Re: Any comments of the SpamHaus lawsuit?

2006-10-10 Thread John Rudd

Jason Haar wrote:

> I've been waiting for anyone else to bring it up - but no-one has.
>
> If Spamhaus lose this lawsuit (which they are ignoring as they are
> UK-based and this is some judge in Chicago), they may very well lose
> their ".ORG" domain - which would have a rather large impact on our
> Antispam scores for a start...
>
> http://www.ibtimes.com/articles/20061009/anti-spam-lawsuit.htm
>
> "Americans to arms" I say... Start sending "Internet for Dummies" to the
> judge for starters ;-)


I'm not really sure it's such a big deal.

Spamhaus will have to resort to their UK domain.  One where the laws 
entirely protect them from this kind of harassment.  We'll all switch to 
using that domain instead of the .org domain, when using/referencing 
their RBLs.  Oh the horror.


Meanwhile, the twit who sued them has wasted a bunch of court fees, and 
made only the slightest dent in their operations.


And the UK gets to look good.  And the US government gets to look stupid 
in front of the world court of opinion (like that's anything new, given 
our current administration).


Where's the problem?


Re: Any comments of the SpamHaus lawsuit?

2006-10-10 Thread hamann . w


Hi,

quite frankly: mis-listings occur, but if a domain remains blacklisted
after a court case, it must be for a reason :)
As an email user, I don't want to have to find out that reason :(
As a non-american, I can see this as a "vote with your feet" case: stop
buying US products

Wolfgang Hamann



Can't install at AMD(x86_64) based at all..

2006-10-10 Thread Monty Ree

Hello,

I have sent before about "compile error at AMD(x86_64) based system".
But this problem doesn't solve... 
Anyone who succeed to install and execute SA this system?


## below is my system 
linux kernel 2.6.x (centos 3.x or 4.x)
CPU : AMD opteron 
perl : v5.8.5 or v5.8.0 
All required perl modules installed I guess.
spamassassin 3.1.x 
spamassassin rpm was not installed.


result below after "perl Makefile.PL ; make"

Mail-SpamAssassin-3.1.x]# make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" 
"test_harness(0, 'blib/lib', 'blib/arch')" t/*.t

t/basic_lintok
t/bayesdbm..ok 33/48sh: line 1: 28824 Segmentation fault
 /usr/bin/perl -T -w ../sa-learn -C log/test_rules_copy --siteconfigpath 
log/localrules.tmp -p log/test_default.cf --spam data/spam >log/bayes.34

# Failed test 34 in t/bayesdbm.t at line 182
   Not found: Acted on message = 1
# Failed test 35 in t/SATest.pm at line 592
t/bayesdbm..NOK 35bayes: bayes db version 0 is not able to 
be used, aborting! at ../blib/lib/Mail/SpamAssassin/BayesStore/DBM.pm line 
196.



I have read this link (http://wiki.apache.org/spamassassin/BayesUpgradeError)
But I can't solve this problem... and I have tested other AMD 64 based 
system and the result was same...

Is this a bug ???

I guess that bayes makes this compile problem...
Then is there any method to disable bayes?

Anyone who have installed well spamassassin at AMD 64 based system?

installed modules
Digest-1.15
cwd
HTML-Tagset-3.10
Socket6-0.19
IO-Socket-INET6-2.51
razor-agents-sdk-2.07
razor-agents-2.82
Compress-Zlib-1.42
libwww-perl-5.805
Digest-HMAC-1.01
IO-Socket-INET6-2.51
IO-Socket-SSL-0.999
IO-Zlib-1.04
Net-CIDR-Lite-0.20
Net-IP-1.25
Net-DNS-0.58
Mail-SPF-Query-1.999.1
Sys-Hostname-Long-1.4
IP-Country-2.21
Net_SSLeay.pm-1.30
Getopt-Long-2.35_01
DBI-1.52
Archive-Tar-1.30
Net-Ident-1.20
DB_File-1.814

Please help me


Thanks.




Re: Rulesemporium rules

2006-10-10 Thread Duncan Findlay
On Tue, Oct 10, 2006 at 04:43:58PM -0400, Dan Horne wrote:
>  >> 10) Making top ten lists. 

> Hilarious.  Can I subscribe to those top ten lists with RDJ?

Are they going to be licensed with the Apache license?

/me ducks

-- 
Duncan Findlay




Re: Rulesemporium rules

2006-10-10 Thread jdow

Give Chris a break - sometimes we ALL just feel silly and have to vent.

{^_-}
- Original Message - 
From: "Joe Zitnik" <[EMAIL PROTECTED]>




A simple no would have sufficed.


On 10/10/2006 at 4:25 PM, Chris Santerre <[EMAIL PROTECTED]> wrote:




-Original Message-
From: Joe Zitnik [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 10, 2006 1:39 PM
To: users@spamassassin.apache.org 
Subject: Rulesemporium rules



Just out of curiosity, is there a reason why the updates on the
rulesmporium rules have dropped so drastically lately?  I understand
that the authors all have other things to do, and I am EXTREMELY
GRATEFUL for all their hard work.  I was just wondering if there were
any other reasons.


Many possible reasons:

1) I was pulling some ticks off my Siberian Husky.
2) Ninja Convention?
3) Hockey Season Started
4) Halloween costumes don't make themselves!
5) We're waiting for the Yankees head coach to be fired.
6) The Vista Beta is so secure it won't let us in our own machines!
7) We have not yet closed all the gates to Oblivion!
8) Apple Pickin!
9) 1 beer turned out to be 10!
10) Making top ten lists. 


Thanks,

Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com 
www.uribl.com


Re: Any comments of the SpamHaus lawsuit?

2006-10-10 Thread Daryl C. W. O'Shea

Jason Haar wrote:

> I've been waiting for anyone else to bring it up - but no-one has.
>
> If Spamhaus lose this lawsuit (which they are ignoring as they are
> UK-based and this is some judge in Chicago), they may very well lose
> their ".ORG" domain - which would have a rather large impact on our
> Antispam scores for a start...
>
> http://www.ibtimes.com/articles/20061009/anti-spam-lawsuit.htm
>
> "Americans to arms" I say... Start sending "Internet for Dummies" to the
> judge for starters ;-)


If it really came down to it, and they had to move the lists to their 
spamhaus.org.uk domain, it wouldn't take very long for us to make 
changes available via sa-update.


Daryl


Any comments of the SpamHaus lawsuit?

2006-10-10 Thread Jason Haar
I've been waiting for anyone else to bring it up - but no-one has.

If Spamhaus lose this lawsuit (which they are ignoring as they are
UK-based and this is some judge in Chicago), they may very well lose
their ".ORG" domain - which would have a rather large impact on our
Antispam scores for a start...

http://www.ibtimes.com/articles/20061009/anti-spam-lawsuit.htm

"Americans to arms" I say... Start sending "Internet for Dummies" to the
judge for starters ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: Ideas

2006-10-10 Thread jdow

From: "Giampaolo Tomassoni" <[EMAIL PROTECTED]>


>> OMG, listen.
>>
>> We setup regular mail server for companies (mostly exchange servers). Once
>> we setup the mail server I want to send an e-mail from that new mail server
>> to [EMAIL PROTECTED] I want that email run through all the
>> Spamassasin tests then sent back to me with all the rules that were
>> triggered etc in the body..
>>
>> this domain and SPAM server would be used only for this purpose. So it
>> could not be used as a relay or anything like that.
>
> Ah, that! That's just a matter of making a script to be scheduled at the
> reception of an e-mail on a given account. Most mail servers do allow it.
> Often, you may just do an alias in /etc/aliases where the right part is the
> name of your script leaded by a '|' (pipe).


It's trivial to do with procmail. But I am ornery enough that based on
his initial note I ain't a gonna even think about helping him.

(Can you tell I am still pissed at millikin.edu who has what Robert
described initially setup and joejobbing innocent people, one of whom
was me? They are entirely blocked on my account now to /dev/null.)

{^_^}


Re: Ideas

2006-10-10 Thread jdow

If you do that you will get mugged, I promise. All you have to do is
bounce one to me and I'll crawl through the Ethernet cables, the
fiber optics, and all that crap so I can rip your throat out with
my bare teeth.

I hope that conveys the depths of depravity involved in the setup
you are proposing. There is no way on Earth you can track a spam
down to its original sender's ID and send it back.

Look up "Joe Job" on Google with and without the space. ALL the
headers in an Email which might give a hit to the original sender's
email address can be forged and almost without exception are forged
in spams.

{`,'}Bad BAD idea Robert.
- Original Message - 
From: "Robert Swan" <[EMAIL PROTECTED]>

To: "SpamAssassin Users" 
Sent: Tuesday, October 10, 2006 12:42
Subject: Ideas


Hi everyone, I am trying to setup a SPAM server to process incoming
email and then send it back to the original sender.

I have setup Spamassassin and Postfix (latest version), and they are
working great. I am trying to figure out how to get Postfix to
automatically send the "processed" e-mail back to the sender with all of
the processed info in it like below, any ideas??

Thanks in advance

Robert

Content analysis details:   (1.2 points, -5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 FH_MSGID_HUGE_40       FH_MSGID_HUGE_40
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.6 HTML_SHORT_LENGTH      BODY: HTML is extremely short
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org

The original message was not completely plain text.

Re: double letter porn

2006-10-10 Thread Chip M.
Chris, thanks for your detailed analysis!

Please don't be discouraged, as you're generally on the right track,
you just need to do some fine tuning.

Since last spring, I've been running some word tests that include
something similar to the obfuscation approach you've described, and
have had good performance and excellent efficacy.

>I downloaded the TREC corpus and generated a list of words that 
>commonly appeared in spam. I used the top 1000 most common words of 
>greater than four letters in the TREC spam that were NOT in the top 
>1000 most common >4 letter words in the TREC ham.

That's a great approach for eliminating those found in Ham, however
it may be weak at picking spam tokens, mostly due to spammer
obfuscations. I would be VERY interested in seeing your word list.

For your next iteration, perhaps use your de-obfuscation algorithm to
find and merge matches in the initial spam list, then continue as
before.  That should somewhat improve the list quality.

The length of your list is a big part of your performance issues.
Do a careful manual review of the list, both reducing it and
classifying tokens by type of spam they're most likely to occur in,
for example: stock scams, fake degrees, sundry, and porn.

What I do is group, then sub-group the tokens, with each sub-group
having a different weighting, then score only if the total from any
ONE entire group is high enough.  Typically this means about 5 words
need to hit.  For example, my fake degrees group includes (among
others): nonaccredited, bachelor, classroom, degree, doctorate,
experience, graduation, mba, phd, prestigious, qualifications,
university.  Those are split into 4 different weighting sub-groups,
with "nonaccredited" being by itself and having the highest
weighting, and "university" having the lowest.

I also score differently depending on the type of matching:
exact, gappy, fuzzy.  "Exact" is self explanatory, "gappy" looks for
tokens divided only by whitespace and/or non-alphanumerics, and
"fuzzy" is pretty much the algorithm you described (favors duplicated
letters). There's an optional bonus score for matches that occur at
the beginning of lines (which I only use for my stock group).

The single most useful group uses "exact"+"gappy" tests on a set of
stock symbol and scammer phone numbers.  I typically check for new
symbols daily, and update my list.  This has all but eliminated text
stock spams.

I've implemented this all in a little filter (written in a compiled
language) that runs after SA.  Average run time JUST for word tests
is about 60 milliseconds, using about 150-200 tokens.  The code was
written for clarity, so I'm sure I could speed that up some, but
haven't had the incentive (yet).  FP rate has been zero for the
groups I've classified as reliable (stocks, degrees, porn), and very
low for the more aggressive groups.

Your system is much larger than mine, so not all of this would work
as well for you, but I had to give you some encouragement. :)

Thanks for the great algorithm description, including terminology.
I'll review some of that the next time I tweak my tests.
- "Chip"
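
Added example (not part of Chip's post and not his filter's code): a Python sketch of the scoring scheme the post describes, with weighted sub-groups, a per-group threshold, and exact / gappy / fuzzy match types. The "degrees" words are from the post; the weights, thresholds, match-type multipliers, the "xmpl" ticker and the sample messages are constructed assumptions.

```python
import re
from functools import lru_cache

# "Gappy": up to two non-alphanumeric characters may sit between letters.
GAP = r"[^a-z0-9\n]{0,2}"
# Assumed multipliers; the post scores match types differently but gives no numbers.
MATCH_FACTOR = {"exact": 1.0, "gappy": 1.2, "fuzzy": 1.5}

# Weights (one value per sub-group) and thresholds are assumptions.
GROUPS = {
    "degrees": {
        "threshold": 5.0,
        "kinds": ("exact", "gappy", "fuzzy"),
        "tokens": {
            "nonaccredited": 3.0,                       # alone, highest weight
            "doctorate": 1.5, "mba": 1.5, "phd": 1.5,
            "bachelor": 1.0, "degree": 1.0, "graduation": 1.0,
            "prestigious": 1.0, "qualifications": 1.0,
            "classroom": 0.5, "experience": 0.5, "university": 0.5,  # lowest
        },
    },
    "stocks": {
        "threshold": 4.0,
        "kinds": ("exact", "gappy"),                    # symbols: no fuzzy matching
        "tokens": {"xmpl": 4.0},                        # constructed ticker
    },
}


@lru_cache(maxsize=None)
def token_pattern(token):
    """Regex for the token with optional repeated letters and small gaps."""
    body = GAP.join(re.escape(ch) + "+" for ch in token)
    return re.compile(r"(?<![a-z0-9])" + body + r"(?![a-z0-9])")


def classify(token, matched):
    """Name the match type from the text the regex actually consumed."""
    if matched == token:
        return "exact"
    if re.sub(r"[^a-z0-9]", "", matched) == token:
        return "gappy"
    return "fuzzy"          # letters were repeated (possibly with gaps too)


def score_message(text, groups=GROUPS):
    """Score each group separately; a group fires only on its own total."""
    lowered = text.lower()
    report = {}
    for name, group in groups.items():
        hits, total = {}, 0.0
        for token, weight in group["tokens"].items():
            kinds = {classify(token, m.group(0))
                     for m in token_pattern(token).finditer(lowered)}
            kinds &= set(group["kinds"])     # drop match types this group ignores
            if kinds:
                best = max(kinds, key=MATCH_FACTOR.get)
                hits[token] = best           # each token counts once
                total += weight * MATCH_FACTOR[best]
        report[name] = {"total": round(total, 2), "hits": hits,
                        "fired": total >= group["threshold"]}
    return report


# Constructed sample messages.
SPAM = ("Earn a pres.tigious d e g r e e from a real universsity!\n"
        "Bachelor, M.B.A. or PhD awarded for life experience, no classroom needed.")
HAM = "The university registrar confirmed your degree; graduation is in June."
STOCK = "X-M-P-L is about to explode"

if __name__ == "__main__":
    for label, msg in (("spam", SPAM), ("ham", HAM), ("stock", STOCK)):
        print(label, score_message(msg))
```

The ham message still hits three tokens, but their combined weight stays under the group threshold, which is the property the post relies on for its low FP rate.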




Re: Ideas

2006-10-10 Thread Loren Wilton
> Yes, right. But the abuser would simply forward an e-mail with sa scores to
> the fake originator of the triggering e-mail. I think that would be mostly
> useless to spammers. Also, if the '[EMAIL PROTECTED]' address is not too
> widely disclosed, there shouldn't be chance. Finally, if it becomes to be
> abused, he would easily change address.


It could be used for a DOS attack if nothing else.  But most likely you 
would be forwarding blowback to the faked recipients, and they would start 
reporting you as a spammer.  Which is what you would actually be in this 
case.


The solutions of pre-enabling the sending host in the loopback app, or 
having a very specific test message format, are your two best solutions. 
You should be able to have Procmail handle the second case all by itself. 
Maybe it could even do the first method; I don't know.


   Loren



Re: whitelist'd address but tagged spam

2006-10-10 Thread Matt Kettler
Chris wrote:
> On Tuesday 10 October 2006 9:46 pm, Matt Kettler wrote:
>   
>> Yes, whitelist_from_rcvd is a significantly better command to use. It
>> takes two parameters, the email address, and part of a RDNS lookup of a
>> host that delivered the mail.
>>
>> ie:
>>  whitelist_from_rcvd [EMAIL PROTECTED] xan.evi-inc.com
>> or
>> whitelist_from_rcvd [EMAIL PROTECTED] evi-inc.com
>> 
>
> Thanks Matt, so in my case it would be:
>
> whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com
>
>   

That depends.. What's in the Received: header.. probably yahoo.com, but
check to make sure.

And if it fails to work properly, even if the Received: headers look
right, check out:

http://wiki.apache.org/spamassassin/TrustPath



Re: Ideas

2006-10-10 Thread Loren Wilton



Sooner or later (even by random blasting) some spammer is going to send 
mail to the thing, most probably with a forged From address.  Then you will 
send that as blowback (quite possibly appropriately tagged as spam) back to the 
sucker that owns the From address.  Not a real good thing to do.
 
I see no problem with your configuration tester in concept, save the 
above.  You can get around that by either having a very 
specifically-formatted mail that you send to the thing, and it will only respond 
to mails with that format.  Or you could have some external path where you 
tell it the hostname that should be sending it mail, and it can ignore all of 
the stuff that comes in from the zombies.
 
I suspect you can implement your loopback by having procmail call sendmail 
after running it through SA.  But I'm not enough of a guru on either of 
these programs to tell you exactly how to do it.
 
        Loren
 

  - Original Message - 
  From: Robert Swan
  To: SpamAssassin Users
  Sent: Tuesday, October 10, 2006 1:31 PM
  Subject: RE: Ideas

  OMG, listen.

  We setup regular mail server for companies (mostly exchange servers). Once
  we setup the mail server I want to send an e-mail from that new mail server
  to [EMAIL PROTECTED]. I want that email run through all the Spamassasin
  tests then sent back to me with all the rules that were triggered etc in
  the body..

  this domain and SPAM server would be used only for this purpose. So it
  could not be used as a relay or anything like that…

  Robert

  Peace he would say instead of goodbye peace my brother.

  From: Chris Santerre [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 10, 2006 4:18 PM
  To: Robert Swan; SpamAssassin Users
  Subject: RE: Ideas

  Wait...what?

  You want to setup a server that sends spam?

  Why not just make an email address, stick it on the usenet and post to a
  few sites, have it get normal spam, and just test that one address?

  Thanks,

  Chris Santerre
  SysAdmin and Spamfighter
  www.rulesemporium.com
  www.uribl.com

-Original Message-
From: Robert Swan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 10, 2006 3:56 PM
To: SpamAssassin Users
Subject: RE: Ideas

I am trying to setup a SPAM server to test e-mail servers, whether they are
setup correctly or not..we do mail server setups on a pretty large scale and
am looking to test the servers once they are built and installed.

Robert

Peace he would say instead of goodbye peace my brother.

From: Giampaolo Tomassoni [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 10, 2006 3:53 PM
To: SpamAssassin Users
Subject: R: Ideas

  Hi everyone, I am trying to setup a SPAM server to process incoming email
  and then send it back to the original sender.

You are going to do a spam server yourself: often the source e-mail is
forged or is the somebody else's account...

Spam messages often ask the user to click on a link, not to reply.

---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100



Re: Rulesemporium rules

2006-10-10 Thread Loren Wilton

> Just out of curiosity, is there a reason why the updates on the
> rulesmporium rules have dropped so drastically lately?  I understand
> that the authors all have other things to do, and I am EXTREMELY
> GRATEFUL for all their hard work.  I was just wondering if there were
> any other reasons.


Nope, that's the reason.  Bob was doing most of the updates and has the 
biggest masscheck corpus and automated scoring tools.  He was doing most of 
the rule testing/merging/releasing.  Unfortunately his $dayjob is now also 
eating virtually all of his time day and night, so he rarely gets time to do 
anything but work and sleep.


The rest of us have also had similar problems, with work overcoming any 
useful part of our lives.  A couple of us are still managing to update the 
stock rules.  Which fortunately is one of the most active spam areas.


Hopefully "life" will calm down in a while and we will be able to get time 
to do some useful stuff again.


   Loren



Re: whitelist'd address but tagged spam

2006-10-10 Thread Chris
On Tuesday 10 October 2006 9:46 pm, Matt Kettler wrote:
> Chris wrote:
> > On Tuesday 10 October 2006 9:15 pm, Matt Kettler wrote:
> >> Chris wrote:
> >>> Was it not checked because of the syntax of the whitelist_from?
> >>
> >> Yes, it's invalid to put anything but an email address after
> >> whitelist_from. The "Brian Pollock" part is unacceptable.
> >>
> >>> whitelist_from  Brian Pollock <[EMAIL PROTECTED]>
> >>> vs
> >>> whitelist_from  [EMAIL PROTECTED]
> >>>
> >>> For him I have his name as well as his email address < >
> >>>
> >>> Or am I screwed up here?
> >
> > Thanks Theo and Matt, I see my error now. Theo, is whitelist_from_rcvd
> > then the correct syntax to use?
>
> Yes, whitelist_from_rcvd is a significantly better command to use. It
> takes two parameters, the email address, and part of a RDNS lookup of a
> host that delivered the mail.
>
> ie:
>  whitelist_from_rcvd [EMAIL PROTECTED] xan.evi-inc.com
> or
> whitelist_from_rcvd [EMAIL PROTECTED] evi-inc.com

Thanks Matt, so in my case it would be:

whitelist_from_rcvd [EMAIL PROTECTED] yahoo.com


-- 
Chris




Re: whitelist'd address but tagged spam

2006-10-10 Thread Matt Kettler
Chris wrote:
> On Tuesday 10 October 2006 9:15 pm, Matt Kettler wrote:
>   
>> Chris wrote:
>> 
>>> Was it not checked because of the syntax of the whitelist_from?
>>>   
>> Yes, it's invalid to put anything but an email address after
>> whitelist_from. The "Brian Pollock" part is unacceptable.
>>
>> 
>>> whitelist_from  Brian Pollock <[EMAIL PROTECTED]>
>>> vs
>>> whitelist_from  [EMAIL PROTECTED]
>>>
>>> For him I have his name as well as his email address < >
>>>
>>> Or am I screwed up here?
>>>   
>
> Thanks Theo and Matt, I see my error now. Theo, is whitelist_from_rcvd then 
> the correct syntax to use?

Yes, whitelist_from_rcvd is a significantly better command to use. It
takes two parameters, the email address, and part of a RDNS lookup of a
host that delivered the mail.

ie:
 whitelist_from_rcvd [EMAIL PROTECTED] xan.evi-inc.com
or
whitelist_from_rcvd [EMAIL PROTECTED] evi-inc.com


Cert blacklisted.

2006-10-10 Thread Michael Scheidell
Ok, how funny is this?

Using the SA RFC checks, (specifically 50_scores.cf:score
DNS_FROM_RFC_WHOIS 0 0.879 0 1.447)

Cert themselves are blacklisted.

(well, it looks like ANY .gov is blacklisted) Sorry guys and gals, we
won't be getting that much 'important information for voters' this next
month)

Reminds me why SA is so powerful over just using blacklists (anyone want
to use mine? blocked.secnap.net.  I guarantee if you use it properly,
you won't get any spam (you won't get any email, google for
blocked.secnap.net before using it)


-- 
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts: http://www.secnap.com/news
 


Re: whitelist'd address but tagged spam

2006-10-10 Thread Chris
On Tuesday 10 October 2006 9:15 pm, Matt Kettler wrote:
> Chris wrote:
> > Was it not checked because of the syntax of the whitelist_from?
>
> Yes, it's invalid to put anything but an email address after
> whitelist_from. The "Brian Pollock" part is unacceptable.
>
> > whitelist_from  Brian Pollock <[EMAIL PROTECTED]>
> > vs
> > whitelist_from  [EMAIL PROTECTED]
> >
> > For him I have his name as well as his email address < >
> >
> > Or am I screwed up here?

Thanks Theo and Matt, I see my error now. Theo, is whitelist_from_rcvd then 
the correct syntax to use?

Thanks
Chris

-- 
Chris




Re: whitelist'd address but tagged spam

2006-10-10 Thread Matt Kettler
Chris wrote:
>
> Was it not checked because of the syntax of the whitelist_from?
>

Yes, it's invalid to put anything but an email address after
whitelist_from. The "Brian Pollock" part is unacceptable.

> whitelist_from  Brian Pollock <[EMAIL PROTECTED]>
> vs
> whitelist_from  [EMAIL PROTECTED]
>
> For him I have his name as well as his email address < >
>
> Or am I screwed up here?



RE: Auto_increment vs SERIAL key types

2006-10-10 Thread Michael Scheidell

> -Original Message-
> From: SM [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 10, 2006 2:08 PM
> To: SpamAssassin Users List
> Subject: Re: Auto_increment vs SERIAL key types
> 
> 
> At 06:14 10-10-2006, Michael Scheidell wrote:
> >I am experimenting with mysql replication, and have done some research
> >on key collisions in the case of a 'load balancing' situation (live sql
>
> [snip]
>
> >My concern is over use of SERIAL keys in amavisd-new tables, vs
> >AUTO_INCREMENT keys. (are SERIAL keys an alias for AUTO_INCREMENT? Are
> >SERIAL keys safe in replication situations?)
> 
> It's an alias for BIGINT UNSIGNED NOT NULL AUTO_INCREMENT UNIQUE.

Looks like with the bayes and awl collisions PROBABLE with live
replication, it's not such a great idea.
(neither bayes nor awl use serial.  Other schemes may work, maybe with
views in mysql 5,  maybe create an underlying table with enough columns
that replication won't break, and put in a view that SA wants to use..
Or hack SA?

Maybe auto replicate the users preferences tables only?



> 
> See auto_increment_increment and auto_increment_offset (MySQL 5.x).
> 
> Regards,
> -sm 
> 
> 


Re: whitelist'd address but tagged spam

2006-10-10 Thread Theo Van Dinter
On Tue, Oct 10, 2006 at 09:03:08PM -0500, Chris wrote:
> whitelist_from  Brian Pollock <[EMAIL PROTECTED]>

whitelist_from (which you generally should avoid using) takes email addresses.
SA won't parse the above line to get the email address out.

> The from message header shows I've entered the right address:
> From: Brian Pollock <[EMAIL PROTECTED]>

You'd want "whitelist_from [EMAIL PROTECTED]".  As has been noted
numerous times, whitelist_from is easily forged, which is why it's generally
not recommended to use.

> Was it not checked because of the syntax of the whitelist_from? 
> 
> whitelist_from  Brian Pollock <[EMAIL PROTECTED]>
> vs
> whitelist_from  [EMAIL PROTECTED]

Yes. :)

-- 
Randomly Selected Tagline:
"If you're choking someone, and you remove your hand, you're going to get
 punched in the face."- Hal Stern
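
Added example (not part of the thread, and not SpamAssassin code): a small Python lint for the mistake discussed above. It flags a whitelist_from line that carries a display name or angle brackets, warns that a valid whitelist_from trusts a forgeable From address, and checks that whitelist_from_rcvd has its two parameters. The sample configuration and addresses are constructed, and the user@domain pattern is this example's own check, an assumption rather than SpamAssassin's parser.

```python
import re

# Assumed shape of an acceptable entry: user@domain, glob characters allowed.
ADDR_GLOB = re.compile(r"^[A-Za-z0-9._%+*?-]+@[A-Za-z0-9.*?-]+$")
# Pulls the address out of "Display Name <addr>" so the lint can suggest a fix.
ANGLE_ADDR = re.compile(r"<([^<>\s]+@[^<>\s]+)>")

FORGEABLE = ("whitelist_from trusts the From address alone, which is easily "
             "forged; prefer whitelist_from_rcvd")


def lint_whitelist(conf_text):
    """Return (line number, level, message) for each questionable line."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        if directive == "whitelist_from":
            bad = [a for a in args if not ADDR_GLOB.match(a)]
            if bad or not args:
                found = ANGLE_ADDR.search(line)
                hint = f"; use the bare address {found.group(1)}" if found else ""
                findings.append((lineno, "error",
                                 f"not a bare address: {' '.join(bad)}{hint}"))
            else:
                findings.append((lineno, "warn", FORGEABLE))
        elif directive == "whitelist_from_rcvd":
            if len(args) != 2 or not ADDR_GLOB.match(args[0]):
                findings.append((lineno, "error",
                                 "expected two parameters: address, then part "
                                 "of the delivering host's rDNS name"))
    return findings


# Constructed sample configuration.
SAMPLE = "\n".join([
    "# local whitelist (constructed sample)",
    "whitelist_from  Display Name <someone@example.com>",
    "whitelist_from  friend@example.org",
    "whitelist_from_rcvd  friend@example.org example.org",
    "whitelist_from_rcvd  friend@example.org",
])

if __name__ == "__main__":
    for lineno, level, message in lint_whitelist(SAMPLE):
        print(f"line {lineno}: {level}: {message}")
```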




RE: Auto_increment vs SERIAL key types

2006-10-10 Thread Michael Scheidell

> -Original Message-
> From: Giampaolo Tomassoni [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, October 10, 2006 3:25 PM
> To: Michael Scheidell; SpamAssassin Users List
> Subject: R: Auto_increment vs SERIAL key types
> 
> Of course, the underlying sql engine has to support views 
(5.0, but I use 4.1)
> and, most important, updates to a view. Maybe I'm wrong, but 
> this is something that mysql doesn't do. Besides, that's one 
> of the reasons for which I prefer much more postgresql.
> 
But postgresql doesn't support replication, does it?
Oh, there seem to be a bunch of add on products, but that's not the same
as postgres supporting it.





whitelist'd address but tagged spam

2006-10-10 Thread Chris
As I was manually going through my spamfolder this evening I ran across a 
message from my son that was tagged as spam. I have a manual whitelist .cf 
file in /etc/mail/spamassassin and he is in the whitelist:

whitelist_from  Brian Pollock <[EMAIL PROTECTED]>

The from message header shows I've entered the right address:

From: Brian Pollock <[EMAIL PROTECTED]>

I don't even see where a whitelist entry was checked:

0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.0 DK_POLICY_TESTING      Domain Keys: policy says domain is testing DK
 0.0 DK_SIGNED              Domain Keys: message has an unverified signature
-0.0 DK_VERIFIED            Domain Keys: signature passes verification
 1.5 BE_BOSS                BODY: Be your own boss
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5000]
 1.4 HTML_10_20             BODY: Message is 10% to 20% HTML
 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.4 DNS_FROM_RFC_WHOIS     RBL: Envelope sender in whois.rfc-ignorant.org
 1.7 DNS_FROM_RFC_POST      RBL: Envelope sender in
                            postmaster.rfc-ignorant.org
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Another non-spam message I've received that I have the from address in my 
whitelist was tagged correctly:

whitelist_from  [EMAIL PROTECTED]

From: [EMAIL PROTECTED]

X-Spam-Status: No, score=-102.7 required=5.0 tests=AWL,BAYES_00,
DATE_IN_PAST_96_XX,DCC_CHECK,NO_REAL_NAME,USER_IN_WHITELIST 
autolearn=disabled version=3.1.5

BTW, this was from a message of 5 Oct, I've upgraded to 3.1.7 tonight.

Was it not checked because of the syntax of the whitelist_from? 

whitelist_from  Brian Pollock <[EMAIL PROTECTED]>
vs
whitelist_from  [EMAIL PROTECTED]

For him I have his name as well as his email address < >

Or am I screwed up here?


-- 
Chris




Re: Ideas

2006-10-10 Thread Jay Chandler
On Oct 10, 2006, at 4:53 PM, Clifton Royston wrote:

> On Tue, Oct 10, 2006 at 04:31:54PM -0400, Robert Swan wrote:
> >    OMG, listen.
> >
> >    We setup regular mail server for companies (mostly exchange servers).
> >    Once we setup the mail server I want to send an e-mail from that new
> >    mail server to [EMAIL PROTECTED]. I want that email run
> >    through all the Spamassasin tests then sent back to me with all the
> >    rules that were triggered etc in the body..
> >
> >    this domain and SPAM server would be used only for this purpose. So it
> >    could not be used as a relay or anything like that...
>
>   Yes, but replying to sender is a terrible idea.  Tremendous amounts
> of spam get sent to random addresses with a real person's address
> forged into the header; with your planned setup, spam from those
> addresses to your server would get mailed back to these innocent
> parties.
>
>   To give you an idea, I had to permanently cancel some of the contact
> addresses at my wife's professional organization because they had been
> forged in spam runs over a period of weeks; her mailbox was getting
> anywhere from dozens to hundreds of bounces from a single forged
> contact address.
>
>   The idea of being able to get back a scored copy of a mail is fine in
> principle, but you need to work out something where it forwards it to a
> fixed address at your server or something of the kind.  That way if it
> gets spammed, it harms nobody but your server.
>   -- Clifton

Quite.  I've blacklisted addresses that bounce improperly addressed spam to
me.  Doing this intentionally is a horrible idea.

-- 
Jay Chandler
Network Administrator, Chapman University
714-628-7249 / [EMAIL PROTECTED]
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never does
quite what I want.  I wish Christopher Robin was here." -- Peter Da Silva in
a.s.r.

Re: Ideas

2006-10-10 Thread Clifton Royston
On Tue, Oct 10, 2006 at 04:31:54PM -0400, Robert Swan wrote:
>OMG, listen.
> 
>We setup regular mail server for companies (mostly exchange servers).
>Once we setup the mail server I want to send an e-mail from that new
>mail server to [EMAIL PROTECTED] I want that email run
>through all the Spamassasin tests then sent back to me with all the
>rules that were triggered etc in the body..
> 
>this domain and SPAM server would be used only for this purpose. So it
>could not be used as a relay or anything like that...

  Yes, but replying to sender is a terrible idea.  Tremendous amounts
of spam get sent to random addresses with a real person's address
forged into the header; with your planned setup, spam from those
addresses to your server would get mailed back to these innocent
parties.

  To give you an idea, I had to permanently cancel some of the contact
addresses at my wife's professional organization because they had been
forged in spam runs over a period of weeks; her mailbox was getting
anywhere from dozens to hundreds of bounces from a single forged
contact address.  

  The idea of being able to get back a scored copy of a mail is fine in
principle, but you need to work out something where it forwards it to a
fixed address at your server or something of the kind.  That way if it
gets spammed, it harms nobody but your server.
  -- Clifton

-- 
Clifton Royston  --  [EMAIL PROTECTED] / [EMAIL PROTECTED]
   President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services


RE: Ideas

2006-10-10 Thread Coffey, Neal
Giampaolo Tomassoni wrote:
> Yes, right. But the abuser would simply forward an e-mail with sa
> scores to the fake originator of the triggering e-mail. I think that
> would be mostly useless to spammers.

To spammers, probably not.  To mailbombers and other ne'er-do-wells,
it's perfect.

> Also, if the '[EMAIL PROTECTED]'
> address is not too widely disclosed, there shouldn't be chance.

I'd be surprised if a dictionary harvester didn't try test@, spam@, and
any other dictionary word.  They already check most common and
not-so-common names.

> Finally, if it becomes to be abused, he would easily change address. 

He could, assuming he notices before too much abuse takes place.  But by
that time, other people have already been inconvenienced by it, and he
might already be getting listed on blacklists besides.

Why not solve the problem *before* it's a problem?  It's very little
extra effort, for something you won't have to worry about again.  The
"if it's abused, I'll change it" approach is more effort (watch those
logs!) and more worry (is anyone abusing it yet?).


R: Ideas

2006-10-10 Thread Giampaolo Tomassoni
> > this domain and SPAM server would be used only for this purpose
> 
> If it's on the Internet, you cannot guarantee this.  Spammers and other
> evildoers are constantly scanning for abusable servers.  It will be
> found quickly, and as soon as someone finds out how to abuse it, it will
> be abused.

Yes, right. But the abuser would simply forward an e-mail with sa scores to the 
fake originator of the triggering e-mail. I think that would be mostly useless 
to spammers. Also, if the '[EMAIL PROTECTED]' address is not too widely 
disclosed, there shouldn't be a chance. Finally, if it becomes abused, he 
would easily change address.

No, come on. It is not that bad. I guess that having a look at some blacklist 
database would probably suffice, but why not...

Anybody running something like this?

giampaolo


> 
> There are three solutions:
> 
> 1) Ensure that this "Spam server" ONLY accepts connections from a very
> small list of authorized computers.  This means you will need to add the
> IP address or domain name of every new server you set up into a
> whitelist on this server.
> 
> 2) Allow connections from anyone, but have "[EMAIL PROTECTED]"
> forward to a single, consistent address (abandon the idea of sending the
> results back to the sender).  This is probably the lowest-maintenance
> and most sane idea.
> 
> 3) Do not expose the server to the internet at all.  This is fine for
> testing servers on your internal network, but obviously won't work if
> you set up servers remotely and wish to test them.
> 
> Regardless of all of this, however, **this is a question for your MTA
> software's mailing list, not for SpamAssassin**.  SA does not receive,
> deliver, forward, send, or otherwise handle the transmission of email.
> It only looks at messages and offers an opinion.  It's up to your mail
> software to determine what happens to that opinion.



Re: Rulesemporium rules

2006-10-10 Thread DAve

Joe Zitnik wrote:
> A simple no would have sufficed.

But I so enjoyed the answer. What was the question again?

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.


R: Ideas

2006-10-10 Thread Giampaolo Tomassoni



 

> OMG, listen.
>
> We setup regular mail server for companies (mostly exchange servers). Once
> we setup the mail server I want to send an e-mail from that new mail server
> to [EMAIL PROTECTED]. I want that email run through all the SpamAssassin
> tests then sent back to me with all the rules that were triggered etc in
> the body..
>
> this domain and SPAM server would be used only for this purpose. So it
> could not be used as a relay or anything like that…

Ah, that! That's just a matter of making a script to be scheduled at the
reception of an e-mail on a given account. Most mail servers do allow it.
Often, you may just do an alias in /etc/aliases where the right part is the
name of your script preceded by a '|' (pipe).

---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100
 

   
   
   
  
  



RE: Ideas

2006-10-10 Thread Chris Santerre



Well that makes more sense. This really doesn't have anything to do with the
servers you are setting up. It's just a simple SA server that scans and you
check the account (or forward to yourself).

Just setup a simple server with SA. Turn reporting on. No biggie.

--Chris

  -Original Message-
  From: Robert Swan [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 10, 2006 4:32 PM
  To: SpamAssassin Users
  Subject: RE: Ideas

  OMG, listen.

  We setup regular mail server for companies (mostly exchange servers). Once
  we setup the mail server I want to send an e-mail from that new mail server
  to [EMAIL PROTECTED]. I want that email run through all the SpamAssassin
  tests then sent back to me with all the rules that were triggered etc in
  the body..

  this domain and SPAM server would be used only for this purpose. So it
  could not be used as a relay or anything like that...
   
   
   
  
  



RE: Rulesemporium rules

2006-10-10 Thread Dan Horne
 >> 10) Making top ten lists. 

Hilarious.  Can I subscribe to those top ten lists with RDJ?





RE: Ideas

2006-10-10 Thread Coffey, Neal
Robert Swan wrote:
>  Once we setup the mail server I want to send an e-mail from that
> new mail server to [EMAIL PROTECTED] I want that email
> run through all the SpamAssassin tests then sent back to me with all
> the rules that were triggered etc in the body.. 

Then mail sent to "[EMAIL PROTECTED]" needs to be forwarded to
a different address.  And since SpamAssassin does not handle any part of
mail delivery, that's a question for your mail server's mailing list.

> this domain and SPAM server would be used only for this purpose

If it's on the Internet, you cannot guarantee this.  Spammers and other
evildoers are constantly scanning for abusable servers.  It will be
found quickly, and as soon as someone finds out how to abuse it, it will
be abused.

There are three solutions:

1) Ensure that this "Spam server" ONLY accepts connections from a very
small list of authorized computers.  This means you will need to add the
IP address or domain name of every new server you set up into a
whitelist on this server.

2) Allow connections from anyone, but have "[EMAIL PROTECTED]"
forward to a single, consistent address (abandon the idea of sending the
results back to the sender).  This is probably the lowest-maintenance
and most sane idea.

3) Do not expose the server to the internet at all.  This is fine for
testing servers on your internal network, but obviously won't work if
you set up servers remotely and wish to test them.

Regardless of all of this, however, **this is a question for your MTA
software's mailing list, not for SpamAssassin**.  SA does not receive,
deliver, forward, send, or otherwise handle the transmission of email.
It only looks at messages and offers an opinion.  It's up to your mail
software to determine what happens to that opinion.
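
Option 2 above, combined with the /etc/aliases pipe suggested elsewhere in this thread, sketched as an added example (not code posted by any list member). The addresses, the local SMTP listener and a `spamassassin` filter on PATH are assumptions; the sample message is constructed from the rule names in the report quoted in the thread.

```python
"""Pipe target for a test alias: the score report goes to one fixed mailbox."""
import re
import smtplib
import subprocess
import sys
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumptions, not from the thread: both addresses and the local SMTP listener.
REPORT_TO = "sa-reports@example.invalid"    # fixed operator mailbox
REPORT_FROM = "sa-test@example.invalid"

# Constructed sample: a message as it looks after SpamAssassin has scored it.
# The sender headers are forged on purpose.
SAMPLE_SCORED = (
    b"Return-Path: <victim@example.org>\r\n"
    b"From: Innocent Party <victim@example.org>\r\n"
    b"Reply-To: victim@example.org\r\n"
    b"To: test@example.invalid\r\n"
    b"Subject: new server check\r\n"
    b"X-Spam-Status: Yes, score=1.2 required=-5.0 tests=DNS_FROM_RFC_ABUSE,\r\n"
    b"\tFH_MSGID_HUGE_40,HTML_MESSAGE,HTML_SHORT_LENGTH,SPF_PASS autolearn=no\r\n"
    b"\tversion=3.1.7\r\n"
    b"\r\n"
    b"hello\r\n"
)


def _num(text):
    """Return text as a float, or None when it is missing or not numeric."""
    try:
        return float(text)
    except (TypeError, ValueError):
        return None


def parse_status(value: str) -> dict:
    """Split an X-Spam-Status value into verdict, score, threshold and rules."""
    verdict, _, rest = value.partition(",")
    # key=value pairs; a value runs until the next " key=" or the end.
    fields = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", rest, flags=re.S))
    tests = [t.strip() for t in fields.get("tests", "").split(",")]
    return {
        "verdict": verdict.strip(),
        "score": _num(fields.get("score")),
        "required": _num(fields.get("required")),
        "tests": [t for t in tests if t and t != "none"],
    }


def build_report(scored_raw: bytes) -> EmailMessage:
    """Build the report. Sender headers are copied as text, never used as recipients."""
    scored = message_from_bytes(scored_raw, policy=policy.default)
    status = parse_status(str(scored.get("X-Spam-Status", "")))
    report = EmailMessage()
    report["From"] = REPORT_FROM
    report["To"] = REPORT_TO                     # constant, never taken from the input
    report["Auto-Submitted"] = "auto-generated"  # RFC 3834: discourages auto-replies
    report["Subject"] = "SA test result: score=%s required=%s" % (
        status["score"], status["required"])
    lines = ["verdict: %s" % status["verdict"]]
    for name in ("Return-Path", "From", "Reply-To"):
        lines.append("claimed %s: %s" % (name, scored.get(name, "(absent)")))
    lines.append("rules hit:")
    lines += ["  " + rule for rule in status["tests"]]
    report.set_content("\n".join(lines) + "\n")
    return report


def main() -> int:
    raw = sys.stdin.buffer.read()
    # spamassassin reads a message on stdin and writes the marked-up copy to stdout.
    scored = subprocess.run(["spamassassin"], input=raw,
                            stdout=subprocess.PIPE, check=True).stdout
    with smtplib.SMTP("localhost") as smtp:
        smtp.send_message(build_report(scored))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the recipient is a constant, a forged From, Reply-To or Return-Path can only fill the operator's own mailbox; nothing is ever mailed to the claimed sender.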


RE: Rulesemporium rules

2006-10-10 Thread Chris Santerre
> Joe Zitnik wrote:
> > A simple no would have sufficed.
> 
> It wouldn't have been as amusing though :)


LOL, Joe don't get upset. You obviously haven't seen enough of my posts to know what I'm like. :) 


We have been testing new stuff all the time. There just isn't much new to go on. I'm working on a set, but $dayjob is keeping me a bit busy. But rest assured that the SARE people are always testing new ideas. 

--Chris





RE: Ideas

2006-10-10 Thread Toll, Eric



So, what is so hard about that? Just setup a server with SA, then
$sa_tag_level_deflt  = -100.0;

Then pop out your emails to yourself.

  From: Robert Swan [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 10, 2006 4:32 PM
  To: SpamAssassin Users
  Subject: RE: Ideas

  OMG, listen.

  We setup regular mail server for companies (mostly exchange servers). Once
  we setup the mail server I want to send an e-mail from that new mail server
  to [EMAIL PROTECTED]. I want that email run through all the SpamAssassin
  tests then sent back to me with all the rules that were triggered etc in
  the body..

  this domain and SPAM server would be used only for this purpose. So it
  could not be used as a relay or anything like that…
   
   
   
  
  



Re: no network tests

2006-10-10 Thread Daryl C. W. O'Shea

Toll, Eric wrote:
> hello list:
>
> I just set up a box who is:
>
> FreeBSD 6.1
> Perl 5.8.7
> Spamassassin 3.1.6
>
> and when I: spamassassin -D --lint, I get the following:
>
> [67350] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
> [67350] dbg: plugin: registered
> Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8ea1124)
> [67350] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
> [67350] dbg: plugin: registered
> Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8f24638)
> [67350] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
> [67350] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8eae7e8)
> [67350] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
> [67350] dbg: dcc: local tests only, disabling DCC


3.1.6+ disables network tests during lint as they don't need to be run 
to confirm a working config.


If you suspect problems with something a network test relies on (another 
Perl module, program, etc.) then running a test message through with 
debug enabled will provide you with the additional info.



Daryl


Re: Rulesemporium rules

2006-10-10 Thread Michele Neylon:: Blacknight.ie
Joe Zitnik wrote:
> A simple no would have sufficed.

It wouldn't have been as amusing though :)


-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239


RE: Rulesemporium rules

2006-10-10 Thread Joe Zitnik
A simple no would have sufficed.

>>> On 10/10/2006 at 4:25 PM, Chris Santerre
<[EMAIL PROTECTED]>
wrote:

> 
>> -Original Message-
>> From: Joe Zitnik [mailto:[EMAIL PROTECTED] 
>> Sent: Tuesday, October 10, 2006 1:39 PM
>> To: users@spamassassin.apache.org 
>> Subject: Rulesemporium rules
>> 
>> 
>> Just out of curiosity, is there a reason why the updates on the
>> rulesemporium rules have dropped so drastically lately?  I understand
>> that the authors all have other things to do, and I am EXTREMELY
>> GRATEFUL for all their hard work.  I was just wondering if there were
>> any other reasons.
> 
> Many possible reasons:
> 
> 1) I was pulling some ticks off my Siberian Husky.
> 2) Ninja Convention?
> 3) Hockey Season Started
> 4) Halloween costumes don't make themselves!
> 5) We're waiting for the Yankees head coach to be fired.
> 6) The Vista Beta is so secure it won't let us in our own machines!
> 7) We have not yet closed all the gates to Oblivion!
> 8) Apple Pickin!
> 9) 1 beer turned out to be 10!
> 10) Making top ten lists. 
> 
> Thanks,
> 
> Chris Santerre
> SysAdmin and Spamfighter
> www.rulesemporium.com 
> www.uribl.com


RE: Ideas

2006-10-10 Thread Robert Swan








OMG, listen.

We setup regular mail server for companies (mostly exchange servers). Once we
setup the mail server I want to send an e-mail from that new mail server to
[EMAIL PROTECTED]. I want that email run through all the SpamAssassin tests
then sent back to me with all the rules that were triggered etc in the body..

this domain and SPAM server would be used only for this purpose. So it could
not be used as a relay or anything like that…

Robert

Peace he would say instead of goodbyepeace my brother.

From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 10, 2006 4:18 PM
To: Robert Swan; SpamAssassin Users
Subject: RE: Ideas

Wait...what?

You want to setup a server that sends spam?

Why not just make an email address, stick it on the usenet and post to a few
sites, have it get normal spam, and just test that one address?

Thanks,

Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com


 















RE: Rulesemporium rules

2006-10-10 Thread Chris Santerre
> -Original Message-
> From: Joe Zitnik [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 10, 2006 1:39 PM
> To: users@spamassassin.apache.org
> Subject: Rulesemporium rules
> 
> 
> Just out of curiosity, is there a reason why the updates on the
> rulesemporium rules have dropped so drastically lately?  I understand
> that the authors all have other things to do, and I am EXTREMELY
> GRATEFUL for all their hard work.  I was just wondering if there were
> any other reasons.


Many possible reasons:


1) I was pulling some ticks off my Siberian Husky.
2) Ninja Convention?
3) Hockey Season Started
4) Halloween costumes don't make themselves!
5) We're waiting for the Yankees head coach to be fired.
6) The Vista Beta is so secure it won't let us in our own machines!
7) We have not yet closed all the gates to Oblivion!
8) Apple Pickin!
9) 1 beer turned out to be 10!
10) Making top ten lists. 


Thanks,


Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com








R: Ideas

2006-10-10 Thread Giampaolo Tomassoni



 

  
> I am trying to setup a SPAM server to test e-mail servers, whether they are
> setup correctly or not..we do mail server setups on a pretty large scale and
> am looking to test the servers once they are built and installed.
>
> Robert

Isn't it better to have a daily excerpt of /var/log/syslog or /var/log/mail
automatically sent to you by e-mail? If you send spam back to the (fake)
sender, your servers are easily going to be enlisted in some blacklist...

You may also get an e-mail for each spam or virus your boxes stop, if you
prefer.
 
 

  
   
   



RE: Ideas

2006-10-10 Thread Chris Santerre



Wait...what?

You want to setup a server that sends spam?

Why not just make an email address, stick it on the usenet and post to a few
sites, have it get normal spam, and just test that one address?

Thanks,
Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com

  -Original Message-
  From: Robert Swan [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 10, 2006 3:56 PM
  To: SpamAssassin Users
  Subject: RE: Ideas

  I am trying to setup a SPAM server to test e-mail servers, whether they are
  setup correctly or not..we do mail server setups on a pretty large scale and
  am looking to test the servers once they are built and installed.
   
  
  
  


RE: Ideas

2006-10-10 Thread Robert Swan








I am trying to setup a SPAM server to test e-mail servers, whether they are
setup correctly or not..we do mail server setups on a pretty large scale and
am looking to test the servers once they are built and installed.

Robert

Peace he would say instead of goodbyepeace my brother.

From: Giampaolo Tomassoni [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 10, 2006 3:53 PM
To: SpamAssassin Users
Subject: R: Ideas

> Hi everyone, I am trying to setup a SPAM server to process incoming email
> and then send it back to the original sender.

You are going to do a spam server yourself: often the source e-mail is forged
or is somebody else's account...

Spam messages often ask the user to click on a link, not to reply.

---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100








no network tests

2006-10-10 Thread Toll, Eric
hello list:
 
I just set up a box who is:
 
FreeBSD 6.1
Perl 5.8.7
Spamassassin 3.1.6
 
and when I: spamassassin -D --lint, I get the following:
 
[67350] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[67350] dbg: plugin: registered
Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8ea1124)
[67350] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
[67350] dbg: plugin: registered
Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8f24638)
[67350] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[67350] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8eae7e8)
[67350] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
[67350] dbg: dcc: local tests only, disabling DCC
[67350] dbg: plugin: registered Mail::SpamAssassin::Plugin::DCC=HASH(0x8ef67b8)
[67350] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[67350] dbg: pyzor: local tests only, disabling Pyzor
[67350] dbg: plugin: registered
Mail::SpamAssassin::Plugin::Pyzor=HASH(0x8f422ec)
[67350] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[67350] dbg: razor2: local tests only, skipping Razor
[67350] dbg: plugin: registered
Mail::SpamAssassin::Plugin::Razor2=HASH(0x8f5434c)
[67350] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[67350] dbg: reporter: local tests only, disabling SpamCop


Yet in v310.pre:

# DCC - perform DCC message checks.
#
# DCC is disabled here because it is not open source.  See the DCC
# license for more details.
#
loadplugin Mail::SpamAssassin::Plugin::DCC
use_dcc 1
# Pyzor - perform Pyzor message checks.
#
loadplugin Mail::SpamAssassin::Plugin::Pyzor
use_pyzor   1
# Razor2 - perform Razor2 message checks.
#
loadplugin Mail::SpamAssassin::Plugin::Razor2

# SpamCop - perform SpamCop message reporting
#
loadplugin Mail::SpamAssassin::Plugin::SpamCop



Any ideas?

Thanks



R: Ideas

2006-10-10 Thread Giampaolo Tomassoni



 

  
> Hi everyone, I am trying to setup a SPAM server to process incoming email
> and then send it back to the original sender.

You are going to do a spam server yourself: often the source e-mail is forged
or is somebody else's account...

Spam messages often ask the user to click on a link, not to reply.

---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100


Ideas

2006-10-10 Thread Robert Swan








Hi everyone, I am trying to setup a SPAM server to process incoming email and
then send it back to the original sender.

I have setup Spamassassin and Postfix (latest version), and they are working
great. I am trying to figure out how to get Postfix to automatically send the
“processed” e-mail back to the sender with all of the processed info in it
like below, any ideas??

Thanks in advance

Robert

 Content analysis details:   (1.2 points, -5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.1 FH_MSGID_HUGE_40       FH_MSGID_HUGE_40
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.6 HTML_SHORT_LENGTH      BODY: HTML is extremely short
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.5 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org

The original message was not completely plain text.

 



 








R: Auto_increment vs SERIAL key types

2006-10-10 Thread Giampaolo Tomassoni
> Another issue may be AWL files, (I suppose a spamassassin question
> also?).  Every 'new' ip/email incoming will create a new  PRIMARY KEY
> (username,email,ip).  If two connections, one on each box, first one
> wins, replication stops and you need to manually issue a bunch of
> commands to skip (two?) transactions and restart slave.

In my opinion, the best way to implement awl is to have a table for each server 
which is basically one-way replicated (from the only originating server to the 
others in the cluster). The table is to be made up of the fields timestamp, 
username, email, ip, and score. Please note I said just "score", not "count" + 
"totscore".

Then, the database may offer a view which merges the tables replicated from the 
various servers (the one "managed" by the server and the ones managed by the 
other servers) in such a way that spamassassin may simply access it like a 
"standard" awl table. I.e., something like:

-- one "union all" branch per server table, awl0 through awlN
select username, email, ip, count(*) as count, sum(score) as totscore
from (
select username, email, ip, score from awl0
union all select username, email, ip, score from awl1
...
union all select username, email, ip, score from awlN
) as merged
group by username, email, ip

The view should be made in such a way that an insert or an update into it would 
automatically trigger an insert in the awl table managed by the server.

Of course, the underlying sql engine has to support views and, most important, 
updates to a view. Maybe I'm wrong, but this is something that mysql doesn't 
do. Besides, that's one of the reasons for which I much prefer postgresql.

You may see that the timestamp field is defined but never used. The idea is 
that the timestamp field is meant to record the time at which a new entry 
entered into the database. This way one may also implement some methods to 
delete "stale" entries. I.e.: suppose a source (email+ip pair) was used to send 
mostly ham and it did so for, say, one year. It may have reached a very high 
totscore and count. Well, now suppose your reliable source started sending a 
lot of spam. Would you like to have to wait a month or so before its 
whitelisting score would start to lower enough to allow the spam detector not 
to pass that stuff? Well, no. One may, for example, have a sql script run, say, 
hourly from a cron job which deletes awl entries older than, say, three months.

Do you like it?

---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100
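
The per-server tables, merged view and stale-entry purge described above, as an added runnable sketch (not code from the post or from SpamAssassin). SQLite stands in for an engine with writable views through INSTEAD OF triggers; the view name `awl`, the function names, the form of the client UPDATE and the choice that each server purges only the table it owns are assumptions, and the sample rows are constructed.

```python
import sqlite3
import time

# awl0 is the table this server writes; awl1 stands for a one-way replicated
# copy of another server's table. Column names follow the post.
SCHEMA = """
CREATE TABLE awl0 (ts INTEGER, username TEXT, email TEXT, ip TEXT, score REAL);
CREATE TABLE awl1 (ts INTEGER, username TEXT, email TEXT, ip TEXT, score REAL);

CREATE VIEW awl AS
  SELECT username, email, ip, COUNT(*) AS count, SUM(score) AS totscore
  FROM (SELECT username, email, ip, score FROM awl0
        UNION ALL
        SELECT username, email, ip, score FROM awl1) AS merged
  GROUP BY username, email, ip;

-- Writes against the view land only in the locally owned table.
CREATE TRIGGER awl_insert INSTEAD OF INSERT ON awl
BEGIN
  INSERT INTO awl0 (ts, username, email, ip, score)
  VALUES (CAST(strftime('%s', 'now') AS INTEGER),
          NEW.username, NEW.email, NEW.ip, NEW.totscore);
END;

CREATE TRIGGER awl_update INSTEAD OF UPDATE ON awl
BEGIN
  INSERT INTO awl0 (ts, username, email, ip, score)
  VALUES (CAST(strftime('%s', 'now') AS INTEGER),
          OLD.username, OLD.email, OLD.ip, NEW.totscore - OLD.totscore);
END;
"""

KEY = "username = ? AND email = ? AND ip = ?"


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record(conn, username, email, ip, score):
    """First sighting of a sender: a plain INSERT against the view."""
    conn.execute("INSERT INTO awl (username, email, ip, totscore) VALUES (?, ?, ?, ?)",
                 (username, email, ip, score))


def add_score(conn, username, email, ip, score):
    """Later sightings: an UPDATE against the view becomes one more local row."""
    conn.execute("UPDATE awl SET count = count + 1, totscore = totscore + ? WHERE " + KEY,
                 (score, username, email, ip))


def lookup(conn, username, email, ip):
    row = conn.execute("SELECT count, totscore FROM awl WHERE " + KEY,
                       (username, email, ip)).fetchone()
    return tuple(row) if row else (0, 0.0)


def prune_local(conn, now, max_age_days=90):
    """The cron-job purge: drop rows older than the cutoff from the local table."""
    cur = conn.execute("DELETE FROM awl0 WHERE ts < ?", (now - max_age_days * 86400,))
    return cur.rowcount


def demo():
    conn, now = open_db(), int(time.time())
    who = ("user", "sender@example.org", "192.0.2.10")   # constructed sample key
    steps = []
    record(conn, *who, 2.5)                               # local write via the view
    conn.execute("INSERT INTO awl1 VALUES (?, ?, ?, ?, ?)", (now, *who, 1.5))  # "replicated"
    steps.append(lookup(conn, *who))
    add_score(conn, *who, 0.5)
    steps.append(lookup(conn, *who))
    conn.execute("INSERT INTO awl0 VALUES (?, ?, ?, ?, ?)",
                 (now - 100 * 86400, *who, 10.0))         # stale local row
    steps.append(lookup(conn, *who))
    pruned = prune_local(conn, now)
    steps.append(lookup(conn, *who))
    return steps, pruned


if __name__ == "__main__":
    print(demo())
```

Since every server only ever inserts rows into its own table, two servers seeing the same new sender at the same moment cannot collide on a shared primary key.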



R: Auto_increment vs SERIAL key types

2006-10-10 Thread Giampaolo Tomassoni
>
> ...omissis...
>
> it did so for, say, one year. It may have reached a very high 

Of course, "high" is instead "low"...


> totscore and count. Well, now suppose your reliable source 
> started sending a lot of spam. Would you like to have to wait a 
> month or so before its whitelisting score would start to lower 

Of course, "lower" is instead "increase".


> enough to allow the spam detector not to pass that stuff? Well, 
> no. One may, for example, have a sql script run, say, hourly from 
> a cron job which deletes awl entries older than, say, three months.



Re: Auto_increment vs SERIAL key types

2006-10-10 Thread SM

At 06:14 10-10-2006, Michael Scheidell wrote:
> I am experimenting with mysql replication, and have done some research
> on key collisions in the case of a 'load balancing' situation (live sql

[snip]

> My concern is over use of SERIAL keys in amavisd-new tables, vs
> AUTO_INCREMENT keys.
> (are SERIAL keys an alias for AUTO_INCREMENT? Are SERIAL keys safe in
> replication situations?)

It's an alias for BIGINT UNSIGNED NOT NULL AUTO_INCREMENT UNIQUE.

See auto_increment_increment and auto_increment_offset (MySQL 5.x).

Regards,
-sm 



spamassassin 3.1.7 make weirdness

2006-10-10 Thread Gregory Zornetzer
Hi,

I'm installing the new spamassassin 3.1.7 on an SGI (IRIX 64 version 6.5).
I ran into a problem running 'make' on the distribution, where make would
not properly create the first file (Dns.pm, I believe).  Using GNU's
make instead of SGI's make alleviated the problem.  Don't know if that
indicates a bug in the perl makefile maker or in SGI's make.  I hope
someone else finds this useful.

-Greg Zornetzer


Rulesemporium rules

2006-10-10 Thread Joe Zitnik
Just out of curiosity, is there a reason why the updates on the
rulesemporium rules have dropped so drastically lately?  I understand
that the authors all have other things to do, and I am EXTREMELY
GRATEFUL for all their hard work.  I was just wondering if there were
any other reasons.


RE: Image Spam Detection

2006-10-10 Thread Bowie Bailey
Marc Perkel wrote:
> I notice that a lot of image spam has a structure where in the source
> the fake text is at the top and the image code is at the bottom but it
> is made to appear so that the image is at the top and the text is at
> the bottom. Seems to me that this should be something we could test
> for? 

Take a look at the FuzzyOCR plugin.

-- 
Bowie


RE: RE: 2 different scores?

2006-10-10 Thread Bowie Bailey
Evan Platt wrote:
> At 12:58 PM 10/9/2006, you wrote:
> 
> > Network tests are definitely missing.  There are two ways to turn
> > off network tests.  The first is with the '-L' option to spamd.  The
> > second is with config options in local.cf.  Using the config options
> > should affect both spamd and spamassassin, so based on the
> > behavior, I would say that it looks like you still have the '-L'
> > option on spamd. Or else they are reading their configuration from
> > different directories.
> 
> My local.cf is pretty basic. Nothing in there about network tests or
> disabling them.
> 
> 
> > One thing you can do is to add the '-D' option to spamd.  This will
> > cause it to log lots of debugging stuff that may help you figure out
> > why it is not running network tests.  This will be written to syslog
> > by default.  This will log LOTS of stuff, so you may want to turn it
> > on, let one or two messages come through, and then turn it off
> > again. You can then read through the debug info and look for
> > problems.  If you can't see anything wrong, post it here and see if
> > we can. 
> 
> 
> 
> http://www.espphotography.com/debug.txt
> 
>  From my untrained eye, it looks like one message did get the tests,
> one didn't?

It looks to me like both messages ran the tests.

[1041] dbg: uridnsbl: done waiting for URIDNSBL lookups to complete
[1041] dbg: uridnsbl: aborting remaining lookups

There seems to be a timeout issue.  Is there something that might be
blocking your DNS lookups?

Also...

[1041] dbg: spf: cannot load or create Mail::SPF::Query module 

This indicates that SPF checking is enabled, but you have not
installed the Perl module for it.  You need to install
Mail::SPF::Query in order to take advantage of SPF.

[1041] dbg: pyzor: pyzor is not available: no pyzor executable found

Pyzor is enabled, but it is not installed.  If you want to use it, you
will need to download and install the pyzor program.

-- 
Bowie


Re: subscribing to the users list documentation

2006-10-10 Thread Michael Parker
Email Lists wrote:
> 
> Personally, I would make it stand out in a different yet better way... it
> isn't like I didn't look for it for 15 minutes and I quit being "stupid"
> years ago...
> 
> Or so I thought  ;-)
> 

It's a WIKI!!!  Make it better!!

Michael


RE: subscribing to the users list documentation

2006-10-10 Thread Email Lists
-> 
-> What is wrong with the following instructions taken from :
-> 
-> http://wiki.apache.org/spamassassin/MailingLists
-> 
-> "Subscription: send mail to users-subscribe -at- spamassassin.apache.org
-> Unsubscribe: send mail to users-unsubscribe -at- spamassassin.apache.org"
-> 
-> 
-> --
-> Anthony Peacock


My fault, that blah at blahblahblah stuff just doesn't jump out at me and
even though it is bold and large, the stuff below it gets my attention more
because they are www "links...

Can anyone relate?

Personally, I would make it stand out in a different yet better way... it
isn't like I didn't look for it for 15 minutes and I quit being "stupid"
years ago...

Or so I thought  ;-)

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net




RE: use of ram after upgrade

2006-10-10 Thread Balzi Andrea
I've tried it, but now I have the following usage:

Tasks:  83 total,   2 running,  81 sleeping,   0 stopped,   0 zombie
 Cpu0 :   0.0% user,   1.3% system,   1.7% nice,  97.0% idle
 Cpu1 :   0.0% user,   1.3% system,   0.0% nice,  98.7% idle
 Cpu2 :   0.0% user,   0.0% system,   1.3% nice,  98.7% idle
 Cpu3 :   0.0% user,   0.0% system,  98.7% nice,   1.3% idle
Mem:   6206432k total,   909444k used,  5296988k free,   117224k buffers
Swap:  284k total, 7856k used,  1992228k free,70724k cached

  PID  PPID  PR  NI S #C  RES  SHR SWAP   TIME COMMAND
15404 15386  15  10 S  1 354m  33m    0   5:29 spamd child
15405 15386  19  10 R  2 176m  34m    0   4:33 spamd child
15626 15386  14  10 S  0  88m  36m    0   0:22 spamd child
15645 15386  15  10 S  3  85m  36m    0   0:07 spamd child
15386     1  15  10 S  2  73m  36m    0   0:03 /usr/sbin/spamd

> -Original Message-
> From: Dave Pooser [mailto:[EMAIL PROTECTED] 
> Sent: martedì 10 ottobre 2006 18.09
> To: users@spamassassin.apache.org
> Subject: Re: use of ram after upgrade
> 
> >  4.7M Oct 10 03:00 blacklist-uri.cf
> 
> Remove this and use URI blacklists instead. Notice how this 
> rule's size is orders of magnitude greater than any of the 
> others you listed? Same goes for its RAM footprint.
> --
> Dave Pooser
> Cat-Herder-in-Chief, Pooserville.com
> "...Life is not a journey to the grave with the intention of 
> arriving safely in one pretty and well-preserved piece, but 
> to slide across the finish line broadside, thoroughly used 
> up, worn out, leaking oil, and shouting GERONIMO!!!" -- Bill McKenna
> 
> 
> 


more than one X-Spam-Flag

2006-10-10 Thread Stefan Jakobs
Hello list,

I use a mailrelay with postfix, amavis-new 2.3.3 and spamassassin.
Is it possible for amavis to add an "X-Spam-Flag" each time the mail 
goes through it? Usually amavis will overwrite the "X-Spam-Flag" if the mail 
passes amavis a second time. But I need a second "X-Spam-Flag".

Does anybody know a way I can achieve that?

Greetings Stefan


Re: double letter porn

2006-10-10 Thread Justin Mason

hi Chris --
Sorry to hear it didn't work out -- but thanks for the great analysis!

--j.

Chris St. Pierre writes:
> If anyone's curious, I did some followup research on the ideas below
> and found them to be, generally, totally unfeasible.
> 
> I downloaded the TREC corpus and generated a list of words that
> commonly appeared in spam.  I used the top 1000 most common words of
> greater than four letters in the TREC spam that were NOT in the top
> 1000 most common >4 letter words in the TREC ham.
> 
> I then did two sets of tests on a few sample hams and spams, and the
> results convinced me that it was not even necessary to run the tests
> on the whole corpus.
> 
> For each message, I compared each word of greater than four letters
> with each word in my spam wordlist with the Wagner-Fischer distance, a
> slightly modified Levenshtein distance.  With W-F, I was able to give
> greater weight to letter replacements, so "viagna" would be further
> from "viagra" than, say, "viagrra."  I also compared the Metaphone
> representation of each word of >4 letters with the Metaphone hashes of
> each word in my spam wordlist, again with Wagner-Fischer.  I discarded
> those distances that were too high and then computed a score for each
> message with the following formula:
> 
>  ^ 2 / ( + 1) + 
>   ^ 2 / ( + 1)
> 
> I ran this on the first ten spams and hams in the corpus.  The mean
> score for spams was 365.7 and the median was 12.5; the mean score for
> hams was 3715.565 and the median was 1103.6.  More than anything, the
> results seem to indicate the length of the message rather than the
> spamminess.
> 
> Processor time was also a problem; the largest message scanned took
> over 23 minutes to process.  The quickest was under 3 seconds, but the
> average was around 45 seconds, with ham taking much longer to process
> than spam.
> 
> Running either test individually -- the plain text W-F distance or the
> metaphone W-F distance -- did not show an appreciable improvement in
> the accuracy of the algorithm, although the processing time improved.
> 
> It's too bad this won't work, although if someone else wants to take a
> crack at it, I'd be happy to share my code, word lists, etc.
> 
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
> 
> On Thu, 5 Oct 2006, Chris St. Pierre wrote:
> 
> >One thing I've wondered/thought about is using the Levenshtein
> >difference between the words in an email and a list of spam words
> >(ideally pulled from the bayes db).  In this case, all of the
> >misspelled words in that sample have a L-distance of 1 from the real
> >word -- in other words, they're *very* close.
> >
> >I think the problem would be that this would consume tons of
> >resources.  Anything else, though, would be susceptible to other typo
> >attacks.  For instance, say you took each email, and replaced all
> >doubled letters with single letters, it wouldn't be long before you
> >were getting spam advertising "analr bictches" or the like.
> >
> >Chris St. Pierre
> >Unix Systems Administrator
> >Nebraska Wesleyan University
> >
> >On Wed, 4 Oct 2006, Eric A. Hall wrote:
> >
> >>
> >>On 10/4/2006 5:57 PM, Richard Doyle wrote:
> >>> I've been getting lots of porn site spam containing words with doubled
> >>> letters, like this one:
> >>
> >>> Can anybody suggest a rule or ruleset to catch these double-letter
> >>> obfuscations? I'm using Spamassassin 3.1.4.
> >>
> >>You'd probably need to write a plug-in that used some kind of
> >>typo-matching logic to find porno words.
> >>
> >>Would be a good plug-in actually. Get busy :)
> >>
> >>-- 
> >>Eric A. Hall             http://www.ehsco.com/
> >>Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/
> >>
> >


Re: use of ram after upgrade

2006-10-10 Thread Dave Pooser
>  4.7M Oct 10 03:00 blacklist-uri.cf

Remove this and use URI blacklists instead. Notice how this rule's size is
orders of magnitude greater than any of the others you listed? Same goes for
its RAM footprint.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna




Hostmonster and SpamAssassin

2006-10-10 Thread Keith

Help,

I recently moved my hosting from Dreamhost.com to 
Hostmonster.com.  When I was at Dreamhost, I was able to load a local 
copy of SpamAssassin and configure it to use Bayesian and DNS 
filtering which worked wonderfully well.  Now at Hostmonster, they 
have version 3.1.4 installed but I do not know how to configure the 
SpamAssassin to properly filter my e-mail.  Before on Dreamhost, I 
would let my spam build up in the Trash folder and once a week, I 
would have SpamAssassin learn the spam from the trash using a MySQL 
database.  I learned to do this by following the detailed instructions at 
http://www.unsaturated.com/projects.spamassassinMySQL.html.


What questions do I need to ask my host provider to see if I can help 
filter my e-mail?  The SpamAssassin 3.1.4 is server wide, are there 
local features that I can add to it to help fight all of this 
spam?  My experience level is low but I am familiar with logging into 
my shell (SSH) with Putty and working my way around UNIX or Linux a little bit.


Thank you,
Keith



use of ram after upgrade

2006-10-10 Thread Balzi Andrea
Hi

I have upgraded my spamassassin to version 3.1.7 and after the restart
of the process I have seen an increase in the use of RAM.
I use the default rules of spamassassin and the following rules:

  53K Apr 20 11:00 70_sare_adult.cf
 3.8K Jun  2  2005 70_sare_bayes_poison_nxm.cf
  24K Oct  5  2005 70_sare_evilnum0.cf
 1.6K Jun  2  2005 70_sare_evilnum1.cf
 6.9K Jun  2  2005 70_sare_evilnum2.cf
 184K Dec 27  2005 70_sare_genlsubj.cf
  32K Dec 27  2005 70_sare_genlsubj_eng.cf
 376K Oct 30  2005 70_sare_header.cf
 8.0K May 21 22:00 70_sare_header_eng.cf
 4.4K Jun  2  2005 70_sare_highrisk.cf
 105K Jun  4 07:00 70_sare_html.cf
  39K Jun  4 07:00 70_sare_html4.cf
 3.1K Jun  4 07:00 70_sare_html_eng.cf
 155K Oct  1  2005 70_sare_obfu.cf
 6.0K Oct  1  2005 70_sare_obfu2.cf
  14K Oct  1  2005 70_sare_obfu3.cf
  13K Dec 27  2005 70_sare_oem.cf
  18K Dec 12  2005 70_sare_random.cf
  96K May 28 05:00 70_sare_specific.cf
  20K Jul 25 18:00 70_sare_spoof.cf
  54K Sep 22 23:00 70_sare_stocks.cf
  25K Nov 12  2005 70_sare_unsub.cf
  18K Oct  5  2005 70_sare_uri0.cf
  24K Oct 11  2005 70_sare_uri1.cf
 8.4K Oct  5  2005 70_sare_uri3.cf
 5.0K Oct  5  2005 70_sare_uri_eng.cf
  49K May 16 05:00 70_sare_whitelist.cf
 8.8K Sep 25 19:00 70_sc_top200.cf
 104K Jul 31 00:50 70_zmi_german.cf
  13K Jun  2  2005 72_sare_bml_post25x.cf
  16K May 16 05:00 72_sare_redirect_post3.0.0.cf
  79K Sep 25 19:00 88_FVGT_body.cf
  50K Aug 27 12:34 88_FVGT_headers.cf
  16K Apr 25 17:00 88_FVGT_rawbody.cf
  57K Jul 31 20:00 88_FVGT_subject.cf
  18K Jul  6 18:00 88_FVGT_uri.cf
  55K Jun  2  2005 99_FVGT_Tripwire.cf
  12K Jun  2  2005 99_FVGT_meta.cf
  776 Sep 29 12:09 99_blacklist_arthis.cf
  26K Sep 14 14:19 99_jam.cf
 2.0K Sep 14 15:31 99_jam_virus.cf
  10K Jun  2  2005 99_sare_fraud_post25x.cf
 9.7K Oct  9 08:15 99_whitelist_arthis.cf
 5.3K Oct  4 21:54 FuzzyOcr.cf
  415 Oct  3 10:15 FuzzyOcr.words
 4.7M Oct 10 03:00 blacklist-uri.cf
 108K Dec 15  2005 bogus-virus-warnings.cf
  23K Jun  2  2005 chickenpox.cf
 4.6K Aug  6 03:57 imageinfo.cf
  946 Sep 15 07:50 init.pre
 1.5K Oct  1 10:39 local.cf
 2.2K Sep 21 11:26 mime_validate.cf
 4.8K May 25  2004 random.cf
  55K Jun  2  2005 tripwire.cf
 2.3K Oct  3 10:30 v310.pre
  806 Sep 15 09:29 v312.pre
 3.8K Jun  2  2005 weeds.cf

Below I've pasted part of the top command output on my server.

Tasks:  93 total,   1 running,  91 sleeping,   0 stopped,   1 zombie
 Cpu0 :   0.0% user,   0.3% system,   6.0% nice,  93.7% idle
 Cpu1 :   0.0% user,   0.0% system,   0.0% nice, 100.0% idle
 Cpu2 :   0.3% user,   1.3% system,  12.6% nice,  85.8% idle
 Cpu3 :   0.3% user,   0.7% system,   4.3% nice,  94.7% idle
Mem:   6206432k total,  1103800k used,  5102632k free,   108804k buffers
Swap:  284k total, 7856k used,  1992228k free,65000k cached

  PID  PPID  PR  NI S #C  RES  SHR SWAP   TIME COMMAND
12411  7632  15  10 S  0 335m  75m    0   0:10 spamd child
 7719  7632  15  10 S  0 180m  76m    0   0:38 spamd child
14332  7632  15  10 S  0 173m  77m    0   0:33 spamd child
14365  7632  15  10 S  1 161m  78m    0   0:19 spamd child
14665  7632  17  10 D  3 153m  78m    0   0:02 spamd child
14684  7632  14  10 S  0 150m  95m    0   0:00 spamd child
 7632     1  15  10 S  3 149m  95m    0   0:12 /usr/sbin/spamd

Is it a rules problem?

Andrea



Re: double letter porn

2006-10-10 Thread Chris St. Pierre
If anyone's curious, I did some followup research on the ideas below
and found them to be, generally, totally unfeasible.

I downloaded the TREC corpus and generated a list of words that
commonly appeared in spam.  I used the top 1000 most common words of
greater than four letters in the TREC spam that were NOT in the top
1000 most common >4 letter words in the TREC ham.

I then did two sets of tests on a few sample hams and spams, and the
results convinced me that it was not even necessary to run the tests
on the whole corpus.

For each message, I compared each word of greater than four letters
with each word in my spam wordlist with the Wagner-Fischer distance, a
slightly modified Levenshtein distance.  With W-F, I was able to give
greater weight to letter replacements, so "viagna" would be further
from "viagra" than, say, "viagrra."  I also compared the Metaphone
representation of each word of >4 letters with the Metaphone hashes of
each word in my spam wordlist, again with Wagner-Fischer.  I discarded
those distances that were too high and then computed a score for each
message with the following formula:

 ^ 2 / ( + 1) + 
  ^ 2 / ( + 1)

I ran this on the first ten spams and hams in the corpus.  The mean
score for spams was 365.7 and the median was 12.5; the mean score for
hams was 3715.565 and the median was 1103.6.  More than anything, the
results seem to indicate the length of the message rather than the
spamminess.

Processor time was also a problem; the largest message scanned took
over 23 minutes to process.  The quickest was under 3 seconds, but the
average was around 45 seconds, with ham taking much longer to process
than spam.

Running either test individually -- the plain text W-F distance or the
metaphone W-F distance -- did not show an appreciable improvement in
the accuracy of the algorithm, although the processing time improved.

It's too bad this won't work, although if someone else wants to take a
crack at it, I'd be happy to share my code, word lists, etc.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Thu, 5 Oct 2006, Chris St. Pierre wrote:

>One thing I've wondered/thought about is using the Levenshtein
>difference between the words in an email and a list of spam words
>(ideally pulled from the bayes db).  In this case, all of the
>misspelled words in that sample have a L-distance of 1 from the real
>word -- in other words, they're *very* close.
>
>I think the problem would be that this would consume tons of
>resources.  Anything else, though, would be susceptible to other typo
>attacks.  For instance, say you took each email, and replaced all
>doubled letters with single letters, it wouldn't be long before you
>were getting spam advertising "analr bictches" or the like.
>
>Chris St. Pierre
>Unix Systems Administrator
>Nebraska Wesleyan University
>
>On Wed, 4 Oct 2006, Eric A. Hall wrote:
>
>>
>>On 10/4/2006 5:57 PM, Richard Doyle wrote:
>>> I've been getting lots of porn site spam containing words with doubled
>>> letters, like this one:
>>
>>> Can anybody suggest a rule or ruleset to catch these double-letter
>>> obfuscations? I'm using Spamassassin 3.1.4.
>>
>>You'd probably need to write a plug-in that used some kind of
>>typo-matching logic to find porno words.
>>
>>Would be a good plug-in actually. Get busy :)
>>
>>-- 
>>Eric A. Hall             http://www.ehsco.com/
>>Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/
>>
>
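
The plain-text half of the comparison described in the message above, as an added example (not Chris St. Pierre's code). The costs, the threshold, the wordlist and both sample messages are assumptions constructed here; the Metaphone pass and the scoring formula are left out. The `limit` cut-off goes beyond what the post describes, to bound the work done per word pair.

```python
"""Weighted Wagner-Fischer distance against a spam wordlist.

Added illustration: costs, threshold, wordlist and sample messages are
assumptions constructed for this example, not values from the thread.
"""
import re

INDEL_COST = 1  # assumed cost of inserting or deleting one letter
SUB_COST = 2    # assumed cost of replacing one letter (weighted higher)

WORD_RE = re.compile(r"[a-z]{5,}")  # words of more than four letters

# Constructed sample data.
WORDLIST = ("viagra", "pharmacy", "mortgage", "offer")
SPAM_SAMPLE = "Cheap viagrra and viagna from our pharmaccy"
HAM_SAMPLE = "Our lender offers mortgages to first-time buyers"


def wf_distance(a, b, limit=None, indel=INDEL_COST, sub=SUB_COST):
    """Return the weighted edit distance between a and b.

    With a limit, return None as soon as the distance is known to
    exceed it, so hopeless pairs cost far less than a full table.
    """
    # The length difference alone forces that many insertions/deletions.
    if limit is not None and abs(len(a) - len(b)) * indel > limit:
        return None
    prev = [j * indel for j in range(len(b) + 1)]
    for i, ca in enumerate(a, 1):
        cur = [i * indel]
        for j, cb in enumerate(b, 1):
            cur.append(min(
                prev[j] + indel,                          # delete ca
                cur[j - 1] + indel,                       # insert cb
                prev[j - 1] + (0 if ca == cb else sub),   # match or replace
            ))
        # Every alignment crosses each row and costs never decrease,
        # so the row minimum is a lower bound on the final distance.
        if limit is not None and min(cur) > limit:
            return None
        prev = cur
    dist = prev[-1]
    if limit is not None and dist > limit:
        return None
    return dist


def near_matches(text, wordlist, limit=1):
    """Return sorted (word, listed_word, distance) tuples within limit."""
    hits = set()
    for word in set(WORD_RE.findall(text.lower())):
        for listed in wordlist:
            dist = wf_distance(word, listed, limit)
            if dist is not None:
                hits.add((word, listed, dist))
    return sorted(hits)


if __name__ == "__main__":
    # A doubled letter is one insertion; a replaced letter costs more.
    print("viagrra:", wf_distance("viagrra", "viagra"))
    print("viagna: ", wf_distance("viagna", "viagra"))
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        for limit in (1, 2):
            print(label, "limit", limit, near_matches(sample, WORDLIST, limit))
```

In the constructed ham sentence, ordinary inflected words ("offers", "mortgages") fall inside the same threshold as the doubled-letter obfuscations.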


Re: subscribing to the users list documentation

2006-10-10 Thread Anthony Peacock

Hi,

Email Lists wrote:

> Greetings
>
> I was looking for specifics in subscribing to this list...
>
> So I looked at the webpages and nothing tells me specifically how, that I
> might share it on another list where people are asking questions that should
> possibly be asked here.
>
> Can someone fix the looping webpages between
>
> http://spamassassin.apache.org/
>
> and the wiki it never seems to show how to get on the users list.
>
> Kinda takes you from one place to the other without ever telling you...
> shows how to get on all other kinds of email lists though
>
> Anyways, thanks... obviously I am on it, yet I got the info off another
> list...


What is wrong with the following instructions taken from :

http://wiki.apache.org/spamassassin/MailingLists

"Subscription: send mail to users-subscribe -at- spamassassin.apache.org
Unsubscribe: send mail to users-unsubscribe -at- spamassassin.apache.org"


--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas." -- George Bernard Shaw


subscribing to the users list documentation

2006-10-10 Thread Email Lists

Greetings

I was looking for specifics in subscribing to this list...

So I looked at the webpages and nothing tells me specifically how, that I
might share it on another list where people are asking questions that should
possibly be asked here.

Can someone fix the looping webpages between

http://spamassassin.apache.org/

and the wiki it never seems to show how to get on the users list.

Kinda takes you from one place to the other without ever telling you...
shows how to get on all other kinds of email lists though

Anyways, thanks... obviously I am on it, yet I got the info off another
list...

Thanks

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net
 




RE: Google toolbar's whitelist

2006-10-10 Thread Michael Scheidell
 
Not until secnap.com and jmason.org are in there :-)



Re: How do I use size of mail in a ruleset

2006-10-10 Thread Theo Van Dinter
On Tue, Oct 10, 2006 at 12:39:16PM +0530, Ramprasad wrote:
> I want to use size of mail in a custom ruleset.
> Can I get this as any parameter. Can someone please give me an example 

You'd have to define "size of a mail" (the whole mail?  headers?  body?
decoded body?  rendered body?  text/non-text?) and then write a plugin
to look that up and return the appropriate true/false value for the rule.

-- 
Randomly Selected Tagline:
"This is a beta release of Red Hat Linux.  It is not intended for mission
 critical applications.  It's not even intended for non-mission critical
 applications.  Important data should not be entrusted to Wolverine,
 as it may eat it and make loud belching noises."
 - RedHat Beta release "Wolverine"




Google toolbar's whitelist

2006-10-10 Thread Justin Mason
I'm sure someone will find this useful:

http://sb.google.com/safebrowsing/update?version=goog-white-domain:1:-1

found via http://blog.outer-court.com/forum/67024.html ,

--j.


Re: Need help with several things in SA

2006-10-10 Thread Daniel T. Staal
On Tue, October 10, 2006 12:38 am, Steve Lake said:
> Ok, I've got several pesky problems that won't go away and I need some
> help.  On some emails it automatically flags some as ham and says
> "autolearn=ham" and others that say "autolearn=no".  I'm guessing that
> the autolearn feature isn't always working.  Is there a way I can
> completely turn it off?  I know there used to be a way, but I can't
> figure it out in the newer version.

Autolearn tries very hard to make sure the message is definitively ham or
spam before learning it.  A lot of low-scoring emails are not autolearned
therefore; this is normal and expected.

Of course, learning them would help.  ;)

As for turning it off: there is a config parameter called
'bayes_auto_learn'.  The default is 1.  Set it to 0 to turn autolearn off.

Daniel T. Staal

---
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---



Re: blacklist_to does not work?

2006-10-10 Thread Matt Kettler
Komandur N Kannan wrote:
> Hello,
>
> We use MDaemon mail server with SA. I wanted to block certain
> recipient addresses from receiving email. So I added this
> address as "blacklist_to" in local.cf file. However this does not seem
> to have any effect. Alt-n advised me to use this forum which should
> hopefully provide a solution. 

Well, this won't work based on the recipient unless your MTA inserts
clues in the Received: headers.

In general, this will only work if the message's To: or Cc: header
contains the stated address.

So, if you've blacklist_to'ed [EMAIL PROTECTED], that account can still
receive email without being tagged as spam, provided it's effectively
"bcc'ed" to them, and not addressed To: or Cc: them in the headers.

A much more effective way would be to configure the MTA to just refuse
to accept mail for that user at the transport level. (provided it's not
an RFC required address like postmaster, abuse, etc)


That said, if that's not much help, I'll admit I have no significant
knowledge of MDaemon. MDaemon is a commercial product with its own
support. I have very little idea of how MDaemon works, or how it has
integrated SA, and I'm not sure if it really is technically SpamAssassin
anymore, or a "derivative work".

For example, my first questions of a normal unix platform SA user would be:

what file did you add this to? /etc/mail/spamassassin/local.cf? a
user_prefs? Which user?
Do you use spamd? Did you restart it?

However, I don't know if those questions are even applicable to MDaemon,
and I doubt they would make much sense to you.

I'd suggest trying MDaemon's support, unless you happen to bump into
someone on this list who happens to be familiar with MDaemon's quirks.


Re: sa-update and 'doesnotexist'

2006-10-10 Thread Ben Lentz





> Ben Lentz <[EMAIL PROTECTED]> writes:
>
>> So, as you might guess, I'm confused. sa-update was, to my knowledge,
>> working in 3.1.3, but with 3.1.6 it seems that it's having a tough
>> time finding my sys rules directory.
>>
>> I apologize if I'm being thick about this, but any pointers and/or
>> enlightenment would be greatly appreciated. I'm guessing I'm going to
>> start digging into some changelogs to see what I've been missing out
>> on since July. :-)
>
> Upgrade to 3.1.7 which has been released to fix that very bug.
  

Thanks! I was just made aware of this about 15 minutes ago (thanks Larry).

But because I couldn't find 3.1.7 on CPAN yet, I:

curl 'http://issues.apache.org/SpamAssassin/attachment.cgi?id=3712&action=view' \
  | sed -e 's/sa-update\.raw/sa-update/g' | patch -d /usr/bin -p0




Re: sa-update and 'doesnotexist'

2006-10-10 Thread Graham Murray
Ben Lentz <[EMAIL PROTECTED]> writes:

> So, as you might guess, I'm confused. sa-update was, to my knowledge,
> working in 3.1.3, but with 3.1.6 it seems that it's having a tough
> time finding my sys rules directory.
>
> I apologize if I'm being thick about this, but any pointers and/or
> enlightenment would be greatly appreciated. I'm guessing I'm going to
> start digging into some changelogs to see what I've been missing out
> on since July. :-)

Upgrade to 3.1.7 which has been released to fix that very bug.


RE: sa-update and 'doesnotexist'

2006-10-10 Thread Rosenbaum, Larry M.
> From: Ben Lentz [mailto:[EMAIL PROTECTED]
> 
> Greetings, List!
> I just upgraded from sa 3.1.3 to sa 3.1.6 and am having some weird
> problems with sa-update that I've never seen before. It would seem that
> my sys rules/default rules directory (/usr/share/spamassassin) is not
> being loaded by sa-update's internal lint test, but that my site rules
> directory (/etc/mail/spamassassin) is. And because my site rules
> directory has references to things in my sys rules directory, sa-update
> refuses to run because it thinks my rules are borked. Really, it's just
> not reading what's there.

This is a known bug in 3.1.6.  It is fixed in 3.1.7, which was just
released today.


sa-update and 'doesnotexist'

2006-10-10 Thread Ben Lentz

Greetings, List!
I just upgraded from sa 3.1.3 to sa 3.1.6 and am having some weird 
problems with sa-update that I've never seen before. It would seem that 
my sys rules/default rules directory (/usr/share/spamassassin) is not 
being loaded by sa-update's internal lint test, but that my site rules 
directory (/etc/mail/spamassassin) is. And because my site rules 
directory has references to things in my sys rules directory, sa-update 
refuses to run because it thinks my rules are borked. Really, it's just 
not reading what's there.


Testing my rule set with spamassassin --lint and/or spamd -p 1234 -D 
shows no errors, and aside from sa-update being broken, the upgrade has 
gone quite smoothly.


When running sa-update in debug mode, I noticed this, which is where I 
think things must be going awry:

[20368] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[20368] dbg: config: read file /etc/mail/spamassassin/init.pre
[20368] dbg: config: using "/usr/share/spamassassin/doesnotexist" for sys rules pre files
[20368] dbg: config: using "/usr/share/spamassassin/doesnotexist" for default rules dir
[20368] dbg: config: using "/etc/mail/spamassassin" for site rules dir

/usr/share/spamassassin/doesnotexist? WTF? Silly sa-update, that's where 
all my goodies are.


I found the string 'doesnotexist' hard coded in /usr/bin/sa-update, twice:
sub lint_check_dir {
 my $dir = shift;

 # due to the Logger module's globalness (all M::SA objects share the same
 # Logger setup), we can't change the debug level here to only include
 # "config" or otherwise be more terse. :(
 my $spamtest = new Mail::SpamAssassin( {
   rules_filename  => $dir,
   userprefs_filename  => File::Spec->catfile($dir, "doesnotexist"),

So, as you might guess, I'm confused. sa-update was, to my knowledge, 
working in 3.1.3, but with 3.1.6 it seems that it's having a tough time 
finding my sys rules directory.


I apologize if I'm being thick about this, but any pointers and/or 
enlightenment would be greatly appreciated. I'm guessing I'm going to 
start digging into some changelogs to see what I've been missing out on 
since July. :-)


Re: bayes corruption: 'no such file or directory'

2006-10-10 Thread Matt Kettler
[EMAIL PROTECTED] wrote:
> Hi,
>
> Since upgrading our mail relay to solaris 10 and all the latest greatest 
> spamassassin / mimedefang / sendmail versions, i'm faced with curious 
> bayes db corruption happening after approx. 1 day:
>
> i've got these parameters set: in sa-mimedefang.cf:
>
> use_bayes 1
> bayes_auto_learn 1
> bayes_path /var/spool/MIMEDefang-bayes/bayes
> bayes_file_mode 0666
>   
You want 0777, not 0666 here. This can be used to create directories and
SA needs the "x" bit on those. Also, this isn't really a mode specifier,
it's a mask, so the database files themselves will still be created 666.

(Check the docs, note the default is 0700 not 0600.)
>
> This is the contents of the bayes directory:
>
> -bash-3.00# ls -la /var/spool/MIMEDefang-bayes/
> total 37588
> drwxr-xr-x   2 defang   defang   512 Oct 10 09:38 .
> drwxr-xr-x  15 root bin  512 Sep 19 07:55 ..
> -rw-rw-rw-   1 defang   defang114608 Oct 10 04:56 bayes_journal
> -rw-rw-rw-   1 defang   defang   2613248 Oct 10 05:08 bayes_seen
> -rw-rw-rw-   1 defang   defang   20946944 Oct 10 09:38 bayes_toks
>   
Your problem appears to be that the MIMEDefang-bayes directory is 755
permissions, not 777.

>
> Does anyone use an sql backend instead of the Berkeley flat file db ? Is it 
> faster / slower ?
>   
The SQL backend is significantly faster.

http://wiki.apache.org/spamassassin/BayesBenchmarkResults

Note that SDBM is also faster than Berkeley, and I use that myself. My
only problem with it was some minor issues with the dump/restore process
that forced me to rename a file to make it work properly.




Create SpamD on Win32 problems

2006-10-10 Thread umayxa3

I am trying to get SpamD running with SpamAssassin 3.1.6 and Active Perl
5.8.8. I have carefully followed the guidelines from -
http://wiki.apache.org/spamassassin/SpamdOnWindows

I now get the following error:

D:\IMail>spamd
[2260] error: logger: syslog initialization failed
[2260] warn: logger: failed to add syslog method
[2260] info: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
[2260] warn: No such signal: SIGUSR2 at D:\Perl\bin\spamd.bat line 755.
[2260] info: spamd: server started on port 783/tcp (running version 3.1.6)
[2260] info: spamd: server pid: 2260
[2260] error: backchannel: set non-blocking failed: Bad file descriptor at D:\Perl\site\lib/Mail/SpamAssassin/SubProcBackChannel.pm line 78.
backchannel: set non-blocking failed: Bad file descriptor at D:\Perl\site\lib/Mail/SpamAssassin/SubProcBackChannel.pm line 78.

I'm not sure what to do.

Any help would be appreciated.




Re: Auto_increment vs SERIAL key types

2006-10-10 Thread Michael Scheidell
Michael Scheidell wrote:
> I am experimenting with mysql replication, and have done some research
> on key collisions in the case of a 'load balancing' situation (live sql
> servers running on each amavisd server), using either same mx weight, or
> VRRP/CARP, heartbeat, virtual ip type setups.  'random' smtp connections
> could hit each server, and each server has a local mysql DB, in a dual
> master/slave replication setup. (updates to either db propagate to the
> other, works fine, creates lots of traffic, so maybe use a second nic
> and an xover cable..)
>
>
>
> Another issue may be AWL files, (I suppose a spamassassin question
> also?).  Every 'new' ip/email incoming will create a new  PRIMARY KEY
> (username,email,ip).  If two connections, one on each box, first one
> wins, replication stops and you need to manually issue a bunch of
> commands to skip (two?) transactions and restart slave.
>
>   
and I suppose the Bayesian files also:

"duplicate key exists"  - I could go in and stop the slave, delete rows
similar to the token, start the slave again, and usually it would move
on but due to not being able to correctly copy and paste the binary data
to search with, sometimes 0 rows would be deleted and sometimes hundreds
would be deleted. This probably had some effect on the quality of the
filtering so I gave up on this approach.

http://ckdake.com/node/64


-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
[EMAIL PROTECTED]  / 1+561-999-5000, x 1131



Auto_increment vs SERIAL key types

2006-10-10 Thread Michael Scheidell
I am experimenting with mysql replication, and have done some research
on key collisions in the case of a 'load balancing' situation (live sql
servers running on each amavisd server), using either same mx weight, or
VRRP/CARP, heartbeat, virtual ip type setups.  'random' smtp connections
could hit each server, and each server has a local mysql DB, in a dual
master/slave replication setup. (updates to either db propagate to the
other, works fine, creates lots of traffic, so maybe use a second nic
and an xover cable..)

My concern is over use of SERIAL keys in amavisd-new tables, vs
AUTO_INCREMENT keys.
(are SERIAL keys an alias for AUTO_INCREMENT? Are SERIAL keys safe in
replication situations?)

I have seen documentation saying that 'auto_increment' works as expected
in replication situations, but can't find any information on SERIAL
keys.

http://www.weberdev.com/Manuals/MySQL3.X_4.X/replication.html#replication-features

Another issue may be AWL files, (I suppose a spamassassin question
also?).  Every 'new' ip/email incoming will create a new  PRIMARY KEY
(username,email,ip).  If two connections, one on each box, first one
wins, replication stops and you need to manually issue a bunch of
commands to skip (two?) transactions and restart slave.

 --slave-skip-errors=[err_code1,err_code2,... | all]

Normally, replication stops when an error occurs, which gives you the
opportunity to resolve the inconsistency in the data manually. This
option tells the slave SQL thread to continue replication when a
statement returns any of the errors listed in the option value.

Do not use this option unless you fully understand why you are getting
errors. If there are no bugs in your replication setup and client
programs, and no bugs in MySQL itself, an error that stops replication
should never occur. Indiscriminate use of this option results in slaves
becoming hopelessly out of sync with the master, with you having no idea
why this has occurred

I am using Innodb DB type on Freebsd5, and mysql 4.1.20ish.


-- 
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts: http://www.secnap.com/news



Re: Mail Backing up while SpamAssassin is in Use

2006-10-10 Thread Derek Catanzaro

Matt Kettler wrote:
> jdow wrote:
>> From: "Derek Catanzaro" <[EMAIL PROTECTED]>
>>> Matt Kettler wrote:
>>>> Derek Catanzaro wrote:
>>>>> I have been having issues with mail backing up on and off over the
>>>>> past week.  I am using MailScanner with SpamAssassin.  This morning
>>>>> for example, I had roughly 500 messages waiting in
>>>>> /var/spool/mqueue.in and that number had increased to about 2200 in
>>>>> less than an hour.  I then tell MailScanner to stop using SpamAssassin
>>>>> to try and identify if the problem is with SpamAssassin or not and now
>>>>> I'm back down to less than 50 messages waiting in the queue in less
>>>>> than a matter of 10 -15 minutes.  So obviously this tells me something
>>>>> is going on with SpamAssassin.
>>>>> I ran "spamassassin --lint -D" and I did not notice any problems with
>>>>> the output other than a dcc timeout.  Then again, spamassassin has
>>>>> always worked well for me so I may be missing something in the output
>>>>> because I have really never had to troubleshoot this kind of issue
>>>>> with spamassassin.  The recent changes I have made to try and combat
>>>>> the problem is to disable bayes and I turned off the auto expire for
>>>>> the bayes tokens just to make sure that wasn't slowing things down.
>>>>> I am running a local caching name server so I do not believe this to
>>>>> be a DNS timing issue.  I can provide my spamassassin --lint -D output
>>>>> if anyone is interested.
>>>>> Fedora Core 1
>>>>> SpamAssassin 3.1.0
>>>>> MailScanner 4.49.7
>>>>> sendmail 8.13.5
>>>>>
>>>>> Thanks,
>>>>> Derek
>>>>
>>>> What's your memory load look like? (ie: run the "free" command).
>>>>
>>>> Have you recently added any add-on rulesets?
>>>>
>>>> Do you have a whole pile of bayes_toks files suffixed with a process ID
>>>> and "expire" laying around in your bayes directory?
>>>
>>> Here are the results of the "free" command with spamassassin running:
>>>
>>>              total       used       free     shared    buffers     cached
>>> Mem:       2068504    2041572      26932          0     242712      60556
>>> -/+ buffers/cache:    1738304     330200
>>> Swap:      1831912      58544    1773368
>>>
>>> Results of "free" command without spamassassin running:
>>>
>>> free
>>>              total       used       free     shared    buffers     cached
>>> Mem:       2068504    1712204     356300          0     244080      73944
>>> -/+ buffers/cache:    1394180     674324
>>> Swap:      1831912       7172    1824740
>>
>> Subtract at least 1 from the number of children you allow for
>> spamassassin if you can. (I don't know how mailscanner works.)
>> Going into swap with SpamAssassin is pure poison.
>
> I'd have to agree.. either that or move SA, or some other part of that
> box's load off somewhere else.
>
>  I'd generally consider the numbers you're posting for the box without
> SA as running as being a "healthy but fully loaded" server.

Thanks for the suggestions.  I will try reducing the number of 
children.  The issue that was caused yesterday was due to dcc timeouts.  
I disabled the dcc checks and mail was routing in a timely manner, the 
backup went away.  This morning I'm stuck with the same thing again, but 
now pyzor and dcc are timing out.  These inconsistencies are really 
nerve racking.  I have had this system running for a couple of years now 
and have not run into these problems and all of a sudden within the last 
week this occurs. 

I have checked with my WAN group and no firewall rules have been 
changed.  They are allowing the ports for pyzor, razor, and dcc (as well 
as DNS and SMTP) so I'm at a loss.  If you folks experience timeout 
issues with dcc or pyzor does it cause a backup with your mail or am I 
the only one (I don't think I would be)?


Thanks,
Derek



Bypassing e-mails with spamlovers

2006-10-10 Thread Labusch, Christian (regio iT)








Hi list,

I want to bypass mails, so Amavis takes no effect by receive e-mail from a
special domain. In the file amavis.conf, I take the option

read_hash(\%spam_lovers, '/var/lib/amavis/spamlovers');

/var/lib/amavis/spamlovers:

-> [EMAIL PROTECTED] (one address per line)

But this does not work. It's curious, I use this same option for the
whitelist and blacklist and this works fine.

Here my Facts:

Debian 3.1 (2.6.8-3), Amavisd-new 20030616p10-5, spamassassin 3.1.4.

Has everyone an idea, what is the problem?

Thanks

Chris








Image Spam Detection

2006-10-10 Thread Marc Perkel
I notice that a lot of image spam has a structure where in the source 
the fake text is at the top and the image code is at the bottom but it 
is made to appear so that the image is at the top and the text is at the 
bottom. Seems to me that this should be something we could test for?




ANNOUNCE: Apache SpamAssassin 3.1.7 available!

2006-10-10 Thread Justin Mason
Apache SpamAssassin 3.1.7 is now available!  This is a maintenance
release of the 3.1.x branch.

Downloads will be available from:
   http://spamassassin.apache.org/downloads.cgi?update=200610100328

Note that it may take an hour or two for mirrors to update.
The release files will also be available via CPAN in the near future.

md5sum of archive files:
  77242e45baa7e2b418e4d3f22a86a69e  Mail-SpamAssassin-3.1.7.tar.bz2
  4b342c63949d47f3ce56b3fc1c8881c1  Mail-SpamAssassin-3.1.7.tar.gz
  b62794d50e0921dbb9f5211a65e4dc0e  Mail-SpamAssassin-3.1.7.zip

sha1sum of archive files:
  6660dd3aa87f4ddd3ba9b19cf232dd006c6e8219  Mail-SpamAssassin-3.1.7.tar.bz2
  3d31eff0eb9a158fab308958d65cdca81b8944bc  Mail-SpamAssassin-3.1.7.tar.gz
  7a882fcf4e253c9c020278f126b783ab41fe31d5  Mail-SpamAssassin-3.1.7.zip


The release files also have a .asc accompanying them.  The file serves
as an external GPG signature for the given release file.  The signing
key is available via the wwwkeys.pgp.net key server, as well as
http://spamassassin.apache.org/released/GPG-SIGNING-KEY

The key information is:

pub  1024D/265FA05B 2003-06-09 SpamAssassin Signing Key <[EMAIL PROTECTED]>
  Key fingerprint = 26C9 00A4 6DD4 0CD5 AD24  F6D7 DEE0 1987 265F A05B

3.1.7 is a "quick-fix" release; it contains only a fix for one bug,
introduced accidentally in 3.1.6:

- bug 5119: if admins had set rule scores in the site configuration in
  /etc, sa-update would fail.  Back out this change
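
An added example, not part of the announcement or the project's tooling: parsing the md5sum/sha1sum lines above and checking a downloaded archive against them. The function names are assumptions; the digests only catch a corrupted or swapped download when the announcement itself is trusted, and the detached .asc signature is the check that ties a file to the signing key.

```python
import hashlib
import hmac
import os
import re

# Digest lines copied from the announcement above.
ANNOUNCEMENT = """\
md5sum of archive files:
  77242e45baa7e2b418e4d3f22a86a69e  Mail-SpamAssassin-3.1.7.tar.bz2
  4b342c63949d47f3ce56b3fc1c8881c1  Mail-SpamAssassin-3.1.7.tar.gz
  b62794d50e0921dbb9f5211a65e4dc0e  Mail-SpamAssassin-3.1.7.zip

sha1sum of archive files:
  6660dd3aa87f4ddd3ba9b19cf232dd006c6e8219  Mail-SpamAssassin-3.1.7.tar.bz2
  3d31eff0eb9a158fab308958d65cdca81b8944bc  Mail-SpamAssassin-3.1.7.tar.gz
  7a882fcf4e253c9c020278f126b783ab41fe31d5  Mail-SpamAssassin-3.1.7.zip
"""

_LINE = re.compile(r"^\s*([0-9a-f]{32}|[0-9a-f]{40})\s+(\S+)\s*$")
_ALGO_BY_LEN = {32: "md5", 40: "sha1"}

def parse_manifest(text):
    """Map filename -> {algorithm: hex digest} from md5sum/sha1sum style lines."""
    manifest = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            digest, name = m.groups()
            manifest.setdefault(name, {})[_ALGO_BY_LEN[len(digest)]] = digest
    return manifest

def verify_archive(path, manifest):
    """True only if the file is listed and every published digest matches."""
    expected = manifest.get(os.path.basename(path))
    if not expected:
        return False                      # unlisted file name: fail closed
    hashers = {algo: hashlib.new(algo) for algo in expected}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return all(hmac.compare_digest(hashers[a].hexdigest(), expected[a])
               for a in expected)

if __name__ == "__main__":
    import sys
    published = parse_manifest(ANNOUNCEMENT)
    for archive in sys.argv[1:]:
        print(archive, "OK" if verify_archive(archive, published) else "MISMATCH")
```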




blacklist_to does not work?

2006-10-10 Thread Komandur N Kannan

Hello,

We use MDaemon mail server with SA. I wanted to block certain 
recipient addresses from receiving email. So I added this 
address as "blacklist_to" in local.cf file. However this does not 
seem to have any effect. Alt-n advised me to use this forum which 
should hopefully provide a solution.


Any assistance would be much appreciated.

Thank you
Kannan


***
K N Kannan
Manager - IT & Communications
Seven Seas Shipchandlers/Group
P O Box 5592
Dubai
United Arab Emirates
Ph : +971 4 8033 300, Fax +971 4 8033 309
Mobile: +971 50 4551920
URL : http://www.sevenseasgroup.com/
***





Re: Mail server performance problems. Possible SA slow down?

2006-10-10 Thread Ramprasad
On Mon, 2006-10-09 at 11:43 -0400, Rob McEwen (PowerView Systems) wrote:
> > The last few weeks I have noted (angry users calling me by phone) that
> > the server is really slow.
> 
> Don't know for sure, but I suspect slower than usual Razor and/or DCC servers?
> 
> --Rob McEwen
> 

I second that. Razor had been killing our servers too last 4-5 days.
With no razor checks things are much better now.

I want really to run a local pyzord now 

Thanks
Ram



bayes corruption: 'no such file or directory'

2006-10-10 Thread tomvo
Hi,

Since upgrading our mail relay to solaris 10 and all the latest greatest 
spamassassin / mimedefang / sendmail versions, I'm faced with curious 
bayes db corruption happening after approx. 1 day:

i've got these parameters set: in sa-mimedefang.cf:

use_bayes 1
bayes_auto_learn 1
bayes_path /var/spool/MIMEDefang-bayes/bayes
bayes_file_mode 0666
#auto_learn_threshold_nonspam 0.1
#auto_learn_threshold_spam 6
bayes_auto_expire 1
bayes_expiry_max_db_size 10
#bayes_journal_min_size 10240
#bayes_journal_max 512
bayes_learn_to_journal 1
bayes_min_ham_num 100
bayes_min_spam_num 100
lock_method flock (I tried with commenting it out, same problem)

These never gave us problems on solaris9 / same setup (mimedefang / 
sendmail /spamassassin)


the sort of errors I am seeing are:


Oct  9 19:29:37 mx1 mimedefang-multiplexor[2101]: [ID 980602 mail.info] Slave 24 stderr: locker: safe_lock: unlink of temp lock /var/spool/MIMEDefang-bayes/bayes.lock.mx1.vxxa.be.2101 failed: No such file or directory
Oct  9 19:29:37 mx1 mimedefang-multiplexor[2101]: [ID 980602 mail.info] Slave 24 stderr: bayes: cannot open bayes databases /var/spool/MIMEDefang-bayes/bayes_* R/W: lock failed: No such file or directory
Oct  9 19:29:37 mx1 mimedefang-multiplexor[2101]: [ID 980602 mail.info] Slave 25 stderr: Use of uninitialized value in numeric gt (>) at /usr/perl5/site_perl/5.8.4/Mail/SpamAssassin/Locker/UnixNFSSafe.pm line 95.
Oct  9 20:46:30 mx1 mimedefang-multiplexor[2101]: [ID 980602 mail.info] Slave 23 stderr: locker: safe_lock: unlink of temp lock /var/spool/MIMEDefang-bayes/bayes.lock.mx1.vxxa.be.2101 failed: No such file or directory
Oct  9 20:46:30 mx1 mimedefang-multiplexor[2101]: [ID 980602 mail.info] Slave 23 stderr: bayes: failed rename /var/spool/MIMEDefang-bayes/bayes_journal to /var/spool/MIMEDefang-bayes/bayes_journal.old

etc.

right now, the only errors i am seeing are:

Oct 10 09:37:38 mx1 mimedefang-multiplexor[2101]: [ID 980602 mail.info] Slave 5 stderr: bayes: cannot open bayes databases /var/spool/MIMEDefang-bayes/bayes_* R/O: tie failed: No such file or directory
Oct 10 09:37:38 mx1 mimedefang-multiplexor[2101]: [ID 980602 mail.info] Slave 8 stderr: bayes: cannot open bayes databases /var/spool/MIMEDefang-bayes/bayes_* R/W: tie failed: No such file or directory

This is the contents of the bayes directory:

-bash-3.00# ls -la /var/spool/MIMEDefang-bayes/
total 37588
drwxr-xr-x   2 defang   defang   512 Oct 10 09:38 .
drwxr-xr-x  15 root bin  512 Sep 19 07:55 ..
-rw-rw-rw-   1 defang   defang114608 Oct 10 04:56 bayes_journal
-rw-rw-rw-   1 defang   defang   2613248 Oct 10 05:08 bayes_seen
-rw-rw-rw-   1 defang   defang   20946944 Oct 10 09:38 bayes_toks


Does anyone use an sql backend instead of the Berkeley flat file db ? Is it 
faster / slower ?
thanks for your input, I'd really appreciate it because no bayes is bad, 
lots of spam gets through...


tom.



How do I use size of mail in a ruleset

2006-10-10 Thread Ramprasad
I want to use size of mail in a custom ruleset.
Can I get this as any parameter. Can someone please give me an example 



Thanks
Ram




RE: Need help with several things in SA

2006-10-10 Thread Fabien GARZIANO
 
Thanks Matt for this long explanation. I agree with the fact that you
should avoid raising rules score or think twice before doing it. A lot
of trouble may appear with a rule with a too high score. I got in trouble
at the beginning with that. I raised some scores very high (more than
20), and I got AWL (see
http://wiki.apache.org/spamassassin/AutoWhitelist) running. When I
realized I made a mistake with those scores, I lowered them down. But AWL
kept on scoring high, logically ... 

Now I think the only score rules I change are RBL, URIBL etc. And I
check my bayes scoring regularly ... 

By the way, anyone knows where I can find an explanation for each rule
of the default sa ruleset ? I know, most of the time, the title or desc
are explicit, but sometimes not. I've searched (maybe not enough) the Wiki
but didn't find ... 

thanks


> -----Original Message-----
> 2) finding and testing some of the add-on rulesets to expand 
> the diversity of rules in your SA set.  Generally speaking, 
> you'll get fewer FPs from 2 rules that score 2.5 each on a 
> particular spam than you will from 1 rule scoring 5.0.
> 
> 
>