Re: uridnsbl "error", "info" what?

2006-09-02 Thread Chris
On Saturday 02 September 2006 8:46 am, SM wrote:
> At 20:22 01-09-2006, Chris wrote:
> >I've been testing OpenDNS tonight vice using Earthlinks DNS nameservers.
> >Looking at my hourly syslog snip, about half way through my NANAS run I
> >noticed the below entries.  First of all, what are these entries telling
>

> Turn off the "typo correction" feature of OpenDNS.
>
> Regards,
> -sm

Thanks, went there and did that, I'll see how it goes now. Odd also that 
after I went back and started using OpenDNS I finally got their 'welcome' 
page, then after a bit went back and got the 'oops' page. Seems to be 
working though, nslookup shows I'm using their nameservers.

-- 
Chris
22:40:55 up 16 days, 5:24, 1 user, load average: 0.89, 0.72, 0.52





Re: Spam levels up or down?

2006-09-02 Thread David Cary Hart
On Sat, 02 Sep 2006 02:28:14 -0800, John Andersen
<[EMAIL PROTECTED]> opined:
> The Register is running an article saying spam is back up to 81% of
> all email traffic due to newer versions of the Mocbot worm.
> 
> If anything, my traffic has been less of late, and almost
> non-existent since I installed 3.1.5.
> 
> http://www.theregister.com/2006/08/23/mocbot_worm_zombie_surge/

http://tqmcube.com/tide.php

-- 
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
   Don't Subsidize Criminals: http://boulderpledge.org


Re: OS X Server spam still getting through :-(

2006-09-02 Thread John Andersen
On Saturday 02 September 2006 15:18, mikemacfr wrote:
> I'm a bit confused?
>
> I thought amavis was the virus scanner bit? And spamassassin took care of
> the spam bit?

Amavis is a router sort of.  

It takes mail from your mta, sends it thru one or more engines (spamassassin, 
antivirus, and some other more rarely used options) and then (optionally) 
hands it back to your MTA for delivery via yet another engine, procmail, 
cyrus, etc.

It's glue-ware.
-- 
_
John Andersen




Re: OS X Server spam still getting through :-(

2006-09-02 Thread mikemacfr

I'm a bit confused?

I thought amavis was the virus scanner bit? And spamassassin took care of
the spam bit?

Mike


Loren Wilton wrote:
> 
>> Edit your spamd start-up script, or start-up options file (depending on
>> which OS you're running, these may be different). There should be a -L or
>> --local switch in that file. Remove it to enable network tests.
>>
>> I have commented out this line in the spamd file and done a restart. So
>> this may have already helped some?
>
> I'm not sure Amavis actually uses spamd, I think it calls the SA routines
> directly.  If so there is no actual reason to run spamc/spamd on your
> system.  Again, one of the Amavis people will know this for sure.  There
> may be an equivalent "local only" setting for amavis in one of its config
> files.
>
> If you start seeing hit information in your messages they will show
> moderately well whether you are using network tests, since typically some
> of the network test rule names should show up on almost any spam.
> 
> Loren
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/OS-X-Server-spam-still-getting-through-%3A-%28-tf2206629.html#a6117499
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: OS X Server spam still getting through :-(

2006-09-02 Thread Loren Wilton

> Edit your spamd start-up script, or start-up options file (depending on
> which OS you're running, these may be different). There should be a -L or
> --local switch in that file. Remove it to enable network tests.
>
> I have commented out this line in the spamd file and done a restart. So
> this may have already helped some?

I'm not sure Amavis actually uses spamd, I think it calls the SA routines
directly.  If so there is no actual reason to run spamc/spamd on your
system.  Again, one of the Amavis people will know this for sure.  There may
be an equivalent "local only" setting for amavis in one of its config files.

If you start seeing hit information in your messages they will show
moderately well whether you are using network tests, since typically some of
the network test rule names should show up on almost any spam.


   Loren



Re: OS X Server spam still getting through :-(

2006-09-02 Thread Bill Randle
On Sat, 2006-09-02 at 12:49 -0700, mikemacfr wrote:
> Ok, one of the first replies to this thread pointed to:
> 
> Have you checked out http://wiki.apache.org/spamassassin/UsingSpamAssassin 
> ("Spam getting through?")? 
> 
> 
> Which I have looked at and saw the following there:
> 
> Edit your spamd start-up script, or start-up options file (depending on
> which OS you're running, these may be different). There should be a -L or
> --local switch in that file. Remove it to enable network tests.
> 
> I have commented out this line in the spamd file and done a restart. So this
> may have already helped some?

Except if you're using amavisd-new, you don't use spamd unless you
have some strange configuration. You usually use one or the other
but not both.

-Bill




Re: OS X Server spam still getting through :-(

2006-09-02 Thread mikemacfr

Ok, one of the first replies to this thread pointed to:

Have you checked out http://wiki.apache.org/spamassassin/UsingSpamAssassin 
("Spam getting through?")? 


Which I have looked at and saw the following there:

Edit your spamd start-up script, or start-up options file (depending on
which OS you're running, these may be different). There should be a -L or
--local switch in that file. Remove it to enable network tests.

I have commented out this line in the spamd file and done a restart. So this
may have already helped some?


Mike



Loren Wilton wrote:
> 
> Assuming you also restarted amavis so it will see the change, you should
> now be getting some more headers in your mail messages.  You should see
> headers similar to the following in a typical non-spam mail:
>
> X-Spam-Virus: No
> X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on
>  morticia.wizardess.wiz
> X-Spam-Level:
> X-Spam-Status: No, score=-95.6 required=4.6 tests=BAYES_50,DK_POLICY_SIGNSOME,
>  FM_NO_STYLE,HELO_EQ_DSL,HOST_EQ_DSL,HTML_10_20,HTML_FONT_BIG,
>  HTML_MESSAGE,SPF_PASS,USER_IN_WHITELIST autolearn=disabled
>  version=3.1.4
>
> From the above you can see which tests hit on the mail. By implication you
> can see what tests are running, and possibly which rules you have loaded on
> the system.  You can also detect some configuration errors that can lead
> to spam leaking through.
>
> When you see some of these for a spam that leaks through, post the full
> thing including the headers and body.  I have a hunch you may not be
> running network tests, and either aren't running Bayes or it is mistrained.
> It is possible you have a problem with the trust path, since that is a
> common misconfiguration.  We will be able to tell that from the headers.
> 
> Loren
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/OS-X-Server-spam-still-getting-through-%3A-%28-tf2206629.html#a6115926
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: Spam levels up or down?

2006-09-02 Thread jdow

From: "John D. Hardin" <[EMAIL PROTECTED]>


On Sat, 2 Sep 2006, jdow wrote:


Hm, I have a suspicion that the spam is being targeted quite
differently then. Until the end of June I used to get about 250 to
300 spams a day. I am down to 90 to 150 per day now. It's unreal.
Note that I am quite sincerely pleased by this development.


...you think maybe they are listwashing SA list members?


It could be more material caught by AV programs as a percentage. I
do not see the viruses here.

{^_^}


Re: OS X Server spam still getting through :-(

2006-09-02 Thread Loren Wilton
Assuming you also restarted amavis so it will see the change, you should now
be getting some more headers in your mail messages.  You should see headers
similar to the following in a typical non-spam mail:

X-Spam-Virus: No
X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on
 morticia.wizardess.wiz
X-Spam-Level:
X-Spam-Status: No, score=-95.6 required=4.6 tests=BAYES_50,DK_POLICY_SIGNSOME,
 FM_NO_STYLE,HELO_EQ_DSL,HOST_EQ_DSL,HTML_10_20,HTML_FONT_BIG,
 HTML_MESSAGE,SPF_PASS,USER_IN_WHITELIST autolearn=disabled
 version=3.1.4

From the above you can see which tests hit on the mail. By implication you
can see what tests are running, and possibly which rules you have loaded on
the system.  You can also detect some configuration errors that can lead to
spam leaking through.


When you see some of these for a spam that leaks through, post the full 
thing including the headers and body.  I have a hunch you may not be running 
network tests, and either aren't running Bayes or it is mistrained.  It is 
possible you have a problem with the trust path, since that is a common 
misconfiguration.  We will be able to tell that from the headers.


   Loren
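
An added example, not part of Loren's post: a small parser for the folded X-Spam-Status header he quotes, which lists the rules that hit and separates out the ones that imply network tests or Bayes are running. The prefix list used to recognise network rules is an assumption (a heuristic based on stock rule naming), and both sample messages are constructed from headers shown in this thread.

```python
import re
from email import message_from_string

# Assumption: rule-name prefixes that indicate a network (DNS/remote) test.
# This is a naming heuristic, not a list taken from SpamAssassin itself.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "RAZOR2_", "PYZOR_", "DCC_",
                    "SPF_", "DK_", "DNS_FROM_")

# Constructed sample: the headers quoted above, with header folding restored.
TAGGED_SAMPLE = """\
X-Spam-Virus: No
X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on
 morticia.wizardess.wiz
X-Spam-Level:
X-Spam-Status: No, score=-95.6 required=4.6
 tests=BAYES_50,DK_POLICY_SIGNSOME,
 FM_NO_STYLE,HELO_EQ_DSL,HOST_EQ_DSL,HTML_10_20,HTML_FONT_BIG,
 HTML_MESSAGE,SPF_PASS,USER_IN_WHITELIST autolearn=disabled
 version=3.1.4
Subject: constructed test message

body
"""

# Constructed sample: the only scanner headers present on Mike's mail.
UNTAGGED_SAMPLE = """\
MTA-Interface: amavisd-new-2.3.3 (20050822) at mail.powerconsult.no
X-Spam-Scanned: using SpamAssassin 3.1.4 (2006-07-25) at
 mail.powerconsult.no
X-Virus-Scanned: using Clamav 0.87.0 (2005-09-16) at mail.powerconsult.no
Subject: constructed test message

body
"""


def parse_spam_status(value):
    """Split an X-Spam-Status value into verdict, score fields and rule names."""
    # Undo folding, then glue the test list back together where a fold
    # landed right after a comma.
    flat = re.sub(r",\s+", ",", " ".join(value.split()))
    verdict, _, rest = flat.partition(",")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    tests = [t for t in fields.get("tests", "").split(",") if t and t != "none"]
    return {
        "is_spam": verdict.strip().lower() == "yes",
        "score": float(fields["score"]) if "score" in fields else None,
        "required": float(fields["required"]) if "required" in fields else None,
        "tests": tests,
        "autolearn": fields.get("autolearn"),
    }


def diagnose(raw_message):
    """Report what the scanner headers of one message reveal about the setup."""
    msg = message_from_string(raw_message)
    status = msg.get("X-Spam-Status")
    if status is None:
        # The case discussed in this thread: amavisd-new scanned the mail but
        # added no detail because the score was under $sa_tag_level_deflt.
        scanned = msg.get("X-Spam-Scanned") is not None
        return {
            "status_header_present": False,
            "hint": ("scanned but untagged: score below $sa_tag_level_deflt"
                     if scanned else "no sign of a spam scan"),
        }
    report = parse_spam_status(status)
    tests = report["tests"]
    report.update(
        status_header_present=True,
        network_tests=[t for t in tests if t.startswith(NETWORK_PREFIXES)],
        bayes_tests=[t for t in tests if t.startswith("BAYES_")],
    )
    return report


if __name__ == "__main__":
    for name, sample in (("tagged", TAGGED_SAMPLE), ("untagged", UNTAGGED_SAMPLE)):
        print(name, diagnose(sample))
```

An empty `network_tests` list on mail that is obviously spam is the symptom Loren describes; an absent header points at the amavisd-new tag level instead.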



RE: OS X Server spam still getting through :-(

2006-09-02 Thread Michael Scheidell

> -----Original Message-----
> From: mikemacfr [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, September 02, 2006 1:55 PM
> To: users@spamassassin.apache.org
> Subject: Re: OS X Server spam still getting through :-(


> (amavisd-new, port 10024)  with ESMTP id 26144-09; Sat,  2 

Another option is that there is an 'amavis-user@lists.sourceforge.net' list
just for amavisd-new.

Since there are subtle differences in setup, debugging, etc, you might
bring your questions there.

Main web site (with faq's, etc):

http://www.ijs.si/software/amavisd/
Sign up here:




Re: OS X Server spam still getting through :-(

2006-09-02 Thread mikemacfr

OK, I've done that now and restarted the mail server and postfix.

What next?

Mike


Bill Randle wrote:
> 
> On Sat, 2006-09-02 at 10:59 -0700, mikemacfr wrote:
>> This reads $sa_tag_level_deflt  = 2.0; # add spam info headers if at, or
>> above that level;
>> 
>> at the moment, so you want me to change 2.0 to -99?
> 
> Yes. At 2.0, it means that a spam will have to score 2.0 or greater
> before amavis logs the spam detection info.
> 
>   -Bill
> 
> 
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/OS-X-Server-spam-still-getting-through-%3A-%28-tf2206629.html#a6115563
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: OS X Server spam still getting through :-(

2006-09-02 Thread Bill Randle
On Sat, 2006-09-02 at 10:59 -0700, mikemacfr wrote:
> This reads $sa_tag_level_deflt  = 2.0; # add spam info headers if at, or
> above that level;
> 
> at the moment, so you want me to change 2.0 to -99?

Yes. At 2.0, it means that a spam will have to score 2.0 or greater
before amavis logs the spam detection info.

-Bill





Re: OS X Server spam still getting through :-(

2006-09-02 Thread mikemacfr

This reads $sa_tag_level_deflt  = 2.0; # add spam info headers if at, or
above that level;

at the moment, so you want me to change 2.0 to -99?


Mike



Bill Randle wrote:
> 
> 
> Change $sa_tag_level_deflt to -99 in /etc/amavisd/amavisd.conf, or
> wherever the amavisd config file is located. This will report the
> SA info in the mail logs for any mail scored greater than -99.
> 
>   -Bill
> 
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/OS-X-Server-spam-still-getting-through-%3A-%28-tf2206629.html#a6115089
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: OS X Server spam still getting through :-(

2006-09-02 Thread mikemacfr

This is a typical spam mail:

Return-Path: <[EMAIL PROTECTED]>
Received: from murder ([unix socket])
 by powerconsult.no (Cyrus v2.2.12-OS X 10.4.0) with LMTPA;
 Sat, 02 Sep 2006 15:15:19 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
by powerconsult.no (Postfix) with ESMTP id 9EFEAAB1DCA;
Sat,  2 Sep 2006 15:15:19 +0200 (CEST)
Received: from powerconsult.no ([127.0.0.1])
 by localhost (mail.powerconsult.no [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 26144-09; Sat,  2 Sep 2006 15:15:07 +0200 (CEST)
Received: from aley.net (unknown [219.146.60.254])
by powerconsult.no (Postfix) with SMTP id 9E801AB1DB3;
Sat,  2 Sep 2006 15:14:57 +0200 (CEST)
Message-ID: <[EMAIL PROTECTED]>
Date: Sat, 02 Sep 2006 03:18:58 +0100
Reply-To: "jeane nelson" <[EMAIL PROTECTED]>
From: "jeane nelson" <[EMAIL PROTECTED]>
User-Agent: QUALCOMM Windows Eudora Version 6.0.0.22
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Jesse Gonzalez" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Subject: FW:Do away with all you are indebted for without mailing another
cent
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
MTA-Interface: amavisd-new-2.3.3 (20050822) at mail.powerconsult.no
X-Spam-Scanned: using SpamAssassin 3.1.4 (2006-07-25) at
mail.powerconsult.no
X-Virus-Scanned: using Clamav 0.87.0 (2005-09-16) at mail.powerconsult.no


Clear of card bills immediately not even spending an other dime.  See the
details when ever you want.

P H O N E
1 314- 4--1--4--4 0 0 1

Meticulous info or to being to a standstill getting or to  postal address

"it's all right!" said hermione kindly, hurrying forward to help her. "here
.."   ."it is called hogwarts," said dumbledore. 
"well, there they go, and i think we're all surprised to see the team that
potter's put together this year. many thought, given ronald weasley's patchy
performance as keeper last year, that he might be off the team, but of
course, a close personal friendship with the captain does help. . . ." m1



What sort of spams are making it through?  Stock spams?  Or just all the 
usual stuff?  You may not be running any addon rule sets, and SA out of the 
box isn't as good as it could be against stock spams.

Loren



Mike
-- 
View this message in context: 
http://www.nabble.com/OS-X-Server-spam-still-getting-through-%3A-%28-tf2206629.html#a6115054
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: OS X Server spam still getting through :-(

2006-09-02 Thread Bill Randle
On Sat, 2006-09-02 at 09:59 -0700, Loren Wilton wrote:
> > In the meantime here is the mail I got based on your reply!
> 
> > MTA-Interface: amavisd-new-2.3.3 (20050822) at mail.powerconsult.no
> > X-Spam-Scanned: using SpamAssassin 3.1.4 (2006-07-25) at
> >  mail.powerconsult.no
> 
> It looks like you are using amavis-new to integrate SA in to the mail chain.
>
> There is a way to change the amavis config to get around this, but I'm not an
> Amavis person and can't help you.  You could probably find it with
> considerable effort searching the archives, but someone else that knows
> amavis will likely respond soon.

Change $sa_tag_level_deflt to -99 in /etc/amavisd/amavisd.conf, or
wherever the amavisd config file is located. This will report the
SA info in the mail logs for any mail scored greater than -99.

-Bill




Re: Spam levels up or down?

2006-09-02 Thread John D. Hardin
On Sat, 2 Sep 2006, jdow wrote:

> Hm, I have a suspicion that the spam is being targeted quite
> differently then. Until the end of June I used to get about 250 to
> 300 spams a day. I am down to 90 to 150 per day now. It's unreal.
> Note that I am quite sincerely pleased by this development.

...you think maybe they are listwashing SA list members?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Windows and its users got mentioned at home today, after my wife the
 psych major brought up Seligman's theory of "learned helplessness."
 -- Dan Birchall in a.s.r
---
 15 days until The 219th anniversary of the signing of the U.S. Constitution



Re: OS X Server spam still getting through :-(

2006-09-02 Thread Loren Wilton

> In the meantime here is the mail I got based on your reply!

> MTA-Interface: amavisd-new-2.3.3 (20050822) at mail.powerconsult.no
> X-Spam-Scanned: using SpamAssassin 3.1.4 (2006-07-25) at
>  mail.powerconsult.no

It looks like you are using amavis-new to integrate SA in to the mail chain.
One of its unfortunate effects for debugging is that it doesn't actually
include the mail output from SA if SA decides that it isn't spam.  So we
have lost all indications of which rules hit and what didn't hit on the
mail, and are only left with Amavis' indication that the mail was in fact
scanned.

There is a way to change the amavis config to get around this, but I'm not an
Amavis person and can't help you.  You could probably find it with
considerable effort searching the archives, but someone else that knows
amavis will likely respond soon.


What sort of spams are making it through?  Stock spams?  Or just all the 
usual stuff?  You may not be running any addon rule sets, and SA out of the 
box isn't as good as it could be against stock spams.


   Loren



Re: Spam levels up or down?

2006-09-02 Thread jdow

From: <[EMAIL PROTECTED]>



From: "Nigel Frankcom" <[EMAIL PROTECTED]>
On Sat, 02 Sep 2006 02:28:14 -0800, John Andersen <[EMAIL PROTECTED]>
wrote:


The Register is running an article saying spam is back up to 81% of all
email traffic due to newer versions of the Mocbot worm.

If anything, my traffic has been less of late, and almost non-existent
since I installed 3.1.5.

http://www.theregister.com/2006/08/23/mocbot_worm_zombie_surge/


I'd agree with el reg, we've seen a large rise in spam and viruses of
late and we are not a large org by any means.

http://www.blue-canoe.com/stats/index.php?D1=9

Nigel

Hm, I have a suspicion that the spam is being targeted quite differently
then. Until the end of June I used to get about 250 to 300 spams a day.
I am down to 90 to 150 per day now. It's unreal. Note that I am quite
sincerely pleased by this development.

{^_^}


I see an increase in messages with non existent sender domain as well as some new
bcc-addressed stuff


I am counting only my own email and have Earthlink's anti-virus inline
before the email even gets to me. If the composition of the email and
the modus of attack has changed that more or less explains the huge
drop that happened over the weekend before the Fourth of July.
{^_^}


RE: Invalid date header

2006-09-02 Thread Michael Scheidell


> -----Original Message-----
> From: Andreas Pettersson [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, September 02, 2006 11:52 AM
> To: SpamAssassin
> Subject: Invalid date header
> 
> 
> Hi. I got a mail with this Date header:
> Date: 
> 
> which triggered this rule:
> 2.2 INVALID_DATE           Invalid Date: header (not RFC 2822)
> 
> What's wrong with it?  The <> ?

Yes


Invalid date header

2006-09-02 Thread Andreas Pettersson

Hi. I got a mail with this Date header:
Date: 

which triggered this rule:
2.2 INVALID_DATE           Invalid Date: header (not RFC 2822)

What's wrong with it?  The <> ?


Regards,
Andreas



Re: Spam levels up or down?

2006-09-02 Thread hamann . w


>From: "Nigel Frankcom" <[EMAIL PROTECTED]>
>On Sat, 02 Sep 2006 02:28:14 -0800, John Andersen <[EMAIL PROTECTED]>
>wrote:
>
>>The Register is running an article saying spam is back up to 81% of all
>>email traffic due to newer versions of the Mocbot worm.
>>
>>If anything, my traffic has been less of late, and almost non-existent
>>since I installed 3.1.5.
>>
>>http://www.theregister.com/2006/08/23/mocbot_worm_zombie_surge/
>
>I'd agree with el reg, we've seen a large rise in spam and viruses of
>late and we are not a large org by any means.
>
>http://www.blue-canoe.com/stats/index.php?D1=9
>
>Nigel
>
>Hm, I have a suspicion that the spam is being targeted quite differently
>then. Until the end of June I used to get about 250 to 300 spams a day.
>I am down to 90 to 150 per day now. It's unreal. Note that I am quite
>sincerely pleased by this development.
>
>{^_^}

I see an increase in messages with non existent sender domain as well as some new
bcc-addressed stuff

Wolfgang Hamann



Re: new problem after upgrade perl modeul to 3.1.4(from 3.1.2)

2006-09-02 Thread Theo Van Dinter
On Sat, Sep 02, 2006 at 04:10:45AM -0700, Linda Walsh wrote:
> Am I missing some needed configuration somewhere, or is the
> above a problem? 
> 
> It seems to be happening with every message.

It's a bug in Text::Wrap.  See
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5056

-- 
Randomly Generated Tagline:
"Windows 95 is the only true Operating System -- it does whatever it wants.
 All others should be called Co-Operating Systems." - Unknown




Re: Spam levels up or down?

2006-09-02 Thread Nigel Frankcom
On Sat, 2 Sep 2006 06:15:28 -0700, "jdow" <[EMAIL PROTECTED]> wrote:

>From: "Nigel Frankcom" <[EMAIL PROTECTED]>
>On Sat, 02 Sep 2006 02:28:14 -0800, John Andersen <[EMAIL PROTECTED]>
>wrote:
>
>>The Register is running an article saying spam is back up to 81% of all
>>email traffic due to newer versions of the Mocbot worm.
>>
>>If anything, my traffic has been less of late, and almost non-existent
>>since I installed 3.1.5.
>>
>>http://www.theregister.com/2006/08/23/mocbot_worm_zombie_surge/
>
>I'd agree with el reg, we've seen a large rise in spam and viruses of
>late and we are not a large org by any means.
>
>http://www.blue-canoe.com/stats/index.php?D1=9
>
>Nigel
>
>Hm, I have a suspicion that the spam is being targeted quite differently
>then. Until the end of June I used to get about 250 to 300 spams a day.
>I am down to 90 to 150 per day now. It's unreal. Note that I am quite
>sincerely pleased by this development.
>
>{^_^}

Targeted at a few domains, yes, I'd agree. That said there's a group
of 5 networks that work together, we are all seeing similar. I'm
getting hit the least. As you can see from the numbers the RBLs deal
with most of it and SA only sees a relatively small percentage.

One notable feature last month was the large increase in viruses. The
single instance of Infected and rejected are related, as is Autoban,
though autoban also deals with dictionary attacks and repeat spammers.
Send (n) mails to fake addy's or (n) spam and you end up in there.

That approach has helped to keep the load on the SA machines
manageable.

All of the above aside, I'm at a loss as to why some of our domains
are hit so hard; the vast majority of that spam is aimed at 6 or 7
domains. Failover is a big attractor, we've combated that by keeping
local copies of the users on all machines so that only mail to real
users is accepted.

I did note a major drop off in June/July, but silly season (August)
brought it all back to 'normal'.

It's quite scary to see just how much rubbish is being dealt with by
both the server and SA - I raise my hat to both, between them they
make my life a hell of a lot easier :-D

Kind regards

Nigel


Re: uridnsbl "error", "info" what?

2006-09-02 Thread SM

At 20:22 01-09-2006, Chris wrote:

>I've been testing OpenDNS tonight vice using Earthlinks DNS nameservers.
>Looking at my hourly syslog snip, about half way through my NANAS run I
>noticed the below entries.  First of all, what are these entries telling

[snip]

>Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for
>domain=spamhaus.org, rule=URIBL_XS_SURBL, id=8876
>rr=spamhaus.org.xs.surbl.org. 1 IN A 208.67.219.40
>at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line
>626.


Turn off the "typo correction" feature of OpenDNS.

Regards,
-sm 
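
An added example, not part of SM's reply: a log check for the condition in Chris's syslog line. By DNSBL convention a listed name resolves to an address in 127.0.0.0/8 and an unlisted name returns NXDOMAIN, so the same ordinary address coming back from several unrelated zones suggests the resolver is substituting its own answer for NXDOMAIN. The first log line is the one from this thread re-joined onto one line; the others are constructed, and `URIBL_EXAMPLE` / `dnsbl.example.org` are hypothetical names.

```python
import ipaddress
import re
from collections import defaultdict

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
PM = "/usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm"

# Matches the "bogus rr" warning format shown in the thread.
BOGUS_RR = re.compile(
    r"uridnsbl: bogus rr for domain=(?P<domain>[^,\s]+),\s+"
    r"rule=(?P<rule>[^,\s]+),\s+id=\d+\s+"
    r"rr=(?P<qname>\S+)\s+\d+\s+IN\s+A\s+(?P<answer>\d+\.\d+\.\d+\.\d+)"
)

LOG_LINES = [
    # From the thread.
    "Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for "
    "domain=spamhaus.org, rule=URIBL_XS_SURBL, id=8876 "
    "rr=spamhaus.org.xs.surbl.org. 1 IN A 208.67.219.40 at " + PM + " line 626.",
    # Constructed: same answer from a second zone.
    "Sep  1 21:51:26 localhost spamd[10939]: uridnsbl: bogus rr for "
    "domain=example.com, rule=URIBL_JP_SURBL, id=8877 "
    "rr=example.com.multi.surbl.org. 1 IN A 208.67.219.40 at " + PM + " line 626.",
    # Constructed: same answer from a hypothetical third zone.
    "Sep  1 21:51:27 localhost spamd[10939]: uridnsbl: bogus rr for "
    "domain=example.net, rule=URIBL_EXAMPLE, id=8878 "
    "rr=example.net.dnsbl.example.org. 1 IN A 208.67.219.40 at " + PM + " line 626.",
    # Constructed: unrelated spamd line that must be ignored.
    "Sep  1 21:51:28 localhost spamd[10939]: spamd: clean message (0.1/5.0) "
    "for chris:500 in 2.3 seconds, 1024 bytes.",
]


def bogus_answers(lines):
    """Map each answer outside 127.0.0.0/8 to the DNSBL zones that returned it."""
    zones_by_ip = defaultdict(set)
    for line in lines:
        m = BOGUS_RR.search(line)
        if not m:
            continue
        try:
            answer = ipaddress.ip_address(m["answer"])
        except ValueError:
            continue  # malformed address in the log line
        if answer in LOOPBACK:
            continue  # a normal DNSBL return code, not a rewritten answer
        # The queried name is "<domain>.<zone>."; strip the domain to get the zone.
        qname = m["qname"].rstrip(".")
        prefix = m["domain"] + "."
        zone = qname[len(prefix):] if qname.startswith(prefix) else qname
        zones_by_ip[str(answer)].add(zone)
    return {ip: sorted(zones) for ip, zones in zones_by_ip.items()}


def rewriting_resolver_ips(lines, min_zones=2):
    """Addresses returned by at least min_zones different zones."""
    found = bogus_answers(lines)
    return sorted(ip for ip, zones in found.items() if len(zones) >= min_zones)


if __name__ == "__main__":
    print(bogus_answers(LOG_LINES))
    print(rewriting_resolver_ips(LOG_LINES))
```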



Re: Please sanity check these ideas for rules.

2006-09-02 Thread mouss

Michael W Cocke wrote:

> I've got every ruleset & blacklist available and I'm still getting
> buried - the bayes poison in all of the recent spam has wrecked that.
> Does anyone see a reason why I can't assume messages with blank
> subjects are junk?

(counter) examples are available on this list (see a message sent on
2006/07/27) and on other lists. I've also seen many corporate mails with
empty subject (forgotten, or considered irrelevant by the sender). It
even happens to me from time to time (delete the subject to replace it,
then see an error in the body, switch to correct the body, then forget
that the subject was deleted).

you'd better look for other patterns. If your bayes isn't performing
well, trash it and retrain SA using manually inspected mail. This should
cut a lot of spam.

Also, if you receive legitimate mail that has spam patterns
(really-opt-in newsletters), you'd better create special addresses to
subscribe these, and not use these addresses for bayes training.

> Also, I've got an idea about maybe doing an
> nslookup on the envelope sender domain and junking anything without an
> entry.  I'm probably missing something that I should consider,
> especially on that last one.  Would anyone care to educate me what I'm
> missing?

you can reject senders if domain doesn't exist for sure. do this in your
MTA. your MTA should return a temp failure in case of dns temp failures
though. and you'd better get your DNS setup correctly working (have a
cache dns on your mail server or on another box with good connectivity).


Re: Spam levels up or down?

2006-09-02 Thread jdow

From: "Nigel Frankcom" <[EMAIL PROTECTED]>
On Sat, 02 Sep 2006 02:28:14 -0800, John Andersen <[EMAIL PROTECTED]>
wrote:


The Register is running an article saying spam is back up to 81% of all
email traffic due to newer versions of the Mocbot worm.

If anything, my traffic has been less of late, and almost non-existent
since I installed 3.1.5.

http://www.theregister.com/2006/08/23/mocbot_worm_zombie_surge/


I'd agree with el reg, we've seen a large rise in spam and viruses of
late and we are not a large org by any means.

http://www.blue-canoe.com/stats/index.php?D1=9

Nigel

Hm, I have a suspicion that the spam is being targeted quite differently
then. Until the end of June I used to get about 250 to 300 spams a day.
I am down to 90 to 150 per day now. It's unreal. Note that I am quite
sincerely pleased by this development.

{^_^}


Re: OS X Server spam still getting through :-(

2006-09-02 Thread mikemacfr

OK, I'll take a look!


In the meantime here is the mail I got based on your reply!

(By the way er du Norsk?)


Mike

Return-Path: <[EMAIL PROTECTED]>
Received: from murder ([unix socket])
 by powerconsult.no (Cyrus v2.2.12-OS X 10.4.0) with LMTPA;
 Sat, 02 Sep 2006 13:54:16 +0200
X-Sieve: CMU Sieve 2.2
Received: from localhost (localhost [127.0.0.1])
by powerconsult.no (Postfix) with ESMTP id 8EB27AB131B
for <[EMAIL PROTECTED]>; Sat,  2 Sep 2006 13:54:16 +0200 (CEST)
Received: from powerconsult.no ([127.0.0.1])
 by localhost (mail.powerconsult.no [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 25230-12 for <[EMAIL PROTECTED]>;
 Sat,  2 Sep 2006 13:54:04 +0200 (CEST)
Received: from talk.nabble.com (www.nabble.com [72.21.53.35])
by powerconsult.no (Postfix) with ESMTP id 04BEEAB12FB
for <[EMAIL PROTECTED]>; Sat,  2 Sep 2006 13:54:04 +0200 (CEST)
Received: from [72.21.53.38] (helo=jubjub.nabble.com)
by talk.nabble.com with esmtp (Exim 4.50)
id 1GJU4Z-00054X-Jb
for [EMAIL PROTECTED]; Sat, 02 Sep 2006 04:54:03 -0700
Message-ID: <[EMAIL PROTECTED]>
Date: Sat, 2 Sep 2006 04:54:03 -0700 (PDT)
From: Nabble Alerts <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: OS X Server spam still getting through :-(
MIME-Version: 1.0
Content-Type: multipart/alternative; 
boundary="=_Part_543_9535095.1157198043606"
MTA-Interface: amavisd-new-2.3.3 (20050822) at mail.powerconsult.no
X-Spam-Scanned: using SpamAssassin 3.1.4 (2006-07-25) at
mail.powerconsult.no
X-Virus-Scanned: using Clamav 0.87.0 (2005-09-16) at mail.powerconsult.no

--=_Part_543_9535095.1157198043606
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


Nabble email alert: 
New reply to your post "OS X Server spam still getting through :-("
Re: OS X Server spam still getting through :-( - 3 star
On Saturday 02 September 2006 12:31, mikemacfr took the opportunity to say:
> I'm completely new to this list and am not a UNIX person.
>
> I have ...
by Magnus Holmgren on 2006-09-02 in the SpamAssassin - Users forum:
http://www.nabble.com/OS-X-Server-spam-still-getting-through-%3A-%28-tf2206629.html#a6111933

Delete this alert:
http://www.nabble.com/alerts/DeleteReplyAlert.jtp?post=6111393&p=1511302

---
DO NOT REPLY TO THIS E-MAIL.

Replies sent to this address are not read or processed.
If you want to respond to a Nabble post for which you received this alert,
please go to the Nabble website:
http://www.nabble.com/OS-X-Server-spam-still-getting-through-%3A-%28-tf2206629.html#a6111933


--=_Part_543_9535095.1157198043606
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit


Nabble email alert
New reply to your post OS X Server spam still getting through :-(

http://www.nabble.com/OS-X-Server-spam-still-getting-through-%3A-%28-tf2206629.html#a6111933
Re: OS X Server spam still getting through :-(  - 3 star
On Saturday 02 September 2006 12:31, mikemacfr took the opportunity to say:
> I'm completely new to this list and am not a UNIX person.
>
> I have ...
by Magnus Holmgren on 2006-09-02 in the SpamAssassin - Users
forum

http://www.nabble.com/alerts/DeleteReplyAlert.jtp?post=6111393&p=1511302
Delete  this alert.



DO NOT REPLY TO THIS E-MAIL.
Replies sent to this address are not read or processed.
If you want to respond to a Nabble post for which you received this alert,
please go to the 
http://www.nabble.com/OS-X-Server-spam-still-getting-through-%3A-%28-tf2206629.html#a6111933
Nabble website .



--=_Part_543_9535095.1157198043606--




Magnus Holmgren wrote:
> 
> On Saturday 02 September 2006 12:31, mikemacfr took the opportunity to
> say:
>> I'm completely new to this list and am not a UNIX person.
>>
>> I have SpamAssassin 3.1.4 installed on our mail server together with
>> Squirrel and Amavis-new.
>>
>> Spam is still getting through at an unacceptable rate and I haven't got a
>> clue how fault find
>> what's going wrong?
> 
> Have you checked out http://wiki.apache.org/spamassassin/UsingSpamAssassin 
> ("Spam getting through?")?
> 
> If you need more help you can attach one or two spam mails for us to
> analyze.
> 
> -- 
> Magnus Holmgren        [EMAIL PROTECTED]
>    (No Cc of list mail needed, thanks)
> 
> 

-- 
View this message in context: 
http://www.nabble.com/OS-X-Server-spam-still-getting-through-%3A-%28-tf2206629.html#a6112023
Sent from the SpamAssassin - Users forum at Nabble.com.



Re: OS X Server spam still getting through :-(

2006-09-02 Thread Magnus Holmgren
On Saturday 02 September 2006 12:31, mikemacfr took the opportunity to say:
> I'm completely new to this list and am not a UNIX person.
>
> I have SpamAssassin 3.1.4 installed on our mail server together with
> Squirrel and Amavis-new.
>
> Spam is still getting through at an unacceptable rate and I haven't got a
> clue how fault find
> what's going wrong?

Have you checked out http://wiki.apache.org/spamassassin/UsingSpamAssassin 
("Spam getting through?")?

If you need more help you can attach one or two spam mails for us to analyze.

-- 
Magnus Holmgren        [EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Re: Spam levels up or down?

2006-09-02 Thread Nigel Frankcom
On Sat, 02 Sep 2006 02:28:14 -0800, John Andersen <[EMAIL PROTECTED]>
wrote:

>The Register is running an article saying spam is back up to 81% of all
>email traffic due to newer versions of the Mocbot worm.
>
>If anything, my traffic has been less of late, and almost non-existent
>since I installed 3.1.5.
>
>http://www.theregister.com/2006/08/23/mocbot_worm_zombie_surge/

I'd agree with el reg, we've seen a large rise in spam and viruses of
late and we are not a large org by any means.

http://www.blue-canoe.com/stats/index.php?D1=9

Nigel


new problem after upgrade perl modeul to 3.1.4(from 3.1.2)

2006-09-02 Thread Linda Walsh

I just updated to a newer version of SpamAssassin a few days ago.

Since then I'm getting regular error messages in my spamlog:
Sep  2 03:46:03 Ishtar spamd[13106]: (?:(?<=[\s,]))* matches null string many times in regex; marked by <-- HERE in m/\G(?:(?<=[\s,]))* <-- HERE \Z/ at /usr/lib/perl5/5.8.8/Text/Wrap.pm line 46.
Sep  2 03:49:04 Ishtar spamd[13087]: (?:(?<=[\s,]))* matches null string many times in regex; marked by <-- HERE in m/\G(?:(?<=[\s,]))* <-- HERE \Z/ at /usr/lib/perl5/5.8.8/Text/Wrap.pm line 46.
Sep  2 03:52:02 Ishtar spamd[13443]: (?:(?<=[\s,]))* matches null string many times in regex; marked by <-- HERE in m/\G(?:(?<=[\s,]))* <-- HERE \Z/ at /usr/lib/perl5/5.8.8/Text/Wrap.pm line 46.

...etc..etc...


Am I missing some needed configuration somewhere, or is the
above a problem? 


It seems to be happening with every message.

Um...is this like "unsolicited reporting of a bogus condition" and would 
it fall into syslog-spam? :-)


tnx,
Linda



OS X Server spam still getting through :-(

2006-09-02 Thread mikemacfr

I'm completely new to this list and am not a UNIX person.

I have SpamAssassin 3.1.4 installed on our mail server together with
Squirrel and Amavis-new.

Spam is still getting through at an unacceptable rate and I haven't got a
clue how to fault-find what's going wrong?

Is there anyone who could help me with this?

Mike



Spam levels up or down?

2006-09-02 Thread John Andersen
The Register is running an article saying spam is back up to 81% of all
email traffic due to newer versions of the Mocbot worm.

If anything, my traffic has been less of late, and almost non-existent
since I installed 3.1.5.

http://www.theregister.com/2006/08/23/mocbot_worm_zombie_surge/
-- 
_
John Andersen




Re: uridnsbl "error", "info" what?

2006-09-02 Thread Jeff Chan
On Friday, September 1, 2006, 8:22:42 PM, Chris Chris wrote:
> I've been testing OpenDNS tonight vice using Earthlink's DNS nameservers.  
> Looking at my hourly syslog snip, about half way through my NANAS run I 
> noticed the below entries.  First of all, what are these entries telling 
> me? Secondly, if this is an error in the uridnsbl plug-in is it possibly 
> caused by the change in nameservers?  I did notice that my report time per 
> message was a bit slower tonight than usual, it's usually about 
> 3.1-3.5secs/report, whereas tonight it was about 4.8/report.

> Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for 
> domain=spamhaus.org, rule=URIBL_XS_SURBL, id=8876 
> rr=spamhaus.org.xs.surbl.org. 1 IN A 208.67.219.40 
> at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 
> 626. 
> Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for 
> domain=otwaloow.com, rule=URIBL_XS_SURBL, id=8880 
> rr=otwaloow.com.xs.surbl.org. 1 IN A 208.67.219.40 
> at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 
> 626. 

BTW, please stop using xs.surbl.org until you hear otherwise.
It's a test list that's sort of napping now.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
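
An added example, not part of any poster's message and not SpamAssassin code: the spamd entries quoted above show a DNSBL lookup answered with 208.67.219.40, whereas DNSBL zones conventionally answer listed names with addresses inside 127.0.0.0/8. The Python below parses such "bogus rr" entries and groups the non-127/8 answers by address, so a resolver that hands the same address back for unrelated lookups stands out; the third log entry, its rule name and its zone are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# The two spamd entries quoted in the thread (wrapped as mailed), followed by
# one constructed entry that uses a documentation address (192.0.2.1).
SAMPLE_LOG = """\
Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for
domain=spamhaus.org, rule=URIBL_XS_SURBL, id=8876
rr=spamhaus.org.xs.surbl.org. 1 IN A 208.67.219.40
at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 626.
Sep  1 21:51:25 localhost spamd[10939]: uridnsbl: bogus rr for
domain=otwaloow.com, rule=URIBL_XS_SURBL, id=8880
rr=otwaloow.com.xs.surbl.org. 1 IN A 208.67.219.40
at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 626.
Sep  1 21:53:02 localhost spamd[10939]: uridnsbl: bogus rr for
domain=example.net, rule=URIBL_EXAMPLE, id=8891
rr=example.net.dnsbl.example. 1 IN A 192.0.2.1
at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 626.
"""

BOGUS_RR = re.compile(
    r"uridnsbl: bogus rr for domain=(?P<domain>[^,\s]+), rule=(?P<rule>[^,\s]+), "
    r"id=\d+ rr=(?P<name>\S+) \d+ IN A (?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
)
DNSBL_NET = ipaddress.ip_network("127.0.0.0/8")


def parse_bogus_rr(log_text):
    """Return one dict per 'bogus rr' entry, tolerating wrapped lines."""
    flat = re.sub(r"\s+", " ", log_text)  # undo mail/syslog line wrapping
    return [m.groupdict() for m in BOGUS_RR.finditer(flat)]


def rewritten_answers(records, min_names=2):
    """Map each non-127/8 address to the query names it was returned for,
    keeping only addresses seen for at least min_names distinct names."""
    by_addr = defaultdict(set)
    for rec in records:
        if ipaddress.ip_address(rec["addr"]) not in DNSBL_NET:
            by_addr[rec["addr"]].add(rec["name"])
    return {a: sorted(n) for a, n in by_addr.items() if len(n) >= min_names}


if __name__ == "__main__":
    for addr, names in rewritten_answers(parse_bogus_rr(SAMPLE_LOG)).items():
        print(f"{addr} returned for {len(names)} unrelated names: {names}")
```
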



moving the bayesian database and auto whitelist to a new server?

2006-09-02 Thread Nick Rout
I am moving my email to a new server. How do I ensure that the procmail 
Bayesian database and auto whitelist for each user is moved too?

Should I just copy ~/.spamassassin/* for each user?

Here are the contents of my ~/.spamassassin/

[EMAIL PROTECTED] ~/.spamassassin $ ls -l
total 37636
-rw-------  1 nick users 5386240 Sep  2 19:16 auto-whitelist
-rw-------  2 nick users 7107377 Jan 11  2005 auto-whitelist.dir
-rw-------  2 nick users 7107377 Jan 11  2005 auto-whitelist.pag
-rw-------  1 nick users     105 Jan 10  2005 bayes.lock.www.rout.co.nz.11956
-rw-------  1 nick users   73344 Sep  2 19:16 bayes_journal
-rw-------  1 nick users 5472256 Sep  2 17:49 bayes_seen
-rw-------  1 nick users 5410816 Sep  2 17:49 bayes_toks
-rw-r--r--  1 nick users 5206016 Jan 10  2005 old_bayes_seen
-rw-r--r--  1 nick users 5206016 Jan 10  2005 old_bayes_toks
-rw-r--r--  1 nick users  344064 Jan 10  2005 old_bayes_toks.new
-rw-r--r--  1 nick users    1165 Feb  9  2004 user_prefs