RE: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Michael Scheidell
Did uninstall, outlook 2002, sp3, spamassassin coach buttons still on
menu. Can't get rid of them.


Re: Bayes: 1 message, 2 results

2006-09-01 Thread Thomas Ericsson

Thanks jdow

Seems like you were right. My debug session was run as an
administrator but needed to be run as root. Now I just got to figure
out how my bayes database could get so skewed.


I've got a global SPAM and HAM mailbox for our whole domain that our
users drop their false positives and negatives in. I run sa-learn on
them every other day. Since the HAM box hardly gets any messages in it
I have used my own inbox, that I know is spam free, to learn as HAM.
Is that a correct way to do it? Could any of the headers that our MTA
is adding get counted as valid tokens when I run sa-learn --spam?



Thomas Ericsson




On 31 Aug 2006, at 04:56, jdow wrote:


From: Thomas Ericsson [EMAIL PROTECTED]


Hi
I've gotten a lot of low scoring bayes hits, especially BAYES_00,
so I figured the database is off. I ran sa-learn --clear to start
over, but I still get a lot of BAYES_00. I then ran spamassassin
-D --mbox < BUNCHOFSPAM.mbox to see what gives. It turns out I get
a different result from when the mail was delivered in the first
place. Could it be that each mail gets scanned more than one time?
Any ideas appreciated

Thomas


I would hazard a guess that two different Bayes databases were used,
one for actual reception and the other for your test. You might check
into that possibility. Be sure to run the spamassassin tests as the
same user which maintains the Bayes database you are trying to fix.

{^_^}




Re: Discourage broken content

2006-09-01 Thread jdow

From: Kris Deugau [EMAIL PROTECTED]

John Andersen wrote:

Mailscanner


... or any other mail-handling software...


has no business changing content.


... unless you explicitly configure it to do so.  (ATTN:  AVG for 
Windows POP3/SMTP interface/hook authors, This Means You!  Among others.)


Use POP3S. That is MUCH harder to place an AVG man in the middle
rewrite into.

{^_-}



RE: Very big auto-whitelist file

2006-09-01 Thread Stéphane LEPREVOST

One more question in the same way : my bayes_seen file is quite huge too
(about 160Mb)

Googling around about this I saw there were some bugs with versions prior to
3.1 but despite I'm using version 3.1.1 (a bit late on upgrading too, I'm
afraid :-\ ) I think there's something wrong here too... Is there a way to
fix it or to trim the file ?

Stephane

-Original Message-
From: Stéphane LEPREVOST [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 August 2006 22:39
To: 'users@spamassassin.apache.org'
Subject: RE: Very big auto-whitelist file


Thanks Kris for this useful tool, I'll try it tomorrow (and thanks to Roger
too who noticed the existence of your tool)

As you noticed, I get worried very very very late... But in fact I wasn't in
charge of spamassassin when we first saw this growth, that's why I'm back on
the problem only now... I guess I'll pay more attention to this now ;D

Stephane

-Original Message-
From: Kris Deugau [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 August 2006 21:58
To: users@spamassassin.apache.org
Subject: Re: Very big auto-whitelist file

Roger Taranto wrote:
 There's an additional tool to run after you run check_whitelist.  It's 
 called trim_whitelist, and it compacts the db file.  I can't remember 
 where I found it, but you should be able to google for it.  It should 
 reduce the size of your db file quite a bit.

That would be the ancient creaky tool I wrote ~2 years ago.  g  Make sure
to read the notes and caveats regarding DB_File/AnyDBM_File.

Google seems to have lost, or *very* heavily downrated, the direct link to
the space I posted it (and a few other tools) to, so:

http://www.deepnet.cx/~kdeugau/spamtools/

And I wrote it because of this exact problem of AWL files growing
indefinitely...  although I got worried around 5M instead of 1.2G.  ;)

-kgd




Re: SPF_SOFTFAIL but there's no SPF record

2006-09-01 Thread jdow

From: Jason Haar [EMAIL PROTECTED]

Daryl C. W. O'Shea wrote:

This happens when DNS queries timeout as the plugin defaults to
SOFTFAIL per the recommendation of the then current draft.  I'm not
sure what the current experimental RFC says about it, but regardless,
we really need to assume that the domain isn't publishing SPF records.

I agree. I see this all the time - and it's because New Zealand is on
the end of a lng piece of wet string. Our latency leads to us
having DNS timeouts all the time. Timeouts should be treated as error
conditions - not decision making events :-)

A sad example: I have spamc running with a 30 sec max timeout. A good
20-30% of the spam reaching my Inbox now is due to spamd taking longer
than 30 seconds (i.e. spamc fails to return a score). Why does it take
so long? All those DNS lookups. If I run such failed mail back through
spamc a few minutes later, it gets to finish in under 30 secs (due to
DNS lookups now being in cache) and typically is picked as spam.


That's remarkably easy to do with procmail, you know. There was a
SpamAssassin bug that I worked around that way.

{o.o}



Re: The grey hats are at it in force

2006-09-01 Thread jdow

From: Chris [EMAIL PROTECTED]


This is even better than the last one:


I wonder if we are seeing warring blackhats rather than greyhats fighting
blackhats.

{^_^}


FuzzyOcr development/support stop for 7 weeks

2006-09-01 Thread decoder

Hello all,


since I will have a very tight time schedule in the next 7 weeks for a
project at the university, I will not be able to release any new
versions of FuzzyOcr, fix bugs, reply to questions or give support.
Instead of writing me, you can write to either this mailing list or
the devel-spam mailing list and other people will try to answer your
questions.

Moderator privileges for the devel-spam mailing list will be given to
some people that helped with the development earlier.


Best regards,


Chris



Re: Spammed by Non-delivery-report? (someone is using my email to spam)

2006-09-01 Thread Justin Mason

Rick Macdougall writes:
 John D. Hardin wrote:
  On Fri, 1 Sep 2006, Christian Purnomo wrote:
  
  I am having so much trouble at present that some people are using my
  email address to send their spam messages, in return I get hundreds and
  hundreds of non-delivery email + other misc reply such as out of office.

 Good luck Christian, if you want some regex's to use to reject mail 
 bounces I have a whack of them for use with qmail/simscan but they 
 should be easily adaptable to other setups.

There's also a very good ruleset I've been using for a while now, at 

http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/jm/20_vbounce.cf

It catches almost all my unwanted bounces.  Requires a little hand-editing
before it'll work, though, which is why it's not yet part of the default
distro (I hope to have that fixed for 3.2.0).

The problem is still volume, though -- if a spammer uses *just* your
address on a large spam run, the massive volume of incoming bounces will
quickly overwhelm most small mailserver setups. :(

--j.


RE: Very big auto-whitelist file

2006-09-01 Thread Stéphane LEPREVOST

Well, a little more information:

Output of sa-learn --dump magic -D :

[22420] dbg: bayes: found bayes db version 3
[22420] dbg: bayes: DB journal sync: last sync: 1157102359
[22420] dbg: config: score set 3 chosen.
0.000          0          3          0  non-token data: bayes db version
0.000          0    1189366          0  non-token data: nspam
0.000          0     197582          0  non-token data: nham
0.000          0     387408          0  non-token data: ntokens
0.000          0 1157049872          0  non-token data: oldest atime
0.000          0 1157102360          0  non-token data: newest atime
0.000          0 1157102359          0  non-token data: last journal sync atime
0.000          0 1157093142          0  non-token data: last expiry atime
0.000          0      43200          0  non-token data: last expire atime delta
0.000          0     295143          0  non-token data: last expire reduction count
[22420] dbg: bayes: untie-ing
[22420] dbg: bayes: untie-ing db_toks
[22420] dbg: bayes: untie-ing db_seen

If I read well, there's 387408 tokens in the DB... Despite there's no
bayes_expiry_max_db_size specified anywhere and the default value is 15
(??)

Shall I issue a sa-learn --force-expire command ?
Is it supposed to work ?

Stephane

-Original Message-
From: Stéphane LEPREVOST [mailto:[EMAIL PROTECTED]
Sent: Friday, 1 September 2006 10:18
To: 'users@spamassassin.apache.org'
Subject: RE: Very big auto-whitelist file


One more question in the same way : my bayes_seen file is quite huge too
(about 160Mb)

Googling around about this I saw there were some bugs with versions prior to
3.1 but despite I'm using version 3.1.1 (a bit late on upgrading too, I'm
afraid :-\ ) I think there's something wrong here too... Is there a way to
fix it or to trim the file ?

Stephane

-Original Message-
From: Stéphane LEPREVOST [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 August 2006 22:39
To: 'users@spamassassin.apache.org'
Subject: RE: Very big auto-whitelist file


Thanks Kris for this useful tool, I'll try it tomorrow (and thanks to Roger
too who noticed the existence of your tool)

As you noticed, I get worried very very very late... But in fact I wasn't in
charge of spamassassin when we first saw this growth, that's why I'm back on
the problem only now... I guess I'll pay more attention to this now ;D

Stephane

-Original Message-
From: Kris Deugau [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 August 2006 21:58
To: users@spamassassin.apache.org
Subject: Re: Very big auto-whitelist file

Roger Taranto wrote:
 There's an additional tool to run after you run check_whitelist.  It's 
 called trim_whitelist, and it compacts the db file.  I can't remember 
 where I found it, but you should be able to google for it.  It should 
 reduce the size of your db file quite a bit.

That would be the ancient creaky tool I wrote ~2 years ago.  g  Make sure
to read the notes and caveats regarding DB_File/AnyDBM_File.

Google seems to have lost, or *very* heavily downrated, the direct link to
the space I posted it (and a few other tools) to, so:

http://www.deepnet.cx/~kdeugau/spamtools/

And I wrote it because of this exact problem of AWL files growing
indefinitely...  although I got worried around 5M instead of 1.2G.  ;)

-kgd




score question

2006-09-01 Thread Tom Brown

Hi

I sent a mail from my work account, which i have no control over, to my 
home account which i have full control over.


I noticed that this check made up part of the score when it came in

DNS_FROM_RFC_POST=1.708

Can anyone tell me what that check is checking as i think i may need to 
advise the mail admins here that something is up


thanks


IO::Socket::INET6 problems

2006-09-01 Thread Anders Norrbring
I'm trying to get IO::Socket::INET6 to install since I actually use 
IPv6.. But so far no luck, and I haven't found any cure when Googling 
around on the subject either.


Anyone on the list who can help out?  The output I get is this:

  CPAN.pm: Going to build M/MO/MONDEJAR/IO-Socket-INET6-2.51.tar.gz

Checking if your kit is complete...
Looks good
Writing Makefile for IO::Socket::INET6
cp INET6.pm blib/lib/IO/Socket/INET6.pm
Manifying blib/man3/IO::Socket::INET6.3pm
  /usr/bin/make -j3 -- OK
Running make test
PERL_DL_NONLAZY=1 /usr/bin/perl -MExtUtils::Command::MM -e 
test_harness(0, 'blib/lib', 'blib/arch') t/*.t
t/io_multihomed6ok 

t/io_sock6..ok 11/20Died at t/io_sock6.t line 39, GEN5 line 2. 

t/io_sock6..dubious 


Test returned status 4 (wstat 1024, 0x400)
DIED. FAILED tests 12-20
Failed 9/20 tests, 55.00% okay
t/io_udp6...ok 


Failed Test   Stat Wstat Total Fail  List of Failed
---------------------------------------------------
t/io_sock6.t     4  1024    20   18  12-20
Failed 1/3 test scripts. 9/32 subtests failed.
Files=3, Tests=32, 121 wallclock secs ( 0.16 cusr +  0.10 csys =  0.26 CPU)
Failed 1/3 test programs. 9/32 subtests failed.
make: *** [test_dynamic] Error 255

--

Anders Norrbring
Norrbring Consulting


Strange SPF problem/wrong result

2006-09-01 Thread decoder

Hello,

today I saw a strange SPF bug occurring. The original mail header was:

Return-Path: [EMAIL PROTECTED]
Received: from mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200])
by wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP id
k7T8rU6P012050;
Tue, 29 Aug 2006 10:53:30 +0200
Received: from mail-eur1.microsoft.com (mail-eur1.microsoft.com
[213.199.128.139])
by mail.cs.uni-sb.de (8.13.8/2006081400) with ESMTP id k7T8rT98004989;
Tue, 29 Aug 2006 10:53:29 +0200 (CEST)
Received: from x.europe.corp.microsoft.com ([65.53.193.xxx]) by
mail-eur1.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
 Tue, 29 Aug 2006 09:53:29 +0100

(Some unrelated privacy details replaced with xxx).

Now what SPF should do is (as far as I understood):

- Get the mail server that sent this (mail-eur1.microsoft.com)
- Check that its IP is in the allowed SPF record of microsoft.com

This check passes as you can see here:
http://www.dnsstuff.com/tools/spf.ch?server=microsoft.com&ip=213.199.128.139

Now SpamAssassin did something else, it took mail.cs.uni-sb.de as the
mailserver that sent, and tried to match it against microsoft.com's
SPF records which produced a SOFTFAIL:

 1.4 SPF_SOFTFAIL   Sending host does not match SPF-record (softfail)
[SPF failed: Please see
http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]
 2.4 SPF_HELO_SOFTFAIL  HELO-Name does not match SPF-record (softfail)
[SPF failed: Please see
http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]

Can someone explain me this failure?

Thanks


Chris



Re: score question

2006-09-01 Thread Duane Hill
On Friday, September 1, 2006 at 10:15:40 AM, Tom confabulated:

 Hi

 I sent a mail from my work account, which i have no control over, to my
 home account which i have full control over.

 I noticed that this check made up part of the score when it came in

 DNS_FROM_RFC_POST=1.708

 Can anyone tell me what that check is checking as i think i may need to
 advise the mail admins here that something is up

 thanks

According to http://spamassassin.apache.org/tests_3_1_x.html, the test
is for the postmaster.rfc-ignorant.org RBL. You should check to see if
a  postmaster  account  exists  for  the  domain  you used to send the
message   from   work.   You   should   then  be  able  to  visit  the
rfc-ignorant.org site and request removal from the list.

-- 
This message was sent using 100% recycled electrons.



Re: Strange SPF problem/wrong result

2006-09-01 Thread Justin Mason

it's trusted_networks -- SpamAssassin doesn't know that it can
trust mail.cs.uni-sb.de.

--j.

decoder writes:
 today I saw a strange SPF bug occurring. The original mail header was:
 
 Return-Path: [EMAIL PROTECTED]
 Received: from mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200])
 by wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP id
 k7T8rU6P012050;
 Tue, 29 Aug 2006 10:53:30 +0200
 Received: from mail-eur1.microsoft.com (mail-eur1.microsoft.com
 [213.199.128.139])
 by mail.cs.uni-sb.de (8.13.8/2006081400) with ESMTP id k7T8rT98004989;
 Tue, 29 Aug 2006 10:53:29 +0200 (CEST)
 Received: from x.europe.corp.microsoft.com ([65.53.193.xxx]) by
 mail-eur1.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
  Tue, 29 Aug 2006 09:53:29 +0100
 
 (Some unrelated privacy details replaced with xxx).
 
 Now what SPF should do is (as far as I understood):
 
 - - Get the mail server that sent this (mail-eur1.microsoft.com)
 - - Check that its IP is in the allowed SPF record of microsoft.com
 
 This check passes as you can see here:
 http://www.dnsstuff.com/tools/spf.ch?server=microsoft.com&ip=213.199.128.139
 
 Now SpamAssassin did something else, it took mail.cs.uni-sb.de as the
 mailserver that sent, and tried to match it against microsoft.com's
 SPF records which produced a SOFTFAIL:
 
  1.4 SPF_SOFTFAIL   Sending host does not match SPF-record
 (softfail)
 [SPF failed: Please see
 http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]
  2.4 SPF_HELO_SOFTFAIL  HELO-Name does not match SPF-record
 (softfail)
 [SPF failed: Please see
 http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]
 
 Can someone explain me this failure?
 
 Thanks
 
 
 Chris


Re: Strange SPF problem/wrong result

2006-09-01 Thread decoder

So adding the line

trusted_networks 134.96.254.200

to local.cf will fix this problem and this mail would be recognized
correctly (as in pass SPF) ?

Thanks


Chris

Justin Mason wrote:
 it's trusted_networks -- SpamAssassin doesn't know that it can
 trust mail.cs.uni-sb.de.

 --j.

 decoder writes:
 today I saw a strange SPF bug occurring. The original mail header
 was:

 Return-Path: [EMAIL PROTECTED] Received: from
 mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200]) by
 wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP id
 k7T8rU6P012050; Tue, 29 Aug 2006 10:53:30 +0200 Received: from
 mail-eur1.microsoft.com (mail-eur1.microsoft.com
 [213.199.128.139]) by mail.cs.uni-sb.de (8.13.8/2006081400) with
 ESMTP id k7T8rT98004989; Tue, 29 Aug 2006 10:53:29 +0200 (CEST)
 Received: from x.europe.corp.microsoft.com ([65.53.193.xxx])
 by mail-eur1.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
  Tue, 29 Aug 2006 09:53:29 +0100

 (Some unrelated privacy details replaced with xxx).

 Now what SPF should do is (as far as I understood):

 - - Get the mail server that sent this (mail-eur1.microsoft.com)
 - - Check that its IP is in the allowed SPF record of
 microsoft.com

 This check passes as you can see here:

http://www.dnsstuff.com/tools/spf.ch?server=microsoft.com&ip=213.199.128.139


 Now SpamAssassin did something else, it took mail.cs.uni-sb.de as
 the mailserver that sent, and tried to match it against
 microsoft.com's SPF records which produced a SOFTFAIL:

 1.4 SPF_SOFTFAIL   Sending host does not match SPF-record
  (softfail) [SPF failed: Please see

http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]
  2.4 SPF_HELO_SOFTFAIL  HELO-Name does not match SPF-record
 (softfail) [SPF failed: Please see

http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]


 Can someone explain me this failure?

 Thanks


 Chris




Re: Strange SPF problem/wrong result

2006-09-01 Thread Justin Mason

give it a try, anyway  ;)

you can see what SpamAssassin thinks of the relays in the message,
using spamassassin -D -L -t < message and reading the debug
lines output.

more info: http://wiki.apache.org/spamassassin/TrustPath
   http://wiki.apache.org/spamassassin/TrustedRelays

--j.

decoder writes:
 So adding the line
 
 trusted_networks 134.96.254.200
 
 to local.cf will fix this problem and this mail would be recognized
 correctly (as in pass SPF) ?
 
 Thanks
 
 
 Chris
 
 Justin Mason wrote:
  it's trusted_networks -- SpamAssassin doesn't know that it can
  trust mail.cs.uni-sb.de.
 
  --j.
 
  decoder writes:
  today I saw a strange SPF bug occurring. The original mail header
  was:
 
  Return-Path: [EMAIL PROTECTED] Received: from
  mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200]) by
  wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP id
  k7T8rU6P012050; Tue, 29 Aug 2006 10:53:30 +0200 Received: from
  mail-eur1.microsoft.com (mail-eur1.microsoft.com
  [213.199.128.139]) by mail.cs.uni-sb.de (8.13.8/2006081400) with
  ESMTP id k7T8rT98004989; Tue, 29 Aug 2006 10:53:29 +0200 (CEST)
  Received: from x.europe.corp.microsoft.com ([65.53.193.xxx])
  by mail-eur1.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
   Tue, 29 Aug 2006 09:53:29 +0100
 
  (Some unrelated privacy details replaced with xxx).
 
  Now what SPF should do is (as far as I understood):
 
  - - Get the mail server that sent this (mail-eur1.microsoft.com)
  - - Check that its IP is in the allowed SPF record of
  microsoft.com
 
  This check passes as you can see here:
 
 http://www.dnsstuff.com/tools/spf.ch?server=microsoft.com&ip=213.199.128.139
 
 
  Now SpamAssassin did something else, it took mail.cs.uni-sb.de as
  the mailserver that sent, and tried to match it against
  microsoft.com's SPF records which produced a SOFTFAIL:
 
  1.4 SPF_SOFTFAIL   Sending host does not match SPF-record
   (softfail) [SPF failed: Please see
 
 http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]
   2.4 SPF_HELO_SOFTFAIL  HELO-Name does not match SPF-record
  (softfail) [SPF failed: Please see
 
 http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]
 
 
  Can someone explain me this failure?
 
  Thanks
 
 
  Chris
 


Re: Strange SPF problem/wrong result

2006-09-01 Thread Gino Cerullo

On 1-Sep-06, at 7:18 AM, decoder wrote:



Hello,

today I saw a strange SPF bug occurring. The original mail header was:

Return-Path: [EMAIL PROTECTED]
Received: from mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200])
by wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP id
k7T8rU6P012050;
Tue, 29 Aug 2006 10:53:30 +0200
Received: from mail-eur1.microsoft.com (mail-eur1.microsoft.com
[213.199.128.139])
by mail.cs.uni-sb.de (8.13.8/2006081400) with ESMTP id  
k7T8rT98004989;

Tue, 29 Aug 2006 10:53:29 +0200 (CEST)
Received: from x.europe.corp.microsoft.com ([65.53.193.xxx]) by
mail-eur1.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
 Tue, 29 Aug 2006 09:53:29 +0100

(Some unrelated privacy details replaced with xxx).

Now what SPF should do is (as far as I understood):

- - Get the mail server that sent this (mail-eur1.microsoft.com)
- - Check that its IP is in the allowed SPF record of microsoft.com

This check passes as you can see here:
http://www.dnsstuff.com/tools/spf.ch?server=microsoft.com&ip=213.199.128.139


Now SpamAssassin did something else, it took mail.cs.uni-sb.de as the
mailserver that sent, and tried to match it against microsoft.com's
SPF records which produced a SOFTFAIL:

 1.4 SPF_SOFTFAIL   Sending host does not match SPF-record
(softfail)
[SPF failed: Please see
http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]

 2.4 SPF_HELO_SOFTFAIL  HELO-Name does not match SPF-record
(softfail)
[SPF failed: Please see
http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]


Can someone explain me this failure?


Spamassassin gave the correct result. It compared the IP address of  
the last received server mail.cs.uni-sb.de (mail.cs.uni-sb.de  
[134.96.254.200]) against the SPF record for Microsoft and did not  
see a match. Result SOFTFAIL


Why do you think it should compare to mail-eur1.microsoft.com (mail- 
eur1.microsoft.com [213.199.128.139]).


SPF compares the IP address of the last server to handle the message  
before it was handed off to a server on your receiving end. If the  
message was sent to someone who is using forwarding and forwarded  
through mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200]) then  
this would explain the SOFTFAIL. Forwarding breaks SPF.



--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740
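
The relay selection this thread turns on, as an added example that is not part of any poster's message and is not SpamAssassin's code: a simplified Python model that walks the quoted Received headers newest-first, skips relays covered by trusted_networks, and applies the SPF decision to the first relay left. The function names, the stand-in authorised list (only the address the thread reports as passing) and the softfail default are assumptions; SpamAssassin's own trust inference for an unset trusted_networks is not reproduced.

```python
import ipaddress
import re

# Received headers from the message quoted in the thread, newest first and
# unfolded onto one line each; "xxx" is the poster's own redaction.
RECEIVED = [
    "from mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200]) "
    "by wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP id "
    "k7T8rU6P012050; Tue, 29 Aug 2006 10:53:30 +0200",
    "from mail-eur1.microsoft.com (mail-eur1.microsoft.com [213.199.128.139]) "
    "by mail.cs.uni-sb.de (8.13.8/2006081400) with ESMTP id k7T8rT98004989; "
    "Tue, 29 Aug 2006 10:53:29 +0200 (CEST)",
    "from x.europe.corp.microsoft.com ([65.53.193.xxx]) "
    "by mail-eur1.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830); "
    "Tue, 29 Aug 2006 09:53:29 +0100",
]

# Stand-in for the sender domain's SPF policy (assumption): only the address
# the thread reports as passing. Anything else is given softfail, the result
# the thread reports for 134.96.254.200.
AUTHORISED = [ipaddress.ip_network("213.199.128.139/32")]

RELAY_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_relay(header):
    """Return helo, by and IP for one Received header, or None if unparsable."""
    m = RELAY_RE.search(header)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        ip = None  # redacted or malformed address: can never match a network
    return {"helo": m.group("helo"), "by": m.group("by"),
            "ip_text": m.group("ip"), "ip": ip}


def parse_trusted_networks(config_text):
    """Collect networks from 'trusted_networks' lines of a local.cf fragment.

    Only full addresses and CIDR blocks are handled in this model.
    """
    nets = []
    for line in config_text.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0] == "trusted_networks":
            nets.extend(ipaddress.ip_network(w, strict=False) for w in words[1:])
    return nets


def first_untrusted_relay(received, trusted):
    """Walk hops newest-first; stop at the first relay outside the trusted set."""
    for header in received:
        relay = parse_relay(header)
        if relay and relay["ip"] is not None and any(
                relay["ip"] in net for net in trusted):
            continue  # our own infrastructure: keep walking back
        return relay  # untrusted, redacted or unparsable: the walk stops here
    return None


def spf_for_message(config_text, received=RECEIVED, authorised=AUTHORISED):
    """Return (address checked, stand-in SPF result) for a given local.cf."""
    relay = first_untrusted_relay(received, parse_trusted_networks(config_text))
    if relay is None or relay["ip"] is None:
        return (relay["ip_text"] if relay else None, "none")
    ok = any(relay["ip"] in net for net in authorised)
    return (relay["ip_text"], "pass" if ok else "softfail")


if __name__ == "__main__":
    for cfg in ("",
                "trusted_networks 134.96.254.200",
                "trusted_networks 134.96.254.200 213.199.128.139"):
        print(repr(cfg), "->", spf_for_message(cfg))
```

The third configuration shows why only relays you operate belong in trusted_networks: every hop beyond the trusted boundary is header text supplied by the previous sender, so over-trusting moves the check onto data nobody on your side verified.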







Re: IO::Socket::INET6 problems

2006-09-01 Thread Nigel Frankcom
On Fri, 01 Sep 2006 12:43:36 +0200, Anders Norrbring
[EMAIL PROTECTED] wrote:

I'm trying to get IO::Socket::INET6 to install since I actually use 
IPv6.. But so far no luck, and I haven't found any cure when Googling 
around on the subject either.

Anyone on the list who can help out?  The output I get is this:


I've had similar problems on CentOS, I eventually installed it via yum
instead..

yum install perl-IO-Socket-INET6.noarch

That worked for me on CentOS 64 & 32 bit.

HTH

Nigel


Re: Strange SPF problem/wrong result

2006-09-01 Thread decoder

Gino Cerullo wrote:
 On 1-Sep-06, at 7:18 AM, decoder wrote:


 Hello,

 today I saw a strange SPF bug occurring. The original mail header was:

 Return-Path: [EMAIL PROTECTED]
 Received: from mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200])
 by wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP id
 k7T8rU6P012050;
 Tue, 29 Aug 2006 10:53:30 +0200
 Received: from mail-eur1.microsoft.com (mail-eur1.microsoft.com
 [213.199.128.139])
 by mail.cs.uni-sb.de (8.13.8/2006081400) with ESMTP id
 k7T8rT98004989;
 Tue, 29 Aug 2006 10:53:29 +0200 (CEST)
 Received: from x.europe.corp.microsoft.com ([65.53.193.xxx]) by
 mail-eur1.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830);
  Tue, 29 Aug 2006 09:53:29 +0100

 (Some unrelated privacy details replaced with xxx).

 Now what SPF should do is (as far as I understood):

 - - Get the mail server that sent this (mail-eur1.microsoft.com)
 - - Check that its IP is in the allowed SPF record of microsoft.com

 This check passes as you can see here:

http://www.dnsstuff.com/tools/spf.ch?server=microsoft.com&ip=213.199.128.139


 Now SpamAssassin did something else, it took mail.cs.uni-sb.de as the
 mailserver that sent, and tried to match it against microsoft.com's
 SPF records which produced a SOFTFAIL:

  1.4 SPF_SOFTFAIL   Sending host does not match SPF-record
 (softfail)
 [SPF failed: Please see

http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]

  2.4 SPF_HELO_SOFTFAIL  HELO-Name does not match SPF-record
 (softfail)
 [SPF failed: Please see

http://www.openspf.org/why.html?sender=xxx%40microsoft.com&ip=134.96.254.200&receiver=This%20account%20is%20currently%20not%20available]


 Can someone explain me this failure?

 Spamassassin gave the correct result. It compared the IP address of
 the last received server mail.cs.uni-sb.de (mail.cs.uni-sb.de
 [134.96.254.200]) against the SPF record for Microsoft and did not
 see a match. Result SOFTFAIL

 Why do you think it should compare to mail-eur1.microsoft.com
 (mail-eur1.microsoft.com [213.199.128.139]).

 SPF compares the IP address of the last server to handle the message
 before it was handed off to a server on your receiving end. If the
 message was sent to someone who is using forwarding and forwarded
 through mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200]) then
 this would explain the SOFTFAIL. Forwarding breaks SPF.
This is no real forwarding, but all mail for us gets received by that
server first, and this server passes it to us. This is a common
structure for a bigger mail setup. The trusted_networks option solved
my problems, but it should definitely be included in the wiki somewhere.
Maybe we should add a note about trusted_networks being important for
SPF in the install manual where SPF installation is explained.


Chris



 --
 Gino Cerullo

 Pixel Point Studios
 21 Chesham Drive
 Toronto, ON  M3M 1W6

 416-247-7740







Re: IO::Socket::INET6 problems

2006-09-01 Thread Anders Norrbring

Nigel Frankcom wrote:

On Fri, 01 Sep 2006 12:43:36 +0200, Anders Norrbring
[EMAIL PROTECTED] wrote:

I'm trying to get IO::Socket::INET6 to install since I actually use 
IPv6.. But so far no luck, and I haven't found any cure when Googling 
around on the subject either.


Anyone on the list who can help out?  The output I get is this:



I've had similar problems on CentOS, I eventually installed it via yum
instead..

yum install perl-IO-Socket-INET6.noarch

That worked for me on CentOS 64 & 32 bit.



Thanks.. I was just plain stupid not to think of that it's included in 
the SuSE distribution. Geee.. ;)

Installed, verified and running now from the dist-dvd.

--

Anders Norrbring
Norrbring Consulting


RE: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Bowie Bailey
Will Duff wrote:
 Hi everyone,
 
 I've been working with SpamAssassin for the course of Google's Summer
 of Code to create 'SpamAssassin Coach' - an add-in available for
 Mozilla Thunderbird and Microsoft Outlook.  The purpose of the add-in
 is to allow users to report spam and ham to SpamAssassin right from
 their inbox.
 
 Both add-ins are now functional, so I am asking for testers to provide
 feedback, bug reports and the like.  If you would like to test an
 add-in, you can download SpamAssassin Coach from my SourceForge.net
 page at http://sourceforge.net/projects/soc2006spamd/.  Feel free to
 add bug reports, feature requests or email me directly at willduff
 *AT* gmail.com.
 
 I hope that SpamAssassin Coach can grow to be an important tool for
 SpamAssassin users.  Thanks for any help!
 
 For more information about SpamAssassin Coach, please refer to the
 following links:
 
 SourceForge.net Project: 
 http://sourceforge.net/projects/soc2006spamd/ Google Summer of Code
 Application Info:
 http://code.google.com/soc/asf/appinfo.html?csaid=DF01D8A7A5E102D7 

Interesting idea, but I need to see some documentation on how it works
before I'm going to download and install it.

-- 
Bowie


RE: Hacked E-Trade Phishing Site

2006-09-01 Thread Bowie Bailey
Chris wrote:
 On Thursday 31 August 2006 7:54 pm, David B Funk wrote:
  On Wed, 30 Aug 2006, jdow wrote:
   From: Evan Platt [EMAIL PROTECTED]
   
At 04:02 PM 8/30/2006, you wrote:
 Check at the top of this E-trade Phishing site:
 
 http://196.1.161.115/e/t/user/login/

I get it but I don't get it. I could understand if it was an
image, but that's TEXT. 

Clueless phisher?

 18:00:23 up 13 days, 43 min, 1 user, load average: 0.39,
 0.34, 0.30 

Must not be running a Windoze box eh?
   
   You did not read the very top line.
   {^_^}   - did a wget and read the html. There is an interesting
   h1 line. And it appears most people will miss it.
  
  revisited it, the black-hat mostly fixed the grey-hat's damage. ;
 
 Maybe they'll start a black-hat/grey-hat war :)

Looks like it's been hacked again.  :)

-- 
Bowie


Re: Hacked E-Trade Phishing Site

2006-09-01 Thread Gino Cerullo

On 1-Sep-06, at 9:12 AM, Bowie Bailey wrote:


Chris wrote:

On Thursday 31 August 2006 7:54 pm, David B Funk wrote:

On Wed, 30 Aug 2006, jdow wrote:

From: Evan Platt [EMAIL PROTECTED]


At 04:02 PM 8/30/2006, you wrote:

Check at the top of this E-trade Phishing site:

http://196.1.161.115/e/t/user/login/


I get it but I don't get it. I could understand if it was an
image, but that's TEXT.

Clueless phisher?


18:00:23 up 13 days, 43 min, 1 user, load average: 0.39,
0.34, 0.30


Must not be running a Windoze box eh?


You did not read the very top line.
{^_^}   - did a wget and read the html. There is an interesting
h1 line. And it appears most people will miss it.


revisited it, the black-hat mostly fixed the grey-hat's damage. ;


Maybe they'll start a black-hat/grey-hat war :)


Looks like it's been hacked again.  :)


And he's signed his work this time.

Hail 'The Fat Bastard Controller' :P Whooop!

--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740







RE: Hacked E-Trade Phishing Site

2006-09-01 Thread Chris Santerre







 -Original Message-
 From: Gino Cerullo [mailto:[EMAIL PROTECTED]]
 Sent: Friday, September 01, 2006 9:25 AM
 To: users@spamassassin.apache.org
 Subject: Re: Hacked E-Trade Phishing Site
 
 
 On 1-Sep-06, at 9:12 AM, Bowie Bailey wrote:
 
  Chris wrote:
  On Thursday 31 August 2006 7:54 pm, David B Funk wrote:
  On Wed, 30 Aug 2006, jdow wrote:
  From: Evan Platt [EMAIL PROTECTED]
 
  At 04:02 PM 8/30/2006, you wrote:
  Check at the top of this E-trade Phishing site:
 
  http://196.1.161.115/e/t/user/login/
 
  I get it but I don't get it. I could understand if it was an
  image, but that's TEXT.
 
  Clueless phisher?
 
  18:00:23 up 13 days, 43 min, 1 user, load average: 0.39,
  0.34, 0.30
 
  Must not be running a Windoze box eh?
 
  You did not read the very top line.
  {^_^} - did a wget and read the html. There is an interesting
  h1 line. And it appears most people will miss it.
 
  revisited it, the black-hat mostly fixed the grey-hat's 
 damage. ;
 
  Maybe they'll start a black-hat/grey-hat war :)
 
  Looks like it's been hacked again. :)
 
 And he's signed his work this time.
 
 Hail 'The Fat Bastard Controller' :P Whooop!


That's awesome! ROFL! Phisher prbly didn't pay the hacker enough and now he's gone hog wild.


--Chris





Re: Strange SPF problem/wrong result

2006-09-01 Thread Ramprasad
 
  Return-Path: [EMAIL PROTECTED]
  Received: from mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200])
  by wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP id
  k7T8rU6P012050;
  Tue, 29 Aug 2006 10:53:30 +0200
  Received: from mail-eur1.microsoft.com (mail-eur1.microsoft.com
  [213.199.128.139])
  by mail.cs.uni-sb.de (8.13.8/2006081400) with ESMTP id
  k7T8rT98004989;
  Tue, 29 Aug 2006 10:53:29 +0200 (CEST)

snip
 This is no real forwarding, but all mail for us gets received by that
 server first, and this server passes it to us. This is a common
 structure for a bigger mail setup. The trusted_networks option solved
 my problems, but it should definitely be included in the wiki somewhere.
 Maybe we should add a note about trusted_networks being important for
 SPF in the install manual where SPF installation is explained
snip

If 134.96.254.200 is accepting mails for you then you must do all SPF
checks on that host. SPF checks don't work unless you do the checks on
the receiving host. 


Thanks
Ram








Re: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Justin Mason

Bowie Bailey writes:
 Will Duff wrote:
  Hi everyone,
  
  I've been working with SpamAssassin for the course of Google's Summer
  of Code to create 'SpamAssassin Coach' - an add-in available for
  Mozilla Thunderbird and Microsoft Outlook.  The purpose of the add-in
  is to allow users to report spam and ham to SpamAssassin right from
  their inbox.
  
  Both add-ins are now functional, so I am asking for testers to provide
  feedback, bug reports and the like.  If you would like to test an
  add-in, you can download SpamAssassin Coach from my SourceForge.net
  page at http://sourceforge.net/projects/soc2006spamd/.  Feel free to
  add bug reports, feature requests or email me directly at willduff
  *AT* gmail.com.
  
  I hope that SpamAssassin Coach can grow to be an important tool for
  SpamAssassin users.  Thanks for any help!
  
  For more information about SpamAssassin Coach, please refer to the
  following links:
  
  SourceForge.net Project: 
  http://sourceforge.net/projects/soc2006spamd/ Google Summer of Code
  Application Info:
  http://code.google.com/soc/asf/appinfo.html?csaid=DF01D8A7A5E102D7 
 
 Interesting idea, but I need to see some documentation on how it works
 before I'm going to download and install it.

Well, it looks like the source is available at
http://svn.sourceforge.net/viewvc/soc2006spamd/ .

This is great -- thanks Will -- it's great to have tools like these
finally available under an open source license!

--j.


Re: Strange SPF problem/wrong result

2006-09-01 Thread Justin Mason

Ramprasad writes:
   Return-Path: [EMAIL PROTECTED]
   Received: from mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200])
   by wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP id
   k7T8rU6P012050;
   Tue, 29 Aug 2006 10:53:30 +0200
   Received: from mail-eur1.microsoft.com (mail-eur1.microsoft.com
   [213.199.128.139])
   by mail.cs.uni-sb.de (8.13.8/2006081400) with ESMTP id
   k7T8rT98004989;
   Tue, 29 Aug 2006 10:53:29 +0200 (CEST)
 
 snip
  This is no real forwarding, but all mail for us gets received by that
  server first, and this server passes it to us. This is a common
  structure for a bigger mail setup. The trusted_networks option solved
  my problems, but it should definitely be included in the wiki somewhere.
  Maybe we should add a note about trusted_networks being important for
  SPF in the install manual where SPF installation is explained
 snip
 
 If 134.96.254.200 is accepting mails for you then you must do all SPF
 checks on that host. SPF checks don't work unless you do the checks on
 the receiving host. 

Got a source for that?  First I've heard of it...

--j.


Re: Strange SPF problem/wrong result

2006-09-01 Thread decoder

Ramprasad wrote:
 Return-Path: [EMAIL PROTECTED] Received: from
 mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200]) by
 wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP
 id k7T8rU6P012050; Tue, 29 Aug 2006 10:53:30 +0200 Received:
 from mail-eur1.microsoft.com (mail-eur1.microsoft.com
 [213.199.128.139]) by mail.cs.uni-sb.de (8.13.8/2006081400)
 with ESMTP id k7T8rT98004989; Tue, 29 Aug 2006 10:53:29 +0200
 (CEST)

 snip
 This is no real forwarding, but all mail for us gets received by
 that server first, and this server passes it to us. This is a
 common structure for a bigger mail setup. The trusted_networks
 option solved my problems, but it should definitely be included in
 the wiki somewhere. Maybe we should add a note about
 trusted_networks being important for SPF in the install manual
 where SPF installation is explained
 snip

 If 134.96.254.200 is accepting mails for you then you must do all
 SPF checks on that host. SPF checks don't work unless you do the
 checks on the receiving host.
In a big infrastructure, this is hardly possible. This mailserver is
not under our control but belongs to the University directly, not to
our chair.

Chris


 Thanks Ram










RE: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Rob McEwen
RE: SpamAssassin Coach - Outlook/Thunderbird Plugin 

Any chance that an Outlook Express version might be forthcoming?

I know that many of the Unix admins on this list hate any thing Microsoft
produces and probably especially Outlook Express... but the fact is that a
very large percentage of people use Outlook Express and it would be great to
have a SpamAssassin Coach for Outlook Express as well.

--Rob McEwen




Re: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Justin Mason

Rob McEwen writes:
 RE: SpamAssassin Coach - Outlook/Thunderbird Plugin 
 
 Any chance that an Outlook Express version might be forthcoming?
 
 I know that many of the Unix admins on this list hate any thing Microsoft
 produces and probably especially Outlook Express... but the fact is that a
 very large percentage of people use Outlook Express and it would be great to
 have a SpamAssassin Coach for Outlook Express as well.

in my experience, the problem is that OE mangles the message too much.

--j.


Re: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Rick Macdougall

Rob McEwen wrote:
RE: SpamAssassin Coach - Outlook/Thunderbird Plugin 


Any chance that an Outlook Express version might be forthcoming?

I know that many of the Unix admins on this list hate any thing Microsoft
produces and probably especially Outlook Express... but the fact is that a
very large percentage of people use Outlook Express and it would be great to
have a SpamAssassin Coach for Outlook Express as well.

--Rob McEwen




Hi,

I don't believe OE has an API accessible like LookOut and Thunderbird do.

I think it's the same story as the razor tools for LookOut that aren't 
available to OE.


Regards,

Rick



Re: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Theo Van Dinter
On Fri, Sep 01, 2006 at 03:44:03PM +0100, Justin Mason wrote:
  Any chance that an Outlook Express version might be forthcoming?
 in my experience, the problem is that OE mangles the message too much.

Does OE even allow for plugins?

-- 
Randomly Generated Tagline:
If firefighters fight fire, and crimefighters fight crime, what do
  freedomfighters fight?




RE: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Rob McEwen
in my experience, the problem is that OE mangles the message too much.

I disagree... but don't take my word for it... double check this yourself...

When you are viewing a message in Outlook Express, if you right click on
the message, click properties from the drop-down, click the details tab,
and then click the message source button, a text window comes up which
contains EXACTLY the same thing as the text file on the server before being
downloaded into Outlook Express. Also, if you drag-N-drop a file out of
Outlook into the file system and then open that file up in a text editor,
again, you get EXACTLY what was on the server.

In fact, it is the full version of Outlook which mangles things... you get a
boatload of crap when you try these same things in the full version of
Outlook.

However, as I understand it, Outlook contains a functional and accessible
API whereas Outlook Express does NOT. I think that is the difference and why
these things are easier for Outlook than for Outlook Express.

But I also have heard of some third party DLLs which provide an API for
Outlook Express to give it an accessible API much like Outlook since this is
not provided by Microsoft.

Let me know if I'm wrong about any of this.

I hope this helps!

--Rob McEwen



Re: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Michael Scheidell
on 'forget', did you mean for these to produce different header lines?

TELL SPAMC/1.3
Content-length: 2214
User: [EMAIL PROTECTED]
Message-class: spam
Set: local
 
   
TELL SPAMC/1.3
Content-length: 3245
User: [EMAIL PROTECTED]
Remove: local



or is the Message-class: ham missing?
(I don't know the protocol, I am just  working on a 'sa-coachd' for
people with amavisd-new, open up a socket, listen for valid stuff.
May put in some ip address/tcpd stuff)

-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
[EMAIL PROTECTED]  / 1+561-999-5000, x 1131



Re: Strange SPF problem/wrong result

2006-09-01 Thread SM

At 05:54 01-09-2006, decoder wrote:

This is no real forwarding, but all mail for us gets received by that
server first, and this server passes it to us. This is a common
structure for a bigger mail setup. The trusted_networks option solved
my problems, but it should definitely be included in the wiki somewhere.
Maybe we should add a note about trusted_networks being important for
SPF in the install manual where SPF installation is explained


The concept is the same as forwarding.  Maybe you shouldn't be 
running any SPF tests in such a setup.


Regards,
-sm 



Re: source SENDER authentication ? (as opposed to SPF HOST authentication)

2006-09-01 Thread Pat Lashley




 Are there any SA methods that allow verification of the ‘sender’ of an email ? 
 
 I am aware of SPF which can confirm that a host at ip address x.x.x.x is
 authorized to send mail as from domain “A”, but how about a means to
 confirm that [EMAIL PROTECTED] actually is a real user before
 accepting mail from him ? 

Exim can do that in the ACL rules using a verify=sender clause. I use that, and a few other checks, to identify probable spam that can be rejected without bothering to pass it through SpamAssassin. (And with Exim, it is easy to do the rejection while the SMTP connection is still open.)

http://www.exim.org/


Note that it doesn't actually verify whether or not the sender exists; but whether that address is likely to accept a non-delivery notice.



-Pat






Re: Strange SPF problem/wrong result

2006-09-01 Thread Kelson

decoder wrote:

The trusted_networks option solved my problems, but it should
definitely be included in the wiki somewhere.


How about this page:

http://wiki.apache.org/spamassassin/TrustPath


The common symptoms of a broken Trust path include:
 * ALL_TRUSTED matching spam email from the outside or other untrusted mail.
 * Dialup/Dynamic IP RBLs misfiring for properly relayed mail.
 * Dialup/Dynamic IP RBLs not catching direct-delivered mail.
 * whitelist_from_rcvd fails to match.
 * SPF tests misfiring (failing when they should pass and vice versa)


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: Strange SPF problem/wrong result

2006-09-01 Thread Magnus Holmgren
On Friday 01 September 2006 16:14, Ramprasad took the opportunity to say:
  This is no real forwarding, but all mail for us gets received by that
  server first, and this server passes it to us. This is a common
  structure for a bigger mail setup. The trusted_networks option solved
  my problems, but it should definitely be included in the wiki somewhere.
  Maybe we should add a note about trusted_networks being important for
  SPF in the install manual where SPF installation is explained

 snip

 If 134.96.254.200 is accepting mails for you then you must do all SPF
 checks on that host. SPF checks don't work unless you do the checks on
 the receiving host.

SPF checks work (since the information needed is included in a Received: line 
that can be trusted), but you can't reject mail at SMTP time based on the 
result.

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Re: Strange SPF problem/wrong result

2006-09-01 Thread Magnus Holmgren
On Friday 01 September 2006 13:41, decoder took the opportunity to say:
 So adding the line

 trusted_networks 134.96.254.200

 to local.cf will fix this problem and this mail would be recognized
 correctly (as in pass SPF) ?

If 134.96.254.200 is the MX for your domain, then it should even be in 
internal_networks (which default to trusted_networks, however).

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)
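
An added illustration (not SpamAssassin's code and not part of the thread) of why the trusted_networks line changes the SPF result: a simplified trust-path walk over the two Received headers quoted above. The function names and the simplified rule "first relay outside the trusted networks" are this example's assumptions; SpamAssassin's own relay parsing handles many more header formats.

```python
import ipaddress
import re

# The two Received headers quoted in the thread, newest first, unfolded.
RECEIVED = [
    "from mail.cs.uni-sb.de (mail.cs.uni-sb.de [134.96.254.200]) "
    "by wjpserver.cs.uni-sb.de (8.12.11.20060308/8.12.11) with ESMTP id "
    "k7T8rU6P012050; Tue, 29 Aug 2006 10:53:30 +0200",
    "from mail-eur1.microsoft.com (mail-eur1.microsoft.com [213.199.128.139]) "
    "by mail.cs.uni-sb.de (8.13.8/2006081400) with ESMTP id "
    "k7T8rT98004989; Tue, 29 Aug 2006 10:53:29 +0200 (CEST)",
]

# Matches "from HELO (RDNS [IP]) by HOST", the layout of the headers above.
RELAY = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_relay(header):
    """Return a dict with helo, rdns, ip and by for one header, or None."""
    match = RELAY.search(header)
    if match is None:
        return None
    try:
        ipaddress.ip_address(match.group("ip"))
    except ValueError:
        return None
    return match.groupdict()


def is_trusted(ip, trusted_networks):
    """True if ip lies inside any of the configured networks."""
    addr = ipaddress.ip_address(ip)
    return any(
        addr in ipaddress.ip_network(net, strict=False)
        for net in trusted_networks
    )


def spf_client_ip(received, trusted_networks):
    """Walk the headers newest to oldest and return the IP SPF should judge.

    The newest header was written by the scanning host itself, so it can be
    believed. Each older header is believed only if the relay named in the
    header before it is trusted, because that relay is the host that wrote it.
    Returns None when every relay is trusted or a header cannot be parsed.
    """
    for header in received:
        relay = parse_relay(header)
        if relay is None:
            return None
        if not is_trusted(relay["ip"], trusted_networks):
            return relay["ip"]
    return None


if __name__ == "__main__":
    # Without the setting, the university relay is taken for the sending client.
    print("no trusted_networks:", spf_client_ip(RECEIVED, []))
    # With it, the walk continues to the host that actually handed the mail over.
    print("trusted 134.96.254.200:", spf_client_ip(RECEIVED, ["134.96.254.200"]))
```
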




Re: catching fake usernames?

2006-09-01 Thread Steve Thomas
 On Thu, August 31, 2006 05:41, Rick Roe wrote:
 like there should be a simpler, more automatic way to do this. Am I
 missing something?

 in postfix main.cf

 smtpd_reject_unlisted_sender = yes

In exim.conf, somewhere in acl_check_rcpt:

  require verify = sender





Troubleshooting Spamassassin

2006-09-01 Thread Ben Ventura
**warning message from newbie**

I've inherited an installation of SA version 3.0.1 on an OS X server (10.4) and it does not seem to be working properly.  It's running with Communigate as the mail server.  It seems to be scanning the messages, it is adding the headers like this:

    X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on
    X-Spam-Level:
    X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham  version=3.0.1
    X-Tff-Cgpsa-Version: 1.4
    X-Tff-Cgpsa-Filter: Scanned

So it's up and running, right?  But it is not flagging any messages that are spam.  Most messages have headers like the one above:

    X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=ham  version=3.0.1

Which seem to me like it is not even testing it.  Most messages come in with a score of 0.0, even if the message is clearly spam.  The highest I've seen so far is a score of 3.9 which still is not high enough to get SA to mark it as spam.

My question is how do I troubleshoot this to figure out why the spam is not getting tested properly?

Thank you,
Ben

|| [EMAIL PROTECTED]
||
|| BIAS IT
|| Berkley Integrated Audio Software, Inc.
|| http://www.bias-inc.com
|| Phone : +1.707.782.1866
|| FAX : +1.707.782.1874
|| Literature/Direct Sales: +1.800.775.BIAS
|| +1.707.782.1866 (intl)

Re: breaking out: thinking abt the 'sa-update *VS* rdj' thread .. .

2006-09-01 Thread Theo Van Dinter
Wow...  This mail has been sitting in my draft folder for a while, so I
figured I ought to get it out.

On Wed, Aug 16, 2006 at 12:24:04PM -0400, Chris Santerre wrote:
 I got nothing but love for you, so here goes ;) ..

:)

  Chris!  I'm surprised to hear you spreading this misinformation.
  I don't really see how the project's rule development is a 
  clusterfsck.
  People commit rules for testing, they get tested, if they're 
  good they're
  put in an update.  What's the problem?
 
 1) Manpower. You just don't have enough people devoted to rules. Not your
 fault. And solving this, would not help. Because of #2...
 
 2) Open community. By nature the SA project has to be open. That means
 public corpus, public discussion lists, and public test results. SARE would
 not be as good if we had spammers watching our every move. MAJOR things we
 do MUST remain private. Our good results, the rules, are made public. And we
 offer them to anyone. 

Well, I don't think that's really true at all.  A lot of things are
public, some things aren't.  For instance, we *don't* have a public
corpus.  Each person's corpus is private, and they just send in the
mass-check results, which are public, but there's not a lot of information
one can get out of that IMO.

Test rules are public, which may or may not be problematic -- but since
the goal is to have the rule made public in the end anyway, I'm not sure
there's too much of an issue here.  Generally speaking if test rules are
good they should be published pretty quickly, so new rules still have
an impact, even if spammers actively pay attention to development and
adjust their mails accordingly.  Based on current results, that doesn't
seem to happen a lot.  (currently, people tend to come up with test rules
based on their own private tests on their own corpus -- when something looks
good, it gets committed for wider testing, so rule development is still
semi-private since the method for what rules to write is personal.)


 But since SARE's inception, you can't honestly tell me that SA has kept up
 with SARE's output. Be it quantity or quality. 

I actually couldn't tell you, I specifically ignore SARE's non-donated rules,
and I have no insight into the development process used.


 But for what end? SARE gives you our best rules to be added. So what would
 we gain by becoming part of SA. Seems we would lose more having to be more
 open about what we do.

I have thoughts about this at the end, but as far as I can see: the main
project gets stronger meaning the community is better served, and there's
really no downside.  So why not?


 open corpus vs closed. Live feed testing vs overnight GA runs. No public
 eyes in our discussion lists. Incredibly easy rule testing tools vs GA runs.
 People in different parts of the industry more inclined to help and provide
 info simply because of anonymity. Cross project benefits, again due to
 anonymity.

live vs overnight mass-check runs (the GA was the tool used to generate scores
in the 2.x days, replaced by the perceptron -- which we don't run nightly, or
weekly, etc.  but that's another discussion,) is really just a matter of
putting in some effort to be able to do it.  We chose nightly and weekly
because it seemed to be quick enough to test new rules and be able to get them
out, and slow enough that it doesn't necessarily scare people away from
volunteering.

public discussion lists -- not all of our lists are public, and the others are
generally invite-only.  though we don't generally have a lot of those, and
most conversation happens in personal mails anyway.

incredibly easy rule testing tools vs GA runs -- I don't know what
you guys have (is there something easier/less involved than running the
rules over messages and looking at the results?), but if it's better
than what's in the project currently, why not contribute it?

people in different ... anonymity -- sure, though that's possible either
way.

I really don't see the issue here.

 The question might be, what exactly does the SA project want of SARE? All we
 have to offer is rules, and we already give those up freely. 

In short, I'd like to see our two groups merge.  There are several issues here:

1) Having multiple organizations providing rules is confusing/annoying
to users, as has been discussed previously on this list.

2) Duplicated effort.  Why have multiple people working on multiple
rules that do the same thing?  That's inefficient in various ways.

3) The SA project can't take the rules from SARE's site, they have to be
contributed.  That doesn't actually happen very often.  Most (all?) of
the SARE people who currently have commit access to the SA project
haven't made commits in a long time, if ever.

4) The SA project, as previously discussed, no longer has the manpower to deal
with both the engine and the rules with the detail and attention that they
deserve.  This is bad.

5) Last, and perhaps most importantly, the SA project is the foundation
of the 

Re: File mode set incorrectly

2006-09-01 Thread Albert Poon

It is 3.1.4.


Theo Van Dinter-2 wrote:
 
 On Thu, Aug 31, 2006 at 12:32:37PM -0700, Albert Poon wrote:
 I know I don't need setting 0777 on them, and 0666 is fine for me. But
 for
 the auto_whitelist, I can't set to 0666, it only turns to 0640. 
 
 What version are you running?  There were some issues with AWL perms
 until it was fixed in 3.1.4.
 
 -- 
 Randomly Generated Tagline:
 A low yield atomic bomb is like being a bit pregnant.
 
 

-- 
View this message in context: 
http://www.nabble.com/File-mode-set-incorrectly-tf2194216.html#a6107054
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: File mode set incorrectly

2006-09-01 Thread Theo Van Dinter
Hrm.  In that case, I'd say open a BZ ticket
(http://bugzilla.spamassassin.org/) and we'll see about reproducing/fixing
it.

On Fri, Sep 01, 2006 at 03:11:24PM -0700, Albert Poon wrote:
 It is 3.1.4.
 
 Theo Van Dinter-2 wrote:
  
  On Thu, Aug 31, 2006 at 12:32:37PM -0700, Albert Poon wrote:
  I know I don't need setting 0777 on them, and 0666 is fine for me. But
  for
  the auto_whitelist, I can't set to 0666, it only turns to 0640. 
  
  What version are you running?  There were some issues with AWL perms
  until it was fixed in 3.1.4.
  
  -- 
  Randomly Generated Tagline:
  A low yield atomic bomb is like being a bit pregnant.
  
  
 
 -- 
 View this message in context: 
 http://www.nabble.com/File-mode-set-incorrectly-tf2194216.html#a6107054
 Sent from the SpamAssassin - Users forum at Nabble.com.

-- 
Randomly Generated Tagline:
dy/dx = dy/du * du/dv * dv/dx ...  Have some fun!   - Prof. Branche




Re: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Will Duff

Thanks all for the already valuable feedback and support!  To answer
some questions:

On 8/31/06, Doc Schneider [EMAIL PROTECTED] wrote:

Couple of comments. right clicking on a message doesn't give any option
to report as ham or spam I think this would be a valuable option.

Secondly, I use multiple imap servers and accounts all within the same
T-bird. But, unless I missed it, your options only allow things to be
reported to one SA (on 127.0.0.1 by default). Does it save other servers
for reporting to? Might also be worth it to add this to the tools menu?


Good ideas.  I've added the ability to right-click an individual
message and support for reporting to multiple servers on my TO DO
list.

On 8/31/06, Rick Macdougall [EMAIL PROTECTED] wrote:

1) I can't find a readme or notes file

2) You should mention somewhere that the -l switch is needed to spamd
(it's not mentioned in the Mail::SpamAssassin or
Mail::SpamAssassin::Conf or the Wiki.


Source files and README available at:
http://svn.sourceforge.net/viewvc/soc2006spamd/.  I was unaware that
the -l switch was needed, but I'll add it into the README.

On 8/31/06, Michael Scheidell [EMAIL PROTECTED] wrote:

Since this is google/summer of code stuff, it's licensed under BSD2.0,
right?
If someone wanted to add on to code, say to add 'whitelist sender',
'blacklist sender', and 'report spam', the sources will be published,
right?


This project is licensed under the Apache License Version 2.0.  If you
would like to contribute to this project, please feel free.  I can
even add you as a developer to the SourceForge project.  However, as
far as I know, there is no protocol to add a whitelist or blacklist
sender.

On 9/1/06, Michael Scheidell [EMAIL PROTECTED] wrote:

XP sp2, outlook 2002, sp2.

Upon leaving outlook, get ok disconnection popup.

Did uninstall, outlook 2002, sp3, spamassassin coach buttons still on
menu. Can't get rid of them.


Sorry, that was an old debug message I accidentally left in.  I
removed it from the latest source files, but I'm not able to compile a
new Outlook binary just yet.  The SpamAssassin Coach button remaining
in the toolbar is a known bug (see the README).  To remove it, just
reset the toolbar.

There are a lot of small problems with the Outlook version.  My hope
is to port the entire add-in from C# to Visual Basic to get rid of
many of the bugs.

On 9/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I am using it now I have noticed that it doesn't seem to work with outlook
2003 service pack 2 but service pack 1 is fine.


What exactly doesn't work?  Is the toolbar there but it doesn't report
any spam?  Please provide more details and I'll gladly look into it.

On 9/1/06, Chr. v. Stuckrad [EMAIL PROTECTED] wrote:

Do you see a chance to backport(or just 'allow') it
for firefox down to Version 1.0.4?


The extension model was changed with the release of
Firefox/Thunderbird version 1.5.  I'll look into possibly creating a
separate extension for Thunderbird 1.0.

On 9/1/06, Michael Scheidell [EMAIL PROTECTED] wrote:

Thunderbird version hangs thunderbird on my mac.
highlight 'learn as spam'
drop down 'options box'
enter something in options box (username, change ip address)
you can't get out of it.  There is  no close box, nothing.


It's actually not hanging, all you have to do is hit Escape.  For the
life of me, I couldn't figure out how to get OK/Cancel buttons on the
Mac version!  The code is the same for all platforms, but in Windows
there are OK/Cancel buttons and in the Mac version there are not.  If
anyone can get to the bottom of this, please let me know.

On 9/1/06, Michael Scheidell [EMAIL PROTECTED] wrote:

on 'forget', did you mean for these to produce different header lines?

TELL SPAMC/1.3
Content-length: 2214
User: [EMAIL PROTECTED]
Message-class: spam
Set: local


TELL SPAMC/1.3
Content-length: 3245
User: [EMAIL PROTECTED]
Remove: local


I'm not exactly sure what to make of this.  The spamd protocol is
available for viewing at
http://svn.apache.org/viewvc/spamassassin/trunk/spamd/PROTOCOL?view=markup.

Once again, thanks for all of your support!

Will Duff
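
Added example, not part of the thread or of the SpamAssassin Coach source: a strict validator for TELL requests like the two quoted above, of the kind a listener such as the 'sa-coachd' mentioned earlier in the thread could apply before acting on a request. The action table is this example's reading of the spamd PROTOCOL file linked above; `MAX_BODY`, the user name and the sample message are constructed.

```python
import re

# Header combinations and the action each one requests. This table is the
# example's reading of the spamd PROTOCOL file, not code taken from spamd.
ACTIONS = {
    ("spam", frozenset({"local"}), frozenset()): "learn-spam",
    ("ham", frozenset({"local"}), frozenset()): "learn-ham",
    (None, frozenset(), frozenset({"local"})): "forget",
    ("spam", frozenset({"local", "remote"}), frozenset()): "report",
    ("ham", frozenset({"local"}), frozenset({"remote"})): "revoke",
}
REQUEST_LINE = re.compile(r"^TELL SPAMC/\d+\.\d+$")
MAX_BODY = 1024 * 1024  # hypothetical size limit chosen for this listener


class TellError(ValueError):
    """Raised for any request the listener should refuse."""


def _targets(value):
    """Split a Set:/Remove: value into a validated set of database names."""
    names = frozenset(part.strip().lower() for part in value.split(","))
    if not names <= {"local", "remote"}:
        raise TellError("unknown database in %r" % value)
    return names


def parse_tell(raw):
    """Validate one TELL request (bytes); return its action, user and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise TellError("headers are not terminated by a blank line")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        raise TellError("non-ASCII bytes in request header")
    if not REQUEST_LINE.match(lines[0]):
        raise TellError("not a TELL request: %r" % lines[0])

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        name = name.strip().lower()
        if not colon or not name or name in headers:
            raise TellError("malformed or repeated header: %r" % line)
        headers[name] = value.strip()

    # Refuse requests whose declared size is absent, absurd or wrong.
    length = headers.get("content-length", "")
    if not length.isdigit() or int(length) > MAX_BODY:
        raise TellError("missing, invalid or oversized Content-length")
    if int(length) != len(body):
        raise TellError("Content-length does not match body size")

    msg_class = headers.get("message-class")
    if msg_class is not None:
        msg_class = msg_class.lower()
        if msg_class not in ("spam", "ham"):
            raise TellError("unknown Message-class %r" % msg_class)
    to_set = _targets(headers["set"]) if "set" in headers else frozenset()
    to_remove = _targets(headers["remove"]) if "remove" in headers else frozenset()

    action = ACTIONS.get((msg_class, to_set, to_remove))
    if action is None:
        raise TellError("unsupported header combination")
    return {"action": action, "user": headers.get("user"), "body": body}


def build_request(headers, body):
    """Assemble a request with a correct Content-length (for the samples)."""
    lines = ["TELL SPAMC/1.3", "Content-length: %d" % len(body)] + headers
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + body


# Constructed samples that mirror the two header sets quoted in the thread.
SAMPLE_BODY = b"Subject: constructed sample\r\n\r\nbody text\r\n"
LEARN_SPAM = build_request(
    ["User: alice", "Message-class: spam", "Set: local"], SAMPLE_BODY)
FORGET = build_request(["User: alice", "Remove: local"], SAMPLE_BODY)

if __name__ == "__main__":
    for request in (LEARN_SPAM, FORGET):
        print(parse_tell(request)["action"])
```
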


Re: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Loren Wilton

in my experience, the problem is that OE mangles the message too much.


Eh?  I think you are thinking of Outlook.  OE doesn't seem to touch the 
message, or at least the 'view message source' window can accurately 
reconstruct it.  (Which is easy to get to, unlike Outlook itself where it is 
usually completely unavailable or very hidden.)


   Loren



Re: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Loren Wilton

I don't believe OE has an API accessible like LookOut and Thunderbird do.


It doesn't.  But that doesn't mean it's impossible to do, just harder.

The PGP stuff has a plugin for OE that allows it to sign messages after 
you compose them, and to encrypt and decrypt messages.  It also adds menus 
and toolbars to deal with this stuff easily.


The code to deal with that stuff is ugly, but it is on SourceForge (or some 
such) and I think is GPL.


It probably wouldn't be all THAT hard to take the PGP interface code and 
strip it down for some other use such as this.


   Loren



RE: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Michael Scheidell
 -Original Message-
 From: Will Duff [mailto:[EMAIL PROTECTED] 
 Sent: Friday, September 01, 2006 6:40 PM
 To: users@spamassassin.apache.org
 Subject: Re: SpamAssassin Coach - Outlook/Thunderbird Plugin
 
 
 Thanks all for the already valuable feedback and support!  To 
 answer some questions:
 
 On 8/31/06, Michael Scheidell [EMAIL PROTECTED] wrote:
  Since this is google/summer of code stuff, it's licensed 
 under BSD2.0, 
  right? If someone wanted to add on to code, say to add 'whitelist 
  sender', 'blacklist sender', and 'report spam', the sources will be 
  published, right?
 
 This project is licensed under the Apache License Version 
 2.0.  If you would like to contribute to this project, please 
 feel free.  I can even add you as a developer to the 
 SourceForge project. 

I do have a 'sa-learnd' that looks like it at least works with the
thunderbird version.
This is only needed for someone running amavisd-new as it doesn't run
spamd.

 However, as far as I know, there is no protocol to add a whitelist or
blacklist sender.

From spamassassin -h:  I was hoping same in spamd the 'AWL' (auto
white/blacklist in SA), maybe not.

--add-addr-to-whitelist=addr  Add addr to persistent address
whitelist
 --add-addr-to-blacklist=addr  Add addr to persistent address
blacklist
 --remove-addr-from-whitelist=addr Remove addr from persistent
address list

On 9/1/06, [EMAIL PROTECTED] 
 [EMAIL PROTECTED] wrote:
  I am using it now I have noticed that it doesn't seem to work with 
  outlook 2003 service pack 2 but service pack 1 is fine.
 
 What exactly doesn't work?  Is the toolbar there but it 
 doesn't report any spam?  Please provide more details and 
 I'll gladly look into it.

I also found that three instances of outlook 'didn't work'

Ie, I could drop options down, fill them out, but when I 'report as
spam/ham/revoke' it didn't matter, 'nothing happened'

Also noticed that even if the ip was set wrong, there were no error
messages. No status, no feedback.

As in nothing at all.  Tcpdump listing on the socket, or even nc -l 783
showed no attempt to even connect.
Not sure what was happening, but three different outlooks' nothing
happened.

You might want to check the status of the server when someone changed
options:

The PING command does not actually trigger any spam checking, and (as with
SKIP) no additional input is expected. It returns a simple confirmation
response, like this:

SPAMD/1.2 0 PONG

This facility may be useful for monitoring programs which wish to check that
the daemon is alive and providing at least a basic response within a
reasonable time frame.

Also, this looks promising for future versions:


To report a spam message:
TELL SPAMC/1.3
Message-class: spam
Set: local, remove

 
 It's actually not hanging, all you have to do is hit Escape.  
 For the life of me, I couldn't figure out how to get 
 OK/Cancel buttons on the Mac version!  The code is the same 
 for all platforms, but in Windows there are OK/Cancel buttons 
 and in the Mac version there are not.  If anyone can get to 
 the bottom of this, please let me know.

I haven't done any 'aqua' programming, but all the mac 'info/option'
boxes there are three buttons in the title frame.

 
 On 9/1/06, Michael Scheidell [EMAIL PROTECTED] wrote:
  on 'forget', did you mean for these to produce different header lines?
 
  TELL SPAMC/1.3
  Content-length: 2214
  User: [EMAIL PROTECTED]
  Message-class: spam
  Set: local
 
 
  TELL SPAMC/1.3
  Content-length: 3245
  User: [EMAIL PROTECTED]
  Remove: local
 
 I'm not exactly sure what to make of this.  The spamd 
 protocol is available for viewing at 
 http://svn.apache.org/viewvc/spamassassin/trunk/spamd/PROTOCOL?view=markup.

I guess 'message-class:' is not needed for remove.
Also note some 'local' and 'remote' options. For reporting.

I have attached an Apache 2.0 class license to a file I'll send next.
It isn't complete, doesn't implement everything that sa coach should
implement (like the ping/pong, sounds like a good idea!)

It doesn't yet implement:  (guess I will have to fire up a spamd to
reverse engineer it)

Set and Remove and will return two possible headers, DidSet and DidRemove
which indicate which action was taken.  It is up to the caller to determine
if the proper action happened.  Here are some examples:
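
An added example, not part of this message or of the SpamAssassin Coach code: a minimal spamd client in Python that builds the TELL requests quoted above, verifies the DidSet/DidRemove reply headers, and offers a PING check so a wrong server address raises an error instead of "nothing happened". Function names are this example's own; the request and reply layout follows the messages above and the linked spamd PROTOCOL file.

```python
import socket

def build_tell(message, user, message_class=None, set_dbs=(), remove_dbs=()):
    """Build a TELL request; leave message_class unset for a pure Remove ("forget")."""
    headers = [f"Content-length: {len(message)}", f"User: {user}"]
    if message_class:
        headers.append(f"Message-class: {message_class}")
    if set_dbs:
        headers.append("Set: " + ", ".join(set_dbs))
    if remove_dbs:
        headers.append("Remove: " + ", ".join(remove_dbs))
    head = "TELL SPAMC/1.3\r\n" + "\r\n".join(headers) + "\r\n\r\n"
    return head.encode("ascii") + message

def parse_response(raw):
    """Split a 'SPAMD/<ver> <code> <text>' reply into (code, text, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[0].startswith("SPAMD/") or not parts[1].isdigit():
        raise ValueError(f"not a spamd response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), parts[2].strip(), headers

def _dbs(value):
    return {d.strip() for d in value.split(",") if d.strip()}

def tell_succeeded(raw, expect_set=(), expect_remove=()):
    """True only when spamd confirms each requested database in DidSet/DidRemove."""
    code, _text, headers = parse_response(raw)
    return (code == 0
            and set(expect_set) <= _dbs(headers.get("didset", ""))
            and set(expect_remove) <= _dbs(headers.get("didremove", "")))

def exchange(host, port, request, timeout=5.0):
    """Send one request and read the reply; OSError (refused, timeout) propagates."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

def ping(host, port=783):
    """Health check to run when the user saves new server settings."""
    code, text, _ = parse_response(exchange(host, port, b"PING SPAMC/1.3\r\n"))
    return code == 0 and text == "PONG"
```

A client would call `ping()` when options change and show the exception text to the user, then treat a TELL as done only when `tell_succeeded()` returns true.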


Re: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread SECNAP Network Security
Justin Mason wrote:

  
  
  

  
  Bowie Bailey writes:
 Will Duff wrote:
  Hi everyone,
 
  I've been working with SpamAssassin for the course of Google's Summer
  of Code to create 'SpamAssassin Coach' - an add-in available for
  Mozilla Thunderbird and Microsoft Outlook. The purpose of the add-in
  is to allow users to report spam and ham to SpamAssassin right from
  their inbox.
 
  Both add-ins are now functional, so I am asking for testers to provide
  feedback, bug reports and the like. If you would like to test an
  add-in, you can download SpamAssassin Coach from my SourceForge.net
  page at http://sourceforge.net/projects/soc2006spamd/. Feel free to
  add bug reports, feature requests or email me directly at willduff
  *AT* gmail.com.
  http://sourceforge.net/projects/soc2006spamd/
Google Summer of Code
  Application Info:
  http://code.google.com/soc/asf/appinfo.html?csaid=DF01D8A7A5E102D7

 Interesting idea, but I need to see some documentation on how it works
 before I'm going to download and install it.
  
Well, it looks like the source is available at
  http://svn.sourceforge.net/viewvc/soc2006spamd/ .
  
This is great -- thanks Will -- it's great to have tools like these
finally available under an open source license!
  
  

I have source to sa-learnd to contribute under APACHE license 2.0.
It is for amavisd-new users who want to try this.
(you start sa-learnd  instead of spamd)
SEEMS to work.

any takers? seems to work (ok, with one issue during installation on
thunderbird)


  --j.
  
  
  
  





Re: SpamAssassin Coach - Outlook/Thunderbird Plugin

2006-09-01 Thread Faisal N Jawdat
this is really promising, but i think it sort of points out some  
deficiencies in the current state of handling sa things from the  
client side.


i'm wondering if it would make sense to create a separate learner  
server that deals with this stuff, with this server calling the  
training routines.


on the other hand i wonder if the real solution is something like  
imap protocol extensions for:


learn as spam
learn as ham
learn as whitelisted address
learn as blacklisted address
(anything else?)

...and count on server vendors to integrate with spamassassin.  this  
would have the advantage of not having to write a server (or deal  
with ssl, security, etc.), and not requiring users to configure their  
connection to the spam server, but it also puts a dependency on server  
authors out there.


-faisal



uridnsbl error, info what?

2006-09-01 Thread Chris
I've been testing OpenDNS tonight vice using Earthlink's DNS nameservers.  
Looking at my hourly syslog snip, about half way through my NANAS run I 
noticed the below entries.  First of all, what are these entries telling 
me? Secondly, if this is an error in the uridnsbl plug-in is it possibly 
caused by the change in nameservers?  I did notice that my report time per 
message was a bit slower tonight than usual, it's usually about 
3.1-3.5secs/report, whereas tonight it was about 4.8/report.

Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for 
domain=spamhaus.org, rule=URIBL_XS_SURBL, id=8876 
rr=spamhaus.org.xs.surbl.org. 1 IN A 208.67.219.40 
at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 
626. 
Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for 
domain=otwaloow.com, rule=URIBL_XS_SURBL, id=8880 
rr=otwaloow.com.xs.surbl.org. 1 IN A 208.67.219.40 
at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 
626. 
Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr: 
domain=senderbase.org, zone=multi.uribl.com., id=8871 
rr=senderbase.org.multi.uribl.com. 1 IN A 208.67.219.40 
at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 
638. 

Thanks for any guidance.

-- 
Chris
22:14:47 up 15 days, 4:58, 1 user, load average: 0.02, 0.16, 0.45


pgpGUme3RNh1W.pgp
Description: PGP signature


Re: uridnsbl error, info what?

2006-09-01 Thread Theo Van Dinter
On Fri, Sep 01, 2006 at 10:22:42PM -0500, Chris wrote:
 First of all, what are these entries telling me? Secondly, if this
 is an error in the uridnsbl plug-in is it possibly caused by the change
 in nameservers?

The error is saying that it's looking for a 127/8 result, but it gets
208.67.219.40 (which resolves to a *.opendns.com name btw).  So I would
say that yes, the problems are related to changing your nameservers.

-- 
Randomly Generated Tagline:
There's not much you can do to ruin strips of marinated boneless chicken
 breast sauteed with onions and green peppers.
   - the Center for Science in the Public Interest about Chicken Fajitas


pgp74knuwCOp2.pgp
Description: PGP signature
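
An added example, not part of either message or of SpamAssassin: a Python check that reads the "bogus rr" syslog entries quoted in the question and groups every answer outside 127.0.0.0/8 by the address returned, which is the diagnosis given in the reply above. The function names are this example's own, and the sample log is the three entries from the question re-joined to one line each.

```python
import ipaddress
import re
from collections import defaultdict

# The three syslog entries from the question, re-joined to one line each.
SAMPLE_LOG = """\
Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for domain=spamhaus.org, rule=URIBL_XS_SURBL, id=8876 rr=spamhaus.org.xs.surbl.org. 1 IN A 208.67.219.40 at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 626.
Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for domain=otwaloow.com, rule=URIBL_XS_SURBL, id=8880 rr=otwaloow.com.xs.surbl.org. 1 IN A 208.67.219.40 at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 626.
Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr: domain=senderbase.org, zone=multi.uribl.com., id=8871 rr=senderbase.org.multi.uribl.com. 1 IN A 208.67.219.40 at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 638.
"""

BOGUS_RR = re.compile(
    r"uridnsbl: bogus rr.*?domain=(?P<domain>[^,\s]+),"
    r".*?rr=(?P<qname>\S+)\s+\d+\s+IN\s+A\s+(?P<addr>\S+)")

LISTED = ipaddress.ip_network("127.0.0.0/8")

def is_dnsbl_answer(addr):
    """A URI blocklist signals a listing with an A record inside 127.0.0.0/8."""
    try:
        return ipaddress.ip_address(addr) in LISTED
    except ValueError:
        return False

def parse_bogus(text):
    """Yield (domain, zone, addr) for each 'bogus rr' entry in the log text."""
    for m in BOGUS_RR.finditer(text):
        qname = m["qname"].rstrip(".")
        prefix = m["domain"] + "."
        zone = qname[len(prefix):] if qname.startswith(prefix) else qname
        yield m["domain"], zone, m["addr"]

def resolver_rewrites(text):
    """Map each non-127/8 answer to the blocklist zones it was returned for.

    One address answering for several unrelated zones points at the
    resolver substituting its own answer, not at the blocklists.
    """
    hits = defaultdict(set)
    for _domain, zone, addr in parse_bogus(text):
        if not is_dnsbl_answer(addr):
            hits[addr].add(zone)
    return {addr: sorted(zones) for addr, zones in hits.items()}
```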


Antidrug.cf, call to cease RDJ updates.

2006-09-01 Thread Matt Kettler
Although not yet definite, I am likely switching ISPs starting next
Friday. It is my intent to keep the Comcast account active for about 4
weeks as a fall-back if the new ISP doesn't work out.

However, this means antidrug.cf will be moving, and at some point after
I shut down the account the web hosting will become inactive.

It also means that eventually someone else might get assigned the same
username. This person could possibly pick up on the fact that their
account is being accessed by auto-updaters and attempt to publish a rule
file of a hostile nature (ie: beneficial to spammers, or attempting to
exploit the rule parser).

So, here's your first (of 3) warning to disable RDJ for antidrug until
the move is completed. (If you have SA 3.0.0 or higher you shouldn't be
using antidrug.cf anyway).

I will post another warning 2 weeks before I disconnect the account. By
that time I should also have the new home for antidrug set up and will
post that link.

At 1 week prior, I will post a third warning, and change the file to a
file that will cause errors when loaded into SA and contain warning text
telling them what's going on. I know it's not very nice, but RDJ should
roll the file back just fine, and I really want to make sure folks know
to stop auto-updating. I'm significantly more concerned about leaving
folks vulnerable to an untrusted person adding hostile rules to their
config than any chance of RDJ screwing up the roll-back.

(For reference, I'm switching to Verizon FIOS. FIOS is the only other
practical service available at my address besides Comcast cable.
Satellite, dialup or 640k DSL with twice-daily service outages due to
poor line quality are also options, but all impractical. And yes, I know
Verizon is a bunch of evil, greedy bastards with horrible customer
service, loads of spambots on their lines, and a tendency to spam their
own customers. All of the same is true of Comcast, and at least Verizon
is a bit cheaper and possibly less prone to 2-week outages following
thunderstorms.)