sssnet.com (envelope-from protected, uid 501) with 
qmail-scanner-1.25st
 (clamdscan: 0.88.2/1715. spamassassin: 3.0.3. perlscan: 1.25st. 
 Clear:RC:1(24.140.8.46 http://24.140.8.46):SA:0(1.2/14.0):.

 Processed in 0.727458 secs); 23 Aug 2006 18:58:42 -
X-Spam-Status: No, hits=1.2 required=14.0
X-Spam-Level: +
Received: from cable-8-46.sssnet.com http://cable-8-46.sssnet.com 
(HELO SERVER) ([24.140.8.46 http://24.140.8.46])

  (envelope-sender protected)
  by 0 (qmail-ldap-1.03) with SMTP
  for protected; 23 Aug 2006 18:58:41 -
From: Sue Repp protected
To: 'Mary Richardson' protected
Subject:
Date: Wed, 23 Aug 2006 14:58:53 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary==_NextPart_000__01C6C6C4.ABD60F20
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: AcbG5izxOwnp3dUpR7iOx6AZ33ceQQ==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Qmail-Scanner-Message-ID: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED]







Re: analysing the logs

2006-08-23 Thread jdow

From: Nick Rout [EMAIL PROTECTED]


Using spamd started from .procmailrc, it logs to syslog and ends up in
/var/log/mail.log, along with postfix's log and courier-imap's log.

How can I get some analysis of this?, eg positives per day, etc.

Have googled a bit, and looked in the archives, a lot of people talk
about their stats, not many messages show the commands they use to get
them!


If you have a normal distro the nice set of tools that comes with
SpamAssassin are likely not there. With a cpan install there are
some interesting tools in /usr/share/doc/spamassassin/tools/.

A different tool, sadly named the same as one of the official tools,
that I like better was done by Dallas Engelken. It is carefully hidden
where nobody can find it at:
http://www.rulesemporium.com/programs/sa-stats.txt

Rename it to goodsa-stats.pl or something. It is quite informative
about what rules are hitting on ham or spam.

{^_^}


Re: Filtering Aliases/Forwarders

2006-08-23 Thread jdow

Joseph, may I make a slight suggestion for you?

For the rewrite try something about the same size that makes eyeball
filtering ham out of the spam folder much easier:
rewrite_header subject * Rated SPAM: _SCORE(00) *

Then the header subject will start with something like this:
* Rated SPAM: 019.8 *. It'll be followed by the original subject, of
course. You filter to spam if * Rated SPAM: is seen. And you can sort
by subject to bring the low scores to the top.

And for demonstration or test rules I'd use low scores unless you
specifically wanted to see a hit. Then I'd search for something
gibberish in the text. Hm, actually I wonder if gibberish itself
would be a safe rule for testing. It almost never appears in normal
mail and spammers USUALLY are averse to calling their mail gibberish.
So {^_-} The scores I use run for rule testing are in the 0.001
to 0.1 range. Once the look good I give them real scores.


{^_^}   Joanne
- Original Message - 
From: DuBois, Joseph [EMAIL PROTECTED]



Well met,

Just activated SpamAssassin on my website (by my web hosting provider)
and wanted to do some simple tests which I read from the Wiki site and
FAQ. When it didn't run I opened a ticket with my provider and he said
he didn't support it and I needed to find help else where. So here I am.
Right now, I'm just trying some simple tests to get my
Aliases/Forwarders (which get sent through my site) and forwarded onto
my ISP providers email account.

i.e. a public email [EMAIL PROTECTED] would get forwarded onto my
local isp provider at verizon, or comcast depending on who I have for a
particular month, so that way I don't have to change my email every
month.

So for my test, I set up the following basic local rules in
~/.spamassassin/user_prefs file.

