2 different scores?

2006-10-05 Thread Evan Platt
Ok, I've googled this, and perhaps I'm not searching with the right 
words or my search is too vague..


Running spamassassin on an OS X box.

SA is called from my procmail:

:0fw: spamassassin.lock
| spamc -s 512000
(Perhaps I have more than one spamc and I'm calling the wrong one?)

Just received a piece of spam with the below headers:

X-Spam-Checker-Version: SpamAssassin 3.1.6 (2006-10-03) on
www-espphotography-com.local
X-Spam-Level: **
X-Spam-Status: No, score=2.4 required=5.0 tests=HELO_DYNAMIC_HOME_NL,INFO_TLD,
UNPARSEABLE_RELAY autolearn=no version=3.1.6

(Partial, obviously).

Ran it through spamassassin on the command line:

X-Spam-Checker-Version: SpamAssassin 3.1.6 (2006-10-03) on
www-espphotography-com.local
X-Spam-Level: 
X-Spam-Status: Yes, score=20.2 required=5.0 tests=HELO_DYNAMIC_HOME_NL,
INFO_TLD,RCVD_IN_SORBS_DUL,RCVD_IN_WHOIS_BOGONS,UNPARSEABLE_RELAY,
URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL
autolearn=spam version=3.1.6

Any hints of what to look for as to why mail being received isn't 
scoring all that well?


The crontab entry launched on startup is:

/opt/local/bin/spamd 



Any clues?

Thanks.

Evan 
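A quick way to see exactly what the delivery path is not doing is to diff the rule hits in the two X-Spam-Status headers. The script below is an added diagnostic, not SpamAssassin code or anything from the post: it parses both headers quoted above (folded over several lines, as they arrive) and reports which rules fired in the manual run only. The prefix list used to label a rule as DNS-based is an assumption of this example. When every missing rule is a network rule, the thing to check is whether spamd is reachable by DNS from wherever it runs and whether it was started in local-only mode (spamd -L), since either makes spamc return scores without the RBL and URIBL tests.

```python
"""Compare the rule hits in two X-Spam-Status headers (added diagnostic, not SpamAssassin code)."""
import re

# Heuristic: rules with these prefixes need DNS lookups. The list is an
# assumption of this example, not a SpamAssassin-defined category.
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "DNS_")


def parse_status(header: str) -> dict:
    """Return {'spam': bool, 'score': float, 'tests': set} from an
    X-Spam-Status header, whether it is folded over several lines or not."""
    flat = re.sub(r"\s+", " ", header.strip())
    verdict = re.search(r"X-Spam-Status:\s*(Yes|No)", flat).group(1)
    score = float(re.search(r"score=(-?[0-9.]+)", flat).group(1))
    tests = re.search(r"tests=(.*?)\s+autolearn=", flat).group(1)
    return {"spam": verdict == "Yes", "score": score,
            "tests": set(t for t in re.split(r"[,\s]+", tests) if t)}


def compare_runs(delivery_header: str, manual_header: str) -> dict:
    """Which rules fired in the manual run but not on the delivery path?"""
    delivered, manual = parse_status(delivery_header), parse_status(manual_header)
    missing = sorted(manual["tests"] - delivered["tests"])
    network = [t for t in missing if t.startswith(NETWORK_PREFIXES)]
    return {
        "score_delivery": delivered["score"],
        "score_manual": manual["score"],
        "missing_on_delivery": missing,
        # True when every rule that did not fire on delivery needs DNS
        "only_network_rules_missing": bool(missing) and len(network) == len(missing),
    }


# The two headers quoted in the post above, as they were folded there.
DELIVERY = """X-Spam-Status: No, score=2.4 required=5.0 tests=HELO_DYNAMIC_HOME_NL,INFO_TLD,
UNPARSEABLE_RELAY autolearn=no version=3.1.6"""

MANUAL = """X-Spam-Status: Yes, score=20.2 required=5.0 tests=HELO_DYNAMIC_HOME_NL,
INFO_TLD,RCVD_IN_SORBS_DUL,RCVD_IN_WHOIS_BOGONS,UNPARSEABLE_RELAY,
URIBL_AB_SURBL,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL
autolearn=spam version=3.1.6"""

if __name__ == "__main__":
    for key, value in compare_runs(DELIVERY, MANUAL).items():
        print(f"{key}: {value}")
```

For the two headers above the report lists seven missing rules, all of them RCVD_IN_* or URIBL_* lookups, which is what separates a 2.4 from a 20.2.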



RE: Upgrading from SpamAssassin 2.55

2006-10-05 Thread Mark

> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: vrijdag 6 oktober 2006 4:33
> To: Mark
> Cc: users@spamassassin.apache.org
> Subject: Re: Upgrading from SpamAssassin 2.55

Wow; that was a very comprehensive and useful answer. :) Part of the
reason I've been postponing the upgrade is because my setup relies
on the -u functionality of spamc.

Thanks.

- Mark


> Mark wrote:
>
> > Hello,
> >
> > I'm finally upgrading from SpamAssassin 2.55 (tweaked myself, over time)
> > to 3.1.6. I have a few questions regarding this upgrade.
> >
> > In the "old" SA, I had a file called ConfSourceSQL.pm, which did the
> > per-user stuff for MySQL. I cannot seem to find a similar file in
> > function. I see BayesStore/MySQL.pm, but that's not what I'm looking for
> > (I just want the file that retrieves the per-user MySQL settings).
> >
> > I also read somewhere that you can no longer parse the -u option to spamc.
>
> Parse? or pass? You can still pass -u to spamc. That's not changed in
> any way I'm aware of from 2.55 to 3.1.6.
>
> According to the docs you shouldn't use -u to cause spamc's environment
> (ie: where ~/ is), but I say that's nothing but shenanigans. Your
> version of spamassassin says the same thing. Check the spamc manpage on
> your system..
>
> The spamc docs have claimed -u is "semi obsoleted" and you should su
> first for a very long time. In fact, the docs for this argument haven't
> changed since at least 2.40. I say it's a crock.
>
> Someone implemented reading the current userid a long time ago and then
> updated the docs in order to proclaim this as the only proper way. As
> time has gone on, spamc -u has gotten more useful, not less. SA now
> supports virtual users who only have SQL stored configurations. How's
> that work if you shouldn't use -u?
>
> I'd ignore this aspect of the docs as outdated rubbish made by someone
> who envisioned the "new" feature as causing -u to eventually go away.
> That's never come to pass, and probably never will.
>
> That said, if your user is su'able, there's no reason to not su first..
> but you could use -u if you wanted.
>
> Some evidence:
>
> SA 2.40's spamc manpage (lifted from a freshly downloaded tarball from cpan)
> ---
> item -u username
>
> This argument has been semi-obsoleted. To have spamd use per-user-config
> files, run spamc as the user whose config files spamd should load. If you're
> running spamc as some other user, though, (eg. root, mail, nobody, cyrus, etc.)
> then you can still use this flag.
> ---
>
> SA 2.50's spamc man page (lifted from a local tarball)
> ---
> item -u username
>
> This argument has been semi-obsoleted. To have spamd use per-user-config
> files, run spamc as the user whose config files spamd should load. If you're
> running spamc as some other user, though, (eg. root, mail, nobody, cyrus, etc.)
> then you can still use this flag.
> ---
>
> SA 3.1.0's man page, lifted from
> http://spamassassin.apache.org/full/3.1.x/dist/doc/spamc.html
>
> ---
>
> -u username
>
> This argument has been semi-obsoleted. To have spamd use
> per-user-config files, run spamc as the user whose config files
> spamd should load. If you're running spamc as some other user,
> though, (eg. root, mail, nobody, cyrus, etc.) then you
> can still use this flag.
>
> ---



dcc whiteclnt support broken in SA 3.1.x?

2006-10-05 Thread Matt Kettler
I recently have been fighting with making DCC work properly on a SA
3.1.x install.

I have several high-volume mailing lists that repeatedly hit DCC, so I
did what every good DCC user should do. I added an "ok" for the envelope
from to my whiteclnt file, made sure dccifd was using it, and reloaded
dccifd.

Next message from that list, still tagged by DCC.

So I tried received, still no go.

Looking at the code, the envelope_from will *never* work, because SA
passes an empty string as the envelope sender in sub dccifd_lookup:

# send the options and other parameters to the daemon
$sock->print("header " . $opts . "\n") || dbg("dcc: failed write") && die; # options
$sock->print($client . "\n") || dbg("dcc: failed write") && die; # client
$sock->print($helo . "\n") || dbg("dcc: failed write") && die; # HELO value
$sock->print("\n") || dbg("dcc: failed write") && die; # sender
$sock->print("unknown\r\n") || dbg("dcc: failed write") && die; # recipients
$sock->print("\n") || dbg("dcc: failed write") && die; # recipients

However, the received one should work. In check_dcc, both the first
external host and its RDNS name are added to $client, so that should be
getting to dccifd.

What's going on? What magic do I need to make whiteclnt work properly in
a SA 3.1.x environment when using dccifd?





Re: Upgrading from SpamAssassin 2.55

2006-10-05 Thread Matt Kettler
Mark wrote:
> Hello,
>
> I'm finally upgrading from SpamAssassin 2.55 (tweaked myself, over time)
> to 3.1.6. I have a few questions regarding this upgrade.
>
> In the "old" SA, I had a file called ConfSourceSQL.pm, which did the
> per-user stuff for MySQL. I cannot seem to find a similar file in
> function. I see BayesStore/MySQL.pm, but that's not what I'm looking for
> (I just want the file that retrieves the per-user MySQL settings).
>
> I also read somewhere that you can no longer parse the -u option to spamc.
>   
Parse? or pass? You can still pass -u to spamc. That's not changed in
any way I'm aware of from 2.55 to 3.1.6.

According to the docs you shouldn't use -u to cause spamc's environment
(ie: where ~/ is), but I say that's nothing but shenanigans. Your
version of spamassassin says the same thing. Check the spamc manpage on
your system..

The spamc docs have claimed -u is "semi obsoleted"  and you should su
first for a very long time. In fact, the docs for this argument haven't
changed since at least 2.40. I say it's a crock.

Someone implemented reading the current userid a long time ago and then
updated the docs in order to proclaim this as the only proper way. As
time has gone on, spamc -u has gotten more useful, not less.  SA now
supports virtual users who only have SQL stored configurations. How's
that work if you shouldn't use -u?

I'd ignore this aspect of the docs as outdated rubbish made by someone
who envisioned the "new" feature as causing -u to eventually go away.
That's never come to pass, and probably never will.

That said, if your user is su'able, there's no reason to not su first..
but you could use -u if you wanted.


Some evidence:

SA 2.40's spamc manpage (lifted from a freshly downloaded tarball from cpan)
---
item -u username

This argument has been semi-obsoleted.  To have spamd use per-user-config
files, run spamc as the user whose config files spamd should load.  If you're
running spamc as some other user, though, (eg. root, mail, nobody, cyrus, etc.)
then you can still use this flag.
---

SA 2.50's spamc man page (lifted from a local tarball)
---
item -u username

This argument has been semi-obsoleted.  To have spamd use per-user-config
files, run spamc as the user whose config files spamd should load.  If you're
running spamc as some other user, though, (eg. root, mail, nobody, cyrus, etc.)
then you can still use this flag.
---

SA 3.1.0's man page, lifted from
http://spamassassin.apache.org/full/3.1.x/dist/doc/spamc.html

---

-u username

This argument has been semi-obsoleted. To have spamd use
per-user-config files, run spamc as the user whose config files
spamd should load. If you're running spamc as some other user,
though, (eg. root, mail, nobody, cyrus, etc.) then you can still use
this flag.

---




> I cannot say I like that. I have an LDA that runs as root (of course),
> that calls spamc for the user associated with the recipient in question.
> One could make a system call, like this:
>
> system ("/usr/bin/su $user -c /path-to-spamc");
>
> But that only works for users who have actual shell accounts (most of my
> users just have mail accounts). But I rather have the -u option to spamc
> back. :) So, any way to call spamc for separate users with a "fixed" UID?
>
> Thanks,
>
> - Mark
>
>
>   



Re: double letter porn

2006-10-05 Thread jdow

Addition of a Soundex module for seeing if words "sound" like the
words given negative scores in SpamAssassin might be an interesting
trick.
{^_^}
- Original Message - 
From: "Chris St. Pierre" <[EMAIL PROTECTED]>




One thing I've wondered/thought about is using the Levenshtein
difference between the words in an email and a list of spam words
(ideally pulled from the bayes db).  In this case, all of the
misspelled words in that sample have a L-distance of 1 from the real
word -- in other words, they're *very* close.

I think the problem would be that this would consume tons of
resources.  Anything else, though, would be susceptible to other typo
attacks.  For instance, say you took each email, and replaced all
doubled letters with single letters, it wouldn't be long before you
were getting spam advertising "analr bictches" or the like.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Wed, 4 Oct 2006, Eric A. Hall wrote:



On 10/4/2006 5:57 PM, Richard Doyle wrote:

I've been getting lots of porn site spam containing words with doubled
letters, like this one:



Can anybody suggest a rule or ruleset to catch these double-letter
obfuscations? I'm using Spamassassin 3.1.4.


You'd probably need to write a plug-in that used some kind of
typo-matching logic to find porno words.

Would be a good plug-in actually. Get busy :)

--
Eric A. Hall                 http://www.ehsco.com/
Internet Core Protocols      http://www.oreilly.com/catalog/coreprot/



Upgrading from SpamAssassin 2.55

2006-10-05 Thread Mark

Hello,

I'm finally upgrading from SpamAssassin 2.55 (tweaked myself, over time)
to 3.1.6. I have a few questions regarding this upgrade.

In the "old" SA, I had a file called ConfSourceSQL.pm, which did the
per-user stuff for MySQL. I cannot seem to find a similar file in
function. I see BayesStore/MySQL.pm, but that's not what I'm looking for
(I just want the file that retrieves the per-user MySQL settings).

I also read somewhere that you can no longer parse the -u option to spamc.
I cannot say I like that. I have an LDA that runs as root (of course),
that calls spamc for the user associated with the recipient in question.
One could make a system call, like this:

system ("/usr/bin/su $user -c /path-to-spamc");

But that only works for users who have actual shell accounts (most of my
users just have mail accounts). But I rather have the -u option to spamc
back. :) So, any way to call spamc for separate users with a "fixed" UID?

Thanks,

- Mark



Re: On spamassassin usage, from an sa ignoramus

2006-10-05 Thread Loren Wilton

So I started running fetchmail as a cron job from each mail server.
This seems to work fine.
What puzzles me is that I never saw this suggested anywhere.
Am I missing some obvious alternative?


Nope, this is a moderately standard way to do this.  Fetchmail->procmail->SA 
(spamc/spamd)->delivery stuff.


It has been discussed, but not a lot.  Most people on the list seem to be 
running Big Machines and would be on the feeding end of the pop3 link, so 
they don't have much use for this sort of solution.  There are probably 
half a dozen people (including myself) on the list that do this.


   Loren



Re: ANNOUNCE: Apache SpamAssassin 3.1.6 available!

2006-10-05 Thread Evan Platt

At 10:56 AM 10/5/2006, you wrote:

Apache SpamAssassin 3.1.6 is now available!  This is a maintenance
release of the 3.1.x branch.

Downloads are available from:
  http://spamassassin.apache.org/downloads.cgi?update=200610050918



from http://spamassassin.apache.org/downloads.cgi?update=200610050918
the tar.gz link,
http://apache.cs.utah.edu/spamassassin/source/Mail-SpamAssassin-3.1.6.tar.gz

gives a 404?

Evan 



Re: double letter porn

2006-10-05 Thread Evan Platt

At 01:22 PM 10/5/2006, you wrote:

I think the problem would be that this would consume tons of
resources.  Anything else, though, would be susceptible to other typo
attacks.  For instance, say you took each email, and replaced all
doubled letters with single letters, it wouldn't be long before you
were getting spam advertising "analr bictches" or the like.


Fortunately, we've gotten to the point where spammers have to 
misspell everything for their spam to get through, or basically 
include NOTHING but a hyperlink, or both. For example, I see quite a 
bit of crap with

"Hi.

ViiiIaaaAgGGRAAA
CIIIAAALLLIS

http://www.blahblah.com";

of course, I disable HTML and all that crap, so the spam could look 
'normal' in HTML.


Then of course, there's the totally misspelled crap, "We offar tawp 
kwality roooleks washes".




RE: double letter porn

2006-10-05 Thread Chris St. Pierre
On Thu, 5 Oct 2006, Bowie Bailey wrote:
>
>I would think the problem with computing distances is preventing false
>matches on normal words.  Consider these:
>
>hunt
>shot
>dice
>fits
>
>These are all a distance of 1 from words you might want to look for.

Heh, good examples.

While that's true, you probably wouldn't score something based on just
one or two hits.  It'd be sort of like weighted bayes -- each hit
would get scored based on the length of the target word and the
closeness of the hit, and that would create a composite score for the
message.  You would then do SA scoring based on this composite.

So, to use a completely spurious example, let's assume that each word
points equal to (length of target / distance).  So this message:

"We went on a hunt, and then shot some dice."

Might have three hits: hunt, shot, and dice.  (Although I'm not sure
you'd want to match either shot or dice.)  That would give it a score
of 12.

The example message earlier had at least six misspelled words:  orrgy,
pornn, bitchees, annal, orgiees, and ssex.  That would give a
composite score of 26.  Your breaking point would be somewhere between
12 and 26.

In reality, I think you'd want to use an exponential scale for the
length, so that a six-letter word counts for (e.g.) twice as much as a
five-letter word.  If we did that -- word score = (length of target ^
2 / distance) -- then the innocent sample message would score a 48 and
the guilty sample would score a 118, yet a larger gap
(magnitude-wise).

Another option would be to use a combination of Levenshtein distance
and an algorithm like metaphone for representing the pronunciation of
a word.  So levenshtein(metaphone("orgy", "orrgy")) == 0, but
levenshtein(metaphone("dice", "dick")) == 1.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
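The scoring sketched above is easy to try out. The script below is an added illustration written for this thread, not code from SpamAssassin or from any of the posters: it implements Levenshtein distance, collapses runs of a repeated letter first (the "double letter" normalisation discussed earlier, so that "ViiiIaaaAgGGRAAA" becomes "viagra"), and then applies the second scoring formula from the post, len(target)**2 / distance, summed over every token within a fixed edit distance of a target word. The target list, the cut-off distance of 2, and the choice to score an exact match (distance 0) as distance 1 are all assumptions of this example; targets are expected to be given in already-normalised form.

```python
"""Fuzzy-match scorer for obfuscated words (added illustration; not SpamAssassin code)."""
import re


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings, standard DP."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalize(token: str) -> str:
    """Lower-case, drop non-letters, and collapse runs of the same letter,
    so 'ViiiIaaaAgGGRAAA' -> 'viagra' and 'roooleks' -> 'roleks'."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    return re.sub(r"(.)\1+", r"\1", letters)


def word_hits(message: str, targets, max_distance: int = 2):
    """(token, target, distance, score) for each token within max_distance
    edits of a target. Score = len(target)**2 / distance; an exact match
    is scored as distance 1 (an assumption of this example)."""
    hits = []
    for raw in message.split():
        tok = normalize(raw)
        if not tok:
            continue
        for target in targets:
            d = levenshtein(tok, target)
            if d <= max_distance:
                hits.append((raw, target, d, len(target) ** 2 / max(d, 1)))
    return hits


def composite_score(message: str, targets, max_distance: int = 2) -> float:
    """Sum of the per-word scores; this is what an SA rule would threshold on."""
    return sum(h[3] for h in word_hits(message, targets, max_distance))


TARGETS = ["viagra", "cialis", "rolex"]   # constructed target list, normalised form

# Constructed samples built from the obfuscations quoted in this thread.
SAMPLES = {
    "obfuscated": "Hi. ViiiIaaaAgGGRAAA CIIIAAALLLIS http://www.blahblah.com",
    "misspelled": "We offar tawp kwality roooleks washes",
    "innocent": "We went on a hunt, and then shot some dice.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {composite_score(text, TARGETS)}  {word_hits(text, TARGETS)}")
```

With these targets the letter-stretched sample scores 72 (two exact hits after normalisation), the misspelled one 12.5 (only "roooleks" lands within two edits of "rolex"), and the innocent sentence 0. The false-positive problem raised earlier in the thread shows up as soon as short target words are added: a four-letter target one edit away from an everyday word contributes 16 points under this formula, which is why the length weighting and a fairly high composite threshold both matter.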




RE: double letter porn

2006-10-05 Thread Bowie Bailey
Chris St. Pierre wrote:
> One thing I've wondered/thought about is using the Levenshtein
> difference between the words in an email and a list of spam words
> (ideally pulled from the bayes db).  In this case, all of the
> misspelled words in that sample have a L-distance of 1 from the real
> word -- in other words, they're *very* close.
> 
> I think the problem would be that this would consume tons of
> resources.  Anything else, though, would be susceptible to other typo
> attacks.  For instance, say you took each email, and replaced all
> doubled letters with single letters, it wouldn't be long before you
> were getting spam advertising "analr bictches" or the like.

I would think the problem with computing distances is preventing false
matches on normal words.  Consider these:

hunt
shot
dice
fits

These are all a distance of 1 from words you might want to look for.

-- 
Bowie


Re: double letter porn

2006-10-05 Thread Chris St. Pierre
One thing I've wondered/thought about is using the Levenshtein
difference between the words in an email and a list of spam words
(ideally pulled from the bayes db).  In this case, all of the
misspelled words in that sample have a L-distance of 1 from the real
word -- in other words, they're *very* close.

I think the problem would be that this would consume tons of
resources.  Anything else, though, would be susceptible to other typo
attacks.  For instance, say you took each email, and replaced all
doubled letters with single letters, it wouldn't be long before you
were getting spam advertising "analr bictches" or the like.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Wed, 4 Oct 2006, Eric A. Hall wrote:

>
>On 10/4/2006 5:57 PM, Richard Doyle wrote:
>> I've been getting lots of porn site spam containing words with doubled
>> letters, like this one:
>
>> Can anybody suggest a rule or ruleset to catch these double-letter
>> obfuscations? I'm using Spamassassin 3.1.4.
>
>You'd probably need to write a plug-in that used some kind of
>typo-matching logic to find porno words.
>
>Would be a good plug-in actually. Get busy :)
>
>-- 
>Eric A. Hall                 http://www.ehsco.com/
>Internet Core Protocols      http://www.oreilly.com/catalog/coreprot/
>


Re: 3.1.6, local scores, and sa-update

2006-10-05 Thread Daryl C. W. O'Shea

Daryl C. W. O'Shea wrote:

For now you'll have to disable the score lines while you do sa-update. 
Temporarily renaming whatever.cf to whatever.cf-disabled is probably the 
easiest way to go about it.


BTW, you could also delete or comment out the "exit 2;" around line 375 
of sa-update.


Daryl


Re: bayes_toks.expire.... can I delete these?

2006-10-05 Thread Derek Catanzaro

Matt Kettler wrote:


That's *enormous* for bayes_toks. It should be something on the order of
10-20 megs with the default bayes_expiry_max_db_size settings.

Since your bayes DB has so many excess tokens, it may take sa-learn
--force-expire a VERY long time to actually do the expire. Bayes Expiry
performance doesn't seem to scale very well to large databases when
you're using db files.

Try kicking it off again. If you're concerned it's hung, do two things:

1) add -D to the command line to turn on the debug output. Use this to
make sure it's not getting hung up trying to get a lock. If it can't get
a file lock you'll see it retrying constantly. Based on the journal sync
message below, it probably didn't get hung here, but it's still useful
to see the debug output in this case.

2) use another terminal to check the .expire file. *after* the debug
tells you SA has figured out a good atime, it should start writing to
this file. It should keep slowly growing in size, so you can use this to
check if it's still working away.

I will kick off sa-learn --force-expire during off peak hours and see 
how it goes.  Email has been backing up for the past couple of days 
during peak hours, the only way for me to relieve the back up has been 
to disable spamassassin in the MailScanner.conf (Use SpamAssassin= no).  
After disabling SA, mail routes quickly but obviously this leaves me 
wide open for spam.  Earlier today I just figured I would run 
SpamAssassin but disable bayes and see how mail performance would work, 
and it is working good now.  So I at least have SA running but bayes is 
disabled.  I will work on getting the bayes db squared away and turn 
bayes back on once I have it under control.

I've since found that 120 seconds wasn't adequate for situations where
there were a lot of tokens to expire. While 120 made this problem less
frequent, it didn't go away. Hence my current recommendations vary from
5 to 10 minutes.
  
I kicked up the spamassassin timeout to 300.  With bayes disabled this 
should be sufficient.  I will address the timeout parameter if I have 
issues after enabling bayes again.


Thanks again,
Derek




Re: 3.1.6, local scores, and sa-update

2006-10-05 Thread Daryl C. W. O'Shea

Stuart Johnston wrote:


Could you just add appropriate ifplugin lines for a more permanent fix?


Unfortunately, no.  Everything in the local site config dir is loaded, 
including the pre files.  The default rules aren't loaded though... a 
poor attempt at not bothering to lint rules that are never going to be 
used after the update. :(


Daryl




Re: 3.1.6, local scores, and sa-update

2006-10-05 Thread Stuart Johnston

Daryl C. W. O'Shea wrote:

Mike Grau wrote:

Since upgrading to SpamAssassin 3.1.6, running sa-update yields

# sa-update
config: warning: score set for non-existent rule BAYES_50
config: warning: score set for non-existent rule BAYES_05

...

error: lint check of current site config failed, cannot continue.


I assume this is because sa-update now "include local site config in
sa-update lint checks".

Previously I've set some custom scores for stock rules in
/etc/mail/spamassassin/whatever.cf
without changing the rule definitions or descriptions. Can I not do this
and need to define the "body BAYES_99" and "describe BAYES_99" in
whatever.cf also, or is this a bug in sa-update?


Sigh.  None of the machines I tested the change on redefined any scores. 
 I forgot that this actually causes an error and not info, so I didn't 
even think of trying it.


For now you'll have to disable the score lines while you do sa-update. 
Temporarily renaming whatever.cf to whatever.cf-disabled is probably the 
easiest way to go about it.


Could you just add appropriate ifplugin lines for a more permanent fix?


Re: 3.1.6, local scores, and sa-update

2006-10-05 Thread John Andersen
On Thursday 05 October 2006 11:31, Daryl C. W. O'Shea wrote:
> > Previously I've set some custom scores for stock rules in
> > /etc/mail/spamassassin/whatever.cf
> > without changing the rule definitions or descriptions. Can I not do this
> > and need to define the "body BAYES_99" and "describe BAYES_99" in
> > whatever.cf also, or is this a bug in sa-update?
>
> Sigh.  None of the machines I tested the change on redefined any scores.
>   I forgot that this actually causes an error and not info, so I didn't
> even think of trying it.

I'm pretty sure this is going to be a major problem for many many sites.
Lots of people are running various specialized rules in separate .cf files.

-- 
_
John Andersen




Re: 3.1.6, local scores, and sa-update

2006-10-05 Thread Daryl C. W. O'Shea

Mike Grau wrote:

Since upgrading to SpamAssassin 3.1.6, running sa-update yields

# sa-update
config: warning: score set for non-existent rule BAYES_50
config: warning: score set for non-existent rule BAYES_05

...

error: lint check of current site config failed, cannot continue.


I assume this is because sa-update now "include local site config in
sa-update lint checks".

Previously I've set some custom scores for stock rules in
/etc/mail/spamassassin/whatever.cf
without changing the rule definitions or descriptions. Can I not do this
and need to define the "body BAYES_99" and "describe BAYES_99" in
whatever.cf also, or is this a bug in sa-update?


Sigh.  None of the machines I tested the change on redefined any scores. 
 I forgot that this actually causes an error and not info, so I didn't 
even think of trying it.


For now you'll have to disable the score lines while you do sa-update. 
Temporarily renaming whatever.cf to whatever.cf-disabled is probably the 
easiest way to go about it.



Daryl
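The rename workaround is easy to get wrong by hand (a failed sa-update leaves the override file renamed, and scoring silently reverts to stock scores on the next restart). The script below is an added example, not part of sa-update or of the poster's advice: it renames the chosen .cf files in the site config directory to the whatever.cf-disabled form suggested above, runs the update command, and restores the files in a finally block whether the command succeeded or not. The default directory is the one named in the thread; the command and the file selection are parameters, and the demo at the end exercises the whole sequence against a scratch directory with constructed files and a stand-in command that exits with status 3.

```python
"""Run sa-update with local score-override .cf files set aside (added example)."""
import subprocess
from pathlib import Path

DISABLED_SUFFIX = "-disabled"   # the naming used in the thread: whatever.cf-disabled


def disable_local_cf(site_dir: Path, names=None):
    """Rename the selected *.cf files in site_dir out of sa-update's way.
    names=None means every *.cf. Returns [(original, renamed), ...] so the
    caller can restore exactly what was moved and nothing else."""
    moved = []
    for cf in sorted(site_dir.glob("*.cf")):
        if names is None or cf.name in names:
            renamed = cf.with_name(cf.name + DISABLED_SUFFIX)
            if renamed.exists():
                raise FileExistsError(f"{renamed} already exists; refusing to clobber it")
            cf.rename(renamed)
            moved.append((cf, renamed))
    return moved


def restore_local_cf(moved):
    """Put every renamed file back; returns the restored paths."""
    restored = []
    for original, renamed in moved:
        renamed.rename(original)
        restored.append(original)
    return restored


def run_sa_update(site_dir="/etc/mail/spamassassin", names=None, command=("sa-update",)):
    """Disable, run, restore. The restore runs even if sa-update fails or
    raises, so the overrides never stay disabled. Returns the exit status."""
    moved = disable_local_cf(Path(site_dir), names)
    try:
        return subprocess.run(list(command), check=False).returncode
    finally:
        restore_local_cf(moved)


def demo():
    """Exercise the sequence in a scratch directory with constructed files.
    Returns what the directory looked like while disabled and afterwards."""
    import sys
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "whatever.cf").write_text("score BAYES_99 5.0\n")   # constructed override
        (site / "local.cf").write_text("required_score 5.0\n")      # constructed, left alone
        moved = disable_local_cf(site, names={"whatever.cf"})
        during = sorted(p.name for p in site.iterdir())
        restore_local_cf(moved)
        # stand-in for sa-update that fails, to show the restore still happens
        rc = run_sa_update(site, names={"whatever.cf"},
                           command=(sys.executable, "-c", "raise SystemExit(3)"))
        after = sorted(p.name for p in site.iterdir())
    return {"during": during, "rc": rc, "after": after}


if __name__ == "__main__":
    print(demo())
```

Only the files you name are touched, so local.cf with its non-score settings stays in place; passing names=None sets aside every .cf in the directory, which is the blunt version of the same workaround.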


Re: OT - verify addresses

2006-10-05 Thread hamann . w
Hi,

I was not really aware of probes before I noticed a few sites that probe the
sender before accepting mail.
This led me to the idea of verifying myself, in a different context: people
place orders on a website, and leave an email address for order confirmation
and shipping details.
I have had a domain check in place for a long time (some people just write
@hotmail and hope that an operator completes it for them) but still get about
half a dozen failed addresses - often the spelling error is obvious.

As for lots of probes: I have implemented non-linear tarpitting which seems to
do a good job.

Wolfgang Hamann 

>> 
>> 
>> Nigel Frankcom wrote:
>> > On Thu, 05 Oct 2006 12:32:07 +0200, [EMAIL PROTECTED] wrote:
>> > 
>> >> back a few years, some mail servers (e.g. qmail) disabled the verify 
>> >> command
>> >> to avoid address probing - and as a consequence would send bounces.
>> >> Nowadays, the majority of mail servers (apart from aol :) rejects unknown
>> >> users with a 5xx response to RCPT TO and thereby re-enables verification.
>> >> Apart from tarpitting too many recipients, what is common practice for
>> >> a server that detects verification attempts (i.e. successful rcpt followed
>> >> by quit)  ignore, blacklist, other?
>> 
>> Block the IP for a while. OSSEC HIDS, http://ossec.net/ or something 
>> similar can block the IP using iptables or hosts.deny. It will 
>> automatically un-block after a configurable time period. Useful for 
>> web/smtp/ftp/etc.. attacks also.
>> 
>> Ken A.
>> Pacific.Net
>> 
>> 
>> >>
>> >> Wolfgang Hamann
>> > 
>> > 
>> > I can't speak for others, but our server policy is to allow (n)
>> > probes; should they all prove to be bad addresses the IP is banned for
>> > 24 hours. The probes don't all have to come at once, just from the
>> > same IP within any 24 hour period. This system works very well for
>> > dictionary attacks as well.
>> > 
>> > Nigel
>> > 
>> 




Re: On spamassassin usage, from an sa ignoramus

2006-10-05 Thread John Andersen
On Thursday 05 October 2006 07:41, Timothy Murphy wrote:

> So I started running fetchmail as a cron job from each mail server.
> This seems to work fine.
> What puzzles me is that I never saw this suggested anywhere.
> Am I missing some obvious alternative?

I suggest you will wait several minutes in either case.

Side note:  First, be sure you look carefully at the Kmail setup.  Given
free rein it will find every spam solution on your box and send the mail
thru all of them.  Set it to pick ONE, preferably SA, IMHO, and it will
be faster.

Fetchmail simply gets the mail in the background and hands it off to
whatever you wish, such as procmail, or sendmail, etc. which in turn can call SA 
for you. But the time to process is the same, it's just that you are not
waiting for kmail to finish.

Further, fetchmail is a daemon, and not intended to be run from
a cronjob.  Start it at boot, and leave it running.

By the way, I use this method as well, on several sites where mail
must be popped, and it's pretty reliable.

-- 
_
John Andersen




3.1.6, local scores, and sa-update

2006-10-05 Thread Mike Grau
Since upgrading to SpamAssassin 3.1.6, running sa-update yields

# sa-update
config: warning: score set for non-existent rule BAYES_50
config: warning: score set for non-existent rule BAYES_05
config: warning: score set for non-existent rule BAYES_00
config: warning: score set for non-existent rule BAYES_40
config: warning: score set for non-existent rule BAYES_60
config: warning: score set for non-existent rule BAYES_95
config: warning: score set for non-existent rule BAYES_99
config: warning: score set for non-existent rule BAYES_20
config: warning: score set for non-existent rule BAYES_80
.
.
.
error: lint check of current site config failed, cannot continue.


I assume this is because sa-update now "include local site config in
sa-update lint checks".

Previously I've set some custom scores for stock rules in
/etc/mail/spamassassin/whatever.cf
without changing the rule definitions or descriptions. Can I not do this
and need to define the "body BAYES_99" and "describe BAYES_99" in
whatever.cf also, or is this a bug in sa-update?

Thanks!
-- Mike


ANNOUNCE: Apache SpamAssassin 3.1.6 available!

2006-10-05 Thread Daryl C. W. O'Shea

Apache SpamAssassin 3.1.6 is now available!  This is a maintenance
release of the 3.1.x branch.

Downloads are available from:
  http://spamassassin.apache.org/downloads.cgi?update=200610050918

The release file will also be available via CPAN in the near future.

md5sum of archive files:

  1cf43cea76e30aec6983cdbfe2e08316  Mail-SpamAssassin-3.1.6.tar.bz2
  a0acc5e63a5e3401d039cd05cd189b96  Mail-SpamAssassin-3.1.6.tar.gz
  aac75c43ef9a74df4c100e8a7e37a5fd  Mail-SpamAssassin-3.1.6.zip

sha1sum of archive files:
  16575633e60177733069c1681d6bf9528c076274  Mail-SpamAssassin-3.1.6.tar.bz2
  fbf7e7aac113313da3f7357260d1a295ff275eef  Mail-SpamAssassin-3.1.6.tar.gz
  779ea2f5174de766405bdaa6d378ed6e7a749526  Mail-SpamAssassin-3.1.6.zip

The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the wwwkeys.pgp.net key server, as well as
http://spamassassin.apache.org/released/GPG-SIGNING-KEY

The key information is:

pub  1024D/265FA05B 2003-06-09 SpamAssassin Signing Key
<[EMAIL PROTECTED]>
 Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24  F6D7 DEE0 1987 265F A05B

3.1.6 includes a large number of bug fixes and documentation updates.
Here is an abbreviated changelog (since 3.1.5) for major updates (see
the Changes file for a complete list):

- bug 4940: fixes to bug in date handling affecting DATE_IN_FUTURE_*
  and DATE_IN_PAST_* rules when more than one Resent-Date header is
  present
- bug 5044: include local site config in sa-update lint checks
- bug 5081: fix race condition in spamd preforking code that sometimes
  left one child process running after SIGHUPing spamd
- bug 5076: unescape hash characters in the config
- bug 5077: fix false SPF_SOFTFAIL's when SPF queries timeout
- bug 5080: update RCVD_ILLEGAL_IP evaltest to properly deal with 127/8
- bug 5089: enable adding headers with single digit zero value
- bug 5098: add support for ecelerity Received headers
- bug 5101: fix a bug, introduced in 3.1.5, in mbx code
- bug 5105: M::SA::Client doesn't always catch failed connection to
  spamd, fixed



Re: OT - verify addresses

2006-10-05 Thread Ken A



Nigel Frankcom wrote:

> On Thu, 05 Oct 2006 12:32:07 +0200, [EMAIL PROTECTED] wrote:
>
>> back a few years, some mail servers (e.g. qmail) disabled the verify command
>> to avoid address probing - and as a consequence would send bounces.
>> Nowadays, the majority of mail servers (apart from aol :) rejects unknown
>> users with a 5xx response to RCPT TO and thereby re-enables verification.
>> Apart from tarpitting too many recipients, what is common practice for
>> a server that detects verification attempts (i.e. successful rcpt followed
>> by quit)  ignore, blacklist, other?

Block the IP for a while. OSSEC HIDS, http://ossec.net/ or something 
similar can block the IP using iptables or hosts.deny. It will 
automatically un-block after a configurable time period. Useful for 
web/smtp/ftp/etc.. attacks also.

Ken A.
Pacific.Net

>> Wolfgang Hamann
>
> I can't speak for others, but our server policy is to allow (n)
> probes; should they all prove to be bad addresses the IP is banned for
> 24 hours. The probes don't all have to come at once, just from the
> same IP within any 24 hour period. This system works very well for
> dictionary attacks as well.
>
> Nigel



On spamassassin usage, from an sa ignoramus

2006-10-05 Thread Timothy Murphy
I receive email on my desktop from 3 pop3 servers
(for example, pop.gmail.com).
I usually read it from there on my laptop.

I'm running Fedora-5 with KDE, and use kmail for email.

I tried running the Tools=>Anti-Spam Wizard in kmail
but found this was fairly disastrous,
as it runs spamc on each email it fetches,
which meant I had to wait several minutes after starting kmail
before I could read any mail.

So I started running fetchmail as a cron job from each mail server.
This seems to work fine.
What puzzles me is that I never saw this suggested anywhere.
Am I missing some obvious alternative?

-- 
Timothy Murphy  
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland


Re: light-grey listing..? lkml filter probs & catching too much ham.

2006-10-05 Thread Loren Wilton
Simplest solution might be to manually "whitelist" the mailing list, not by 
using a whitelist rule and getting -100 points, but by writing a rule of 
your own and giving it maybe -5 points.  This is about equivalent to your 
idea of raising the spam threshold by 5 points.


   Loren



R: switching from global bayes to per-user bayes

2006-10-05 Thread Giampaolo Tomassoni
> I am looking into switching from a global bayes/awl/setting environment
> to a per-user environment with MySQL as a backend.
> 
> 
> Would anyone care to offer an opinion as to whether and/or to what
> degree this might make in overall effectiveness?  Anyone back up that
> opinion with cold hard facts?
> 
> Will I be able to migrate small sets of users from global to per-user or
> will I have to make the jump for all my end-users/domains at once?

I have a suggestion to spare for the "setting" environment which works pretty 
well for me and would avoid the per-user/global question.

My amavis settings are in a postgres db in which each organization (more or 
less = domain) has a schema. Each organization has a table with user-defined 
settings. My public schema (i.e.: the default one) has a table too with 
organizational settings. Also, the public schema has a view which is the means 
by which I get the amavis settings for a given user. It attempts fetching the 
per-user settings table in the organizational schema and, if they are missing, 
it attempts fetching the per-organization settings. If these too are missing, it 
uses some default which may be thought of as "local" (i.e.: server-wide) settings.

I did find this three-layer way of handling settings pretty useful: a user 
wants to get .exe attachments without having them wrapped into a warning 
message? Put a record in the per-user table. An org wants to have threats 
reported to a specific user? Tell it to the per-organization table.

However, I don't have bayes data in the db (it's in the global bdb). This is 
because most of my customers use pop3 to download messages, so I have hardly any 
way to train bayes efficiently. Do I?

Also, awl settings are in a database only to ease their adjustment (and, in 
future, replication), but are global as well: I'm serving small communities in 
my town, so often a source IP/e-mail score may reasonably be used for all my 
potential recipients.

Cheers,

giampaolo


> I'd like to preload the bayes db for each user so that's it's 'primed'
> and ready to do.  Obviously, it would be preferable to preload with
> their specific mail but is it possible to feed bayes for each user with
> a generic set of spam/ham?
> 
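The three-layer lookup Giampaolo describes (per-user, then per-organization, then server-wide default) is easy to get subtly wrong, so here is an added example of it, not his schema and not amavis code. His setup keeps one PostgreSQL schema per organization; SQLite has no schemas, so this version keys the per-organization and per-user tables by an org name instead. A NULL in a user or organization row means "inherit from the next layer", so each setting falls back independently rather than the whole row at once. The column names (wrap_exe, report_to) and the sample rows are constructed stand-ins for real amavis settings.

```python
"""Three-layer (user -> organization -> server default) settings lookup.

Added example. Tables, column names and sample rows are illustrative;
the resolution happens in the effective_settings view via COALESCE.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users            (email TEXT PRIMARY KEY, org TEXT NOT NULL);
-- exactly one row: the server-wide ("local") defaults, every column required
CREATE TABLE default_settings (wrap_exe INTEGER NOT NULL, report_to TEXT NOT NULL);
-- NULL in these two tables means "not set here, look one layer down"
CREATE TABLE org_settings     (org   TEXT PRIMARY KEY, wrap_exe INTEGER, report_to TEXT);
CREATE TABLE user_settings    (email TEXT PRIMARY KEY, wrap_exe INTEGER, report_to TEXT);

-- One row per known user; COALESCE picks the first non-NULL layer per column.
CREATE VIEW effective_settings AS
SELECT u.email,
       u.org,
       COALESCE(us.wrap_exe,  os.wrap_exe,  d.wrap_exe)  AS wrap_exe,
       COALESCE(us.report_to, os.report_to, d.report_to) AS report_to
FROM users u
LEFT JOIN user_settings us ON us.email = u.email
LEFT JOIN org_settings  os ON os.org   = u.org
CROSS JOIN default_settings d;
"""

# Constructed sample data: one org overrides the report address, one user
# turns off .exe wrapping, one org has no row at all.
SAMPLE_ROWS = """
INSERT INTO default_settings VALUES (1, 'postmaster@localhost');
INSERT INTO users VALUES ('alice@example.com', 'example.com'),
                         ('bob@example.com',   'example.com'),
                         ('carol@other.org',   'other.org');
INSERT INTO org_settings  VALUES ('example.com', NULL, 'security@example.com');
INSERT INTO user_settings VALUES ('alice@example.com', 0, NULL);
"""


def build_demo_db():
    """Create an in-memory database holding the schema, view and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def effective(conn, email):
    """Resolved settings for one user, or None if the user is unknown."""
    row = conn.execute(
        "SELECT wrap_exe, report_to FROM effective_settings WHERE email = ?",
        (email,),
    ).fetchone()
    if row is None:
        return None
    return {"wrap_exe": bool(row[0]), "report_to": row[1]}


if __name__ == "__main__":
    db = build_demo_db()
    for who in ("alice@example.com", "bob@example.com", "carol@other.org"):
        print(who, effective(db, who))
```

Because the fallback is per column, alice keeps her own wrap_exe but still inherits the organization's report address; carol, whose organization has no row, lands on the server defaults for everything. Keep the default table to a single row, or the CROSS JOIN will multiply the view.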



Re: OT - verify addresses

2006-10-05 Thread Jack L. Stone
At 11:48 AM 10.5.2006 +0100, Nigel Frankcom wrote:
>On Thu, 05 Oct 2006 12:32:07 +0200, [EMAIL PROTECTED] wrote:
>
>I can't speak for others, but our server policy is to allow (n)
>probes; should they all prove to be bad addresses the IP is banned for
>24 hours. The probes don't all have to come at once, just from the
>same IP within any 24 hour period. This system works very well for
>dictionary attacks as well.
>
>Nigel
>

Nigel: Where & how do you set that probe -- ?? I like the sounds of that.

Thanks!

(^_^)
Happy trails,
Jack L. Stone

System Admin
Sage-american


Re: switching from global bayes to per-user bayes

2006-10-05 Thread Adam Lanier
No comments whatsoever?




Re: FuzzyOCR request

2006-10-05 Thread decoder
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Duncan Hill wrote:
> On Wednesday 04 October 2006 22:23, Alan Munday wrote:
>
>> I've been following your developments and looking at how to
>> integrate with my (few) systems. But as I don't have a test
>> environment (until I have built a VMWare one) I was cautious at
>> trying this with one of the live box's. Zero scoring seemed to be
>> a good way round this.
>
> SA treats a 0-scored rule as a rule that must not be run.
FuzzyOcr does not use a standard rule to score but does the scoring
itself.

But to the main subject:

I haven't tried it out, but to achieve a zero score, you could as
well try to set the scores that are configurable to 0, or to a very
small amount... Also I recommend only using 2.3b in production
environments :)

Best regards,

Chris
>
> Score at 0.01 and the rule will fire, but should have a
> non-significant impact.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFJO0cJQIKXnJyDxURAoIdAJ94WXbh/azaNswXjxRNT4R38yBFUACfeSdY
1axXA+NqRmcW2TTnOy2OV1o=
=Awmk
-----END PGP SIGNATURE-----



Re: OT - verify addresses

2006-10-05 Thread Nigel Frankcom
On Thu, 05 Oct 2006 12:32:07 +0200, [EMAIL PROTECTED] wrote:

>back a few years, some mail servers (e.g. qmail) disabled the verify command
>to avoid address probing - and as a consequence would send bounces.
>Nowadays, the majority of mail servers (apart from aol :) rejects unknown
>users with a 5xx response to RCPT TO and thereby re-enables verification.
>Apart from tarpitting too many recipients, what is common practice for
>a server that detects verification attempts (i.e. successful rcpt followed
>by quit)  ignore, blacklist, other?
>
>Wolfgang Hamann


I can't speak for others, but our server policy is to allow (n)
probes; should they all prove to be bad addresses the IP is banned for
24 hours. The probes don't all have to come at once, just from the
same IP within any 24 hour period. This system works very well for
dictionary attacks as well.

Nigel
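Ken's answer (block the probing IP for a while, with an automatic un-block) and Nigel's policy (allow n probes; ban the IP for 24 hours if they all turn out to be bad addresses, counted over any 24 hour period) describe the detection without showing it. The following is an added example, not code from either poster, from OSSEC or from any MTA: it replays a constructed SMTP event log and applies both rules, treating a session in which RCPT TO was accepted but the client QUIT without ever sending DATA as a verification probe, and a client whose rejected RCPT TOs reach n with nothing accepted in the window as a dictionary attack. The log format, the thresholds (n = 5 bad addresses, 3 probes), the rolling 24 hour window and the iptables line it renders are all assumptions.

```python
"""SMTP address-probe and dictionary-attack detector over a session log.

Added example (assumed log format and thresholds); not OSSEC's or any
MTA's own logic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # rolling window in which events are counted (assumption)
MAX_BAD_RCPTS = 5              # Nigel's "(n)": rejected addresses with none accepted (assumption)
MAX_PROBES = 3                 # accepted-RCPT-then-QUIT sessions before a ban (assumption)
BAN_FOR = timedelta(hours=24)  # the 24 hour ban from the thread

# Constructed sample log, not the output of any real MTA. Fields are
# date, time, client IP, event, and for RCPT the address and reply code.
SAMPLE_LOG = """\
2006-10-05 12:00:01 203.0.113.7 CONNECT
2006-10-05 12:00:02 203.0.113.7 RCPT alice@example.net 250
2006-10-05 12:00:03 203.0.113.7 QUIT
2006-10-05 12:00:10 192.0.2.5 CONNECT
2006-10-05 12:00:11 192.0.2.5 RCPT alcie@example.net 550
2006-10-05 12:00:12 192.0.2.5 RCPT alice@example.net 250
2006-10-05 12:00:13 192.0.2.5 DATA
2006-10-05 12:00:15 192.0.2.5 QUIT
2006-10-05 12:05:01 203.0.113.7 CONNECT
2006-10-05 12:05:02 203.0.113.7 RCPT bob@example.net 250
2006-10-05 12:05:03 203.0.113.7 QUIT
2006-10-05 12:30:01 198.51.100.9 CONNECT
2006-10-05 12:30:02 198.51.100.9 RCPT aaron@example.net 550
2006-10-05 12:30:03 198.51.100.9 RCPT abby@example.net 550
2006-10-05 12:30:04 198.51.100.9 RCPT abe@example.net 550
2006-10-05 12:30:05 198.51.100.9 RCPT ada@example.net 550
2006-10-05 12:30:06 198.51.100.9 RCPT adam@example.net 550
2006-10-05 12:30:07 198.51.100.9 QUIT
2006-10-05 13:10:01 203.0.113.7 CONNECT
2006-10-05 13:10:02 203.0.113.7 RCPT carol@example.net 250
2006-10-05 13:10:03 203.0.113.7 QUIT
"""


def parse(log_text):
    """Yield (timestamp, ip, event, address, code) for each log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, ip, event, *rest = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield ts, ip, event, (rest[0] if rest else None), (rest[1] if len(rest) > 1 else None)


def _prune(times, now):
    """Drop timestamps that have fallen out of the rolling window."""
    while times and now - times[0] > WINDOW:
        times.popleft()


def analyze(log_text):
    """Replay the log; return {ip: ban_expiry} for clients that tripped either policy."""
    sessions = {}                # ip -> {"accepted": n, "data": bool} for the open session
    good = defaultdict(deque)    # ip -> timestamps of accepted RCPT TOs
    bad = defaultdict(deque)     # ip -> timestamps of rejected RCPT TOs
    probes = defaultdict(deque)  # ip -> timestamps of accepted-RCPT-then-QUIT sessions
    bans = {}

    for ts, ip, event, _addr, code in parse(log_text):
        if ip in bans and ts < bans[ip]:
            continue             # live ban: the firewall would have dropped this
        if event == "CONNECT":
            sessions[ip] = {"accepted": 0, "data": False}
            continue
        sess = sessions.setdefault(ip, {"accepted": 0, "data": False})
        if event == "RCPT":
            if code.startswith("2"):
                sess["accepted"] += 1
                good[ip].append(ts)
            else:
                bad[ip].append(ts)
            _prune(good[ip], ts)
            _prune(bad[ip], ts)
            # dictionary attack: n rejected addresses and not one accepted in the window
            if len(bad[ip]) >= MAX_BAD_RCPTS and not good[ip]:
                bans[ip] = ts + BAN_FOR
        elif event == "DATA":
            sess["data"] = True
        elif event == "QUIT":
            sessions.pop(ip, None)
            # verification probe: an address was accepted but no message followed
            if sess["accepted"] and not sess["data"]:
                probes[ip].append(ts)
                _prune(probes[ip], ts)
                if len(probes[ip]) >= MAX_PROBES:
                    bans[ip] = ts + BAN_FOR
    return bans


def block_commands(bans):
    """Render the firewall action (what an active response would run; illustrative)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP   # until {exp:%Y-%m-%d %H:%M}"
            for ip, exp in sorted(bans.items())]


if __name__ == "__main__":
    for cmd in block_commands(analyze(SAMPLE_LOG)):
        print(cmd)
```

On the sample, 203.0.113.7 is banned after its third accepted-then-QUIT session and 198.51.100.9 after five rejected addresses in one connection, while 192.0.2.5, which mistyped one address but then delivered mail, is left alone. A client that has been banned once should be allowed back after the expiry, so whatever applies the rule (OSSEC, a cron job, a script) must also remove it; that is the "automatically un-block" Ken mentions.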


OT - verify addresses

2006-10-05 Thread hamann . w
back a few years, some mail servers (e.g. qmail) disabled the verify command
to avoid address probing - and as a consequence would send bounces.
Nowadays, the majority of mail servers (apart from aol :) rejects unknown
users with a 5xx response to RCPT TO and thereby re-enables verification.
Apart from tarpitting too many recipients, what is common practice for
a server that detects verification attempts (i.e. successful rcpt followed
by quit)  ignore, blacklist, other?

Wolfgang Hamann


Re: FuzzyOCR request

2006-10-05 Thread Duncan Hill
On Wednesday 04 October 2006 22:23, Alan Munday wrote:

> I've been following your developments and looking at how to integrate with
> my (few) systems. But as I don't have a test environment (until I have
> built a VMWare one) I was cautious at trying this with one of the live
> box's. Zero scoring seemed to be a good way round this.

SA treats a 0-scored rule as a rule that must not be run.

Score at 0.01 and the rule will fire, but should have a non-significant 
impact.
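Two points in this thread are easier to see in SpamAssassin's own rule syntax: Loren's suggestion (a local rule worth about -5, rather than the -100 a whitelist entry gives) and Duncan's note that a score of 0 switches a rule off while 0.01 keeps it firing without affecting the verdict. The block below is an added example, not text from either poster and not part of any shipped rule set; the rule names, the List-Id value used to recognise the list and the name SOME_RULE_UNDER_TEST are assumptions to be replaced with your own.

```conf
# Added example for local.cf (not part of SpamAssassin's distributed rules).

# A site rule that takes a few points off mailing-list traffic instead of the
# -100 a whitelist_from entry would give. The List-Id value is an assumption;
# check a real message from the list for the exact header contents.
header   LOCAL_LKML_LIST   List-Id =~ /<linux-kernel\.vger\.kernel\.org>/i
describe LOCAL_LKML_LIST   Posted via the linux-kernel mailing list
score    LOCAL_LKML_LIST   -5.0

# score 0 means the rule is never run; 0.01 runs it and lists it in
# X-Spam-Status tests= while leaving the total effectively unchanged.
score    SOME_RULE_UNDER_TEST   0.01
```

After editing, run `spamassassin --lint` and then restart spamd so the running daemon picks the change up; a rule that never shows in tests= after that is most likely still scored 0 somewhere else in the configuration.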