Re: Spam levels up or down?

2006-09-03 Thread Nigel Frankcom
On Sat, 2 Sep 2006 22:13:28 -0400, David Cary Hart
[EMAIL PROTECTED] wrote:

On Sat, 02 Sep 2006 02:28:14 -0800, John Andersen
[EMAIL PROTECTED] opined:
 The Register is running an article saying spam is back up to 81% of
 all email traffic due to newer versions of the Mocbot worm.
 
 If anything, my traffic has been less of late, and almost
 non-existent since I installed 3.1.5.
 
 http://www.theregister.com/2006/08/23/mocbot_worm_zombie_surge/

http://tqmcube.com/tide.php

That tallies with what we're seeing. I guess jdow is 'in luck' at the
moment. When I get a spare day or so I'll upgrade my charting to be a
little more informative; I may even see about pulling in the other
network stats and see how they look combined. For now the numbers tend to
speak for themselves.

Nigel


Re: Re: Spam levels up or down?

2006-09-03 Thread Nigel Frankcom
On Sat, 2 Sep 2006 10:25:40 -0700 (PDT), John D. Hardin
[EMAIL PROTECTED] wrote:

On Sat, 2 Sep 2006, jdow wrote:

 Hm, I have a suspicion that the spam is being targeted quite
 differently then. Until the end of June I used to get about 250 to
 300 spams a day. I am down to 90 to 150 per day now. It's unreal.
 Note that I am quite sincerely pleased by this development.

...you think maybe they are listwashing SA list members?

I don't think so, very little of the spam is aimed at my address as
published on the SA list (cue a flood) :-D


Re: Spam levels up or down?

2006-09-03 Thread John Andersen
On Sunday 03 September 2006 01:03, Nigel Frankcom wrote:
 On Sat, 2 Sep 2006 10:25:40 -0700 (PDT), John D. Hardin

 [EMAIL PROTECTED] wrote:
 On Sat, 2 Sep 2006, jdow wrote:
  Hm, I have a suspicion that the spam is being targeted quite
  differently then. Until the end of June I used to get about 250 to
  300 spams a day. I am down to 90 to 150 per day now. It's unreal.
  Note that I am quite sincerely pleased by this development.
 
 ...you think maybe they are listwashing SA list members?

 I don't think so, very little of the spam is aimed at my address as
 published on the SA list (cue a flood) :-D

Er, but wouldn't THAT be suggestive of ListWashing?

-- 
_
John Andersen




Re: OS X Server spam still getting through :-(

2006-09-03 Thread mikemacfr

OK, but isn't spamd the settings file for spamassassin?
How does spamassassin know how to work if spamd is not used when amavis is
doing the routing?

And if spamassassin is still the anti-spammer, where do I tell it that it's
not doing its job properly?

Thanks by the way for all the feedback so far. It's really encouraging to
see people engaged and trying to help.

Mike


John Andersen wrote:
 
 On Saturday 02 September 2006 15:18, mikemacfr wrote:
 I'm a bit confused?

 I thought amavis was the virus scanner bit? And spamassassin took care of
 the spam bit?
 
 Amavis is a router, sort of.
 
 It takes mail from your MTA, sends it through one or more engines
 (spamassassin, antivirus, and some other more rarely used options) and
 then (optionally) hands it back to your MTA for delivery via yet another
 engine: procmail, cyrus, etc.
 
 It's glue-ware.
 -- 
 _
 John Andersen
 
 




Re: Spam levels up or down?

2006-09-03 Thread Nigel Frankcom
On Sun, 03 Sep 2006 01:10:25 -0800, John Andersen [EMAIL PROTECTED]
wrote:

On Sunday 03 September 2006 01:03, Nigel Frankcom wrote:
 On Sat, 2 Sep 2006 10:25:40 -0700 (PDT), John D. Hardin

 [EMAIL PROTECTED] wrote:
 On Sat, 2 Sep 2006, jdow wrote:
  Hm, I have a suspicion that the spam is being targeted quite
  differently then. Until the end of June I used to get about 250 to
  300 spams a day. I am down to 90 to 150 per day now. It's unreal.
  Note that I am quite sincerely pleased by this development.
 
 ...you think maybe they are listwashing SA list members?

 I don't think so, very little of the spam is aimed at my address as
 published on the SA list (cue a flood) :-D

Er, but wouldn't THAT be suggestive of ListWashing?

Having now read up on listwashing, yes it's feasible. Perhaps I should
get some of my worst hit users to post here :-D


Re: OS X Server spam still getting through :-(

2006-09-03 Thread mikemacfr

John, I was just in on your post about spam levels.

Do these stats from our server give you (or anyone else) any clue about
what's causing spam to get through?

http://65.170.183.59:16080/amavis-stats/


Mike


John Andersen wrote:
 
 On Saturday 02 September 2006 15:18, mikemacfr wrote:
 I'm a bit confused?

 I thought amavis was the virus scanner bit? And spamassassin took care of
 the spam bit?
 
 Amavis is a router, sort of.
 
 It takes mail from your MTA, sends it through one or more engines
 (spamassassin, antivirus, and some other more rarely used options) and
 then (optionally) hands it back to your MTA for delivery via yet another
 engine: procmail, cyrus, etc.
 
 It's glue-ware.
 -- 
 _
 John Andersen
 
 




Re: Spam levels up or down?

2006-09-03 Thread Justin Mason

John Andersen writes:
 On Sunday 03 September 2006 01:03, Nigel Frankcom wrote:
  On Sat, 2 Sep 2006 10:25:40 -0700 (PDT), John D. Hardin
 
  [EMAIL PROTECTED] wrote:
  On Sat, 2 Sep 2006, jdow wrote:
   Hm, I have a suspicion that the spam is being targeted quite
   differently then. Until the end of June I used to get about 250 to
   300 spams a day. I am down to 90 to 150 per day now. It's unreal.
   Note that I am quite sincerely pleased by this development.
  
  ...you think maybe they are listwashing SA list members?
 
  I don't think so, very little of the spam is aimed at my address as
  published on the SA list (cue a flood) :-D
 
 Er, but wouldn't THAT be suggestive of ListWashing?

One thing I have noticed over time is that there can be major differences
in spam levels for different addresses and different sites, even without
list-washing.

I think this is indicative that there are a smaller number of spam
controlling groups controlling spam targeting and volume, but operating
with huge bot armies -- so when one decides to stop spamming a particular
site (due to spamtrap fears, for example), that can cause a huge
reduction for that site.

--j.


Re: Spam levels up or down?

2006-09-03 Thread jdow

From: Nigel Frankcom [EMAIL PROTECTED]
On Sun, 03 Sep 2006 01:10:25 -0800, John Andersen [EMAIL PROTECTED]
wrote:


On Sunday 03 September 2006 01:03, Nigel Frankcom wrote:

On Sat, 2 Sep 2006 10:25:40 -0700 (PDT), John D. Hardin

[EMAIL PROTECTED] wrote:
On Sat, 2 Sep 2006, jdow wrote:
 Hm, I have a suspicion that the spam is being targeted quite
 differently then. Until the end of June I used to get about 250 to
 300 spams a day. I am down to 90 to 150 per day now. It's unreal.
 Note that I am quite sincerely pleased by this development.

...you think maybe they are listwashing SA list members?

I don't think so, very little of the spam is aimed at my address as
published on the SA list (cue a flood) :-D


Er, but wouldn't THAT be suggestive of ListWashing?


Having now read up on listwashing, yes it's feasible. Perhaps I should
get some of my worst hit users to post here :-D


jdow At least one noted spammer seems to read this list or get
at least indirect word about it. I taunted him on the list about his
spams not quite reaching 100 points on small scores. Within a week I
got some 100 point on small score spams. Then he got back to business
instead of silliness. So did I.

{^_^}


Re: Spam levels up or down?

2006-09-03 Thread Nigel Frankcom
On Sun, 3 Sep 2006 04:22:07 -0700, jdow [EMAIL PROTECTED] wrote:

From: Nigel Frankcom [EMAIL PROTECTED]
On Sun, 03 Sep 2006 01:10:25 -0800, John Andersen [EMAIL PROTECTED]
wrote:

On Sunday 03 September 2006 01:03, Nigel Frankcom wrote:
 On Sat, 2 Sep 2006 10:25:40 -0700 (PDT), John D. Hardin

 [EMAIL PROTECTED] wrote:
 On Sat, 2 Sep 2006, jdow wrote:
  Hm, I have a suspicion that the spam is being targeted quite
  differently then. Until the end of June I used to get about 250 to
  300 spams a day. I am down to 90 to 150 per day now. It's unreal.
  Note that I am quite sincerely pleased by this development.
 
 ...you think maybe they are listwashing SA list members?

 I don't think so, very little of the spam is aimed at my address as
 published on the SA list (cue a flood) :-D

Er, but wouldn't THAT be suggestive of ListWashing?

Having now read up on listwashing, yes it's feasible. Perhaps I should
get some of my worst hit users to post here :-D


jdow At least one noted spammer seems to read this list or get
at least indirect word about it. I taunted him on the list about his
spams not quite reaching 100 points on small scores. Within a week I
got some 100 point on small score spams. Then he got back to business
instead of silliness. So did I.

{^_^}

/me chuckles; that brings to mind poking rattlesnakes with sharp
pointy sticks; admittedly it'd be more fun poking the spammers with
sharp pointy sticks, but that's another sport entirely; it may even be
classed as public service or perhaps even pest control  :-D


Live Messenger Invitation with forged Received header?

2006-09-03 Thread Andreas Pettersson
I need some help with understanding why some of the below rules 
triggered on these headers..



Received: from baym-sm1.msgr.hotmail.com ([207.46.1.190])
   by mail.mydomain.com with esmtp
   (envelope-from [EMAIL PROTECTED])
   id 1GJcP7-00063q-JH
   for [EMAIL PROTECTED]; Sat, 02 Sep 2006 22:47:53 +0200
Received: from mail pickup service by baym-sm1.msgr.hotmail.com with 
Microsoft SMTPSVC;

Sat, 2 Sep 2006 13:47:45 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; 
boundary=_=_NextPart_001_2QAIHCIKEOG.9E6CG57B

Date: Sat, 02 Sep 2006 13:41:39 Pacific Daylight Time
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-MSMessengerInvitationMailTemplateVersion: 2.9.12.5.0.02
Message-ID: [EMAIL PROTECTED]

   2.2 INVALID_DATE        Invalid Date: header (not RFC 2822)
   0.8 DATE_IN_PAST_06_12  Date: is 6 to 12 hours before Received: date
   2.3 FORGED_HOTMAIL_RCVD Forged hotmail.com 'Received:' header found
   0.3 MIME_BOUND_NEXTPART Spam tool pattern in MIME boundary


Why does SA 3.1.3 think that the hotmail.com Received header is forged? 
As far as I can see it seems alright..
Pacific Daylight Time is perhaps not the right way to describe the 
timezone, or is it?

And Spam tool pattern in MIME boundary, what's that by the way?


Regards,
Andreas



Re: OS X Server spam still getting through :-(

2006-09-03 Thread Loren Wilton

OK, but isn't spamd the settings file for spamassassin?
How does spamassassin know how to work if spamd is not used when amavis is
doing the routing?

And if spamassassin is still the anti-spammer, where do I tell it that it's
not doing its job properly?

SA is a really big bunch of perl modules that process one mail message at a 
time.


spamassassin is simply a perl wrapper script that will cause all of these 
modules to come into existence and filter exactly one message.


Amavis-New, and several other tools, are also either written in perl or can 
call perl modules directly.  So what Amavis-New does is it internally 
instantiates all of the perl modules that comprise the guts of spamassassin. 
It then takes a mail message, hands it to the SA modules, tells the modules 
to do their thing, and then pulls the result back out of the modules.  It 
looks at the result (spam/not spam and the hit level), compares that to 
Amavis' internal setting for spam level, and based on that decides whether to 
send the original message through and discard the SA result, or whether to 
discard the original and use the SA result.


Now, instantiating all of the perl modules that make up SA is a 
resource-consuming activity, and if you have a lot of mail it will eat your 
server alive.  So spamc and spamd came into existence. Spamd is a perl 
script that instantiates an instance of SA as a server of sorts.  You can 
pass it a mail message, it will process it and return the results to you. 
But it keeps the SA instance around to process another message, just like 
Amavis is doing internally.  Spamc is the client that passes a mail message 
to spamd and gets the results back.


The end result in this case is you would either be using spamc/spamd, or you 
would be using Amavis-New, but typically not both.  In either case you are 
using the perl modules that comprise SA, but they are instantiated in 
different processes.


SA uses a number of configuration files, and they can live in several 
places.  There are two main default locations, but these locations can be 
overridden by passing paths to SA when it is instantiated.


These locations contain a number of *.cf files and several *.pre files. 
There might also be some user_prefs files around.


Most of the pre and cf files are part of the SA install and contain the 
stock rules and settings.  There is local.cf and possibly some others that 
contain the local tuning settings.  Typically when installing SA you need to 
look at the *.pre files that contain LoadPlugin lines, and make sure that 
the ones you want are uncommented.  Many tests will be disabled if the 
plugins that implement them are commented out.  Then you also need to set up 
some basic configuration in local.cf.


That will configure SA itself.  As you have already found though, Amavis 
itself has some configuration lines that ALSO control how SA will work in 
that environment.  I suspect many of these options are equivalent to the 
command line options on spamd.


So the long answer to your question is there are several places to look. 
The main ones will be local.cf, *.pre, and whatever settings Amavis has.


   Loren
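The spamc/spamd path Loren describes is a small line-oriented protocol: the client sends a verb plus a Content-length header and the raw message, and spamd answers with a status line and a verdict. The following is an added example, not SpamAssassin's own spamc; it follows the spamd wire protocol as I know it (SPAMC/1.5 requests, SPAMD/1.x responses) and covers CHECK, which Loren describes, and TELL, the learning request raised later in the thread. The sample message and the canned spamd response are constructed; only check_via_spamd() needs a running spamd.

```python
"""spamc-style client for the spamd path: build CHECK/TELL requests, parse the
SPAMD/1.x reply.  Added example, not the project's spamc."""
import re
import socket

SPAMD_HOST, SPAMD_PORT = "127.0.0.1", 783   # spamd's default listening port


def _encode_request(verb, message, extra_headers=()):
    body = message if isinstance(message, bytes) else message.encode("utf-8")
    lines = [b"%s SPAMC/1.5" % verb, b"Content-length: %d" % len(body)]
    lines.extend(h.encode("ascii") for h in extra_headers)
    # Header block, blank line, then the raw RFC 822 message.
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def build_check_request(message, user=None):
    """CHECK: ask spamd for verdict and score without getting the message back.
    The optional User: header selects whose user_prefs/Bayes db spamd uses."""
    return _encode_request(b"CHECK", message, [f"User: {user}"] if user else [])


def build_tell_request(message, message_class, remote=False):
    """TELL: learn the message as spam or ham.  'Set: local' updates the Bayes
    db (what sa-learn does); 'Set: local,remote' also reports the message to
    the network services spamd has configured."""
    if message_class not in ("spam", "ham"):
        raise ValueError("message_class must be 'spam' or 'ham'")
    targets = "local,remote" if remote else "local"
    return _encode_request(b"TELL", message,
                           [f"Message-class: {message_class}", f"Set: {targets}"])


_STATUS = re.compile(rb"^SPAMD/(?P<ver>\d+\.\d+) (?P<code>\d+) (?P<text>\S+)")
_VERDICT = re.compile(rb"^Spam:\s*(?P<flag>True|False|Yes|No)\s*;\s*"
                      rb"(?P<score>-?\d+(?:\.\d+)?)\s*/\s*(?P<threshold>-?\d+(?:\.\d+)?)",
                      re.M)


def parse_spamd_response(raw):
    """Parse the status line plus the 'Spam: flag ; score / threshold' header
    of a CHECK reply, or the DidSet: header of a TELL reply."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    st = _STATUS.match(head)
    if st is None:
        raise ValueError("not a spamd response: %r" % head[:40])
    if st["code"] != b"0":      # non-zero codes are EX_* failures, e.g. EX_NOHOST
        raise RuntimeError("spamd error %s %s" % (st["code"].decode(),
                                                  st["text"].decode()))
    result = {"protocol": st["ver"].decode()}
    v = _VERDICT.search(head)
    if v:
        result.update(is_spam=v["flag"] in (b"True", b"Yes"),
                      score=float(v["score"]), threshold=float(v["threshold"]))
    ds = re.search(rb"^DidSet:\s*(.+?)\s*$", head, re.M)
    if ds:
        result["did_set"] = ds[1].decode().split(",")
    return result


def check_via_spamd(message, host=SPAMD_HOST, port=SPAMD_PORT, timeout=10.0):
    """Send one message to spamd and return the parsed verdict (needs live spamd)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_check_request(message))
        sock.shutdown(socket.SHUT_WR)        # tell spamd the request is complete
        chunks = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_spamd_response(b"".join(chunks))


# Constructed sample: a tiny message and the reply spamd would send for it.
SAMPLE_MESSAGE = "From: a@example.com\r\nSubject: test\r\n\r\nhello\r\n"
SAMPLE_RESPONSE = b"SPAMD/1.1 0 EX_OK\r\nSpam: True ; 11.4 / 5.0\r\n\r\n"

if __name__ == "__main__":
    print(build_check_request(SAMPLE_MESSAGE, user="amavis").decode())
    print(parse_spamd_response(SAMPLE_RESPONSE))
```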



Re: OS X Server spam still getting through :-(

2006-09-03 Thread Loren Wilton
Do these stats from our server give you (or anyone else) any clue about
what's causing spam to get through?

http://65.170.183.59:16080/amavis-stats/


This can only be a guess without more data.  However it is obvious your mail 
volume is up greatly in the past two months, and the spam detection rate is 
also down.


Now your previous volume indicates that something like 80% of the mail is 
ham.  I don't know if that is true, or if SA has been missing 50% of the 
spam all along.  In any case SA is now only catching about 50% of what it 
was before, and probably a bunch of that increased mail volume is also spam.


Assuming no other system changes, this tells me that the makeup of the spam 
has changed and your SA hasn't kept up with those changes.


The two major changes in spam recently have been a huge increase in stock 
spams, and a huge increase in image spams, most of which are also stock 
spams.  The stock SA rules aren't real good at catching either of these.


Some addon rulesets from www.rulesemporium.com will catch a good many of the 
stock (and other) spams quite well.  There is a new OCR plugin for SA, 
FuzzyOCR, that is still somewhat experimental, but the few dozen people 
using it are really happy with the results for the most part.  It is a 
little bit of work to install because it requires a number of pieces to 
work.  The rulesemporium rules are easy to install.


You might also have some other problems with your configuration and trust 
paths that could really be hurting SA's detection rate.  We can't tell that 
without seeing some actual hit information from a few mails that made it 
through.


   Loren



Re: Live Messenger Invitation with forged Received header?

2006-09-03 Thread jdow

From: Andreas Pettersson [EMAIL PROTECTED]
I need some help with understanding why some of the below rules 
triggered on these headers..



Received: from baym-sm1.msgr.hotmail.com ([207.46.1.190])
   by mail.mydomain.com with esmtp
   (envelope-from [EMAIL PROTECTED])
   id 1GJcP7-00063q-JH
   for [EMAIL PROTECTED]; Sat, 02 Sep 2006 22:47:53 +0200
Received: from mail pickup service by baym-sm1.msgr.hotmail.com with 
Microsoft SMTPSVC;

Sat, 2 Sep 2006 13:47:45 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; 
boundary=_=_NextPart_001_2QAIHCIKEOG.9E6CG57B

Date: Sat, 02 Sep 2006 13:41:39 Pacific Daylight Time
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
X-MSMessengerInvitationMailTemplateVersion: 2.9.12.5.0.02
Message-ID: [EMAIL PROTECTED]

   2.2 INVALID_DATE        Invalid Date: header (not RFC 2822)
   0.8 DATE_IN_PAST_06_12  Date: is 6 to 12 hours before Received: date
   2.3 FORGED_HOTMAIL_RCVD Forged hotmail.com 'Received:' header found
   0.3 MIME_BOUND_NEXTPART Spam tool pattern in MIME boundary


Why does SA 3.1.3 think that the hotmail.com Received header is forged? 
As far as I can see it seems alright..
Pacific Daylight Time is perhaps not the right way to describe the 
timezone, or is it?


It is not. And the bad date format is usually a very good spamsign.
Somebody ought to beat them about the virtual head and shoulders to
get it fixed. Of course, if they don't care about the issue why should
we care about them?


And Spam tool pattern in MIME boundary, what's that by the way?


A MIME boundary declaration that is in a format that is typically
spam. Maybe they used a spam engine to send their invitations?

{^_^}
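To see why both INVALID_DATE and DATE_IN_PAST_06_12 fired on Andreas' message, here is an added example (not SpamAssassin's own code) that checks a Date: header against the RFC 2822 grammar and then does the date arithmetic in the way the hits are consistent with: an unrecognised zone name is dropped and the timestamp is read as UTC, which puts 13:41:39 "Pacific Daylight Time" about seven hours behind the 22:47:53 +0200 Received: stamp. The UTC fallback is an assumption about SA's parser, and the sample headers are those from the thread with the addresses left out.

```python
"""Reconstruct the INVALID_DATE and DATE_IN_PAST_06_12 hits from the thread.
Added example; the UTC fallback for unknown zones is an assumption."""
import re
from datetime import datetime, timedelta, timezone

_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# Zone names RFC 2822 section 4.3 still accepts (obsolete syntax), in hours.
_OBS_ZONES = {"UT": 0, "GMT": 0, "EST": -5, "EDT": -4, "CST": -6, "CDT": -5,
              "MST": -7, "MDT": -6, "PST": -8, "PDT": -7}

# Strict RFC 2822 date-time: [day-of-week ","] day month year HH:MM[:SS] zone
_STRICT = re.compile(
    r"^\s*(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s*)?"
    r"(?P<day>\d{1,2})\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<year>\d{4})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2})(?::(?P<s>\d{2}))?\s+"
    r"(?P<zone>[+-]\d{4}|UT|GMT|[ECMP][SD]T)\s*$")
# Lenient form: take the date and time and ignore whatever follows them.
_LENIENT = re.compile(
    r"(?P<day>\d{1,2})\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<year>\d{4})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2})(?::(?P<s>\d{2}))?")


def _zone_offset(zone):
    if zone[0] in "+-":
        sign = 1 if zone[0] == "+" else -1
        return sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
    return timedelta(hours=_OBS_ZONES[zone])


def parse_date(header):
    """Return (datetime in UTC, is_rfc2822_valid).

    Assumption: when the zone is not one RFC 2822 allows, the timestamp is
    still used but treated as UTC, so the header scores INVALID_DATE *and*
    the date arithmetic is off by the real offset (7 hours for PDT).
    """
    m = _STRICT.match(header)
    valid = m is not None
    if m is None:
        m = _LENIENT.search(header)
    if m is None or m["mon"] not in _MONTHS:
        return None, False
    naive = datetime(int(m["year"]), _MONTHS[m["mon"]], int(m["day"]),
                     int(m["h"]), int(m["m"]), int(m["s"] or 0))
    offset = _zone_offset(m["zone"]) if valid else timedelta(0)
    # Local time minus its offset is UTC: 22:47:53 +0200 -> 20:47:53Z
    return naive.replace(tzinfo=timezone.utc) - offset, valid


def received_date(received_header):
    """The date stamp of a Received: header is whatever follows the last ';'."""
    return received_header.rsplit(";", 1)[-1].strip()


def hours_in_past(date_header, received_header):
    """How many hours the Date: header lies behind the Received: stamp."""
    sent, _ = parse_date(date_header)
    arrived, _ = parse_date(received_date(received_header))
    if sent is None or arrived is None:
        return None
    return (arrived - sent).total_seconds() / 3600


def rule_hits(date_header, received_header):
    """Names of the two date rules from the thread that this pair triggers."""
    hits = []
    if not parse_date(date_header)[1]:
        hits.append("INVALID_DATE")
    hours = hours_in_past(date_header, received_header)
    if hours is not None and 6 <= hours < 12:
        hits.append("DATE_IN_PAST_06_12")
    return hits


# Headers from the thread, addresses left out; GOOD_DATE is what the sender
# should have emitted for the same instant.
RECEIVED = ("from baym-sm1.msgr.hotmail.com ([207.46.1.190]) by mail.mydomain.com "
            "with esmtp id 1GJcP7-00063q-JH for x; Sat, 02 Sep 2006 22:47:53 +0200")
BAD_DATE = "Sat, 02 Sep 2006 13:41:39 Pacific Daylight Time"
GOOD_DATE = "Sat, 02 Sep 2006 13:41:39 -0700"

if __name__ == "__main__":
    for d in (BAD_DATE, GOOD_DATE):
        print(d, "->", round(hours_in_past(d, RECEIVED), 2), "h", rule_hits(d, RECEIVED))
```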


RE: Running on Debian stable

2006-09-03 Thread Miles Fidelman

Hi Folks,

Just came across this thread in the archives, and I have the same basic 
question re. upgrading to a newer version of spamassassin on Debian stable.


But... unlike Raymond Wan, I'm accessing spamassassin with postfix and 
amavisd-new.  The current install is already set up to run razor, pyzor, 
and dcc.


So... from previous messages, I've gathered that the basic upgrade 
approach is to do:

apt-get -t sarge-backports install spamassassin
(unless I want to get a bit more aggressive and install from cpan).

Is there anything different I need to do or watch out for regarding 
being wired in through amavisd-new - particularly since amavisd manages 
some of the configuration for spamassassin?


What about the wiring/configuration for razor, pyzor, or dcc (new 
registration or anything)?


And.. if I go the cpan route, anything else to watch out for (e.g., does 
it install in different places than the .deb package)?


Thanks very much,

Miles Fidelman




RE: Running on Debian stable

2006-09-03 Thread Gary V

Hi Folks,

Just came across this thread in the archives, and I have the same basic 
question re. upgrading to a newer version of spamassassin on Debian stable.


But... unlike Raymond Wan, I'm accessing spamassassin with postfix and 
amavisd-new.  The current install is already set up to run razor, pyzor, 
and dcc.


So... from previous messages, I've gathered that the basic upgrade approach 
is to do:

apt-get -t sarge-backports install spamassassin
(unless I want to get a bit more aggressive and install from cpan).



You should also be able to install from testing without upgrading libc6 and 
the kernel if you use the correct syntax:


simulate it first:
apt-get -s install spamassassin/testing
then remove -s to install

I like the sarge-backports idea best at this time.

Is there anything different I need to do or watch out for regarding being 
wired in through amavisd-new - particularly since amavisd manages some of 
the configuration for spamassassin?




If you install 3.1.4, you need to patch amavisd-new so it finds new rules 
downloaded via sa-update. No need to do this if you get 3.1.5.


http://www200.pair.com/mecham/spam/p3.txt

What about the wiring/configuration for razor, pyzor, or dcc (new 
registration or anything)?


No changes. Other than after install make sure you edit v310.pre to enable 
needed plugins (the dcc plugin is disabled).




And.. if I go the cpan route, anything else to watch out for (e.g., does it 
install in different places than the .deb package)?


Thanks very much,

Miles Fidelman



I would advise against installing from CPAN or source unless you --purge 
remove spamassassin before you do. This of course would require you to 
completely reconfigure spamassassin (you could of course make copies of 
configuration files and move them out of /etc/spamassassin before you 
begin). Yes, it installs in different places. Mixing installation methods is 
a recipe for problem soup.


Gary V





Blog Blaster spams

2006-09-03 Thread John D. Hardin
Just got a spam for a blog spamming tool named Blog Blaster. It
didn't score high enough to be auto-discarded, so I added some rules.
In case anybody else is interested:


describe BBLAST_01 Blog Blaster
body     BBLAST_01 /Blog\s+Blaster/
score    BBLAST_01 1.00

describe BBLAST_02 Blog Blaster your ad
body     BBLAST_02 /Blog\s+Blaster\s.{0,80}\syour\s+(?:ad|website)/i
score    BBLAST_02 1.00

describe BBLAST_03 Blog Blaster advertising
body     BBLAST_03 /advertis.{0,80}Blog\s+Blaster/i
score    BBLAST_03 1.00

describe BBLAST_04 Blog Blaster volume
body     BBLAST_04 /Blog\s+Blaster\s.{0,80}\s+(?:thousand|million)/i
score    BBLAST_04 1.00

describe BBLAST_H_01 Blog Blaster From
header   BBLAST_H_01 From =~ /blogblast/i
score    BBLAST_H_01 1.00

describe BBLAST_H_02 Blog Blaster Reply-To
header   BBLAST_H_02 Reply-To =~ /blogblast/i
score    BBLAST_H_02 1.00





Re: Running on Debian stable

2006-09-03 Thread Miles Fidelman

Thanks Gary!

Any advantages to installing from testing?  Seems like backports would 
be just a bit safer.


Miles

Gary V wrote:

Hi Folks,

Just came across this thread in the archives, and I have the same 
basic question re. upgrading to a newer version of spamassassin on 
Debian stable.


But... unlike Raymond Wan, I'm accessing spamassassin with postfix 
and amavisd-new.  The current install is already set up to run razor, 
pyzor, and dcc.


So... from previous messages, I've gathered that the basic upgrade 
approach is to do:

apt-get -t sarge-backports install spamassassin
(unless I want to get a bit more aggressive and install from cpan).



You should also be able to install from testing without upgrading 
libc6 and the kernel if you use the correct syntax:


simulate it first:
apt-get -s install spamassassin/testing
then remove -s to install

I like the sarge-backports idea best at this time.

Is there anything different I need to do or watch out for regarding 
being wired in through amavisd-new - particularly since amavisd 
manages some of the configuration for spamassassin?




If you install 3.1.4, you need to patch amavisd-new so it finds new 
rules downloaded via sa-update. No need to do this if you get 3.1.5.


http://www200.pair.com/mecham/spam/p3.txt

What about the wiring/configuration for razor, pyzor, or dcc (new 
registration or anything)?


No changes. Other than after install make sure you edit v310.pre to 
enable needed plugins (the dcc plugin is disabled).




And.. if I go the cpan route, anything else to watch out for (e.g., 
does it install in different places than the .deb package)?


Thanks very much,

Miles Fidelman



I would advise against installing from CPAN or source unless you 
--purge remove spamassassin before you do. This of course would 
require you to completely reconfigure spamassassin (you could of 
course make copies of configuration files and move them out of 
/etc/spamassassin before you begin). Yes, it installs in different 
places. Mixing installation methods is a recipe for problem soup.


Gary V






Re: OS X Server spam still getting through :-(

2006-09-03 Thread John Andersen
On Sunday 03 September 2006 01:14, mikemacfr wrote:
 OK, but isn't spamd the settings file for spamassassin?

No.  


 How does spamassassin know how to work if spamd is not used when amavis is
 doing the routing?
 
Amavis calls spamassassin directly.

Mike, with all due respect, these questions show you have not
read one word of the documentation.

-- 
_
John Andersen




Re: Running on Debian stable

2006-09-03 Thread Bob Proulx
Miles Fidelman wrote:
 Any advantages to installing from testing?  Seems like backports would 
 be just a bit safer.

Since there is a good backport available and maintained there is
really no advantage to pulling in the testing version.  The backport
one would be safer in the sense of being less likely to have your
system get into a confusing state of mismatched packages, in the case
of inadvertently pulling in more than you expected from Testing.

Bob


Re: catching fake usernames?

2006-09-03 Thread mouss

Rick Roe wrote:
I get a lot of spam whose From addresses are users that don't exist on 
my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc). 
I recently set up a scheme to manually blacklist all From addresses on 
my domains and un-blacklist the fifty or so real addresses mail can 
legitimately come from (the system aliases like postmaster, daemon, 
and so forth, and a small handful of real users each with a handful of 
aliases), using blacklist_from and unblacklist_from in the local 
config file.



When you say From addresses, do you mean envelope senders or From headers?

- If envelope senders, configure your MTA to reject such mail. In postfix,
   smtpd_recipient_restrictions =
 ...
 reject_unlisted_sender
 ...
will do. Similar checks are available in other open source MTAs.

- If From headers, then whether to reject at MTA time or not is your 
choice. Purists don't like rejecting based on headers unless they break 
SMTP rules, which is not the case here. With postfix, you'd need a 
policy_service (or a milter) or a proxy_filter (header checks won't help 
as you can't list all invalid addresses).


This is a rather fragile system, though -- anytime I go to add any new 
users or aliases, I'll have to edit my local.cf files to match. My 
user population is rather static, so it's not a big deal, but it seems 
like there should be a simpler, more automatic way to do this. Am I 
missing something?




Write a script to update the rule file, and have it called by your user 
creation tool.
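What mouss suggests, as an added example rather than anything from the thread: a generator that rebuilds Rick's blacklist_from / unblacklist_from block from the account and alias files, so it can be re-run whenever a user or alias is added instead of editing local.cf by hand. The passwd and aliases contents, the domain names and the output path are constructed; the local-part check refuses to emit anything that is not a plain address, so a stray line in an input file cannot turn into an extra SA directive.

```python
"""Generate the blacklist_from/unblacklist_from rules for a site's own domains
from the accounts and aliases that may legitimately send mail.  Added example,
not from the thread; all inputs below are constructed."""
import os
import re
import tempfile

# Constructed stand-ins for /etc/passwd and /etc/aliases.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
rick:x:1000:1000:Rick Roe:/home/rick:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
ALIASES_SAMPLE = """\
# /etc/aliases (constructed)
postmaster: root
abuse: postmaster
daemon: root
rick.roe: rick
sales: alice, rick
"""
LOCAL_DOMAINS = ["example.com", "example.org"]   # constructed

# Only plain local-parts are emitted; anything else aborts the run rather
# than being written into a file SA parses as configuration.
_LOCAL_PART = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def login_accounts(passwd_text, min_uid=1000):
    """Real, interactive accounts (not system users, not nologin shells)."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid >= min_uid and not shell.endswith("nologin"):
            names.append(name)
    return names


def alias_names(aliases_text):
    """Left-hand sides of /etc/aliases: postmaster, abuse, role addresses..."""
    names = []
    for line in aliases_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if ":" in line:
            names.append(line.split(":", 1)[0].strip())
    return names


def render_rules(domains, local_parts):
    """blacklist_from every sender on our domains, then allow the real ones."""
    bad = [lp for lp in local_parts if not _LOCAL_PART.match(lp)]
    if bad:
        raise ValueError("refusing to emit suspicious local-parts: %r" % bad)
    lines = ["# generated file: re-run the generator instead of editing by hand"]
    lines += ["blacklist_from *@%s" % d for d in domains]
    for lp in sorted(set(local_parts)):
        lines += ["unblacklist_from %s@%s" % (lp, d) for d in domains]
    return "\n".join(lines) + "\n"


def generate(passwd_text, aliases_text, domains):
    senders = login_accounts(passwd_text) + alias_names(aliases_text)
    return render_rules(domains, senders)


def write_rules(path, text):
    """Replace the rule file atomically so SA never reads a half-written file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".local_senders.", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Hypothetical target path; SA reads every *.cf in its site rules directory.
    write_rules("/etc/spamassassin/local_senders.cf",
                generate(PASSWD_SAMPLE, ALIASES_SAMPLE, LOCAL_DOMAINS))
```

SA only reads its *.cf files at startup, so the user creation tool should restart or reload spamd (or amavisd-new, which holds its own SA instance) after running this.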




Re: catching fake usernames?

2006-09-03 Thread mouss

John Andersen wrote:

On Wednesday 30 August 2006 21:25, Benny Pedersen wrote:
  

On Thu, August 31, 2006 05:41, Rick Roe wrote:


like there should be a simpler, more automatic way to do this. Am I
missing something?
  

in postfix main.cf

smtpd_reject_unlisted_sender = yes



Won't work if ONE of the recipients is real...

  
OP is talking about _sender_ . so Benny's rule works if OP means 
envelope sender (in contrast to From header).


Re: Running on Debian stable

2006-09-03 Thread Gary V

Miles Fidelman wrote:
 Any advantages to installing from testing?  Seems like backports would
 be just a bit safer.

Since there is a good backport available and maintained there is
really no advantage to pulling in the testing version.  The backport
one would be safer in the sense of being less likely to have your
system get into a confusing state of mismatched packages, in the case
of inadvertently pulling in more than you expected from Testing.

Bob


I agree. The only advantage as of today is sarge-backports is at 3.1.3 and 
test/unstable is at 3.1.4. Hopefully that will not be the case for long, and 
when sarge-backports gets a little more up to date, upgrading from this 
point is trivial.


Gary V





Re: Running on Debian stable

2006-09-03 Thread Jules M

Am 04.09.2006 um 01:51 schrieb Gary V:


Since there is a good backport available and maintained there is
really no advantage to pulling in the testing version.  The backport
one would be safer in the sense of being less likely to have your
system get into a confusing state of mismatched packages, in the case
of inadvertently pulling in more than you expected from Testing.

Bob


I agree. The only advantage as of today is sarge-backports is at 
3.1.3 and test/unstable is at 3.1.4. Hopefully that will not be the 
case for long, and when sarge-backports gets a little more up to 
date, upgrading from this point is trivial.


Gary V


Debian Volatile Sloppy repository happily serves a SA 3.1.4 .deb + spamc.
The package is a backport aimed at Sarge, so the upgrade is trivial.
see:
http://www.debian.org/devel/debian-volatile/
for volatile policy.

http://www.debian.org/devel/debian-volatile/volatile-mirrors
for a mirror near you.

Do some apt-pinning to integrate.

Jules



Re: Running on Debian stable

2006-09-03 Thread Gary V
I agree. The only advantage as of today is sarge-backports is at 3.1.3 
and test/unstable is at 3.1.4. Hopefully that will not be the case for 
long, and when sarge-backports gets a little more up to date, upgrading 
from this point is trivial.


Gary V


Debian Volatile Sloppy repository happily serves a SA 3.1.4 .deb + spamc.
The package is a backport aimed at Sarge, so the upgrade is trivial.
see:
http://www.debian.org/devel/debian-volatile/
for volatile policy.

http://www.debian.org/devel/debian-volatile/volatile-mirrors
for a mirror near you.

Do some apt-pinning to integrate.

Jules



But doesn't the name Volatile Sloppy give you pause, as it does me? :)
That's almost like saying we're not even sure if it's spamassassin you would 
be getting... lol

or maybe: Let's let Mikey try it. He'll eat anything.

In reality, for spamassassin it's probably just as stable as anything else. 
Sloppy looks pretty much like the same concept as unstable, but built for 
use with stable.


I do use clamav from volatile myself however, without pause.

Gary V





problem with ImageInfo

2006-09-03 Thread printer
hi,
I placed 70_imageinfo.cf in the spamassassin directory and got the error 
message of:
failed to create instance of plugin Mail::SpamAssassin::Plugin::ImageInfo: 
Can't locate object method new via package 
Mail::SpamAssassin::Plugin::ImageInfo (perhaps you forgot to load 
Mail::SpamAssassin::Plugin::ImageInfo?) at (eval 183) line 1.


So I put the ImageInfo.pm file in the spamassassin directory and made sure that 
in the init.pre I have 
  loadplugin Mail::SpamAssassin::Plugin::ImageInfo

But then I got a slew of error messages, such as:
[20537] warn: Subroutine new redefined at /etc/mail/spamassassin/ImageInfo.pm 
line 68.
[20537] warn: Subroutine _get_images redefined at 
/etc/mail/spamassassin/ImageInfo.pm line 193.
[20537] warn: Subroutine image_named redefined at 
/etc/mail/spamassassin/ImageInfo.pm line 230.
[20537] warn: Subroutine image_count redefined at 
/etc/mail/spamassassin/ImageInfo.pm line 246.
[20537] warn: Subroutine pixel_coverage redefined at 
/etc/mail/spamassassin/ImageInfo.pm line 262.
[20537] warn: Subroutine image_to_text_ratio redefined at 
/etc/mail/spamassassin/ImageInfo.pm line 278.
[20537] warn: Subroutine image_size_exact redefined at 
/etc/mail/spamassassin/ImageInfo.pm line 300.
[20537] warn: Subroutine image_size_range redefined at 
/etc/mail/spamassassin/ImageInfo.pm line 316.
[20537] warn: Subroutine result_check redefined at 
/etc/mail/spamassassin/ImageInfo.pm line 344.

What am I doing wrong?





Re: Running on Debian stable

2006-09-03 Thread Miles Fidelman

Hi Folks,

So far, so good - thanks for all the input!

I did the basic upgrade from backports, reloaded amavis and postfix, and 
all seems to be working just fine (note that I discovered that I also 
had to upgrade spamc, separately, from backports).


One follow-up question:

Gary V wrote:
If you install 3.1.4, you need to patch amavisd-new so it finds new 
rules downloaded via sa-update. No need to do this if you get 3.1.5


http://www200.pair.com/mecham/spam/p3.txt
Looks like backports is only at 3.1.3, and the directions at 
http://www200.pair.com/mecham/spam/p3.txt are just a bit sparse.


Can anyone provide just a little more advice - specifically vis-a-vis 3.1.3?

Thanks again,

Miles



Sa-learn --ham vs spamassassin -report

2006-09-03 Thread Michael Scheidell
I am working on a program that accepts spamassassin 'TELL' (learning)
reports (see the new 'spamassassin coach' for Outlook and Thunderbird).

Sa coach sends the stream to spamd with the 'TELL' protocol.
It then calls the equivalent of 'spamassassin -r' (for spam), '-z' (for
ham) or '-f' (for forget).

Do I need to call sa-learn --ham and sa-learn --spam also?

If I call sa-learn --ham or --spam INSTEAD OF, I lose the ability to
report to DCC, razor, spamcop, pyzor, etc.

So, is spamassassin -r a superset of sa-learn --spam? Or do I need to
run them both to get the local Bayesian table updated?

It looks like spamassassin -r touches the Bayesian files, but doesn't
update them:
(Thanks to Gary V for looking at this for me)

Also, my program does change user to amavis (reported via top and
ps aux, and verified by ownership of the files it creates), but it still
tries to use /root/.spamassassin/user_prefs (which it can't create as
user amavis! And I needed to start the program as root to use port 783). I
use spamassassin -xr and it doesn't try to create /root/.spamassassin.


sfa:~# ls -l /var/lib/amavis/.spamassassin/
total 40
-rwxr-x---  1 amavis amavis 12288 2006-08-19 20:51 auto-whitelist
-rw-rw-rw-  1 amavis amavis    12 2006-08-27 12:18 bayes.mutex
-rw-------  1 amavis amavis 12288 2006-08-26 18:18 bayes_seen
-rw-------  1 amavis amavis 12288 2006-08-27 12:18 bayes_toks
-rwxr-x---  1 amavis amavis  1487 2006-08-19 20:51 user_prefs

sfa:~# su amavis -c 'spamassassin -r < email.txt'
[2762] warn: reporter: SpamCop message older than 2 days, not reporting
1 message(s) examined.

sfa:~# ls -l /var/lib/amavis/.spamassassin/
total 40
-rwxr-x---  1 amavis amavis 12288 2006-08-19 20:51 auto-whitelist
-rw-rw-rw-  1 amavis amavis    12 2006-09-03 10:52 bayes.mutex
-rw-------  1 amavis amavis 12288 2006-09-03 10:51 bayes_seen
-rw-------  1 amavis amavis 12288 2006-09-03 10:51 bayes_toks
-rwxr-x---  1 amavis amavis  1487 2006-08-19 20:51 user_prefs

sfa:~# su amavis -c 'sa-learn --spam < email.txt'
Learned tokens from 1 message(s) (1 message(s) examined)

sfa:~# ls -l /var/lib/amavis/.spamassassin/
total 52
-rwxr-x---  1 amavis amavis 12288 2006-08-19 20:51 auto-whitelist
-rw-rw-rw-  1 amavis amavis    15 2006-09-03 10:53 bayes.mutex
-rw-------  1 amavis amavis 12288 2006-09-03 10:53 bayes_seen
-rw-------  1 amavis amavis 24576 2006-09-03 10:53 bayes_toks
-rwxr-x---  1 amavis amavis  1487 2006-08-19 20:51 user_prefs

Looks like spamassassin -r is needed to report spam, but sa-learn --spam
is needed to train the Bayesian filters?


-- 
Michael Scheidell, CTO
SECNAP Network Security
561-999-5000 x 1131
www.secnap.com


Re: Running on Debian stable

2006-09-03 Thread Gary V

Hi Folks,

So far, so good - thanks for all the input!

I did the basic upgrade from backports, reloaded amavis and postfix, and 
all seems to be working just fine (note that I discovered that I also had 
to upgrade spamc, separately, from backports).


One follow-up question:

Gary V wrote:
If you install 3.1.4, you need to patch amavisd-new so it finds new rules 
downloaded via sa-update. No need to do this if you get 3.1.5


http://www200.pair.com/mecham/spam/p3.txt
Looks like backports is only at 3.1.3, and the directions at 
http://www200.pair.com/mecham/spam/p3.txt are just a bit sparse.


Can anyone provide just a little more advice - specifically vis-a-vis 
3.1.3?


Thanks again,

Miles



The patch is for newer versions of amavisd-new. You can manually add the 
necessary line.


edit /usr/sbin/amavisd-new and locate the line that reads:

#   LOCAL_RULES_DIR   = '/etc/mail/spamassassin',

and just below it, add this:
LOCAL_STATE_DIR   = '/var/lib',

At some point in the future you will upgrade to 3.1.5, when you do, this 
will no longer be necessary.


Gary V





Re: Running on Debian stable

2006-09-03 Thread Miles Fidelman

Found it, changed it, seems to work like a charm.

Now let's see if the new rules actually catch more spam than the basic 
stable install. :-)


Thanks again

Miles

Gary V wrote:


The patch is for newer versions of amavisd-new. You can manually add 
the necessary line.


edit /usr/sbin/amavisd-new and locate the line that reads:

#   LOCAL_RULES_DIR   = '/etc/mail/spamassassin',

and just below it, add this:
LOCAL_STATE_DIR   = '/var/lib',

At some point in the future you will upgrade to 3.1.5, when you do, 
this will no longer be necessary.







Re: Running on Debian stable

2006-09-03 Thread Gary V

Found it, changed it, seems to work like a charm.

Now let's see if the new rules actually catch more spam than the basic 
stable install. :-)


Thanks again

Miles



I never took the time to set up RulesDuJour or study which SARE rules might 
be the most appropriate for me. This thread was just what I needed to grab 
the SARE rules that give low false positives in a simple manner. You might 
like it too.


http://marc.theaimsgroup.com/?l=spamassassin-users&m=115637139728022

I created a little script and made a crontab entry to run it each day (this 
will wrap).


/usr/sbin/custom-update

#!/bin/sh
sa-update
sa-update --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com

spamassassin --lint && /etc/init.d/amavis restart

Gary V

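A more defensive version of that cron script, added here as an example and not Gary V's own script: it checks each sa-update run, lints only when a channel actually delivered new rules, and restarts amavis only when the lint passes, so a broken update never leaves the daemon down. It assumes sa-update's exit codes are 0 for "update installed", 1 for "nothing new" and anything else for failure, and keeps the commands in variables so they can be swapped out.

```shell
#!/bin/sh
# Added example, not Gary V's script: a more defensive custom-update for cron.
# Assumed sa-update exit codes: 0 = update installed, 1 = nothing new,
# anything else = failure. Commands live in variables so they can be swapped.
SA_UPDATE=${SA_UPDATE:-sa-update}
SA_LINT=${SA_LINT:-"spamassassin --lint"}
RESTART=${RESTART:-"/etc/init.d/amavis restart"}
OPENPROTECT_KEY=D1C035168C1EBC08464946DA258CDB3ABDE9DC10   # key from Gary V's script

# run_channel: run sa-update with the given arguments.
# Returns 0 if rules changed, 1 if nothing new, 2 if sa-update failed.
run_channel() {
    status=0
    $SA_UPDATE "$@" || status=$?
    case $status in
        0) return 0 ;;
        1) return 1 ;;
        *) echo "sa-update $* failed (exit $status)" >&2; return 2 ;;
    esac
}

# update_and_restart: pull both channels, then lint and restart amavis only
# when something actually changed and the merged rule set lints cleanly.
# Returns 0 restarted, 1 nothing to do, 2 update failed, 3 lint failed.
update_and_restart() {
    changed=0
    rc=0; run_channel || rc=$?
    [ "$rc" -eq 2 ] && return 2
    [ "$rc" -eq 0 ] && changed=1
    rc=0; run_channel --gpgkey "$OPENPROTECT_KEY" \
        --channel saupdates.openprotect.com || rc=$?
    [ "$rc" -eq 2 ] && return 2
    [ "$rc" -eq 0 ] && changed=1
    [ "$changed" -eq 1 ] || return 1
    if ! $SA_LINT; then
        echo "lint failed after update; amavis NOT restarted" >&2
        return 3
    fi
    $RESTART
}

# Only act when installed under Gary V's path name, so the functions can
# also be sourced or tested without touching a live system.
case ${0##*/} in
    custom-update) update_and_restart ;;
esac
```

Installed as /usr/sbin/custom-update and run from cron, the exit status tells you whether a restart happened, nothing changed, or the update or lint failed.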




Re: Sa-learn --ham vs spamassassin -report

2006-09-03 Thread Theo Van Dinter
On Sun, Sep 03, 2006 at 10:27:55PM -0400, Michael Scheidell wrote:
 Sa coach sends stream to spamd with 'TELL' protocol.
 It then calls the equivalent of 'spamassassin -r' (for spam) or '-z for
 ham' or -f for forget.
 
 Do I need to call sa-learn --ham and sa-learn --spam also?

No.

 If I call sa-learn --ham or --spam INSTEAD OF, I lose the ability to
 report to DCC,razor,spamcop.,pyzor, etc.

Well, you don't lose the ability to report to those, you just won't be
reporting to those at that point.

 So, is spamassassin -r a superset of sa-learn --spam? Or do I need to
 run them both to get the local Bayesian table updated?

No.  From the man page:

[...]
-r, --report
[...]
The message will also be submitted to SpamAssassin’s learning
systems; currently this is the internal Bayesian statistical-filtering
system (the BAYES rules).  (Note that if you only want to perform
statistical learning, and do not want to report mail to third-parties,
you should use the sa-learn command directly instead.)
[...]

-- 
Randomly Generated Tagline:
 Zapp: She's built like a steak house but she handles like a bistro. 




Re: Spammed by Non-delivery-report? (someone is using my email to spam)

2006-09-03 Thread Christian Purnomo
: On Fri, 1 Sep 2006, Christian Purnomo wrote:
: 
:  I am having so much trouble at present that some people are using my
:  email address to send their spam messages, in return I get hundreds and
:  hundreds of non-delivery email + other misc reply such as out of office.


Thanks All who have responded to my initial inquiry.

I have implemented openspf and it looks like it has dropped the number of
bounces significantly.  There are still a few coming through; are there
any other methods that I can use to clean up the uncaught mess? Justin
has recommended
http://svn.apache.org/repos/asf/spamassassin/rules/trunk/sandbox/jm/20_vbounce.cf
which sounds reasonable to me.

Thanks

Christian


Re: catching fake usernames?

2006-09-03 Thread hamann . w
 
 Rick Roe wrote:
  I get a lot of spam whose From addresses are users that don't exist on 
  my system (random names like [EMAIL PROTECTED], [EMAIL PROTECTED], etc). 
  I recently set up a scheme to manually blacklist all From addresses on 
  my domains and un-blacklist the fifty or so real addresses mail can 
  legitimately come from (the system aliases like postmaster, daemon, 
  and so forth, and a small handful of real users each with a handful of 
  aliases), using blacklist_from and unblacklist_from in the local 
  config file.
 

Hi,

if the sender is in your domain but the mail comes from outside, it should be 
authenticated whether it goes to a local or remote address.
I know that MS lookback tries to be extra smart and refuses to auth in that 
case, but there are other mail clients ...

Wolfgang Hamann