I assume this would take any email with the word spam in the BODY or
test in SUBJECT and rewrite the SUBJECT with the new HEADER. But for
some reason it does not appear to be working.

body LOCAL_DEMONSTRATION_RULE   /spam/
score LOCAL_DEMONSTRATION_RULE 6.0
describe LOCAL_DEMONSTRATION_RULE   This is a simple test rule
header LOCAL_DEMONSTRATION_SUBJECT  Subject =~ /\btest\b/i
score LOCAL_DEMONSTRATION_SUBJECT   2
required_score  5
rewrite_header subject * Rated SPAM: Junk This! *


Does it not work for Aliases/Forwarders? Do you have to have a special
Client? I am using BAT by RitLABs, and/or Webbrowser.

Thanks!

Joseph DuBois, Lead Application Specialist
Application Standards  Specialty Projects
Children's Hospital Boston
[EMAIL PROTECTED]







sa-learn -q patch in FreeBSD

2006-08-23 Thread Justin Mason
anyone know what this is/does?

  http://cia.navi.cx/stats/project/FreeBSD/.message/32ba98d/xml

--j.


Re: How to whitelist_from ?

2006-08-23 Thread Philip Prindeville
John D. Hardin wrote:

On Wed, 23 Aug 2006, Philip Prindeville wrote:

  

Hmm  Maybe if I post with a more obvious subject line

What is the notation for writing a whitelist_from or
whitelist_from_rcvd when the sender is  ?  (As in MAIL FROM:
)



Are you sure you want to use that broad a brush? There is a *lot* of
garbage that is sent as faked mailer daemon bounces.
  


Well, yes, especially since the IP address of the sender is reserved for
a machine that does ticketing and auto-replies exclusively (I was going
to use whitelist_from_rcvd and not just whitelist_from).

When dealing with a known correspondent's brokenness, it's safer to
focus your permissiveness rather tightly. Try a meta rule that matches
a Received: line on a bounce from them, add a rule that ANDs that meta
with the rule that fires on their malformed date, and score it to
cancel out the malformed date score.
  


I'm not ready to work that hard...

I'd rather catch the broken email, point it out to them, have them fix it,
and then remove the whitelisting when they've fixed their agent.

-Philip




Re: How to whitelist_from ?

2006-08-23 Thread John D. Hardin
On Wed, 23 Aug 2006, Philip Prindeville wrote:

 John D. Hardin wrote:
 
 On Wed, 23 Aug 2006, Philip Prindeville wrote:
 
 What is the notation for writing a whitelist_from or
 whitelist_from_rcvd when the sender is  ?  (As in MAIL FROM:
 )
 
 Are you sure you want to use that broad a brush? There is a *lot* of
 garbage that is sent as faked mailer daemon bounces.
 
 Well, yes, especially since the IP address of the sender is
 reserved for a machine that does ticketing and auto-replies
 exclusively (I was going to use whitelist_from_rcvd and not just
 whitelist_from).

Ah, okay, whitelist_from_rcvd is a good way to focus that. (assuming
 even works...)

--
 John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The problem is when people look at Yahoo, slashdot, or groklaw and
  jump from obvious and correct observations like Oh my God, this
  place is teeming with utter morons to incorrect conclusions like
  there's nothing of value here.-- Al Petrofsky, in Y! SCOX
---
 27 days until Talk Like a Pirate day



phishing reports to [EMAIL PROTECTED] bouncing

2006-08-23 Thread Chris
I don't know if anyone other than me does this but thought I'd ask if anyone 
else is having problems with them. I keep getting these bounces, but not on 
all messages:

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [EMAIL PROTECTED]
    (ultimately generated from [EMAIL PROTECTED])
    SMTP error from remote mail server after end of data:
    host mail0.ciphertrust.net [207.59.224.200]: 554 Transaction Failed Spam 
Message not queued.

I sent a message to the only contact listed which is 
[EMAIL PROTECTED] and since then I'm getting this, again not 
from all reports sent, just some:

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [EMAIL PROTECTED]
    (ultimately generated from [EMAIL PROTECTED])
    SMTP error from remote mail server after RCPT 
TO:[EMAIL PROTECTED]:
    host smtp.netwin.co.nz [216.65.64.228]: 550 This user's mailbox is full 
([EMAIL PROTECTED]) - Try again later

Just wondering if anyone else is seeing this.

