any real downside to setting maxsize to 600Kbytes?

2006-10-16 Thread Jason Haar
I'm getting a small continual number of Asian spam coming in with
message sizes in the 400-500Kbyte range.

Obviously the default 250K size in spamc is too small and these drop
through the defenses.

Upping it to 600K typically pushes these spam into the 10+ score range,
but I'm concerned what impact that will have on our servers if I
defaulted to that. Is there a "rule of thumb" as to how much more
memory/resource such a change would make to a total system?

e.g. if it only means each spamd process took another 1Meg RAM each, I
would be quite happy. If it means sometimes they will swallow 100M extra
RAM - then it probably isn't worth the hassle.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: any real downside to setting maxsize to 600Kbytes?

2006-10-16 Thread Nigel Frankcom
On Mon, 16 Oct 2006 20:13:53 +1300, Jason Haar
<[EMAIL PROTECTED]> wrote:

>I'm getting a small continual number of Asian spam coming in with
>message sizes in the 400-500Kbyte range.
>
>Obviously the default 250K size in spamc is too small and these drop
>through the defenses.
>
>Upping it to 600K typically pushes these spam into the 10+ score range,
>but I'm concerned what impact that will have on our servers if I
>defaulted to that. Is there a "rule of thumb" as to how much more
>memory/resource such a change would make to a total system?
>
>e.g. if it only means each spamd process took another 1Meg RAM each, I
>would be quite happy. If it mean sometimes they will swallow 100M extra
>RAM - then it probably isn't worth the hassle.


A lot will depend on the amount of mail you are processing. I've had
my Max size increased for quite a while now and have noted no adverse
effects. Mail numbers here are typically 3k+ a day so not a huge
amount.

The SA server runs on CentOS 64 with a 1.7 Athlon and 1 GB ram.

HTH

Nigel


Spamd not killing children

2006-10-16 Thread Chris Lear
Subject sounds unpleasantly like incitement to filicide, for which I
apologise.

The problem I'm having is that spamd doesn't seem to be able to clean up
unwanted idle child processes.

Here's the logfile evidence:

Oct 16 00:12:59 marvin spamd[6351]: prefork: child states: III
Oct 16 00:13:09 marvin spamd[18043]: spamd: connection from localhost
[127.0.0.1] at port 35720
Oct 16 00:13:09 marvin spamd[18043]: spamd: setuid to spamd succeeded
Oct 16 00:13:09 marvin spamd[18043]: spamd: checking message
<[EMAIL PROTECTED]> for spamd:210
Oct 16 00:13:12 marvin spamd[25627]: spamd: connection from localhost
[127.0.0.1] at port 35722
Oct 16 00:13:12 marvin spamd[25627]: spamd: setuid to spamd succeeded
Oct 16 00:13:12 marvin spamd[25627]: spamd: checking message
<[EMAIL PROTECTED]> for spamd:210
Oct 16 00:13:14 marvin spamd[18043]: spamd: identified spam (29.7/5.0)
for spamd:210 in 5.3 seconds, 1545 bytes.
Oct 16 00:13:14 marvin spamd[18043]: spamd: result: Y 29 -
BAYES_99,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
scantime=5.3,size=1545,user=spamd,uid=210,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=35720,mid=<[EMAIL PROTECTED]>,bayes=0.891,autolearn=spam
Oct 16 00:13:15 marvin spamd[6351]: prefork: child states: IBK
-^
[...] Time passes, and spamd continues to work [...]

Oct 16 10:18:00 marvin spamd[6351]: prefork: child states: IIKK
-^^

spamd seems to be trying to kill child processes to get the number of
threads down to 2. But for some (apparently unreported) reason the
threads don't die, and the server is slowly collecting children marked
as "K".

I recently upgraded spamassassin to 3.1.5, and I also installed
FuzzyOcr, which I suspect might be part of the problem.

Can anyone tell me a) what logs to look in to work out why this has
happened? (I've looked in the FuzzyOcr log, which does show some errors
and timeouts, but apparently none at relevant times), b) whether there's
anything I can do about it (I'll start by disabling FuzzyOcr, but I'd
like to use it), or c) whether there's a spamassassin bug?

I looked at the code in SpamdForkScaling.pm, and I see that there are 2
places where child processes are killed. In one place (sub
child_error_kill, line 134), there is a warn line if the kill fails. In
the other (sub need_to_del_server, line 732) there isn't.

Chris
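The "prefork: child states" lines are the only visible symptom here, so a practical first check is to watch them over time. The following is an added example, not code from the thread or from SpamAssassin: it parses spamd's prefork status lines out of syslog and flags when children stuck in state K accumulate instead of exiting. The sample log lines are constructed after the ones posted above, and the K threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines in the post above (not a real log).
# I = idle, B = busy, K = killed but not yet exited, as shown in the posted log.
SAMPLE_LOG = [
    "Oct 16 00:12:59 marvin spamd[6351]: prefork: child states: III",
    "Oct 16 00:13:09 marvin spamd[18043]: spamd: connection from localhost [127.0.0.1] at port 35720",
    "Oct 16 00:13:15 marvin spamd[6351]: prefork: child states: IBK",
    "Oct 16 04:30:01 marvin spamd[6351]: prefork: child states: IIK",
    "Oct 16 10:18:00 marvin spamd[6351]: prefork: child states: IIKK",
]

# Matches only the prefork status lines written by the spamd master process.
CHILD_STATES_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ spamd\[(?P<pid>\d+)\]: "
    r"prefork: child states: (?P<states>[A-Z]+)$"
)


def parse_child_states(lines):
    """Yield (timestamp, master pid, states string) for each prefork status line.
    Other spamd lines (connections, results) are skipped."""
    for line in lines:
        m = CHILD_STATES_RE.match(line.strip())
        if m:
            yield m.group("ts"), int(m.group("pid")), m.group("states")


def find_stuck_kills(lines, max_k=1):
    """Return (timestamp, k_count, states) for every status line that reports
    more than max_k children in state K. A killed child should exit promptly,
    so several K entries at once, or a K count that only ever rises, means the
    kill is not taking effect (the symptom described in the post).
    max_k is an assumed threshold; tune it to the server's --max-children."""
    alerts = []
    for ts, _pid, states in parse_child_states(lines):
        k = Counter(states)["K"]
        if k > max_k:
            alerts.append((ts, k, states))
    return alerts


def k_count_is_growing(lines):
    """True when the K count never drops back across the window and ends higher
    than it started, i.e. killed children accumulate rather than exit."""
    ks = [Counter(states)["K"] for _ts, _pid, states in parse_child_states(lines)]
    if len(ks) < 2:
        return False
    return all(b >= a for a, b in zip(ks, ks[1:])) and ks[-1] > ks[0]


if __name__ == "__main__":
    for ts, k, states in find_stuck_kills(SAMPLE_LOG):
        print(f"{ts}: {k} children stuck in K (states={states})")
    print("K count growing:", k_count_is_growing(SAMPLE_LOG))
```

Pointing the script at the real syslog (e.g. piping `grep 'prefork: child states' /var/log/maillog` into it) gives the timeline of when K children first appeared, which can then be lined up with the FuzzyOcr log.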


Re: different BAYES_ value for same mail

2006-10-16 Thread martin
Bowie Bailey  BUC.com> writes:

> martin wrote:
> > Bowie Bailey  BUC.com> writes:
>
> They trained on similar email, but not quite the same.  There must
> have been something that caused them to go in different directions.
> Maybe you installed some extra rules on one of them.  Regardless, the
> databases are now different and at least one of them needs retraining.
> Alternately, you could always just copy over the database from the
> other server.  Then both systems would be identical.
> 
> BAYES_99 means that Bayes considers this mail 99% likely to be spam.
> 
The config file for both SpamAssassin installations is the same, no extra rule added.
Maybe it's better to re-train the missed one.
Thanks for helping.


spamd and /root/.spamassassin: Permission denied

2006-10-16 Thread nik600

Hi,

I am running spamd with the following command:

spamd -D -q -H /tmp/

and then spamc with:

spamc -u [EMAIL PROTECTED] < mailfile

spamd retrieves the required_hits information for [EMAIL PROTECTED] from a
MySQL database, and all works fine.

The problem is that I read this error in the logs:

[5399] error: locker: safe_lock: cannot create tmp lockfile
/root/.spamassassin/auto-whitelist.lock.hostname.it.5399 for
/root/.spamassassin/auto-whitelist.lock: Permission denied
[5399] warn: auto-whitelist: open of auto-whitelist file failed:
locker: safe_lock: cannot create tmp lockfile
/root/.spamassassin/auto-whitelist.lock.hostname..it.5399 for
/root/.spamassassin/auto-whitelist.lock: Permission denied

spamd is running as root (is that correct?)

How can I tell spamd to use the tmp directory instead of root's home?

thanks


False positive with FUZZY_PLEASE on this e-mail

2006-10-16 Thread Michael Monnerie
Hi, I've got a FP on this e-mail: it triggered FUZZY_PLEASE, but it's
written in German, so there should really be no PLEASE in it. Maybe the
rule could be enhanced?

Regards, zmi

--  Forwarded message from [EMAIL PROTECTED]:  --

Subject: The netbanking Wertpapierservice from 27.11.2006
Date: Friday, 13 October 2006 15:21

Dear nettrading customer,

Today we are also informing you by e-mail about an important change:

From 25.11.2006 the functions of www.nettrading.at will no longer be
 offered.

From 27.11.2006 you will find your securities account and all nettrading
 functions in netbanking under "Wertpapierservice". This makes online
 securities trading at Erste Bank and Sparkasse even more
 convenient.

How to activate the new Wertpapierservice:
- From 27.11.2006, log in at www.sparkasse.at/netbanking with your
 user number (Verfügernummer) and your netbanking password
- Open your securities account
- Select the new "Wertpapierservice"
- Follow the instructions and confirm with TAC or TAN

Do you need help with the activation?
Our netbanking helpdesk specialists will be glad to assist you:
E-Mail: [EMAIL PROTECTED]
Tel. 05 0100 - 50200
Fax 05 0100 9 - 50200

Kind regards
Your nettrading team

---

-- 
// Michael Monnerie, Ing.BSc  -  http://it-management.at
// Tel: 0676/846914666  .network.your.ideas.
// PGP Key:"curl -s http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




Re: Any suggestions for 'postmaster' spams?

2006-10-16 Thread Justin Mason

Brian S. Meehan writes:
> It appears that my email address is now being used as a from address in
> many spam emails to many addresses. Over the past week, I have gotten 150+
> "postmaster: mail delivery failure" -each day-.
> 
> Does anyone have suggestions on how to handle this? They're all
> semi-standard 'delivery failure' or 'content blocked' notices, so I
> created filtering rules based on the subjectline to put them all into a
> folder. I don't think they should be marked as spam though because they're
> not.

Here's what I've been using:
http://wiki.apache.org/spamassassin/VBounceRuleset

Please let us know if it works OK for you -- there have been reports
of installation problems with 3.1.x.

--j.


Re: False positive with FUZZY_PLEASE on this e-mail

2006-10-16 Thread Magnus Holmgren
On Monday 16 October 2006 12:36, Michael Monnerie took the opportunity to say:
> Hi, I've got a FP on this e-mail: it triggered FUZZY_PLEASE, but it's
> written in German, so there should really be no PLEASE in it. Maybe the
> rule could be enhanced?
>
> Regards, zmi
>
> --  Forwarded message from [EMAIL PROTECTED]:  --
>
> Subject: The netbanking Wertpapierservice from 27.11.2006
> Date: Friday, 13 October 2006 15:21

It's triggering on "pierse". Apparently somebody thinks an "r" looks like 
an "a" (or, probably more correctly, found that many spammers make that 
substitution). Besides, why would anyone want to obfuscate the word "please" 
anyway? Except in certain phrases, maybe.

Perhaps some general rules should be made specific to English mail?

-- 
Magnus Holmgren  [EMAIL PROTECTED]
  (No Cc of list mail needed, thanks)


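Magnus's reading (the rule accepts r in place of a and matches inside a longer word) can be checked with a small reconstruction. This is an added example, not the actual FUZZY_PLEASE rule or any SpamAssassin code: the look-alike table is hypothetical, and the inputs are constructed from the forwarded mail. It also shows the cheapest hardening, requiring word boundaries, which removes the German hit while still catching stand-alone obfuscated spellings.

```python
import re

# Hypothetical look-alike table for an obfuscation-tolerant "please" rule.
# It is a reconstruction for illustration, not the real FUZZY_PLEASE regex
# (which the thread does not show). The r-for-a entry is the substitution
# Magnus infers from the false positive above.
LOOKALIKES = {
    "p": "p",
    "l": "l1|!i",
    "e": "e3",
    "a": "a@4r",
    "s": "s5$z",
}


def fuzzy_word_pattern(word, anchored):
    """Build a case-insensitive regex that accepts each letter of `word` or one
    of its look-alikes. With anchored=True the match must be a whole word."""
    classes = "".join("[" + re.escape(LOOKALIKES.get(c, c)) + "]" for c in word)
    if anchored:
        classes = r"\b" + classes + r"\b"
    return re.compile(classes, re.IGNORECASE)


# Loose form: fires anywhere, including inside a longer unrelated word.
FUZZY_PLEASE_LOOSE = fuzzy_word_pattern("please", anchored=False)
# Hardened form: whole words only, so substrings of German words no longer
# fire while an obfuscated stand-alone "please" still does.
FUZZY_PLEASE_STRICT = fuzzy_word_pattern("please", anchored=True)


def fuzzy_hits(pattern, text):
    """Return every substring of text that the pattern fires on."""
    return [m.group(0) for m in pattern.finditer(text)]


# Constructed inputs: the German word from the forwarded mail and two
# obfuscated English spellings of "please".
GERMAN_TEXT = 'Ihr Wertpapierdepot finden Sie im netbanking unter "Wertpapierservice".'
OBFUSCATED_EN = "PIease call me, p1e@s3 reply today"

if __name__ == "__main__":
    print("loose,  German :", fuzzy_hits(FUZZY_PLEASE_LOOSE, GERMAN_TEXT))
    print("strict, German :", fuzzy_hits(FUZZY_PLEASE_STRICT, GERMAN_TEXT))
    print("strict, English:", fuzzy_hits(FUZZY_PLEASE_STRICT, OBFUSCATED_EN))
```

Word boundaries are only the first step; Magnus's other suggestion, scoring such rules only on mail detected as English, would have to be layered on top.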


Re: senders domain has MX or not?

2006-10-16 Thread Benny Pedersen

On Sun, October 15, 2006 23:33, mouss wrote:

> - you may also use the bougusmx list at rfc-ignorant, but this catches
> some legitimate (misconfigured) sites. so think twice before using it to
> reject at MTA level.

The misconfigured sites may see the problem in logs?

If I know a domain that is configured badly I would tell them to fix it so the
bogusmx can be removed.

No?

-- 
"This message was sent using 100% recycled spam mails."



ALL_TRUSTED creating a problem

2006-10-16 Thread Suhas (QualiSpace)

Hello,

Most of the spam emails are getting through due to ALL_TRUSTED.
If ALL_TRUSTED (which is reducing the score) was not there then they might have
been caught by SA. What can be the solution on this; I haven't declared any
trusted networks yet and am using the default setting. I am using SA 3.0.1.

Would appreciate your feedback...

Warm Regards,

Suhas

System Administrator

QualiSpace - A
QuantumPages Enterprise

===

Tel India:
+91 (22) 6792 - 1480

Tel US:
+1 (614) 827 - 1224

Fax India:
+91 (22) 2530 - 3166

URL: http://www.qualispace.com


===

For Any Technical Query Please Use: http://helpdesk.qualispace.com

QualiSpace Community Discussion forum: http://forum.qualispace.com


Re: ALL_TRUSTED creating a problem

2006-10-16 Thread Martin Hepworth

Suhas (QualiSpace) wrote:

> Hello,
>
> Most of the spam emails are getting through due to ALL_TRUSTED. If
> ALL_TRUSTED (which is reducing the score) was not there then they might have
> been caught by SA. What can be the solution on this; I haven't declared any
> trusted networks yet and am using the default setting. I am using SA 3.0.1.
>
> Would appreciate your feedback...
>
> Warm Regards,
>
> Suhas
>
> System Administrator
>
> *QualiSpace* - A QuantumPages Enterprise
>
> ===
>
> Tel India: +91 (22) 6792 - 1480
> Tel US: +1 (614) 827 - 1224
> Fax India: +91 (22) 2530 - 3166
> URL: http://www.qualispace.com
>
> ===
>
> For Any Technical Query Please Use: http://helpdesk.qualispace.com
> QualiSpace Community Discussion forum: http://forum.qualispace.com

You have to set the trusted_networks etc in order to get this working
properly


--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.   

**



Re: ALL_TRUSTED creating a problem

2006-10-16 Thread Magnus Holmgren
On Monday 16 October 2006 13:32, Suhas (QualiSpace) took the opportunity to 
say:
> Most of the spam emails are getting through due to ALL_TRUSTED. If
> ALL_TRUSTED (is reducing the score) was not there then they might have
> caught by SA. What can be the solution on this; I haven't declared any
> trusted networks yet and using the default setting. I am using SA 3.0.1.

A list search for ALL_TRUSTED would have given you tons of hits. You could 
also have gone to the FAQ page and from there to the FixingErrors wiki page, 
where you'd find a reference to ALL_TRUSTED.

So see http://wiki.apache.org/spamassassin/FixingAllTrusted and 
http://wiki.apache.org/spamassassin/TrustPath.

-- 
Magnus Holmgren  [EMAIL PROTECTED]
  (No Cc of list mail needed, thanks)




RE: ALL_TRUSTED creating a problem

2006-10-16 Thread Suhas (QualiSpace)
Thanks everybody. 

I will fix it and see the results.


Warm Regards,
Suhas
System Admin
QualiSpace - A QuantumPages Enterprise
===
Tel India: +91 (22) 6792 - 1480
Tel US: +1 (614) 827 - 1224
Fax India: +91 (22) 2530 - 3166
URL: http://www.qualispace.com 
===
For Any Technical Query Please Use: http://helpdesk.qualispace.com 
QualiSpace Community Discussion forum: http://forum.qualispace.com

-Original Message-
From: Magnus Holmgren [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 16, 2006 5:15 PM
To: users@spamassassin.apache.org
Subject: Re: ALL_TRUSTED creating a problem

On Monday 16 October 2006 13:32, Suhas (QualiSpace) took the opportunity to 
say:
> Most of the spam emails are getting through due to ALL_TRUSTED. If
> ALL_TRUSTED (is reducing the score) was not there then they might have
> caught by SA. What can be the solution on this; I haven't declared any
> trusted networks yet and using the default setting. I am using SA 3.0.1.

A list search for ALL_TRUSTED would have given you tons of hits. You could 
also have gone to the FAQ page and from there to the FixingErrors wiki page,

where you'd find a reference to ALL_TRUSTED.

So see http://wiki.apache.org/spamassassin/FixingAllTrusted and 
http://wiki.apache.org/spamassassin/TrustPath.

-- 
Magnus Holmgren  [EMAIL PROTECTED]
  (No Cc of list mail needed, thanks)




How to disable autolearn for FuzzyOcr?

2006-10-16 Thread Frank Bures
My apologies if this question has already been discussed here.  I have a 
feeling it was but I could not find anything in archives.
Question:
Is there a way to disable autolearn if the spam triggers FUZZY_OCR?
These spams usually contain lots of legitimately looking text and I worry 
about the possibility of Bayes poisoning.

Thanks


Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
[EMAIL PROTECTED]
http://www.chem.utoronto.ca
PGP public key: http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures




R: How to disable autolearn for FuzzyOcr?

2006-10-16 Thread Giampaolo Tomassoni
> My apologies if this question has already been discussed here.  I have a 
> feeling it was but I could not find anything in archives.
> Question:
> Is there a way to disable autolearn if the spam triggers FUZZY_OCR?
> These spams usually contain lots of legitimately looking text and I worry 
> about the possibility of Bayes poisoning.

As far as I know, FuzzyOcr doesn't use bayes: it relies on its own database to 
store image hashes.

Giampaolo


> 
> Thanks
> 
> 
> Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
> [EMAIL PROTECTED]
> http://www.chem.utoronto.ca
> PGP public key: 
> http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures



Re: senders domain has MX or not?

2006-10-16 Thread hamann . w
> On Sun, October 15, 2006 23:33, mouss wrote:
>
> > - you may also use the bougusmx list at rfc-ignorant, but this catches
> > some legitimate (misconfigured) sites. so think twice before using it to
> > reject at MTA level.
>
> The misconfigured sites may see the problem in logs?
>
> If I know a domain that is configured badly I would tell them to fix it so the
> bogusmx can be removed.
>
> No?

I had at least two domains recently that were misconfigured in a way that nobody
could ever send them mail. I finally mailed their dns provider :)

Wolfgang Hamann


Upgrading SpamAssassin

2006-10-16 Thread Rod

Hello,

I'm currently using SpamAssassin 3.0.2 and would like to upgrade to 
version 3.1.7. I would like to backup the currently installed version 
but I don't know where all of the files are stored. I would appreciate 
any input as to what files/directories to backup as well as any other 
advice.


I should note that the output of my spamassassin --version command is 
the following:


[EMAIL PROTECTED] spamassassin]# spamassassin --version
SpamAssassin version 3.0.2
 running on Perl version


Thanks for any help,
Rod

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Error WARNING!! Error in process_request eval block: /usr/sbin/spampd: write error acknowledging QUIT: Broken pipe

2006-10-16 Thread Richmond Dyes
I am running postfix on my emailserver with Vams antivirus.  I have put 
spamassassin on another pc and using spampd as my proxy, I am relaying 
email from postfix and vams to the spampd proxy back to the email 
server.  I keep getting the error below.  it doesn't seem to be 
affecting my email.
WARNING!! Error in process_request eval block: /usr/sbin/spampd: write 
error acknowledging QUIT: Broken pipe


From the Vams side I get the error.

The error is: max retry has exceeded

Action: failed

Mail details:

Any ideas?





Re: Upgrading SpamAssassin

2006-10-16 Thread Matthias Haegele

Rod wrote:

> Hello,
>
> I'm currently using SpamAssassin 3.0.2 and would like to upgrade to
> version 3.1.7. I would like to backup the currently installed version
> but I don't know where all of the files are stored. I would appreciate
> any input as to what files/directories to backup as well as any other
> advice.
>
> I should note that the output of my spamassassin --version command is
> the following:
>
> [EMAIL PROTECTED] spamassassin]# spamassassin --version
> SpamAssassin version 3.0.2
>  running on Perl version

Which os/distro?

perhaps you want to read, the config-dirs should be mentioned there:
/usr/share/doc/spamassassin
man spamassassin

some directories are:

/etc/mail/spamassassin/
/etc/spamassassin/
/etc/default/spamassassin

...

> Thanks for any help,
> Rod

hth
MH (using Debian)



Re: Upgrading SpamAssassin

2006-10-16 Thread Matthias Haegele

Rod wrote:

> Hello,
>
> I'm currently using SpamAssassin 3.0.2 and would like to upgrade to
> version 3.1.7. I would like to backup the currently installed version
> but I don't know where all of the files are stored. I would appreciate
> any input as to what files/directories to backup as well as any other
> advice.
>
> [EMAIL PROTECTED] spamassassin]# spamassassin --version
> SpamAssassin version 3.0.2
>  running on Perl version

Perhaps you have to upgrade Perl too ...

perhaps this could help too:
http://spamassassin.apache.org/doc.html
http://svn.apache.org/repos/asf/spamassassin/branches/3.1/UPGRADE

> Thanks for any help,
> Rod

MH



Re: A problem with AWL

2006-10-16 Thread Matt Kettler
Chuck Payne wrote:
>
> Hi,

First, before I answer your question, some advice on posting:

If you want people to read your posts, don't use reply to create a new
thread. I overlooked your message before because it was buried in the
"RE: Any comments of the SpamHaus lawsuit?" thread, which I've been
ignoring. Even if you change the subject line, a good mail client will
read the "In-Reply-To" header and associate your message with the one
you replied to.

For example, see the list archives:
http://thread.gmane.org/gmane.mail.spam.spamassassin.general/88044/focus=88044

See your message buried under all that junk? That's how an email client
that supports threading displayed your message. I personally use a
threaded reader so I can quickly omit chains of conversation I'm not
interested in. You got overlooked on my first pass through the list.
>
> I got a problem with a lot spam coming thru and it looks like the main
> reason is that AWL is on every test and when that is no there it give
> the e-mail negative points. How can I turn of AWL?
> And if I turn it off will effect domain and users on my list that I
> have that are whitelisted?

It is NOT a problem for the AWL to give spam negative points, or nonspam
positive points. As long as the message is still correctly categorized,
this is perfectly normal.
Read: http://wiki.apache.org/spamassassin/AwlWrongWay


That said, if you want to disable the AWL, how you disable the AWL
depends on what version of SpamAssassin you run.  Assuming you are using
SA 3.1.x:
edit /etc/mail/spamassassin/v310.pre and comment out the following line:
 loadplugin Mail::SpamAssassin::Plugin::AWL



Re: Upgrading SpamAssassin

2006-10-16 Thread Rod



Matthias Haegele wrote:

> Rod wrote:
>
> > Hello,
> >
> > I'm currently using SpamAssassin 3.0.2 and would like to upgrade to
> > version 3.1.7. I would like to backup the currently installed version
> > but I don't know where all of the files are stored. I would
> > appreciate any input as to what files/directories to backup as well
> > as any other advice.
> >
> > I should note that the output of my spamassassin --version command is
> > the following:
> >
> > [EMAIL PROTECTED] spamassassin]# spamassassin --version
> > SpamAssassin version 3.0.2
> >  running on Perl version
>
> Which os/distro?

I'm running Red Hat 9 Linux

> perhaps you want to read, the config-dirs should be mentioned there:
> /usr/share/doc/spamassassin
> man spamassassin
>
> some directories are:
>
> /etc/mail/spamassassin/
> /etc/spamassassin/
> /etc/default/spamassassin/

I have /etc/mail/spamassassin and /usr/share/spamassassin that I know I
need to back up.

I see the binaries located in /usr/sbin/

/usr/sbin/spamassassin
/usr/sbin/spamc
/usr/sbin/spamd

Are there any other files or libraries that need to be backed up? I
would like to be able to restore the currently running version of
SpamAssassin in the event of problems with the latest release.

Thanks for your help,
Rod





No reporting methods available, -D 'hangs'?

2006-10-16 Thread Evan Platt

Ran spamassassin -r with a few pieces of spam, got the below output:

[21104] warn: reporter: SpamCop message older than 2 days, not reporting
[21104] warn: reporter: no reporting methods available, so couldn't report
[21104] warn: spamassassin: warning, unable to report message
[21104] warn: spamassassin: for more information, re-run with -D 
option to see debug output


Ran spamassassin -D, and it appears to 'hang',
# spamassassin -D
[22882] dbg: logger: adding facilities: all
[22882] dbg: logger: logging level is DBG
[22882] dbg: generic: SpamAssassin version 3.1.7
[22882] dbg: config: score set 0 chosen.
[22882] dbg: util: running in taint mode? yes
[22882] dbg: util: taint mode: deleting unsafe environment variables, 
resetting PATH

[22882] dbg: util: PATH included '/sw/bin', keeping
[22882] dbg: util: PATH included '/sw/sbin', keeping
[22882] dbg: util: PATH included '/usr/local/bin', keeping
[22882] dbg: util: PATH included '/opt/local/bin', keeping
[22882] dbg: util: PATH included '/usr/local/mysql/bin', keeping
[22882] dbg: util: PATH included '/usr/local/mysql', keeping
[22882] dbg: util: PATH included '/opt/local/bin', keeping
[22882] dbg: util: PATH included '/sw/share/phpmyadmin', which 
doesn't exist, dropping
[22882] dbg: util: PATH included '/usr/local/rrdtool-1.2.11/bin', 
which doesn't exist, dropping
[22882] dbg: util: PATH included '/sw/ImageMagick-6.2.4/bin', which 
doesn't exist, dropping

[22882] dbg: util: PATH included '/Library/Apache2/bin', keeping
[22882] dbg: util: PATH included '/bin/sbin', which doesn't exist, dropping
[22882] dbg: util: PATH included '/usr/bin', keeping
[22882] dbg: util: PATH included '/usr/sbin', keeping
[22882] dbg: util: PATH included '.', which is not absolute, dropping
[22882] dbg: util: PATH included '/bin', keeping
[22882] dbg: util: PATH included '/sbin', keeping
[22882] dbg: util: PATH included '/usr/bin', keeping
[22882] dbg: util: PATH included '/usr/sbin', keeping
[22882] dbg: util: PATH included '/usr/X11R6/bin', keeping
[22882] dbg: util: final PATH set to: 
/sw/bin:/sw/sbin:/usr/local/bin:/opt/local/bin:/usr/local/mysql/bin:/usr/local/mysql:/opt/local/bin:/Library/Apache2/bin:/usr/bin:/usr/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin

[22882] dbg: message:  MIME PARSER START 
[22882] dbg: message: main message type: text/plain
[22882] dbg: message: parsing normal part
[22882] dbg: message: added part, type: text/plain
[22882] dbg: message:  MIME PARSER END 
[22882] dbg: dns: is Net::DNS::Resolver available? yes
[22882] dbg: dns: Net::DNS version: 0.58


And it just stops. Hitting control c returns me to shell.

Any ideas?

Thanks.

Evan



RE: Any suggestions for 'postmaster' spams?

2006-10-16 Thread R Lists06
> 
> It appears that my email address is now being used as a from address in
> many spam emails to many addresses. Over the past week, I have gotten 150+
> "postmaster: mail delivery failure" -each day-.
> 
> Does anyone have suggestions on how to handle this? They're all
> semi-standard 'delivery failure' or 'content blocked' notices, so I
> created filtering rules based on the subjectline to put them all into a
> folder. I don't think they should be marked as spam though because they're
> not.
> 
> Thanks,
> Brian
> 

First suggestion, don't post to list with the email address you use for biz
or personal use.

Make another and use it for all lists. When you get spammed on it, change it
slightly, unsub the other and sub the new to all the lists you are on.

Also, if your MTA will accept an email to an email address that doesn't
exist, fix it so it doesn't.

Pry more yet escapes me now

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net







FuzzyOCR (and gocr) can't detect HGH spams

2006-10-16 Thread Peter H. Lemieux
I get a lot of messages with a gif ad for HGH drugs with this image: 
http://www.crystalmail.net/hgh.gif.  FuzzyOCR doesn't return anything 
because gocr doesn't show any text.  I've tried various -i settings for 
gocr from 1 to 254 and get gibberish at all settings.


For instance, 'gocr -i 180 hgh.gif' yields:

lI__c_tc)r _rc_hc_rihc_Ll _cnLl .h1c_Llic_;cll_ _u__c_c __ihc LI
 l c htc)hlc_rc)c_c_ B llr_ll l hc r_cp_


_ t4 __cc_'un ic) __'ri_c _ hH3s, t_k   _ ,r o_E,y _h K E,_
_ ,_ics r _ sncu)._r. t.ihk). lhirkrr x_))  '   gg __, r
_ Krvc)_H t)r r_irk cct .__ _
 O _' Y O ___ TE_ E
 _Lncl nLnn __ mc)R hnrtb

Results at other -i settings are about the same.

System is CentOS 4.3
gocr is at version 0.37 (from rpmforge)
netpbm is version 10.25

Any hints?

Peter


Re: No reporting methods available, -D 'hangs'?

2006-10-16 Thread Theo Van Dinter
On Mon, Oct 16, 2006 at 07:40:11AM -0700, Evan Platt wrote:
> [21104] warn: reporter: SpamCop message older than 2 days, not reporting
> [21104] warn: reporter: no reporting methods available, so couldn't report
> [21104] warn: spamassassin: warning, unable to report message
> [21104] warn: spamassassin: for more information, re-run with -D 
> option to see debug output

It says that, assuming there'll be more information available with -D.  In
this case, the fact that the mail is > 2d old is the information you need.

> Ran spamassassin -D, and it appears to 'hang',
> # spamassassin -D

Less of a hang, more of a "waiting for input".  :)

> Any ideas?

Give it some input?  In this case, since you're trying to get debug
information on a report run, add in -D to the report commandline...

-- 
Randomly Selected Tagline:
"See, that's the advantage of running OS/2 ...  Viruses don't support it."
  - Theo talking to Rob




Re: Error WARNING!! Error in process_request eval block: /usr/sbin/spampd: write error acknowledging QUIT: Broken pipe

2006-10-16 Thread Theo Van Dinter
On Mon, Oct 16, 2006 at 09:16:39AM -0400, Richmond Dyes wrote:
> spamassassin on another pc and using spampd as my proxy, I am relaying 
[...]
> Any ideas?

Since spampd is not part of SpamAssassin, I'd suggest asking on their
mailing list.

-- 
Randomly Selected Tagline:
What is the difference between a Turing machine and the modern computer?
 It's the same as that between Hillary's ascent of Everest and the
 establishment of a Hilton on its peak.




RE: Any suggestions for 'postmaster' spams?

2006-10-16 Thread Mark

> -Original Message-
> From: R Lists06 [mailto:[EMAIL PROTECTED] 
> Sent: Monday, 16 October 2006 16:54
> To: users@spamassassin.apache.org
> Subject: RE: Any suggestions for 'postmaster' spams?
> 
> 
> Does anyone have suggestions on how to handle this? They're all
> semi-standard 'delivery failure' or 'content blocked' notices, so I
> created filtering rules based on the subjectline to put them all into
> a folder. I don't think they should be marked as spam though because
> they're not.

You could use SRS to sign outgoing envelope-from addresses (like I do).
And then run SRS checks on the return. Guaranteed to stop ALL fake DSN
messages. No false positives, ever. If you're running sendmail, have a
look at:

http://www.srs-socketmap.info/

Signing envelope-from addresses, however you wind up doing it, is really
the best protection.

- Mark
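The rewrite-and-verify step Mark describes, as an added example that is not from the thread or from any SRS library: a simplified SRS0-style scheme in which the outgoing envelope sender is rewritten to carry a truncated HMAC and a day timestamp, and any bounce whose recipient does not verify is treated as a fake DSN. SRS_SECRET, SRS_DOMAIN and the day numbers are constructed demo values; the address layout follows the SRS0 format, but no byte-for-byte compatibility with libsrs2 is claimed.

```python
import base64
import hashlib
import hmac

# Constructed demo values. A real deployment uses a long random secret and
# the forwarding MTA's own domain.
SRS_SECRET = b"constructed-demo-secret"
SRS_DOMAIN = "mail.example.org"
HASH_LEN = 4          # SRS keeps only the first 4 base64 chars of the HMAC
MAX_AGE_DAYS = 21     # bounces older than this are not accepted
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _timestamp(day_number):
    """Two base32 chars encoding the day number modulo 1024, as SRS does."""
    t = day_number % 1024
    return BASE32[(t >> 5) & 31] + BASE32[t & 31]


def _decode_timestamp(ts):
    return (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])


def _hash(ts, domain, local):
    """Truncated HMAC over timestamp + original address, lower-cased."""
    data = (ts + domain + local).lower().encode()
    digest = hmac.new(SRS_SECRET, data, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:HASH_LEN]


def srs_forward(sender, day_number):
    """Rewrite user@domain into SRS0=HHHH=TT=domain=user@SRS_DOMAIN for the
    outgoing envelope sender (MAIL FROM), so any bounce comes back signed."""
    local, domain = sender.rsplit("@", 1)
    ts = _timestamp(day_number)
    return f"SRS0={_hash(ts, domain, local)}={ts}={domain}={local}@{SRS_DOMAIN}"


def srs_reverse(address, day_number):
    """Verify the recipient of an incoming bounce. Returns the original sender,
    or None when the address was never signed here (a fake DSN), the hash does
    not verify (tampered), or the timestamp is older than MAX_AGE_DAYS."""
    local, domain = address.rsplit("@", 1)
    if domain.lower() != SRS_DOMAIN or not local.startswith("SRS0="):
        return None
    parts = local.split("=", 4)
    if len(parts) != 5:
        return None
    _, h, ts, orig_domain, orig_local = parts
    if len(ts) != 2 or any(c not in BASE32 for c in ts):
        return None
    if not hmac.compare_digest(_hash(ts, orig_domain, orig_local), h):
        return None
    if (day_number - _decode_timestamp(ts)) % 1024 > MAX_AGE_DAYS:
        return None
    return f"{orig_local}@{orig_domain}"


if __name__ == "__main__":
    today = 13400                                   # constructed day number
    signed = srs_forward("brian@example.com", today)
    print("outgoing MAIL FROM:", signed)
    print("genuine bounce   :", srs_reverse(signed, today + 2))
    print("fake DSN         :", srs_reverse("brian@example.com", today + 2))
```

In practice the MTA rejects (or SpamAssassin scores) a null-sender message whose recipient srs_reverse() returns None for, which is what makes the forged bounces Brian is receiving separable from real ones.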



RE: How to disable autolearn for FuzzyOcr?

2006-10-16 Thread Chandler, Jay
-Original Message-
From: Giampaolo Tomassoni [mailto:[EMAIL PROTECTED]
Sent: Monday, October 16, 2006 5:26 AM
To: users@spamassassin.apache.org
Subject: R: How to disable autolearn for FuzzyOcr?

>> My apologies if this question has already been discussed here.  I have a
>> feeling it was but I could not find anything in archives.
>> Question:
>> Is there a way to disable autolearn if the spam triggers FUZZY_OCR?
>> These spams usually contain lots of legitimately looking text and I worry
>> about the possibility of Bayes poisoning.

> As far as I know, FuzzyOcr doesn't use bayes: it relies on its own
> database to store image hashes.

> Giampaolo


I think what the original poster was asking was how to make the
gibberish bodies not get Bayes scanned, so as to not pollute the
database with text that isn't spammy.

-- 
Jay Chandler
Network Administrator, Chapman University
714.628.7249 / [EMAIL PROTECTED]
Ethernet, n.  What one uses to catch the Etherbunny.



RE: How to disable autolearn for FuzzyOcr?

2006-10-16 Thread Frank Bures
On Mon, 16 Oct 2006 08:46:17 -0700, Chandler, Jay wrote:

> -Original Message-
> From: Giampaolo Tomassoni [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 16, 2006 5:26 AM
> To: users@spamassassin.apache.org
> Subject: R: How to disable autolearn for FuzzyOcr?
>
> >> My apologies if this question has already been discussed here.  I have a
> >> feeling it was but I could not find anything in archives.
> >> Question:
> >> Is there a way to disable autolearn if the spam triggers FUZZY_OCR?
> >> These spams usually contain lots of legitimately looking text and I worry
> >> about the possibility of Bayes poisoning.
>
> > As far as I know, FuzzyOcr doesn't use bayes: it relies on its own
> > database to store image hashes.
>
> > Giampaolo
>
> I think what the original poster was asking was how to make the
> gibberish bodies not get Bayes scanned, so as to not pollute the
> database with text that isn't spammy.


Exactly my point.


Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
[EMAIL PROTECTED]
http://www.chem.utoronto.ca
PGP public key: http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures




JD_ rule set?

2006-10-16 Thread benthere-nine



jdow wrote:
> 
> From: "Scott Friedman" <[EMAIL PROTECTED]>
> 
>> Has anyone figured a good recipe for blocking these type of spam yet?
>> 
>> I get 3-5 per day to each user on my mail server.
>> 
>> Thanks
>> 
>> 
>> 
>>  Original Message 
>> Subject: Re: Work has been closed permanently
>> Date: Sun, 15 Oct 2006 21:28:50 +0600
>> From: Leslie Hilton <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> 
>> 
>> 
>> Attention  ,
>> 
>> Find out how to generate 1.5 - 3.5k per day from your home.
>> 
>> 800.671.9007
>> 
>> Phone me at my number if you can return calls.
>> 
>> Thanks Alot,
>> Leslie Hilton
> 
> The lowest scoring one of those puppies to hit here ran up a score
> of 7.3:
> -1.5 JD_SENDER_RELAY    Good list with Sender header
>  0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some
>                         mails
>  3.0 BAYES_95           BODY: Bayesian spam probability is 95 to 99%
>                         [score: 0.9771]
>  0.0 JD_VHI_BAYES       JD_VHI_BAYES
>  0.0 JD_HI_BAYES        JD_HI_BAYES
>  3.8 JD_HI_BAYES_LKML   LKML likely spam
>  2.0 JD_VHI_BAYES_LKML  LKML very likely spam
> 

Which rule set are the JD_ scores from?

Thanks,

[EMAIL PROTECTED]



Re: Been getting alot of these lately.. anyone else?

2006-10-16 Thread Sandy S
Found a bunch of these in my mailbox this morning, too.  This rule seems to
catch them all so far (until the spammer changes his wording)

body WORK_FROM_HOME_BA /(?:Learn|Find out) how to (?:make|generate) 1.5 - 3.5k (?:daily|(?:per|a) day) from (?:your )?(?:home|house)/i
score WORK_FROM_HOME_BA 4

Sandy
- Original Message - 
From: "Scott Friedman" <[EMAIL PROTECTED]>
To: 
Sent: Sunday, October 15, 2006 10:29 AM
Subject: Been getting alot of these lately.. anyone else?


> Has anyone figured a good recipe for blocking these type of spam yet?
>
> I get 3-5 per day to each user on my mail server.
>
> Thanks
>
>
>
>  Original Message 
> Subject: Re: Work has been closed permanently
> Date: Sun, 15 Oct 2006 21:28:50 +0600
> From: Leslie Hilton <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
>
>
>
> Attention  ,
>
> Find out how to generate 1.5 - 3.5k per day from your home.
>
> 800.671.9007
>
> Phone me at my number if you can return calls.
>
> Thanks Alot,
> Leslie Hilton
>
>
>
>
>
>




Re: Increase in Spam

2006-10-16 Thread Jo Rhett

Steve Lake wrote:
Oh, this sounds spectacular.  One question.  Is there a port on 
Freebsd for this?  I don't see one offhand.  If there is, then that 
would assume that all the other necessary ports are present as well.  If 
not, it'll be a royal b trying to get the nix versions installed 
instead if no freebsd ported versions are available.  :(


So go make one :-)  It's easy enough.

--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: How to disable autolearn for FuzzyOcr?

2006-10-16 Thread D . J .
>I think what the original poster was asking was how to make the
>gibberish bodies not get Bayes scanned, so as to not pollute the
>database with text that isn't spammy.

Exactly my point.

Slightly off topic here, but I have a dumb question.  If you get a message with obvious bayes poison, what *should* you do?  Do you remove the poison and classify, or do you just not classify that message?



Re: How to disable autolearn for FuzzyOcr?

2006-10-16 Thread Jim Maul

D.J. wrote:

>I think what the original poster was asking was how to make the
>gibberish bodies not get Bayes scanned, so as to not pollute the
>database with text that isn't spammy.


Exactly my point.


Slightly off topic here, but I have a dumb question.  If you get a 
message with obvious bayes poison, what *should* you do?  Do you remove 
the poison and classify, or do you just not classify that message?


I train it just like you would any other message - especially since many 
get autolearned.  The 'poison' doesn't seem to have much of an effect. 
If anything, it's a good spam indicator.


-Jim


RE: How to disable autolearn for FuzzyOcr?

2006-10-16 Thread John D. Hardin
On Mon, 16 Oct 2006, Frank Bures wrote:

> On Mon, 16 Oct 2006 08:46:17 -0700, Chandler, Jay wrote:
> 
> >I think what the original poster was asking was how to make the
> >gibberish bodies not get Bayes scanned, so as to not pollute the
> >database with text that isn't spammy.
> 
> Exactly my point.

Do an archive search for the last week, there was some discussion of
this by myself and others.

Summary: no native support. There is a plugin that allows you to tag a
rule with a flag that will suppress autolearn if the rule is hit.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 15 days until Halloween



Re: Any comments of the SpamHaus lawsuit?

2006-10-16 Thread Jo Rhett

Bill Horne wrote:
> If this company succeeds in cutting off spamhaus's domain, the
> Cartooney letters will start to be real. At that point, the options
> open to the army of private citizens who've been fighting spam
...etc

I'm sorry, I've watched this thread go longer and longer about all the 
potential damage, and this is getting silly.  All that SPEWS has to do 
if they *must* be compliant (which I doubt) is to create a separate 
domain for US users that is compliant with the lawsuit.  Put up 
something saying "this list is for US users "in compliance with ..."


Nobody will use the US list, but they are compliant with the judgement 
for all US users, which is all the US court has authority for.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: A problem with AWL

2006-10-16 Thread Jo Rhett

Chuck Payne wrote:
I got a problem with a lot of spam coming through and it looks like the main 
reason is that AWL is on every test and when that is not there it gives 
the e-mail negative points. How can I turn off AWL?
And if I turn it off will it affect domains and users on my list that I have 
that are whitelisted?


AWL has no relationship to the normal whitelist.  But you really don't 
want it turned off, you want to fix the reasons why spam from these 
parties is getting good scores on the first attempt...


FYI: PLEASE!! don't reply to a message and change the subject.  Your 
message got threaded in with the previous topic.  On most days, I ignore 
any such messages.  The vast majority of other smart people do the same. 
 To start a new thread, use "Compose Mail To" or whatever your client 
has...




--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: Any comments of the SpamHaus lawsuit?

2006-10-16 Thread Jo Rhett

Christopher Martin wrote:

Really, the idea that a US court can order an international organisation,
like InterNIC (that's the Inter- bit of InterNIC), to deregister a domain is


Sorry, you lost me right there.  That's not where the name derived from 
originally.  Unless you were kidding, and I missed a smiley somewhere 
that showed that you knew better.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Domain names (Was: Any comments of the SpamHaus lawsuit?)

2006-10-16 Thread Jo Rhett

Bookworm wrote:
Just as a FYI, .com, .org, .edu, .mil, .gov, and .net were developed by 
the US when DNS was first being conceptualized.   There were enough 
computers on the (D)ARPNET backbone that it was getting confusing to 
track hosts files.  At that point, there wasn't a .us, .au, .gb, .de, or 
the others.  Those came slightly later.

 (trimmed)

Incorrect.  .us has existed for nearly as long, but had really a fixed 
3-layer structure that prevented most people from using it.  The three 
layers only had structure for states, cities, etc.


It was meant to simplify, but it mostly confused non-techy people.  Only 
recently was .us normalized so that it could be used by .us companies.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Problem with local.cf file processing

2006-10-16 Thread Robert Fargher
Hi,

  I'm running Spamassassin 3.14 on a Fedora Core 5 mail server and am 
experiencing a puzzling problem.  In a nutshell, the local.cf file doesn't 
seem to be processed properly and I can't figure out 
why.  "spamassassin --lint" runs without errors.

  We're getting complaints from some of our clients, who have opted out of 
spam processing, that their mail is still being processed.  Those clients are 
listed below in the whitelist_to and all_spam_to lines.

  The  "whitelist_from [EMAIL PROTECTED]" record used to be near the bottom 
of the whitelist_from records and didn't work there.  It was moved near the 
top and started working!  So that would indicate that there is a problem 
somewhere in these records but I'm damned if I can see 
it.  "spamassassin --lint" runs without errors.   Following Linus' Law, I'm 
hoping that more eyes than mine can spot what's going wrong.

  Multiple pints of Guinness will be provided to whoever manages to tell me 
where the screw-up occurs.  To be collected in Vancouver, B.C. (which stands 
for Bring Cash, BTW, not British Columbia! :-)

--
Thanks!
Rob


-- contents of  /etc/mail/spamassassin/local.cf

rewrite_header subject *SPAM*
report_safe 1
trusted_networks 192.168.222.
#auto_whitelist_path /etc/mail/spamassassin/auto_whitelist
use_auto_whitelist 0
use_bayes 0
add_header  spam Report _REPORT_
required_score 4.1

whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from *elcosystems.com
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from *stockhouse.ca
whitelist_from *stockhouse.com
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]


# entries for sites and addresses that are opting out of the filtering
whitelist_to [EMAIL PROTECTED]
whitelist_to [EMAIL PROTECTED]
whitelist_to [EMAIL PROTECTED]
whitelist_to [EMAIL PROTECTED]
whitelist_to [EMAIL PROTECTED]
whitelist_to [EMAIL PROTECTED]
whitelist_to [EMAIL PROTECTED]
whitelist_to [EMAIL PROTECTED]
whitelist_to [EMAIL PROTECTED]
whitelist_to [EMAIL PROTECTED]
whitelist_to [EMAIL PROTECTED]
whitelist_to [EMAIL PROTECTED]
whitelist_to [EMAIL PROTECTED]

all_spam_to [EMAIL PROTECTED]
all_spam_to [EMAIL PROTECTED]
all_spam_to [EMAIL PROTECTED]
all_spam_to [EMAIL PROTECTED]


# Specific blacklist entries
blacklist_from [EMAIL PROTECTED]




Re: Any suggestions for 'postmaster' spams?

2006-10-16 Thread Jo Rhett

Brian S. Meehan wrote:

It appears that my email address is now being used as a from address in
many spam emails to many addresses. Over the past week, I have gotten 150+
"postmaster: mail delivery failure" -each day-.

Does anyone have suggestions on how to handle this? 


Yes.  Implement SPF and DKIM policies to tell other sites how to 
interpret your mail.  Right now, implementing both is good for 70% of 
the backscatter.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: Problem with local.cf file processing

2006-10-16 Thread John D. Hardin
On Mon, 16 Oct 2006, Robert Fargher wrote:

>   We're getting complaints from some of our clients, who have
> opted out of spam processing, that their mail is still being
> processed.  Those clients are listed below in the whitelist_to and
> all_spam_to lines.

How are you hooking SA into your mail system? If you're using
procmail, then it'd be much easier to put a file test in procmail than
fiddling around with the SA config. Then to opt a user out you'd just
drop a file in the user's home directory.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 15 days until Halloween



Re: Any suggestions for 'postmaster' spams?

2006-10-16 Thread Jo Rhett

jdow wrote:

Not much you can do about it other than find a shotgun, go find the


Please educate yourself before answering something like this.  If you 
don't know the answer, perhaps it is best to sit quietly and wait for 
someone else to answer instead?


The following two technologies greatly reduce the acceptance of forged 
spam, and thus reduce the backscatter too.


  http://www.openspf.org/
  http://mipassoc.org/dkim/

There's also a ruleset for detecting forged bouncebacks, but it needs to 
be rewritten if you're hosting multiple domains.  Hopefully the author 
will get to that, or I might submit a patch eventually :-)


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: Any suggestions for 'postmaster' spams?

2006-10-16 Thread Jo Rhett

Benny Pedersen wrote:

On Mon, October 16, 2006 00:16, Brian S. Meehan wrote:

It appears that my email address is now being used as a from address in
many spam emails to many addresses. Over the past week, I have gotten 150+
"postmaster: mail delivery failure" -each day-.


is it with envelope from [EMAIL PROTECTED] ?

if yes, make postfix reject FROM: postmaster will solve it nicely

pcre_reject_no_real_user_map.pcre:
/[EMAIL PROTECTED]/ REJECT Postmasters is nice

main.cf:
smtpd_sender_restrictions =
 ...
 check_sender_access pcre:/etc/postfix/pcre_reject_no_real_user_map.pcre
 ...

do not make it to the recipient !


I'm not a postfix user, so clue me in.  Doesn't this prevent local 
bounce messages from being delivered?


I also believe that the original post was about backscatter, not forged 
postmaster mail.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: Any suggestions for 'postmaster' spams?

2006-10-16 Thread Jo Rhett

R Lists06 wrote:

First suggestion, don't post to list with the email address you use for biz
or personal use.

Make another and use it for all lists. When you get spammed on it, change it
slightly, unsub the other and sub the new to all the lists you are on.


Uh.  Yeah.  Is it just me, or are all the dumb answers coming up today?

Or, perhaps, run spamassassin and don't worry about changing your e-mail 
constantly?  Duh?


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: ALL_TRUSTED creating a problem

2006-10-16 Thread Jo Rhett

Magnus Holmgren wrote:
A list search for ALL_TRUSTED would have given you tons of hits. You could 
also have gone to the FAQ page and from there to the FixingErrors wiki page, 
where you'd find a reference to ALL_TRUSTED.


Magnus, to be fair - the search will tell you that autodetection should 
work unless you are behind a NAT.  So a person who believes that without 
testing won't realize that they're looking at the problem.


The autodetection is totally broken actually, and needs to be fixed.

I've added a comment to the Wiki to let people know about this.

--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: Any suggestions for 'postmaster' spams?

2006-10-16 Thread Justin Mason

Jo Rhett writes:
> jdow wrote:
> > Not much you can do about it other than find a shotgun, go find the
> 
> Please educate yourself before answering something like this.  If you 
> don't know the answer, perhaps it is best to sit quietly and wait for 
> someone else to answer instead?
> 
> The following two technologies greatly reduce the acceptance of forged 
> spam, and thus reduce the backscatter too.
> 
>http://www.openspf.org/
>http://mipassoc.org/dkim/
> 
> There's also a ruleset for detecting forged bouncebacks, but it needs to 
> be rewritten if you're hosting multiple domains.  Hopefully the author 
> will get to that, or I might submit a patch eventually :-)

do you mean the one I posted about earlier, or the original?

--j.


Vbounce (Was: Any suggestions for 'postmaster' spams?)

2006-10-16 Thread Jo Rhett

Justin Mason wrote:

do you mean the one I posted about earlier, or the original?


Sorry, I haven't looked at it in a while and wouldn't remember.

Looking at yours - why don't you use the global parameters that specify 
trusted header hosts instead of adding your own?  I can't think of a 
time I would trust the headers from a host, but wouldn't trust it for 
bounces...


Also, I think (I don't have time to read the ruleset in detail right 
now) that it seems a bit harsh.  The goal would be to identify only 
backscatter right?  It seems likely to hit almost every bounce, yes?


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: Concerned with scores for from rfc-ignorant.org

2006-10-16 Thread Jo Rhett

John Andersen wrote:

On Thursday 12 October 2006 14:54, John Rudd wrote:

That rule has a 3.2 value because the 3.2 value is
accurate to differentiating spam vs ham in the corpus.  Therefore, the
score is appropriate.


No, it's not accurate.

The rule is indiscriminate as to content.  It flags ham with the same score
as spam.  Therefore by definition it is indiscriminate, and thus useless
in the prediction of ham vs spam.

Zero that rule's score, and your false positives will fall, but your false 
negatives will not increase.  The rule unfairly targets ham.


That's completely untrue, comparing my ham and spam.  Not just mostly 
untrue, but absolutely and completely untrue.  I got two HAM messages 
with this set (but only this and not enough to filter on) and nearly 
every spam either had this or was picked up by SPF or DKIM rules (was a 
forged mail from a domain which had a postmaster)


And John, there are metrics used to test this.  Implement the testing 
environment for yourself, and come up with real metrics before saying 
this kind of absolute-statement-no-caveat nonsense.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: Vbounce (Was: Any suggestions for 'postmaster' spams?)

2006-10-16 Thread Justin Mason

Jo Rhett writes:
> Justin Mason wrote:
> > do you mean the one I posted about earlier, or the original?
> 
> Sorry, I haven't looked at it in a while and wouldn't remember.
> 
> Looking at yours - why don't you use the global parameters that specify 
> trusted header hosts instead of adding your own?  I can't think of a 
> time I would trust the headers from a host, but wouldn't trust it for 
> bounces...

Tried, and it didn't work. :(  Unfortunately, trusted_networks etc.
is built on the IP address of trusted net ranges -- and that info
doesn't appear reliably in most bounce DSNs.   (I think there's
a bugzilla item with more info.)

> Also, I think (I don't have time to read the ruleset in detail right 
> now) that it seems a bit harsh.  The goal would be to identify only 
> backscatter right?  It seems likely to hit almost every bounce, yes?

it'll hit every bounce, and the MY_SERVERS_FOUND rule then rescues
the "legit" bounces from that set.

--j.
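
The flag-every-bounce-then-rescue approach Justin describes (and the single-domain concern Jo raised earlier), as an added Python example that is neither Justin's ruleset nor the original Vbounce rules: each DSN is flagged, then rescued if the quoted original message shows a hop through one of our relays. The MY_SERVERS pattern, the relay hostnames and all three sample messages are constructed for this example.

```python
"""Vbounce-style backscatter check (added example, not the posted ruleset).
MY_SERVERS and the three sample messages are constructed."""
import email
import re
from email import policy

# Constructed: pattern for our own outbound relays (the MY_SERVERS_FOUND idea).
MY_SERVERS = re.compile(r"\b(?:mx[0-9]+|mail)\.example\.net\b", re.IGNORECASE)
_BOUNCE_SUBJECT = re.compile(
    r"delivery (?:status|failure)|undeliver|returned mail|failure notice", re.I)
# A header line plus any folded continuation lines inside a text part.
_RECEIVED = re.compile(r"^Received:[ \t]*(.*(?:\n[ \t]+.*)*)", re.MULTILINE)


def parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def looks_like_bounce(msg):
    """Structural DSN markers: null or MAILER-DAEMON sender, multipart/report,
    or a bounce-style subject. Hits every bounce, legitimate or not."""
    ret = str(msg.get("Return-Path") or "").strip()
    frm = str(msg.get("From") or "").lower()
    if ret == "<>" or "mailer-daemon" in frm or "postmaster@" in frm:
        return True
    if msg.get_content_type() == "multipart/report":
        return True
    return bool(_BOUNCE_SUBJECT.search(str(msg.get("Subject") or "")))


def embedded_received(msg):
    """Received headers of the original message quoted inside the DSN, whether
    it arrives as a message/rfc822 part or as headers pasted into a text part."""
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            found.extend(part.get_payload(0).get_all("Received", []))
        elif ctype.startswith("text/"):
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            found.extend(m.group(1) for m in _RECEIVED.finditer(text))
    return [str(h) for h in found]


def classify(raw):
    """'not-bounce', 'legit-bounce' (our relay is in the quoted hops) or
    'backscatter'. The rescue trusts text the bouncing host copied, so a HELO
    forged to our relay name would pass; reusing SPF/DKIM results would help."""
    msg = parse(raw)
    if not looks_like_bounce(msg):
        return "not-bounce"
    if any(MY_SERVERS.search(h) for h in embedded_received(msg)):
        return "legit-bounce"
    return "backscatter"


# Constructed sample 1: a real DSN for mail that left through our relay mx1.
LEGIT_DSN = b"""Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@remote.example.com>
To: alice@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from mx1.example.net (mx1.example.net [192.0.2.10])
  by remote.example.com with ESMTP id 1; Mon, 16 Oct 2006 10:00:00 +0000
Received: from desk.example.net ([192.0.2.50]) by mx1.example.net
  with ESMTP id 2; Mon, 16 Oct 2006 09:59:00 +0000
From: alice@example.net
To: nobody@remote.example.com
Subject: hello

original body
--b1--
"""

# Constructed sample 2: backscatter; only our domain was forged in HELO.
BACKSCATTER_DSN = b"""Return-Path: <>
From: MAILER-DAEMON@victim-relay.example.org
To: alice@example.net
Subject: failure notice
Content-Type: text/plain

Your message could not be delivered.
--- Below this line is a copy of the message.

Received: from unknown (HELO example.net) (198.51.100.77)
  by victim-relay.example.org with SMTP; 16 Oct 2006 11:00:00 -0000
From: alice@example.net
Subject: Work has been closed permanently

Find out how to generate 1.5 - 3.5k per day from your home.
"""

# Constructed sample 3: ordinary mail, never treated as a bounce.
NOT_BOUNCE = b"""Return-Path: <bob@example.org>
From: Bob <bob@example.org>
To: alice@example.net
Subject: lunch on Friday?

Are you free?
"""
```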


Re: How to disable autolearn for FuzzyOcr?

2006-10-16 Thread D . J .
> Slightly off topic here, but I have a dumb question.  If you get a
> message with obvious bayes poison, what *should* you do?  Do you remove
> the poison and classify, or do you just not classify that message?

> I train it just like you would any other message - especially since many
> get autolearned.  The 'poison' doesn't seem to have much of an effect.
> If anything, it's a good spam indicator.
>
> -Jim

OK, Just wanted to double-check.  I actually manually train all of our spam here, we have autolearn off.


FW: Spamd not killing children

2006-10-16 Thread Diffenderfer, Randy
Folks,

I, too, have been having somewhat similar issues with 3.1.7.  On a RH ES
3.0u7  box, kernel 2.4.21-40.ELsmp, I see these symptoms in syslog
(spamd running with "-s local2"):

Oct 14 21:42:01 samler1 spamd[18694]: prefork: child states: III
Oct 14 21:42:01 samler1 spamd[14338]: spamd: connection from localhost.localdomain [127.0.0.1] at port 60505
Oct 14 21:42:01 samler1 spamd[14338]: spamd: processing message <[EMAIL PROTECTED]> for mailadm:500
Oct 14 21:42:01 samler1 spamd[14338]: spamd: clean message (0.0/5.0) for mailadm:500 in 0.046 seconds, 2059 bytes.
Oct 14 21:42:01 samler1 spamd[14338]: spamd: result: . 0 - HTML_MESSAGE scantime=0.046,size=2059,user=mailadm,uid=500,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=60505,mid=<01c6f014$365c5[EMAIL PROTECTED]>,autolearn=disabled
Oct 14 21:47:02 samler1 spamd[18328]: prefork: sysread(8) failed after 300 secs at /usr/local/spam/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/SpamdForkScaling.pm line 561.
Oct 14 21:47:02 samler1 spamd[14338]: prefork: sysread(7) failed after 300 secs at /usr/local/spam/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/SpamdForkScaling.pm line 561.

spamd's 2 kids are both marked defunct in a 'ps', and spamd processing
is effectively *stopped*.  This isn't a good thing -- a 'kill -9' and
spamd restart is necessary to get things running again.

What do I start to look at?

rnd

-Original Message-
From: Chris Lear [mailto:[EMAIL PROTECTED] 
Sent: Monday, October 16, 2006 5:32 AM
To: SpamAssassin
Subject: Spamd not killing children


Subject sounds unpleasantly like incitement to filicide, for which I
apologise.

The problem I'm having is that spamd doesn't seem to be able to clean up
unwanted idle child processes.

Here's the logfile evidence:

Oct 16 00:12:59 marvin spamd[6351]: prefork: child states: III
Oct 16 00:13:09 marvin spamd[18043]: spamd: connection from localhost [127.0.0.1] at port 35720
Oct 16 00:13:09 marvin spamd[18043]: spamd: setuid to spamd succeeded
Oct 16 00:13:09 marvin spamd[18043]: spamd: checking message <[EMAIL PROTECTED]> for spamd:210
Oct 16 00:13:12 marvin spamd[25627]: spamd: connection from localhost [127.0.0.1] at port 35722
Oct 16 00:13:12 marvin spamd[25627]: spamd: setuid to spamd succeeded
Oct 16 00:13:12 marvin spamd[25627]: spamd: checking message <[EMAIL PROTECTED]> for spamd:210
Oct 16 00:13:14 marvin spamd[18043]: spamd: identified spam (29.7/5.0) for spamd:210 in 5.3 seconds, 1545 bytes.
Oct 16 00:13:14 marvin spamd[18043]: spamd: result: Y 29 - BAYES_99,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL scantime=5.3,size=1545,user=spamd,uid=210,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=35720,mid=<[EMAIL PROTECTED]>,bayes=0.891,autolearn=spam
Oct 16 00:13:15 marvin spamd[6351]: prefork: child states: IBK
-^
[...] Time passes, and spamd continues to work [...]

Oct 16 10:18:00 marvin spamd[6351]: prefork: child states: IIKK
-^^

spamd seems to be trying to kill child processes to get the number of
threads down to 2. But for some (apparently unreported) reason the
threads don't die, and the server is slowly collecting children marked
as "K".

I recently upgraded spamassassin to 3.1.5, and I also installed
FuzzyOcr, which I suspect might be part of the problem.

Can anyone tell me a) what logs to look in to work out why this has
happened? (I've looked in the FuzzyOcr log, which does show some errors
and timeouts, but apparently none at relevant times), b) whether there's
anything I can do about it (I'll start by disabling FuzzyOcr, but I'd
like to use it), or c) whether there's a spamassassin bug?

I looked at the code in SpamdForkScaling.pm, and I see that there are 2
places where child processes are killed. In one place (sub
child_error_kill, line 134), there is a warn line if the kill fails. In
the other (sub need_to_del_server, line 732) there isn't.

Chris


Re: Concerned with scores for from rfc-ignorant.org

2006-10-16 Thread John Andersen
On Monday 16 October 2006 10:11, Jo Rhett wrote:
> I got two HAM messages
> with this set (but only this and not enough to filter on) and nearly
> every spam either had this or was picked up by SPF or DKIM rules (was a
> forged mail from a domain which had a postmaster)

Thanks for proving my point.

If the score for this rule was not enough to filter ham on, it 
didn't contribute to the spam filtering materially either.

Your spam would have been caught without this rule.

-- 
_
John Andersen


Re: Vbounce (Was: Any suggestions for 'postmaster' spams?)

2006-10-16 Thread Jo Rhett

Justin Mason wrote:

Jo Rhett writes:

Justin Mason wrote:

do you mean the one I posted about earlier, or the original?

Sorry, I haven't looked at it in a while and wouldn't remember.

Looking at yours - why don't you use the global parameters that specify 
trusted header hosts instead of adding your own?  I can't think of a 
time I would trust the headers from a host, but wouldn't trust it for 
bounces...


Tried, and it didn't work. :(  Unfortunately, trusted_networks etc.
is built on the IP address of trusted net ranges -- and that info
doesn't appear reliably in most bounce DSNs.   (I think there's
a bugzilla item with more info.)

Also, I think (I don't have time to read the ruleset in detail right 
now) that it seems a bit harsh.  The goal would be to identify only 
backscatter right?  It seems likely to hit almost every bounce, yes?


it'll hit every bounce, and the MY_SERVERS_FOUND rule then rescues
the "legit" bounces from that set.


yeah, I thought so.  It seems too simple for anything but single-domain 
servers. (or at least single-organization servers)


I'll poke at it later and see if I can think up a better way to handle 
this.  I'd include SPF results etc if I can reuse that information from 
the previous tests...


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: How to filter these spam messages

2006-10-16 Thread John D. Hardin
On Sun, 15 Oct 2006, Billy Huddleston wrote:

> Won't work for my use.. Running SA for ISP..  Way too many
> people.. Way too much volume..  People upset at the time delays
> already.. which are under 2 - 10 minutes.. Go Figure.

Adjust their expectations. Email is *not* IM.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 15 days until Halloween



Re: Vbounce (Was: Any suggestions for 'postmaster' spams?)

2006-10-16 Thread Justin Mason

Jo Rhett writes:
> Justin Mason wrote:
> > Jo Rhett writes:
> >> Justin Mason wrote:
> >>> do you mean the one I posted about earlier, or the original?
> >> Sorry, I haven't looked at it in a while and wouldn't remember.
> >>
> >> Looking at yours - why don't you use the global parameters that specify 
> >> trusted header hosts instead of adding your own?  I can't think of a 
> >> time I would trust the headers from a host, but wouldn't trust it for 
> >> bounces...
> > 
> > Tried, and it didn't work. :(  Unfortunately, trusted_networks etc.
> > is built on the IP address of trusted net ranges -- and that info
> > doesn't appear reliably in most bounce DSNs.   (I think there's
> > a bugzilla item with more info.)
> > 
> >> Also, I think (I don't have time to read the ruleset in detail right 
> >> now) that it seems a bit harsh.  The goal would be to identify only 
> >> backscatter right?  It seems likely to hit almost every bounce, yes?
> > 
> > it'll hit every bounce, and the MY_SERVERS_FOUND rule then rescues
> > the "legit" bounces from that set.
> 
> yeah, I thought so.  It seems too simple for anything but single-domain 
> servers. (or at least single-organization servers)

why?  Can you not simply list all the outgoing relays for the
organizations/domains, or even a pattern that matches all of their
names?  How many outgoing relays do you have?  (I'm not sure I
understand the problem here.)

> I'll poke at it later and see if I can think up a better way to handle 
> this.  I'd include SPF results etc if I can reuse that information from 
> the previous tests...

That would be nifty, if possible.

--j.


Re: FW: Spamd not killing children

2006-10-16 Thread Daryl C. W. O'Shea

Diffenderfer, Randy wrote:

Folks,

I, too, have been having somewhat similar issues with 3.1.7.  On a RH ES
3.0u7  box, kernel 2.4.21-40.ELsmp, I see these symptoms in syslog
(spamd running with "-s local2"):

Oct 14 21:42:01 samler1 spamd[18694]: prefork: child states: III
Oct 14 21:42:01 samler1 spamd[14338]: spamd: connection from localhost.localdomain [127.0.0.1] at port 60505
Oct 14 21:42:01 samler1 spamd[14338]: spamd: processing message <[EMAIL PROTECTED]> for mailadm:500
Oct 14 21:42:01 samler1 spamd[14338]: spamd: clean message (0.0/5.0) for mailadm:500 in 0.046 seconds, 2059 bytes.
Oct 14 21:42:01 samler1 spamd[14338]: spamd: result: . 0 - HTML_MESSAGE scantime=0.046,size=2059,user=mailadm,uid=500,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=60505,mid=<01c6f014$365c5[EMAIL PROTECTED]>,autolearn=disabled
Oct 14 21:47:02 samler1 spamd[18328]: prefork: sysread(8) failed after 300 secs at /usr/local/spam/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/SpamdForkScaling.pm line 561.
Oct 14 21:47:02 samler1 spamd[14338]: prefork: sysread(7) failed after 300 secs at /usr/local/spam/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/SpamdForkScaling.pm line 561.

spamd's 2 kids are both marked defunct in a 'ps', and spamd processing
is effectively *stopped*.  This isn't a good thing -- a 'kill -9' and
spamd restart is necessary to get things running again.

What do I start to look at?

rnd


This looks like bug 4476.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4476


Daryl


Re: Any suggestions for 'postmaster' spams?

2006-10-16 Thread John D. Hardin
On Mon, 16 Oct 2006, Jo Rhett wrote:

> jdow wrote:
> > Not much you can do about it other than find a shotgun, go find the
> 
> Please educate yourself before answering something like this.  If
> you don't know the answer, perhaps it is best to sit quietly and
> wait for someone else to answer instead?

Okay, I'll answer.

I am convinced that spam (in all its forms) will continue to be a
problem until spammers start dying for what they are doing. That will
change the risk/benefit analysis rather strongly towards the negative.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 15 days until Halloween



I'm getting killed with spammers

2006-10-16 Thread Debbie D
I am a learn as I go type of hosting.. my server with cpanel exim SA and 
ClamAV does a good job for the most part but since last Monday I have been 
getting major issues.. I do read this list when I have time or remember to 
do so but more importantly when issues crop up, sometimes I get it, 
sometimes you guys are so far over my head I want to run screaming from the 
PC..

I need some help here..

Last Mon, Tues & Wed I had severe inflow of spam, always at 12.30p EST, Wed 
it didn't stop till almost 5p. The server seems to not be very cooperative 
when the queue grows over 200 or so.

I have max child set to 15 (up from 5) and not sure what else I can offer in 
the way of what you need to know to help me, but if you tell me where to 
look I can spout what you need.

The install is out of the box with few if any mods except exim does have the 
dictionary attack, I run BFD and APF

I do not believe I have been hacked into.. I DO read the logwatch daily and 
do poke around looking for dropped files on a semi regular basis..

this high amount of spam, (BTW scoring at 20-well over 1000) is killing the 
loads and I have screaming clients..

Just this afternoon (again around 12.30) it loaded up again with 312 mails.. 
the web based control panel was reacting so slow I would get 3 new ones for 
every one I managed to delete or deliver (I could not just delete the queue 
because some were actually valid mails in there) Server loads rose to well 
over 30, I shut exim - but cpanel was so kind to automagically restart it 
every time.. tried a reboot from ssh but that just hung.. the tech peeps did 
it from their end and it worked and brought the loads down so I could delete 
faster than they came in and now we're back to normal loads and queue

I did upgrade to SA 3.1.7 last week - Wed night after a long day of battling 
the loads.. and that seemed to go well

suggestions? Offers of help???

thanks






Re: Concerned with scores for from rfc-ignorant.org

2006-10-16 Thread Jo Rhett

On Monday 16 October 2006 10:11, Jo Rhett wrote:

I got two HAM messages
with this set (but only this and not enough to filter on) and nearly
every spam either had this or was picked up by SPF or DKIM rules (was a
forged mail from a domain which had a postmaster)


John Andersen wrote:

Thanks for proving my point.

If the score for this rule was not enough to filter ham on it 
didn't contribute to the spam filtering materially either.


None of the rules which triggered on any of my spam was enough by itself 
to catch it.  That's not how spamassassin works.  And I'm sure you know 
this.


Sorry, I didn't realize you were trolling.

--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: How to filter these spam messages

2006-10-16 Thread Logan Shaw

On Mon, 16 Oct 2006, John D. Hardin wrote:

On Sun, 15 Oct 2006, Billy Huddleston wrote:



Won't work for my use.. Running SA for ISP..  Way too many
people.. Way too much volume..  People upset at the time delays
already.. which are under 2 - 10 minutes.. Go Figure.



Adjust their expectations. Email is *not* IM.


I guess the problem with being an ISP is that there would be
other ISPs who would be willing to not try to adjust their
expectations and instead promise them super-speedy e-mail
delivery in all cases.  The fact that it isn't possible to
deliver on that promise might not matter if they still manage
to take away your customers.  :-)

The point being that even though e-mail isn't IM, if people
expect you to get as close to IM as possible, then you probably
have to do that if you want to keep your customers.  So it's
kinda a moot point.

  - Logan


RE: Any suggestions for 'postmaster' spams?

2006-10-16 Thread R Lists06
> 
> Uh.  Yeah.  Is it just me, or are all the dumb answers coming up today?
> 
> Or, perhaps, run spamassassin and don't worry about changing your e-mail
> constantly?  Duh?
> 
> --
> Jo Rhett
> Network/Software Engineer
> Net Consonance

It's you Jo.

Yet we apologize Jo, we are all having a really difficult time trying to
live up to your standards but we are trying real hard though Jo...

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



Re: Any suggestions for 'postmaster' spams?

2006-10-16 Thread Jo Rhett

John D. Hardin wrote:

On Mon, 16 Oct 2006, Jo Rhett wrote:
I am convinced that spam (in all its forms) will continue to be a
problem until spammers start dying for what they are doing. That will
change the risk/benefit analysis rather strongly towards the negative.


So join WhackASpammer.  You make a micropayment for each spam you 
receive from a spammer.  When $50k has been reached for any given 
spammer, they are whacked.  :-)



NOTE: THIS IS A JOKE.  I keep meaning to register the domain and put up 
a spoof site, but I haven't had the time to make sure I can't be sued 
for doing this


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: I'm getting killed with spammers

2006-10-16 Thread Daniel T. Staal
On Mon, October 16, 2006 2:28 pm, Debbie D said:

> this high amount of spam, (BTW scoring at 20-well over 1000) is killing
> the loads and I have screaming clients..
>
> Just this afternoon (again around 12.30) it loaded up again with 312
> mails.. the web based control panel was reacting so slow I would get 3
> new ones for every one I managed to delete or deliver (I could not just
> delete the queue because some were actually valid mails in there) Server
> loads rose to well over 30, I shut exim - but cpanel was so kind to
> automagically restart it every time.. tried a reboot from ssh but that
> just hung.. the tech peeps did it from their end and it worked and brought
> the loads down so I could delete faster than they came in and now we're
> back to normal loads and queue
>
> I did upgrade to SA 3.1.7 last week - Wed night after a long day of
> battling the loads.. and that seemed to go well
>
> suggestions? Offers of help???

At this point, you probably need to find some way to blacklist part of
that load, to keep your server from dealing with it.  It may be possible
to improve SA performance so that you can survive the onslaught, but SA
does mean that your server has to do something with each email it scans.

A 'quick fix' would actually be to turn SA off.  The (spam) messages will
all go through, but it should mean less load on your system.

Look through the spam sent in those bursts and see if there is any way you
can identify them *quickly*, preferably by IP addresses.  Then block them
so your server doesn't have to deal with them.

Daniel T. Staal

---
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---



Re: I'm getting killed with spammers

2006-10-16 Thread Logan Shaw

On Mon, 16 Oct 2006, Debbie D wrote:

I have max child set to 15 (up from 5) and not sure what else I can offer in
the way of what you need to know to help me, but if you tell me where to
look I can spout what you need.

:
:

Just this afternoon (again around 12.30) it loaded up again with 312 mails..
the web based control panel was reacting so slow I would get 3 new ones for
every one I managed to delete or deliver (I could not just delete the queue
because some were actually valid mails in there) Server loads rose to well
over 30, I shut exim


You probably have max children set too high.  When a big
bunch of messages come in, they all run, you don't have
enough memory, and your system starts swapping like crazy.
That brings everything on your server to a near halt.
It reduces throughput, which means you get a backlog, which
means you get stuck in this state because all the children
stay active hogging RAM and trying to process the backlog.

The solution is to either expand the RAM so the system can
really handle that many active children at once, or set the
maximum number of children to something much lower.  Try 2
or 3 even.  It seems like more children would mean more work
getting done, and that's true, but it's only true up to a point,
and you've passed that point.

  - Logan


Re: Vbounce (Was: Any suggestions for 'postmaster' spams?)

2006-10-16 Thread Jo Rhett

Justin Mason wrote:

why?  Can you not simply list all the outgoing relays for the
organizations/domains, or even a pattern that matches all of their
names?  How many outgoing relays do you have?  (I'm not sure I
understand the problem here.)


Okay, let's go with my personal colo box.  It's the simplest.   I can't 
imagine trying this on a production mail server.


There are 24 domains here.
* 7 are mine or under my control and origin only here.  No problem.
* 12 or so I know enough about to make some reasonable guesses.
* 5 domains I know nearly nothing about.

And seriously, these are all domains of close personal friends.

AND of those 24 domains, almost *EVERY* one of them has someone in the 
domain who is sending mail via their ISP either because they are forced 
to, they want to for some misguided reason, or they are just too inept 
to change their mail server settings.


This makes source sending address information difficult to detect using 
manually configured host headers.


I'd rather use SPF and/or DKIM information (or any other information we 
can determine dynamically) to determine if the message was originally a 
forgery.


This has the dual added benefit of providing backscatter protection only 
for the domains who are protecting others against their forgeries.


--
Jo Rhett
Network/Software Engineer
Net Consonance
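The relay check Justin describes above (every bounce is hit, then MY_SERVERS_FOUND rescues the ones whose returned headers name one of your own outgoing relays), together with the case Jo raises of a user sending through their ISP's smarthost, modelled as an added example. This is not the Vbounce plugin's code: the relay names, DSNs and documentation-range addresses are all constructed, and only the "from" host of each Received: line is matched.

```python
import re

# Constructed relay list: the hosts all mail from our domains is expected to
# leave through, playing the part of the whitelist_bounce_relays list that
# MY_SERVERS_FOUND checks. Names are hypothetical.
MY_RELAYS = {"mail1.example.org", "mail2.example.org"}

RECEIVED_FROM_RE = re.compile(r"^Received: from (\S+)", re.M | re.I)
BOUNCE_MARKERS = (
    re.compile(r"^Content-Type:\s*multipart/report", re.M | re.I),
    re.compile(r"^Subject:.*(Undelivered Mail|Delivery Status Notification"
               r"|Mail delivery failed|Returned mail)", re.M | re.I),
)


def looks_like_bounce(raw: str) -> bool:
    """Stand-in for the Vbounce bounce-detection rules: any DSN marker counts."""
    return any(p.search(raw) for p in BOUNCE_MARKERS)


def relay_hosts(raw: str) -> set:
    """Host names from every Received: line, including those of the returned original."""
    return {h.strip("()[]").lower() for h in RECEIVED_FROM_RE.findall(raw)}


def classify_bounce(raw: str, my_relays=MY_RELAYS) -> str:
    """Simplified MY_SERVERS_FOUND logic: a bounce is legitimate only if the
    message it returns passed through one of the relays we list."""
    if not looks_like_bounce(raw):
        return "not-a-bounce"
    if relay_hosts(raw) & {r.lower() for r in my_relays}:
        return "legit-bounce"   # MY_SERVERS_FOUND would rescue it
    return "backscatter"        # a bounce for mail that never passed our relays


def _dsn(original_received: str) -> str:
    """Build a constructed DSN (delivered to us by the remote MX) that wraps
    one Received: line of the returned original message."""
    return (
        "Received: from mx.remote.example (mx.remote.example [192.0.2.200])"
        " by mail1.example.org with ESMTP\n"
        "Return-Path: <>\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n'
        "\n--b\nContent-Type: message/rfc822\n\n"
        f"{original_received}\n"
        "From: alice@example.org\nTo: nobody@remote.example\n\n--b--\n"
    )


# Three constructed bounces.
# 1. The original left through our relay: a bounce we caused.
LEGIT = _dsn("Received: from mail1.example.org (mail1.example.org [192.0.2.10])"
             " by mx.remote.example with ESMTP")
# 2. The original was forged from our domain on some bot: backscatter.
FORGED = _dsn("Received: from bot-host.dynamic.example ([203.0.113.9])"
              " by mx.remote.example with SMTP")
# 3. Jo's case: one of our users sent via their ISP's smarthost, so none of
#    our relays appears and the legitimate bounce is misclassified.
VIA_ISP = _dsn("Received: from smtp.isp.example (smtp.isp.example [198.51.100.20])"
               " by mx.remote.example with ESMTP")

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("forged", FORGED), ("via ISP", VIA_ISP)):
        print(f"{label:8s} -> {classify_bounce(msg)}")
    # Listing the ISP relay as well is the only way this scheme rescues case 3.
    print("via ISP with smarthost listed ->",
          classify_bounce(VIA_ISP, MY_RELAYS | {"smtp.isp.example"}))
```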


Re: How to filter these spam messages

2006-10-16 Thread Jo Rhett

Logan Shaw wrote:

I guess the problem with being an ISP is that there would be
other ISPs who would be willing to not try to adjust their
expectations and instead promise them super-speedy e-mail
delivery in all cases.  The fact that it isn't possible to
deliver on that promise might not matter if they still manage
to take away your customers.  :-)


Exactly so.  At an ISP I did some work for, I used to argue this until 
people very reasonably pointed out that yahoo mail got delivered faster, 
and it was free.


Yahoo averages ~2 minutes for mail delivery.  That sets the bar for 
anyone who is trying to sell their mail services.


--
Jo Rhett
Network/Software Engineer
Net Consonance


RE: I'm getting killed with spammers

2006-10-16 Thread R Lists06

> 
> I need some help here..
> 
> Last Mon, Tues & Wed I had severe inflow of spam, always at 12.30p EST,
> Wed
> it didn't stop till almost 5p. The server seems to not be very cooperative
> when the queue grows over 200 or so.
> 
> I have max child set to 15 (up from 5) and not sure what else I can offer
> in
> the way of what you need to know to help me, but if you tell me where to
> look I can spout what you need.
> 
> The install is out of the box with few if any mods except exim does have
> the
> dictionary attack, I run BFD and APF
> 
> I do not believe I have been hacked into.. I DO read the logwatch daily
> and
> do poke around looking for dropped files on a semi regular basis..
> 
> this high amount of spam, (BTW scoring at 20-well over 1000) is killing
> the
> loads and I have screaming clients..
> 
> Just this afternoon (again around 12.30) it loaded up again with 312
> mails..
> the web based control panel was reacting so slow I would get 3 new ones
> for
> every one I managed to delete or deliver (I could not just delete the
> queue
> because some were actually valid mails in there) Server loads rose to well
> over 30, I shut exim - but cpanel was so kind to automagically restart it
> every time.. tried a reboot from ssh but that just hung.. the tech peeps
> did
> it from their end and it worked and brought the loads down so I could
> delete
> faster than they came in and now we're back to normal loads and queue
> 
> I did upgrade to SA 3.1.7 last week - Wed night after a long day of
> battling
> the loads.. and that seemed to go well
> 
> suggestions? Offers of help???
> 
> thanks

Debbie,

Is the mail legitimate email?

Meaning does the email come from wherever to *valid email addresses* on the
server or do you have a system that will catch everything at the smtp level
and then sort it out later?

If your server catches everything, the smtp gate should probably be
fortified with greylisting and invalid email address rejection first.

There is not enough other info for me to recommend further... 

Thanks and kind regards,

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



Re: Concerned with scores for from rfc-ignorant.org

2006-10-16 Thread John Rudd

John Andersen wrote:

On Monday 16 October 2006 10:11, Jo Rhett wrote:

I got two HAM messages
with this set (but only this and not enough to filter on) and nearly
every spam either had this or was picked up by SPF or DKIM rules (was a
forged mail from a domain which had a postmaster)


Thanks for proving my point.

If the score for this rule was not enough to filter ham on it 
didn't contribute to the spam filtering materially either.


That makes no sense at all.

Most of the SA rules I've seen are of the same nature: if you trigger 
JUST that rule, it wont say the message is spam.  That doesn't mean, 
even remotely, that it doesn't contribute to the spam filtering.


And he did say it contributed to other spam filtering (which had 1 of 3 
characteristics: RFCI, SPF, or DKIM).





Re: How to filter these spam messages

2006-10-16 Thread Jim Maul

Jo Rhett wrote:

Logan Shaw wrote:

I guess the problem with being an ISP is that there would be
other ISPs who would be willing to not try to adjust their
expectations and instead promise them super-speedy e-mail
delivery in all cases.  The fact that it isn't possible to
deliver on that promise might not matter if they still manage
to take away your customers.  :-)


Exactly so.  At an ISP I did some work for, I used to argue this until 
people very reasonably pointed out that yahoo mail got delivered faster, 
and it was free.


Yahoo averages ~2 minutes for mail delivery.  That sets the bar for 
anyone who is trying to sell their mail services.




And, oddly enough, mail coming FROM yahoo can sometimes take up to an 
hour to hit my server after the person has hit send.  I'm still trying to 
figure that one out..


-Jim



RE: Any suggestions for 'postmaster' spams?

2006-10-16 Thread R Lists06
> 
> Okay, I'll answer.
> 
> I am convinced that spam (in all its forms) will continue to be a
> problem until spammers start dying for what they are doing. That will
> change the risk/benefit analysis rather strongly towards the negative.
> 
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/

Either that or the powers that be will try to regulate it so that you have
to pay to license an email server and they will control *everything* about
connectivity with giant firewalls kinda like some countries already try or
do. 

Whatever brings in the most money and power...

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



Re: Problem with local.cf file processing

2006-10-16 Thread Robert Fargher

>On Mon, 16 Oct 2006, Robert Fargher wrote:
>>   We're getting complaints from some of our clients, who have
>> opted out of spam processing, that their mail is still being
>> processed.  Those clients are listed below in the whitelist_to and
>> all_spam_to lines.
>
>How are you hooking SA into your mail system? If you're using
>procmail, then it'd be much easier to put a file test in procmail than
>fiddling around with the SA config. Then to opt a user out you'd just
>drop a file in the user's home directory.

  Yes, SA is being invoked via procmail and I have thought of that.  But in 
doing it that way, I don't learn what is wrong and how to avoid similar 
problems in the future.

--
Cheers,
Rob


Re: Should I upgrade to 3.1.6?

2006-10-16 Thread John Thompson
On 2006-10-16, John Andersen <[EMAIL PROTECTED]> wrote:

> On Sunday 15 October 2006 19:08, John Thompson wrote:
>  
>> If you have 3.1.5 working well I wouldn't bother. Besides, 3.1.7 is out
>> already to address some 3.1.6 "oops" issues, but it hasn't made it into
>> the FreeBSD ports tree yet.

> Why does it have to be in the ports tree?  Does the CPAN version
> not run on FreeBSD?  

Just for consistency's sake. The ports system sometimes gets confused if 
you have a mix of ports and cpan installed packages. 

-- 

John ([EMAIL PROTECTED])



Re: How to disable autolearn for FuzzyOcr?

2006-10-16 Thread Marc Perkel
What needs to be done with messages that are spam is to only learn the 
headers and not the body of the message. What needs to be done is some 
detection of deliberate bayes poisoning and removal of the poison before 
learning.


Re: How to disable autolearn for FuzzyOcr?

2006-10-16 Thread Marc Perkel

John D. Hardin wrote:

On Mon, 16 Oct 2006, Frank Bures wrote:

On Mon, 16 Oct 2006 08:46:17 -0700, Chandler, Jay wrote:

I think what the original poster was asking was how to make the
gibberish bodies not get Bayes scanned, so as to not pollute the
database with text that isn't spammy.

Exactly my point.

Do an archive search for the last week, there was some discussion of
this by myself and others.

Summary: no native support. There is a plugin that allows you to tag a
rule with a flag that will suppress autolearn if the rule is hit.


I think rather than suppress autolearn it should just suppress autolearn
of the body of the message and still learn the headers.


Re: How to filter these spam messages

2006-10-16 Thread Billy Huddleston

Yup.. and it sucks.. I get a 10 minute delay, and my phone starts ringing
off the hook.  I've had to beef up our spamassassin engines at least 3 times
in the past 18 months to handle the load..  and now getting these stupid
text only 3 or 4 line emails that are very difficult to block.. Greylisting
just isn't an option that I'm willing to do if it's simply refusing to take
delivery of the message on the first go around..

Thanks, Billy

- Original Message - 
From: "Jo Rhett" <[EMAIL PROTECTED]>

To: "Logan Shaw" <[EMAIL PROTECTED]>
Cc: 
Sent: Monday, October 16, 2006 2:47 PM
Subject: Re: How to filter these spam messages



Logan Shaw wrote:

I guess the problem with being an ISP is that there would be
other ISPs who would be willing to not try to adjust their
expectations and instead promise them super-speedy e-mail
delivery in all cases.  The fact that it isn't possible to
deliver on that promise might not matter if they still manage
to take away your customers.  :-)


Exactly so.  At an ISP I did some work for, I used to argue this until 
people very reasonably pointed out that yahoo mail got delivered faster, 
and it was free.


Yahoo averages ~2 minutes for mail delivery.  That sets the bar for anyone 
who is trying to sell their mail services.


--
Jo Rhett
Network/Software Engineer
Net Consonance





Re: Any suggestions for 'postmaster' spams?

2006-10-16 Thread John D. Hardin
On Mon, 16 Oct 2006, Jo Rhett wrote:

> John D. Hardin wrote:
> > On Mon, 16 Oct 2006, Jo Rhett wrote:
> > I am convinced that spam (in all its forms) will continue to be a
> > problem until spammers start dying for what they are doing. That will
> > change the risk/benefit analysis rather strongly towards the negative.
> 
> So join WhackASpammer.  You make a micropayment for each spam you 
> receive from a spammer.  When $50k has been reached for any given 
> spammer, they are whacked.  :-)

ROFL! Love it!

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 15 days until Halloween



Re: How to disable autolearn for FuzzyOcr?

2006-10-16 Thread Daniel T. Staal
On Mon, October 16, 2006 3:07 pm, Marc Perkel said:
> What needs to be done with messages that are spam is to only learn the
> headers and not the body of the message. What needs to be done is some
> detection of deliberate bayes poisoning and removal of the poison before
> learning.

In all honesty: Why?  Bayes, by design, handles that by learning any of
the words that are preferentially in spam or ham, and tossing the rest. 
It is highly unlikely that their attempts at poisoning the database are
going to do anything other than give them a *higher* spam score, and not
affect your ham much or at all.

Even if you could decide which words would be bayes-poison, it would vary
by each email and each user/database.

Ignore it.  Let Bayes do what it is supposed to do.  The only thing I've
seen that is at all effective against SA's Bayes implementation is empty
messages.  Which are pretty useless, and screenable with other rules.

Daniel T. Staal

---
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---



Re: FW: Spamd not killing children

2006-10-16 Thread Daryl C. W. O'Shea

Diffenderfer, Randy wrote:

Well, if it is, they think it is fixed... :-)


I'm not sure why Duncan originally marked the bug as a dupe of 4370, but 
I closed bug 4476 since (i) I couldn't reproduce it on my system after 
reporting it and (ii) no-one else had reported having problems.  A lot 
of spamd fixes went in around that time, so we assumed it to be fixed.




But, I agree with the "looks like" part!  As far as their strace request
goes -- right.  This is a loaded system; strace wouldn't be feasible
really, as I can't reproduce this at will.  It has happened twice in
about 4 days though.  That is pain enough.


Well, if you can't help debug it, and no-one else apparently can, you're 
left with two workable choices that I can see:


 - switch to using round-robin... if your system is so busy you're 
probably better off that way anyway; or


 - use my check_spamd script (found in contrib/ in 3.1.6+ tarballs) to 
monitor spamd and restart it when necessary (script in some kill -9 to 
clobber it when it fails to stop)



Daryl
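Randy's syslog excerpt earlier in this thread shows the signature of the stall (both children logging "prefork: sysread(N) failed after 300 secs", then nothing being scanned), and Daryl's second option is a monitor that restarts spamd when that happens. The detection half of such a monitor, as an added example that is not the contrib check_spamd script: it scans spamd log lines for that signature and decides whether the instance is hung. The sample lines are constructed after Randy's excerpt, and the restart policy is my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the syslog excerpt Randy posted (spamd
# logging to local2, two children). Path and pids are as quoted there.
SAMPLE_LOG = """\
Oct 14 21:42:01 samler1 spamd[18694]: prefork: child states: III
Oct 14 21:42:01 samler1 spamd[14338]: spamd: connection from localhost.localdomain [127.0.0.1] at port 60505
Oct 14 21:42:01 samler1 spamd[14338]: spamd: clean message (0.0/5.0) for mailadm:500 in 0.046 seconds, 2059 bytes.
Oct 14 21:47:02 samler1 spamd[18328]: prefork: sysread(8) failed after 300 secs at /usr/local/spam/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/SpamdForkScaling.pm line 561.
Oct 14 21:47:02 samler1 spamd[14338]: prefork: sysread(7) failed after 300 secs at /usr/local/spam/lib/perl5/site_perl/5.6.2/Mail/SpamAssassin/SpamdForkScaling.pm line 561.
"""

# The two prefork messages the thread turns on.
SYSREAD_RE = re.compile(
    r"spamd\[(?P<pid>\d+)\]: prefork: sysread\((?P<fd>\d+)\) failed after (?P<secs>\d+) secs")
STATES_RE = re.compile(r"spamd\[(?P<pid>\d+)\]: prefork: child states: (?P<states>[A-Z]+)")


@dataclass
class SpamdHealth:
    timed_out_pids: set = field(default_factory=set)  # processes that logged a sysread timeout
    last_states: str = ""                             # last "child states" string seen
    timeout_secs: int = 0                             # longest timeout reported

    def is_hung(self, max_children: int) -> bool:
        """Hung once as many processes have timed out as spamd has children:
        the state Randy describes (kids defunct, processing stopped)."""
        return len(self.timed_out_pids) >= max_children


def analyze(log_text: str) -> SpamdHealth:
    """Scan spamd syslog lines for the sysread-timeout signature."""
    health = SpamdHealth()
    for line in log_text.splitlines():
        m = SYSREAD_RE.search(line)
        if m:
            health.timed_out_pids.add(int(m.group("pid")))
            health.timeout_secs = max(health.timeout_secs, int(m.group("secs")))
            continue
        m = STATES_RE.search(line)
        if m:
            health.last_states = m.group("states")
    return health


def watchdog_decision(health: SpamdHealth, max_children: int) -> str:
    """Policy a check_spamd-style monitor could apply (constructed policy,
    not the contrib script's): restart only once every child has stalled."""
    if health.is_hung(max_children):
        return "restart"   # stop spamd; escalate to kill -9 only if it ignores the stop
    if health.timed_out_pids:
        return "warn"      # some children stalled; keep watching
    return "ok"


if __name__ == "__main__":
    h = analyze(SAMPLE_LOG)
    print(f"timed-out pids={sorted(h.timed_out_pids)} states={h.last_states!r} "
          f"-> {watchdog_decision(h, max_children=2)}")
```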


Re: How to filter these spam messages

2006-10-16 Thread Simon

I reviewed greylisting as a solution in the past, we couldn't accept it due to
delay and I also read not all email servers will resend properly. So there is a
chance a few legitimate emails will never get redelivered. When you are running
a business shop, such delays or exceptions are not permitted.

I believe it should be very easy to write a rule set for these "work from home",
stock, mortgage, etc... short spam emails, I just don't have the expertise to do
it right.

-Simon

On Mon, 16 Oct 2006 15:06:34 -0400, Billy Huddleston wrote:

>Yup.. and it sucks.. I get a 10 minute delay, and my phone starts ringing
>off the hook.  I've had to beef up our spamassassin engines at least 3 times
>in the past 18 months to handle the load..  and now getting these stupid
>text only 3 or 4 line emails that are very difficult to block.. Greylisting
>just isn't an option that I'm willing to do if it's simply refusing to take
>delivery of the message on the first go around..
>
>Thanks, Billy
>
>- Original Message - 
>From: "Jo Rhett" <[EMAIL PROTECTED]>
>To: "Logan Shaw" <[EMAIL PROTECTED]>
>Cc: 
>Sent: Monday, October 16, 2006 2:47 PM
>Subject: Re: How to filter these spam messages
>
>
>> Logan Shaw wrote:
>>> I guess the problem with being an ISP is that there would be
>>> other ISPs who would be willing to not try to adjust their
>>> expectations and instead promise them super-speedy e-mail
>>> delivery in all cases.  The fact that it isn't possible to
>>> deliver on that promise might not matter if they still manage
>>> to take away your customers.  :-)
>>
>> Exactly so.  At an ISP I did some work for, I used to argue this until 
>> people very reasonably pointed out that yahoo mail got delivered faster, 
>> and it was free.
>>
>> Yahoo averages ~2 minutes for mail delivery.  That sets the bar for anyone 
>> who is trying to sell their mail services.
>>
>> -- 
>> Jo Rhett
>> Network/Software Engineer
>> Net Consonance
>> 
>
>
>


RE: How to filter these spam messages

2006-10-16 Thread R Lists06

I reviewed greylisting as a solution in the past, we couldn't accept it due to
delay and I also read not all email servers will resend properly. So there is a
chance a few legitimate emails will never get redelivered. When you are running
a business shop, such delays or exceptions are not permitted.

I believe it should be very easy to write a rule set for these "work from
home", stock, mortgage, etc... short spam emails, I just don't have the
expertise to do it right.

-Simon


I understand everyone has to make decisions and deal with it… yet…

A minute or two delay from greylisting matters that much

Do you really want email from a server that doesn't work right or isn't
administered as best it can be?

That is kinda why greylisting exists… to eliminate bursty worthless email…

And most people doing business want to use the phone or meet in person to
close sales properly.

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net


RE: How to filter these spam messages

2006-10-16 Thread Daniel T. Staal
I'm not the original poster, but...

On Mon, October 16, 2006 3:43 pm, R Lists06 said:

> Do you really want email from a server that doesn't work right or isn't
> administered as best it can be?

I want every legitimate email sent to me.  Period.  No matter how it was
sent; the sender of the email may have no idea their sysadmin is
braindead.

> That is kinda why greylisting exists... to eliminate bursty worthless email...
>
> And most people doing business want to use the phone or meet in person to
> close sales properly.

True, to close sales.  But they often open sales via email.  And if you
don't get that email, you'll never get a chance to close the sale at all.

Daniel T. Staal

---
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---



false positive on citibank e-mail

2006-10-16 Thread Jo Rhett
Included below is a legitimate e-mail on a legitimate payment that I did 
make.


I've looked at the rule, and I can't figure out why it failed.

 Original Message 
Return-Path:<[EMAIL PROTECTED]>
Received:   from triceratops.lizardarts.com ([unix socket]) by
triceratops.lizardarts.com (Cyrus v2.3.7) with LMTPA; Mon, 16 Oct 2006
12:28:46 -0700
X-Sieve:CMU Sieve 2.3
X-Virus-Scanned:amavisd-new at netconsonance.com
X-Spam-Flag:YES
X-Spam-Score:   4.012
X-Spam-Level:   
X-Spam-Status:  Yes, score=4.012 tagged_above=-999 required=4
tests=[AWL=-4.520, DNS_FROM_RFC_ABUSE=0.479, FROM_EXCESS_BASE64=1.052,
HTML_MESSAGE=0.001, NO_RECEIVED=2, NO_RELAYS=1, SARE_FORGED_CITI=4,
SUBJECT_EXCESS_BASE64=0]
Received:   from bigfootinteractive.com (arm184.bigfootinteractive.com
[206.132.3.184]) by triceratops.lizardarts.com (8.13.8/8.13.8) with SMTP
id k9GJSgjH051843 for <[EMAIL PROTECTED]>; Mon, 16 Oct 2006 12:28:43
-0700 (PDT) (envelope-from [EMAIL PROTECTED])
Reply-To:   [EMAIL PROTECTED]
Bounces_to: [EMAIL PROTECTED]
Message-ID:
<[EMAIL PROTECTED]>
X-BFI:  T9TH054F119A6D9697126D82D3CB60
Date:   Mon, 16 Oct 2006 15:26:53 EDT
From:   Citi Cards <[EMAIL PROTECTED]>
Subject:Your online activity confirmation
To: [EMAIL PROTECTED]
MIME-Version:   1.0
Content-Type:   multipart/alternative;
boundary="ABCD-T9TH054F119A6D9697126D82D3CB60-EFGH"



   
*Email Security Zone
: JO RHETT*
For your account ending in *SNIP*

Add [EMAIL PROTECTED] to your address book to ensure delivery.


Dear JO RHETT,

This email confirms the following action(s) completed at Account Online 
for your Citi Cards account ending in *SNIP*.

See detail(s) below:

# *Click-to-Pay Payment Confirmation:*
An online payment in the amount of $1,487.11 is scheduled to post
to your Citi card account on October 13, 2006. The payment will be made
by electronic transfer from your designated bank account. Please
keep the following confirmation number for your records: 122144156497088.

/Note: If you performed multiple activities at Account Online within
the past 48 hours you may receive confirmations separately./

We appreciate the opportunity to serve you. Quality service and your
security is top of mind at Citi. If any of the above information is
inaccurate, please contact us immediately at 800-347-4934.

Visit us anytime at www.citicards.com
 to review
your recent account activity or update your account information.


Privacy  |
Security 
_Email Preferences_
Your Citi Cards is issued by Citibank (South Dakota), N.A.. If you'd
like to refine the types of email messages you receive, or if you'd
prefer to stop receiving email from us, please go to:
http://www.email.citicards.com


_Help / Contact Us_
If you have questions about your account, please use our secure message
center by signing on at www.citicards.com
 and choosing
"Contact Us" from the "Help / Contact Us" menu. You can also call the
customer service phone number on the back of your card.

© 2006 Citibank (South Dakota), N.A.
All rights reserved.
Citi, Citibank, Citi with Arc Design, and Live richly are registered
service marks of Citigroup Inc.

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

--
Jo Rhett
Network/Software Engineer
Net Consonance
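The X-Spam-Status header in the message above lists every rule that fired and what each contributed, so the first check on a false positive is to read that list rather than guess at a single rule. An added example, not SpamAssassin's or amavisd-new's code: it unfolds and parses the X-Spam-Status header (reconstructed from the one quoted above, with proper continuation indentation), verifies the per-rule scores add up to the reported total, ranks the rules by how far they moved the score, and shows the total without a given rule.

```python
import re
from dataclasses import dataclass

# Headers constructed from the X-Spam-* lines in the quoted message, with
# the continuation lines indented the way a real folded header is.
SAMPLE_HEADERS = """\
X-Spam-Flag: YES
X-Spam-Score: 4.012
X-Spam-Status: Yes, score=4.012 tagged_above=-999 required=4
    tests=[AWL=-4.520, DNS_FROM_RFC_ABUSE=0.479, FROM_EXCESS_BASE64=1.052,
    HTML_MESSAGE=0.001, NO_RECEIVED=2, NO_RELAYS=1, SARE_FORGED_CITI=4,
    SUBJECT_EXCESS_BASE64=0]
Subject: Your online activity confirmation
"""

STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No),\s*score=(?P<score>-?[\d.]+)"
    r"(?:.*?\brequired=(?P<required>-?[\d.]+))?"
    r".*?tests=\[(?P<tests>[^\]]*)\]", re.S)


@dataclass
class SpamStatus:
    flagged: bool
    score: float
    required: float
    tests: dict          # rule name -> score it contributed


def unfold(headers: str) -> list:
    """Join continuation lines (leading whitespace) back onto their header."""
    out = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def get_header(headers: str, name: str):
    prefix = name.lower() + ":"
    for line in unfold(headers):
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return None


def parse_spam_status(headers: str) -> SpamStatus:
    """Parse the 'Yes, score=... required=... tests=[...]' form of X-Spam-Status."""
    value = get_header(headers, "X-Spam-Status")
    m = STATUS_RE.match(value or "")
    if not m:
        raise ValueError("no parseable X-Spam-Status header")
    tests = {}
    for item in m.group("tests").split(","):
        name, _, val = item.strip().partition("=")
        if name:
            tests[name] = float(val) if val else 0.0
    required = float(m.group("required")) if m.group("required") else float("nan")
    return SpamStatus(flagged=m.group("flag") == "Yes",
                      score=float(m.group("score")), required=required, tests=tests)


def scores_consistent(st: SpamStatus, tol: float = 0.001) -> bool:
    """The listed per-rule scores should add up to the reported total."""
    return abs(sum(st.tests.values()) - st.score) < tol


def score_without(st: SpamStatus, *rules: str) -> float:
    """Total the message would have had if the named rules had not fired."""
    return round(sum(v for k, v in st.tests.items() if k not in rules), 3)


def ranked(st: SpamStatus) -> list:
    """Rules ordered by how much they moved the score, in either direction."""
    return sorted(st.tests.items(), key=lambda kv: -abs(kv[1]))


if __name__ == "__main__":
    st = parse_spam_status(SAMPLE_HEADERS)
    print(f"flagged={st.flagged} score={st.score} required={st.required} "
          f"consistent={scores_consistent(st)}")
    for name, val in ranked(st):
        print(f"  {name:24s} {val:+.3f}")
    print("without AWL:", score_without(st, "AWL"),
          " without SARE_FORGED_CITI:", score_without(st, "SARE_FORGED_CITI"))
```

On this header the rule list sums to the reported 4.012, AWL is the single largest mover (pulling the score down), and without SARE_FORGED_CITI the message would have scored 0.012.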


Re: How to filter these spam messages

2006-10-16 Thread Jo Rhett

>> On Mon, October 16, 2006 3:43 pm, R Lists06 said:
>>> Do you really want email from a server that doesn't work right or isn't
>>> administered as best it can be?
>
> Daniel T. Staal wrote:
>> I want every legitimate email sent to me.  Period.  No matter how it was
>> sent; the sender of the email may have no idea their sysadmin is
>> braindead.

That makes sense.  And that's why you can modify the scores locally.

The vast majority of spamassassin users feel otherwise, which is why it
is defaulted on.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: How to filter these spam messages

2006-10-16 Thread Simon

I'm not sure what you have defaulted on, but the majority of clients I deal
with will not accept delayed or missing emails. This is why greylisting is
not an option for a lot of us. At most, I see greylisting acceptable for
noncommercial clients, if that, to whom email isn't a crucial part of their
job.

Spamassassin has rules for the majority of emails, so I don't see what's so
difficult about adding more rules to combat this new breed of spam.

-Simon

On Mon, 16 Oct 2006 13:12:27 -0700, Jo Rhett wrote:

>> On Mon, October 16, 2006 3:43 pm, R Lists06 said:
>>> Do you really want email from a server that doesn't work right or isn't
>>> administered as best it can be?
>
>Daniel T. Staal wrote:
>> I want every legitimate email sent to me.  Period.  No matter how it was
>> sent; the sender of the email may have no idea their sysadmin is
>> braindead.
>
>That makes sense.  And that's why you can modify the scores locally.
>
>The vast majority of spamassassin users feel otherwise, which is why it 
>is defaulted on.
>
>-- 
>Jo Rhett
>Network/Software Engineer
>Net Consonance
>
>





Re: How to filter these spam messages

2006-10-16 Thread David Morton

On Oct 16, 2006, at 1:47 PM, Jo Rhett wrote:

> Logan Shaw wrote:
>> I guess the problem with being an ISP is that there would be
>> other ISPs who would be willing to not try to adjust their
>> expectations and instead promise them super-speedy e-mail
>> delivery in all cases.  The fact that it isn't possible to
>> deliver on that promise might not matter if they still manage
>> to take away your customers.  :-)
>
> Exactly so.  At an ISP I did some work for, I used to argue this
> until people very reasonably pointed out that yahoo mail got
> delivered faster, and it was free.

Yahoo averages ~2 minutes for mail delivery.  That sets the bar for
anyone who is trying to sell their mail services.

OTOH, in my experience, the few customers who were so concerned about
such things also tended to be a drain on support resources in other
ways too, and losing them to another ISP was actually profitable.

Besides, with most SA deployments, the filtering job can easily scale
horizontally which will bring that time to delivery down.



David Morton
Maia Mailguard http://www.maiamailguard.com
[EMAIL PROTECTED]





Re: How to filter these spam messages

2006-10-16 Thread David Morton

On Oct 16, 2006, at 2:27 PM, Simon wrote:

> I reviewed greylisting as a solution in the past, we couldn't accept it
> due to delay and I also read not all email servers will resend properly.
> So there is a chance few legitimate emails will never get redelivered.
> When you are running a business shop, such delays or exceptions are not
> permitted.

Fortune 500's are greylisting...  so why is it not acceptable?
Really, you should try it for a bit and see if it really works.

sqlgrey keeps a list of sites/addresses that have proven themselves
good, and so over time it delays less legit email.  It also has a
list of known sites that are broken to whitelist.

When I implemented greylisting for one site, they called in the next
morning sure that email was broken.  But after poring through the
logs, we determined that the real issue was simply that they didn't
get any legit email all night, and all the usual spam had been turned
away.  Once business hours opened up, their clients started emailing
them, and the legit messages came right in.

It also reduces the load on the SA servers, which makes the delivery
time quicker.  In my experience, greylisting averages out better. :)



David Morton
Maia Mailguard http://www.maiamailguard.com
[EMAIL PROTECTED]





RE: false positive on citibank e-mail

2006-10-16 Thread Coffey, Neal
Jo Rhett wrote:
> Included below is a legitimate e-mail on a legitimate payment that I
> did make.
> 
> I've looked at the rule, and I can't figure out why it failed.
> 

Well, partly it failed because you set your limit to 4 instead of 5.
You take a risk of false positives by doing that, since the rulesets are
optimised with a score of 5 in mind.

However, the "real" culprit seems to be SARE_FORGED_CITI, which is
defined thusly:

---
header   __RCVD_CITIBNK   Received =~ /(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com/i
header   __FROM_CITIBNK   From =~ /citi(?:bank)?\.com/i
uri      __URI_CITIBNK    /citi(?:bank)?\.com/i
meta     SARE_FORGED_CITI (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
---

We see this in your headers from that email...

> Received: from bigfootinteractive.com
(arm184.bigfootinteractive.com
> [206.132.3.184]) by triceratops.lizardarts.com (8.13.8/8.13.8)

...and come to the conclusion that this email does, in fact, have forged
Citibank headers.  In this case, it's a legitimate email, but it's still
forged. Shame on Citibank.

My suggestion for working around this?  Create a meta rule that negates
SARE_FORGED_CITI.

header   __FROM_CITI_BFI  Received =~ /bigfootinteractive\.com/i
meta     CITI_FROM_BFI    (SARE_FORGED_CITI && __FROM_CITI_BFI)
score    CITI_FROM_BFI    -4.0
describe CITI_FROM_BFI    CitiBank tells BFI to forge their headers

(Side note: Times I mistyped "BFI" as "BIF" -- about 10)

You could probably also rewrite SARE_FORGED_CITI, but that might break
if the author of the SARE ruleset changes it behind the scenes in a
later release.


Re: Vbounce (Was: Any suggestions for 'postmaster' spams?)

2006-10-16 Thread Justin Mason

Ah, I see.

Nope, I can't think of any way to (a) allow users to send via their own
choice of outgoing relay, (b) without any prior knowledge at the sending
end, (c) without sending-side code changes *and* (d) catch backscatter
without catching "real" bounces.  This ruleset does require knowledge
of what outgoing relays are used.

Using SPF or DKIM won't work, because the bounces won't contain enough
information for them.

BATV is the only option in that case.

--j.

Jo Rhett writes:
> Justin Mason wrote:
> > why?  Can you not simply list all the outgoing relays for the
> > organizations/domains, or even a pattern that matches all of their
> > names?  How many outgoing relays do you have?  (I'm not sure I
> > understand the problem here.)
> 
> Okay, let's go with my personal colo box.  It's the simplest.   I can't 
> imagine trying this on a production mail server.
> 
> There are 24 domains here.
> * 7 are mine or under my control and origin only here.  No problem.
> * 12 or so I know enough about to make some reasonable guesses.
> * 5 domains I know nearly nothing about.
> 
> And seriously, these are all domains of close personal friends.
> 
> AND of those 24 domains, almost *EVERY* one of them has someone in the 
> domain who is sending mail via their ISP either because they are forced 
> to, they want to for some misguided reason, or they are just too inept 
> to change their mail server settings.
> 
> This makes source sending address information difficult to detect using 
> manually configured host headers.
> 
> I'd rather use SPF and/or DKIM information (or any other information we 
> can determine dynamically) to determine if the message was originally a 
> forgery.
> 
> This has the dual added benefit of providing backscatter protection only 
> for the domains who are protecting others against their forgeries.
> 
> -- 
> Jo Rhett
> Network/Software Engineer
> Net Consonance
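
As an added illustration of the BATV approach Justin points to (this is not code from the thread, from SpamAssassin's Vbounce ruleset, or from any BATV implementation): the sending side tags its own envelope sender with a keyed, time-limited signature, and the receiving MX accepts null-sender bounces only for recipients that carry a valid tag. The prvs= layout loosely follows the BATV draft; the HMAC-SHA256 construction, the 6-hex-digit truncation, the day counter and the validity window here are my own simplifications, and the key and addresses are constructed.

```python
import hashlib
import hmac
import re

# Tagged form: prvs=<key version><expiry day, 3 digits><6 hex sig>=<local>@<domain>
# Layout loosely modelled on the BATV draft; details are assumptions.
PRVS_RE = re.compile(
    r"^prvs=(?P<kv>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-fA-F]{6})="
    r"(?P<local>[^@]+)@(?P<domain>.+)$"
)


def _sig(key, key_version, ddd, local, domain):
    """Truncated HMAC over the fields that the tag must bind together."""
    data = f"{key_version}{ddd:03d}{local}@{domain}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:6]


def sign_sender(address, key, today, valid_days=7, key_version=0):
    """Rewrite the envelope sender of outgoing mail.
    `today` is a day counter (e.g. days since the epoch); the expiry day is
    stored modulo 1000 so the tag stays short."""
    local, domain = address.rsplit("@", 1)
    ddd = (today + valid_days) % 1000
    return f"prvs={key_version}{ddd:03d}{_sig(key, key_version, ddd, local, domain)}={local}@{domain}"


def check_bounce_recipient(address, key, today, valid_days=7):
    """Decide whether a null-sender (MAIL FROM:<>) message may be delivered
    to `address`.  Returns (verdict, original address).  An untagged
    recipient means we never sent the mail being bounced: backscatter."""
    m = PRVS_RE.match(address)
    if not m:
        return "reject-untagged", address
    local, domain, ddd = m["local"], m["domain"], int(m["ddd"])
    expected = _sig(key, int(m["kv"]), ddd, local, domain)
    # Constant-time comparison so the check does not leak the signature.
    if not hmac.compare_digest(expected, m["sig"].lower()):
        return "reject-bad-signature", f"{local}@{domain}"
    # Remaining lifetime in days, modulo 1000; an expired tag wraps to a
    # large value and is rejected.
    if (ddd - today) % 1000 > valid_days:
        return "reject-expired", f"{local}@{domain}"
    return "accept", f"{local}@{domain}"


if __name__ == "__main__":
    key = b"constructed-demo-key"     # constructed; keep the real one secret
    tagged = sign_sender("alice@example.net", key, today=13440)
    print(tagged)
    for rcpt in (tagged, "alice@example.net",
                 tagged.replace("=alice@", "=bob@")):
        print(rcpt, "->", check_bounce_recipient(rcpt, key, today=13441))
```

Only messages with an empty envelope sender are subjected to the check; ordinary mail addressed to the untagged mailbox is unaffected, and the tag is stripped before local delivery. The key version digit lets the MX keep accepting bounces signed under a previous key for one validity window after rotation.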


Re: false positive on citibank e-mail

2006-10-16 Thread Jo Rhett

Coffey, Neal wrote:
> Well, partly it failed because you set your limit to 4 instead of 5.
> You take a risk of false positives by doing that, since the rulesets are
> optimised with a score of 5 in mind.
> However, the "real" culprit seems to be SARE_FORGED_CITI, which is
> defined thusly:


I'm sorry, apparently I wasn't technical enough.  Yes, I can read.  And 
I already opened up and looked at the rule, and I can't figure out why 
it failed.  Please skip the duh answers.


And god no, I never use 5 as the tag level.  Hell, I run 2.9 on a number 
of my accounts...  Don't try to make something that is an adjustable 
user policy into a Don't Change This.



> ---
> header   __RCVD_CITIBNK   Received =~ /(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com/i
> header   __FROM_CITIBNK   From =~ /citi(?:bank)?\.com/i
> uri      __URI_CITIBNK    /citi(?:bank)?\.com/i
> meta     SARE_FORGED_CITI (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
> ---
>
> We see this in your headers from that email...
>
>> Received: from bigfootinteractive.com (arm184.bigfootinteractive.com
>> [206.132.3.184]) by triceratops.lizardarts.com (8.13.8/8.13.8)
>
> ...and come to the conclusion that this email does, in fact, have forged
> Citibank headers.  In this case, it's a legitimate email, but it's still
> forged. Shame on Citibank.


That's not the RCVD_CITIBNK rule I'm using.  I have the latest, which is 
200607251600.cf.  The latest rule is


  meta __RCVD_CITIBNK (__RCVD_CITIBNK_A || __RCVD_CITIBNK_B || 
__RCVD_CHASE_B)


RCVD_CHASE_B (which should probably be renamed RCVD_BIGFOOT) is

  header   __RCVD_CHASE_B Received =~ /\bbigfootinteractive\.com/i

And thus, the rule should not match.  Which is why this confused me.


> My suggestion for working around this?  Create a meta rule that negates
> SARE_FORGED_CITI.


No, the real fix is for the rule to work.  Don't add breakage to breakage.

--
Jo Rhett
Network/Software Engineer
Net Consonance
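
Neal's workaround and the 200607251600.cf form of __RCVD_CITIBNK quoted above are easier to reason about with the sub-rules evaluated side by side. The following is an added illustration, not code from the thread or from the SARE ruleset: it re-implements the quoted regexes in Python and runs them against two constructed messages (hypothetical addresses and a hypothetical citibank.com link; the relay host and IP are the ones quoted in the thread). Its URI extractor is a crude stand-in for SpamAssassin's own; __RCVD_CITIBNK_B is not shown in the thread, so the "updated" definition here is just __RCVD_CITIBNK_A || __RCVD_CHASE_B; and because the SARE score for SARE_FORGED_CITI is not quoted either, score_delta takes it as a parameter.

```python
import re
from email import message_from_string

# Constructed sample: a legitimate Citi mailing relayed by a third party.
# Addresses are hypothetical; relay host and IP are the ones quoted above.
LEGIT_VIA_BFI = (
    "Received: from bigfootinteractive.com (arm184.bigfootinteractive.com "
    "[206.132.3.184]) by triceratops.lizardarts.com (8.13.8/8.13.8)\n"
    "From: Citi Cards <alerts@citibank.com>\n"
    "To: jo@example.net\n"
    "Subject: Payment confirmation\n"
    "Content-Type: text/plain\n"
    "\n"
    "Review your account at http://www.citibank.com/accountonline\n"
)

# Constructed sample: same From and body, but relayed by an unrelated host.
FORGED = LEGIT_VIA_BFI.replace(
    "bigfootinteractive.com (arm184.bigfootinteractive.com [206.132.3.184])",
    "mail.example.org (mail.example.org [192.0.2.10])",
)

# Sub-rules as quoted in the thread, translated to Python regexes.
RCVD_CITIBNK_A = re.compile(
    r"(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com", re.I)
FROM_CITIBNK = re.compile(r"citi(?:bank)?\.com", re.I)
URI_CITIBNK = re.compile(r"citi(?:bank)?\.com", re.I)
RCVD_CHASE_B = re.compile(r"\bbigfootinteractive\.com", re.I)
FROM_CITI_BFI = re.compile(r"bigfootinteractive\.com", re.I)  # Neal's sub-rule

# Crude URI extractor; SpamAssassin's own is far more thorough.
URI_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)


def sub_rule_hits(raw_mail):
    """Evaluate every sub-rule against one message (single-part text only)."""
    msg = message_from_string(raw_mail)
    received = "\n".join(msg.get_all("Received", []))   # all Received headers
    from_hdr = msg.get("From", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    uris = URI_RE.findall(body)
    return {
        "__RCVD_CITIBNK_A": bool(RCVD_CITIBNK_A.search(received)),
        "__RCVD_CHASE_B": bool(RCVD_CHASE_B.search(received)),
        "__FROM_CITIBNK": bool(FROM_CITIBNK.search(from_hdr)),
        "__URI_CITIBNK": any(URI_CITIBNK.search(u) for u in uris),
        "__FROM_CITI_BFI": bool(FROM_CITI_BFI.search(received)),
    }


def meta_rules(hits, updated_ruleset):
    """updated_ruleset=False: __RCVD_CITIBNK as Neal quoted it.
    updated_ruleset=True: the 200607251600.cf form, which also accepts
    __RCVD_CHASE_B (its __RCVD_CITIBNK_B sub-rule is not shown in the thread
    and is omitted here; assumption)."""
    rcvd_citibnk = hits["__RCVD_CITIBNK_A"]
    if updated_ruleset:
        rcvd_citibnk = rcvd_citibnk or hits["__RCVD_CHASE_B"]
    forged = hits["__FROM_CITIBNK"] and hits["__URI_CITIBNK"] and not rcvd_citibnk
    return {
        "SARE_FORGED_CITI": forged,
        # Neal's negating meta only matters while the old definition fires.
        "CITI_FROM_BFI": forged and hits["__FROM_CITI_BFI"],
    }


def score_delta(metas, forged_citi_score, bfi_score=-4.0):
    """Net contribution of the two metas; the SARE score is a parameter
    because the thread does not quote it, the -4.0 offset is Neal's."""
    total = forged_citi_score if metas["SARE_FORGED_CITI"] else 0.0
    total += bfi_score if metas["CITI_FROM_BFI"] else 0.0
    return total


if __name__ == "__main__":
    for name, raw in (("legit via BFI", LEGIT_VIA_BFI), ("forged", FORGED)):
        hits = sub_rule_hits(raw)
        for updated in (False, True):
            metas = meta_rules(hits, updated)
            print(f"{name:14} updated={updated!s:5} {metas}")
```

Run as a script, the first message fires SARE_FORGED_CITI only under the old definition, where Neal's CITI_FROM_BFI cancels it; under the updated definition neither fires, which is Jo's point that the ruleset he runs should not have matched. The second message fires SARE_FORGED_CITI under both definitions and the BFI offset stays out of the way, so the workaround does not weaken the rule for mail that did not come through that relay.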


Re: Vbounce (Was: Any suggestions for 'postmaster' spams?)

2006-10-16 Thread Jo Rhett

Justin Mason wrote:
> Ah, I see.
>
> Nope, I can't think of any way to (a) allow users to send via their own
> choice of outgoing relay, (b) without any prior knowledge at the sending
> end, (c) without sending-side code changes *and* (d) catch backscatter
> without catching "real" bounces.  This ruleset does require knowledge
> of what outgoing relays are used.
>
> Using SPF or DKIM won't work, because the bounces won't contain enough
> information for them.


Sure they do!  Well, sorry, real bounces with DSN information will. 
Frankly, I have a local rule to dump any postfix bullshit replies.  I've 
been tempted to report them to SpamCop (who will accept those 
complaints, I know, we get them on our colo customers all the time)


--
Jo Rhett
Network/Software Engineer
Net Consonance


What's with UCEPROTECT List?

2006-10-16 Thread Marc Perkel
I'm having problems with my spam filtering servers getting listed on 
UCEPROTECT and can't figure out why. Is anyone familiar with how this 
blacklist works and what I need to do to not get listed?


They seem to hate sender verification - but I'm not going to give that 
up. What do I need to block to make my servers not show up on their 
list? This is getting to be more than annoying. What domains do they 
control so I can not trigger them?




Re: false positive on citibank e-mail

2006-10-16 Thread Daryl C. W. O'Shea

Jo Rhett wrote:
> Included below is a legitimate e-mail on a legitimate payment that I did
> make.
>
> I've looked at the rule, and I can't figure out why it failed.


After unwrapping the mail included in your message body, I can't 
reproduce this under SA 3.1.8-r454679 using the ruleset 
70_sare_spoof_cf_sare_sa-update_dostech_net/200607251600.cf.


If you can provide a copy that triggers this in an attachment I'll take 
another look.



Daryl


Re: How to disable autolearn for FuzzyOcr?

2006-10-16 Thread Marc Perkel






Daniel T. Staal wrote:
> On Mon, October 16, 2006 3:07 pm, Marc Perkel said:
>> What needs to be done with messages that are spam is to only learn the
>> headers and not the body of the message. What needs to be done is some
>> detection of deliberate bayes poisoning and removal of the poison before
>> learning.
>
> In all honesty: Why?  Bayes, by design, handles that by learning any of
> the words that are preferentially in spam or ham, and tossing the rest.
> It is highly unlikely that their attempts at poisoning the database are
> going to do anything other than give them a *higher* spam score, and not
> affecting your ham much or at all.
>
> Even if you could decide which words would be bayes-poison, it would vary
> by each email and each user/database.
>
> Ignore it.  Let Bayes do what it is supposed to do.  The only thing I've
> seen that is at all effective against SA's Bayes implementation is empty
> messages.  Which are pretty useless, and screenable with other rules.

On my system I was getting so much poison email that it had actually
reversed the bayes filter where nonspam was getting a 1.0 score and spam
was getting a 0.




Re: senders domain has MX or not?

2006-10-16 Thread mouss

Benny Pedersen wrote:
> On Sun, October 15, 2006 23:33, mouss wrote:
>> - you may also use the bogusmx list at rfc-ignorant, but this catches
>> some legitimate (misconfigured) sites. so think twice before using it to
>> reject at MTA level.
>
> the misconfigured sites may see the problem in logs ?

These people manage to send mail to a lot of other domains. if you tell
them they are misconfigured, they will ignore you ("hey boy, our mail is
sent to N sites without a problem. if there's a problem, it's yours").

> if i know a domain that is configured bad i would tell them to fix it so the
> bogusmx can be removed
>
> no ?

if you're ready to spend your life parsing logs, go. if you wanna get a
"better" life, find better ways to fight spam. it's all about
costs/benefits. There are really too many misconfigured sites. For my
own mail, I can block a lot of this. but for other users, I can only
give them the choice to decide.




Spamassassin test fail

2006-10-16 Thread Gerhard Mourani

Hello,

I'm running the tests that come with Spamassassin and get errors on
some of them, and would like to know if someone on this list could help
me understand why those tests fail and how to fix them (if possible).

Here are the failing tests:

t/dnsbl.Not found: P_2 =  
 [127.0.0.4]

# Failed test 1 in t/SATest.pm at line 592
   Not found: P_7 =  

t/dnsbl.NOK 1# Failed test 2 in t/SATest.pm at line 
592 fail #2
   Not found: P_4 =   
[127.0.0.1]
t/dnsbl.NOK 2# Failed test 3 in t/SATest.pm at line 
592 fail #3
   Not found: P_3 =   
[127.0.0.12]
t/dnsbl.NOK 3# Failed test 4 in t/SATest.pm at line 
592 fail #4
   Not found: P_5 =  
 [127.0.0.1]
t/dnsbl.NOK 4# Failed test 5 in t/SATest.pm at line 
592 fail #5
   Not found: P_1 =   
[127.0.0.2]
t/dnsbl.NOK 5# Failed test 6 in t/SATest.pm at line 
592 fail #6
   Not found: P_6 =   
[127.0.0.2]
t/dnsbl.NOK 6# Failed test 7 in t/SATest.pm at line 
592 fail #7

   Not found: P_15 =  DNSBL_RHS
t/dnsbl.NOK 7# Failed test 8 in t/SATest.pm at line 
592 fail #8

   Not found: P_17 =  DNSBL_SB_FLOAT
t/dnsbl.NOK 8# Failed test 9 in t/SATest.pm at line 
592 fail #9

   Not found: P_18 =  DNSBL_SB_STR
t/dnsbl.NOK 9# Failed test 10 in t/SATest.pm at line 
592 fail #10

   Not found: P_16 =  DNSBL_SB_TIME
t/dnsbl.NOK 10# Failed test 11 in t/SATest.pm at 
line 592 fail #11

   Not found: P_10 =  DNSBL_TEST_DYNAMIC
t/dnsbl.NOK 11# Failed test 12 in t/SATest.pm at 
line 592 fail #12

   Not found: P_12 =  DNSBL_TEST_RELAY
t/dnsbl.NOK 12# Failed test 13 in t/SATest.pm at 
line 592 fail #13

   Not found: P_11 =  DNSBL_TEST_SPAM
t/dnsbl.NOK 13# Failed test 14 in t/SATest.pm at 
line 592 fail #14

   Not found: P_8 =  DNSBL_TEST_TOP
t/dnsbl.NOK 14# Failed test 15 in t/SATest.pm at 
line 592 fail #15

   Not found: P_9 =  DNSBL_TEST_WHITELIST
t/dnsbl.NOK 15# Failed test 16 in t/SATest.pm at 
line 592 fail #16

   Not found: P_14 =  DNSBL_TXT_RE
t/dnsbl.NOK 16# Failed test 17 in t/SATest.pm at 
line 592 fail #17

   Not found: P_13 =  DNSBL_TXT_TOP
t/dnsbl.NOK 17# Failed test 18 in t/SATest.pm at 
line 592 fail #18
t/dnsbl.FAILED tests 
1-18   
   Failed 18/23 tests, 21.74% okay


Spamassassin version is -> 3.1.7

Thanks,


Re: Spamassassin test fail

2006-10-16 Thread Theo Van Dinter
On Mon, Oct 16, 2006 at 06:58:45PM -0400, Gerhard Mourani wrote:
> Here are the failing tests:
> 
> t/dnsbl.Not found: P_2 =  
>  [127.0.0.4]
> # Failed test 1 in t/SATest.pm at line 592
>Not found: P_7 =  
> 

If you run "host 134.88.73.210.dnsbltest.spamassassin.org" does it return
anything?  Do you have Net::DNS installed, and is it an appropriate version?

-- 
Randomly Selected Tagline:
A mother pampering a child is raising a serpent.




Re: false positive on citibank e-mail

2006-10-16 Thread Jo Rhett

Daryl C. W. O'Shea wrote:
> Jo Rhett wrote:
>> Included below is a legitimate e-mail on a legitimate payment that I
>> did make.
>>
>> I've looked at the rule, and I can't figure out why it failed.
>
> After unwrapping the mail included in your message body, I can't
> reproduce this under SA 3.1.8-r454679 using the ruleset
> 70_sare_spoof_cf_sare_sa-update_dostech_net/200607251600.cf.
>
> If you can provide a copy that triggers this in an attachment I'll take
> another look.


Yeah, I was eyeballing it but couldn't figure it out either.  Very odd.

Is there any part of this rule that might be affected by using Amavisd 
or testing via Milter?  (I do both)


Unrelated, but might I suggest for readability that next time you do an 
update, change CHASE_B to BIGFOOT or something?


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: Spamassassin test fail

2006-10-16 Thread Gerhard Mourani

Theo Van Dinter wrote:
> On Mon, Oct 16, 2006 at 06:58:45PM -0400, Gerhard Mourani wrote:
>> Here are the failing tests:
>>
>> t/dnsbl.Not found: P_2 =
>>  [127.0.0.4]
>>
>> # Failed test 1 in t/SATest.pm at line 592
>>    Not found: P_7 =
>
> If you run "host 134.88.73.210.dnsbltest.spamassassin.org" does it return
> anything?  Do you have Net::DNS installed, and is it an appropriate version?

Hello Theo,

Net-DNS version is -> 0.53
[EMAIL PROTECTED] ~]$ host 134.88.73.210.dnsbltest.spamassassin.org
134.88.73.210.dnsbltest.spamassassin.org has address 127.0.0.4


