Re: AWL confusion.. (drinking game)

2006-08-30 Thread Anders Norrbring

Matt Kettler wrote:

Anders Norrbring wrote:

*sigh*.. do we really need to start a SpamAssassin-Users mailing list
drinking game?

For those not familiar, when you get home for the evening, sit down,
with a beverage of your choice (milk, soda, coffee, wine, beer) and read
the days mail for spamassassin-users.

3 drinks - Poster believes the name AWL is accurate, and wonders why
they got a positive score.
1 drink - Poster asks a question answered by a wiki article


Sure, go ahead... Or make a decent Wiki article index so it's possible
to surf the wiki in a way that makes any sense.

Now it's hard to find articles, the wiki search often returns no
results, or even pages without relevance.

While I'll agree the index needs some improvement, and the search does
not work  for many things, the default behavior if you type "awl" in the
search box and hit enter yields:

http://wiki.apache.org/spamassassin/?action=fullsearch&context=180&value=awl&titlesearch=Titles

Which has AwlWrongWay as the first hit

And going to the "CategoryFaq" link, under "starting points" on the
index yields:
http://wiki.apache.org/spamassassin/CategoryFaq

Which has AwlWrongWay as the 6th entry.

That said, http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions
really should link to  http://wiki.apache.org/spamassassin/CategoryFaq



True.  Sadly enough, many people (me on that list) get so frustrated 
while trying to find out about specific topics that we simply turn 
elsewhere (like google) instead. Of course with loads of hits to hints, 
tips and tricks, which turns out to be worth as much as a sunlamp in 
Sahara when tested...


Or we go asking stupid questions on the list.

I'm very familiar with my old, but not so trustworthy anymore, SA 2.6.x 
and I got kind of confused by the many changed options and concepts in 3.1.



Since I'm setting up a new mail gateway, there are a couple of options 
that need to interact, and with a documentation and wiki like the 
current SA, it turns into an annoying job to do it.



I'm on to the AV scanning now, wish me luck.. Hehe.

--

Anders Norrbring
Norrbring Consulting


different rules for different virtual host

2006-08-30 Thread [EMAIL PROTECTED]

Hallo,
and sorry for my bad english.
I've a server debian with qmail and vpopmail.
I use spamassassin to mark the spam mail.
I invoke spamc from .qmail-default in every domain folder.

This is the line I add to .qmail-default:

/ussr/bin/spamc -f -t 20


Now,
I want only for one subdomain that spamassassin mark the spam mails  
and move them in a subfolder.

But, for all the other domains spamassassin has only to mark the mail.

Can I add some rules to do this?
Or spamassassin can have only one setting for all my subdomains???


Thanks


Re: different rules for different virtual host

2006-08-30 Thread jdow

From: <[EMAIL PROTECTED]>


Hallo,
and sorry for my bad english.
I've a server debian with qmail and vpopmail.
I use spamassassin to mark the spam mail.
I invoke spamc from .qmail-default in every domain folder.

This is the line I add to .qmail-default:

/ussr/bin/spamc -f -t 20


Now,
I want only for one subdomain that spamassassin mark the spam mails  
and move them in a subfolder.

But, for all the other domains spamassassin has only to mark the mail.

Can I add some rules to do this?
Or spamassassin can have only one setting for all my subdomains???


SpamAssassin cannot and does not place mail in folders. That is
something to take up with the QMail people. All SpamAssassin does
do, and it does it well, is generate a score and some markups to
the message. It's up to the delivery agent to determine what to
do based on the markups and the score SpamAssassin delivers.

{^_^}


Re: SA-LEARN Question

2006-08-30 Thread Miki
Hello Christopher,

Tuesday, August 22, 2006, 3:21:36 PM, you wrote:

CM> Hi,
CM> We have over 100 domains on a server, all of which are getting junk mail. SA
CM> 3.1.4 installed, but I don't think it's properly trained yet (even though I
CM> did upgrade from an earlier version).

CM> If I set up a [EMAIL PROTECTED] address and tell all my customers to
CM> forward the junk mail they get to that address, then run sa-learn on that
CM> mailbox, will that help, or, will it train SA that the users that forwarded
CM> the junk ARE the spammers and start to assign higher scores to legitimate
CM> customers?

Hi,
I have qmail, SA and MUA is The Bat!
I found that Redirect email is not good, as SA "think" about me as
sender, but forward of spam to junk account is OK, it strip "forwarded
by" headers and learn it.


-- 
Best regards,
 Miki mailto:[EMAIL PROTECTED]




Sysread not ready

2006-08-30 Thread Cedric BUSCHINI

hello,

These lines are logged every 5 minutes :
   Aug 30 12:19:02 srvmail spamd[2002]: prefork: periodic ping from spamd parent
   Aug 30 12:19:02 srvmail spamd[2002]: prefork: sysread(10) not ready, wait max 300 secs
   Aug 30 12:19:02 srvmail spamd[2001]: prefork: periodic ping from spamd parent
   Aug 30 12:19:02 srvmail spamd[2001]: prefork: sysread(9) not ready, wait max 300 secs


I have no idea of what these lines mean ...

Can some one help me please ?

Thanks.

-- Ced --




Re: Sysread not ready

2006-08-30 Thread Justin Mason

Cedric BUSCHINI writes:
>hello,
>
>These lines are logged every 5 minutes :
>Aug 30 12:19:02 srvmail spamd[2002]: prefork: periodic ping from spamd parent
>Aug 30 12:19:02 srvmail spamd[2002]: prefork: sysread(10) not ready, wait max 300 secs
>Aug 30 12:19:02 srvmail spamd[2001]: prefork: periodic ping from spamd parent
>Aug 30 12:19:02 srvmail spamd[2001]: prefork: sysread(9) not ready, wait max 300 secs
>
>I have no idea of what these lines mean ...
>
>Can some one help me please ?

are you running with debugs on?  This is normal behaviour.

--j.


Problems after RulesDuJour

2006-08-30 Thread Matthias Haegele

Hello there!

After downloading and "installing" RulesDuJour I get the following message:
Any hints?:


spamassassin --lint
[568] warn: config: failed to parse line, skipping: rewrite_subject 1


I didn't implement rewrite_subject, only rewrite header iirc.


[568] warn: config: warning: score set for non-existent rule RCVD_IN_URIBL_SBL
[568] warn: lint: 2 issues detected, please rerun with debug enabled for more information



Greetings and thx in advance
MH


System:
Debian 3.1
spamassassin:  Installed: 3.1.3-0bpo1
amavisd-new:  Installed: 20030616p10-5


cat /etc/rulesdujour/config
TRUSTED_RULESETS="TRIPWIRE SARE_ADULT SARE_OBFU0 SARE_OBFU1 SARE_URI0 SARE_URI1
ANTIDRUG
SARE Evil Numbers
SARE_EVILNUMBERS0
SARE_EVILNUMBERS1
SARE_EVILNUMBERS2
BLACKLIST
BLACKLIST_URI
RANDOMVAL
BOGUSVIRUS
SARE_ADULT
SARE_FRAUD
SARE_FRAUD_PRE25X"
#
SA_DIR="/etc/mail/spamassassin"
MAIL_ADDRESS="[EMAIL PROTECTED]"




Re: [Devel-spam] Hash Stats

2006-08-30 Thread decoder

--[ UxBoD ]-- wrote:
> How many hits are you getting ?
>
> Database changed
> mysql> select count(*) from maillog where spamreport like '%FUZZY_OCR%' and date = '2006-08-29';
> +----------+
> | count(*) |
> +----------+
> |      385 |
> +----------+
> 1 row in set (0.10 sec)
>
> mysql> select count(*) from maillog where spamreport like '%FUZZY_OCR_KNOWN_HASH%' and date = '2006-08-29';
> +----------+
> | count(*) |
> +----------+
> |        1 |
> +----------+
> 1 row in set (0.05 sec)
>
> mysql> select count(*) from maillog where spamreport like '%FUZZY_OCR_CORRUPT%' and date = '2006-08-29';
> +----------+
> | count(*) |
> +----------+
> |      298 |
> +----------+
> 1 row in set (0.05 sec)
>
> --[ UxBoD ]-- // PGP Key: "curl -s
> http://www.splatnix.net/uxbod.asc | gpg --import" // Fingerprint:
> 543A E778 7F2D 98F1 3E50  9C1F F190 93E0 E8E8 0CF8 // Keyserver:
> www.keyserver.net Key-ID: 0xE8E80CF8
>
>

Did you apply the patch I sent to the SA mailing list? There is a bug
in 2.3b which breaks the database completely. Please fix the
corresponding line:

line 492:


It says:

  print DB "$score::$digest\n";


Should be:

  print DB "${score}::${digest}\n";



As a result, the produced hashdb is corrupted, delete it and start
with a new one...


Chris
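Why the line quoted in the message above corrupts the hash database, as an added Perl example that is not FuzzyOcr's own code: inside a double-quoted string Perl reads `$score::` as a package-qualified variable, so both the score and the `::` separator disappear from the written record. The sample scores and digests, the helper names and the assumed record shape (numeric score, `::`, digest without whitespace) are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Record built the way the quoted 2.3b line does it.
# Perl's identifier scanner treats "::" as a package separator, so the
# string contains two variables: $score:: (an undefined package variable,
# not the lexical $score) followed by $digest.
sub buggy_record {
    my ($score, $digest) = @_;
    # Warnings are switched off for this sub; left on, Perl reports
    # $score:: as uninitialized, which is the visible symptom of the bug.
    no warnings;
    return "$score::$digest\n";
}

# Record built the way the corrected line does it: the braces end each
# variable name before the literal "::".
sub fixed_record {
    my ($score, $digest) = @_;
    return "${score}::${digest}\n";
}

# Return the 1-based line numbers of records that do not look like
# "score::digest". Assumption (not taken from FuzzyOcr): the score is a
# plain number and the digest contains no whitespace.
sub corrupt_lines {
    my ($fh) = @_;
    my @bad;
    while (my $line = <$fh>) {
        chomp $line;
        push @bad, $. unless $line =~ /\A-?\d+(?:\.\d+)?::\S+\z/;
    }
    return @bad;
}

# Constructed sample data: two good records around one written by the bug.
my @records = (
    fixed_record(12, 'a1b2c3d4'),
    buggy_record(12, 'a1b2c3d4'),
    fixed_record(7,  'deadbeef'),
);

print "fixed record: $records[0]";
print "buggy record: $records[1]";

# Scan the records through an in-memory filehandle, as one would scan a
# hashdb file opened for reading.
my $db = join '', @records;
open my $fh, '<', \$db or die "cannot open in-memory db: $!";
my @bad = corrupt_lines($fh);
close $fh;

print "corrupt line numbers: @bad\n";
```

A database containing any line flagged by `corrupt_lines` was written by the unpatched code; the message's advice is to delete it and start a new one.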



Re: FuzzyOCR Install - Issues processing ONLY Gif images.

2006-08-30 Thread decoder

Michael Grey wrote:
> 
>
> Installed FuzzyOCR and believe all the dependencies.
>
>
>
> Using the sample images I get a Pipe Error ONLY on gif images;
> resulting in no hits on FUZZY_OCR.
>
> Pipe Command "/usr/bin/giftopnm -"
>
>
>
> Giftopnm exists in that path.
>
>
>
> Running giftopnm on the command line seems to work with no errors,
> spitting out a binary file to stdout as expected.
>
>
>
> Any ideas of what might be missing ? ( Fedora Core 4 ).
>
You can try step by step debugging, first of all, what sample is
producing the error? (there are two gif samples).

If it doesn't work with the corrupted sample, try extracting the image
from that eml file (ripmime), then run the pipe manually:

cat filename.gif | giffix | giftopnm - > blah.gif

If that fails, try splitting the commands up and trace down which
binary causes the problem.

Chris
>
>
>
> Thanks?
>
>
> Michael Grey
>
> - log / reports -
>
>
>
> Corrupted-gif.eml
>
>
>
> pts rule name  description
>
>  --
> --
>
> 0.1 HTML_MESSAGE   BODY: HTML included in message
>
> 3.0 BAYES_95   BODY: Bayesian spam probability is 95 to
> 99%
>
> [score: 0.9694]
>
> 1.5 FUZZY_OCR_WRONG_CTYPE  BODY: Mail contains an image with wrong
>
> content-type set
>
> Image has format "GIF" but content-type is
>
> "image/jpeg"
>
>
>
>
>
> [2006-08-29 19:20:00] Debug mode: Image has format "GIF" but
> content-type is "image/jpeg"
>
> [2006-08-29 19:20:01] Debug mode: Image is single non-interlaced...
>
>
> [2006-08-29 19:20:01] Unexpected error in pipe to external
> programs.
>
> Please check that all helper programs are installed and in the
> correct path.
>
> (Pipe Command "/usr/bin/giftopnm -", Pipe exit code 1 (""),
> Temporary file: "/tmp/.spamassassin23614sXR9Dltmp")
>
> [2006-08-29 19:20:01] Debug mode: FuzzyOcr ending successfully...
>
> bash-3.00$
>
> animated-gif.eml
>
>
>
> pts rule name  description
>
>  --
> --
>
> 0.7 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received:
> date
>
> 0.1 HTML_MESSAGE   BODY: HTML included in message
>
> 0.0 BAYES_50   BODY: Bayesian spam probability is 40 to
> 60%
>
> [score: 0.5000]
>
>
>
>
>
> [2006-08-29 19:22:12] Debug mode: Analyzing file with content-type
> "image/gif"
>
> [2006-08-29 19:22:12] Debug mode: Image is single non-interlaced...
>
>
> [2006-08-29 19:22:12] Unexpected error in pipe to external
> programs.
>
> Please check that all helper programs are installed and in the
> correct path.
>
> (Pipe Command "/usr/bin/giftopnm -", Pipe exit code 1 (""),
> Temporary file: "/tmp/.spamassassin23644bPPq3jtmp")
>
> [2006-08-29 19:22:12] Debug mode: FuzzyOcr ending successfully...
>




Re: wrong ml, ignore ;)

2006-08-30 Thread decoder

decoder wrote:
> --[ UxBoD ]-- wrote:
>>> How many hits are you getting ?
>>>
>>> Database changed
>>> mysql> select count(*) from maillog where spamreport like '%FUZZY_OCR%' and date = '2006-08-29';
>>> +----------+
>>> | count(*) |
>>> +----------+
>>> |      385 |
>>> +----------+
>>> 1 row in set (0.10 sec)
>>>
>>> mysql> select count(*) from maillog where spamreport like '%FUZZY_OCR_KNOWN_HASH%' and date = '2006-08-29';
>>> +----------+
>>> | count(*) |
>>> +----------+
>>> |        1 |
>>> +----------+
>>> 1 row in set (0.05 sec)
>>>
>>> mysql> select count(*) from maillog where spamreport like '%FUZZY_OCR_CORRUPT%' and date = '2006-08-29';
>>> +----------+
>>> | count(*) |
>>> +----------+
>>> |      298 |
>>> +----------+
>>> 1 row in set (0.05 sec)
>>>
>>> --[ UxBoD ]-- // PGP Key: "curl -s
>>> http://www.splatnix.net/uxbod.asc | gpg --import" //
>>> Fingerprint: 543A E778 7F2D 98F1 3E50  9C1F F190 93E0 E8E8 0CF8
>>> // Keyserver: www.keyserver.net Key-ID:
>>> 0xE8E80CF8
>>>
>>>
>
> Did you apply the patch I sent to the SA mailing list? There is a
> bug in 2.3b which breaks the database completely. Please fix the
> corresponding line:
>
> line 492:
>
>
> It says:
>
> print DB "$score::$digest\n";
>
>
> Should be:
>
> print DB "${score}::${digest}\n";
>
>
>
> As a result, the produced hashdb is corrupted, delete it and start
> with a new one...
>
>
> Chris



Re: Sysread not ready

2006-08-30 Thread Cedric BUSCHINI




Justin Mason wrote:

  Cedric BUSCHINI writes:
  
  
hello,

These lines are logged every 5 minutes :
   Aug 30 12:19:02 srvmail spamd[2002]: prefork: periodic ping from spamd parent
   Aug 30 12:19:02 srvmail spamd[2002]: prefork: sysread(10) not ready, wait max 300 secs
   Aug 30 12:19:02 srvmail spamd[2001]: prefork: periodic ping from spamd parent
   Aug 30 12:19:02 srvmail spamd[2001]: prefork: sysread(9) not ready, wait max 300 secs

I have no idea of what these lines mean ...

Can some one help me please ?

  
  
are you running with debugs on?  This is normal behaviour.

--j.

  

Justin, 

yes I'm running in debug mode (spamd -d -s mail -D)
so it's a normal behaviour ... I thought it was a "problem"

thanks





Re: Hashcash

2006-08-30 Thread Arik Raffael Funke

decoder wrote:

Arik Raffael Funke wrote:

decoder wrote:

Arik Raffael Funke wrote:

Hello,

how does spamassassin handle hashcash? It is turned on by
default, right?

Yes but you still need to define your accept range as you tried
to do above:)

I am using v3.1.2 and have in init.pre "loadplugin
Mail::SpamAssassin::Plugin::Hashcash". However, the hashcash
contained in incoming mails seems to have been ignored. I added
 following to local.cf, but I am still out of luck:

use_hashcash 1 hashcash_accept [EMAIL PROTECTED]

try [EMAIL PROTECTED]

That doesn't seem to help either. Any other ideas?


Run with -D on a hashcash stamped message and check the output for
relevant data..


I realised, that with spamassassin hashcash was honored but with spamc 
not... I had forgotten to restart the daemon!


Thanks Chris!



Re: AWL confusion.. (drinking game)

2006-08-30 Thread DAve

Matt Kettler wrote:

Anders Norrbring wrote:

*sigh*.. do we really need to start a SpamAssassin-Users mailing list
drinking game?

For those not familiar, when you get home for the evening, sit down,
with a beverage of your choice (milk, soda, coffee, wine, beer) and read
the days mail for spamassassin-users.

3 drinks - Poster believes the name AWL is accurate, and wonders why
they got a positive score.
1 drink - Poster asks a question answered by a wiki article


Sure, go ahead... Or make a decent Wiki article index so it's possible
to surf the wiki in a way that makes any sense.

Now it's hard to find articles, the wiki search often returns no
results, or even pages without relevance.

While I'll agree the index needs some improvement, and the search does
not work  for many things, the default behavior if you type "awl" in the
search box and hit enter yields:

http://wiki.apache.org/spamassassin/?action=fullsearch&context=180&value=awl&titlesearch=Titles

Which has AwlWrongWay as the first hit

And going to the "CategoryFaq" link, under "starting points" on the
index yields:
http://wiki.apache.org/spamassassin/CategoryFaq

Which has AwlWrongWay as the 6th entry.

That said, http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions
really should link to  http://wiki.apache.org/spamassassin/CategoryFaq


Wikis are evil, they remind me of the old faq-o-matic, ugh.  That is 
just my opinion, and opinions are like... well you know.


The problem with searching is that someone new to a product doesn't 
always know what to search for. Many times I have had our support guys 
pass an issue on to me and I found the solution first try in Yahoo 
Search. The difference was I searched on "wigit rotation knob" and they 
searched on "turning wigitknob left".


In your example "autowhitelist low score" returns nothing useful, nor 
does "change awl score" or "awl score too high". Not everyone would try 
just entering "awl". Certainly after most people have gotten 
eighty-two-hundred-bazillion hits on a search engine, 99% of which are 
unrelated, by using a simplistic search. Folks learn to be very specific 
when searching.


Maybe each article on the wiki should be indexed to a specific config 
option, or options? Just a thought.


DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.


Re: Perfect spamassassin setup?

2006-08-30 Thread Burton Windle

On Tue, 29 Aug 2006, jdow wrote:


From: "Stuart Johnston" <[EMAIL PROTECTED]>

Eric Persson wrote:

Is there any project that combines the strength of spamassassin, mysql
and a good webinterface to act as a antispamfrontend of a "normal"
mailserver?


Thanks,
Eric


http://www.maiamailguard.com/


"...web-based interface..." is where it lost me on the first line of
text. I will not voluntarily use web-based email interfaces. They are
the direct spawn of Satan.

{^_^}



I've personally used Maia at my company, filtering email for about 450 
users. It did a great job filtering (of course, since it uses SA on the 
back-end) and the UI was clean and intuitive. I found it a touch rough in 
a few minor places, but all the issues I had are already fixed in CVS.


The install wasn't for the novice, but the install doc did a pretty good 
job of detailing what needed to be done.


--
Burton Windle   [EMAIL PROTECTED]



RE: AWL confusion.. (drinking game)

2006-08-30 Thread Chris Santerre





I thought these two had made it into the Wiki :) 


It's SATALK comedy gold!



>-----Original Message-----
>From: guenther [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, May 26, 2005 2:52 PM
>To: Craig Jackson
>Cc: users@spamassassin.apache.org
>Subject: Re: Adjusting the AWL value
>
>
>On Thu, 2005-05-26 at 12:55 -0500, Craig Jackson wrote:
>> Hi,
>> I'd like to change/reset-to-zero the autowhite list value 
>for a sender. 
>> I read the man page (Mail::Spamassassin::Autowhitelist) but don't 
>> comprehend the syntax.
>> 
>> Can someone give me a hint?
>
>Rather than Mail::Spamassassin::Autowhitelist you likely want 'man
>spamassassin'. :)
>
>See --remove-from-whitelist and --remove-addr-from-whitelist options.
>You can provide the email address alone or feed it the respective mail.
>
>HTH


Remember, most of us call it A.S.S now, instead of AWL. Average Scoring System. 


To remove someone from your ASS, you simply use the commands listed by guenther above. 


IMHO, these commands should be updated to keep continuity with the idea that the ASS is not just white. I recommend:


--remove-from-my-ass and --remove-addr-from-ass


That should work perfectly. 


--Chris 


>Andy Jezierski wrote:
>
>>
>> I like it!  And since the scores can shift over time, you'd probably
>> want people to check them every now and then so you could 
>tell them to
>>
>> Keep Intercepting Suspected Spam   Monitor Your   Average 
>Scoring System





Re: Perfect spamassassin setup?

2006-08-30 Thread Stuart Johnston

jdow wrote:

From: "Stuart Johnston" <[EMAIL PROTECTED]>

Eric Persson wrote:

This might be a shot in the dark, but after running a patched qmail,
qmailscanner with spamassassin and mysqlsupport for a while and a
selfdeveloped webinterface, we've started to look around what others are
using?

Is there any project that combines the strength of spamassassin, mysql
and a good webinterface to act as a antispamfrontend of a "normal"
mailserver?

Any suggestions, in terms of packages or bundled systems is appreciated.
Preferrably open source and free to use.

Thanks,
Eric


http://www.maiamailguard.com/


"...web-based interface..." is where it lost me on the first line of
text. I will not voluntarily use web-based email interfaces. They are
the direct spawn of Satan.


Well that's fine but I was not recommending Maia to *you*.  I was recommending it to Eric Persson 
who specifically asked for "a good webinterface".


SQL connection problems(remote vs local)

2006-08-30 Thread kiamde

I've been trying to get SA to use a per user settings with Bayes/AWL.  I've
been having a strange issue where I want to connect to a remote DB server
and not a local server but AWL/Bayes doesn't seem to work.

This is my settings:


user_scores_dsn             DBI:mysql:postfix:10.2.0.54
user_scores_sql_username    user
user_scores_sql_password    pass

bayes_store_module          Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn               DBI:mysql:email:10.2.0.54
bayes_sql_username          user
bayes_sql_password          pass

auto_whitelist_factory      Mail::SpamAssassin::SQLBasedAddrList
user_awl_dsn                DBI:mysql:email:10.2.0.54
user_awl_sql_username       user
user_awl_sql_password       pass

The weird part is the regular per-user basis works fine with the remote
database but the bayes and AWL try to connect to localhost (10.2.0.57).  If I
set up a local mysql server and use the login/password it has no problems.

This is what I get in spamd debug mode:

[14577] dbg: auto-whitelist: sql-based unable to connect to database (DBI:mysql:email:10.2.0.54) : Access denied for user 'user'@'10.2.0.57' (using password: YES)


This is
SpamAssassin Server version 3.1.4
  running on Perl 5.8.5



Re: Rawbody problems

2006-08-30 Thread Theo Van Dinter
On Wed, Aug 30, 2006 at 08:21:00AM +0200, Sven Riedel wrote:
> > > rawbody htmlobscu2 />\s*\w\s*<\//   
> 
> So in principle you don't need to escape the carets?

FWIW, you would have to escape carets ("^") because it has a special
meaning in regular expression.  However, "<" and ">" aren't carets and
you don't need to escape them. :)

-- 
Randomly Generated Tagline:
Real Time, adj.:
Here and now, as opposed to fake time, which only occurs there and then.




RE: FuzzyOCR Install - Issues processing ONLY Gif images.

2006-08-30 Thread Michael Grey
I did have libungif installed, but the rpm doesn't add some of the needed
support that libungif-progs provides.  That did the trick.

Thanks !

Michael Grey

-----Original Message-----
From: Tim Litwiller [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 29, 2006 8:29 PM
To: users@spamassassin.apache.org
Subject: Re: FuzzyOCR Install - Issues processing ONLY Gif images.

try changing your time out from 10 seconds to 15 or 20 and verify that 
giffix is installed and working correctly.
libungif-utils rpm on fedora

Michael Grey wrote:
>
> Installed FuzzyOCR and believe all the dependencies.
>
> Using the sample images I get a Pipe Error ONLY on gif images; 
> resulting in no hits on FUZZY_OCR.
>
> Pipe Command "/usr/bin/giftopnm -"
>
> Giftopnm exists in that path.
>
> Running giftopnm on the command line seems to work with no errors, 
> spitting out a binary file to stdout as expected.
>
> Any ideas of what might be missing ? ( Fedora Core 4 ).
>
> Thanks...
>
>
> Michael Grey
>
> - log / reports -
>
> Corrupted-gif.eml
>
> pts rule name description
>
>  -- 
> --
>
> 0.1 HTML_MESSAGE BODY: HTML included in message
>
> 3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
>
> [score: 0.9694]
>
> 1.5 FUZZY_OCR_WRONG_CTYPE BODY: Mail contains an image with wrong
>
> content-type set
>
> Image has format "GIF" but content-type is
>
> "image/jpeg"
>
> [2006-08-29 19:20:00] Debug mode: Image has format "GIF" but 
> content-type is "image/jpeg"
>
> [2006-08-29 19:20:01] Debug mode: Image is single non-interlaced...
>
> [2006-08-29 19:20:01] Unexpected error in pipe to external programs.
>
> Please check that all helper programs are installed and in the correct 
> path.
>
> (Pipe Command "/usr/bin/giftopnm -", Pipe exit code 1 (""), Temporary 
> file: "/tmp/.spamassassin23614sXR9Dltmp")
>
> [2006-08-29 19:20:01] Debug mode: FuzzyOcr ending successfully...
>
> bash-3.00$
>
> animated-gif.eml
>
> pts rule name description
>
>  -- 
> --
>
> 0.7 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
>
> 0.1 HTML_MESSAGE BODY: HTML included in message
>
> 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
>
> [score: 0.5000]
>
> [2006-08-29 19:22:12] Debug mode: Analyzing file with content-type 
> "image/gif"
>
> [2006-08-29 19:22:12] Debug mode: Image is single non-interlaced...
>
> [2006-08-29 19:22:12] Unexpected error in pipe to external programs.
>
> Please check that all helper programs are installed and in the correct 
> path.
>
> (Pipe Command "/usr/bin/giftopnm -", Pipe exit code 1 (""), Temporary 
> file: "/tmp/.spamassassin23644bPPq3jtmp")
>
> [2006-08-29 19:22:12] Debug mode: FuzzyOcr ending successfully...
>



ANNOUNCE: Apache SpamAssassin 3.1.5 available!

2006-08-30 Thread Theo Van Dinter
Apache SpamAssassin 3.1.5 is now available!  This is a maintenance
release of the 3.1.x branch.

Downloads are available from:
  http://spamassassin.apache.org/downloads.cgi?update=20060830

The release file will also be available via CPAN in the near future.

md5sum of archive files:
  ae8734220ef82bbb1872f64dbf9c0995  Mail-SpamAssassin-3.1.5.tar.bz2
  19d2e76d7759083343d63e61e6e29739  Mail-SpamAssassin-3.1.5.tar.gz
  87bd540428116d6339322fef51b0c4eb  Mail-SpamAssassin-3.1.5.zip

sha1sum of archive files:
  9c9bcf4098c2b3418d5ea9ba69d1dcdfa255a819  Mail-SpamAssassin-3.1.5.tar.bz2
  672399ab2e600ba2ae19d71f77974dc27512e837  Mail-SpamAssassin-3.1.5.tar.gz
  9350e298c04d04b755640fa3ec2b5633755f93ad  Mail-SpamAssassin-3.1.5.zip

The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing 
key is available via the wwwkeys.pgp.net key server, as well as
http://spamassassin.apache.org/released/GPG-SIGNING-KEY

The key information is:

pub  1024D/265FA05B 2003-06-09 SpamAssassin Signing Key <[EMAIL PROTECTED]>
 Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24  F6D7 DEE0 1987 265F A05B

3.1.5 includes a large number of bug fixes and documentation updates.
Here is an abbreviated changelog (since 3.1.4) for major updates (see
the Changes file for a complete list):

- bug 4952: set a default value for DEF_RULES_DIR, LOCAL_RULES_DIR,
  and LOCAL_STATE_DIR.  This allows third-party code which hasn't been
  updated to deal with LOCAL_STATE_DIR to still use updates.
- bug 5065: implement DomainKeys whitelisting (whitelist_from_dk)
- bug 5034: fix endless loop in Mail::SpamAssassin::Client, possible
  from bad input or network error
- bug 4843: skip text/calendar parts when generating body text for processing
- bug 5022: recognize Received header from a local command line call to sendmail
- bug 5018: update RegistrarBoundaries with new list of 2TLDs
- bug 4981: remove urirhssub support for regexp subrule from URIDNSBL plugin
- bug 5049: handle comments and extra whitespace in sa-update config files.
  also, fix an error during channel name validation.
- bug 5030: sa-update couldn't run GPG if the path to the binary had a space
  in it
- bug 4737: when rewriting headers, strip out leading spaces to better allow
  filtering by some MUAs
- bug 4848: fix Pyzor, DCC, and SpamCop plugins to properly have a
  configuration pointer for things like their 'dont_report_to_...' option
- bug 4492: the parameters to bayes_ignore_header were treated case sensitively
- license text changed in source files, in accordance with new ASF policy:
  http://www.apache.org/legal/src-headers.html
- a bunch of documentation updates and fixes

-- 
Randomly Generated Tagline:
"Always bear in mind that your own resolution to succeed is more important
 than any other."- Abraham Lincoln 




Re: SARE sa-update channels available!

2006-08-30 Thread Daryl C. W. O'Shea
70_sare_whitelist_spf.cf has now been updated to include the necessary 
ifplugin line so it can now be updated via sa-update using the 
70_sare_whitelist_spf.cf.sare.sa-update.dostech.net channel.


Regards,

Daryl


Daryl C. W. O'Shea wrote:
I noticed a number of people have been trying to update the 
70_sare_whitelist_spf.cf ruleset.  In case any one had missed it 
mentioned in this thread, the ruleset is broken upstream (it's missing 
some required ifplugin lines) so updating that ruleset/channel will fail 
until it is fixed.



Daryl


On 8/13/2006 4:19 AM, Daryl C. W. O'Shea wrote:

Hello all,

For those of you interested in SpamAssassin's sa-update, I've created
sa-update channels for all of the rules found at the SpamAssassin Rules
Emporium website (http://www.rulesemporium.com/rules.htm).

Brief directions for use are as follows:

- download the channels' GPG key from:

http://daryl.dostech.ca/sa-update/sare/GPG.KEY

- import that key into sa-update's keyring:

sa-update --import GPG.KEY

- add the channels you want to a channel file (text file):

updates.spamassassin.org
70_sare_adult.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net

etc...

- run sa-update -- tell it to use your channel file and to trust the
  channels' GPG key:

sa-update --channelfile your-channel-file.txt --gpgkey 856AA88A


Slightly more verbose directions are available here:

http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt


Also note that you'll want to remove any of the SARE rulesets updated
above from your local site directory (often /etc/mail/spamassassin/) to
keep them from overriding the ones installed by sa-update.


Regards,

Daryl







SA seems to be ignoring "bayes_sql_override_username"

2006-08-30 Thread Matt Hampton
Hi

I have written an application that is using the "read_scoreonly_config"
command to load user configurations.


./scorefile

score BAYES_00  -6.00
score BAYES_99  6.00
bayes_sql_override_username USER



$spamtest->compile_now(0);
$spamtest->read_scoreonly_config("scorefile");

The output generated shows a BAYES_99 hit with the score of 6.00 (the
default is 4.00) however it is still using "root" as the username for
the sql queries.

http://mail-archives.apache.org/mod_mbox/spamassassin-dev/200404.mbox/[EMAIL PROTECTED]

seems to imply that "bayes_sql_override_username" should be a valid
option but this doesn't seem to be working

Any suggestions?

regards

Matt



Re: Perfect spamassassin setup?

2006-08-30 Thread Eric Persson
Stuart Johnston wrote:
> jdow wrote:
>> From: "Stuart Johnston" <[EMAIL PROTECTED]>
>>> Eric Persson wrote:
>>>> This might be a shot in the dark, but after running a patched qmail,
>>>> qmailscanner with spamassassin and mysqlsupport for a while and a
>>>> selfdeveloped webinterface, we've started to look around what others
>>>> are using?
>>>>
>>>> Is there any project that combines the strength of spamassassin, mysql
>>>> and a good webinterface to act as a antispamfrontend of a "normal"
>>>> mailserver?
>>>>
>>>> Any suggestions, in terms of packages or bundled systems is
>>>> appreciated.
>>>> Preferrably open source and free to use.
>>>>
>>>> Thanks,
>>>> Eric
>>>
>>> http://www.maiamailguard.com/
>>
>> "...web-based interface..." is where it lost me on the first line of
>> text. I will not voluntarily use web-based email interfaces. They are
>> the direct spawn of Satan.
> 
> Well that's fine but I was not recommending Maia to *you*.  I was
> recommending it to Eric Persson who specifically asked for "a good
> webinterface".

And I'm thankful for that, it seems like most people recommend maia
mailguard, and as someone else pointed out I was looking for an
administrative webinterface for SA.
For webmailinterface I tend to use squirrelmail, which tends to be a
nightmare to develop addons to, probably since it's a work of satan. :)
I'm impressed by the developers of squirrelmail how they can navigate
their way around that bloat of code. :)

/eric



Re: problem with RX subjects

2006-08-30 Thread Paul Tenfjord
Thank you for that hint, however I still only get about 50% hit on such 
messages.

Using the rule Mr -=W=- ( :-) ) provided, and rewriting it to : 

header LOCAL_RX_SUBJECT Subject =~ /[a-z](RX)[a-z]/

I feel confident that this rule will not cause false positives.
The Subject must contain RX with one letter on each side non-capital. 

The subject is always something like:
paRXhu
oaRXmy
xyRXda

I still however only add 5 points (required 6 for subject rewriting), these
mails are always in some of the SARE rules causing two or three points.


Regards Paul

On Tuesday 29 August 2006 21:28, John D. Hardin wrote:
> On Tue, 29 Aug 2006, Paul Tenfjord wrote:
> > I am using the following SARE rulesets :
> > TRUSTED_RULESETS="SARE_STOCKS TRIPWIRE SARE_ADULT SARE_OBFU0 SARE_OBFU1
> > SARE_URI0 SARE_URI1 SARE_REDIRECT_POST300 SARE_SPECIFIC SARE_FRAUD
> > SARE_OEM" They have not once detected this type of spam, do have a set
> > that actually do?
>
> You might try the GENLSUBJ sets. GENLSUBJ0 has some "RX" rules.
>
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   The difference is that Unix has had thirty years of technical
>   types demanding basic functionality of it. And the Macintosh has
>   had fifteen years of interface fascist users shaping its progress.
>   Windows has the hairpin turns of the Microsoft marketing machine
>   and that's all.    -- Red Drag Diva
> ---
>  21 days until Talk Like a Pirate day


Re: problem with RX subjects

2006-08-30 Thread Theo Van Dinter
On Wed, Aug 30, 2006 at 05:47:38PM +0200, Paul Tenfjord wrote:
> header LOCAL_RX_SUBJECT Subject =~ /[a-z](RX)[a-z]/

(ignoring anything else in this subject)
There's no reason to capture the string "RX", so you can remove the
parens.

-- 
Randomly Generated Tagline:
"It's not that we're afraid ... Far from it ... It's just that we have 
 this thing about death ... it's not us."  - Space Balls




Re: Perfect spamassassin setup?

2006-08-30 Thread John D. Hardin
On Tue, 29 Aug 2006, jdow wrote:

> "...web-based interface..." is where it lost me on the first line of
> text. I will not voluntarily use web-based email interfaces. They are
> the direct spawn of Satan.

...so what is MS Exchange's web email interface? Spawn of Satan^2
(which is nicely alliterative to boot)?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 So Microsoft's invented the ASCII equivalent to ugly ink spots that
 appear on your letter when your pen is malfunctioning.
 -- Greg Andrews, about Microsoft's way to encode apostrophes
---
 20 days until Talk Like a Pirate day



Bayes: 1 message, 2 results

2006-08-30 Thread Thomas Ericsson

Hi

I've gotten a lot of low scoring bayes hits, especially BAYES_00, so
I figured the database is off. I ran sa-learn --clear to start over,
but I still get a lot of BAYES_00. I then ran spamassassin -D --mbox
BUNCHOFSPAM.mbox to see what gives. It turns out I get a different
result from when the mail was delivered in the first place. Could it
be that each mail gets scanned more than one time? Any ideas appreciated.


Thomas


Here's our setup: OSX 10.3.9, Communigate 4.2.8, CGPSA 1.4, SA 3.1.3



Here's the mail scanned with the debug option:
 
-



Received: from localhost by server.fido.se
with SpamAssassin (version 3.1.3);
Wed, 30 Aug 2006 12:29:46 +0200
From: "Martin Powell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: *SPAM* Hello
Date: Wed, 30 Aug 2006 11:58:13 +0800
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Status: Yes, score=8.1 required=4.0 tests=BAYES_99,FIDO_Stocks,
HTML_MESSAGE,SUB_HELLO autolearn=no version=3.1.3
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on  
server.fido.se

X-Spam-Flag: YES
X-Spam-Level: 
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_44F5689A.21A84765"


 
-



Here's what got delivered in the first place

 
-



Return-Path: <[EMAIL PROTECTED]>
Received: by fido.se (CommuniGate Pro PIPE 4.2.8)
  with PIPE id 5044955; Wed, 30 Aug 2006 05:59:13 +0200
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on  
server.fido.se

X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=4.0 tests=BAYES_00,FIDO_Stocks,
HTML_MESSAGE,SUB_HELLO autolearn=no version=3.1.3
Received: from [124.129.63.126] (HELO localhost)
  by fido.se (CommuniGate Pro SMTP 4.2.8)
  with SMTP id 5044963 for [EMAIL PROTECTED]; Wed, 30 Aug 2006 05:58:49 +0200
Message-ID: <[EMAIL PROTECTED]>
From: "Martin Powell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Hello
Date: Wed, 30 Aug 2006 11:58:13 +0800
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="=_NextPart_000_0001_01C6CBE7.C0D97B00"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
X-TFF-CGPSA-Version: 1.4
X-TFF-CGPSA-Filter: Scanned

 
-






source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread Michael Grey








Are there any SA methods that allow verification of the ‘sender’
of an email ?

I am aware of SPF which can confirm that a host at ip
address x.x.x.x is authorized to send mail as from domain “A”, but
how about a means to confirm that ‘[EMAIL PROTECTED]’ actually
is a real user before accepting mail from him ?

Thanks

Michael Grey

 

 








Re: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread Theo Van Dinter
On Wed, Aug 30, 2006 at 10:10:00AM -0700, Michael Grey wrote:
> I am aware of SPF which can confirm that a host at ip address x.x.x.x is
> authorized to send mail as from domain "A", but how about a means to confirm
> that '[EMAIL PROTECTED]' actually is a real user before accepting mail
> from him ? 

The short answer is that there's no way to do that in general, regardless
of SA, so no.

-- 
Randomly Generated Tagline:
You recoil from the crude; you tend naturally toward the exquisite.




Re: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread Gino Cerullo
On 30-Aug-06, at 1:10 PM, Michael Grey wrote:

> Are there any SA methods that allow verification of the ‘sender’ of
> an email ?
>
> I am aware of SPF which can confirm that a host at ip address
> x.x.x.x is authorized to send mail as from domain “A”, but how
> about a means to confirm that ‘[EMAIL PROTECTED]’ actually is a
> real user before accepting mail from him ?

I don't believe SA can do that as it's a content filter. Some MTAs
can do this and this is where you want those kinds of verifications to
happen, before DATA. The problem is that if you do it for every
address you will get false positives, especially from sources like
mailing lists, news & info subscriptions, etc., and you'll find
yourself whitelisting a lot.

I actually do this using Postfix but I use a table of 'frequently
forged domains' whose addresses are verified before they are allowed
to pass on to the content filters.

--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740



Re: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread Michel Vaillancourt
Theo Van Dinter wrote:
> On Wed, Aug 30, 2006 at 10:10:00AM -0700, Michael Grey wrote:
>> I am aware of SPF which can confirm that a host at ip address x.x.x.x is
>> authorized to send mail as from domain "A", but how about a means to confirm
>> that '[EMAIL PROTECTED]' actually is a real user before accepting mail
>> from him ? 
> 
> The short answer is that there's no way to do that in general, regardless
> of SA, so no.
> 

There is a way to do it, but someone more skilled at PERL than I would 
have to carve it...  you actually open an SMTP conversation with 
"REMOTE_DOMAIN.com" a la:

Connected to mail.wolfstar.ca.
Escape character is '^]'.
220 ext1.wolfstar.ca ESMTP Postfix (Debian/GNU)
EHLO spamTest.bot
250-ext1.wolfstar.ca
250-PIPELINING
250-SIZE 10240
250-ETRN
250 8BITMIME
MAIL FROM: [EMAIL PROTECTED]
250 Ok
RCPT TO: [EMAIL PROTECTED]
554 <[EMAIL PROTECTED]>: Relay access denied

...  trap that "5xx" return, and you know it's a bogus sender.  The 
plug-in adds 2 points to the score.
Get a "250 Ok" back, and you are likely "safe"... score 0.

-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


Re: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread Justin Mason

Gino Cerullo writes:
> part 1.2   text/plain1027
> On 30-Aug-06, at 1:10 PM, Michael Grey wrote:
> 
> > Are there any SA methods that allow verification of the ‘sender’ of  
> > an email ?
> >
> > I am aware of SPF which can confirm that a host at ip address  
> > x.x.x.x is authorized to send mail as from domain “A”, but how  
> > about a means to confirm that [EMAIL PROTECTED] actually is a  
> > real user before accepting mail from him ?
> >
> I don't believe SA can do that as it's a content filter. Some MTAs  
> can do this and this is were you want those kinds of verifications to  
> happen, before DATA. The problem is that if you do it for every  
> address you will get false positives, especially from sources like  
> mailing lists, news & info subscriptions, etc., and you'll find  
> yourself whitelisting alot.
> 
> I actually do this using Postfix but I use a table of 'frequently  
> forged domains' whose addresses are verified before they are allowed  
> to pass on to the content filters.

It's also worth noting that doing this is counterproductive in an overall
strategy sense, since it drives the spammers to simply use known-valid
third-party addresses -- such as random addrs from their target address
list -- as the forged source of the spam.  The end result for us end
users, is a massive increase in "spam blowback", which is what we've
seen since those MTAs implemented it. :(

--j.


RE: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread Michael Grey
Yes, I tend to agree with this... the reason why many POP servers reply to
VRFY with 'You can try...' instead of a yes or no.

Unfortunately I am not the one driving this requirement ;) 

I like Michel Vaillancourt's idea - if it has to be done.

I appreciate everyone's feedback to this question. 


Michael Grey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 30, 2006 10:44 AM
To: Gino Cerullo
Cc: users@spamassassin.apache.org
Subject: Re: source SENDER authentication ? (as opposed to SPF HOST
authentication) 


Gino Cerullo writes:
> part 1.2   text/plain1027
> On 30-Aug-06, at 1:10 PM, Michael Grey wrote:
> 
> > Are there any SA methods that allow verification of the 'sender' of  
> > an email ?
> >
> > I am aware of SPF which can confirm that a host at ip address  
> > x.x.x.x is authorized to send mail as from domain "A", but how  
> > about a means to confirm that '[EMAIL PROTECTED]' actually is a  
> > real user before accepting mail from him ?
> >
> I don't believe SA can do that as it's a content filter. Some MTAs  
> can do this and this is were you want those kinds of verifications to  
> happen, before DATA. The problem is that if you do it for every  
> address you will get false positives, especially from sources like  
> mailing lists, news & info subscriptions, etc., and you'll find  
> yourself whitelisting alot.
> 
> I actually do this using Postfix but I use a table of 'frequently  
> forged domains' whose addresses are verified before they are allowed  
> to pass on to the content filters.

It's also worth noting that doing this is counterproductive in an overall
strategy sense, since it drives the spammers to simply use known-valid
third-party addresses -- such as random addrs from their target address
list -- as the forged source of the spam.  The end result for us end
users, is a massive increase in "spam blowback", which is what we've
seen since those MTAs implemented it. :(

--j.


Re: problem with RX subjects

2006-08-30 Thread Paul Tenfjord
On Wednesday 30 August 2006 17:55, Theo Van Dinter wrote:
> On Wed, Aug 30, 2006 at 05:47:38PM +0200, Paul Tenfjord wrote:
> > header LOCAL_RX_SUBJECT Subject =~ /[a-z](RX)[a-z]/
>
> (ignoring anything else in this subject)
> There's no reason to capture the string "RX", so you can remove the
> parens.

Right. Thanks




Re: problem with RX subjects

2006-08-30 Thread Loren Wilton

> header LOCAL_RX_SUBJECT Subject =~ /[a-z](RX)[a-z]/

Take the parens out.  They aren't doing anything for you, and since they
are a capturing group they will really slow things down.


   Loren



Re: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread Gino Cerullo

On 30-Aug-06, at 1:44 PM, Justin Mason wrote:

> Gino Cerullo writes:
>> part 1.2   text/plain1027
>> On 30-Aug-06, at 1:10 PM, Michael Grey wrote:
>>
>>> Are there any SA methods that allow verification of the ‘sender’ of
>>> an email ?
>>>
>>> I am aware of SPF which can confirm that a host at ip address
>>> x.x.x.x is authorized to send mail as from domain “A”, but how
>>> about a means to confirm that [EMAIL PROTECTED] actually is a
>>> real user before accepting mail from him ?
>>
>> I don't believe SA can do that as it's a content filter. Some MTAs
>> can do this and this is were you want those kinds of verifications to
>> happen, before DATA. The problem is that if you do it for every
>> address you will get false positives, especially from sources like
>> mailing lists, news & info subscriptions, etc., and you'll find
>> yourself whitelisting alot.
>>
>> I actually do this using Postfix but I use a table of 'frequently
>> forged domains' whose addresses are verified before they are allowed
>> to pass on to the content filters.
>
> It's also worth noting that doing this is counterproductive in an overall
> strategy sense, since it drives the spammers to simply use known-valid
> third-party addresses -- such as random addrs from their target address
> list -- as the forged source of the spam.  The end result for us end
> users, is a massive increase in "spam blowback", which is what we've
> seen since those MTAs implemented it. :(

Unfortunate but SPF would prevent that as well. If everyone just used
SPF, none of this would be a problem.


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740







Re: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread Theo Van Dinter
On Wed, Aug 30, 2006 at 01:37:37PM -0400, Michel Vaillancourt wrote:
> > The short answer is that there's no way to do that in general, regardless
> > of SA, so no.
> 
>   There is a way to do it, but someone more skilled at PERL than I would 
> have to carve it...  you actually open an SMTP conversation with 
> "REMOTE_DOMAIN.com" a la:
> 
> RCPT TO: [EMAIL PROTECTED]
> 554 <[EMAIL PROTECTED]>: Relay access denied
> 
>   ...  trap that "5xx" return, and you know its a bogus sender.  The 
> plug-in adds 2 points to the score.
>   Get a "250 Ok" back, and you are likely "safe"... score 0.

That *may* tell you whether or not a sender is valid -- what if the server is
just blocking you?  What if there's a misconfiguration for a minute?  What if
RCPT TO works but it turns out the server would have denied you after DATA
instead?  What if the server is a relay which accepts all mails for a domain
regardless of whether or not the downstream server will accept it?  What if
the email address is not a user and only receives mails (ie: spamtraps, etc.)

There is no way to solve this definitively based on current protocols/etc.

You can try to make assumptions with things like VRFY (most people just
disable that), RCPT TO, etc, but it doesn't necessarily mean anything
wrt spam.

For instance, if I was going to spam people and a "sender verification" system
was in use widely, I'd just start using random addresses from my list to send
to other people -- if I paid attention to those that are accepted at RCPT TO,
versus those that don't, then I bypass your system trivially.

-- 
Randomly Generated Tagline:
"Klingon function calls do not have 'parameters' - they have 'arguments' -
 and they ALWAYS WIN THEM." - Klingon Programmer's Manual
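
The objection raised above (neither a 5xx nor a 250 at RCPT TO settles whether the sender exists), worked through as an added example; it is not code from the thread or from SpamAssassin. It classifies recorded callout transcripts offline, and the transcripts, the example.* names, the function names and the outcome labels are all constructed for illustration.

```python
import re

# One SMTP reply line: code, separator ("-" means more lines follow),
# optional RFC 3463 enhanced status code, free text.
REPLY_RE = re.compile(r"^(\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3})\s+)?(.*)$")
NO_MAILBOX_TEXT = re.compile(
    r"user unknown|unknown user|no such (?:user|mailbox|recipient)|does not exist",
    re.I)
POLICY_TEXT = re.compile(r"relay|denied|blocked|policy|not permitted", re.I)


def rcpt_reply(transcript):
    """Return (code, enhanced, text) for the reply to the first RCPT TO,
    or None if the server never answered it."""
    lines = [ln.strip() for ln in transcript.strip().splitlines()]
    for i, ln in enumerate(lines):
        if not ln.upper().startswith("RCPT TO:"):
            continue
        parts = []
        for reply in lines[i + 1:]:
            m = REPLY_RE.match(reply)
            if not m:
                break
            code, sep, enhanced, text = m.groups()
            parts.append(text)
            if sep == " ":          # final line of a (multi-line) reply
                return int(code), enhanced, " ".join(parts)
        break
    return None


def classify_callout(transcript):
    """Map a callout transcript to an outcome label (labels are hypothetical).

    Only an explicit "no such mailbox" counts as evidence against the
    sender; every other result is reported as unproven or indeterminate.
    """
    reply = rcpt_reply(transcript)
    if reply is None:
        return "indeterminate:no-reply"
    code, enhanced, text = reply
    if 200 <= code < 300:
        # A relay or catch-all accepts everything; acceptance proves nothing.
        return "accepted:unproven"
    if 400 <= code < 500:
        return "indeterminate:temporary"
    if enhanced == "5.1.1" or (enhanced is None and NO_MAILBOX_TEXT.search(text)):
        return "rejected:no-such-mailbox"
    if (enhanced or "").startswith("5.7.") or POLICY_TEXT.search(text):
        # The server is refusing the prober, not describing the mailbox.
        return "indeterminate:policy"
    return "indeterminate:other-5xx"


def callout_score(outcome, points=2.0):
    """Hypothetical scoring: points only for an explicit mailbox rejection."""
    return points if outcome == "rejected:no-such-mailbox" else 0.0


# Constructed transcripts; only the reply to RCPT TO differs between them.
PREFIX = (
    "220 mx.example.net ESMTP\n"
    "EHLO probe.example.org\n"
    "250-mx.example.net\n"
    "250 8BITMIME\n"
    "MAIL FROM:<>\n"
    "250 Ok\n"
    "RCPT TO:<sender@example.com>\n"
)
SAMPLES = {
    "relay_denied": PREFIX + "554 <sender@example.com>: Relay access denied\n",
    "unknown_user": PREFIX
    + "550-5.1.1 <sender@example.com>: Recipient address rejected:\n"
    + "550 5.1.1 User unknown in local recipient table\n",
    "legacy_unknown": PREFIX + "550 <sender@example.com>: No such user here\n",
    "greylisted": PREFIX + "450 4.2.0 <sender@example.com>: Greylisted, try later\n",
    "catch_all": PREFIX + "250 2.1.5 Ok\n",
    "dropped": PREFIX,
}

if __name__ == "__main__":
    for name, transcript in SAMPLES.items():
        outcome = classify_callout(transcript)
        print(f"{name:15} {outcome:28} score={callout_score(outcome)}")
```

A "Relay access denied" reply lands in the policy bucket and scores 0, because it says the server will not relay for the prober, not that the mailbox is missing.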




RE: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread SM

At 10:55 30-08-2006, Michael Grey wrote:

> I like Michel Vaillancourt's idea - if it has to be done.


There are milters and MTAs that can do that.  It's not a good idea as 
it can cause a denial of service.


Regards,
-sm 



Hacked E-Trade Phishing Site

2006-08-30 Thread Chris
Check at the top of this E-trade Phishing site:

http://196.1.161.115/e/t/user/login/

-- 
Chris
18:00:23 up 13 days, 43 min, 1 user, load average: 0.39, 0.34, 0.30




Re: Hacked E-Trade Phishing Site

2006-08-30 Thread Evan Platt

At 04:02 PM 8/30/2006, you wrote:
> Check at the top of this E-trade Phishing site:
>
> http://196.1.161.115/e/t/user/login/

I get it but I don't get it. I could understand if it was an image,
but that's TEXT.

Clueless phisher?

> 18:00:23 up 13 days, 43 min, 1 user, load average: 0.39, 0.34, 0.30

Must not be running a Windoze box eh?



Re: Hacked E-Trade Phishing Site

2006-08-30 Thread Steve Thomas
> Check at the top of this E-trade Phishing site:
>
> http://196.1.161.115/e/t/user/login/

That's brilliant. Looks like there's a creative grey-hat out there somewhere.

Also interesting - the login form itself is a flash app. I haven't seen
that before (but I don't check many of them out, either...).

St-




Re: Hacked E-Trade Phishing Site

2006-08-30 Thread Logan Shaw

??? wrote:
>> Check at the top of this E-trade Phishing site:
>>
>> http://196.1.161.115/e/t/user/login/

On Wed, 30 Aug 2006, Steve Thomas wrote:
> That's brilliant. Looks like there's a creative grey-hat out there somewhere.
>
> Also interesting - the login form itself is a flash app. I haven't seen
> that before (but I don't check many of them out, either...).


I didn't notice that login form, but then I have the flashblock
firefox extension, so it didn't load.  I was wondering why
they'd have a phishing web site with no login form...

My guess is that the flash login form is an easy way to collect
the data, send it off somewhere else, then pass it through to
the real site.

  - Logan


Re: Hacked E-Trade Phishing Site

2006-08-30 Thread Chris
On Wednesday 30 August 2006 6:08 pm, Evan Platt wrote:
> At 04:02 PM 8/30/2006, you wrote:
> >Check at the top of this E-trade Phishing site:
> >
> >http://196.1.161.115/e/t/user/login/
>
> I get it but I don't get it. I could understand if it was an image,
> but that's TEXT.
>
> Clueless phisher?
>
> >18:00:23 up 13 days, 43 min, 1 user, load average: 0.39, 0.34, 0.30
>
> Must not be running a Windoze box eh?

Uh, no, I haven't in over four years now.

-- 
Chris
19:21:51 up 13 days, 2:05, 1 user, load average: 0.12, 0.12, 0.12





Re: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread Benny Pedersen
On Wed, August 30, 2006 19:37, Michel Vaillancourt wrote:
> to carve it...  you actually open an SMTP conversation with
>   ...  trap that "5xx" return, and you know its a bogus sender.
> The plug-in adds 2 points to the score.
>   Get a "250 Ok" back, and you are likely "safe"... score 0.

sendmail -bv [EMAIL PROTECTED]

-- 
"This message was sent using 100% recycled spam mails."



Re: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-08-30 Thread Benny Pedersen
On Wed, August 30, 2006 19:44, Justin Mason wrote:
> list -- as the forged source of the spam.  The end result for us end
> users, is a massive increase in "spam blowback", which is what we've
> seen since those MTAs implemented it. :(

spf solves that


-- 
"This message was sent using 100% recycled spam mails."



Re: Bayes: 1 message, 2 results

2006-08-30 Thread jdow

From: "Thomas Ericsson" <[EMAIL PROTECTED]>


> Hi
>
> I've gotten a lot of low scoring bayes hits, especially BAYES_00, so
> I figured the database is off. I ran sa-learn --clear to start over,
> but I still get a lot of BAYES_00. I then ran spamassassin -D --mbox
> BUNCHOFSPAM.mbox to see what gives. It turns out I get a different
> result from when the mail was delivered in the first place. Could it
> be that each mail gets scanned more than one time? Any ideas appreciated
>
> Thomas


I would hazard a guess that two different Bayes databases were used,
one for actual reception and the other for your test. You might check
into that possibility. Be sure to run the spamassassin tests as the
same "user" which maintains the Bayes database you are trying to fix.

{^_^}
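
One way to compare the two results, as an added example (not code from the thread or from SpamAssassin): it parses the X-Spam-Status header of the delivered copy and of the rescan and reports which tests changed. The header values are the ones posted in the question, with the folding whitespace restored; the function names are made up here.

```python
import re
from email import message_from_string

# Matches the header after folding has been undone and the space after
# "Yes,"/"No," removed, e.g. "No,score=2.0 required=4.0 tests=A,B autolearn=no".
STATUS_RE = re.compile(
    r"^(Yes|No),score=(-?\d+(?:\.\d+)?) required=(-?\d+(?:\.\d+)?) tests=(\S*)")


def parse_spam_status(raw_message):
    """Extract verdict, score, threshold and test names from X-Spam-Status."""
    value = message_from_string(raw_message).get("X-Spam-Status")
    if value is None:
        raise ValueError("message has no X-Spam-Status header")
    # The test list is folded across lines after a comma; rejoin it first.
    flat = " ".join(re.sub(r",\s+", ",", value).split())
    m = STATUS_RE.match(flat)
    if m is None:
        raise ValueError("unrecognised X-Spam-Status: %r" % flat)
    verdict, score, required, tests = m.groups()
    return {
        "flagged": verdict == "Yes",
        "score": float(score),
        "required": float(required),
        "tests": set(tests.split(",")) - {"", "none"},
    }


def diff_scans(first, second):
    """Compare two parsed scans of the same message."""
    only_first = first["tests"] - second["tests"]
    only_second = second["tests"] - first["tests"]
    changed = only_first | only_second
    return {
        "only_first": only_first,
        "only_second": only_second,
        "score_delta": round(second["score"] - first["score"], 2),
        # True when every rule that changed is a Bayes bucket, i.e. the two
        # scans disagree only about what the Bayes database says.
        "bayes_only": bool(changed) and all(t.startswith("BAYES_") for t in changed),
    }


# Headers as posted in the question (addresses omitted, folding restored).
DELIVERED = (
    "X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on server.fido.se\n"
    "X-Spam-Status: No, score=2.0 required=4.0 tests=BAYES_00,FIDO_Stocks,\n"
    "\tHTML_MESSAGE,SUB_HELLO autolearn=no version=3.1.3\n"
    "Subject: Hello\n"
    "\n"
)
RESCANNED = (
    "Subject: *SPAM* Hello\n"
    "X-Spam-Status: Yes, score=8.1 required=4.0 tests=BAYES_99,FIDO_Stocks,\n"
    "\tHTML_MESSAGE,SUB_HELLO autolearn=no version=3.1.3\n"
    "X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on server.fido.se\n"
    "\n"
)

if __name__ == "__main__":
    result = diff_scans(parse_spam_status(DELIVERED), parse_spam_status(RESCANNED))
    for key, value in result.items():
        print(key, "=", value)
```

For the two posted copies the only rule that differs is the Bayes bucket, which accounts for the whole 6.1 point gap.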


Re: Hacked E-Trade Phishing Site

2006-08-30 Thread jdow

From: "Evan Platt" <[EMAIL PROTECTED]>


> At 04:02 PM 8/30/2006, you wrote:
>> Check at the top of this E-trade Phishing site:
>>
>> http://196.1.161.115/e/t/user/login/
>
> I get it but I don't get it. I could understand if it was an image,
> but that's TEXT.
>
> Clueless phisher?
>
>> 18:00:23 up 13 days, 43 min, 1 user, load average: 0.39, 0.34, 0.30
>
> Must not be running a Windoze box eh?


You did not read the very top line.
{^_^}   <- did a wget and read the html. There is an interesting
line. And it appears most people will miss it.



File mode set incorrectly

2006-08-30 Thread Albert Poon

My box is FreeBSD 6.1-I386 and my SA is installed from ports. (MIMEDefang +
SA + ClamAV)
The combination is running as "mailnull" and I have changed the owner of the
related directories accordingly. 

My problem is, both auto_whitelist_file_mode and bayes_file_mode cannot be
set correctly, and they have different problems:

For bayes_file_mode, I set to 0777, but the output is only 0666. If I set to
0700, it turns out to be 0600.

For auto_whitelist_file_mode, no matter what I set, it only becomes 0640.

Since they are installed from ports and most of the settings are default
value, I bet I am not the only one facing the problem. Anyone?

-- 
View this message in context: 
http://www.nabble.com/File-mode-set-incorrectly-tf2194216.html#a6072550
Sent from the SpamAssassin - Users forum at Nabble.com.



catching fake usernames?

2006-08-30 Thread Rick Roe
I get a lot of spam whose From addresses are users that don't exist on  
my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc).  
I recently set up a scheme to manually blacklist all From addresses on  
my domains and un-blacklist the fifty or so "real" addresses mail can  
legitimately come from (the system aliases like postmaster, daemon,  
and so forth, and a small handful of real users each with a handful of  
aliases), using blacklist_from and unblacklist_from in the local  
config file.


This is a rather fragile system, though -- anytime I go to add any new  
users or aliases, I'll have to edit my local.cf files to match. My  
user population is rather static, so it's not a big deal, but it seems  
like there should be a simpler, more automatic way to do this. Am I  
missing something?


Re: catching fake usernames?

2006-08-30 Thread QQQQ
Your MTA should be doing this job and not SA IMHO.



----- Original Message -----
From: "Rick Roe" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, August 30, 2006 9:41 PM
Subject: catching fake usernames?


|I get a lot of spam whose From addresses are users that don't exist on  
| my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc).  
| I recently set up a scheme to manually blacklist all From addresses on  
| my domains and un-blacklist the fifty or so "real" addresses mail can  
| legitimately come from (the system aliases like postmaster, daemon,  
| and so forth, and a small handful of real users each with a handful of  
| aliases), using blacklist_from and unblacklist_from in the local  
| config file.
| 
| This is a rather fragile system, though -- anytime I go to add any new  
| users or aliases, I'll have to edit my local.cf files to match. My  
| user population is rather static, so it's not a big deal, but it seems  
| like there should be a simpler, more automatic way to do this. Am I  
| missing something?
| 
|



Re: catching fake usernames?

2006-08-30 Thread Theo Van Dinter
On Wed, Aug 30, 2006 at 08:41:37PM -0700, Rick Roe wrote:
> I get a lot of spam whose From addresses are users that don't exist on  
> my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc).  
[...]
> Am I missing something?

Typically it's easiest (and standard) to simply not accept mail for
non-existent users in the first place.  Is there a reason you've set up your
system that way?

-- 
Randomly Generated Tagline:
The descent to Hades is the same from every place.
-- Anaxagoras




Re: catching fake usernames?

2006-08-30 Thread Gino Cerullo

On 30-Aug-06, at 11:41 PM, Rick Roe wrote:

> I get a lot of spam whose From addresses are users that don't exist
> on my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED],
> etc). I recently set up a scheme to manually blacklist all From
> addresses on my domains and un-blacklist the fifty or so "real"
> addresses mail can legitimately come from (the system aliases like
> postmaster, daemon, and so forth, and a small handful of real users
> each with a handful of aliases), using blacklist_from and
> unblacklist_from in the local config file.
>
> This is a rather fragile system, though -- anytime I go to add any
> new users or aliases, I'll have to edit my local.cf files to match.
> My user population is rather static, so it's not a big deal, but it
> seems like there should be a simpler, more automatic way to do
> this. Am I missing something?

SPF will address this at the MTA. Depending on your MTA you may be
able to address this by checking against the user database but I
wouldn't do it in SpamAssassin. It's a content filter, it shouldn't be
verifying user accounts for this purpose.


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740







Re: catching fake usernames?

2006-08-30 Thread Matt Kettler
Theo Van Dinter wrote:
> On Wed, Aug 30, 2006 at 08:41:37PM -0700, Rick Roe wrote:
>   
>> I get a lot of spam whose From addresses are users that don't exist on  
>> my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc).  
>> 
> [...]
>   
>> Am I missing something?
>> 
>
> Typically it's easiest (and standard) to simply not accept mail for
> non-existant users in the first place.  Is there a reason you've setup your
> system that way?
>
>   
Erm, Theo, he said *From* users that don't exist, not To users that
don't exist.. (ie: forged From: [EMAIL PROTECTED] To:
[EMAIL PROTECTED])

There are two solutions I can think of.

One is to publish a SPF record for your own domain, and use a SPF milter.

The other is to use a tool that does really good in-order access control
lists to your MTA. milter-greylist, while designed for greylisting, has
grown to have a quite flexible ACL system. Using it you could
"whitelist" all your local IPs that legitimately generate mail with your
domain, then follow it up by blacklisting anything else that claims to
be from the local domain.


Network Test Timeouts

2006-08-30 Thread skeet

I am running spamassassin 3.1.4 on Fedora Core 5. My DNSBL tests, pyzor and
SPF all seem to time out far too often. However, URIBL seems to be working
just fine. I am running Net::DNS .58. Occasionally some of the DNS tests
will not time out, but the results (if any) do not score (when using spamd
anyway). This also appears to be the case with pyzor. I see no errors of note
when running spamd -D. Everything else (rules, URIBL, Fuzzy OCR) seems to be
working fine. Anyone have any input? I am a relative newbie to Fedora and
am ripping my hair out. Thank You
-- 
View this message in context: 
http://www.nabble.com/Network-Test-Timeouts-tf2194401.html#a6073004
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: catching fake usernames?

2006-08-30 Thread Benny Pedersen
On Thu, August 31, 2006 05:41, Rick Roe wrote:
> like there should be a simpler, more automatic way to do this. Am I
> missing something?

in postfix main.cf

smtpd_reject_unlisted_sender = yes

-- 
"This message was sent using 100% recycled spam mails."



Re: catching fake usernames?

2006-08-30 Thread John Andersen
On Wednesday 30 August 2006 19:56, Theo Van Dinter wrote:
> On Wed, Aug 30, 2006 at 08:41:37PM -0700, Rick Roe wrote:
> > I get a lot of spam whose From addresses are users that don't exist on
> > my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc).
>
> [...]
>
> > Am I missing something?
>
> Typically it's easiest (and standard) to simply not accept mail for
> non-existant users in the first place.  Is there a reason you've setup your
> system that way?

The problem is that if ONE of the names is a real user, the mail
has to be passed thru, and the MTA will do so.

However, any mail with a totally bogus user as a CC name or 
just ONE of the recipients is a strong candidate for spam.

The more recipients, the stronger the candidacy.

-- 
_
John Andersen




Re: catching fake usernames?

2006-08-30 Thread John Andersen
On Wednesday 30 August 2006 21:25, Benny Pedersen wrote:
> On Thu, August 31, 2006 05:41, Rick Roe wrote:
> > like there should be a simpler, more automatic way to do this. Am I
> > missing something?
>
> in postfix main.cf
>
> smtpd_reject_unlisted_sender = yes

Won't work if ONE of the recipients is real...

-- 
_
John Andersen




Re: catching fake usernames?

2006-08-30 Thread Benny Pedersen
On Thu, August 31, 2006 07:24, John Andersen wrote:

> Won't work if ONE of the recipients is real...

still better than nothing, spf or sender access can take the rest, but since i
still not using spf in mta it's needed to be done as a restriction class in
postfix

could be a sender class that reject if client ip is not auth

problem is just not as big here to make it needed

spamassassin have an accessdb plugin btw, just wish it handled other db also

-- 
"This message was sent using 100% recycled spam mails."



RBL and blackholes.us.

2006-08-30 Thread Xueron Nee
Hi All:

These days, I found that many outbound messages of my server were blocked
by blackholes.us. I checked all my IPs and found so many of them listed
in this list.

There are many email servers that use the list as rbl straitly, although it
says: "Blackholes.us does not list spammers, spam supporters, or
vulnerable hosts (open relays/proxies) at the present time. The data
published here is not intended for use as any kind of anti-spam
"solution," although it can be helpful as part of a larger system."

So, Can anybody give me some advice how to remove my IPs from it quickly?


-- 
Xueron Nee <[EMAIL PROTECTED]>



SPF Failing for this list mail

2006-08-30 Thread Ramprasad
Hi,
  One mail for this list got into my quarantine. I was surprised since I
had spf_whitelist'ed spamassassin.apache.org

I went thru the logs, got this


Aug 30 03:20:27 rs14 MailScanner[25502]: Message 747B1441F1.64958 from
209.237.227.199 (dev-return-27257-
[EMAIL PROTECTED]) to netcore.co.in is spam,
CTSCORE : 0 REFID:
[str=0001.0A090202.44F4B55B.008B:SCFONLINE515039,ss=1,fgs=0],
SpamAssassin (score=6.776, required 5, BAYES_00 -2.60, DRUGS_ERECTILE
0.49, DRUGS_ERECTILE_OBFU 2.41, FUZZY_VPILL 0.92, MANGLED_VIAGRA 2.50,
SARE_OBFU_VIAGRA 1.67, SPF_SOFTFAIL 1.38)
Aug 30 03:20:27 rs14 MailScanner[25502]: Spam Actions: message
747B1441F1.64958 actions are store
--

Anyone else seen this?

Thanks
Ram
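
To see how much of that score the SPF result accounts for, here is an added example (not part of the original post) that parses the MailScanner entry above, rejoined onto one line, and recomputes the total with chosen rules left out. The function names are hypothetical.

```python
import re

# The log entry from the post above, with the mail line-wrapping removed.
LOG_LINE = (
    "Aug 30 03:20:27 rs14 MailScanner[25502]: Message 747B1441F1.64958 from "
    "209.237.227.199 (dev-return-27257-[EMAIL PROTECTED]) to netcore.co.in "
    "is spam, CTSCORE : 0 REFID: "
    "[str=0001.0A090202.44F4B55B.008B:SCFONLINE515039,ss=1,fgs=0], "
    "SpamAssassin (score=6.776, required 5, BAYES_00 -2.60, "
    "DRUGS_ERECTILE 0.49, DRUGS_ERECTILE_OBFU 2.41, FUZZY_VPILL 0.92, "
    "MANGLED_VIAGRA 2.50, SARE_OBFU_VIAGRA 1.67, SPF_SOFTFAIL 1.38)"
)

# "SpamAssassin (score=S, required R, RULE score, RULE score, ...)"
REPORT_RE = re.compile(
    r"SpamAssassin \(score=(-?[\d.]+), required (-?[\d.]+), (.*?)\)"
)
RULE_RE = re.compile(r"([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)")


def parse_report(line):
    """Return (reported_score, required, {rule: score}) for one log entry."""
    m = REPORT_RE.search(line)
    if m is None:
        raise ValueError("no SpamAssassin report in line")
    rules = {name: float(val) for name, val in RULE_RE.findall(m.group(3))}
    return float(m.group(1)), float(m.group(2)), rules


def score_without(line, *dropped):
    """Sum the per-rule scores, skipping `dropped`; return (score, is_spam)."""
    _, required, rules = parse_report(line)
    remaining = sum(v for k, v in rules.items() if k not in dropped)
    return round(remaining, 2), remaining >= required


if __name__ == "__main__":
    reported, required, rules = parse_report(LOG_LINE)
    for name, val in sorted(rules.items(), key=lambda kv: -kv[1]):
        print(f"{name:22s} {val:6.2f}")
    print("reported:", reported, "required:", required)
    print("without SPF_SOFTFAIL:", score_without(LOG_LINE, "SPF_SOFTFAIL"))
```

On this entry the logged per-rule scores sum to 6.77, and with SPF_SOFTFAIL left out the remainder is 5.39, still at or above the required 5.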



Re: RBL and blackholes.us.

2006-08-30 Thread John Andersen
On Wednesday 30 August 2006 22:15, Xueron Nee wrote:
> Hi All:
>
> These days, I found that many outbound messages of my server were blocked
> by blackholes.us. I checked all my IPs and found so many of them listed
> in this list.
>
> There are many email servers that use the list as an RBL directly, although it
> says: "Blackholes.us does not list spammers, spam supporters, or
> vulnerable hosts (open relays/proxies) at the present time. The data
> published here is not intended for use as any kind of anti-spam
> "solution," although it can be helpful as part of a larger system."
>
> So, can anybody give me some advice on how to remove my IPs from it quickly?

Seems to me that they have removal procedures on the site.

First you might want to FIND OUT why your servers are listed.  Are there
perhaps some compromised machines forwarding mail thru your mail
servers?  

You said:
  "I checked all my IPs and found so many of them listed in this list."
How many mail servers do you have?  Or were these not ALL mail servers?
If they were not mail servers, then it sounds EVEN MORE like compromised
machines sending email via some bot.

If it's any consolation, large ISPs with millions of subscribers get blackholed
there all the time, and are constantly fighting them.   It seems collective 
punishment is politically incorrect in all areas of human discourse except 
fighting spam.


My ISP had their primary server blackholed last week, cutting off about 75% of 
Alaska from sending mail to many sites. I suspect the bot nets have started 
relaying thru the ISPs' mail systems rather than going direct, and perhaps 
purposely sending mail to honeypots via ISP MTAs simply to poison the 
blackhole lists.

-- 
_
John Andersen




Re: File mode set incorrectly

2006-08-30 Thread Magnus Holmgren
On Thursday 31 August 2006 05:33, Albert Poon took the opportunity to say:
> My box is FreeBSD 6.1-I386 and my SA is installed from ports. (MIMEDefang +
> SA + ClamAV)
> The combination is running as "mailnull" and I have changed the owner of
> the related directories accordingly.
>
> My problem is, both auto_whitelist_file_mode and bayes_file_mode cannot be
> set correctly, and they have different problems:
>
> For bayes_file_mode, I set to 0777, but the output is only 0666. If I set
> to 0700, it turns out to be 0600.

That's by design. The mode is used as is (e.g. 0700) for any directories that 
need to be created, but for the files the x bits are masked off. Why would 
you want the databases to be executable?

> For auto_whitelist_file_mode, no matter what I set, it only becomes 0640.

The same should be true for this one.

-- 
Magnus Holmgren [EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)

