Re: Problem with URIBL rules : false positive and not listed while manually checking
On Monday, October 2, 2006, 5:39:02 AM, Fabien GARZIANO wrote:

> I'm getting strange results with my URIBL_* rules. I get some messages where these rules score, but I don't get any listing when I manually check with tools like http://www.rulesemporium.com/cgi-bin/uribl.cgi
>
> For example, I got a mail from one of our providers: westcon.fr (or weston.com). They provide us with nortel products (nortel.com or nortelnetworks.com). Their email contains 4 different URIs (I don't list the 'mailto:' here):
>
> http://www.westcon.fr/
> www.voicepoint.westcon.com
> https://app12.nortelnetworks.com/ ...
> www.nortel.com/spq-ppq
>
> I've tried each, but I got 'not listed' in multi.surbl.org and multi.surbl.com. Here's the score and detail from spamassassin:
>
> X-caliseo-MailScanner-SpamCheck: polluriel, SpamAssassin (score=6.133, requis 5.8, BAYES_00 -2.60, NO_REAL_NAME 0.01, URIBL_JP_SURBL 2.46, URIBL_PH_SURBL 2.00, URIBL_SC_SURBL 4.26)

What version of SpamAssassin are you running? Versions before 3.1 have an infrequent DNS query bug: http://bugzilla.spamassassin.org/show_bug.cgi?id=3997

Another possibility is that there is a DNS proxy or DNS modification service like OpenDNS changing the DNS results in a way that's not compatible with SURBL applications: http://www.surbl.org/faq.html#opendns

In any case, none of the domains mentioned are blacklisted, so there is a problem with your SpamAssassin or DNS.

Jeff C.
--
Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5
If it helps, here's what I wrote for the SURBL FAQ: http://www.surbl.org/faq.html#opendns

I'm using OpenDNS and getting wrong answers to SURBL DNS queries

OpenDNS is a service that changes the responses to some DNS queries in order to prevent users from visiting spam, phishing, etc., sites. It also has a typo correction feature that directs mistyped domain names to custom sites controlled by OpenDNS instead of sites controlled by typosquatters, phishers, etc.

When using SURBLs with an OpenDNS nameserver it's important to disable the typo correction feature, or the responses to non-matching SURBL queries will be incorrect to a SURBL application. The reason is that the OpenDNS nameservers return an IP address of their own web site in those cases, and that modified IP address will have an incorrect effect on SURBL list identification that depends on where the bit patterns happen to be in the modified response.

SURBLs will work with OpenDNS if their typo correction feature is disabled on servers or clients doing SURBL queries. Alternatively, consider using non-OpenDNS nameservers on those systems.

Note also that SURBL applications may be incompatible with other DNS modification or proxy services that change the DNS query results of non-matches (NXDOMAIN results).

Jeff C.
--
Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
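A diagnostic for the failure described in the FAQ text above, as an added example that is not part of the original post or of SURBL's or SpamAssassin's code: it decodes a `multi.surbl.org` answer with and without a sanity check, and probes a resolver with a name that must not exist. The bit values (2 SC, 4 WS, 8 PH, 16 OB, 32 AB, 64 JP) are assumed from the SpamAssassin 3.1 default SURBL rules and are not stated on this page; the two resolvers, the `203.0.113.x` answers and the canary label are constructed.

```python
"""Decode multi.surbl.org answers and detect a resolver that rewrites NXDOMAIN."""
import ipaddress
import secrets
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Assumed bit assignments for multi.surbl.org (not given on this page).
SURBL_BITS = {2: "SC", 4: "WS", 8: "PH", 16: "OB", 32: "AB", 64: "JP"}
ZONE = "multi.surbl.org"
SURBL_NET = ipaddress.IPv4Network("127.0.0.0/8")

# A resolver maps a query name to a dotted-quad answer, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def query_name(domain: str, zone: str = ZONE) -> str:
    """Build the name that is looked up for a domain found in a message."""
    return f"{domain.rstrip('.').lower()}.{zone}"


def lists_from_octet(octet: int) -> List[str]:
    return [name for bit, name in sorted(SURBL_BITS.items()) if octet & bit]


def naive_lists(answer: Optional[str]) -> List[str]:
    """Mask-only decoding: any answer at all is treated as a list bitmask."""
    if answer is None:
        return []
    return lists_from_octet(int(answer.rsplit(".", 1)[1]))


def checked_lists(answer: Optional[str]) -> Tuple[str, List[str]]:
    """Decode only answers in 127.0.0.0/8; anything else came from a rewriter."""
    if answer is None:
        return ("not-listed", [])
    addr = ipaddress.IPv4Address(answer)
    if addr not in SURBL_NET:
        return ("rewritten", [])
    return ("listed", lists_from_octet(int(addr) & 0xFF))


def resolver_rewrites_nxdomain(resolve: Resolver, zone: str = ZONE,
                               label: Optional[str] = None) -> bool:
    """Query a random name under .invalid; any answer means NXDOMAIN is rewritten."""
    label = label or "canary-" + secrets.token_hex(8)
    return resolve(f"{label}.invalid.{zone}") is not None


def system_resolver(name: str) -> Optional[str]:
    """Real lookup through the host's configured resolver (needs network)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:  # NXDOMAIN, but also timeouts and other failures
        return None


# Constructed data: one listing (the page's lookup output shows thelevelgroup.net
# on [jp]) and a rewriter that answers every non-match with a web-server address.
HONEST: Dict[str, str] = {"thelevelgroup.net.multi.surbl.org": "127.0.0.64"}


def honest_resolver(name: str) -> Optional[str]:
    return HONEST.get(name)


def rewriting_resolver(name: str) -> Optional[str]:
    return HONEST.get(name, "203.0.113.74")  # low octet 74 = 64 + 8 + 2


def diagnose(domain: str, resolve: Resolver) -> dict:
    answer = resolve(query_name(domain))
    status, lists = checked_lists(answer)
    return {"answer": answer, "naive": naive_lists(answer),
            "status": status, "lists": lists}


if __name__ == "__main__":
    for label, resolve in (("honest", honest_resolver),
                           ("rewriting", rewriting_resolver)):
        print(label, "rewrites NXDOMAIN:", resolver_rewrites_nxdomain(resolve))
        for domain in ("westcon.fr", "thelevelgroup.net"):
            print("  ", domain, diagnose(domain, resolve))
```

With the constructed rewriter, the unlisted `westcon.fr` decodes naively to SC, PH and JP, the same three rules that fired in the first report on this page, while the checked decoder reports the answer as rewritten.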
Message Vs Batch mode processing ..
Thanks for the advice Theo ..

I've registered with razor and am now reporting spam regularly and saving to folder 'Spam'.

However, I'm a bit frustrated having to do this 'message by message' with downloads averaging around 1-200. I am impressed that Sylpheed-Claws-GTK2 (with SA ClamAV plugins) munches away at the whole downloaded batch and delivers it spam-free.

I'd prefer to understand what is happening under the hood - could you point me in the direction of how I can do this via CLI with Mutt ?

Cheers,

--
Adam Bogacki, - email: afb(at)paradise.net.nz VoIP: sip:agike(at)ekiga.net [Zfone] Key: 0x4E553910 - DABB 4963 8973 7CCD 33C0 DC27 D7C5 F516 4E55 3910 Key Servers: hkp://pgp.mit.edu:1137 ldap://keyserver.pgp.com
RE: Stock spam in images
For Debian users, I've found the following link, a step-by-step guide to implementing FuzzyOCR and ImageInfo with spamassassin. http://www200.pair.com/mecham/spam/image_spam.html

Andrea
Re: Non-blocklisted embedded URLs are getting hits on URIBL_AB_SURBL and URIBL_PH_SURBL in SpamAssassin 3.1.5
thanks Jeff! here's the new FAQ entry: http://wiki.apache.org/spamassassin/OpenDnsAndUribls

feel free to modify, guys.

--j.

Jeff Chan writes:

> If it helps, here's what I wrote for the SURBL FAQ: http://www.surbl.org/faq.html#opendns
>
> I'm using OpenDNS and getting wrong answers to SURBL DNS queries
>
> OpenDNS is a service that changes the responses to some DNS queries in order to prevent users from visiting spam, phishing, etc., sites. It also has a typo correction feature that directs mistyped domain names to custom sites controlled by OpenDNS instead of sites controlled by typosquatters, phishers, etc.
>
> When using SURBLs with an OpenDNS nameserver it's important to disable the typo correction feature, or the responses to non-matching SURBL queries will be incorrect to a SURBL application. The reason is that the OpenDNS nameservers return an IP address of their own web site in those cases, and that modified IP address will have an incorrect effect on SURBL list identification that depends on where the bit patterns happen to be in the modified response.
>
> SURBLs will work with OpenDNS if their typo correction feature is disabled on servers or clients doing SURBL queries. Alternatively, consider using non-OpenDNS nameservers on those systems.
>
> Note also that SURBL applications may be incompatible with other DNS modification or proxy services that change the DNS query results of non-matches (NXDOMAIN results).
>
> Jeff C.
> --
> Jeff Chan mailto:[EMAIL PROTECTED] http://www.surbl.org/
RE: rulesdujour
#Ronan McGlue wrote:

> can someone give me a listing of the latest timestamps regarding their rulesdujour updates?
>
> I've just noticed that none of the files have been updated on my machine since mid August... surely this isn't normal...

No, it's fairly normal. SARE_STOCKS is the only one that is changing on a regular basis at the moment.

Jul 25 12:00 70_sare_spoof.cf
Aug 27 06:34 70_sare_whitelist_spf.cf
Sep 22 17:00 70_sare_stocks.cf

All the rest of mine go back to June or earlier.

--
Bowie
SpamAssassin question
Hello,

I am relatively new to SpamAssassin and I hope I am asking this question via the appropriate channel. If not, please let me know.

I have been receiving spam email that is not getting caught by SpamAssassin and want to add a rule to catch it. These particular spam emails have the same URL which shows up in the body of the email many times - I have seen it repeated as many as 12 times. For example:

http://www.thelevelgroup.net/9Lc591820lkc972ov63Ij142YOjd16uwEU102KFMp
http://www.thelevelgroup.net/9Lc591820lkc972ov63Ij142YOjd16uwEU102KFMp
http://www.thelevelgroup.net/9Lc591820lkc972ov63Ij142YOjd16uwEU102KFMp

For this example, I know I can use a URI rule to check for thelevelgroup.net. But, what if the URL changes? I want to add a rule which will add points if any url shows up in the body of the email more than a certain number of times. I assume I need to set a variable then count the occurrences, but I do not know how to do this, or if it is even possible. I am currently using SpamAssassin v2.64.

Thanks!

John W Mickevich
IBM eServer Certified Specialist i5 iSeries Technical Solution Designer V5R3
IBM eServer Certified Specialist iSeries Solution Sales V5R3
Computer Management Technologies
An Employee Owned Company
Phone: (989) 791-4860 ext 109
Email: [EMAIL PROTECTED]
Re: SpamAssassin question
You can't do what you want in 2.6x, at least without writing an eval rule in perl. I *think* they may have implemented counting rules fairly recently; but I'm not sure if that patch was ever released. In any case, you should be able to use network tests and SURBL in 2.64 and that will in all probability catch these just fine. Of course, upgrading to a more current version would be an even better idea - along with enabling network tests. Loren
RE: SpamAssassin question
Time for you to start using uribls. For SA 2.64 you'll need spamcopuri (http://sourceforge.net/projects/spamcopuri/), and then check www.surbl.org for usage instructions. Better to upgrade to SA 3.1.5.

http://www.rulesemporium.com/cgi-bin/uribl.cgi returns this for thelevelgroup.net:

URIBL: multi.surbl.org: listed [Blocked, thelevelgroup.net on lists [jp], See: http://www.surbl.org/lists.html]
URIBL: multi.uribl.com: listed [Blacklisted, see http://lookup.uribl.com/?domain=thelevelgroup.net]

Cheers,
Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

From: John W Mickevich [mailto:[EMAIL PROTECTED]
Sent: 03 October 2006 16:12
To: users@spamassassin.apache.org
Subject: SpamAssassin question

Hello,

I am relatively new to SpamAssassin and I hope I am asking this question via the appropriate channel. If not, please let me know.

I have been receiving spam email that is not getting caught by SpamAssassin and want to add a rule to catch it. These particular spam emails have the same URL which shows up in the body of the email many times - I have seen it repeated as many as 12 times. For example:

http://www.thelevelgroup.net/9Lc591820lkc972ov63Ij142YOjd16uwEU102KFMp
http://www.thelevelgroup.net/9Lc591820lkc972ov63Ij142YOjd16uwEU102KFMp
http://www.thelevelgroup.net/9Lc591820lkc972ov63Ij142YOjd16uwEU102KFMp

For this example, I know I can use a URI rule to check for thelevelgroup.net. But, what if the URL changes? I want to add a rule which will add points if any url shows up in the body of the email more than a certain number of times. I assume I need to set a variable then count the occurrences, but I do not know how to do this, or if it is even possible. I am currently using SpamAssassin v2.64.

Thanks!

John W Mickevich IBM eServer Certified Specialist i5 iSeries Technical Solution Designer V5R3 IBM eServer Certified Specialist iSeries Solution Sales V5R3 Computer Management Technologies An Employee Owned Company Phone: (989) 791-4860 ext 109 Email: [EMAIL PROTECTED]
RE: SpamAssassin question
John W Mickevich wrote:

> Hello,
>
> I am relatively new to SpamAssassin and I hope I am asking this question via the appropriate channel. If not, please let me know.
>
> I have been receiving spam email that is not getting caught by SpamAssassin and want to add a rule to catch it. These particular spam emails have the same URL which shows up in the body of the email many times - I have seen it repeated as many as 12 times. For example:
>
> http://www.thelevelgroup.net/9Lc591820lkc972ov63Ij142YOjd16uwEU102KFMp
> http://www.thelevelgroup.net/9Lc591820lkc972ov63Ij142YOjd16uwEU102KFMp
> http://www.thelevelgroup.net/9Lc591820lkc972ov63Ij142YOjd16uwEU102KFMp
>
> For this example, I know I can use a URI rule to check for thelevelgroup.net. But, what if the URL changes? I want to add a rule which will add points if any url shows up in the body of the email more than a certain number of times. I assume I need to set a variable then count the occurrences, but I do not know how to do this, or if it is even possible. I am currently using SpamAssassin v2.64.
>
> Thanks!

Step 1: Upgrade to a newer version of SA (3.1.5 is current)
Step 2: Install Razor2 and URIBL

These are the results of your email on my system:

Content analysis details: (8.9 points, 5.0 required)

pts rule name description
-- --
0.0 HTML_MESSAGE BODY: HTML included in message
1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level above 50% [cf: 100]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 100]
3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist [URIs: thelevelgroup.net]
3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist [URIs: thelevelgroup.net]

--
Bowie
Re: SpamAssassin question
Loren Wilton writes: You can't do what you want in 2.6x, at least without writing an eval rule in perl. I *think* they may have implemented counting rules fairly recently; but I'm not sure if that patch was ever released. yep, tflags multiple support, in 3.2.0. --j.
Re: Delete all emails tagged by SA.
At 09:15 AM Tuesday, 10/3/2006, Shahzad Abid wrote -= I have SpamAssassin version 3.1.5 running on Perl version 5.8.5 on FC3. I want to delete all emails tagged by SA as spam. So what's stopping you? Do know however that SA will not process your mail in any way - all it is intended to do is identify spam. You will need to use something else in your arsenal to accomplish this. You should read this before you just start deleting unread emails: http://wiki.apache.org/spamassassin/DeletingAllMailsMarkedSpam Ed Kasky ~ Randomly Generated Quote (442 of 515): The best thing about the future is that it comes only one day at a time. -Abraham Lincoln (1809-1865)
Re: Q. about spam directed towards highest MX Record?
On Fri, 29 Sep 2006, Rob McEwen (PowerView Systems) wrote:

> Jon Trulson said:
>
>> Hehe, that is an old spammer trick... Our secondary MX is pretty much 100% spam. I implemented greylisting on the secondary which reduced spam through it by about 99% :) The secondary does not do spam scanning, it's simply store and forward. Greylisting really helps in these cases.
>
> Jon, please tell me, what portion of your overall spams attempt to come in through this secondary MX compared to all spam that you catch which are headed to your primary MX record. THAT is what I most wanted to know.

Sorry, I missed that... It's hard to gauge right now as I've been running this setup for over a year. But, before greylisting was put into effect, I would say nearly 80% of our spam came through the secondary MX - it seemed to be the preferred mode of entry into our network. Most 'dictionary' type spam entered this way as well, since the MX did not have a list of valid users - it's only intended as an emergency backup after all.

I highly recommend greylisting for secondary MX systems. :)

> Thanks!
> Rob McEwen
> PowerView Systems

--
Jon Trulson mailto:[EMAIL PROTECTED] http://radscan.com/~jon
#include std/disclaimer.h
No Kill I -Horta
FuzzyOCR seems to not like gif and png
I have SA 3.1.4 and FuzzyOCR 2.3b installed. I keep getting these messages in the log whenever I test any gif and png samples:

[2006-10-03 11:24:33] Unexpected error in pipe to external programs. Please check that all helper programs are installed and in the correct path. (Pipe Command /usr/local/netpbm/bin/giftopnm -, Pipe exit code 137 (), Temporary file: /tmp/.spamassassin5087MySEdftmp)
[2006-10-03 11:25:14] Unexpected error in pipe to external programs. Please check that all helper programs are installed and in the correct path. (Pipe Command /usr/local/netpbm/bin/pngtopnm -, Pipe exit code 137 (), Temporary file: /tmp/.spamassassin5101jo7Qurtmp)

I have giftopnm and pngtopnm installed in /usr/local/netpbm/bin and have made the appropriate changes in the FuzzyOcr.cf.

From the FuzzyOcr.cf:

focr_bin_giftopnm /usr/local/netpbm/bin/giftopnm
focr_bin_jpegtopnm /usr/local/netpbm/bin/jpegtopnm
focr_bin_pngtopnm /usr/local/netpbm/bin/pngtopnm

bash-3.00# which pngtopnm
/usr/local/netpbm/bin/pngtopnm
bash-3.00# which giftopnm
/usr/local/netpbm/bin/giftopnm
bash-3.00#

Scanning the sample jpeg image seems to work just fine. Any idea what may be happening or any errors I have made? Lint works fine as well.
Re: Message Vs Batch mode processing ..
On Tue, Oct 03, 2006 at 08:59:08PM +1300, Adam Bogacki wrote:

> Thanks for the advice Theo .. I've registered with razor and am now reporting spam regularly and saving to folder 'Spam'.

:)

> However, I'm a bit frustrated having to do this 'message by message' with downloads averaging around 1-200. I am impressed that Sylpheed-Claws-GTK2 (with SA ClamAV plugins) munches away at the whole downloaded batch and delivers it spam-free. I'd prefer to understand what is happening under the hood - could you point me in the direction of how I can do this via CLI with Mutt ?

I'm not really sure what you're asking here. Doing batch processing isn't hard with SpamAssassin, do something like:

spamassassin --mbox messages.mbox > messages-out.mbox

If you want to use spamc/spamd, you have to go per message since spamc only understands single messages. Ala:

formail -s spamc < messages.mbox > messages-out.mbox

If you want SA to run over a message, and then have some filtering going on (ie: spams to one folder, etc,) you'd have to do some kind of formail/procmail thing to break a mailbox apart, process it through SA, then filter it.

--
Randomly Selected Tagline: Al is a very busy person, as is most everyone else on helpdesk. They might even be more busy than Microsoft engineers who have much higher salaries, and have time for nerf gun battles and pillow fights in the halls. - Paul English
perl hogging my memory?
Ok, I've googled and obviously I'm not finding the right solution.. But had to reinstall spamassassin on my os/x 10.4 box. Followed http://developer.apple.com/server/fighting_spam.html .

But, my system is running out of memory, and it looks like Perl / spamassassin is the cause. I've omitted everything but the Perl and Spamassassin related entries:

Load Avg: 1.97, 1.36, 0.78 CPU usage: 84.4% user, 15.6% sys, 0.0% idle
SharedLibs: num = 106, resident = 3.54M code, 364K data, 780K LinkEdit
MemRegions: num = 4984, resident = 217M + 1.37M private, 236M shared
PhysMem: 44.7M wired, 307M active, 153M inactive, 506M used, 5.54M free
VM: 4.00G + 79.0M 50554(137) pageins, 65232(79) pageouts

PID COMMAND  %CPU  TIME    #TH #PRTS #MREGS RPRVT  RSHRD RSIZE  VSIZE
448 spamc     0.0% 0:00.00  1   15     18   128K   268K- 396K   27.7M
447 procmail  0.0% 0:00.00  1    8     16   8K-    364K- 176K   26.7M
445 procmail  0.0% 0:00.02  1   15     16   8K-    364K- 412K   26.7M
416 perl     35.1% 0:10.60  1   10    391   30.4M  233M- 94.2M  391M
394 spamc     0.0% 0:00.00  1   15     18   88K    268K- 356K   27.7M
393 procmail  0.0% 0:00.00  1    8     16   8K     316K- 172K   26.7M
391 procmail  0.0% 0:00.02  1   15     16   8K     316K- 364K   26.7M
378 perl     10.1% 0:48.50  1   10    388   150M+  207M- 217M+  391M
377 perl     44.7% 1:18.63  1   10    388   26.3M  233M- 72.8M  391M
271 perl      0.0% 0:00.12  1   10     43   1.93M  284K  1.07M  29.1M
 65 perl      0.0% 3:41.24  1   15    387   1.43M- 233M- 56.9M- 391M

So what did I do wrong that's causing a Perl process to take up 391 megs? Obviously, I'm only guessing it's spamassassin related, but that's the only thing I can think of using perl. And I see a few google reference to spamassassin and perl.

Any other information I can provide, please let me know.

Thanks.

Evan
pyzor timeout
Hi, How does one decrease the default Pyzor timeout of five seconds? (without editing the source code :) ) Thanks Fletcher
Re: pyzor timeout
Fletcher Mattox wrote: Hi, How does one decrease the default Pyzor timeout of five seconds? (without editing the source code :) ) The Pyzor SpamAssassin plugin documentation seems to mention a pyzor_timeout option. Daryl
Re: [Devel-spam] {Spam?} ascii art spam and possible solution
On Tue, 3 Oct 2006, Randal, Phil wrote: Surely all you need to do is write a rule which gives style=FONT-SIZE: 4px (or a range of small font sizes) a biggish score? ah ustymm al td ep vhag su ga zeee ok yk ch eq jrg ymp fd vj tg yc jv yo vp km zgdadmrv dh kr lclyea fp wv ja au ln bh bn gmdu nw vs he kb ay nq ak fako lter pu kqvyfs pz ovsc dnoj combined with /\s(?:\S\S\s\s){7}/ maybe? -- John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Gun Control: The theory that a woman found dead in an alley, raped and strangled with her panty hose, is somehow morally superior to a woman explaining to police how her attacker got that fatal bullet wound. ---
RE: pyzor timeout
> Hi,
>
> How does one decrease the default Pyzor timeout of five seconds? (without editing the source code :) )
>
> Thanks
> Fletcher

You might also get better response from the server at 82.94.255.100:24441

If you would like to try, edit your /path/to/.pyzor/servers file and replace the existing server (66.250.40.33:24441) with this. Check with 'pyzor ping'

Gary V
Re: perl hogging my memory?
At 11:56 AM 10/3/2006, you wrote:

> have you looked at http://wiki.apache.org/spamassassin/OutOfMemoryProblems ? note especially the 'Heavyweight custom rules' section.

Thanks much.. That was more or less it

total 23996
56 70_sare_adult.cf | 48 70_sare_genlsubj3.cf | 8 70_sare_header_x264_x30.cf | 4 70_sare_html_eng.cf | 96 70_sare_specific.cf | 12 70_sc_top200.cf | 4708 blacklist-uri.cf
4 70_sare_bayes_poison_nxm.cf | 32 70_sare_genlsubj_eng.cf | 8 70_sare_header_x30.cf | 4 70_sare_html_x30.cf | 20 70_sare_spoof.cf | 16 71_sare_bml_pre25x.cf | 16652 blacklist.cf
24 70_sare_evilnum0.cf | 8 70_sare_genlsubj_x30.cf | 8 70_sare_highrisk.cf | 156 70_sare_obfu.cf | 28 70_sare_unsub.cf | 20 71_sare_redirect_pre3.0.0.cf | 108 bogus-virus-warnings.cf
4 70_sare_evilnum1.cf | 376 70_sare_header.cf | 108 70_sare_html.cf | 52 70_sare_obfu0.cf | 20 70_sare_uri0.cf | 16 72_sare_bml_post25x.cf | 4 init.pre
8 70_sare_evilnum2.cf | 124 70_sare_header0.cf | 28 70_sare_html0.cf | 108 70_sare_obfu1.cf | 24 70_sare_uri1.cf | 16 72_sare_redirect_post3.0.0.cf | 4 local.cf
184 70_sare_genlsubj.cf | 144 70_sare_header1.cf | 40 70_sare_html1.cf | 8 70_sare_obfu2.cf | 12 70_sare_uri3.cf | 12 99_sare_fraud_post25x.cf | 8 random.cf
48 70_sare_genlsubj0.cf | 108 70_sare_header2.cf | 24 70_sare_html2.cf | 16 70_sare_obfu3.cf | 8 70_sare_uri_eng.cf | 12 99_sare_fraud_pre25x.cf | 56 tripwire.cf
76 70_sare_genlsubj1.cf | 88 70_sare_header3.cf | 20 70_sare_html3.cf | 16 70_sare_oem.cf | 52 70_sare_whitelist.cf | 0 RulesDuJour/ | 4 v310.pre
20 70_sare_genlsubj2.cf | 8 70_sare_header_eng.cf | 40 70_sare_html4.cf | 20 70_sare_random.cf | 40 70_sare_whitelist_pre30.cf | 16 antidrug.cf | 4 v312.pre

Removed blacklist-uri.cf and blacklist.cf

Thanks. :)

Evan
Moderator: User needs to be unsubscribed...
For every post, I'm getting:

Subject: Autoreply from [EMAIL PROTECTED] (was Re:perl hogging my memory? )
Errors-To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]

Hello, I am on leave until 23 October; for any request, please contact our technical support. Regards

Thanks.

Evan
Re: Delete all emails tagged by SA.
Dear Ed Kasky

Thanks for such a nice suggestion and guidance. Currently I am using qtrap for my Qmail Server. Is there any other tool available ?

Shahzad Abid

Ed Kasky

> At 09:15 AM Tuesday, 10/3/2006, Shahzad Abid wrote -=
>
>> I have SpamAssassin version 3.1.5 running on Perl version 5.8.5 on FC3. I want to delete all emails tagged by SA as spam.
>
> So what's stopping you? Do know however that SA will not process your mail in any way - all it is intended to do is identify spam. You will need to use something else in your arsenal to accomplish this.
>
> You should read this before you just start deleting unread emails: http://wiki.apache.org/spamassassin/DeletingAllMailsMarkedSpam
>
> Ed Kasky
> ~ Randomly Generated Quote (442 of 515): The best thing about the future is that it comes only one day at a time. -Abraham Lincoln (1809-1865)
RE: pyzor timeout
>> Hi,
>>
>> How does one decrease the default Pyzor timeout of five seconds? (without editing the source code :) )
>>
>> Thanks
>> Fletcher
>
> You might also get better response from the server at 82.94.255.100:24441
>
> If you would like to try, edit your /path/to/.pyzor/servers file and replace the existing server (66.250.40.33:24441) with this. Check with 'pyzor ping'

I just did this to one of my servers: http://www200.pair.com/mecham/spam/pyzortest.txt

Gary V
Re: Moderator: User needs to be unsubscribed...
> ...
> To: users@spamassassin.apache.org
> From: Evan Platt [EMAIL PROTECTED]
> Subject: Moderator: User needs to be unsubscribed...
> ...
> For every post, I'm getting:
>
> Subject: Autoreply from [EMAIL PROTECTED] (was Re:perl hogging my memory? )
> Errors-To: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Message-Id: [EMAIL PROTECTED]
>
> Hello, I am on leave until 23 October; for any request, please contact our technical support. Regards
>
> Thanks.
>
> Evan

See thread - Tom Van Overbeke is out of the office

This message is the auto-reply from the auto-forward to [EMAIL PROTECTED] that is occurring - Seems they are on vacation too.

Paul Shupak [EMAIL PROTECTED]
Re: [Devel-spam] {Spam?} ascii art spam and possible solution
On Tue, October 3, 2006 21:44, John D. Hardin wrote: Surely all you need to do is write a rule which gives combined with /\s(?:\S\S\s\s){7}/ maybe? tripwire.cf -- This message was sent using 100% recycled spam mails.
Re: pyzor timeout
On Tue, October 3, 2006 20:55, Fletcher Mattox wrote: How does one decrease the default Pyzor timeout of five seconds? (without editing the source code :) ) perldoc Mail::SpamAssassin::Plugin::Pyzor -- This message was sent using 100% recycled spam mails.
Re: Delete all emails tagged by SA.
Not sure about Qmail - I use procmail as our MDA...

At 12:49 PM Tuesday, 10/3/2006, Shahzad Abid wrote -=

> Dear Ed Kasky
>
> Thanks for such a nice suggestion and guidance. Currently I am using qtrap for my Qmail Server. Is there any other tool available ?
>
> Shahzad Abid
>
> Ed Kasky
>
>> At 09:15 AM Tuesday, 10/3/2006, Shahzad Abid wrote -=
>>
>>> I have SpamAssassin version 3.1.5 running on Perl version 5.8.5 on FC3. I want to delete all emails tagged by SA as spam.
>>
>> So what's stopping you? Do know however that SA will not process your mail in any way - all it is intended to do is identify spam. You will need to use something else in your arsenal to accomplish this.
>>
>> You should read this before you just start deleting unread emails: http://wiki.apache.org/spamassassin/DeletingAllMailsMarkedSpam
>>
>> Ed Kasky
>> ~ Randomly Generated Quote (442 of 515): The best thing about the future is that it comes only one day at a time. -Abraham Lincoln (1809-1865)

Ed Kasky
~ Randomly Generated Quote (15 of 515): All the president is, is a glorified public relations man who spends his time flattering, kissing, and kicking people to get them to do what they are supposed to do anyway. --Harry S Truman
Spamassassin Rules
Lately, I am getting lots of similar emails that I want caught as Spam but are not. These are like:

Subject: Pharmacy -- where the word pharmacy is misspelled in many different ways.
Subject: ... My Name
Subject: ... My home address

I send these to Bayes for learning nightly, but they are still not flagged.

Are there rules that should catch this type of Spam? Do not I need change some configuration info? Am I doing something wrong?

I am currently running versions: Spamassassin: 3.0.4; Mimedefang: 2.52; Perl: 5.8.3

Thanks,
Mike
Re: perl hogging my memory?
Woot!! Thank you Justin and the rest of the Wiki crew for putting that up! I was getting tired of writing the "Are you using sa-blacklist.cf?" email over, and over again.

Justin Mason wrote:

> have you looked at http://wiki.apache.org/spamassassin/OutOfMemoryProblems ? note especially the 'Heavyweight custom rules' section.
>
> --j.
>
> Evan Platt writes:
>
>> Ok, I've googled and obviously I'm not finding the right solution.. But had to reinstall spamassassin on my os/x 10.4 box. Followed http://developer.apple.com/server/fighting_spam.html .
>>
>> But, my system is running out of memory, and it looks like Perl / spamassassin is the cause. I've omitted everything but the Perl and Spamassassin related entries:
>>
>> Load Avg: 1.97, 1.36, 0.78 CPU usage: 84.4% user, 15.6% sys, 0.0% idle
>> SharedLibs: num = 106, resident = 3.54M code, 364K data, 780K LinkEdit
>> MemRegions: num = 4984, resident = 217M + 1.37M private, 236M shared
>> PhysMem: 44.7M wired, 307M active, 153M inactive, 506M used, 5.54M free
>> VM: 4.00G + 79.0M 50554(137) pageins, 65232(79) pageouts
>>
>> PID COMMAND  %CPU  TIME    #TH #PRTS #MREGS RPRVT  RSHRD RSIZE  VSIZE
>> 448 spamc     0.0% 0:00.00  1   15     18   128K   268K- 396K   27.7M
>> 447 procmail  0.0% 0:00.00  1    8     16   8K-    364K- 176K   26.7M
>> 445 procmail  0.0% 0:00.02  1   15     16   8K-    364K- 412K   26.7M
>> 416 perl     35.1% 0:10.60  1   10    391   30.4M  233M- 94.2M  391M
>> 394 spamc     0.0% 0:00.00  1   15     18   88K    268K- 356K   27.7M
>> 393 procmail  0.0% 0:00.00  1    8     16   8K     316K- 172K   26.7M
>> 391 procmail  0.0% 0:00.02  1   15     16   8K     316K- 364K   26.7M
>> 378 perl     10.1% 0:48.50  1   10    388   150M+  207M- 217M+  391M
>> 377 perl     44.7% 1:18.63  1   10    388   26.3M  233M- 72.8M  391M
>> 271 perl      0.0% 0:00.12  1   10     43   1.93M  284K  1.07M  29.1M
>>  65 perl      0.0% 3:41.24  1   15    387   1.43M- 233M- 56.9M- 391M
>>
>> So what did I do wrong that's causing a Perl process to take up 391 megs? Obviously, I'm only guessing it's spamassassin related, but that's the only thing I can think of using perl. And I see a few google reference to spamassassin and perl.
>>
>> Any other information I can provide, please let me know.
>>
>> Thanks.
>>
>> Evan
Re: FuzzyOCR seems to not like gif and png
There are newer versions of FuzzyOCR that probably fix or at least get around this. A lot of image spam mails have broken images in them, and this messes up a lot of stuff.

The latest versions use ImageMagick. This is reputedly hard to install on many systems. But if you can get it installed it seems to work much better in terms of the images that it can handle.

You might want to join the FuzzyOCR mailing list:

List-Id: devel-spam.lists.own-hero.net
List-Unsubscribe: http://lists.own-hero.net/mailman/listinfo/devel-spam, mailto:[EMAIL PROTECTED]
List-Archive: http://lists.own-hero.net/mailman/private/devel-spam
List-Post: mailto:[EMAIL PROTECTED]
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://lists.own-hero.net/mailman/listinfo/devel-spam, mailto:[EMAIL PROTECTED]

If you search the list archive you will see a number of posts on the current release and where to get it. I think the current version is something like J.

Loren
Re: rulesdujour
#Ronan McGlue wrote:

> can someone give me a listing of the latest timestamps regarding their rulesdujour updates?
>
> I've just noticed that none of the files have been updated on my machine since mid August... surely this isn't normal...
>
> thanks
> Ronan

I just updated antidrug this past weekend. However, if you're using SA 3.0.0 or newer you should NOT be using antidrug anyway.
Re: Spamassassin Rules
Are there rules that should catch this type of Spam? Do not I need change some configuration info? Am I doing something wrong? Yes. And probably yes. If you don't have network rules enabled you should enable them. The URIBL-type rules will probably catch the vast majority of this junk. Most of the mis-spelled pharma stuff I get scores around 50. Loren
Re: Delete all emails tagged by SA.
Shahzad Abid wrote:

> Dear Ed Kasky
>
> Thanks for such a nice suggestion and guidance. Currently I am using qtrap for my Qmail Server. Is there any other tool available ?
>
> Shahzad Abid

You obviously haven't read the information on qmail-scanner. If you add the ST patch to qmail-scanner, you can have a sa-delete variable, which defines the spam score above tagged that you delete the messages.

I have a 'base' spam score of 5 - that gets marked. At 14, it gets deleted - sa-delete=9

BW
Re: pyzor timeout
Fletcher Mattox wrote: Hi, How does one decrease the default Pyzor timeout of five seconds? (without editing the source code :) ) Read the docs for the pyzor plugin: http://spamassassin.apache.org/full/3.1.x/dist/doc/Mail_SpamAssassin_Plugin_Pyzor.html As Stuart already pointed out it is: pyzor_timeout 1 But in general, you'll find the options for a plugin in the plugin's docs, not the main Conf docs.
HELO test rule-writing questions
Hi all,

I'm trying to write some SA rules for additional tests on the connecting mailserver's SMTP HELO string, and I have some questions about how to do it. Should I send them to this list or to the dev list?

Assuming it's this list, one of the things I'm trying to do is assign a modest score to helo strings containing a bracketed IP address. (This is technically valid in SMTP.)

I've read through some of the tests in 20_fake_helo_tests.cf, and it appears they rely on SA's parsing code creating a kind of magic pseudo-header X-Spam-Relays-Untrusted containing a string with the helo and other data? I'm not sure I get the point of the recurring [^\]]+ bits in the examples I looked at.

So would a test for a bracketed IP address look like this?

# [60.222.35.88]
header HELO_BRACKETED_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\[\d+\.\d+\.\d+\.\d+\][^\]]+ auth= /i

I want to distinguish this case from a bare IP address (invalid!) which I also want to look at and score:

# [60.222.35.88]
header HELO_BARE_IP X-Spam-Relays-Untrusted =~ /^[^\]]+ helo=\d+\.\d+\.\d+\.\d+[^\]]+ auth= /i

-- Clifton

--
Clifton Royston -- [EMAIL PROTECTED] / [EMAIL PROTECTED]
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services
Score=x ?
I've seen a couple of mails come through lately with score=x. Perhaps there have been some coming in all along like that and I haven't noticed it. What does score=x mean?

Thanks,
Mike

X-Virus-Scanned: amavisd-new at cajuninc.com
X-Spam-Score: -
X-Spam-Level:
X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
Received: from moe.cajuninc.com ([127.0.0.1]) by localhost (moe.cajuninc.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJfhQbv7NXdm for [EMAIL PROTECTED]; Tue, 3 Oct 2006 10:58:26 -0500 (EST)
Received: from moe.cajuninc.com (moe.cajuninc.com [127.0.0.1]) by moe.cajuninc.com (Postfix) with ESMTP id A602F640189 for [EMAIL PROTECTED]; Tue, 3 Oct 2006 10:58:07 -0500 (EST)

--
IBM: Insultingly Boring Microcomputers
22:55:01 up 13 days, 4:29, 8 users, load average: 0.51, 0.27, 0.20
Linux Registered User #241685 http://counter.li.org
Re: Score=x ?
On Tue, Oct 03, 2006 at 10:59:40PM -0500, M.Lewis wrote:
> I've seen a couple of mails come through lately with score=x. Perhaps there have been some coming in all along like that and I haven't noticed it. What does score=x mean?
>
> X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
> Received: from moe.cajuninc.com ([127.0.0.1]) by localhost (moe.cajuninc.com [127.0.0.1]) (amavisd-new, port 10024)
> [...]

amavis is doing the markup, so I would ask them.

--
Randomly Selected Tagline:
fail(Language designer not persuaded);# :-) -- Larry Wall in [EMAIL PROTECTED]
Re: Score=x ?
Matt Kettler wrote:
> That's an amavis thing, but I presume it means there is no score (ie: SA did not completely analyze the message, so no score was computed). This could mean message was not fed to spamassassin (due to hard whitelist or bypass_spam_checks), or amavis timed-out the spamassassin process (which is very likely to happen if your sa_timeout is less than 120, and you are using bayes).
>
> That said, you'd have to ask someone who knows amavisd-new. I don't. But that's my best educated guess. I hope it helps some.

Thanks Matt. You could be right. I don't know. I will ask on Amavis list as Theo suggested.

M

> M.Lewis wrote:
>> I've seen a couple of mails come through lately with score=x. Perhaps there have been some coming in all along like that and I haven't noticed it. What does score=x mean?
>>
>> Thanks,
>> Mike
>>
>> X-Virus-Scanned: amavisd-new at cajuninc.com
>> X-Spam-Score: -
>> X-Spam-Level:
>> X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
>> Received: from moe.cajuninc.com ([127.0.0.1]) by localhost (moe.cajuninc.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJfhQbv7NXdm for [EMAIL PROTECTED]; Tue, 3 Oct 2006 10:58:26 -0500 (EST)
>> Received: from moe.cajuninc.com (moe.cajuninc.com [127.0.0.1]) by moe.cajuninc.com (Postfix) with ESMTP id A602F640189 for [EMAIL PROTECTED]; Tue, 3 Oct 2006 10:58:07 -0500 (EST)

--
As far as we know, our computer has never had an undetected error. - Weisert
23:25:01 up 13 days, 4:59, 8 users, load average: 0.07, 0.24, 0.39
Linux Registered User #241685 http://counter.li.org
What's the best method to use SA?
Hello.

I have used SA with procmail, and clamav + sendmail (libmilter) against viruses. But I have found other related solutions like http://www.mailscanner.info/ or http://www.amavis.org/. I don't know what the difference is, or which is better, between SA using procmail and the above solutions. Faster or more effective? Does anyone use the above solutions?

Thanks...
Re: Score=x ?
That's an amavis thing, but I presume it means there is no score (ie: SA did not completely analyze the message, so no score was computed). This could mean message was not fed to spamassassin (due to hard whitelist or bypass_spam_checks), or amavis timed-out the spamassassin process (which is very likely to happen if your sa_timeout is less than 120, and you are using bayes).

That said, you'd have to ask someone who knows amavisd-new. I don't. But that's my best educated guess. I hope it helps some.

M.Lewis wrote:
> I've seen a couple of mails come through lately with score=x. Perhaps there have been some coming in all along like that and I haven't noticed it. What does score=x mean?
>
> Thanks,
> Mike
>
> X-Virus-Scanned: amavisd-new at cajuninc.com
> X-Spam-Score: -
> X-Spam-Level:
> X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
> Received: from moe.cajuninc.com ([127.0.0.1]) by localhost (moe.cajuninc.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJfhQbv7NXdm for [EMAIL PROTECTED]; Tue, 3 Oct 2006 10:58:26 -0500 (EST)
> Received: from moe.cajuninc.com (moe.cajuninc.com [127.0.0.1]) by moe.cajuninc.com (Postfix) with ESMTP id A602F640189 for [EMAIL PROTECTED]; Tue, 3 Oct 2006 10:58:07 -0500 (EST)