Re: Spam Score Low

2006-09-11 Thread John Andersen
On Monday 11 September 2006 21:30, Jason Bennett wrote:
> If Network Tests means RBL's and Pyzor, they are on.  I don't have Razor
> or DCC - would that make a big difference here?
>
> Thanks
 
I think Razor would help you a lot in these cases.
Be sure to do proper configuration and adjust your 
SA config files to turn it on.

-- 
_
John Andersen




Re: Need help with SA and Received headers...

2006-09-11 Thread thekillerbean


Matthias Haegele-2 wrote:
> 
> 
> Perhaps a better solution would be to use the same antispam-checks at 
> your second box/mx?.
> 
> 

I have only one e-mail server in my domain - it is only used by 3 people at
any one time.  The secondary MX points to my ISP's email server and it
really only needs to be used when my server is offline for whatever reason.  I
have no control of this server so I really can't do anything on it.

I guess my other option would be to stop paying for mail relay to my ISP and
just live with lost email whenever my server happens to be offline for
whatever reason for an extended period of time.

Cheers,
tkb.




RE: Spam Score Low

2006-09-11 Thread Jason Bennett
If Network Tests means RBL's and Pyzor, they are on.  I don't have Razor
or DCC - would that make a big difference here?

Thanks

-Original Message-
From: John Andersen [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 11, 2006 11:14 PM
To: users@spamassassin.apache.org
Subject: Re: Spam Score Low

Turn on network tests.  See wiki.


On Monday 11 September 2006 18:37, Jason Bennett wrote:
> Hi all, this particular piece of spam seems to generate a low score.  I
> am using most of the SARE rules including 70_sare_stocks.cf .  I'm using
> SpamAssassin 3.1.5
>
>
>
> Any ideas?
>
>
>
> Thanks
>
>
>
> Jason
>
>
>
> I get this Spam Score: score=3.3 required=6.0
> tests=BAYES_50,FORGED_RCVD_HELO,SARE_FWDLOOK,SARE_LWHUGE
>
>
>
>
>
> H o t sotck a lert.
>
> This one is still climbling the sotck char ts a lert Breaking markett
> news report - T QWW. P K
>
>
>
> Lookup: TQ WW. P K
>
>
>
> Comppany Name: Talyor Aquaopnics Wolrdwide, Inc.
>
>
>
> Recently ttrading for:  0.40
>
>
>
> 6 Week Target: 1.25
>
>
>
> 6 Month Target:  4.97
>
>
>
> Rating:  Immediate b uy
>
>
>
> Expected: Steadily climb for the top
>
>
>
> Our featured coompany TQW W is a "Big Fish" in what so far has been a
> little pond. But all of that is going to change when Wall Street sees
> the growth they're experiencing.
>
>
>
> Whether you love fish, or vegetables, or don't care for either one, T
> QWW needs to be on your plate! Successs has already happened for Tailor
> Made Fish Farms, the original comppany behind TQW W, as you can see by
> the stories on this page. Do your research, and find out why we think
> TQW W could increase as much as 400% or more in the next few weeks.
>
>
>
> If you've been fishing for a great opportunity, OTCP K: TQW W could be
> the best deal you've ever hooked!
>
>
>
> Talior Aquapnoics Wolrdwide, Inc. (OT CPK: T QWW) has developed an easy
> to operate, land-based modular fish production system that is both
> sustainable and environmentally responsible. Production of 'year-round'
> premium quality fish and vegetables is achieved through compact and
> controlled production areas using much less water than conventional
> methods resulting in two crops from a single water uptake.
>
>
>
> This efficient combination of TQ WW's fish & vegetable production has
> two major advantages:
>
>
>
> We see the possibility of a 250% rise in the very near future, and more
> may come after word spreads. Go with the flow - and b uy TQ WW when the
> "tide" is low, then just wait for it to come in!
>
>
>
> Huge mooney from a companyy that satisfies ecological needs - there's
> something you don't see very often. TQW W is primed for huge
> international growth in the very near future, and as one of the most
> well-known players in the aquaponics field, T QWW will bring its
> industryy to new countries (and new investoors!).
>
>
>
> It seems like making moneyy with Aqauponics is as easy as shooting fish
> in a barrel...and now you can ride the wave with TQW W!
>
>
>
> Don't delay - do your research on TQW W and contact your brooker
> immediateely!
>
>
>
> The time to get in on this great fish story is now!
>
>
>
> Taiolr Aqauponics Worldwdie, unlike many of its competitors, already
> successsfully operates a commerciial scale food production system.
>
>
>
> The upside for Aquaponics is uncharted, but huge revenues are already
> being derived from a Tailorr Aquuaponics combined Fish Farming/Vegetable
> Farming venture in Australia. The research shows us that this is a
> stockk we want to acquire - and acquire a great deal of - before more
> news makes it across the Pacific.
>
>
>
> Remember, TQW W is on ttrack for increasses of 250%, 400% or more, but
> not many people know about it yet. That's why you need to do your
> research and make your p l a y today!
>
>
>
> Any of the above statements with respect to the future predications or
> goals and eve nts may be seen as only forward looking and nothing else.
>
> All info rmation inside this emai l pertaining to any sort of finaancial
> advice need to be understood as informatio n and not advice. None of the
> infor mation above can be constructed as any sort of fiinan cial adv
> ice. This is a paiid advertisemment.

-- 
_
John Andersen


Re: Spam with score 0.1 are bypassing my mail filters.

2006-09-11 Thread John Andersen
See:
http://wiki.apache.org/spamassassin/TrustPath


On Monday 11 September 2006 15:54, kazabe wrote:
> Hi.
>
> I'm detecting a lot of messages passed by my mail filters.  I'm using
> amavis+clamav+spamassassin.   When I evaluate the message, I found a
> very low score assigned by spamassassin!!.
>
> see that example:
>
> 
>
> Subject: Re [15]:
> X-Virus-Scanned: by amavisd-new at dominati.com.co
> X-Spam-Status: No, hits=-2.8 tagged_above=-999.0 required=2.0
> tests=ALL_TRUSTED
> X-Spam-Level:
>
> SB N S. P K -- SHALLBET'TER INDUSTR.IES INC.
> HOT ST.OCK ALE`RT - IN,VESTOR AL`ERT!
>
> Ther,e is a MASSI.VE PR ca'mpaign in proc'ess for t`his s'tock, get in
> earl'y on +mo.nday morni.ng.
>
> Our ob,jective he.re is to f`ind the n'eedle in the ha'ystack, the diam'ond
> in +the di.rt..
> and we b,elieve we'v`e b`een ve`ry success`ful in t`hat ob'jective wit,hh
> th`is +com`pany.
>
> SHA`LLBETTER INDUSTRI.ES INC (SBN S.PK)
>
> 
>
> why are the hits -2.8 ???  how can I prevent that spam style?
>
> Thanks for your help.
>
> Regards.

-- 
_
John Andersen




Re: Spam Score Low

2006-09-11 Thread John Andersen
Turn on network tests.  See wiki.


On Monday 11 September 2006 18:37, Jason Bennett wrote:
> Hi all, this particular piece of spam seems to generate a low score.  I
> am using most of the SARE rules including 70_sare_stocks.cf .  I'm using
> SpamAssassin 3.1.5
>
>
>
> Any ideas?
>
>
>
> Thanks
>
>
>
> Jason
>
>
>
> I get this Spam Score: score=3.3 required=6.0
> tests=BAYES_50,FORGED_RCVD_HELO,SARE_FWDLOOK,SARE_LWHUGE
>
>
>
>
>
> H o t sotck a lert.
>
> This one is still climbling the sotck char ts a lert Breaking markett
> news report - T QWW. P K
>
>
>
> Lookup: TQ WW. P K
>
>
>
> Comppany Name: Talyor Aquaopnics Wolrdwide, Inc.
>
>
>
> Recently ttrading for:  0.40
>
>
>
> 6 Week Target: 1.25
>
>
>
> 6 Month Target:  4.97
>
>
>
> Rating:  Immediate b uy
>
>
>
> Expected: Steadily climb for the top
>
>
>
> Our featured coompany TQW W is a "Big Fish" in what so far has been a
> little pond. But all of that is going to change when Wall Street sees
> the growth they're experiencing.
>
>
>
> Whether you love fish, or vegetables, or don't care for either one, T
> QWW needs to be on your plate! Successs has already happened for Tailor
> Made Fish Farms, the original comppany behind TQW W, as you can see by
> the stories on this page. Do your research, and find out why we think
> TQW W could increase as much as 400% or more in the next few weeks.
>
>
>
> If you've been fishing for a great opportunity, OTCP K: TQW W could be
> the best deal you've ever hooked!
>
>
>
> Talior Aquapnoics Wolrdwide, Inc. (OT CPK: T QWW) has developed an easy
> to operate, land-based modular fish production system that is both
> sustainable and environmentally responsible. Production of 'year-round'
> premium quality fish and vegetables is achieved through compact and
> controlled production areas using much less water than conventional
> methods resulting in two crops from a single water uptake.
>
>
>
> This efficient combination of TQ WW's fish & vegetable production has
> two major advantages:
>
>
>
> We see the possibility of a 250% rise in the very near future, and more
> may come after word spreads. Go with the flow - and b uy TQ WW when the
> "tide" is low, then just wait for it to come in!
>
>
>
> Huge mooney from a companyy that satisfies ecological needs - there's
> something you don't see very often. TQW W is primed for huge
> international growth in the very near future, and as one of the most
> well-known players in the aquaponics field, T QWW will bring its
> industryy to new countries (and new investoors!).
>
>
>
> It seems like making moneyy with Aqauponics is as easy as shooting fish
> in a barrel...and now you can ride the wave with TQW W!
>
>
>
> Don't delay - do your research on TQW W and contact your brooker
> immediateely!
>
>
>
> The time to get in on this great fish story is now!
>
>
>
> Taiolr Aqauponics Worldwdie, unlike many of its competitors, already
> successsfully operates a commerciial scale food production system.
>
>
>
> The upside for Aquaponics is uncharted, but huge revenues are already
> being derived from a Tailorr Aquuaponics combined Fish Farming/Vegetable
> Farming venture in Australia. The research shows us that this is a
> stockk we want to acquire - and acquire a great deal of - before more
> news makes it across the Pacific.
>
>
>
> Remember, TQW W is on ttrack for increasses of 250%, 400% or more, but
> not many people know about it yet. That's why you need to do your
> research and make your p l a y today!
>
>
>
> Any of the above statements with respect to the future predications or
> goals and eve nts may be seen as only forward looking and nothing else.
>
> All info rmation inside this emai l pertaining to any sort of finaancial
> advice need to be understood as informatio n and not advice. None of the
> infor mation above can be constructed as any sort of fiinan cial adv
> ice. This is a paiid advertisemment.

-- 
_
John Andersen




Re: פריצת דרך מאתגרת

2006-09-11 Thread Robert Nicholson

You may have misunderstood but that's the point.

The message was _not_ being filtered out like it should be and that  
was because of the very generic /WINDOWS/ match.


so that method doesn't really obey the locales you have set.

when I take out the generic /WINDOWS/ match it does then screen it out.

or rather is tagged against the rule.

On Sep 11, 2006, at 8:40 AM, David Baron wrote:


Local for HEBREW is not in this list.


Windows-1255

and apparently with locales

DB<6> x @locales
0  'en'
1  'th'
2  'it'
3  'en_US'

Mail::SpamAssassin::Locales::is_charset_ok_for_locales($1, @locales)

returns true

Mail::SpamAssassin::Locales::is_charset_ok_for_locales(/home/robert/
lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locales.pm:91):
91:   return 1 if ($cs =~ /^WINDOWS/);  # argh, Windows

what?

On Sep 10, 2006, at 4:38 PM, Robert Nicholson wrote:

Why didn't foreign charset rules catch this?

Begin forwarded message:

From: [EMAIL PROTECTED]
Date: September 10, 2006 2:17:51 PM CDT
To: [EMAIL PROTECTED]
Subject: פריצת דרך מאתגרת
X-Spam-Dcc: : grub.camros.com 1113; Body=5 Fuz1=5 Fuz2=3
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
grub.camros.com
X-Spam-Level: *
X-Spam-Status: Yes, score=5.7 required=0.6
tests=BAYES_95,FRONTPAGE,
HTML_90_100,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_TITLE_SUBJ_DIFF,
MIME_HTML_ONLY,NO_REAL_NAME,UNPARSEABLE_RELAY autolearn=no
version=3.1.1
X-Spam-Report: *  1.0 NO_REAL_NAME From: does not include a real
name *  0.0 UNPARSEABLE_RELAY Informational: message has
unparseable relay *  lines *  0.5 HTML_IMAGE_RATIO_02 BODY:
HTML has a low ratio of text to image *  area *  0.1
HTML_90_100 BODY: Message is 90% to 100% HTML *  0.0 HTML_MESSAGE
BODY: HTML included in message *  3.0 BAYES_95 BODY: Bayesian spam
probability is 95 to 99% *  [score: 0.9667] *  0.0
MIME_HTML_ONLY BODY: Message only has text/html MIME parts *  0.9
FRONTPAGE RAW: Frontpage used to create the message *  0.3
HTML_TITLE_SUBJ_DIFF HTML_TITLE_SUBJ_DIFF
Received: (qmail 10557 invoked from network); 10 Sep 2006 18:17:08
-
Received: from  (HELO kini12.com) (208.53.131.241) by 64.34.193.12
with SMTP; 10 Sep 2006 18:17:08 -
Message-Id: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/html; charset="windows-1255"
Content-Transfer-Encoding: quoted-printable
Lines: 124




להגיע למיליון לקוחות ?גם אתם רוצים
נא לחצו כאן


מתנצלים אם גרמנו להפרעה, להסרה
מרשימת הדיוורנמען נכבד, אנו לחץ

להסרה לחצו כאן
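
The effect of the blanket `/^WINDOWS/` match discussed in this thread, as an added Python sketch that is not SpamAssassin's code or any poster's. The code-page table and the stricter check are assumptions made for illustration, and the sample headers are constructed from the forwarded message above.

```python
"""Blanket WINDOWS-* acceptance versus a per-code-page check (illustration)."""
from email import message_from_string

# Assumption: a small code-page -> language table written for this example.
# It is not the table SpamAssassin ships in Locales.pm.
CODEPAGE_LANGS = {
    "windows-874": {"th"},
    "windows-1251": {"ru", "uk", "bg"},
    "windows-1252": {"en", "it", "fr", "de", "es"},
    "windows-1253": {"el"},
    "windows-1254": {"tr"},
    "windows-1255": {"he"},
    "windows-1256": {"ar"},
}
ALWAYS_OK = {"us-ascii", "utf-8"}

# Constructed sample: the MIME headers quoted in the forwarded spam.
SAMPLE = (
    "Mime-Version: 1.0\n"
    'Content-Type: text/html; charset="windows-1255"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "(body omitted)\n"
)


def message_charset(raw):
    """Return the declared charset of the top-level part, lower-cased."""
    return message_from_string(raw).get_content_charset() or "us-ascii"


def language(locale):
    """Reduce a locale such as 'en_US' to its language code 'en'."""
    return locale.split("_", 1)[0].lower()


def ok_strict(charset, locales):
    """Hypothetical stricter check: the code page must serve the language
    of at least one configured locale."""
    cs = charset.lower()
    if cs in ALWAYS_OK:
        return True
    wanted = {language(loc) for loc in locales}
    return bool(CODEPAGE_LANGS.get(cs, set()) & wanted)


def ok_blanket(charset, locales):
    """Same outcome as `return 1 if ($cs =~ /^WINDOWS/)`: every Windows
    code page passes, whatever locales are configured."""
    if charset.upper().startswith("WINDOWS"):
        return True
    return ok_strict(charset, locales)


def report(raw, locales):
    """Compare both checks for one message."""
    cs = message_charset(raw)
    return {
        "charset": cs,
        "blanket": ok_blanket(cs, locales),
        "strict": ok_strict(cs, locales),
    }


if __name__ == "__main__":
    # The locale list shown in the debugger output in this thread.
    print(report(SAMPLE, ["en", "th", "it", "en_US"]))
```
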


Spam Score Low

2006-09-11 Thread Jason Bennett








Hi all, this particular piece of spam seems to generate a
low score.  I am using most of the SARE rules including 70_sare_stocks.cf .  I’m
using SpamAssassin 3.1.5

 

Any ideas?

 

Thanks

 

Jason

 

I get this Spam Score: score=3.3 required=6.0
tests=BAYES_50,FORGED_RCVD_HELO,SARE_FWDLOOK,SARE_LWHUGE

 

 

H o t sotck a lert.

This one is still climbling
the sotck char ts a lert Breaking markett news report - T QWW. P K 

 

Lookup: TQ WW. P K

 

Comppany Name: Talyor
Aquaopnics Wolrdwide, Inc.

 

Recently ttrading for:  0.40

 

6 Week Target: 1.25

 

6 Month Target:  4.97

 

Rating:  Immediate b uy

 

Expected: Steadily climb for
the top

 

Our featured coompany TQW W
is a “Big Fish” in what so far has been a little pond. But all of
that is going to change when Wall Street sees the growth they’re
experiencing.

 

Whether you love fish, or
vegetables, or don’t care for either one, T QWW needs to be on your
plate! Successs has already happened for Tailor Made Fish Farms, the original
comppany behind TQW W, as you can see by the stories on this page. Do your
research, and find out why we think TQW W could increase as much as 400% or
more in the next few weeks.

 

If you’ve been fishing
for a great opportunity, OTCP K: TQW W could be the best deal you’ve ever
hooked!

 

Talior Aquapnoics Wolrdwide,
Inc. (OT CPK: T QWW) has developed an easy to operate, land-based modular fish
production system that is both sustainable and environmentally responsible.
Production of ‘year-round’ premium quality fish and vegetables is
achieved through compact and controlled production areas using much less water
than conventional methods resulting in two crops from a single water uptake.

 

This efficient combination
of TQ WW's fish & vegetable production has two major advantages: 

 

We see the possibility of a
250% rise in the very near future, and more may come after word spreads. Go
with the flow – and b uy TQ WW when the
“tide” is low, then just wait for it to come in! 

 

Huge mooney from a companyy
that satisfies ecological needs –
there’s something you don’t see very often. TQW W is primed for
huge international growth in the very near future, and as one of the most
well-known players in the aquaponics field, T QWW will bring its industryy to
new countries (and new investoors!). 

 

It seems like making moneyy
with Aqauponics is as easy as shooting fish in a barrel…and now you can
ride the wave with TQW W!

 

Don’t delay –
do your research on TQW W and contact your brooker immediateely!

 

The time to get in on this
great fish story is now! 

 

Taiolr Aqauponics Worldwdie,
unlike many of its competitors, already successsfully operates a commerciial
scale food production system. 

 

The upside for Aquaponics is
uncharted, but huge revenues are already being derived from a Tailorr
Aquuaponics combined Fish Farming/Vegetable Farming venture in Australia. The
research shows us that this is a stockk we want to acquire –
and acquire a great deal of –
before more news makes it across the Pacific. 

 

Remember, TQW W is on ttrack
for increasses of 250%, 400% or more, but not many people know about it yet.
That’s why you need to do your research and make your p l a y today! 

 

Any of the above statements
with respect to the future predications or goals and eve nts may be seen as
only forward looking and nothing else. 

All info rmation inside this
emai l pertaining to any sort of finaancial advice need to be understood as
informatio n and not advice. None of the infor mation above can be constructed
as any sort of fiinan cial adv ice. This is a paiid advertisemment.

 

 

 

 








Re: Bayes test in spamassassin.bat

2006-09-11 Thread jdow

As someone else replied - you MUST run spamassassin -t and sa-learn
as the same user that owns the BAYES database. You have enough
strange stuff in the box I'm not sure what user that might be. But
I bet you could dig through configuration files to find out how
spamc or spamassassin is run and as which user. Then you can train
as THAT user and get it all together. Clearly the user it runs
as cannot find a trained Bayes database or cannot gain write
permission so that it can auto-train.

{^_^}
- Original Message - 
From: "Floyd" <[EMAIL PROTECTED]>


Ok here is the message again for those who found the previous post
unclear, sorry about that

I have an exchange 2000 server and I am using spamassassin to filter the
mail. I am using the exchange sink written by
Chris Lewis to filter mail on each incoming message. The problem i have is
that it gives me a low spam score on spam mail because it
does not include the bayes_XX tests. Here is an example from the log file

XSpamStatus: No, score=0.0 required=6.0 tests=AWL,HTML_MESSAGE
autolearn=disabled version=3.1.4

If I run the same mail message through spamassassin -t in a MS Command
Terminal, it gives me a different spam score since it includes the bayes_XX
test

X-Spam-Status: No, score=-2.0 required=6.0 tests=BAYES_00,HTML_40_50,
HTML_MESSAGE,HTML_TEXT_AFTER_BODY autolearn=disabled version=3.1.4

Why is that so? Is there a setting that I have missed somewhere??

I deleted my bayes database thru sa-learn --clear and re-established it by
learning the 4000 hams and 1000 spams that I have collected.

I am running my exchange server with full rights and logged on as
administrator. There are no other user home folders on this system except
for the administrator's!!!



jdow wrote:


Regardless - clean up that original message and resend. It is utterly
unreadable.

{^_^}
- Original Message - 
From: "Floyd" <[EMAIL PROTECTED]>


I am trying this without an MUA. I am using Dos to check the headers of
the
incoming mail with spamassassin.

Usually I use MS Outlook but in this case I am checking the headers on
the
server. There is no mail client on the server.


Raul Dias wrote:


Hi,

What MUA are you using?

Your MUA seems to be unable to send HTML mail, so I suggest you
configure it to send only text/plain formatted text.

[]s
Raul Dias

On Mon, 2006-09-11 at 07:50 -0700, Floyd wrote:

Hi, I am using Spamassassin with Exchange and i noticed I was getting
different scores using spamassassin.bat(There was a previous post by
me to this question) I have done some additional tests and I noticed
that when spamassassin.bat is run automatically on every incoming
message there are no tests for bayes e.g Start - ID:  PreFile: C:\ESA
\NEW\msg060911101328_51EC4.in.eml PostFile: C:\ESA\NEW
\msg060911101328_51EC4.out.eml SpamAssassin:C:\PERL\BIN
\SPAMASSASSIN.BAT "C:\ESA\NEW\msg060911101328_51EC4.in.eml" "C:\ESA
\NEW\msg060911101328_51EC4.out.eml" SpamAssassin result: 0 Checking
for PERL in Path... Reloading Stream... Reading OUT file XSpamFlag:
XSpamStatus: No, score=0.0 required=6.0 tests=AWL,HTML_MESSAGE
autolearn=disabled version=3.1.4 Added header
urn:schemas:mailheader:X-Spam-Checker-Version SpamAssassin 3.1.4
(2006-07-25) Exchange SpamAssassin Sink (www.christopherlewis.com)
1.2.76 on myserver SPAM: False SpamAssassin Value: 0 File:
msg060911101328_51EC4 Moving to HAM : End But when I run
spamassassin.bat manually there is a test for bayes in addition to the
other tests e.g. X-Spam-Checker-Version: SpamAssassin 3.1.4
(2006-07-25) on my server X-Spam-Level: X-Spam-Status: No, score=-2.0
required=6.0 tests=BAYES_00,HTML_40_50,
HTML_MESSAGE,HTML_TEXT_AFTER_BODY autolearn=disabled version=3.1.4
thread-index: AcbVrHRGLevRi+gCSJenNtqXgv1xTA== Could someone please
help me with this is there a setting somewhere i missed in local.cf
maybe?? Thanks for your help in advance





Re: Spam with score 0.1 are bypassing my mail filters.

2006-09-11 Thread jdow

From: "kazabe" <[EMAIL PROTECTED]>


Hi.

I'm detecting a lot of messages passed by my mail filters.  I'm using
amavis+clamav+spamassassin.   When I evaluate the message, I found a
very low score assigned by spamassassin!!.

see that example:



Subject: Re [15]:
X-Virus-Scanned: by amavisd-new at dominati.com.co
X-Spam-Status: No, hits=-2.8 tagged_above=-999.0 required=2.0
   tests=ALL_TRUSTED


Look up ALL_TRUSTED on the wiki. You have it setup wrong.

{^_^}
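
The two symptoms diagnosed in the "Bayes test in spamassassin.bat" and "Spam with score 0.1" threads (a run in which no BAYES_nn rule fires, and an ALL_TRUSTED hit on inbound mail) can be read straight from the status header. The following is an added Python example, not code from any poster or from SpamAssassin; the finding names are made up here and the sample headers are constructed from the ones quoted in those threads.

```python
"""Triage X-Spam-Status headers for two misconfiguration signs (illustration)."""
import re

# Constructed samples: the three status headers quoted in the threads.
SINK_RUN = ("XSpamStatus: No, score=0.0 required=6.0 tests=AWL,HTML_MESSAGE\n"
            "autolearn=disabled version=3.1.4")
MANUAL_RUN = ("X-Spam-Status: No, score=-2.0 required=6.0 tests=BAYES_00,HTML_40_50,\n"
              "HTML_MESSAGE,HTML_TEXT_AFTER_BODY autolearn=disabled version=3.1.4")
AMAVIS_RUN = ("X-Spam-Status: No, hits=-2.8 tagged_above=-999.0 required=2.0\n"
              "   tests=ALL_TRUSTED")


def parse_status(header):
    """Parse one (possibly folded) status header into a dict."""
    _, _, value = header.partition(":")
    value = re.sub(r"\s*\n\s*", " ", value.strip())      # unfold continuation lines
    verdict = re.match(r"(Yes|No),\s*", value)
    if not verdict:
        raise ValueError("not a SpamAssassin status header")
    rest = re.sub(r",\s+", ",", value[verdict.end():])   # rejoin a folded test list
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    tests = [t for t in fields.get("tests", "").split(",") if t and t != "none"]
    return {
        "spam": verdict.group(1) == "Yes",
        # amavisd-new writes hits=, SpamAssassin itself writes score=
        "score": float(fields.get("score", fields.get("hits", "nan"))),
        "required": float(fields["required"]),
        "tests": tests,
    }


def triage(header):
    """Return finding codes for one header; an empty list means neither sign."""
    tests = parse_status(header)["tests"]
    findings = []
    if not any(t.startswith("BAYES_") for t in tests):
        # No BAYES_nn rule fired. In the thread this was put down to the
        # scanning user not finding (or not owning) the trained Bayes DB.
        findings.append("NO_BAYES_RULE")
    if "ALL_TRUSTED" in tests:
        # Every relay was treated as trusted: review the trust path settings.
        findings.append("ALL_TRUSTED_HIT")
    return findings


def compare_runs(a, b):
    """Tests that fired in run b but not in run a, for the same message."""
    return sorted(set(parse_status(b)["tests"]) - set(parse_status(a)["tests"]))


if __name__ == "__main__":
    for name, hdr in (("sink", SINK_RUN), ("manual", MANUAL_RUN), ("amavis", AMAVIS_RUN)):
        print(name, parse_status(hdr)["score"], triage(hdr))
    print("only in manual run:", compare_runs(SINK_RUN, MANUAL_RUN))
```
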


Re: Bayes test in spamassassin.bat

2006-09-11 Thread Floyd

Ok here is the message again for those who found the previous post
unclear, sorry about that

I have an exchange 2000 server and I am using spamassassin to filter the
mail. I am using the exchange sink written by
Chris Lewis to filter mail on each incoming message. The problem i have is
that it gives me a low spam score on spam mail because it
does not include the bayes_XX tests. Here is an example from the log file 

XSpamStatus: No, score=0.0 required=6.0 tests=AWL,HTML_MESSAGE
autolearn=disabled version=3.1.4

If I run the same mail message through spamassassin -t in a MS Command
Terminal, it gives me a different spam score since it includes the bayes_XX
test

X-Spam-Status: No, score=-2.0 required=6.0 tests=BAYES_00,HTML_40_50,
HTML_MESSAGE,HTML_TEXT_AFTER_BODY autolearn=disabled version=3.1.4

Why is that so? Is there a setting that I have missed somewhere??

I deleted my bayes database thru sa-learn --clear and re-established it by
learning the 4000 hams and 1000 spams that I have collected. 

I am running my exchange server with full rights and logged on as
administrator. There are no other user home folders on this system except
for the administrator's!!!



jdow wrote:
> 
> Regardless - clean up that original message and resend. It is utterly
> unreadable.
> 
> {^_^}
> - Original Message - 
> From: "Floyd" <[EMAIL PROTECTED]>
>>
>> I am trying this without an MUA. I am using Dos to check the headers of
>> the
>> incoming mail with spamassassin.
>>
>> Usually I use MS Outlook but in this case I am checking the headers on
>> the
>> server. There is no mail client on the server.
>>
>>
>> Raul Dias wrote:
>>>
>>> Hi,
>>>
>>> What MUA are you using?
>>>
>>> Your MUA seems to be unable to send HTML mail, so I suggest you
>>> configure it to send only text/plain formatted text.
>>>
>>> []s
>>> Raul Dias
>>>
>>> On Mon, 2006-09-11 at 07:50 -0700, Floyd wrote:
>>>> Hi, I am using Spamassassin with Exchange and i noticed I was getting
>>>> different scores using spamassassin.bat(There was a previous post by
>>>> me to this question) I have done some additional tests and I noticed
>>>> that when spamassassin.bat is run automatically on every incoming
>>>> message there are no tests for bayes e.g Start - ID:  PreFile: C:\ESA
>>>> \NEW\msg060911101328_51EC4.in.eml PostFile: C:\ESA\NEW
>>>> \msg060911101328_51EC4.out.eml SpamAssassin:C:\PERL\BIN
>>>> \SPAMASSASSIN.BAT "C:\ESA\NEW\msg060911101328_51EC4.in.eml" "C:\ESA
>>>> \NEW\msg060911101328_51EC4.out.eml" SpamAssassin result: 0 Checking
>>>> for PERL in Path... Reloading Stream... Reading OUT file XSpamFlag:
>>>> XSpamStatus: No, score=0.0 required=6.0 tests=AWL,HTML_MESSAGE
>>>> autolearn=disabled version=3.1.4 Added header
>>>> urn:schemas:mailheader:X-Spam-Checker-Version SpamAssassin 3.1.4
>>>> (2006-07-25) Exchange SpamAssassin Sink (www.christopherlewis.com)
>>>> 1.2.76 on myserver SPAM: False SpamAssassin Value: 0 File:
>>>> msg060911101328_51EC4 Moving to HAM : End But when I run
>>>> spamassassin.bat manually there is a test for bayes in addition to the
>>>> other tests e.g. X-Spam-Checker-Version: SpamAssassin 3.1.4
>>>> (2006-07-25) on my server X-Spam-Level: X-Spam-Status: No, score=-2.0
>>>> required=6.0 tests=BAYES_00,HTML_40_50,
>>>> HTML_MESSAGE,HTML_TEXT_AFTER_BODY autolearn=disabled version=3.1.4
>>>> thread-index: AcbVrHRGLevRi+gCSJenNtqXgv1xTA== Could someone please
>>>> help me with this is there a setting somewhere i missed in local.cf
>>>> maybe?? Thanks for your help in advance
>>>>
>>>> __
>>>> View this message in context: Bayes test in spamassassin.bat
>>>> Sent from the SpamAssassin - Users forum at Nabble.com.
>>>
>>>
>>>
>>
>> -- 
>> View this message in context: 
>> http://www.nabble.com/Bayes-test-in-spamassassin.bat-tf2252897.html#a6252631
>> Sent from the SpamAssassin - Users forum at Nabble.com. 
> 
> 
> 




Spam with score 0.1 are bypassing my mail filters.

2006-09-11 Thread kazabe

Hi.

I'm detecting a lot of messages passed by my mail filters.  I'm using
amavis+clamav+spamassassin.   When I evaluate the message, I found a
very low score assigned by spamassassin!!.

see that example:



Subject: Re [15]:
X-Virus-Scanned: by amavisd-new at dominati.com.co
X-Spam-Status: No, hits=-2.8 tagged_above=-999.0 required=2.0
   tests=ALL_TRUSTED
X-Spam-Level:

SB N S. P K -- SHALLBET'TER INDUSTR.IES INC.
HOT ST.OCK ALE`RT - IN,VESTOR AL`ERT!

Ther,e is a MASSI.VE PR ca'mpaign in proc'ess for t`his s'tock, get in earl'y on
+mo.nday morni.ng.

Our ob,jective he.re is to f`ind the n'eedle in the ha'ystack, the diam'ond in
+the di.rt..
and we b,elieve we'v`e b`een ve`ry success`ful in t`hat ob'jective wit,hh th`is
+com`pany.

SHA`LLBETTER INDUSTRI.ES INC (SBN S.PK)



why are the hits -2.8 ???  how can I prevent that spam style?

Thanks for your help.

Regards.

--
"Imagination is more important than knowledge"
A.E.


Re: postcard exploit email

2006-09-11 Thread Logan Shaw

On Mon, 11 Sep 2006, Raul Dias wrote:

Card or some service from company FooBar which has domain FooBar.com,
the link is something like:
http://www.foobar.somehost.com/view_yourcard_online.php

Somehost.com is something really short, some times www.foobar.com.b.fm .

A way to fight this would either tracing the real domain in the main and
where the link is pointing (e.g. foobar.com vs foobar.com.b.fm), but
this could cause more FP than help, _me _sa thinks.

  ^^^

Jar Jar, is that you?

  - Logan


Re: Another SARE channel with the most used rules available

2006-09-11 Thread Michael Schaap

On 10-Sep-2006 8:32, [EMAIL PROTECTED] wrote:


 > Any chance of adding support for 3.1.5? (Currently fails with "dns:
 > query failed: 5.1.3.saupdates.openprotect.*com* => NXDOMAIN".)

We've already added txt record for the 3.1.5 release and it should work now.



Thanks.  Indeed, it works fine now.

 - Michael


Re: postcard exploit email

2006-09-11 Thread Raul Dias
On Mon, 2006-09-11 at 19:13 +, [EMAIL PROTECTED] wrote:

> Hi,
> 
> possible problem: if the server actually runs windows, the link could be some 
> kind of cgi
> rather than an executable

Just for the record, this kind of email is really common in pt_BR.
It is really common to link to a php page.

What I usually see:

Card or some service from company FooBar which has domain FooBar.com,
the link is something like:
http://www.foobar.somehost.com/view_yourcard_online.php

Somehost.com is something really short, some times www.foobar.com.b.fm .

A way to fight this would either tracing the real domain in the main and
where the link is pointing (e.g. foobar.com vs foobar.com.b.fm), but
this could cause more FP than help, _me _sa thinks.

Another way is thru SURBL, but the host can change faster than SURBL.

[]s
Raul Dias







Re: postcard exploit email

2006-09-11 Thread John D. Hardin
On Mon, 11 Sep 2006, jdow wrote:

> Maybe you need ClamAssassin? ClamAv is an anti-virus program.
> SpamAssassin is an anti-spam program.

Point taken.

> - Original Message - 
> From: "John D. Hardin" <[EMAIL PROTECTED]>
> >
> > Maybe we need a base rule for URL links directly to executable
> > content...
> >
> > <a href="http://www.canaltv.org/postcard.gif.exe">http://www.e-cards.com/view/CR3090Ztyw5g527673XzW

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  People seem to have this obsession with objects and tools as being
  dangerous in and of themselves, as though a weapon will act of its
  own accord to cause harm. A weapon is just a force multiplier. It's
  *humans* that are (or are not) dangerous.
---
 6 days until The 219th anniversary of the signing of the U.S. Constitution



Re: postcard exploit email

2006-09-11 Thread jdow

Maybe you need ClamAssassin? ClamAv is an anti-virus program.
SpamAssassin is an anti-spam program. Use the anti-virus program
for anti-virus activity. And with ClamAssassin you can do that
from within SpamAssassin and give the ClamAv hit a "killer"
score. Or you could have procmail or equivalent detect the ClamAV
score and divert the mail.

{^_^}
- Original Message - 
From: "John D. Hardin" <[EMAIL PROTECTED]>


Maybe we need a base rule for URL links directly to executable
content...

<a href="http://www.canaltv.org/postcard.gif.exe">http://www.e-cards.com/view/CR3090Ztyw5g527673XzW




Re: Bayes test in spamassassin.bat

2006-09-11 Thread Stuart Johnston
The most common cause for this type of problem is that your mail server is not running as the same 
user as when you are testing or learning.  IOW, it can't find the bayes DB.


Floyd wrote:
Hi, I am using Spamassassin with Exchange and i noticed I was getting 
different scores using spamassassin.bat(There was a previous post by me 
to this question) I have done some additional tests and I noticed that 
when spamassassin.bat is run automatically on every incoming message 
there are no tests for bayes e.g Start - ID: PreFile: 
C:\ESA\NEW\msg060911101328_51EC4.in.eml PostFile: 
C:\ESA\NEW\msg060911101328_51EC4.out.eml 
SpamAssassin:C:\PERL\BIN\SPAMASSASSIN.BAT 
"C:\ESA\NEW\msg060911101328_51EC4.in.eml" 
"C:\ESA\NEW\msg060911101328_51EC4.out.eml" SpamAssassin result: 0 
Checking for PERL in Path... Reloading Stream... Reading OUT file 
XSpamFlag: XSpamStatus: No, score=0.0 required=6.0 
*tests=AWL,HTML_MESSAGE * autolearn=disabled version=3.1.4 Added header 
urn:schemas:mailheader:X-Spam-Checker-Version SpamAssassin 3.1.4 
(2006-07-25) Exchange SpamAssassin Sink (www.christopherlewis.com) 
1.2.76 on myserver SPAM: False SpamAssassin Value: 0 File: 
msg060911101328_51EC4 Moving to HAM : End But when I run 
spamassassin.bat manually there is a test for bayes in addition to the 
other tests e.g. X-Spam-Checker-Version: SpamAssassin 3.1.4 
(2006-07-25) on my server X-Spam-Level: X-Spam-Status: No, score=-2.0 
required=6.0 tests=*BAYES_00*,HTML_40_50, 
HTML_MESSAGE,HTML_TEXT_AFTER_BODY autolearn=disabled version=3.1.4 
thread-index: AcbVrHRGLevRi+gCSJenNtqXgv1xTA== Could someone please help 
me with this is there a setting somewhere i missed in local.cf maybe?? 
Thanks for your help in advance


View this message in context: Bayes test in spamassassin.bat
Sent from the SpamAssassin - Users forum at Nabble.com.




Re: postcard exploit email

2006-09-11 Thread John D. Hardin
On Mon, 11 Sep 2006, Kelson wrote:

> In fact, if you're retrieving content over the web, the link
> doesn't even have to tell you the double extension.  The link
> could be to a redirect script, or to a download script that
> provides a content-disposition header:
> 
> http://server/path/to/evil/but/innocuous/looking/file

Well, yes, the worm/virus author putting the *real* executable
extension into the link URI *is* a low-hanging-fruit assumption.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  People seem to have this obsession with objects and tools as being
  dangerous in and of themselves, as though a weapon will act of its
  own accord to cause harm. A weapon is just a force multiplier. It's
  *humans* that are (or are not) dangerous.
---
 6 days until The 219th anniversary of the signing of the U.S. Constitution



Re: Bayes Test runs sometimes and sometimes it doesn't

2006-09-11 Thread jdow

I am thinking BAYES is not even trained or that you have it turned off
in some configuration somewhere.

{^_^}
----- Original Message -----
From: "David Reta" <[EMAIL PROTECTED]>



I am running spamassassin 3.1.5 which is being called from mimedefang. I
am using bayes over nfs which is shared between 2 mail relays.



We have been having some issues with some spam getting through. I did
some investigating and found out that the spam that is getting through
is not running the bayes test. Even if nothing in the bayes database is
found shouldn't at least BAYES_00 show up?



Do you think maybe that the bayes might be timing out? If so how can the
timeout be increased. Any ideas will help.



Here is the output of the MSG.0 file from the quarantined message. As
you can see the bayes test is not run. I ran the message manually as the
same user that runs mimedefang which is shown right after and the Bayes
test is run.



Content analysis details:   (36.8 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.7 SUBJECT_SEXUAL         Subject indicates sexually-explicit content
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 1.8 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 0.5 PORN_15                BODY: Possible porn - various types of feline
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.4 DNS_FROM_RFC_WHOIS     RBL: Envelope sender in whois.rfc-ignorant.org
 2.2 RCVD_IN_WHOIS_INVALID  RBL: CompleteWhois: sender on invalid IP block
                            [61.75.153.64 listed in combined-HIB.dnsiplists.completewhois.com]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [61.75.153.64 listed in sbl-xbl.spamhaus.org]
 1.7 DNS_FROM_RFC_POST      RBL: Envelope sender in
                            postmaster.rfc-ignorant.org
 1.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: chags.ph]
 3.8 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: chags.ph]
 4.1 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: chags.ph]
 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: chags.ph]
 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: chags.ph]
 2.1 REPTO_QUOTE_YAHOO      Yahoo! doesn't do quoting like this

Run manually as same user

Content analysis details:   (30.8 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.7 SUBJECT_SEXUAL         Subject indicates sexually-explicit content
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 1.8 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 0.5 PORN_15                BODY: Possible porn - various types of feline
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 1.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: razwe.li]
 3.8 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: chags.ph]
 4.1 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: chags.ph razwe.li]
 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: chags.ph razwe.li]
 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: chags.ph]
 2.1 REPTO_QUOTE_YAHOO      Yahoo! doesn't do quoting like this



Thanks,
David



This email and attachments may contain Narus, Inc. confidential material. If you are not 
the intended recipient, contact the sender immediately and delete all instances of this 
email and attachments.





Re: Bayes test in spamassassin.bat

2006-09-11 Thread jdow

Regardless - clean up that original message and resend. It is utterly
unreadable.

{^_^}
----- Original Message -----
From: "Floyd" <[EMAIL PROTECTED]>


I am trying this without an MUA. I am using Dos to check the headers of the
incoming mail with spamassassin.

Usually I use MS Outlook but in this case I am checking the headers on the
server. There is no mail client on the server.


Raul Dias wrote:


Hi,

What MUA are you using?

Your MUA seems to be unable to send HTML mail, so I suggest you
configure it to send only text/plain formatted text.

[]s
Raul Dias

On Mon, 2006-09-11 at 07:50 -0700, Floyd wrote:

Hi, I am using Spamassassin with Exchange and i noticed I was getting
different scores using spamassassin.bat(There was a previous post by
me to this question) I have done some addtional tests and I noticed
that when spamassassin.bat is run automatically on every incoming
message there are no tests for bayes e.g Start - ID:  PreFile: C:\ESA
\NEW\msg060911101328_51EC4.in.eml PostFile: C:\ESA\NEW
\msg060911101328_51EC4.out.eml SpamAssassin:C:\PERL\BIN
\SPAMASSASSIN.BAT "C:\ESA\NEW\msg060911101328_51EC4.in.eml" "C:\ESA
\NEW\msg060911101328_51EC4.out.eml" SpamAssassin result: 0 Checking
for PERL in Path... Reloading Stream... Reading OUT file XSpamFlag:
XSpamStatus: No, score=0.0 required=6.0 tests=AWL,HTML_MESSAGE
autolearn=disabled version=3.1.4 Added header
urn:schemas:mailheader:X-Spam-Checker-Version SpamAssassin 3.1.4
(2006-07-25) Exchange SpamAssassin Sink (www.christopherlewis.com)
1.2.76 on myserver SPAM: False SpamAssassin Value: 0 File:
msg060911101328_51EC4 Moving to HAM : End But when I run
spamassassin.bat manually there is a test for bayes in addition to the
other testse.g. X-Spam-Checker-Version: SpamAssassin 3.1.4
(2006-07-25) on my server X-Spam-Level: X-Spam-Status: No, score=-2.0
required=6.0 tests=BAYES_00,HTML_40_50,
HTML_MESSAGE,HTML_TEXT_AFTER_BODY autolearn=disabled version=3.1.4
thread-index: AcbVrHRGLevRi+gCSJenNtqXgv1xTA== Could someone please
help me with this is there a setting somewhere i missed in local.cf
maybe?? Thanks for your help in advance

__
View this message in context: Bayes test in spamassassin.bat
Sent from the SpamAssassin - Users forum at Nabble.com.






--
View this message in context: 
http://www.nabble.com/Bayes-test-in-spamassassin.bat-tf2252897.html#a6252631
Sent from the SpamAssassin - Users forum at Nabble.com. 




Re: postcard exploit email

2006-09-11 Thread Kelson

Kenneth Porter wrote:
--On Monday, September 11, 2006 8:12 AM -0700 "John D. Hardin" 
<[EMAIL PROTECTED]> wrote:



Maybe we need a base rule for URL links directly to executable
content...


MIMEDefang rejects content with executable extensions. The list of 
extensions is configurable. (.com is a pain because it also appears in 
domain names which are commonly used as part of filenames, like "report 
on my domain example.com.doc".)


In this case, though, it's not an attachment, so MD won't reject it. 
It's an ordinary link in an HTML part to the offending file:


<a href="http://server/path/to/evil/file">Blah blah</a>

It doesn't even have to be in HTML.  It could be a URL in a plaintext 
email, and many clients will convert it to a clickable URL:


http://server/path/to/evil/file

In fact, if you're retrieving content over the web, the link doesn't 
even have to tell you the double extension.  The link could be to a 
redirect script, or to a download script that provides a 
content-disposition header:


http://server/path/to/evil/but/innocuous/looking/file

--
Kelson Vibber
SpeedGate Communications 


Re: postcard exploit email

2006-09-11 Thread Kenneth Porter
--On Monday, September 11, 2006 8:12 AM -0700 "John D. Hardin" 
<[EMAIL PROTECTED]> wrote:



Maybe we need a base rule for URL links directly to executable
content...


MIMEDefang rejects content with executable extensions. The list of 
extensions is configurable. (.com is a pain because it also appears in 
domain names which are commonly used as part of filenames, like "report on 
my domain example.com.doc".)





Re: Customizing RBL and SURBL lists

2006-09-11 Thread D . J .
> Why go to all the trouble of rewriting/editing rules when it'd be a lot
> easier to maintain by just delegating the appropriate zones to your own
> DNSBL server?
>
> Daryl

LOL!!!  You know, sometimes you can't see the forest for the trees.  This is exactly what I'm trying to pull off, and it's a heck of a lot easier to pop an entry into dnscache to forward requests to my server than to go through figuring out the arcane logic of writing rules for DNSBL's.  Thanks for putting me on the right path!



Re: postcard exploit email

2006-09-11 Thread hamann . w
>> 
>> On Mon, September 11, 2006 18:15, John D. Hardin wrote:
>> 
>> > Probably not, as you'd have to visit the link to get something for the
>> > virus checker to check. On the server side, it'd have to follow the
>> > like to download the executable to scan, and I *really* doubt anyone
>> > would want their mail gateway to be doing *that*.
>> 
>> why not ?
>> 
>> clamav pics it up as
>> 
>> Virus scanner output:
>>   p006: Trojan.Dropper.Delf FOUND
>>   p004: Trojan.IRCBot-96 FOUND
>>   p002: Trojan.IRCBot-arc FOUND
>> 
>> > This is more a security policy issue - "I don't want to accept email
>> > with links directly to executable content". Hence an SA rule.
>> 
>> SA is not a virus scanner, but there could be a rule for dobbel extensions
>> 
>> -- 
>> "This message was sent using 100% recycled spam mails."
>> 
>> 
Hi,

possible problem: if the server actually runs windows, the link could be some
kind of cgi rather than an executable

double extensions are a clear warning, though

Wolfgang Hamann





Re: Inetesting new URI ploy

2006-09-11 Thread Evan Platt

At 11:54 AM 9/11/2006, you wrote:

Just came across one of these in a spam message:

bang Locals @ www.nowdatenow. com oopsy no space before com

Oh what will they try next...?



Oh I've seen plenty that require wayyy too much work. The average 
1d10t that would click on spam links would never figure out what to 
do.. I mean heck, one if I recall was http : // www dot spammeddomain dot com

Yea...




Re: Bayes test in spamassassin.bat

2006-09-11 Thread Floyd

I am trying this without an MUA. I am using Dos to check the headers of the
incoming mail with spamassassin. 

Usually I use MS Outlook but in this case I am checking the headers on the
server. There is no mail client on the server. 


Raul Dias wrote:
> 
> Hi,
> 
> What MUA are you using?
> 
> Your MUA seems to be unable to send HTML mail, so I suggest you
> configure it to send only text/plain formatted text.
> 
> []s
> Raul Dias
> 
> On Mon, 2006-09-11 at 07:50 -0700, Floyd wrote:
>> Hi, I am using Spamassassin with Exchange and i noticed I was getting
>> different scores using spamassassin.bat(There was a previous post by
>> me to this question) I have done some addtional tests and I noticed
>> that when spamassassin.bat is run automatically on every incoming
>> message there are no tests for bayes e.g Start - ID:  PreFile: C:\ESA
>> \NEW\msg060911101328_51EC4.in.eml PostFile: C:\ESA\NEW
>> \msg060911101328_51EC4.out.eml SpamAssassin:C:\PERL\BIN
>> \SPAMASSASSIN.BAT "C:\ESA\NEW\msg060911101328_51EC4.in.eml" "C:\ESA
>> \NEW\msg060911101328_51EC4.out.eml" SpamAssassin result: 0 Checking
>> for PERL in Path... Reloading Stream... Reading OUT file XSpamFlag:
>> XSpamStatus: No, score=0.0 required=6.0 tests=AWL,HTML_MESSAGE
>> autolearn=disabled version=3.1.4 Added header
>> urn:schemas:mailheader:X-Spam-Checker-Version SpamAssassin 3.1.4
>> (2006-07-25) Exchange SpamAssassin Sink (www.christopherlewis.com)
>> 1.2.76 on myserver SPAM: False SpamAssassin Value: 0 File:
>> msg060911101328_51EC4 Moving to HAM : End But when I run
>> spamassassin.bat manually there is a test for bayes in addition to the
>> other testse.g. X-Spam-Checker-Version: SpamAssassin 3.1.4
>> (2006-07-25) on my server X-Spam-Level: X-Spam-Status: No, score=-2.0
>> required=6.0 tests=BAYES_00,HTML_40_50,
>> HTML_MESSAGE,HTML_TEXT_AFTER_BODY autolearn=disabled version=3.1.4
>> thread-index: AcbVrHRGLevRi+gCSJenNtqXgv1xTA== Could someone please
>> help me with this is there a setting somewhere i missed in local.cf
>> maybe?? Thanks for your help in advance 
>> 
>> __
>> View this message in context: Bayes test in spamassassin.bat
>> Sent from the SpamAssassin - Users forum at Nabble.com.
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Bayes-test-in-spamassassin.bat-tf2252897.html#a6252631
Sent from the SpamAssassin - Users forum at Nabble.com.



Inetesting new URI ploy

2006-09-11 Thread Bill Landry

Just came across one of these in a spam message:

bang Locals @ www.nowdatenow. com oopsy no space before com

Oh what will they try next...?

Bill


Re: Bayes test in spamassassin.bat

2006-09-11 Thread Raul Dias
Hi,

What MUA are you using?

Your MUA seems to be unable to send HTML mail, so I suggest you
configure it to send only text/plain formatted text.

[]s
Raul Dias

On Mon, 2006-09-11 at 07:50 -0700, Floyd wrote:
> Hi, I am using Spamassassin with Exchange and i noticed I was getting
> different scores using spamassassin.bat(There was a previous post by
> me to this question) I have done some addtional tests and I noticed
> that when spamassassin.bat is run automatically on every incoming
> message there are no tests for bayes e.g Start - ID:  PreFile: C:\ESA
> \NEW\msg060911101328_51EC4.in.eml PostFile: C:\ESA\NEW
> \msg060911101328_51EC4.out.eml SpamAssassin:C:\PERL\BIN
> \SPAMASSASSIN.BAT "C:\ESA\NEW\msg060911101328_51EC4.in.eml" "C:\ESA
> \NEW\msg060911101328_51EC4.out.eml" SpamAssassin result: 0 Checking
> for PERL in Path... Reloading Stream... Reading OUT file XSpamFlag:
> XSpamStatus: No, score=0.0 required=6.0 tests=AWL,HTML_MESSAGE
> autolearn=disabled version=3.1.4 Added header
> urn:schemas:mailheader:X-Spam-Checker-Version SpamAssassin 3.1.4
> (2006-07-25) Exchange SpamAssassin Sink (www.christopherlewis.com)
> 1.2.76 on myserver SPAM: False SpamAssassin Value: 0 File:
> msg060911101328_51EC4 Moving to HAM : End But when I run
> spamassassin.bat manually there is a test for bayes in addition to the
> other testse.g. X-Spam-Checker-Version: SpamAssassin 3.1.4
> (2006-07-25) on my server X-Spam-Level: X-Spam-Status: No, score=-2.0
> required=6.0 tests=BAYES_00,HTML_40_50,
> HTML_MESSAGE,HTML_TEXT_AFTER_BODY autolearn=disabled version=3.1.4
> thread-index: AcbVrHRGLevRi+gCSJenNtqXgv1xTA== Could someone please
> help me with this is there a setting somewhere i missed in local.cf
> maybe?? Thanks for your help in advance 
> 
> __
> View this message in context: Bayes test in spamassassin.bat
> Sent from the SpamAssassin - Users forum at Nabble.com.



Re: postcard exploit email

2006-09-11 Thread Benny Pedersen

On Mon, September 11, 2006 18:15, John D. Hardin wrote:

> Probably not, as you'd have to visit the link to get something for the
> virus checker to check. On the server side, it'd have to follow the
> like to download the executable to scan, and I *really* doubt anyone
> would want their mail gateway to be doing *that*.

why not ?

clamav picks it up as

Virus scanner output:
  p006: Trojan.Dropper.Delf FOUND
  p004: Trojan.IRCBot-96 FOUND
  p002: Trojan.IRCBot-arc FOUND

> This is more a security policy issue - "I don't want to accept email
> with links directly to executable content". Hence an SA rule.

SA is not a virus scanner, but there could be a rule for double extensions

-- 
"This message was sent using 100% recycled spam mails."



Bayes Test runs sometimes and sometimes it doesn't

2006-09-11 Thread David Reta








I am running spamassassin 3.1.5 which is being called from mimedefang. I
am using bayes over nfs which is shared between 2 mail relays.

We have been having some issues with some spam getting through. I did
some investigating and found out that the spam that is getting through
is not running the bayes test. Even if nothing in the bayes database is
found shouldn’t at least BAYES_00 show up?

Do you think maybe that the bayes might be timing out? If so how can the
timeout be increased. Any ideas will help.

Here is the output of the MSG.0 file from the quarantined message. As
you can see the bayes test is not run. I ran the message manually as the
same user that runs mimedefang which is shown right after and the Bayes
test is run.

Content analysis details:   (36.8 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.7 SUBJECT_SEXUAL         Subject indicates sexually-explicit content
 1.5 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 1.8 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 0.5 PORN_15                BODY: Possible porn - various types of feline
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.4 DNS_FROM_RFC_WHOIS     RBL: Envelope sender in whois.rfc-ignorant.org
 2.2 RCVD_IN_WHOIS_INVALID  RBL: CompleteWhois: sender on invalid IP block
                            [61.75.153.64 listed in combined-HIB.dnsiplists.completewhois.com]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [61.75.153.64 listed in sbl-xbl.spamhaus.org]
 1.7 DNS_FROM_RFC_POST      RBL: Envelope sender in
                            postmaster.rfc-ignorant.org
 1.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: chags.ph]
 3.8 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: chags.ph]
 4.1 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: chags.ph]
 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: chags.ph]
 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: chags.ph]
 2.1 REPTO_QUOTE_YAHOO      Yahoo! doesn't do quoting like this

Run manually as same user

Content analysis details:   (30.8 points, 4.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.7 SUBJECT_SEXUAL         Subject indicates sexually-explicit content
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
 1.8 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 0.5 PORN_15                BODY: Possible porn - various types of feline
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 1.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: razwe.li]
 3.8 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: chags.ph]
 4.1 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: chags.ph razwe.li]
 2.1 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: chags.ph razwe.li]
 4.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: chags.ph]
 2.1 REPTO_QUOTE_YAHOO      Yahoo! doesn't do quoting like this

Thanks,
David




This email and attachments may contain Narus, Inc. confidential material. If you are not the intended recipient, contact the sender immediately and delete all instances of this email and attachments.






Re: postcard exploit email

2006-09-11 Thread David B Funk
On Mon, 11 Sep 2006, John D. Hardin wrote:

>
> Maybe we need a base rule for URL links directly to executable
> content...
>
>  href="http://www.canaltv.org/postcard.gif.exe";>http://www.e-cards.com/view/CR3090Ztyw5g527673XzW

You mean like:

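 # sub-rule 1: the link target itself carries the executable name
 uri      __L_AUNT_EDNA1  m!\b(?:postcards?\.gif\.exe|/postcard\.exe)!i
 # sub-rule 2: the name followed by a closing quote anywhere in the raw message
 full     __L_AUNT_EDNA2  m!\bpostcards?\.gif\.exe"!i
 meta     L_AUNT_EDNA     ( __L_AUNT_EDNA1 || __L_AUNT_EDNA2 )
 describe L_AUNT_EDNA     Aunt Edna postcard virus spam
 score    L_AUNT_EDNA     9.0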

Specific to the "Aunt Edna" viri but generalizable. Warning, it
could have FPs.


-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{
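
A generalized form of the check discussed in this thread, as an added example that is not part of any poster's message and is not SpamAssassin code: it flags links whose URL path ends in an executable extension, links with a decoy double extension such as .gif.exe, and links whose displayed URL names a different host than the href. The extension lists, finding names and the example.* sample message are assumptions made for the illustration.

```python
"""Flag e-mail links that point directly at executable content (added example)."""
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumed policy lists. 'com' is left out on purpose: it collides with domain
# names used inside file names ("report on my domain example.com.doc").
EXECUTABLE_EXTS = {"exe", "scr", "pif", "bat", "cmd", "vbs"}
DECOY_EXTS = {"gif", "jpg", "jpeg", "png", "doc", "pdf", "txt", "htm", "html"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML part."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def split_url(url):
    """urlsplit() that returns None instead of raising on malformed input."""
    try:
        return urlsplit(url.strip())
    except ValueError:
        return None


def host_of(url):
    parts = split_url(url)
    return parts.hostname if parts else None


def classify_url(url):
    """Return findings for one URL, judged on the last path component only."""
    parts = split_url(url)
    findings = set()
    if parts is None or parts.scheme.lower() not in ("http", "https", "ftp"):
        return findings
    pieces = posixpath.basename(unquote(parts.path)).lower().split(".")
    if len(pieces) >= 2 and pieces[0] and pieces[-1] in EXECUTABLE_EXTS:
        findings.add("EXE_LINK")
        if len(pieces) >= 3 and pieces[-2] in DECOY_EXTS:
            findings.add("DOUBLE_EXT")
    return findings


def scan_message(html_body="", text_body=""):
    """Return {url: sorted findings} for each flagged link in either part."""
    report = {}
    collector = AnchorCollector()
    collector.feed(html_body)
    collector.close()
    for href, text in collector.links:
        findings = classify_url(href)
        shown = URL_RE.match(text)
        # Displayed URL names one host while the href goes to another.
        if shown and host_of(href) and host_of(shown.group()) != host_of(href):
            findings.add("TEXT_HOST_MISMATCH")
        if findings:
            report[href] = sorted(findings)
    # Plain-text URLs that a mail client will turn into clickable links.
    for match in URL_RE.findall(text_body):
        url = match.rstrip(".,;)")
        findings = classify_url(url)
        if findings:
            report[url] = sorted(findings)
    return report


# Constructed sample message parts (reserved example.* domains).
SAMPLE_HTML = (
    "<p>You have received a postcard!</p>"
    '<a href="http://cards.example.net/postcard.gif.exe">'
    "http://www.greetings.example.com/view/CR0000</a> "
    '<a href="http://www.example.com/about.html">About us</a>'
)
SAMPLE_TEXT = (
    "Installer: http://dl.example.org/setup.exe.\n"
    "Report: http://files.example.org/report%20on%20example.com.doc\n"
)

if __name__ == "__main__":
    for url, findings in scan_message(SAMPLE_HTML, SAMPLE_TEXT).items():
        print(url, findings)
```

As noted elsewhere in this thread, a redirect script or a download script that sets a content-disposition header shows none of these signs in the URL, so the check only covers links where the extension is visible.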


Re: postcard exploit email

2006-09-11 Thread Kelson

Sietse van Zanen wrote:
And correct me if I'm wrong, but isn't ClamAV able to recursively scan 
URL's contained within e-mails?


Yes, with the MailFollowURLs option.  Thankfully, it's disabled by default.

Aside from increasing bandwidth use, exposing the virus checker to 
potential DOS conditions, and exposing the mail server to potential 
malware, there are plenty of URLs which perform actions that the user 
might want to have some say in, such as:


- Unsubscribe links
- Web bugs
- Survey results
- Moderation decisions (click URL A to accept, URL B to reject)

and so on.

--
Kelson Vibber
SpeedGate Communications 


RE: postcard exploit email

2006-09-11 Thread Sietse van Zanen



Yes, there are content scanning engines which can do this. They are usually based on ICAP or Checkpoints CVP. McAfee and TrendMicro supply such software. But it remains to be seen whether these interoperate with your MTA.
 
And correct me if I'm wrong, but isn't ClamAV able to recursively scan URL's contained within e-mails?
 
-Sietse


From: John D. Hardin
Sent: Mon 11-Sep-06 18:15
To: David Baron
Cc: users@spamassassin.apache.org
Subject: Re: postcard exploit email

On Mon, 11 Sep 2006, David Baron wrote:

> On Monday 11 September 2006 18:12, John D. Hardin wrote:
> > Maybe we need a base rule for URL links directly to executable
> > content...
> >
> >  > href="">http://www.e-cards.com/view/
> >CR3090Ztyw5g527673XzW
>
> Any virus checkers pick this up?

Probably not, as you'd have to visit the link to get something for the
virus checker to check. On the server side, it'd have to follow the
like to download the executable to scan, and I *really* doubt anyone
would want their mail gateway to be doing *that*.

This is more a security policy issue - "I don't want to accept email
with links directly to executable content". Hence an SA rule.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 A weapons registration phase ... 4) allows for a degree of control
 to be exercised during the collection phase; 5) assists in the
 planning of the collection phase; ...
  -- the UN, who "doesn't want to confiscate guns"
---
 6 days until The 219th anniversary of the signing of the U.S. Constitution




Re: postcard exploit email

2006-09-11 Thread John D. Hardin
On Mon, 11 Sep 2006, David Baron wrote:

> On Monday 11 September 2006 18:12, John D. Hardin wrote:
> > Maybe we need a base rule for URL links directly to executable
> > content...
> >
> >  > href="http://www.canaltv.org/postcard.gif.exe";>http://www.e-cards.com/view/
> >CR3090Ztyw5g527673XzW
>
> Any virus checkers pick this up?

Probably not, as you'd have to visit the link to get something for the
virus checker to check. On the server side, it'd have to follow the
like to download the executable to scan, and I *really* doubt anyone
would want their mail gateway to be doing *that*.

This is more a security policy issue - "I don't want to accept email
with links directly to executable content". Hence an SA rule.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 A weapons registration phase ... 4) allows for a degree of control
 to be exercised during the collection phase; 5) assists in the
 planning of the collection phase; ...
  -- the UN, who "doesn't want to confiscate guns"
---
 6 days until The 219th anniversary of the signing of the U.S. Constitution



Re: Animated graphics display a subliminal message to manipulate stock market

2006-09-11 Thread Kelson

Michael Scheidell wrote:

Found this one post:  guess we should look for BUY!! in the animated
gif?


Previously seen, with sample images and comments that do some analysis 
of the technique, at 
http://www.jgc.org/blog/2006/09/subliminal-advertising-in-spam.html


It's basically a variation on the technique we've started seeing where a 
spammer inserts a couple of frames of static to throw off OCR scanners. 
 Someone decided to use more text instead of just confetti.


It should be noted that, at least in those messages, the "BUY!" frames 
were long enough to register consciously, and therefore don't really 
qualify as "subliminal."  One commenter points out that there is a lower 
limit to how quickly a GIF frame can disappear... and it's above the 
"subliminal" limit.


Not that whether it's actually subliminal or not has any bearing on 
whether it's a useful spam-sign, of course!


--
Kelson Vibber
SpeedGate Communications 


Re: postcard exploit email

2006-09-11 Thread David Baron
On Monday 11 September 2006 18:12, John D. Hardin wrote:
> Maybe we need a base rule for URL links directly to executable
> content...
>
>  href="http://www.canaltv.org/postcard.gif.exe";>http://www.e-cards.com/view/
>CR3090Ztyw5g527673XzW
>
Any virus checkers pick this up?

Been getting a lot of "postcards" lately.


postcard exploit email

2006-09-11 Thread John D. Hardin

Maybe we need a base rule for URL links directly to executable
content...

<a href="http://www.canaltv.org/postcard.gif.exe">http://www.e-cards.com/view/CR3090Ztyw5g527673XzW</a>

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 A weapons registration phase ... 4) allows for a degree of control
 to be exercised during the collection phase; 5) assists in the
 planning of the collection phase; ...
  -- the UN, who "doesn't want to confiscate guns"
---
 6 days until The 219th anniversary of the signing of the U.S. Constitution



Re: Inconsistent Rules Firing

2006-09-11 Thread Michel Vaillancourt
Michel Vaillancourt wrote:
> Bowie Bailey wrote:
>> Are you sure these messages are being scanned?  Take a look at the
>> headers and see if there are X-Spam headers in both the marked and
>> unmarked messages.  If so, post those headers here so we can see what
>> is hitting.
>>
>   As I inidcated in the original mail... they are getting scored.  The 
> headers are there.  However, the scores are VERY low compared to another 
> similar one that arrives moments later.  I'll post back when I get a good 
> comparison pair.
> 
>> You also may want to add this line to you local.cf file:
>>
>> add_header all Report _REPORT_
>>
>> This will add the report header listing the rule hits to all messages
>> regardless of the score.  Restart spamd after making the change.
>>
> 
>   Will do.  I'll post back with results.
> 

It turns out that the issue was *not* spamassassin.  Due to a quirk in
my mail routing, some messages were "skipping" the primary mail exchanger and 
going to one of my other machines which was running a less "loaded" version of 
SA.  Once that was corrected, all started behaving correctly.

My first clue was when the "add_header" didn't change anything on some 
of the incoming traffic...  I started digging deeper.  Thanks for the help and 
suggestions, all.

-- 
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


Bayes test in spamassassin.bat

2006-09-11 Thread Floyd

Hi,

I am using Spamassassin with Exchange and I noticed I was getting different scores using spamassassin.bat (There was a previous post by me to this question)

I have done some additional tests and I noticed that when spamassassin.bat is run automatically on every incoming message there are no tests for bayes e.g

 Start - ID: <[EMAIL PROTECTED]>
 PreFile:  C:\ESA\NEW\msg060911101328_51EC4.in.eml	 PostFile:  C:\ESA\NEW\msg060911101328_51EC4.out.eml  SpamAssassin:C:\PERL\BIN\SPAMASSASSIN.BAT   "C:\ESA\NEW\msg060911101328_51EC4.in.eml"  "C:\ESA\NEW\msg060911101328_51EC4.out.eml"
 SpamAssassin result: 0
 Checking for PERL in Path...
 Reloading Stream...
 Reading OUT file
 XSpamFlag:
 XSpamStatus:  No, score=0.0 required=6.0 tests=AWL,HTML_MESSAGE 	autolearn=disabled version=3.1.4
 Added header urn:schemas:mailheader:X-Spam-Checker-Version SpamAssassin 3.1.4 (2006-07-25) Exchange SpamAssassin Sink (www.christopherlewis.com) 1.2.76 on myserver
 SPAM: False  SpamAssassin Value: 0 File: msg060911101328_51EC4
 Moving to HAM
 : End

But when I run spamassassin.bat manually there is a test for bayes in addition to the other tests e.g.

X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on my server
X-Spam-Level:
X-Spam-Status: No, score=-2.0 required=6.0 tests=BAYES_00,HTML_40_50,
HTML_MESSAGE,HTML_TEXT_AFTER_BODY autolearn=disabled version=3.1.4
thread-index: AcbVrHRGLevRi+gCSJenNtqXgv1xTA==


Could someone please help me with this? Is there a setting somewhere I missed in local.cf maybe??

Thanks for your help in advance


View this message in context: Bayes test in spamassassin.bat
Sent from the SpamAssassin - Users forum at Nabble.com.
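
The by-hand comparison in this post and in the "Bayes Test runs sometimes and sometimes it doesn't" thread, and the cross-check that led to a second scanning host in the "Inconsistent Rules Firing" thread, can be run over a whole mailbox; this is an added example, not code from any poster or from SpamAssassin. It reads the X-Spam-Checker-Version and X-Spam-Status headers shown in these posts and reports, per scanning host and version, how many scans listed no BAYES_nn rule; the function names and the example.org sample headers are constructed for the illustration.

```python
"""Audit X-Spam-* headers for scans that produced no Bayes result (added example)."""
import re
from collections import defaultdict
from email import message_from_string

CHECKER_RE = re.compile(r"SpamAssassin\s+(\S+)\s+\([^)]*\)\s+on\s+(\S+)")
STATUS_RE = re.compile(r"score=(-?[\d.]+).*?tests=(.*?)(?:\s+\w+=|$)")
BAYES_RE = re.compile(r"BAYES_\d\d$")


def unfold(value):
    """Collapse header folding (newline plus whitespace) into single spaces."""
    return " ".join(value.split())


def parse_scan(raw_message):
    """Return host, version, score and rule list of one scan, or None if unscanned."""
    msg = message_from_string(raw_message)
    status = msg.get("X-Spam-Status")
    if status is None:
        return None
    checker = CHECKER_RE.search(unfold(msg.get("X-Spam-Checker-Version", "")))
    version, host = checker.groups() if checker else ("unknown", "unknown")
    found = STATUS_RE.search(unfold(status))
    score = float(found.group(1)) if found else None
    # The rule list may be folded mid-list, so split on commas and whitespace.
    names = re.split(r"[,\s]+", found.group(2)) if found else []
    tests = [n for n in names if n and n != "none"]
    return {"host": host, "version": version, "score": score, "tests": tests}


def audit(raw_messages):
    """Count scans and Bayes-less scans per (host, version) scanner."""
    per_scanner = defaultdict(lambda: {"scanned": 0, "no_bayes": 0})
    unscanned = 0
    for raw in raw_messages:
        scan = parse_scan(raw)
        if scan is None:
            unscanned += 1  # no X-Spam-Status at all: the message skipped scanning
            continue
        stats = per_scanner[(scan["host"], scan["version"])]
        stats["scanned"] += 1
        if not any(BAYES_RE.match(t) for t in scan["tests"]):
            stats["no_bayes"] += 1
    return dict(per_scanner), unscanned


def verdicts(per_scanner):
    """Label each scanner 'ok', 'intermittent' or 'never' for Bayes results."""
    out = []
    for (host, version), stats in sorted(per_scanner.items()):
        if stats["no_bayes"] == 0:
            label = "ok"
        elif stats["no_bayes"] == stats["scanned"]:
            label = "never"         # every scan on this host lacked a Bayes rule
        else:
            label = "intermittent"  # some scans on this host lacked a Bayes rule
        out.append((host, version, label))
    return out


def sample(host, version, status):
    """Build one constructed message with SpamAssassin-style headers."""
    return (f"X-Spam-Checker-Version: SpamAssassin {version} (constructed) on {host}\n"
            f"X-Spam-Status: {status}\nSubject: constructed sample\n\nbody\n")


# Constructed sample messages; hosts and scores are made up for the example.
SAMPLE_MESSAGES = [
    sample("mx1.example.org", "3.1.5", "Yes, score=30.8 required=4.0 "
           "tests=BAYES_99,RAZOR2_CHECK,\n\tURIBL_SBL autolearn=no version=3.1.5"),
    sample("mx1.example.org", "3.1.5", "Yes, score=36.8 required=4.0 "
           "tests=RAZOR2_CHECK,RCVD_IN_XBL,\n\tURIBL_SBL autolearn=no version=3.1.5"),
    sample("mx2.example.org", "3.1.4", "No, score=0.0 required=6.0 "
           "tests=AWL,HTML_MESSAGE autolearn=disabled version=3.1.4"),
    sample("mx2.example.org", "3.1.4", "No, score=0.0 required=6.0 "
           "tests=none autolearn=disabled version=3.1.4"),
    "Subject: never passed through a scanner\n\nbody\n",
]

if __name__ == "__main__":
    scanners, skipped = audit(SAMPLE_MESSAGES)
    for row in verdicts(scanners):
        print(*row)
    print("messages without X-Spam-Status:", skipped)
```

A scanner labelled "never" fits the pattern of a differently configured host or a process that cannot find the Bayes database, while "intermittent" matches the case where the same host sometimes lists a BAYES_nn rule and sometimes does not.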


Re: Need help with SA and Received headers...

2006-09-11 Thread Matthias Haegele

thekillerbean wrote:

> SPAM is finding its way into my inbox and I believe it's because SPAMMERs
> have started using my low priority MX record which relays e-mail for my
> domain through my ISP - for those situations when my server is offline.

afaik: this is a common method, use the backup-mx cause they (spammers)
hope to meet less restrictive "antispam-measures" there.

> When I run the an IP address in the second Received: header against the
> www.dnsstuff.com site it fails nearly all tests!
>
> How then can I configure Sendmail and/or SpamAssassin to do its checks
> against this second Received: header when the connecting host is my ISP mail
> server?

Perhaps a better solution would be to use the same antispam-checks at
your second box/mx?.

> Cheers and tia,
> tkb.

hth
MH



Re: פריצת דרך מאתגרת

2006-09-11 Thread David Baron
Local for HEBREW is not in this list.

> Windows-1255
>
> and apparently with locales
>
> DB<6> x @locales
> 0  'en'
> 1  'th'
> 2  'it'
> 3  'en_US'
>
> Mail::SpamAssassin::Locales::is_charset_ok_for_locales($1, @locales)
>
> returns true
>
> Mail::SpamAssassin::Locales::is_charset_ok_for_locales(/home/robert/
> lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Locales.pm:91):
> 91:   return 1 if ($cs =~ /^WINDOWS/);  # argh, Windows
>
> what?
>
> On Sep 10, 2006, at 4:38 PM, Robert Nicholson wrote:
> > Why didn't foreign charset rules catch this?
> >
> > Begin forwarded message:
> >> From: [EMAIL PROTECTED]
> >> Date: September 10, 2006 2:17:51 PM CDT
> >> To: [EMAIL PROTECTED]
> >> Subject: פריצת דרך מאתגרת
> >> X-Spam-Dcc: : grub.camros.com 1113; Body=5 Fuz1=5 Fuz2=3
> >> X-Spam-Flag: YES
> >> X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on
> >> grub.camros.com
> >> X-Spam-Level: *
> >> X-Spam-Status: Yes, score=5.7 required=0.6
> >> tests=BAYES_95,FRONTPAGE,
> >> HTML_90_100,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_TITLE_SUBJ_DIFF,
> >> MIME_HTML_ONLY,NO_REAL_NAME,UNPARSEABLE_RELAY autolearn=no
> >> version=3.1.1
> >> X-Spam-Report: *  1.0 NO_REAL_NAME From: does not include a real
> >> name *  0.0 UNPARSEABLE_RELAY Informational: message has
> >> unparseable relay *  lines *  0.5 HTML_IMAGE_RATIO_02 BODY:
> >> HTML has a low ratio of text to image *  area *  0.1
> >> HTML_90_100 BODY: Message is 90% to 100% HTML *  0.0 HTML_MESSAGE
> >> BODY: HTML included in message *  3.0 BAYES_95 BODY: Bayesian spam
> >> probability is 95 to 99% *  [score: 0.9667] *  0.0
> >> MIME_HTML_ONLY BODY: Message only has text/html MIME parts *  0.9
> >> FRONTPAGE RAW: Frontpage used to create the message *  0.3
> >> HTML_TITLE_SUBJ_DIFF HTML_TITLE_SUBJ_DIFF
> >> Received: (qmail 10557 invoked from network); 10 Sep 2006 18:17:08
> >> -
> >> Received: from  (HELO kini12.com) (208.53.131.241) by 64.34.193.12
> >> with SMTP; 10 Sep 2006 18:17:08 -
> >> Message-Id: <[EMAIL PROTECTED]>
> >> Mime-Version: 1.0
> >> Content-Type: text/html; charset="windows-1255"
> >> Content-Transfer-Encoding: quoted-printable
> >> Lines: 124
> >>
> >>
> >>
> >>
> >> להגיע למיליון לקוחות ?גם אתם רוצים
> >> נא לחצו כאן
> >>
> >>
> >> מתנצלים אם גרמנו להפרעה, להסרה
> >> מרשימת הדיוורנמען נכבד, אנו לחץ
> >>
> >> להסרה לחצו כאן


Need help with SA and Received headers...

2006-09-11 Thread thekillerbean

SPAM is finding its way into my inbox and I believe it's because SPAMMERs
have started using my low priority MX record which relays e-mail for my
domain through my ISP - for those situations when my server is offline.
When I run the IP address in the second Received: header against the
www.dnsstuff.com site it fails nearly all tests!

How then can I configure Sendmail and/or SpamAssassin to do its checks
against this second Received: header when the connecting host is my ISP mail
server?

Cheers and tia,
tkb.




filtering by time

2006-09-11 Thread Toni Casueps


I receive some spam messages that I don't know how to make spamassassin
"assassinate"... they are very well done and I can't do much to stop
them. Some of them arrive at night time, having been sent from countries
with different time zones, so I have thought of making a rule that adds some
points if the message arrives between, say, 1:00 and 6:00 (I should set it
from 21:00 to 8:00 since this is an office and I don't think someone is
going to send anything work-related at this time, but just to be careful...).
Do you know how this can be done? Do you think it could give too many false
positives?
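Added example, not from the original post: a sketch of the time-window test such a rule would need, using the timestamp your own server writes in the topmost Received header rather than the sender-controlled Date header. The fixed `OFFICE_TZ` offset, the function names and the sample header are assumptions made for illustration; the windows are the 21:00 to 8:00 and 1:00 to 6:00 ranges from the post.

```python
from datetime import time, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: the office runs on a fixed UTC+2 offset (no DST handling here).
OFFICE_TZ = timezone(timedelta(hours=2))

# Constructed header, stamped in UTC by the receiving server.
SAMPLE_RECEIVED = (
    "from relay.example ([203.0.113.9]) by mail.office.example with ESMTP;\n"
    "\tMon, 11 Sep 2006 19:30:00 +0000"
)


def received_stamp(received_header):
    """Timestamp that follows the last ';' of a Received header."""
    return parsedate_to_datetime(received_header.rsplit(";", 1)[1].strip())


def in_window(clock, start, end):
    """True if start <= clock < end; a window with start > end wraps midnight."""
    if start <= end:
        return start <= clock < end
    return clock >= start or clock < end


def arrived_out_of_hours(received_header, start=time(21, 0), end=time(8, 0)):
    """Convert the server's stamp to office time, then test the window."""
    local = received_stamp(received_header).astimezone(OFFICE_TZ)
    return in_window(local.time(), start, end)


if __name__ == "__main__":
    print(arrived_out_of_hours(SAMPLE_RECEIVED))
```

The sample reads 19:30 on its face but is 21:30 office time, so comparing the raw clock digits without converting the offset would miss it.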





Re: pyzor: check failed: internal error

2006-09-11 Thread John Horne
On Sat, 2006-09-09 at 12:58 -0500, John Thompson wrote:
>
> Ok, this suggests that the error producing the internal error messages 
> at that time was patched with pyzor-0.4.0. I'm running pyzor-0.4.0_4, 
> which presumably includes the needed patch.
> 
Not necessarily. Pyzor 0.4.0 from original source does not include the
mentioned patches (obviously). Likewise, running pyzor
(pyzor-0.4.0-9.fc4) under FC4 does not include the patches (neither as
far as I can see will the upcoming FC6). However, Debian pyzor seems to
be patched. You'll need to check the FreeBSD source of your running
version to see if it has the patches applied.

Having said all that, under FC4 pyzor (patched) still seems to show
these errors.



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 233839