Can't get sa-learn to work

2006-09-07 Thread Al Smith

Since upgrading to 3.1.5, I get this when trying to use sa-learn:

# sa-learn --showdots --spam --mbx spam
archive-iterator: unable to open spam.spam: No such file or directory
archive-iterator: unable to open spam.spam: No such file or directory
archive-iterator: unable to open spam.spam: No such file or directory
archive-iterator: unable to open spam.spam: No such file or directory
archive-iterator: unable to open spam.spam: No such file or directory
archive-iterator: unable to open spam.spam: No such file or directory
archive-iterator: unable to open spam.spam: No such file or directory
archive-iterator: unable to open spam.spam: No such file or directory
archive-iterator: unable to open spam.spam: No such file or directory
archive-iterator: unable to open spam.spam: No such file or directory
archive-iterator: unable to open spam.spam: No such file or directory
archive-iterator: unable to open spam.spam: No such file or directory
archive-iterator: unable to open spam.spam: No such file or directory

Learned tokens from 0 message(s) (0 message(s) examined)
#

Any ideas?
Al.


On Fri, 8 Sep 2006, Bo Mellberg wrote:


Theo Van Dinter wrote:

On Thu, Sep 07, 2006 at 11:27:36AM +0200, Bo Mellberg wrote:

max:/#sa-learn -D --sync

which would upgrade the db from version 0 to version 2.


FWIW, the upgrade occurs anytime a DB write is attempted, --sync just
forces a write.


OK. Got it.




[25567] dbg: bayes: found bayes db version 0
[25567] dbg: bayes: detected bayes db format 0, upgrading
[25567] dbg: bayes: upgrading database format from v0 to v2
[25567] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[25567] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[25567] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[25567] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock

The last row just keeps repeating itself until I ctrl-C out of it.


Nothing seems crazy so far -- the upgrade may take a long time if there
are a lot of tokens, so SA refreshes the lock periodically so it doesn't
lose it.


You were perfectly right! I waited some more and it actually finished:

[29404] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[29404] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[29404] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[29404] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[29404] dbg: bayes: upgraded database format from v2 to v3 in 89 seconds
[29404] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[29404] dbg: bayes: expiry completed
[29404] dbg: bayes: untie-ing
[29404] dbg: bayes: untie-ing db_toks
[29404] dbg: bayes: untie-ing db_seen
[29404] dbg: bayes: files locked, now unlocking lock
[29404] dbg: locker: safe_unlock: unlink /root/.spamassassin/bayes.lock




What does "sa-learn --dump magic" say?



Well, before it didn't say anything, just complained about DB version 0, but 
now it gives me:


max:~# sa-learn --dump magic
0.000  0  3  0  non-token data: bayes db version
0.000  0  0  0  non-token data: nspam
0.000  0  0  0  non-token data: nham
0.000  0  0  0  non-token data: ntokens
0.000  0 1157694555  0  non-token data: oldest atime
0.000  0 1157694555  0  non-token data: newest atime
0.000  0 1157694555  0  non-token data: last journal sync atime
0.000  0 1157694555  0  non-token data: last expiry atime
0.000  0  0  0  non-token data: last expire atime delta
0.000  0  0  0  non-token data: last expire reduction count


So I guess I'm good. Thanks a bunch!

/Bo




Which DB is actually used?

2006-09-07 Thread Bo Mellberg

I have SA 3.1.4 configured and running on Debian Sarge using apt-get.

I'm finding it hard to know what directory is actually used for the 
bayes-database:


max:~# ls /root/.spamassassin/ -al
total 2344
drwx--  2 root root4096 Sep  8 07:52 .
drwxr-xr-x 12 root root4096 Sep  5 09:37 ..
-rw---  1 root root   12288 Sep  4 14:20 auto-whitelist
-rw-rw-rw-  1 root root   6 Sep  4 14:20 auto-whitelist.mutex
-rw-rw-rw-  1 root root   13992 Sep  4 14:08 bayes.mutex
-rw---  1 root root  344064 Sep  4 14:05 bayes_seen
-rw---  1 root root 2605056 Sep  8 07:52 bayes_toks
-rw-r--r--  1 root root1487 Sep  4 14:20 user_prefs
max:~# ls /home/bosse/.spamassassin/ -al
total 4564
drwx--S--- 2 bosse bosse4096 Sep  7 10:35 .
drwxr-sr-x 5 bosse bosse4096 Aug 31 16:19 ..
-rw--- 1 root  bosse   12288 Sep  6 01:06 auto-whitelist
-rw--- 1 root  bosse   6 Sep  6 01:06 auto-whitelist.mutex
-rw-rw-rw- 1 bosse bosse   15282 Sep  6 01:06 bayes.mutex
-rw--- 1 root  bosse   86136 Sep  6 01:06 bayes_journal
-rw--- 1 bosse bosse  339968 Sep  6 01:06 bayes_seen
-rw--- 1 root  bosse 5255168 Sep  6 01:06 bayes_toks
-rw--- 1 root  bosse1165 Oct  2  2005 user_prefs
max:~# ls /var/spool/exim4/.spamassassin/ -al
total 3424
drwx-- 2 Debian-exim Debian-exim4096 Sep  8 08:04 .
drwxr-x--- 7 Debian-exim Debian-exim4096 Sep  5 15:54 ..
-rw--- 1 Debian-exim Debian-exim 1298432 Sep  8 08:04 auto-whitelist
-rw-rw-rw- 1 Debian-exim Debian-exim   6 Sep  4 14:15 auto-whitelist.mutex
-rw-rw-rw- 1 Debian-exim Debian-exim   6 Sep  4 14:15 bayes.mutex
-rw--- 1 Debian-exim Debian-exim   64704 Sep  8 08:04 bayes_journal
-rw--- 1 Debian-exim Debian-exim  319488 Sep  8 08:04 bayes_seen
-rw--- 1 Debian-exim Debian-exim 2629632 Sep  8 08:04 bayes_toks
-rw-r--r-- 1 Debian-exim Debian-exim1175 Nov  1  2005 user_prefs

As you can see there are three directories which are all quite recently 
changed. How can I make sure that only one directory is used?


I would like to make SA site-wide, but the filtering is working really 
good right now so I'm afraid I'll break something. BTW, the user "bosse" 
is my own account used for my email.


* I just performed sa-learn --sync -D as root.
* I've never touched the exim directory, still it has the latest change 
date.


Thanks in advance.

/Bo


Re: Can't get sa-learn to work

2006-09-07 Thread Bo Mellberg

Theo Van Dinter wrote:

On Thu, Sep 07, 2006 at 11:27:36AM +0200, Bo Mellberg wrote:

max:/#sa-learn -D --sync

which would upgrade the db from version 0 to version 2.


FWIW, the upgrade occurs anytime a DB write is attempted, --sync just
forces a write.


OK. Got it.




[25567] dbg: bayes: found bayes db version 0
[25567] dbg: bayes: detected bayes db format 0, upgrading
[25567] dbg: bayes: upgrading database format from v0 to v2
[25567] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[25567] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[25567] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[25567] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock

The last row just keeps repeating itself until I ctrl-C out of it.


Nothing seems crazy so far -- the upgrade may take a long time if there
are a lot of tokens, so SA refreshes the lock periodically so it doesn't
lose it.


You were perfectly right! I waited some more and it actually finished:

[29404] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[29404] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[29404] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[29404] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[29404] dbg: bayes: upgraded database format from v2 to v3 in 89 seconds
[29404] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
[29404] dbg: bayes: expiry completed
[29404] dbg: bayes: untie-ing
[29404] dbg: bayes: untie-ing db_toks
[29404] dbg: bayes: untie-ing db_seen
[29404] dbg: bayes: files locked, now unlocking lock
[29404] dbg: locker: safe_unlock: unlink /root/.spamassassin/bayes.lock




What does "sa-learn --dump magic" say?



Well, before it didn't say anything, just complained about DB version 0, 
but now it gives me:


max:~# sa-learn --dump magic
0.000  0  3  0  non-token data: bayes db version
0.000  0  0  0  non-token data: nspam
0.000  0  0  0  non-token data: nham
0.000  0  0  0  non-token data: ntokens
0.000  0 1157694555  0  non-token data: oldest atime
0.000  0 1157694555  0  non-token data: newest atime
0.000  0 1157694555  0  non-token data: last journal sync atime
0.000  0 1157694555  0  non-token data: last expiry atime
0.000  0  0  0  non-token data: last expire atime delta
0.000  0  0  0  non-token data: last expire reduction count


So I guess I'm good. Thanks a bunch!

/Bo


site-wide config?

2006-09-07 Thread Russell Jones



Sorry if this is covered somewhere in the documentation, and if so can
someone be nice enough to point it to me :) I can't seem to locate it.

I would like to set spamassassin to use a site-wide configuration, so
that when I tell it to sa-learn, it will apply what it learns to every
single email account on the server.

If someone can point me to the documentation and/or examples of how to
set this, I would be very grateful.

Thanks!


Re: Everything is being filtered

2006-09-07 Thread jdow

From: "John D. Hardin" <[EMAIL PROTECTED]>


On Thu, 7 Sep 2006, Poohba wrote:


I don't know if this is the right place but I followed instructions from
http://www.atlantawebhost.com/articles/evolution_spamassassin.php and
everything is going to my spam folder.  The one difference is that this
version of Evolution has "Pipe to program" but other than that
everything is the same but EVERYTHING is moved.  How do I fix this?
I've even added my email address to the whitelist to test and that is
still being moved.


Find a message in your spam folder that is NOT spam, save it to a
file, and do this:

   spamassassin -e < WHATEVER_FILE > /dev/null; echo $?

what number does it display? The Evolution rule says to file the
message if that number is greater than zero.

You could also run

   spamassassin -t < WHATEVER_FILE

or

   spamassassin -D area=rules < WHATEVER_FILE

to see in detail what SA thinks of the message.


I've restarted spamassassin after making the changes
but that didn't seem to help.


Those instructions involve calling spamassassin directly for each
message, so "restarting spamassassin" won't affect it. It would have
to call spamc rather than spamassassin in order for the spamd daemon
to be used. Here's the command you'd pipe the message through in the
Evolution rule:

  spamc -c >/dev/null


IMAO *ANY* MTA that runs through SpamAssassin while the user is waiting
to read mail should be given the MiskaDOS disposal operation which ends
with driving a fire hardened oaken stake through the center of the last
disk in your possession that has the tool on it. The only sad thing is
that the lead foil for wrapping it before burial is hard to get these
days.

Run SpamAssassin in the background and read directly from DoveCot on
your own machine without SA in the feed path. Otherwise you'll spend way
too much time sitting waiting for the mail to be displayed. At least
*I* have better things I can do with that time. (This is why I consider
web based email clients as being the spawn of the devil, a scheme to
rob me of some of the precious few remaining hours of my life. Erm, I'd
feel the same if I was 18, too. Glaciers melt faster than Web E-Mail.)

{^_^}


Re: Quarantined Spam.

2006-09-07 Thread Evan Platt

At 08:50 PM 9/7/2006, you wrote:

Hi,

Is there anyway I can resend the emails which have been quarantined.
as some of the emails should not have been quarantined.

I'm using plesk 7.5 reloaded with spam assassin.


I don't know what Plesk is, but is plesk doing the quarantining?

Spamassassin isn't, so if you don't get an answer here, and plesk is 
what's doing the quarantining, you're probably better off asking in a 
plesk group. 



Quarantined Spam.

2006-09-07 Thread Jared








Hi,

Is there anyway I can resend the emails which have been quarantined.
as some of the emails should not have been quarantined.

I'm using plesk 7.5 reloaded with spam assassin.

Thanks in advance.


Some Spam getting through

2006-09-07 Thread David Reta








I am having an issue with spam not getting caught by the filter.

The spam will score low initially but when I run it on the quarantined
message a minute later the message will score well over the threshold.

I am using spamassassin 3.1.4 and it is being called through mimedefang.
I quarantine the message so I can keep a copy on the relay. I have a
bayes database that is shared over nfs. On this particular instance it
looks like the bayes test is skipped. Since I am using a bayes database
that is shared, could this be causing a timeout issue and if so how can
I increase the timeout so this does not occur?

Here is the MSG.0 File from the quarantine directory

 

Content analysis details:   (3.6 points, 4.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.1 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [85.99.173.13 listed in dnsbl.sorbs.net]

 3.647 4.5 EXTRA_MPART_TYPE,FORGED_RCVD_HELO,HTML_30_40,HTML_MESSAGE,RCVD_IN_SORBS_DUL

 

Here is the output from when I run it manually a minute later.

 

[EMAIL PROTECTED] qdir-2006-09-07-15.33.07-001]$ spamassassin < ENTIRE_MESSAGE | more
Received: from localhost by mx1.narus.com
    with SpamAssassin (version 3.1.5);
    Thu, 07 Sep 2006 16:40:58 -0700
From: "Hilda Crawford" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: *SPAM* overrun arbitration
Date: Fri, 8 Sep 2006 01:26:17 +0300
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on mx1.narus.com
X-Spam-Level: ***
X-Spam-Status: Yes, score=7.1 required=4.5 tests=BAYES_99,EXTRA_MPART_TYPE,
    FORGED_RCVD_HELO,HTML_30_40,HTML_MESSAGE,RCVD_IN_SORBS_DUL
    autolearn=no version=3.1.5
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_4500AE0A.1257C79C"

 

This is a multi-part message in MIME format.

=_4500AE0A.1257C79C
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Spam detection software, running on the system "mx1.narus.com", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

 

Content preview:  It’s like a welter of wild waters in the pitch dark; the
  sort of waters that he . The moment that man asked where it was found, I
  was sure he knew were it was found. Let us turn to the brighter topic of
  Mr Harker. What about the structure of the pier underneath? But that
  doesn’t explain the change in him. And that is by producing his
  Imaginary Man. All his veneer of society suavity seemed to have
  vanished. But the dirty devil swears he’ll succeed yet; shoot me and run
  off with my - never mind. It isn’t a very creditable tale, even as he
  tells it. He wanted to work for his wife and not be kept by her. It
  really seems to me as if he couldn’t have got out that way. At any rate,
  to allow that he may have been drowned at sea. I knew him well when we
  were children; we used to play over there on the sands. But that doesn’t
  explain the change in him. If Dr Straker means anything by his hints,
  they do matter. I waited; and I knew that they would not come again.
  It’s the only safe place to meet - if anything is safe by this time. It
  really seems to me as if he couldn’t have got out that way. And that is
  by producing his Imaginary Man. It isn’t a very creditable tale, even as
  he tells it. BRAHAM BRUCE‘Dear me,’ said Father Brown mildly. That is
  why I thought it so odd when the lawyer didn’t. It may save a very
  tragic misunderstanding with somebody later on. Why should he expect to
  meet the Inspector outside the Green Man? I guess all you need to know
  about the story is this. For really, we don’t know that the whole tale
  isn’t as false as a forgery. I will not trouble you with what I felt
  about that. I can’t exactly say I’m standing up for an old friend;
  because he isn’t even friendly. For really, we don’t know that the whole
  tale isn’t as false as a forgery. In many, one might almost fancy, it
  would be almost automatic. It’s simply stark staring unreason; a big man
  vanishing like a bubble; nobody could possibly . There was no man who
  had a more hearty and enduring appetite for doing nothing. It really
  seems to me as if he [...]

 

Content analysis details:   (7.1 points, 4.5 required)

 pts rule name              description

 

Re: [Bump] No log to syslog after upgrade

2006-09-07 Thread Stuart Johnston

Kurt Buff wrote:

I've requested an account, and am waiting for the password.

I understand about command line tools and their use, but SA is a bit of a
special case, as it's used as more than simply a command line tool -
especially when you consider its use with Amavis, etc.


amavisd-new has its own logging facilities including the option to log to syslog or a separate log 
file.  There is also an option to log debugging output from SA.  You should ask on the amavis list 
if you need more details.


RE: [Bump] No log to syslog after upgrade

2006-09-07 Thread Kurt Buff
Entered as # 5093.

| -Original Message-
| From: Kurt Buff 
| Sent: Thursday, September 07, 2006 14:27
| To: users@spamassassin.apache.org
| Subject: RE: [Bump] No log to syslog after upgrade
| 
| 
| I've requested an account, and am waiting for the password.
| 
| I understand about command line tools and their use, but SA 
| is a bit of a
| special case, as it's used as more than simply a command line tool -
| especially when you consider its use with Amavis, etc.
| 
| Kurt
| 
| | -Original Message-
| | From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
| | Sent: Thursday, September 07, 2006 13:32
| | To: users@spamassassin.apache.org
| | Subject: Re: [Bump] No log to syslog after upgrade
| | 
| | 
| | On Thu, Sep 07, 2006 at 01:26:08PM -0700, Kurt Buff wrote:
| | > Perhaps an invocation flag could be added?
| | 
| | You can feel free to open an enhancement BZ ticket if you like.
| | Generally speaking commandline tools don't log to syslog though.
| | 
| | -- 
| | Randomly Generated Tagline:
| | If ignorance is bliss, why aren't more people happy?


  



Re: Whitelist ebay

2006-09-07 Thread OpenMacNews

steven,


Lint keeps throwing out this line:

 whitelist_from_rcvd [EMAIL PROTECTED]

Is there something special about ebay?


you need a second parameter on that line.

from the man page ...

"whitelist_from_rcvd [EMAIL PROTECTED] sourceforge.net
   Use this to supplement the whitelist_from addresses with a check 
against the Received headers. The first parameter is the address to 
whitelist, and the second is a string to match the relay's rDNS.

"

richard
--

/"\
\ /  ASCII Ribbon Campaign
X   against HTML email, vCards
/ \  & micro$oft attachments

[GPG] OpenMacNews at gmail dot com
fingerprint: 50C9 1C46 2F8F DE42 2EDB  D460 95F7 DDBD 3671 08C6
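
An added example, not from the man page or the thread: a small sh/awk check that lists `whitelist_from_rcvd` lines missing the second parameter described above. The sample configuration and its `.example` addresses are constructed; `def_whitelist_from_rcvd` lines are checked the same way.

```sh
#!/bin/sh
# Added example, not SpamAssassin code: report whitelist_from_rcvd entries
# that lack the second parameter (the string matched against the relay's rDNS).

# check_rcvd FILE
#   Prints "LINENO: original line" for every incomplete entry.
#   Exit status is 1 if any incomplete entry was found, 0 otherwise.
check_rcvd() {
    awk '
        {
            orig = $0
            sub(/#.*/, "")   # drop comments; a commented-out rDNS does not count
                             # (escaped "\#" is not handled in this sketch)
        }
        $1 ~ /^(def_)?whitelist_from_rcvd$/ && NF < 3 {
            print NR ": " orig
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample FILE: constructed configuration used for the demonstration.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real local.cf
whitelist_from_rcvd  member@ebay.example
whitelist_from_rcvd  member@ebay.example  ebay.example
  whitelist_from_rcvd news@shop.example   # mail.shop.example
def_whitelist_from_rcvd *@bank.example bank.example
whitelist_from friend@home.example
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_rcvd "$sample" || echo "incomplete whitelist_from_rcvd entries found"
rm -f "$sample"
```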



Re: Whitelist ebay

2006-09-07 Thread Theo Van Dinter
On Thu, Sep 07, 2006 at 04:48:02PM -0500, Steven Stern wrote:
> Lint keeps throwing out this line:
> 
> whitelist_from_rcvd [EMAIL PROTECTED]
> 
> Is there something special about ebay?

No, but you're missing the rest of the line.

perldoc Mail::SpamAssassin::Conf

-- 
Randomly Generated Tagline:
"To win, you must treat a pressure situation as an opportunity to succeed,
 not an opportunity to fail." - Gardner Dickinson




Whitelist ebay

2006-09-07 Thread Steven Stern

Lint keeps throwing out this line:

whitelist_from_rcvd [EMAIL PROTECTED]

Is there something special about ebay?


RE: [Bump] No log to syslog after upgrade

2006-09-07 Thread Kurt Buff
I've requested an account, and am waiting for the password.

I understand about command line tools and their use, but SA is a bit of a
special case, as it's used as more than simply a command line tool -
especially when you consider its use with Amavis, etc.

Kurt

| -Original Message-
| From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
| Sent: Thursday, September 07, 2006 13:32
| To: users@spamassassin.apache.org
| Subject: Re: [Bump] No log to syslog after upgrade
| 
| 
| On Thu, Sep 07, 2006 at 01:26:08PM -0700, Kurt Buff wrote:
| > Perhaps an invocation flag could be added?
| 
| You can feel free to open an enhancement BZ ticket if you like.
| Generally speaking commandline tools don't log to syslog though.
| 
| -- 
| Randomly Generated Tagline:
| If ignorance is bliss, why aren't more people happy?
| 


  



Re: [Bump] No log to syslog after upgrade

2006-09-07 Thread Theo Van Dinter
On Thu, Sep 07, 2006 at 01:26:08PM -0700, Kurt Buff wrote:
> Perhaps an invocation flag could be added?

You can feel free to open an enhancement BZ ticket if you like.
Generally speaking commandline tools don't log to syslog though.

-- 
Randomly Generated Tagline:
If ignorance is bliss, why aren't more people happy?




RE: [Bump] No log to syslog after upgrade

2006-09-07 Thread Kurt Buff
| From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
| On Thu, Sep 07, 2006 at 09:11:22AM -0700, John D. Hardin wrote:
| > > [server]spamassassin --lint -D
| > > [22110] dbg: logger: adding facilities: all
| > > [22110] dbg: logger: logging level is DBG
| > > 
| > 
| > Is your syslog daemon configured to discard debug-level messages?
| [...]
| 
| At last check, spamassassin doesn't log to syslog.  spamd does.

And that seems a bit silly, doesn't it? Or was there a good reason for that
decision?

Perhaps an invocation flag could be added?

Kurt


  



Re: sa-learn question

2006-09-07 Thread Theo Van Dinter
On Thu, Sep 07, 2006 at 02:19:25PM -0500, EviL_SmUrF wrote:
> Quick question about spamassassin's sa-learn feature. I am running 
> spamassassin on a semi-large webhosting server, and I can't seem to find 
> rather or not when I run sa-learn, if what it learns it will apply to only 
> that email address it was ran on, or the entire domain, or all of the domains 
> hosted on the box. Example of what I am running:

It doesn't quite work like that.  sa-learn updates a database, the
recipient information doesn't really matter.  The tokens that are learned
will be used by what or who-ever you have configured to use that database
for scanning.

ie: If you have individual DBs per user, then the learning applies to
the user whose database you updated.  If you have a sitewide DB config,
then it'll be for all users.

-- 
Randomly Generated Tagline:
My wife and I were happy for years.  Then we met.




Re: Inconsistent Rules Firing

2006-09-07 Thread Michel Vaillancourt
Bowie Bailey wrote:
> 
> Are you sure these messages are being scanned?  Take a look at the
> headers and see if there are X-Spam headers in both the marked and
> unmarked messages.  If so, post those headers here so we can see what
> is hitting.
> 
As I indicated in the original mail... they are getting scored.  The 
headers are there.  However, the scores are VERY low compared to another 
similar one that arrives moments later.  I'll post back when I get a good 
comparison pair.

> You also may want to add this line to your local.cf file:
> 
> add_header all Report _REPORT_
> 
> This will add the report header listing the rule hits to all messages
> regardless of the score.  Restart spamd after making the change.
> 

Will do.  I'll post back with results.

-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


sa-learn question

2006-09-07 Thread EviL_SmUrF



Heya guys! (and girls!)

Quick question about spamassassin's sa-learn feature. I am running
spamassassin on a semi-large webhosting server, and I can't seem to find
rather or not when I run sa-learn, if what it learns it will apply to
only that email address it was ran on, or the entire domain, or all of
the domains hosted on the box. Example of what I am running:

sa-learn --no-sync --spam /home/username/Maildir/.INBOX.spam/cur

The ideal way I would like to do is setup a [EMAIL PROTECTED] email
address, get that receiving a good amount of spam, and have spamassassin
run on that account and when I separate the ham from spam, have the
information it learns from that account apply to EVERY account it checks.

It is running on CentOS 4.3. I am running spamassassin version 3.1.4. I
am making use of spamd.

Thanks for your help!
 
 


Re: Everything is being filtered

2006-09-07 Thread John D. Hardin
On Thu, 7 Sep 2006, Poohba wrote:

> I am not sure what's not working right.  I am using /usr/bin/spamc -e
> > /dev/null

The flag is "-c" if you are using spamc.

> That is actually the problem now that I looked at it and
> what you stated at the end.  when I changed it to -c I think it will
> work because when I did it on the commandline I got a 0 for you and 1
> for the spam.  Attention to details... ugh.  I apologize!

> $ spamassassin -e < spam2.txt > /dev/null; echo $? 
> 0
 
> $ spamassassin -e < spamassassin.txt > /dev/null; echo $?
> 0

That sounds like the bug in spamassassin -e handling, but the behavior
if that's the cause should be NOTHING gets put into the spam folder,
as it is misreporting spam as ham.

Check your evolution rule. Either evolution is misconfigured to treat
a return code of zero as a spam indicator, or it's not getting the
correct return code back when it tries to run SA.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 10 days until The 219th anniversary of the signing of the U.S. Constitution



Re: Everything is being filtered

2006-09-07 Thread Theo Van Dinter
On Thu, Sep 07, 2006 at 02:43:00PM -0400, Poohba wrote:
> $ spamassassin -e < spam2.txt > /dev/null; echo $? 
> 0
> 
> $ spamassassin -t < spam2.txt
> X-Spam-Status: Yes, score=29.7 required=5.0 tests=FORGED_HOTMAIL_RCVD,
> autolearn=unavailable version=3.1.3

Yeah, that's the bug I was mentioning.  Upgrade to 3.1.4 or later.

-- 
Randomly Generated Tagline:
Stalin's grave is a Communist plot.
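
An added example, not part of the thread: a POSIX sh check for the disagreement quoted above, where `spamassassin -e` exits 0 while its own output carries `X-Spam-Status: Yes`. The `stub_*` functions and the `SPAM-SAMPLE` marker are constructed stand-ins so it runs without SpamAssassin; pass a real command such as `spamassassin -e` as the trailing arguments instead.

```sh
#!/bin/sh
# Added example, not code from the thread. Compares the exit status a mail
# client rule acts on with the verdict in the scanner's own headers.

# header_verdict: read scanner output on stdin, print spam | ham | unknown.
# Only the header block (up to the first blank line) is read and the first
# X-Spam-Status line wins, so text in the body cannot change the result.
header_verdict() {
    awk '
        /^$/ { exit }
        v == "" && tolower($0) ~ /^x-spam-status:[ \t]*yes/ { v = "spam" }
        v == "" && tolower($0) ~ /^x-spam-status:[ \t]*no/  { v = "ham" }
        END { print (v == "" ? "unknown" : v) }
    '
}

# check_scanner FILE CMD [ARGS...]
#   Feeds FILE to CMD on stdin and prints one of:
#     ok <verdict> rc=N          exit status and headers agree
#     mismatch exit=.. header=.. the case reported in the thread
#     no-verdict rc=N            no X-Spam-Status in the output; the command
#                                probably failed. A "returns greater than 0"
#                                rule treats any such failure as spam.
check_scanner() {
    cs_file=$1; shift
    cs_out=$(mktemp) || return 2
    cs_rc=0
    "$@" < "$cs_file" > "$cs_out" || cs_rc=$?
    cs_hdr=$(header_verdict < "$cs_out")
    rm -f "$cs_out"
    if [ "$cs_rc" -eq 0 ]; then cs_exit=ham; else cs_exit=spam; fi
    case $cs_hdr in
        unknown)    echo "no-verdict rc=$cs_rc" ;;
        "$cs_exit") echo "ok $cs_hdr rc=$cs_rc" ;;
        *)          echo "mismatch exit=$cs_exit header=$cs_hdr rc=$cs_rc" ;;
    esac
}

# Constructed stand-ins for a scanner. A message counts as spam when it
# contains the made-up marker SPAM-SAMPLE.
stub_tag() {
    st_body=$(cat)
    if printf '%s\n' "$st_body" | grep -q 'SPAM-SAMPLE'; then
        printf 'X-Spam-Flag: YES\nX-Spam-Status: Yes, score=29.7 required=5.0\n'
        printf '%s\n' "$st_body"
        return 1
    fi
    printf 'X-Spam-Status: No, score=0.0 required=5.0\n%s\n' "$st_body"
    return 0
}
stub_fixed() { stub_tag; }          # exit status follows the verdict
stub_buggy() { stub_tag || true; }  # always exits 0, as reported for -e

demo() {
    d=$(mktemp -d) || return 1
    printf 'Subject: lunch\n\nSee you at noon.\n' > "$d/ham.txt"
    printf 'Subject: offer\n\nSPAM-SAMPLE limited time\n' > "$d/spam.txt"
    echo "fixed scanner, spam: $(check_scanner "$d/spam.txt" stub_fixed)"
    echo "buggy scanner, spam: $(check_scanner "$d/spam.txt" stub_buggy)"
    echo "fixed scanner, ham:  $(check_scanner "$d/ham.txt" stub_fixed)"
    echo "command that fails:  $(check_scanner "$d/ham.txt" false)"
    rm -rf "$d"
}
demo
```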




Re: Everything is being filtered

2006-09-07 Thread Theo Van Dinter
On Thu, Sep 07, 2006 at 11:44:36AM -0700, John D. Hardin wrote:
> But if it's always returning zero (not spam) that still doesn't
> explain why they are all being filed as spam...

I didn't say it did, just that there was a -e related bug.  I know nothing
about Evolution.

> Did that bug also affect "spamc -c"?

Nope, just "spamassassin -e".

-- 
Randomly Generated Tagline:
I'll play fair -- IF *I* get to make up the rules...




Re: Everything is being filtered

2006-09-07 Thread John D. Hardin
On Thu, 7 Sep 2006, Theo Van Dinter wrote:

> On Thu, Sep 07, 2006 at 02:27:02PM -0400, Poohba wrote:
> > I did your email, another email that should be spam and another that is
> > spam and they all returned 0.
> 
> You haven't mentioned what version of SA you're running.  There was
> a bug introduced in 3.1.2 and fixed in 3.1.4 which caused -e to not
> function properly.  fyi.

But if it's always returning zero (not spam) that still doesn't
explain why they are all being filed as spam...

Did that bug also affect "spamc -c"?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 10 days until The 219th anniversary of the signing of the U.S. Constitution



Re: Everything is being filtered

2006-09-07 Thread John D. Hardin
On Thu, 7 Sep 2006, Poohba wrote:

> I did your email, another email that should be spam and another
> that is spam and they all returned 0.

Verify this bit of your Evolution rule:

  d. Select "returns greater than" from the return drop down list.
  e. Set 0 to the number box.

Assuming SA is working correctly in the rule, then it *sounds* like
you may have selected "returns greater than OR EQUAL to 0" (assuming
that is an option - I don't have a copy of Evolution handy at the
moment).  <-- shot in the dark

You might also edit the evolution rule to redirect the output of
spamassassin somewhere besides the bitbucket, and see what it logs.
e.g.:

spamassassin -e >> /home/poohba~/evo-sa-results.log

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 10 days until The 219th anniversary of the signing of the U.S. Constitution



Re: Everything is being filtered

2006-09-07 Thread Poohba
I am not sure what's not working right.  I am using /usr/bin/spamc -e
> /dev/null   That is actually the problem now that I looked at it and
what you stated at the end.  when I changed it to -c I think it will
work because when I did it on the commandline I got a 0 for you and 1
for the spam.  Attention to details... ugh.  I apologize!

$ spamassassin -e < spam2.txt > /dev/null; echo $? 
0

$ spamassassin -t < spam2.txt
>From [EMAIL PROTECTED] Thu Sep  7 11:19:51 2006
Return-Path: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
rob-campbell.com
X-Spam-Level: *
X-Spam-Status: Yes, score=29.7 required=5.0 tests=FORGED_HOTMAIL_RCVD,
FORGED_MSGID_HOTMAIL,HELO_DYNAMIC_IPADDR2,HTML_IMAGE_ONLY_12,
HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,MIME_HTML_ONLY,

RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,URIBL_AB_SURBL,URIBL_JP_SURBL,
URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
autolearn=unavailable version=3.1.3


$ spamassassin -e < spamassassin.txt > /dev/null; echo $?
0

$ spamassassin -t < spamassassin.txt
>From [EMAIL PROTECTED] Thu Sep  7 14:21:13 2006
Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
rob-campbell.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=none
autolearn=unavailable
version=3.1.3



On Thu, 2006-09-07 at 11:20 -0700, John D. Hardin wrote:
> On Thu, 7 Sep 2006, Poohba wrote:
> 
> > I don't know if this is the right place but I followed instructions from
> > http://www.atlantawebhost.com/articles/evolution_spamassassin.php and
> > everything is going to my spam folder.  The one difference is that this
> > version of Evolution has "Pipe to program" but other than that
> > everything is the same but EVERYTHING is moved.  How do I fix this?
> > I've even added my email address to the whitelist to test and that is
> > still being moved.
> 
> Find a message in your spam folder that is NOT spam, save it to a
> file, and do this:
> 
> spamassassin -e < WHATEVER_FILE > /dev/null; echo $?
> 
> what number does it display? The Evolution rule says to file the
> message if that number is greater than zero.
> 
> You could also run
> 
> spamassassin -t < WHATEVER_FILE
> 
> or
> 
> spamassassin -D area=rules < WHATEVER_FILE
> 
> to see in detail what SA thinks of the message.
> 
> > I've restarted spamassassin after making the changes
> > but that didn't seem to help.
> 
> Those instructions involve calling spamassassin directly for each
> message, so "restarting spamassassin" won't affect it. It would have
> to call spamc rather than spamassassin in order for the spamd daemon
> to be used. Here's the command you'd pipe the message through in the
> Evolution rule:
> 
>    spamc -c >/dev/null
> 
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>   Liberals love sex ed because it teaches kids to be safe around their
>   sex organs. Conservatives love gun education because it teaches kids
>   to be safe around guns. However, both believe that the other's
>   education goals lead to dangers too terrible to contemplate.
> ---
>  10 days until The 219th anniversary of the signing of the U.S. Constitution



Re: Everything is being filtered

2006-09-07 Thread Theo Van Dinter
On Thu, Sep 07, 2006 at 02:27:02PM -0400, Poohba wrote:
> I did your email, another email that should be spam and another that is
> spam and they all returned 0.

You haven't mentioned what version of SA you're running.  There was
a bug introduced in 3.1.2 and fixed in 3.1.4 which caused -e to not
function properly.  fyi.

-- 
Randomly Generated Tagline:
"You're vegetarians! Who cares what you do?"
  --Leela




Re: Everything is being filtered

2006-09-07 Thread John D. Hardin
On Thu, 7 Sep 2006, Poohba wrote:

> I don't know if this is the right place but I followed instructions from
> http://www.atlantawebhost.com/articles/evolution_spamassassin.php and
> everything is going to my spam folder.  The one difference is that this
> version of Evolution has "Pipe to program" but other than that
> everything is the same but EVERYTHING is moved.  How do I fix this?
> I've even added my email address to the whitelist to test and that is
> still being moved.

Find a message in your spam folder that is NOT spam, save it to a
file, and do this:

spamassassin -e < WHATEVER_FILE > /dev/null; echo $?

what number does it display? The Evolution rule says to file the
message if that number is greater than zero.

You could also run

spamassassin -t < WHATEVER_FILE

or

spamassassin -D area=rules < WHATEVER_FILE

to see in detail what SA thinks of the message.

> I've restarted spamassassin after making the changes
> but that didn't seem to help.

Those instructions involve calling spamassassin directly for each
message, so "restarting spamassassin" won't affect it. It would have
to call spamc rather than spamassassin in order for the spamd daemon
to be used. Here's the command you'd pipe the message through in the
Evolution rule:

   spamc -c >/dev/null

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Liberals love sex ed because it teaches kids to be safe around their
  sex organs. Conservatives love gun education because it teaches kids
  to be safe around guns. However, both believe that the other's
  education goals lead to dangers too terrible to contemplate.
---
 10 days until The 219th anniversary of the signing of the U.S. Constitution



Re: Everything is being filtered

2006-09-07 Thread Poohba
I did your email, another email that should be spam and another that is
spam and they all returned 0.

On Thu, 2006-09-07 at 11:20 -0700, John D. Hardin wrote:
> On Thu, 7 Sep 2006, Poohba wrote:
> 
> > I don't know if this is the right place but I followed instructions from
> > http://www.atlantawebhost.com/articles/evolution_spamassassin.php and
> > everything is going to my spam folder.  The one difference is that this
> > version of Evolution has "Pipe to program" but other than that
> > everything is the same but EVERYTHING is moved.  How do I fix this?
> > I've even added my email address to the whitelist to test and that is
> > still being moved.
> 
> Find a message in your spam folder that is NOT spam, save it to a
> file, and do this:
> 
> spamassassin -e < WHATEVER_FILE > /dev/null; echo $?
> 
> what number does it display? The Evolution rule says to file the
> message if that number is greater than zero.
> 
> You could also run
> 
> spamassassin -t < WHATEVER_FILE
> 
> or
> 
> spamassassin -D area=rules < WHATEVER_FILE
> 
> to see in detail what SA thinks of the message.
> 
> > I've restarted spamassassin after making the changes
> > but that didn't seem to help.
> 
> Those instructions involve calling spamassassin directly for each
> message, so "restarting spamassassin" won't affect it. It would have
> to call spamc rather than spamassassin in order for the spamd daemon
> to be used. Here's the command you'd pipe the message through in the
> Evolution rule:
> 
>    spamc -c >/dev/null
> 



Everything is being filtered

2006-09-07 Thread Poohba
I don't know if this is the right place but I followed instructions from
http://www.atlantawebhost.com/articles/evolution_spamassassin.php and
everything is going to my spam folder.  The one difference is that this
version of Evolution has "Pipe to program" but other than that
everything is the same but EVERYTHING is moved.  How do I fix this?
I've even added my email address to the whitelist to test and that is
still being moved.  I've restarted spamassassin after making the changes
but that didn't seem to help.




Re: RPM -vs- CPAN install

2006-09-07 Thread Kenneth Porter

Ah, I see you opened an issue against this:




Re: RPM -vs- CPAN install

2006-09-07 Thread Kenneth Porter
--On Thursday, September 07, 2006 11:38 AM -0400 Theo Van Dinter 
<[EMAIL PROTECTED]> wrote:

> To be honest, I'd be more partial to removing tools and contrib (and
> masses and ...) from the tarball and make them available separately.
> It'd be pretty easy IMO.
> 
> I believe that the vast majority of people don't use those directories
> for anything, and since those directories don't change much and/or are
> only used for development, why make everyone download it?


I'd be happy seeing them moved to their own tarball with its own spec file.




Re: [Bump] No log to syslog after upgrade

2006-09-07 Thread Theo Van Dinter
On Thu, Sep 07, 2006 at 09:11:22AM -0700, John D. Hardin wrote:
> > [server]spamassassin --lint -D
> > [22110] dbg: logger: adding facilities: all
> > [22110] dbg: logger: logging level is DBG
> > 
> 
> Is your syslog daemon configured to discard debug-level messages?
[...]

At last check, spamassassin doesn't log to syslog.  spamd does.

-- 
Randomly Generated Tagline:
"... advise the users that although it can help, they are known problems ..."
- Stanislav Meduna




RE: Inconsistent Rules Firing

2006-09-07 Thread Bowie Bailey
Michel Vaillancourt wrote:
>   Recently several IMG spams and plain-text stock spams have been
> making it in unmarked.  However, they'll be right beside two more
> correctly identified.  What seems to be happening is that spamd isn't
> always firing all the rules that apply to the message, resulting in a
> score 8 or 9 spam arriving with a score of 4.something.
> 
>   When I "spamassassin -D --lint", the debug info always looks right
> about all the rules loading.  Suggestions as to where to start
> looking?  

Are you sure these messages are being scanned?  Take a look at the
headers and see if there are X-Spam headers in both the marked and
unmarked messages.  If so, post those headers here so we can see what
is hitting.

You also may want to add this line to your local.cf file:

add_header all Report _REPORT_

This will add the report header listing the rule hits to all messages
regardless of the score.  Restart spamd after making the change.

-- 
Bowie


Re: [Bump] No log to syslog after upgrade

2006-09-07 Thread John D. Hardin
On Thu, 7 Sep 2006, Thomas Ericsson wrote:

> [server]spamassassin --lint -D
> [22110] dbg: logger: adding facilities: all
> [22110] dbg: logger: logging level is DBG
> 

Is your syslog daemon configured to discard debug-level messages?

Are the messages being logged to /var/log/message (or whatever your
default is) rather than mail.log?

> > After our upgrade from SA 2.6.3 to SA 3.1.3 we do not get any logs  
> > written to /var/log/mail.log anymore. Any ideas why this could be?
> >
> > Here's our setup: OSX 10.3.9, Communigate 4.2.8, CGPSA 1.4, SA 3.1.3




Re: Can't get sa-learn to work

2006-09-07 Thread Theo Van Dinter
On Thu, Sep 07, 2006 at 11:27:36AM +0200, Bo Mellberg wrote:
> max:/#sa-learn -D --sync
> 
> which would upgrade the db from version 0 to version 2.

FWIW, the upgrade occurs anytime a DB write is attempted, --sync just
forces a write.

> [25567] dbg: bayes: found bayes db version 0
> [25567] dbg: bayes: detected bayes db format 0, upgrading
> [25567] dbg: bayes: upgrading database format from v0 to v2
> [25567] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
> [25567] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
> [25567] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
> [25567] dbg: locker: refresh_lock: refresh /root/.spamassassin/bayes.lock
> 
> The last row just keeps repeating itself until I ctrl-C out of it.

Nothing seems crazy so far -- the upgrade may take a long time if there
are a lot of tokens, so SA refreshes the lock periodically so it doesn't
lose it.

What does "sa-learn --dump magic" say?

-- 
Randomly Generated Tagline:
"Today is going to be one of those days, isn't it?  Wait a minute... It's 
 4pm... It *IS* one of those days..." - Theo




Inconsistent Rules Firing

2006-09-07 Thread Michel Vaillancourt

Recently several IMG spams and plain-text stock spams have been making 
it in unmarked.  However, they'll be right beside two more correctly 
identified.  What seems to be happening is that spamd isn't always firing all 
the rules that apply to the message, resulting in a score 8 or 9 spam arriving 
with a score of 4.something.

When I "spamassassin -D --lint", the debug info always looks right 
about all the rules loading.  Suggestions as to where to start looking?
-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


Re: RPM -vs- CPAN install

2006-09-07 Thread Theo Van Dinter
On Thu, Sep 07, 2006 at 06:08:27AM -0700, Kenneth Porter wrote:
> How about adding a -contrib or -tools sub-package to the "official" spec 
> file? If they're included in the tarball, then they should make it out to 
> an RPM binary.

To be honest, I'd be more partial to removing tools and contrib (and
masses and ...) from the tarball and make them available separately.
It'd be pretty easy IMO.

I believe that the vast majority of people don't use those directories
for anything, and since those directories don't change much and/or are
only used for development, why make everyone download it?

-- 
Randomly Generated Tagline:
The court finds everyone to be in contempt (including himself :-), and
 orders everyone sentenced to five years hard labor.  (Working on Perl,
 of course.)
  -- Larry Wall in <[EMAIL PROTECTED]>




Re: URIBL false matches

2006-09-07 Thread John D. Hardin
On Thu, 7 Sep 2006, Mark G. Thomas wrote:

> Does anyone have suggestions other than discontinuing use of the
> URIBL or using a much lower score?  Is there some way to fix this
> code to make it more resilient to Lotus Notes text mangling?  Is
> there some easy way I can exclude just the one domain name
> "ng.com" from being looked up at all, but otherwise still use the
> URIBL?

Don't touch the URIBL rules at all.

Create a __LOTUS_NOTES rule that hits for messages processed by Notes -
there is probably something in the headers that you can look for.

Then you can:

(1) add a small negative score for that alone - not recommended, too
easy to forge,

or

(2) combine it with other rules, e.g. the URIBL hits, to offset the
score, e.g.

   meta  LOTUS_URIBL_FP  __LOTUS_NOTES && (URIBL_WS_SURBL || ... )
   score LOTUS_URIBL_FP  -2.00

If it is consistently happening to just one domain then you could also
look for the mangled domain (e.g. "/\bng\.com\b/i") to reduce the
false positives for this adjustment:

   meta  LOTUS_URIBL_FP  __LOTUS_NOTES && __CHOPPED_DOMAIN && (URIBL_WS_SURBL || ... )




RE: URIBL false matches

2006-09-07 Thread John D. Hardin
On Thu, 7 Sep 2006, Rosenbaum, Larry M. wrote:

> uridnsbl_skip_domain ng.com

{raspberry}




Re: RPM -vs- CPAN install

2006-09-07 Thread John D. Hardin
On Thu, 7 Sep 2006, Kenneth Porter wrote:

> --On Wednesday, September 06, 2006 9:53 PM -0400 Theo Van Dinter 
> <[EMAIL PROTECTED]> wrote:
> 
> > If you modify the spec file it can, but generally speaking you can just
> > grab the tools out of the tarball.  IMO, the tools should end up in
> > contrib since we don't actually support them.
> 
> How about adding a -contrib or -tools sub-package to the "official" spec 
> file? If they're included in the tarball, then they should make it out to 
> an RPM binary.

+1




RE: URIBL false matches

2006-09-07 Thread Rosenbaum, Larry M.
> From: Mark G. Thomas [mailto:[EMAIL PROTECTED]
> 
> Hi,
> 
> I have a problem with incorrect URIBL hits on incoming forwarded messages
> that have been mangled by Lotus Notes.
> 
> I have a customer with the domain name "Yimaging.com".
> (Not really "Y").
> 
> "ng.com" is on the URIBL blacklist.  I think for awhile it has been
> removed, but it's there again now.
> ...
> Is there some
> easy way I can exclude just the one domain name "ng.com" from being looked
> up at all, but otherwise still use the URIBL?

uridnsbl_skip_domain ng.com




URIBL false matches

2006-09-07 Thread Mark G. Thomas
Hi,

I have a problem with incorrect URIBL hits on incoming forwarded messages 
that have been mangled by Lotus Notes.

I have a customer with the domain name "Yimaging.com".
(Not really "Y").

"ng.com" is on the URIBL blacklist.  I think for awhile it has been
removed, but it's there again now.

Although my customer does not use Notes, when an outside correspondent
does, sometimes the forwarded/replied message comes back containing
ascii text like this, complete with the "|, +, -, >" symbols, as follows:

|-+>
| |   "Smith, Fred"|
| |   <[EMAIL PROTECTED]|
| |   ng.com>  |
| ||
| |   30/08/2006 09:55 |
|-+>

This unfortunately matches on "ng.com".

In other messages, this mangled forwarded text ends up more like this,
with the same problem.  Sometimes messages are forwarded from one to
another person externally, then eventually back to the original sender,
at which point my system treats them as spam.

=20 >=
--|
=20 |=
=20 |
=20 |   To:   "Smith, Fred" <[EMAIL PROTECTED]
ng.com>@[EMAIL PROTECTED] |
=20 |   cc:  =
=20 |
=20 |   Subject:   Fw: message subject line here but has been removed=
selection   |
=20 >=
--|


Does anyone have suggestions other than discontinuing use of the URIBL 
or using a much lower score?  Is there some way to fix this code to 
make it more resilient to Lotus Notes text mangling?  Is there some
easy way I can exclude just the one domain name "ng.com" from being looked 
up at all, but otherwise still use the URIBL?

Mark


-- 
Mark G. Thomas ([EMAIL PROTECTED])
voice: 215-591-3695
http://www.misty.com/  http://mail-cleaner.com/
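The false match described in this message, and the two mitigations suggested in the replies (a `uridnsbl_skip_domain`-style skip list and the offsetting meta rule), modelled in Python as an added example; it is not SpamAssassin code and not from any poster. The message body, the address `example-imaging.com`, the simplified domain scanner, the URIBL score of 3.0 and the `from_notes` flag are constructed assumptions.

```python
import re

# Constructed body modelled on the Notes-style box quoted in the post: the
# address fred.smith@example-imaging.com is wrapped at the right-hand border.
NOTES_BODY = "\n".join([
    '|---------+---------------------------->',
    '|         |   "Smith, Fred"            |',
    '|         |   <fred.smith@example-imagi|',
    '|         |   ng.com>                  |',
    '|         |   30/08/2006 09:55         |',
    '|---------+---------------------------->',
])

BLOCKLIST = {"ng.com"}   # constructed stand-in for the URIBL listing
URIBL_SCORE = 3.0        # constructed score, not a SpamAssassin default
OFFSET = -2.00           # the offset used in the meta rule from the thread

# Simplified domain scanner (an assumption, not SpamAssassin's URI parser).
DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+(?:com|net|org))\b", re.I)
# The chopped-domain pattern suggested in the thread.
CHOPPED_RE = re.compile(r"\bng\.com\b", re.I)


def domains(body):
    """Return the set of lower-cased domains the scanner sees in the body."""
    return {d.lower() for d in DOMAIN_RE.findall(body)}


def uribl_hits(body, skip=()):
    """Blocklisted domains in the body, minus a skip list of exempt domains."""
    return sorted((domains(body) & BLOCKLIST) - set(skip))


def unbox(body):
    """Drop the box borders and rejoin an address wrapped inside <...>."""
    cells = []
    for line in body.splitlines():
        if set(line) <= set("|-+> "):            # border row, no content
            continue
        cell = line.strip().strip("|").split("|")[-1].strip()
        if cells and cells[-1].count("<") > cells[-1].count(">"):
            cells[-1] += cell                    # continuation of an open <...>
        else:
            cells.append(cell)
    return "\n".join(cells)


def score(body, from_notes):
    """URIBL score, with the offset applied only when every condition holds."""
    hits = uribl_hits(body)
    total = URIBL_SCORE * len(hits)
    if from_notes and hits and CHOPPED_RE.search(body):
        total += OFFSET
    return total


if __name__ == "__main__":
    print("as received :", uribl_hits(NOTES_BODY))
    print("skip list   :", uribl_hits(NOTES_BODY, skip=["ng.com"]))
    print("unboxed     :", sorted(domains(unbox(NOTES_BODY))))
    print("meta offset :", score(NOTES_BODY, from_notes=True))
```

The chopped-domain pattern does not fire on the intact address, because there is no word boundary inside "imaging.com"; it only matches once the wrap has isolated "ng.com".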


Re: Spamd child states?

2006-09-07 Thread John Horne
On Wed, 2006-09-06 at 17:17 +0100, John Horne wrote:
> > 
> I get the feeling that something is wrong here. I have restarted SA, and
> grepped the log file. It shows:
> 
> ===
> prefork: child states: BI
> prefork: child states: BB
> prefork: child states: BBB
> prefork: child states: 
> prefork: child states: S
> prefork: child states: II
> prefork: child states: IBBBII
> prefork: child states: IIBBIK
> prefork: child states: IIIBKK
> prefork: child states: IIKIKK
> prefork: child states: IB
> prefork: child states: II
> prefork: child states: BB
> prefork: child states: BBB
>
[snipped]

I investigated this further last night when our server was less busy.
Below is the message I sent to Justin Mason explaining what I think is
happening. The problem lies with SElinux. Under FC4 I cannot see
anything I can turn on/off in selinux to resolve this, so we will need
to run the server with selinux disabled. I suspect selinux needs a
little tweak to allow both SA and selinux to run.

> Hello,
> 
> I noticed that always the first 2 child processes started remained
> working okay. I assume that these 2 were related to the --min-children
> and --min-spare options. All the children options, except
> --max-children, are default in our configuration. However, any
> subsequent child process started falls in to the 'K' state and seems
> to remain there.
> 
> Our servers are quieter at this time of night (midnight!), so I
> straced the master process after killing all the children again. The
> spamd maillog shows (using tail -f maillog|grep 'spawned child'):
> 
> 
> Sep  7 00:20:42 tracy spamd[1666]: spamd: server successfully spawned
> child process, pid 16267
> Sep  7 00:20:42 tracy spamd[1666]: spamd: server successfully spawned
> child process, pid 16268
> Sep  7 00:21:36 tracy spamd[1666]: spamd: server successfully spawned
> child process, pid 16341
> 
> 
> 
> The attached log shows, for pid 16341, that the kill call gives an
> error - Operation not permitted. This explains why the child is not
> killed, but not as to why the op is not permitted.
> 
> The server is running Fedora Core 4 Linux, and has SElinux enabled. I
> temporarily disabled selinux, and that seems to have resolved the
> problem. An strace at the time (not attached) shows:
> 
>    [pid  1666] kill(19990, SIGINT) = 0
> 
> No error message. Also the maillog shows:
> 
> ===
> Sep  7 00:46:07 tracy spamd[1666]: prefork: child states: BB
> Sep  7 00:46:07 tracy spamd[1666]: prefork: child states: BBI
> Sep  7 00:46:09 tracy spamd[1666]: prefork: child states: IBI
> Sep  7 00:46:09 tracy spamd[1666]: prefork: child states: III
> Sep  7 00:46:09 tracy spamd[1666]: prefork: child states: II
> ===
> 
> As can be seen the new children process is successfully killed off.
> 
> So I guess now I need to see what it actually is in selinux that is
> stopping the master process from killing of its child processes. That
> can wait till tomorrow.


John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839
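A check for the symptom reported in this message, children sitting in the 'K' state across successive "prefork: child states" reports, written as an added Python example that is not part of the original post or of spamd. The state strings and log lines are copied from the two logs quoted above; the three-report threshold is an assumption.

```python
import re

STATE_RE = re.compile(r"prefork: child states:\s*([A-Z]*)\s*$")

# State strings from the first log in the message (SELinux enabled).
FIRST_STATES = ["BI", "BB", "BBB", "", "S", "II", "IBBBII", "IIBBIK",
                "IIIBKK", "IIKIKK", "IB", "II", "BB", "BBB"]
FIRST_LOG = ["prefork: child states: " + s for s in FIRST_STATES]

# Lines from the second log in the message (SELinux temporarily disabled),
# plus one unrelated spamd line to show that other messages are ignored.
SECOND_LOG = [
    "Sep  7 00:21:36 tracy spamd[1666]: spamd: server successfully spawned "
    "child process, pid 16341",
    "Sep  7 00:46:07 tracy spamd[1666]: prefork: child states: BB",
    "Sep  7 00:46:07 tracy spamd[1666]: prefork: child states: BBI",
    "Sep  7 00:46:09 tracy spamd[1666]: prefork: child states: IBI",
    "Sep  7 00:46:09 tracy spamd[1666]: prefork: child states: III",
    "Sep  7 00:46:09 tracy spamd[1666]: prefork: child states: II",
]


def reports(lines):
    """Return the state string of every 'prefork: child states' line, in order.

    An empty report (no children listed) is kept as an empty string.
    """
    found = []
    for line in lines:
        match = STATE_RE.search(line)
        if match:
            found.append(match.group(1))
    return found


def longest_k_run(states):
    """Longest run of consecutive reports that list at least one 'K' child."""
    best = run = 0
    for state in states:
        run = run + 1 if "K" in state else 0
        best = max(best, run)
    return best


def peak_k(states):
    """Largest number of 'K' children seen in a single report."""
    return max((state.count("K") for state in states), default=0)


def k_children_stuck(lines, min_reports=3):
    """True when 'K' children persist for min_reports reports in a row.

    min_reports is an assumed threshold; tune it to how often spamd logs.
    """
    return longest_k_run(reports(lines)) >= min_reports


if __name__ == "__main__":
    for name, log in (("first log", FIRST_LOG), ("second log", SECOND_LOG)):
        states = reports(log)
        print(name, "reports:", len(states), "longest K run:",
              longest_k_run(states), "peak K:", peak_k(states),
              "stuck:", k_children_stuck(log))
```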


Re: RPM -vs- CPAN install

2006-09-07 Thread jdow

From: "Bart Schaefer" <[EMAIL PROTECTED]>


On 9/6/06, jdow <[EMAIL PROTECTED]> wrote:

From: "Bart Schaefer" <[EMAIL PROTECTED]>

> The rpmforge project packages the tools as a separate RPM, named,
> surprisingly enough, spamassassin-tools.

And then one distro spamassassin-tools was no longer present.


I'm not sure what you mean.  "yum list spamassassin" shows me:

Installed Packages
spamassassin.i386        3.1.5-1.el4.rf installed
Available Packages
spamassassin-tools.i386  3.1.5-1.el4.rf rpmforge


Maybe it is in extras now.


If you're talking about RedHat, no, it's not in extras.  They don't
provide it at all, unless as part of the source RPM.  However, as they
also don't provide anything newer than 3.0.6, I've already gone
looking elsewhere, in this case rpmforge.net.


This lack has left me distrustful of distros of late. I've noticed that
they all leave little things out of what they package.


Mostly I suspect they leave out things about which they're concerned
there may be even the slightest possibility of licensing or copyright
hassles.


IMAO they are deficient if they do not include the tools in the
standard yum setup:

Available Packages
spamassassin.i386 3.0.6-1.fc4 legacy-updates

And with the FC5 I am experimenting with I got the same kind of
response but with a later SpamAssassin.

I suspected one could get it elsewhere. But having to go look for
it is annoying.

{^_^}



Re: RPM -vs- CPAN install

2006-09-07 Thread Kenneth Porter
--On Wednesday, September 06, 2006 1:46 PM -0400 Joey <[EMAIL PROTECTED]> 
wrote:

> is there any real advantage to using cpan or source code over rpms, if I
> don't really do any code modifications etc to spamassassin?


RPM and CPAN are packaging systems, and each uses its own database to 
remember what you install on your system. Neither system knows about the 
other, so if you let one system mess with the files owned by the other, you 
can really confuse things.


Both systems build from source. With SA, you can build your own RPM from 
the source tarball using the command given on the download page. It does 
the same things you would do if you built from source, but also wraps up 
the result in a binary RPM package.


You can also use the SA RPM provided by your distro vendor, but these tend 
to lag behind the upstream RPM. Some distros are faster than others at 
keeping up with upstream packages, and may include some distro-specific 
patches. I don't believe Fedora's packages differ much from SA's packages, 
and I've been happy with using the SA RPM I build from the official tarball.





Re: RPM -vs- CPAN install

2006-09-07 Thread Kenneth Porter
--On Wednesday, September 06, 2006 9:53 PM -0400 Theo Van Dinter 
<[EMAIL PROTECTED]> wrote:

> If you modify the spec file it can, but generally speaking you can just
> grab the tools out of the tarball.  IMO, the tools should end up in
> contrib since we don't actually support them.


How about adding a -contrib or -tools sub-package to the "official" spec 
file? If they're included in the tarball, then they should make it out to 
an RPM binary.


RE: RBL Rules Misfiring

2006-09-07 Thread Bowie Bailey
Daryl C. W. O'Shea wrote:
> [sent to just me, BTW]

Must have hit the wrong reply button...

> Bowie Bailey wrote:
> > Daryl C. W. O'Shea wrote:
> > > Bowie Bailey wrote:
> > > 
> > > > You should also list any other mail servers that accept mail for
> > > > your domain.  This includes email gateways and relays under your
> > > > control. This can also include your ISP's mailservers, but if
> > > > you do that, make sure to specify internal_networks separately
> > > > and leave the ISP's servers out of that one.
> > > Your ISP's mail servers, if they are accepting mail on your
> > > behalf, need to be included in your internal_networks too.
> > > 
> > > ANY server from an MX accepting mail on your behalf all the way to
> > > your SA machine need to be both trusted and internal.
> > 
> > An ISP's mailserver frequently also accepts direct connections from
> > their user's dialup systems.  You can only put them in the internal
> > list if you are sure they don't do this or if they include the
> > authentication info in the received header.  Otherwise, you will get
> > RBL hits (from the dialup IP lists) on any email from the ISP's
> > other customers.
> 
> Nope, you still need to include them in internal_networks, otherwise
> tests that rely on knowing exactly where the hand off from the sender
> to the receiver is won't work (like SPF based whitelists) and will
> probably trigger FPs (like SPF_FAIL).
> 
> If an ISP is small enough that is uses the same server for MSA and MX
> functions then they're most certainly small enough that you can easily
> include their entire netblocks in trusted/internal networks too.
> 
> Again, if you want SA to function (the most) correctly, you need to
> include all hosts from your MX to the SA machine in trusted and
> internal networks.

From the man page:
Trusted relays that accept mail directly from dial-up connections
should not be listed in "internal_networks". List them only in
"trusted_networks".

And the caveat that is not in the man page:
... unless all MSA traffic is authenticated and the authentication
information is in the headers.

My point was simply that you need to be careful.  Since that server is
not under your control, you need to make sure you know what it is
doing so you know the right place to list it.

-- 
Bowie


Re: How remove vigra gif message ?

2006-09-07 Thread Christopher X. Candreva
On Thu, 24 Aug 2006, Philippe Couas wrote:

> How could I remove these messages?

Sorry for the late reply, I just received notice from the list today that we 
had been 'bouncing' messages.

We rejected this because I have a ClamAV MD5 signature for this image. While 
most images morph, this particular one for whatever reason doesn't. My 
ClamAV sig for this is blocking a few hundred a day.

Anyone using ClamAV can reject these before they ever get to SpamAssassin and 
save some CPU cycles. The signature line is:

25dbdaf1d2a93ab1075161a283e7e245:17940:CXC.ImageSpam.Stock13

Feel free to change the name to whatever you like locally. I have no idea 
why I called this Stock13 at the time.

(If you don't already have one, create a .hdb file where the main/daily.cvd
files are, such as ImageSpam.hdb  . If you installed from source this will 
be in /usr/local/share/clamav . If you didn't -- you're on your own. :-)

-Chris


==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
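How a `.hdb` entry of the form shown in this message (MD5, file size, name) matches an attachment, and why it only catches byte-identical copies, as an added Python example that is not ClamAV code and not from the poster. The signature line is the one quoted above; the image bytes and the name `Local.ImageSpam.Example` are constructed.

```python
import hashlib
import re

# One entry per line: 32 hex digits of MD5, decimal size in bytes, name.
HDB_RE = re.compile(r"^([0-9a-fA-F]{32}):(\d+):(\S+)$")

# The signature line quoted in the message.
PAGE_SIG = "25dbdaf1d2a93ab1075161a283e7e245:17940:CXC.ImageSpam.Stock13"

# Constructed stand-ins for an image attachment and a "morphed" copy that
# differs from it in the final byte only.
SAMPLE_IMAGE = b"GIF89a" + bytes(range(256)) * 4
MORPHED_IMAGE = SAMPLE_IMAGE[:-1] + b"\x00"


def hdb_line(data, name):
    """Build an MD5:size:name entry for the given bytes."""
    return "%s:%d:%s" % (hashlib.md5(data).hexdigest(), len(data), name)


def parse_hdb(text):
    """Parse .hdb text into {(md5, size): name}; blank lines are skipped."""
    sigs = {}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = HDB_RE.match(line)
        if not match:
            raise ValueError("line %d is not MD5:size:name: %r" % (number, line))
        digest, size, name = match.groups()
        sigs[(digest.lower(), int(size))] = name
    return sigs


def match(data, sigs):
    """Return the signature name when both MD5 and size match, else None."""
    return sigs.get((hashlib.md5(data).hexdigest(), len(data)))


# Constructed database: the page's entry plus one for the sample image.
SAMPLE_DB = PAGE_SIG + "\n\n" + hdb_line(SAMPLE_IMAGE, "Local.ImageSpam.Example") + "\n"

if __name__ == "__main__":
    sigs = parse_hdb(SAMPLE_DB)
    print("entries        :", len(sigs))
    print("identical copy :", match(SAMPLE_IMAGE, sigs))
    print("morphed copy   :", match(MORPHED_IMAGE, sigs))
```

ClamAV's `sigtool --md5` prints an entry in this format for a file, so the line does not need to be built by hand.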


[Bump] No log to syslog after upgrade

2006-09-07 Thread Thomas Ericsson

Still not resolved. Any help appreciated.

Could this be of help?

[server]spamassassin --lint -D
[22110] dbg: logger: adding facilities: all
[22110] dbg: logger: logging level is DBG



TIA
Thomas


After our upgrade from SA 2.6.3 to SA 3.1.3 we do not get any logs  
written to /var/log/mail.log anymore. Any ideas why this could be?


Here's our setup: OSX 10.3.9, Communigate 4.2.8, CGPSA 1.4, SA 3.1.3

Thomas Ericsson








Re: Where to install imageinfo.pm?

2006-09-07 Thread Benny Pedersen

On Thu, September 7, 2006 12:09, BG Mahesh wrote:

> Line 141 reads,
> dbg("imageinfo: gif image ".($part->{'name'} ? $part->{'name'} : '')." is
> $height x $width pixels ($area pixels sq.), with $c
> olor_table_size color table");

unwrap this line so it's just one line

> What could I be doing wrong?

problem might be that the perl file is wrapped lines

-- 
"This message was sent using 100% recycled spam mails."



Re: Where to install imageinfo.pm?

2006-09-07 Thread BG Mahesh
On 8/25/06, Kenneth Porter <[EMAIL PROTECTED]> wrote:
--On Thursday, August 24, 2006 2:12 PM +0530 BG Mahesh <[EMAIL PROTECTED]> wrote:

> I am using SA-3.1.4. I am in the process of installing
> http://www.rulesemporium.com/plugins.htm
> Where do I install ImageInfo.pm [which directory]?

On Fedora I put mine in /etc/mail/spamassassin/plugins, and added the path
to the end of the load line in init.pre:

loadplugin Mail::SpamAssassin::Plugin::ImageInfo /etc/mail/spamassassin/plugins/ImageInfo.pm

The error I get for "spamassassin --lint" is,

[EMAIL PROTECTED] spamassassin]# spamassassin --lint
[11752] warn: plugin: failed to parse plugin /etc/mail/spamassassin/plugins/ImageInfo.pm: Global symbol "$c" requires explicit package name at /etc/mail/spamassassin/plugins/ImageInfo.pm line 141.
[11752] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::ImageInfo: Can't locate object method "new" via package "Mail::SpamAssassin::Plugin::ImageInfo" at /etc/mail/spamassassin/plugins/ImageInfo.pm line 103.

Line 141 reads,

dbg("imageinfo: gif image ".($part->{'name'} ? $part->{'name'} : '')." is $height x $width pixels ($area pixels sq.), with $color_table_size color table");

Line 103 reads,

  my $self = $class->SUPER::new($mailsaobject);

What could I be doing wrong?

-- 
--B.G. Mahesh
http://www.greynium.com/
http://www.oneindia.in/
http://www.click.in/ - Free Indian Classifieds


Can't get sa-learn to work

2006-09-07 Thread Bo Mellberg

Hi all!

New to SA and to this list, I have a problem with the bayes DB learning 
process. I'm running Debian Sarge, with the latest sa-exim and 
spamassassin 3.1.4 from apt-get.


I first tried:

max:/#sa-learn --spam ~/Maildir/.MissedSpam/cur

but it complained on the db version. Reading up on that, someone suggested:

max:/#sa-learn -D --sync

which would upgrade the db from version 0 to version 2.

This is the output:

max:~/.spamassassin# sa-learn --sync -D
[25567] dbg: logger: adding facilities: all
[25567] dbg: logger: logging level is DBG
[25567] dbg: generic: SpamAssassin version 3.1.4
[25567] dbg: config: score set 0 chosen.
[25567] dbg: util: running in taint mode? yes
[25567] dbg: util: taint mode: deleting unsafe environment variables, 
resetting PATH
[25567] dbg: util: PATH included '/usr/exim/bin', which doesn't exist, 
dropping

[25567] dbg: util: PATH included '/usr/local/sbin', keeping
[25567] dbg: util: PATH included '/usr/local/bin', keeping
[25567] dbg: util: PATH included '/usr/sbin', keeping
[25567] dbg: util: PATH included '/usr/bin', keeping
[25567] dbg: util: PATH included '/sbin', keeping
[25567] dbg: util: PATH included '/bin', keeping
[25567] dbg: util: PATH included '/usr/bin/X11', keeping
[25567] dbg: util: final PATH set to: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11
[25567] dbg: message:  MIME PARSER START 
[25567] dbg: message: main message type: text/plain
[25567] dbg: message: parsing normal part
[25567] dbg: message: added part, type: text/plain
[25567] dbg: message:  MIME PARSER END 
[25567] dbg: dns: is Net::DNS::Resolver available? yes
[25567] dbg: dns: Net::DNS version: 0.57
[25567] dbg: config: using "/etc/spamassassin" for site rules pre files
[25567] dbg: config: read file /etc/spamassassin/init.pre
[25567] dbg: config: read file /etc/spamassassin/v310.pre
[25567] dbg: config: read file /etc/spamassassin/v312.pre
[25567] dbg: config: using "/usr/share/spamassassin" for sys rules pre files
[25567] dbg: config: using "/usr/share/spamassassin" for default rules dir
[25567] dbg: config: read file /usr/share/spamassassin/10_misc.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_advance_fee.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_anti_ratware.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_body_tests.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_compensate.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_drugs.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_head_tests.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_html_tests.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_meta_tests.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_net_tests.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_phrases.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_porn.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_ratware.cf
[25567] dbg: config: read file /usr/share/spamassassin/20_uri_tests.cf
[25567] dbg: config: read file /usr/share/spamassassin/23_bayes.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_accessdb.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_antivirus.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_body_tests_es.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_body_tests_pl.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_dcc.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_dkim.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_domainkeys.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_hashcash.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_pyzor.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_razor2.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_replace.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_spf.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_textcat.cf
[25567] dbg: config: read file /usr/share/spamassassin/25_uribl.cf
[25567] dbg: config: read file /usr/share/spamassassin/30_text_de.cf
[25567] dbg: config: read file /usr/share/spamassassin/30_text_fr.cf
[25567] dbg: config: read file /usr/share/spamassassin/30_text_it.cf
[25567] dbg: config: read file /usr/share/spamassassin/30_text_nl.cf
[25567] dbg: config: read file /usr/share/spamassassin/30_text_pl.cf
[25567] dbg: config: read file /usr/share/spamassassin/30_text_pt_br.cf
[25567] dbg: config: read file /usr/share/spamassassin/50_scores.cf
[25567] dbg: config: read file /usr/share/spamassassin/60_awl.cf
[25567] dbg: config: read file /usr/share/spamassassin/60_whitelist.cf
[25567] dbg: config: read file /usr/share/spamassassin/60_whitelist_dkim.cf
[25567] dbg: config: read file /usr/shar

Re: I'm a bit confused on this one

2006-09-07 Thread Duncan Hill
On Thursday 07 September 2006 01:58, Chris wrote:
> See the headers below, it 'appears' to me that this message went through
> the spammer's ISP before being sent to me or is this just another spammer's
> 'game'?

More inclined to think it's a botnet, and that the bot was either forced to 
use the relay, or scraped the details from the mail client.

Or it faked them.  Hard to tell, as you don't know anything about the validity 
before Earthlink received it.