-- 
Chris
20:04:28 up 6 days, 2:47, 1 user, load average: 0.13, 0.38, 0.41


pgpZHEGwiYqhP.pgp
Description: PGP signature


SpamAss-Milter

2006-08-23 Thread Christopher Mills
Hi people, Have any of you used the SpamAss-Milter ?I am still having hell getting all our inbound mail into spamassassin. Mail going to local mailboxes gets scanned, but if they are being forwarded to external addresses (like 
[EMAIL PROTECTED]) are not. This is frustrating the hell out of me because there seems to be such horrible documentation for this issue. If 
SpamAss-Milter works, then I don't even know how to implement it server-wide vs. on a per user basis, or if it will even work at all.This entire spam issue is wasting so much of my time!


lint undefined dependencies?

2006-08-23 Thread lists

Hey list,

Sorry if this has been covered before.  We recently upgraded to SA  
3.14 - and I today ran a

spamassassin -D --lint
to check everything.  I saw several lines like the following:

[31579] info: rules: meta test DIGEST_MULTIPLE has undefined  
dependency 'PYZOR_CHECK'


So, does this undefined dependency break the whole meta rule?  Can I  
ignore these?


thanks,
devin


Re: lint undefined dependencies?

2006-08-23 Thread Theo Van Dinter
On Wed, Aug 23, 2006 at 06:33:03PM -0700, [EMAIL PROTECTED] wrote:
 Sorry if this has been covered before.  We recently upgraded to SA  
 3.14 - and I today ran a

it has. :)

 [31579] info: rules: meta test DIGEST_MULTIPLE has undefined  
 dependency 'PYZOR_CHECK'
 
 So, does this undefined dependency break the whole meta rule?  Can I  
 ignore these?

No and yes.  It's an informational message, not an error. :)

-- 
Randomly Generated Tagline:
Relationships are hard. It's like a full-time job, and we should treat
 it like one. If your boyfriend or girlfriend wants to leave you, they
 should give you two weeks' notice. There should be severance pay, and
 before they leave you, they should have to find you a temp.
  - Bob Ettinger


pgpWirdJEaQ9Z.pgp
Description: PGP signature


Re: SpamAss-Milter

2006-08-23 Thread jdow

From: Christopher Mills [EMAIL PROTECTED]


Hi people,
Have any of you used the
SpamAss-Milterhttp://www.sendmail.com/partners/milter/milter.detail/#SpamAss-Milter?
I am still having hell getting all our inbound mail into spamassassin. Mail
going to local mailboxes gets scanned, but if they are being forwarded to
external addresses (like [EMAIL PROTECTED]) are not. This is frustrating the
hell out of me because there seems to be such horrible documentation for
this issue. If 
SpamAss-Milterhttp://www.sendmail.com/partners/milter/milter.detail/#SpamAss-Milterworks,

then I don't even know how to implement it server-wide vs. on a per
user basis, or if it will even work at all.
This entire spam issue is wasting so much of my time!


At an educated guess your problem is in the mailer not the MDA. Study
it, diagram the message flow, and discover where the MDA is not getting
called on message relays. Then figure out how to insert the filter
into the flow.

{^_^} 



bayes autolearn acting up

2006-08-23 Thread lists
Hello,Since upgrading to 3.14, when I turn on bayes auto-learn with:bayes_auto_learn	1and I set the learn boundaries with:bayes_auto_learn_threshold_nonspam    -3.5bayes_auto_learn_threshold_spam       15.5I get unexpected auto-learning.  Example:  I just saw a spam come through that scored 9.9, which is enough for it to be tagged as spam, but it should not be auto-learned as spam.  But, in the header it clearly reads:X-Spam-Status: Yes, score=9.9 required=5.0 tests=AWL,BAYES_99, DATE_IN_PAST_03_06,DCC_CHECK,DIGEST_MULTIPLE,HTML_40_50,HTML_MESSAGE, MIME_HTML_ONLY,RAZOR2_CHECK,RCVD_IN_WHOIS_INVALID autolearn=spam version=3.1.4Any ideas?Thanks,Devin