Re: Re[2]: why this spam has a negative score?

2006-11-01 Thread Nigel Frankcom
On Wed, 1 Nov 2006 08:56:07 +0100, [EMAIL PROTECTED] wrote:

>Hello,
>On 24 October 2006, 8:05:06, you wrote:
>
>> [EMAIL PROTECTED] wrote to me off list:
>>> So, how do I whitelist the e-mail from users in my domain?
>
>> I'd be asking myself why there's a need to whitelist my own users. 
>> After all, if you have to whitelist them to avoid their messages being 
>> marked as spam, what do you expect is going to happen when their mail 
>> arrives at other domains?
>
>> In any case, you could use whitelist_from_rcvd, whitelist_from_spf 
>> whitelist_from_dkim or whitelist_from_dk.  Or don't even bother scanning
>> local mail.
>
>
>> Daryl
>
>I edited my local.cf to:
>
># This is the right place to customize your installation of SpamAssassin.
>#
># See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
># tweaked.
>#
>###
>#
># rewrite_header Subject *SPAM*
>rewrite_header Subject *SPAM*
># report_safe 1
># trusted_networks 212.17.35.
># lock_method flock
>whitelist_from  [EMAIL PROTECTED]
>trusted_networks 10.0.0/23 127/8
>whitelist_from_rcvd [EMAIL PROTECTED] muvalmez.cz
>##
>use_bayes 1
>bayes_auto_learn 1
># Enable or disable network checks
>skip_rbl_checks 0
>use_razor2  1
>#use_dcc 1
>use_pyzor   1
>
># Mail using languages used in these country codes will not be marked
># as being possibly spam in a foreign language.
># - czech english german polish russian slovak 
>ok_languages cs
>
># Mail using locales used in these country codes will not be marked
># as being possibly spam in a foreign language.
>ok_locales  cs
>bayes_path /var/spool/spamassassin/bayes/bayes
>bayes_file_mode 0777
>
>although I find this spam with a negative score:
>
>Return-Path: <[EMAIL PROTECTED]>
>X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on fw.muvalmez.cz
>X-Spam-Status: No, score=-80.4 required=5.0 tests=BAYES_50,EXTRA_MPART_TYPE,
>FROM_LOCAL_NOVOWEL,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_90_100,
>HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,MY_CID_AND_CLOSING,
>MY_CID_AND_STYLE,SARE_GIF_ATTACH,SARE_GIF_STOX,UNPARSEABLE_RELAY,
>USER_IN_WHITELIST autolearn=no version=3.1.5
>X-Spam-Level: 
>X-Original-To: [EMAIL PROTECTED]
>Received: from adsl-074-246-243-216.sip.ard.bellsouth.net 
>(adsl-074-246-243-216.sip.ard.bellsouth.net [74.246.243.216])
>by fw.muvalmez.cz (Postfix) with ESMTP id 5DC9E2C092
>for <[EMAIL PROTECTED]>; Tue, 31 Oct 2006 22:17:37 +0100 (CET)
>Received: from mail.roschemanagement.de (port=15557 helo=hfksmjdhqtfa)
>by adsl-074-246-243-216.sip.ard.bellsouth.net with smtp
>id 46D6-mPwO8R8w-Hn4
>for [EMAIL PROTECTED]; Tue, 31 Oct 2006 16:17:39 -0500
>Message-ID: <[EMAIL PROTECTED]>
>From: "Ricky Martin" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: your spiritual side of the rising in all, the.  I fuse a
>Date: Tue, 31 Oct 2006 16:17:39 -0500

You need to use whitelist_from_rcvd * muvalmez.cz (note the spaces)

With your current setting you are whitelisting anything that *says*
it's from muvalmez.cz rather than whitelist_from_rcvd which actually
checks the sending mailserver is valid for muvalmez.cz

HTH

Nigel


Re: Net::DNS and Perl 5.8.1

2006-11-01 Thread Nigel Frankcom
On Wed, 1 Nov 2006 08:58:26 +0100, [EMAIL PROTECTED] wrote:

>Is it possible to install Net::DNS on perl version 5.8.1?
> [EMAIL PROTECTED]
> mailto:[EMAIL PROTECTED]

CPAN is the usual way to do it, tho iirc that has caused some problems
(it did here). I got round it by installing through yum (yum install
perl-Net-DNS). "yum list all" will show you what Perl modules are
available for installation through your set repos.

HTH

Nigel


Re: Re[2]: why this spam has a negative score?

2006-11-01 Thread Nigel Frankcom
On Wed, 1 Nov 2006 08:56:07 +0100, [EMAIL PROTECTED] wrote:

>Hello,
>On 24 October 2006, 8:05:06, you wrote:
>
>> [EMAIL PROTECTED] wrote to me off list:
>>> So, how do I whitelist the e-mail from users in my domain?
>
>> I'd be asking myself why there's a need to whitelist my own users. 
>> After all, if you have to whitelist them to avoid their messages being 
>> marked as spam, what do you expect is going to happen when their mail 
>> arrives at other domains?
>
>> In any case, you could use whitelist_from_rcvd, whitelist_from_spf 
>> whitelist_from_dkim or whitelist_from_dk.  Or don't even bother scanning
>> local mail.
>
>
>> Daryl
>
>I edited my local.cf to:
>
># This is the right place to customize your installation of SpamAssassin.
>#
># See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
># tweaked.
>#
>###
>#
># rewrite_header Subject *SPAM*
>rewrite_header Subject *SPAM*
># report_safe 1
># trusted_networks 212.17.35.
># lock_method flock
>whitelist_from  [EMAIL PROTECTED]
>trusted_networks 10.0.0/23 127/8
>whitelist_from_rcvd [EMAIL PROTECTED] muvalmez.cz
>##
>use_bayes 1
>bayes_auto_learn 1
># Enable or disable network checks
>skip_rbl_checks 0
>use_razor2  1
>#use_dcc 1
>use_pyzor   1
>
># Mail using languages used in these country codes will not be marked
># as being possibly spam in a foreign language.
># - czech english german polish russian slovak 
>ok_languages cs
>
># Mail using locales used in these country codes will not be marked
># as being possibly spam in a foreign language.
>ok_locales  cs
>bayes_path /var/spool/spamassassin/bayes/bayes
>bayes_file_mode 0777
>
>although I find this spam with a negative score:
>
>Return-Path: <[EMAIL PROTECTED]>
>X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on fw.muvalmez.cz
>X-Spam-Status: No, score=-80.4 required=5.0 tests=BAYES_50,EXTRA_MPART_TYPE,
>FROM_LOCAL_NOVOWEL,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_90_100,
>HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,MY_CID_AND_CLOSING,
>MY_CID_AND_STYLE,SARE_GIF_ATTACH,SARE_GIF_STOX,UNPARSEABLE_RELAY,
>USER_IN_WHITELIST autolearn=no version=3.1.5
>X-Spam-Level: 
>X-Original-To: [EMAIL PROTECTED]
>Received: from adsl-074-246-243-216.sip.ard.bellsouth.net 
>(adsl-074-246-243-216.sip.ard.bellsouth.net [74.246.243.216])
>by fw.muvalmez.cz (Postfix) with ESMTP id 5DC9E2C092
>for <[EMAIL PROTECTED]>; Tue, 31 Oct 2006 22:17:37 +0100 (CET)
>Received: from mail.roschemanagement.de (port=15557 helo=hfksmjdhqtfa)
>by adsl-074-246-243-216.sip.ard.bellsouth.net with smtp
>id 46D6-mPwO8R8w-Hn4
>for [EMAIL PROTECTED]; Tue, 31 Oct 2006 16:17:39 -0500
>Message-ID: <[EMAIL PROTECTED]>
>From: "Ricky Martin" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: your spiritual side of the rising in all, the.  I fuse a
>Date: Tue, 31 Oct 2006 16:17:39 -0500


Reading further through your mail rather than scanning it... you would
need to replace
whitelist_from_rcvd [EMAIL PROTECTED] muvalmez.cz
with
whitelist_from_rcvd * fw.muvalmez.cz

The info following the * needs to be the FQDN of your mailserver, not
your domain as you currently seem to have.

Sorry for the earlier confusion.

Nigel
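As an added example (not code from this thread or from SpamAssassin itself): a small Python audit that parses a folded X-Spam-Status header of the kind quoted above and reports whether a message that hit USER_IN_WHITELIST would have crossed the threshold without the whitelist, which is exactly how a forged From: slips through a plain whitelist_from. It assumes SpamAssassin's default -100 score for USER_IN_WHITELIST and uses constructed sample headers; it also accepts the older hits= form that appears later in this digest.

```python
"""Audit X-Spam-Status headers for spam that only the whitelist rescued.

Added example, not code from the thread.  Assumes SpamAssassin's default
score of -100 for USER_IN_WHITELIST; the sample headers are constructed.
"""

WHITELIST_RULE = "USER_IN_WHITELIST"
WHITELIST_SCORE = -100.0   # default score for USER_IN_WHITELIST (assumption)

# Constructed sample in the shape of the header quoted in the thread:
# continuation lines are tab-indented, as SpamAssassin 3.1 folds them.
SAMPLE_HEADERS = """\
Return-Path: <sender@example.invalid>
X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on mx.example.invalid
X-Spam-Status: No, score=-80.4 required=5.0 tests=BAYES_50,EXTRA_MPART_TYPE,
\tFROM_LOCAL_NOVOWEL,HELO_DYNAMIC_DHCP,HTML_IMAGE_ONLY_08,SARE_GIF_ATTACH,
\tUSER_IN_WHITELIST autolearn=no version=3.1.5
X-Spam-Level:
Subject: constructed sample
"""

# Constructed sample in the older amavisd-new style (hits= instead of score=).
SAMPLE_AMAVIS = """\
X-Spam-Status: Yes, hits=6.86 tagged_above=-999 required=4 tests=AWL,
\tBAYES_00, NA_DOLLARS
X-Spam-Flag: YES
"""


def unfold_header(raw, name):
    """Return the value of header `name` with RFC 2822 folding undone, or None."""
    value = None
    for line in raw.splitlines():
        if value is not None:
            if line[:1] in (" ", "\t"):          # folded continuation line
                value += " " + line.strip()
                continue
            break                                # next header: we are done
        if line.lower().startswith(name.lower() + ":"):
            value = line.split(":", 1)[1].strip()
    return value


def parse_spam_status(raw):
    """Parse X-Spam-Status into flag, score, required and the list of tests.

    The tests= list may be split across folded lines, so tokens without an
    '=' are glued onto the value of the preceding key.
    """
    value = unfold_header(raw, "X-Spam-Status")
    if value is None:
        return None
    flag, _, rest = value.partition(",")
    fields, key = {}, None
    for token in rest.split():
        if "=" in token:
            key, _, val = token.partition("=")
            fields[key] = val
        elif key is not None:
            fields[key] += token
    score = fields.get("score", fields.get("hits"))
    if score is None or "required" not in fields:
        return None
    return {
        "flag": flag.strip() == "Yes",
        "score": float(score),
        "required": float(fields["required"]),
        "tests": [t for t in fields.get("tests", "").split(",") if t],
    }


def whitelist_rescued(status, whitelist_score=WHITELIST_SCORE):
    """If USER_IN_WHITELIST fired, recompute the score without it.

    Returns None when the rule did not fire; otherwise the score the other
    rules produced on their own and whether that alone is over the required
    threshold, i.e. whether the whitelist is what let the message through.
    """
    if status is None or WHITELIST_RULE not in status["tests"]:
        return None
    without = round(status["score"] - whitelist_score, 1)
    return {"score_without_whitelist": without,
            "would_be_spam": without >= status["required"]}


if __name__ == "__main__":
    for raw in (SAMPLE_HEADERS, SAMPLE_AMAVIS):
        status = parse_spam_status(raw)
        print(status, whitelist_rescued(status))
```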


R: pyzor server address

2006-11-01 Thread Giampaolo Tomassoni
> I have a simple question... someone know a good pyzor server?
> 
> Right now "pyzor discover" give me "66.250.40.33:24441"
> and a "pyzor ping" give me " 66.250.40.33:24441  TimeoutError:"
> 
> So I suppose this server is just dead...

Actually, I have already heard this question, and it is probably better 
addressed to the pyzor list.

However, the fact is that 66.250.40.33 seems to be a bit overwhelmed and 
just can't handle many of the requests it receives.

A new server has been set up (82.94.255.100:24441). The problem is that the 
pyzor project actually doesn't provide any means to replicate the data between 
the two servers. However, efforts in this matter are going to be spent, and it 
may be that a replicating layer will be available within weeks.

Actually, you have two options:

 a) manually change your server to 82.94.255.100:24441. If you choose this, 
expect to have fewer spam reports from Pyzor: far fewer people use 
82.91.255.100;

 b) leave the servers file as is, lower pyzor's timeout and increase the 
maximum retries: I've been told that many short-time attempts are better than 
a single, long-lasting one. So, in your local.cf, try using something like:

use_pyzor 1
pyzor_timeout 3
pyzor_max 10

Your mileage may vary.

If you like, there is also a third option which uses both servers. The SA patch 
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5148 is needed in order 
to adopt this.

Regards,

---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100

NEVER send an e-mail to:
 [EMAIL PROTECTED]

> 
> Thanks
> 
> Francois Rousseau



script for reporting and resending ham?

2006-11-01 Thread Leon Kolchinsky
Hello All,

I'm running Cyrus as my IMAP server 
(Cyrus+Postfix+Amavis_ClamAV+Spamassassin+Web-Cyradm).

I've written a script for reporting spam to the Razor DB and teaching the 
Bayesian DB with it, revoking false positives from the Razor DB and teaching 
the Bayesian DB with false positives.

It looks like this (I didn't test it yet, waiting for your suggestions). I had 
to do it this way (for i in *.) because the Razor manual says that more than 
one non-mbox mail cannot be read from stdin: 


#!/bin/bash

###Razor stuff###

##Revoking
# Cyrus stores one message per file named "<uid>." so the "*." glob picks
# each message up; razor-revoke/razor-report are given one file at a time.
cd /ham_folder/
chmod 644 *.
for i in *.;
do
echo "Revoking $i"
su vscan -c "(/usr/lib/razor-revoke $i)"
done
echo "Razor Revoke Completed!"
###Reporting###
cd /spam_folder/
chmod 644 *.
for i in *.;
do
echo "Reporting $i"
su vscan -c "(/usr/lib/razor-report $i)"
done
echo "Razor Reporting Completed!"

###Bayesian stuff###
su vscan -c "(sa-learn --showdots --spam /spam_folder/)"
su vscan -c "(sa-learn --showdots --ham /ham_folder/)"

###Cleaning spam folder from learned emails###
su cyrus -c "(/usr/lib/cyrus/bin/ipurge -d0 -f user/spamkiller/spam)"

###End of the script###


What I'm missing is a proper way of resending false positives (located now in 
/ham_folder/).
Should I also add the sender to a whitelist? If yes how?

How should I remove SA headers (how exactly?) and resend ham in the proper way?
Any sample code would be very welcome.
 


Best Regards
Leon Kolchinsky


How do i catch this

2006-11-01 Thread Suhas \(QualiSpace\)

Hi,

How do I catch these types of mails?

Received: from wk-2022 [125.92.211.28] by ourdomain.com
  (SMTPD-8.22) id AF800E44; Wed, 01 Nov 2006 01:32:32 -0500
Received: (qmail 1474 invoked by uid 0); Wed, 1 Nov 2006 14:30:22 -)
Received: from unknown (HELO evmneyumjf) (192.168.1.7)
  by 192.168.1.21 with SMTP; Wed, 1 Nov 2006 14:30:22 -
Date: Wed, 1 Nov 2006 14:25:22 +0800
From: adam <[EMAIL PROTECTED]>
Mime-Version: 1.0
To: [EMAIL PROTECTED]
Subject: This is not shown on TV.
Content-Type: multipart/mixed;
boundary="---D502AA0C7D660BFD"
Message-Id: <[EMAIL PROTECTED]>
X-Envelope-From:<[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on server1
X-Spam-Level: 
X-Spam-Status: No, score=4.0 required=4.5 tests=BAYES_80,RCVD_BY_IP,
SARE_GIF_ATTACH autolearn=no version=3.0.1
X-IMail-Queuename:<3f80014d1cb9>; Demo: 2006-11-30
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 460400970
X-IMail-ThreadID: 3f80014d1cb9 

This is not shown on TV. 

Received: from w01 [211.22.72.223] by ourdomain.com
  (SMTPD-8.22) id A16706AC; Wed, 01 Nov 2006 00:32:23 -0500
Received: (qmail 1096 invoked by uid 0); Wed, 1 Nov 2006 13:31:11 -)
Received: from unknown (HELO txsjre) (192.168.1.23)
  by 192.168.1.101 with SMTP; Wed, 1 Nov 2006 13:31:11 -
Date: Wed, 1 Nov 2006 13:23:11 +0800
From: claudia adams <[EMAIL PROTECTED]>
Mime-Version: 1.0
To: [EMAIL PROTECTED]
Subject: Livan War real pictures.
Content-Type: multipart/mixed;
boundary="---C5F64F487E86CFDA"
Message-Id: <[EMAIL PROTECTED]>
X-Envelope-From:<[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on server1
X-Spam-Level: 
X-Spam-Status: No, score=4.0 required=4.5 tests=BAYES_95,RCVD_BY_IP 
autolearn=no version=3.0.1
X-IMail-Queuename:<3166016ef8c3>; Demo: 2006-11-30
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 460400944
X-IMail-ThreadID: 3166016ef8c3 

From: claudia adams <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
CC: 
Date: Wed, 1 Nov 2006 13:23:11 +0800
Subject: Livan War real pictures. 

Livan War real pictures.

Warm Regards,
Suhas
System Administrator
QualiSpace - A QuantumPages Enterprise
===
Tel India: +91 (22) 6792 - 1480
Tel US: +1 (614) 827 - 1224
Fax India: +91 (22) 2530 - 3166
URL: http://www.qualispace.com
===
For Any Technical Query Please Use: http://helpdesk.qualispace.com 
QualiSpace Community Discussion forum: http://forum.qualispace.com 

Re: How do i catch this

2006-11-01 Thread Duncan Hill
On Wed, November 1, 2006 09:27, Suhas \(QualiSpace\) wrote:

> How do I catch these types of mails?
>
> Received: from wk-2022 [125.92.211.28] by ourdomain.com

Don't accept mail from non-fully-qualified HELOs ?



Re: How do i catch this

2006-11-01 Thread Alan Premselaar
Suhas (QualiSpace) wrote:
> Hi,
> 
> How do I catch these types of mails?
> 
> Received: from wk-2022 [125.92.211.28] by ourdomain.com
>   (SMTPD-8.22) id AF800E44; Wed, 01 Nov 2006 01:32:32 -0500
> Received: (qmail 1474 invoked by uid 0); Wed, 1 Nov 2006 14:30:22 -)
> Received: from unknown (HELO evmneyumjf) (192.168.1.7)
>   by 192.168.1.21 with SMTP; Wed, 1 Nov 2006 14:30:22 -
> Date: Wed, 1 Nov 2006 14:25:22 +0800
> From: adam <[EMAIL PROTECTED]>
> Mime-Version: 1.0
> To: [EMAIL PROTECTED]
> Subject: This is not shown on TV.
> Content-Type: multipart/mixed;
> boundary="---D502AA0C7D660BFD"
> Message-Id: <[EMAIL PROTECTED]>
> X-Envelope-From:<[EMAIL PROTECTED]>
> X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on server1
> X-Spam-Level: 
> X-Spam-Status: No, score=4.0 required=4.5 tests=BAYES_80,RCVD_BY_IP,
> SARE_GIF_ATTACH autolearn=no version=3.0.1

You're getting really close, I bet if you turned on network tests you'd
be fine.  You may also want to look into setting up DCC and/or Razor as
well.

HTH

Alan


RE: How do i catch this

2006-11-01 Thread Suhas \(QualiSpace\)
But I am afraid of false positives. What do others say on this?

Warm Regards,
Suhas
System Admin
QualiSpace - A QuantumPages Enterprise
===
Tel India: +91 (22) 6792 - 1480
Tel US: +1 (614) 827 - 1224
Fax India: +91 (22) 2530 - 3166
URL: http://www.qualispace.com 
===
For Any Technical Query Please Use: http://helpdesk.qualispace.com 
QualiSpace Community Discussion forum: http://forum.qualispace.com


-Original Message-
From: Duncan Hill [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 01, 2006 3:06 PM
To: users@spamassassin.apache.org
Subject: Re: How do i catch this

On Wed, November 1, 2006 09:27, Suhas \(QualiSpace\) wrote:

> How do I catch these types of mails?
>
> Received: from wk-2022 [125.92.211.28] by ourdomain.com

Don't accept mail from non-fully-qualified HELOs ?






Re: Relay Checker Plugin (code review please?)

2006-11-01 Thread Justin Mason

John Rudd writes:
> Stuart Johnston wrote:
> > John Rudd wrote:
> >> Stuart Johnston wrote:
> >>> John Rudd wrote:
>  2) This sort of replaces the other set of rules I created, that did 
>  this with metarules instead of a plugin.  This made some of the 
>  checks less useful.  You probably don't need to use both methods.
> >>>
> >>> So, what is the point of doing this as a plugin instead of using 
> >>> existing rules?  The obvious disadvantage is the additional dns lookups.
> >>
> >> The advantages are:
> >>
> >> a) being sure that the hostname in RDNS points back to the IP address 
> >> you started with.  Thus detecting forgeries (which shouldn't happen 
> >> with _any_ legitimate service)
> > 
> > Postfix does this for you.  It is easy enough to write an SA rule to 
> > look at the Postfix headers.  I don't know about other MTAs.
> 
> Sendmail does some of it, but since I didn't find detailed documentation 
> on the Trusted/Untrusted Relay pseudo-headers, I don't know if it's 
> represented in there.  Nor do I know if it's on the meta-information I 
> can get from permessagestatus when I ask for the untrusted relay entries 
> (whose hash keys are, I assume, the names of the fields in the 
> trusted/untrusted relays lines)
> 
> If I could get that same information without the DNS checks, I would. 
> (though, honestly, with a little more investigation, I can probably 
> eliminate ONE of my two DNS checks by looking at more of the pseudo-header).

for what it's worth: http://wiki.apache.org/spamassassin/TrustedRelays

they were woefully under-documented alright :(  now improved.

--j.

> >> b) just using the rules version of what I wrote, you can only check if 
> >> the decimal IP address, in individual segments, is in the hostname.  
> >> You can't check if the entire decimal IP address (one large number) is 
> >> in the IP address, nor can you check if the hexadecimal segments are 
> >> in the hostname.
> >>
> >>
> >> (a) requires more DNS work, yes.  (b) does not.  It just requires a 
> >> bit more math.
> >>
> > 
> > This is just my opinion, of course, but:  I'd probably make the plugin 
> > just do (b).
> > 
> > It might be nice if SA did (a) as part of its standard checks although 
> > in my experience, way too many legitimate mail servers fail on this for 
> > it to be useful anyway.
> 
> I have yet to have a legitimate message rejected by that check, when 
> I've been doing it in mimedefang.


RE: How do i catch this

2006-11-01 Thread Chinta, Chaitanya Sai Krishna

The FPs are more. I did observe some genuine newsletters coming from such IPs.
 
~Chaitu


From: Suhas (QualiSpace) [mailto:[EMAIL PROTECTED]]
Sent: Wed 11/1/2006 3:43 PM
To: 'Duncan Hill'
Cc: users@spamassassin.apache.org
Subject: RE: How do i catch this

But I am afraid of false positives. What others say on this?

Warm Regards,
Suhas
System Admin
QualiSpace - A QuantumPages Enterprise
===
Tel India: +91 (22) 6792 - 1480
Tel US: +1 (614) 827 - 1224
Fax India: +91 (22) 2530 - 3166
URL: http://www.qualispace.com
===
For Any Technical Query Please Use: http://helpdesk.qualispace.com
QualiSpace Community Discussion forum: http://forum.qualispace.com

-Original Message-
From: Duncan Hill [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 01, 2006 3:06 PM
To: users@spamassassin.apache.org
Subject: Re: How do i catch this

On Wed, November 1, 2006 09:27, Suhas \(QualiSpace\) wrote:

> How do I catch these types of mails?
>
> Received: from wk-2022 [125.92.211.28] by ourdomain.com

Don't accept mail from non-fully-qualified HELOs ?

rewrite subject?

2006-11-01 Thread Pablo Allietti
Hi all. I have a problem with rewrite subject. Many messages in the
server are detected as spam and the subject is rewritten with ***SPAM***,
but others are NOT, and they have this in the headers. What is the problem?
Why doesn't spamassassin rewrite these messages? What is tagged_above=-999?


X-Spam-Status: Yes, hits=6.86 tagged_above=-999 required=4 tests=AWL,
  BAYES_00, NA_DOLLARS, NIGERIAN_BODY1, RCVD_IN_BL_SPAMCOP_NET,
  RCVD_IN_SORBS_WEB, RISK_FREE, TO_EMPTY, URG_BIZ, US_DOLLARS_3
X-Spam-Level: **
X-Spam-Flag: YES
-- 
Pablo Allietti
E-mail: [EMAIL PROTECTED] | LACNIC
Phone : +598 2 604       | http://LACNIC.NET


Re: R: Age of a domain name - a new test?

2006-11-01 Thread Jeff Chan
On Tuesday, October 31, 2006, 11:24:35 AM, John Hardin wrote:
> On Tue, 31 Oct 2006, Kenneth Porter wrote:

>> --On Tuesday, October 31, 2006 8:28 AM +0100 Giampaolo Tomassoni 
>> <[EMAIL PROTECTED]> wrote:
>> 
>> > Ok. Why not combine an age check with Hardin's "spam-friendly registrar"
>> > plugin?
>> 
>> Where can I find out more about this plugin? I searched the wiki for 
>> "registrar" and it doesn't turn up.

> I haven't really officially "released" it yet.

> http://www.impsec.org/~jhardin/SURBL_registrar/

FWIW I attempted to speed read John's code in about 2 seconds but
could not determine what it had to do with SURBLs.  Maybe John
can clarify?

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re: rewrite subject?

2006-11-01 Thread Magnus Holmgren
On Wednesday 01 November 2006 13:29, Pablo Allietti took the opportunity to 
say:
> Hi all. I have a problem with rewrite subject. Many messages in the
> server are detected as spam and the subject is rewritten with ***SPAM***,
> but others are NOT, and they have this in the headers. What is the problem?
> Why doesn't spamassassin rewrite these messages? What is tagged_above=-999?

tagged_above indicates that you're using Amavisd-new, and it is adding the 
headers and (not) rewriting the subject, not SpamAssassin.

> X-Spam-Status: Yes, hits=6.86 tagged_above=-999 required=4 tests=AWL,
>  BAYES_00, NA_DOLLARS, NIGERIAN_BODY1, RCVD_IN_BL_SPAMCOP_NET,
>  RCVD_IN_SORBS_WEB, RISK_FREE, TO_EMPTY, URG_BIZ, US_DOLLARS_3
> X-Spam-Level: **
> X-Spam-Flag: YES

-- 
Magnus Holmgren        [EMAIL PROTECTED]
  (No Cc of list mail needed, thanks)




[Slightly OT] Gocr-0.40 can't see netpbm for FuzzyOCR

2006-11-01 Thread James Lay
Hey all!

Soo..the current gocr segfault patch ONLY works for gocr-0.40
(interesting as that version is no longer on the gocr site ;)).
However, after talking with the developer of gocr, gocr-0.40 can't seem
to find netpbm.  This has been fixed (and verified) in version 0.41.
Decoder spoke of some people in here that had a workaround/fix for just
this issue.  Any help here?  Heh...I love linux...even the smallest
task can turn into the biggest chore ;)

James


Inconsistent scoring

2006-11-01 Thread Tim Boyer
I've been using SA for years.  I'm running 3.1.6 on a Red Hat box, and 99%
of the time, all is well.

Last week I added a rule to tag those annoying .gif pump-and-dump emails.
Nothing fancy:

rawbody IMG_SRC_CID /src\=(\"c|c)id\:/i
score IMG_SRC_CID   2.0

Most of the time it works fine.  However, occasionally, I'll get an email
that ONLY sees that rule.  I'm using MimeDefang to rewrite the headers, and
all it shows is

X-Spam-Score: 2 (**) IMG_SRC_CID

But when I do a spamassassin --debug

Re: [Slightly OT] Gocr-0.40 can't see netpbm for FuzzyOCR

2006-11-01 Thread Matthias Keller

James Lay wrote:

> Hey all!
>
> Soo..the current gocr segfault patch ONLY works for gocr-0.40
> (interesting as that version is no longer on the gocr site ;)).
> However, after talking with the developer of gocr, gocr-0.40 can't seem
> to find netpbm.  This has been fixed (and verified) in version 0.41.
> Decoder spoke of some people in here that had a workaround/fix for just
> this issue.  Any help here?  Heh...I love linux...even the smallest
> task can turn into the biggest chore ;)

Hi

gocr 0.40 can't detect netpbm10 for some reason.
The workaround is: install netpbm9, compile, and then upgrade to netpbm10 
again.

gocr works just fine like that.
You'll also have to make some symlinks then to (I think) two netpbm10 
.so files, but gocr will tell you what it's missing upon each execution; 
just link the missing 9 files to the corresponding 10 ones.


Matt


RE: How do i catch this

2006-11-01 Thread Chris St. Pierre
On Wed, 1 Nov 2006, Suhas (QualiSpace) wrote:

>But I am afraid of false positives. What others say on this?

We reject mail from non-fqdn HELOs and have had, thus far, one FP.
The one FP we had was a mailing list sent out by someone who was a
spammer in his spare time, and he just used the same (misconfigured)
spamming software to send out his legitimate mailing lists.

If someone can't properly identify themselves to your server, tell 'em
to pound sand.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
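As an added example (not code from the thread): a Python checker for the non-FQDN HELO test suggested by Duncan and Chris above. It reads only the topmost Received: header, the one your own MTA wrote, in the two layouts quoted in the thread (IMail's "from NAME [ip] by HOST" and qmail's "from unknown (HELO NAME) (ip)"), and returns a finding rather than rejecting, so the false-positive rate Suhas and Chaitu worry about can be measured on real mail before any rejection is switched on. The sample messages are constructed.

```python
"""Report, rather than reject, messages whose HELO name is not an FQDN.

Added example, not from the thread.  Only the topmost Received: header is
examined: it was written by our own MTA, so the HELO string in it is what
the remote client actually said.  Lower Received: lines were supplied by
the remote side and may be forged.  Sample messages are constructed.
"""
import re

# Two Received: layouts quoted in the thread: IMail's "from NAME [ip] by HOST"
# and qmail's "from unknown (HELO NAME) (ip)".
HELO_PATTERNS = (
    re.compile(r"^from\s+(?P<helo>\S+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s+by\s", re.I),
    re.compile(r"^from\s+\S+\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s*\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)", re.I),
)

# Hostname label per RFC 1035: alphanumerics and hyphens, no leading or
# trailing hyphen; an FQDN needs at least one dot and an alphabetic TLD.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+[A-Za-z]{{2,63}}\.?$")

SAMPLE_NON_FQDN = """\
Received: from wk-2022 [203.0.113.28] by mx.example.invalid
  (SMTPD-8.22) id AF800E44; Wed, 01 Nov 2006 01:32:32 -0500
Received: from unknown (HELO evmneyumjf) (192.168.1.7)
  by 192.168.1.21 with SMTP; Wed, 1 Nov 2006 14:30:22 -0000
From: adam <adam@example.invalid>
Subject: constructed sample

body
"""

SAMPLE_FQDN = """\
Received: from mail.example.net [198.51.100.5] by mx.example.invalid
  (SMTPD-8.22) id A16706AC; Wed, 01 Nov 2006 00:32:23 -0500
Subject: constructed sample

body
"""


def received_headers(raw):
    """Return the unfolded values of all Received: headers, topmost first."""
    out, cur = [], None
    for line in raw.splitlines():
        if line == "":                      # blank line ends the header block
            break
        if cur is not None and line[:1] in (" ", "\t"):
            cur += " " + line.strip()       # folded continuation line
            continue
        if cur is not None:
            out.append(cur)
            cur = None
        if line.lower().startswith("received:"):
            cur = line[len("received:"):].strip()
    if cur is not None:
        out.append(cur)
    return out


def helo_of(received):
    """Extract (helo, ip) from one Received value, or None if unrecognised."""
    for rx in HELO_PATTERNS:
        m = rx.match(received)
        if m:
            return m.group("helo"), m.group("ip")
    return None


def is_fqdn(name):
    """True for a syntactically valid fully qualified hostname.

    Bracketed address literals ([1.2.3.4]) are allowed in HELO by RFC 2821
    but are not FQDNs, so they come back False and need their own policy.
    """
    return FQDN_RE.match(name) is not None


def audit_helo(raw):
    """Finding for the hop our MTA accepted: {helo, ip, fqdn}, or None."""
    headers = received_headers(raw)
    if not headers:
        return None
    parsed = helo_of(headers[0])
    if parsed is None:
        return None
    helo, ip = parsed
    return {"helo": helo, "ip": ip, "fqdn": is_fqdn(helo)}


if __name__ == "__main__":
    for raw in (SAMPLE_NON_FQDN, SAMPLE_FQDN):
        print(audit_helo(raw))
```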


Re: Inconsistent scoring

2006-11-01 Thread Loren Wilton
This seems rather odd.  I suppose you did lint your rules to make sure that 
you don't have a problem somewhere?  It is known that SA can do things like 
dropping most of the rules file following a rule with an error in it.

Maybe you are using Amavis-new or one of the other tools that does its own 
header rewriting in at least some cases?

I do have a suggestion for improving your rule though.  There are several 
things that aren't as efficient as they should be.  Instead of

rawbody IMG_SRC_CID /src\=(\"c|c)id\:/i

do

rawbody IMG_SRC_CID /src="?cid:/i

You don't need the alternation in there, all you really want is an optional 
quote mark, and following the quote with a question mark does that.  Even if 
you needed an alternation, it would be better to use a "non capturing" form 
of grouping: (?:blah) rather than just (blah).  This reduces the overhead 
for perl of saving the string that matches inside the parens in case you 
want to use it later in the regex for some reason.

Also, while I've never seen it done, I think it is theoretically possible to 
have spaces on either side of the equal sign.  So the regex really should 
probably be:

rawbody IMG_SRC_CID /src\s*=\s*"?cid:/i

   Loren
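As an added example (not code from the thread): the three IMG_SRC_CID regexes discussed above, transcribed from Perl /.../i to Python and run over constructed HTML fragments, so the effect of dropping the alternation and of tolerating whitespace around the = can be seen directly; the captured_groups helper shows what a capturing group forces the engine to save.

```python
"""Run the three IMG_SRC_CID rawbody regexes from this thread over constructed
HTML fragments to see what each one does and does not match.

Added example, not from the thread.  The patterns are the thread's rules
transcribed from Perl /.../i to Python; the sample fragments are made up.
"""
import re

RULES = {
    # Tim's original: the only purpose of the ("c|c) alternation is to make
    # the quote optional, and it costs a capturing group.  Python needs no
    # backslash before = or : here.
    "original": re.compile(r'src=("c|c)id:', re.I),
    # Loren's first rewrite: optional quote via "?, no capturing group.
    "optional_quote": re.compile(r'src="?cid:', re.I),
    # Loren's second rewrite: also tolerates whitespace around the '='.
    "tolerant": re.compile(r'src\s*=\s*"?cid:', re.I),
}

# Constructed raw-body fragments: image-only stock spam embeds its GIF as a
# MIME part and references it with a cid: URL.  The last one is a control.
SAMPLES = {
    "quoted": '<img src="cid:part1.0001@example.invalid" alt="">',
    "unquoted": "<IMG SRC=cid:img0>",
    "spaced": '<img src = "cid:chart">',
    "spaced_upper": "<IMG SRC =CID:x>",
    "remote_gif": '<img src="http://www.example.invalid/a.gif">',
}


def evaluate(rules=RULES, samples=SAMPLES):
    """Return {rule name: sorted list of sample names that rule matches}."""
    return {name: sorted(s for s, body in samples.items() if rx.search(body))
            for name, rx in rules.items()}


def captured_groups(rule_name, body):
    """Groups the engine had to save for a match (empty tuple when the rule
    has no capturing group), or None when the rule does not fire."""
    m = RULES[rule_name].search(body)
    return m.groups() if m else None


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:15s} {hits}")
    print(captured_groups("original", SAMPLES["quoted"]))
```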




RE: Inconsistent scoring

2006-11-01 Thread Tim Boyer
> 
> This seems rather odd.  I suppose you did lint your rules to 
> make sure that you don't have a problem somewhere?  It is 
> known that SA can do things like dropping most of the rules 
> file following a rule with an error in it.
> 

Yup; no lint problems at all.

> Maybe you are using Amvis-new or one of the other tools that 
> does its own header rewriting in at least some cases?
> 

MIMEDefang, but I can't see it doing this.

> I do have a suggestion for improving your rule though.  There 
> are several things that aren't as efficient as they should 
> be.  Instead of
> 
> > rawbody IMG_SRC_CID /src\=(\"c|c)id\:/i
> 
> do
> 
> > rawbody IMG_SRC_CID /src="?cid:/i
> 

Thanks much - I need all the perl help I can get. :)

-- tim --



How to not deliver messages when spamc gives a timeout

2006-11-01 Thread Rejaine Monteiro

Hi,


My qmail-scanner+spamassassin works extremely well.

The only problem is that whenever the spam processing server dies, mail 
continues to be processed without spamassassin. 

My spamc options in qmail-scanner-pl only have the "-c" option (my 
$spamc_options=' -c ';)

So, the default timeout is used (600 seconds)

Here is an example of the log file when this is happening:

Nov  1 09:49:11 serv spamc[11540]: connect(AF_INET) to spamd at 
127.0.0.1 failed, retrying (#1 of 3): Connection refused
Nov  1 09:49:12 serv spamc[11540]: connect(AF_INET) to spamd at 
127.0.0.1 failed, retrying (#2 of 3): Connection refused
Nov  1 09:49:13 serv spamc[11540]: connect(AF_INET) to spamd at 
127.0.0.1 failed, retrying (#3 of 3): Connection refused
Nov  1 09:49:14 serv spamc[11540]: connection attempt to spamd aborted 
after 3 retries
Nov  1 09:49:14 srv qmail-scanner[10390]: 
Clear:RC:0(82.135.252.97):SA:0(?/?): 102.8215 1114 
[EMAIL PROTECTED] [EMAIL PROTECTED] best_products_the_industry 
<[EMAIL PROTECTED]> orig-srv116238524754010390:1114 
1162385248.10399-0.srv:520


In the case above, the spamd daemon is running, but port 783 is not responding...

I'm using MONIT to restart the spamd daemon if port 783 is not responding 
or the daemon is not running.
Monit executes a spamd service recovery very quickly, and everything works 
again, but all spam received (hundreds) before recovery is delivered to 
users...

Does anyone have any idea how to NOT deliver messages in case of any 
problems with spamassassin (like requeue or other idea)?

And why does spamd/spamc die or time out sometimes?


Re: rewrite subject?

2006-11-01 Thread Matt Kettler
Pablo Allietti wrote:
> Hi all. I have a problem with rewrite subject. Many messages in the
> server are detected as spam and the subject is rewritten with ***SPAM***,
> but others are NOT, and they have this in the headers. What is the problem?
> Why doesn't spamassassin rewrite these messages? 
Because you're not using spamassassin for message-rewriting. You appear
to be using amavis, which does its own rewriting. It calls SA, but then
generates its own headers based on what SA returns.
> what is tagged_above=-999 ?
>   
That's an amavis thing. Amavis's idea of  "tagged" means "has an
X-Spam-Status header".  So this means that anything with a score greater
than -999, ie: all messages, will get an X-Spam-Status header added.

This setting is controlled by  sa_tag_level_deflt in amavisd.conf.

The subject rewriting should occur at sa_tag2_level_deflt, which you
appear to have set to 4. That message *should* have had its subject
rewritten, as long as sa_spam_modifies_subj is set to 1.

But in general, you're using amavis to do this work, not SA, so check
your amavisd.conf file.
>
> X-Spam-Status: Yes, hits=6.86 tagged_above=-999 required=4 tests=AWL, 
>  BAYES_00, NA_DOLLARS, NIGERIAN_BODY1, RCVD_IN_BL_SPAMCOP_NET,
>  RCVD_IN_SORBS_WEB, RISK_FREE, TO_EMPTY, URG_BIZ, US_DOLLARS_3
> X-Spam-Level: **  
> X-Spam-Flag: YES 



high cpu load and recommend max-children value

2006-11-01 Thread Rejaine Monteiro

Hi

I'm running spamassassin on a mail server: P4 CPU 2.80GHz HT - 2G RAM - 2G Swap
I'm using qmail + qmail-scanner 2.01 + spamassassin 3.0.4 + clamav
My spamassassin setup contains: razor2, dcc, fuzzy_ocr, rbl_checks, 
bayes=yes, autolearn=no, autowhitelist=no (with options "-x -u spamd -d 
-m 5")

Qmail-scanner statistics:

Average 123 Msgs / 5 min
Average 5 Viruses/5min
Average 95 Spams/5min

But we have some problems with high cpu load and spamd (cpu load ~ 7, 
8, 9)

What am I doing wrong?




Re: Inconsistent scoring

2006-11-01 Thread Theo Van Dinter
On Wed, Nov 01, 2006 at 08:14:39AM -0500, Tim Boyer wrote:
> Last week I added a rule to tag those annoying .gif pump-and-dump emails.
> Nothing fancy:
> rawbody IMG_SRC_CID /src\=(\"c|c)id\:/i

There are several issues with this rule IMO, but there's already a very
similar rule available via sa-update:

 16.856  20.0630  0.3170  0.984  0.77  1.00  __TVD_INT_CID

which shows that it hits a lot of ham (0.32%), but also hits 20% of spam.
It's good enough for a meta dependency, but not necessarily as a rule for
itself, though YMMV.

-- 
Randomly Selected Tagline:
"It is sometimes fun to scare people... Especially Matt." - Michelle




RE: whitelist_from_rcvd

2006-11-01 Thread Chris Edwards
OK I think I get it, here is a header from one of the companies we do
business with...

Microsoft Mail Internet Headers Version 2.0
Received: from gandalf.ctdx.net ([199.0.161.154]) by buythetruck.com
with Microsoft SMTPSVC(6.0.3790.211);
 Tue, 31 Oct 2006 23:27:03 -0500
Received: from harbor.x-cart.com (harbor.x-cart.com [69.20.14.15])
by gandalf.ctdx.net (8.13.7/8.13.6) with ESMTP id kA14M3vT018502
for <[EMAIL PROTECTED]>; Tue, 31 Oct 2006 23:22:03 -0500
Received: from localhost (localhost [127.0.0.1])
by harbor.x-cart.com (Postfix) with ESMTP id 32CA4FC2B4
for <[EMAIL PROTECTED]>; Tue, 31 Oct 2006 20:18:36 -0800 (PST)
Received: from harbor.x-cart.com ([127.0.0.1])
by localhost (harbor.x-cart.com [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id FJP1WignZXnm for <[EMAIL PROTECTED]>;
Tue, 31 Oct 2006 20:18:34 -0800 (PST)
Received: from gw-red.crtdev.local (mail.crtdev.local [192.168.10.1])
by harbor.x-cart.com (Postfix) with ESMTP id 1EE32FC2B2
for <[EMAIL PROTECTED]>; Tue, 31 Oct 2006 20:18:33 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
by gw-red.crtdev.local (Postfix) with ESMTP id 0C9B8112EC3C;
Wed,  1 Nov 2006 07:18:33 +0300 (MSK)
Received: from gw-red.crtdev.local ([127.0.0.1])
by localhost (mail.crtdev.local [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id Iqw-2Ddq46oC; Wed,  1 Nov 2006 07:18:32 +0300
(MSK)
Received: from gw-green.crtdev.local (green-red-fiber.crtdev.local
[192.168.99.13])
by gw-red.crtdev.local (Postfix) with ESMTP id DC976112EC2B
for <[EMAIL PROTECTED]>; Wed,  1 Nov 2006 07:18:32 +0300 (MSK)
Received: from sauron.crtdev.local (sauron.crtdev.local [192.168.12.10])
by gw-green.crtdev.local (Postfix) with ESMTP id C1738244C21
for <[EMAIL PROTECTED]>; Wed,  1 Nov 2006 07:18:32 +0300 (MSK)
Received: from sauron.crtdev.local (localhost [127.0.0.1])
by sauron.crtdev.local (8.13.8/8.13.8) with ESMTP id
kA14IFAa080272
for <[EMAIL PROTECTED]>; Wed, 1 Nov 2006 07:18:15 +0300 (MSK)
(envelope-from [EMAIL PROTECTED])
Received: (from [EMAIL PROTECTED])
by sauron.crtdev.local (8.13.8/8.13.8/Submit) id kA14IEv1080271;
Wed, 1 Nov 2006 07:18:14 +0300 (MSK)
(envelope-from www)
Date: Wed, 1 Nov 2006 07:18:14 +0300 (MSK)
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Valentine Kaverin has posted a new message for you.
From: Qualiteam HelpDesk system <[EMAIL PROTECTED]>
Content-Type: text/plain;charset=iso-8859-1;
X-Signature-Check-Ignore: Yes
X-Virus-Scanned: ClamAV 0.88.5/2136/Tue Oct 31 22:06:48 2006 on
gandalf.ctdx.net
X-Virus-Scanned: amavisd-new at x-cart.com
X-Virus-System: ClamAV 0.88.5/2136/Tue Oct 31 19:06:48 2006
X-Virus-Status: Clean
X-Spam-Status: No, score=3.0 required=5.0 tests=AWL,BAYES_00,BIZ_TLD,
SPF_SOFTFAIL,URI_NO_WWW_BIZ_CGI autolearn=no version=3.1.3
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
gandalf.ctdx.net
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 01 Nov 2006 04:27:03.0500 (UTC)
FILETIME=[FB3D50C0:01C6FD6D]

So their entry would be...

whitelist_from_rcvd [EMAIL PROTECTED] x-cart.com 

Correct?

Thanks for the help!!

Chris Edwards

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 31, 2006 10:30 PM
To: Chris Edwards
Cc: users@spamassassin.apache.org
Subject: Re: whitelist_from_rcvd

Chris Edwards wrote:
> Hello!
>  
> Praise...
>  
> I have not used spamassassin for several years.  I switched companies 
> recently and they were getting killed with spam.  I have really 
> enjoyed relearning spamassassin and reading the mailing list.
> Spamassassin has done and incredible job of reducing the amount of 
> spam coming into the company.  I just wanted to say thanks to all of 
> you who have had a hand in developing this awesome program!
>  
> Ok, now my question...
>  
> My company has several other companies that it does business with and 
> I want to put those companies and all the domains we own into a white 
> list.  Can I find the needed information in the headers of an email to

> create a  whitelist_from_rcvd entry in local.cf?  If so, what 
> information do I need?  If not, where would I go about finding it.
whitelist_from_rcvd needs to match two parts:

1) A "From" address. This could be the From: header, but could also be a
Return-Path, Envelope-Sender, or similar header with the Envelope "Mail
FROM" recorded in it. Which one you pick for most cases doesn't matter,
but matching a Return-Path is useful for public mailing lists where the
From: header changes constantly, but the Return-Path is always the list
server.

Note: you can use file-glob style wildcards for the addresses here. ie:
[EMAIL PROTECTED]

2) The Reverse DNS hostname for the host that delivered the message to
your network. So find the Received: header your MX added. Then grab the
hos
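The procedure Matt describes (find the Received: header your MX wrote, take the connecting relay's reverse-DNS name from it, pair it with the sender address) can be scripted. The example below is added here; it is neither Chris's nor Matt's code, and it is not part of SpamAssassin. The sample header chain is constructed from the two outermost hops quoted above with the "for <...>" clauses dropped, and the sender address sender@example.com is a placeholder. One caveat the thread only implies: SpamAssassin applies whitelist_from_rcvd to the rDNS of the last untrusted relay, so if gandalf.ctdx.net is in your trusted_networks the host that matters is the one that connected to gandalf, not gandalf itself; pass the right MX name accordingly.

```python
import re

# Constructed sample: the two outermost hops from the header chain quoted in
# this thread, "for <...>" clauses omitted, sender address a placeholder.
SAMPLE_HEADERS = """\
Received: from gandalf.ctdx.net ([199.0.161.154]) by buythetruck.com
\twith Microsoft SMTPSVC(6.0.3790.211);
\t Tue, 31 Oct 2006 23:27:03 -0500
Received: from harbor.x-cart.com (harbor.x-cart.com [69.20.14.15])
\tby gandalf.ctdx.net (8.13.7/8.13.6) with ESMTP id kA14M3vT018502;
\tTue, 31 Oct 2006 23:22:03 -0500
Return-Path: <sender@example.com>
"""

# "from HELO (RDNS [IP]) by MX" as sendmail and Postfix write it.  The RDNS
# part is absent when the MTA could not resolve the client: "([1.2.3.4])".
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s+\("
    r"(?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;(]+)",
    re.IGNORECASE,
)


def unfold_headers(raw):
    """Join RFC 2822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def find_relay_for_mx(raw_headers, mx_host):
    """Return {"helo", "rdns", "ip"} for the host that handed the message to
    mx_host, or None if no Received: header was written by that MX.
    Headers are scanned top-down, so the most recent matching hop wins."""
    for line in unfold_headers(raw_headers):
        m = RECEIVED_RE.match(line)
        if m and m.group("by").lower() == mx_host.lower():
            return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}
    return None


def registered_domain(hostname, labels=2):
    """Trailing labels of the rDNS name.  whitelist_from_rcvd matches the relay's
    rDNS by suffix, so "x-cart.com" covers harbor.x-cart.com.  Two labels is
    wrong under ccSLDs such as .co.uk; pass labels=3 there."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])


def whitelist_from_rcvd_entry(sender, relay, domain=None):
    """Build the local.cf line.  Refuses relays without rDNS: the rule can never
    match those, so the entry would silently do nothing."""
    if not relay or not relay.get("rdns"):
        raise ValueError("relay has no reverse DNS; whitelist_from_rcvd cannot match it")
    return f"whitelist_from_rcvd {sender} {domain or registered_domain(relay['rdns'])}"


if __name__ == "__main__":
    relay = find_relay_for_mx(SAMPLE_HEADERS, "gandalf.ctdx.net")
    print(relay)
    print(whitelist_from_rcvd_entry("sender@example.com", relay))
```

Run against the sample, the MX gandalf.ctdx.net yields harbor.x-cart.com and the line `whitelist_from_rcvd sender@example.com x-cart.com`; asking for buythetruck.com instead finds a hop with no rDNS at all, which is exactly the case in which whitelist_from_rcvd cannot help.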

RE: Simple script that rejects mail from spammers

2006-11-01 Thread Suhas \(QualiSpace\)
Even I'd be interested in something for postfix and iptables.

Warm Regards,
Suhas
System Admin
QualiSpace - A QuantumPages Enterprise
===
Tel India: +91 (22) 6792 - 1480
Tel US: +1 (614) 827 - 1224
Fax India: +91 (22) 2530 - 3166
URL: http://www.qualispace.com 
===
For Any Technical Query Please Use: http://helpdesk.qualispace.com 
QualiSpace Community Discussion forum: http://forum.qualispace.com


-Original Message-
From: Evan Platt [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 31, 2006 11:15 PM
To: users@spamassassin.apache.org
Subject: Re: Simple script that rejects mail from spammers

At 09:36 AM 10/31/2006, you wrote:

>Here's something similar:
>
>http://fut.patch.com/

I'd be interested in something for postfix / ipfw... :) 






Re: script for reporting ham/spam/resending?

2006-11-01 Thread Chris Purves

Leon Kolchinsky wrote:

Hello All,

I'm running Cyrus as my IMAP server 
(Cyrus+Postfix+Amavis_ClamAV+Spamassassin+Web-Cyradm).

I've written a script for reporting spam to the Razor DB and teaching the Bayesian DB 
with it, revoking false positives from the Razor DB and teaching the Bayesian DB 
with false positives.

It looks like this (didn't test it yet, waiting for your suggestions). I had to do it this way (for i in *.) because the Razor manual says that more than one non-mbox mail cannot be read from stdin: 



#!/bin/bash
# Report spam to Razor, revoke false positives, train Bayes, purge learned spam.
# razor-* and sa-learn run as the scanner user "vscan" so they use the same
# Razor identity and Bayes DB as the scanner itself.
shopt -s nullglob   # an empty folder must not loop over the literal "*."

###Razor stuff###

##Revoking
cd /ham_folder/ || exit 1
chmod 644 *.
for i in *.; do
    echo "Revoking $i"
    su vscan -c "/usr/lib/razor-revoke '$i'"
done
echo "Razor Revoke Completed!"

###Reporting###
cd /spam_folder/ || exit 1
chmod 644 *.
for i in *.; do
    echo "Reporting $i"
    su vscan -c "/usr/lib/razor-report '$i'"
done
echo "Razor Reporting Completed!"

###Bayesian stuff###
su vscan -c "sa-learn --showdots --spam /spam_folder/"
su vscan -c "sa-learn --showdots --ham /ham_folder/"   # closing quote was missing

###Cleaning spam folder from learned emails###
su cyrus -c "/usr/lib/cyrus/bin/ipurge -d0 -f user/spamkiller/spam"

###End of the script###


What I'm missing is a proper way of resending false positives (located now in 
/ham_folder/).
Should I also add the sender to a whitelist? If yes how?

How should I remove SA headers (how exactly?) and resend ham in the proper way?
 


You're making it a lot harder for yourself.

Take a look at the manual pages 'man 3 spamassassin'

spamassassin -r < ... This performs Bayes learning and reports the message 
to razor, pyzor, DCC, and spamcop.


spamassassin -k < ... This learns as ham and revokes the message with razor.



--
Chris



Re: R: Age of a domain name - a new test?

2006-11-01 Thread John D. Hardin
On Wed, 1 Nov 2006, Jeff Chan wrote:

> > I haven't really offically "released" it yet.
> 
> > http://www.impsec.org/~jhardin/SURBL_registrar/
> 
> FWIW I attempted to speed read John's code in about 2 seconds but
> could not determine what it had to do with SURBLs.  Maybe John
> can clarify?

The DNS server version was intended to be donated to SURBL for public
use. Unfortunately names have an inertia all their own.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You are in a maze of twisty little protocols,
  all written by Microsoft.
--
 6 days until the campaign ads stop



Re: Postfix setting? or Spam Assassin?

2006-11-01 Thread mouss

Alan Fullmer wrote:

Thanks.  That puts me on the right path.

I did forget to post my script:

#!/bin/bash
# Postfix pipe-transport wrapper: score the message with spamc for the
# user given in "$4", then re-inject it with sendmail, handing all of the
# transport's arguments (sender, recipients) through via "$@".
# -f: pass the message through unchanged if spamd is unreachable.
/usr/bin/spamc -f -u "$4" | /usr/sbin/sendmail -i "$@"
exit $?
  


You are filtering one message, using the first recipient ($4). As a 
result, the message will have one score (corresponding to the first user).


use
spamassassin_destination_recipient_limit = 1

so that the message is "split" by postfix (one recipient at a time) 
before using the spamassassin transport.
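An added configuration example showing how the recipient limit and the pipe transport fit together; it is not mouss's or Alan's configuration, and the transport name, script path and unprivileged user are assumptions. With this argv layout the wrapper's positional parameters are $1=-f, $2=sender, $3=--, $4=recipient, which is where the "$4" in the script comes from.

```conf
# main.cf
# Hand every message to the filter once per recipient, so spamc -u runs with
# that user's own preferences and the score in the headers is theirs.
spamassassin_destination_recipient_limit = 1

# master.cf
# Attach the filter to the inbound smtpd only.  Setting content_filter in
# main.cf instead would also filter the copy the wrapper re-injects with
# sendmail -i, looping every message through the filter twice.
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin:

# pipe(8) transport running the wrapper.  With the limit above, ${recipient}
# expands to exactly one address.  "user=spamd" and the script path are
# assumptions for this example.
spamassassin unix  -       n       n       -       -       pipe
  flags=Rq user=spamd argv=/usr/local/bin/spamfilter.sh -f ${sender} -- ${recipient}
```

After editing master.cf run `postfix reload`; a message to three local users then shows up as three separate deliveries in the log, each scored for its own recipient.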






RE: mcafee-spamassassin-rules

2006-11-01 Thread Chris Santerre

> -Original Message-
> From: Theo Van Dinter [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 27, 2006 3:36 PM
> To: users@spamassassin.apache.org
> Subject: Re: mcafee-spamassassin-rules
> 
> 
> On Fri, Oct 27, 2006 at 01:38:32PM -0400, Chris Santerre wrote:
> > > It's also worth noting that hypothetically, if I was a 
> > > company releasing
> > > updates based on an open-source product, I may have 
> incentive to avoid
> > > making those updates useful on said product, otherwise 
> people would
> > > download my updates and not pay me for the software.
> > 
> > Wouldn't that be against the open source lic? 
> 
> Not that I'm aware of, why would it be?  If I produce something on my
> own (like new rules) and publish it, I'm not bound by someone else's
> licensing.  In this case, if I'm following the code license and make
> modifications such that new rules that I produce are in a proprietary
> format, then that's perfectly valid.  With SA 3, I could even make the
> config parsing a plugin and not have to modify any of the base code.


Yeah, I was taking a jab at someone on the list ;) 


Actually I have nothing but PRAISE for Mcafee. They are one company who actually give back to the community. If the list knew everything, they would all be emailing mcafee a "thank you" email! 

I'd go work for them, if it wasn't for...you know... that whole UK thing ;) 


Thanks,


Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com






RE: Inconsistent scoring

2006-11-01 Thread Mark
> -Original Message-
> From: Loren Wilton [mailto:[EMAIL PROTECTED] 
> Sent: woensdag 1 november 2006 15:11
> To: users@spamassassin.apache.org
> Subject: Re: Inconsistent scoring
> 
> 
> Also, while I've never seen it done, I think it is 
> theoretically possible to have spaces on either side
> of the equal sign. So the regex really should 
> probably be:
> 
> > rawbody IMG_SRC_CID /src\s*=\s*"?cid:/i

Well, that matches newlines, too (really, even without /m). So, you want:

rawbody IMG_SRC_CID /src[ \t]*=[ \t]*"?cid:/i

And if we're really nitpicky, we want to match "src" on a boundary:

rawbody IMG_SRC_CID /\bsrc[ \t]*=[ \t]*"?cid:/i

- Mark
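The difference between the three regexes comes down to what sits between "src" and "cid:", which is easier to see on inputs than argued in prose. The block below is an added example, not code from Loren, Mark or the SpamAssassin rule set: the three patterns applied to constructed HTML fragments. For this ASCII input Python's re gives \s, [ \t] and \b the same meaning as Perl, so the hits are what the equivalent rawbody rules would produce on the same text.

```python
import re

# The three IMG_SRC_CID variants discussed in the thread.
PATTERNS = {
    "ws_s":        re.compile(r'src\s*=\s*"?cid:', re.I),          # Loren: \s also matches newline
    "space_tab":   re.compile(r'src[ \t]*=[ \t]*"?cid:', re.I),    # Mark: only space and tab
    "space_tab_b": re.compile(r'\bsrc[ \t]*=[ \t]*"?cid:', re.I),  # Mark: plus a word boundary before src
}

# Constructed inputs, one per way the patterns can disagree.
SAMPLES = {
    "plain":   '<img src="cid:part1.example">',
    "spaced":  '<img src = "cid:part1.example">',
    "newline": '<img src=\n"cid:part1.example">',       # attribute folded across lines
    "imgsrc":  '<img imgsrc="cid:part1.example">',      # "src" inside another word
    "http":    '<img src="http://example.com/a.gif">',  # not a cid: reference at all
}


def hits(fragment):
    """Which of the three patterns fire on one fragment."""
    return {name: bool(p.search(fragment)) for name, p in PATTERNS.items()}


def compare_all(samples=SAMPLES):
    """Hit table for every sample, keyed by sample label."""
    return {label: hits(text) for label, text in samples.items()}


if __name__ == "__main__":
    for label, result in compare_all().items():
        print(f"{label:8s}", result)
```

On the "newline" fragment only the \s version fires; on "imgsrc" the \b version is the only one that stays quiet. Whether a folded attribute should count as a hit is the question John raises in his reply, and running a candidate rule over a corpus of real messages, as was done for the rule at the top of this page, settles it better than the regex alone.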



Re: R: R: R: Relay Checker Plugin (code review please?)

2006-11-01 Thread Andreas Pettersson

Steven Dickenson wrote:


On Oct 31, 2006, at 6:09 AM, John Rudd wrote:

I've considered the exact opposite (adding static to the check for 
keywords).  My rules are really looking more for "is this a _client_ 
host", not "is this a dynamic host".  That one check looks for 
"dynamic", but I'm not interested in exempting anyone because 
they're "static".  They've still got a hostname that looks like an 
end-client, and an end-client shouldn't be connecting to other 
people's mail servers.  Any end-client that connects to someone 
else's email server should be treated like it's a spam/virus zombie



I can't agree with this.  Many small businesses in the US get just 
these kind of static connections from broadband ISPs.  Comcast, for 
example, has all of their static customers using rDNS that would fail 
your tests, and they refuse to set up a custom PTR record or delegate 
the record to someone else. 



I disagree on your disagreement. This is my opinion: If you don't have 
control over your rDNS, do NOT run any mail server, unless you relay all 
outbound mail through a server at your ISP.


Most of these static customers are legitimate business networks 
running their own mail server, and have neither the need nor desire 
to relay their mail through Comcast's SMTP servers.  I think your 
general idea is very good, but you're reaching a little too far with 
this one.



'No need nor desire', that's not really any good excuse. Use a relay or 
find your mail rejected, I'd say.


--
Andreas




AWL score change

2006-11-01 Thread Steve Ingraham








I am running qmail with spamassassin 3.1.5.  I am
having a problem with spamassassin scoring.  I have been attempting to change
the score for AWL to -25.  Here is a header from an email I received a
short time ago with a score of 1.4 for AWL in the X-Spam-Report section:

 

Microsoft Mail Internet Headers Version 2.0
Received: from MXI.occa.state.ok.us ([172.16.255.12]) by mxi2.occa.state.ok.us with Microsoft SMTPSVC(6.0.3790.1830); Wed, 1 Nov 2006 11:42:36 -0600
Received: from dellapp02.occa.state.ok.us ([204.87.111.225]) by MXI.occa.state.ok.us with Microsoft SMTPSVC(5.0.2195.6713); Wed, 1 Nov 2006 11:42:36 -0600
Received: (qmail 14972 invoked by uid 507); 1 Nov 2006 17:37:38 -
Received: by simscan 1.2.0 ppid: 14916, pid: 14927, t: 6.1872s scanners: attach: 1.2.0 clamav: 0.88.4/m:40/d:2106 spam: 3.1.5
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on dellapp02.occa.state.ok.us
X-Spam-Level: *
X-Spam-Status: Yes, score=5.4 required=5.0 tests=AWL,BAYES_50, JR_RCVD_TOO_FEW_HOPS autolearn=no version=3.1.5
X-Spam-Report: 
    * 1.0 JR_RCVD_TOO_FEW_HOPS Just one hop means direct untrusted client
    * 3.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
    *      [score: 0.5858]
    * 1.4 AWL AWL: From: address is in the auto white-list
Received: from unknown (HELO 101comm.hdsmail.com) (66.37.227.191) by dellapp02.occa.state.ok.us with SMTP; 1 Nov 2006 17:37:32 -
Received-SPF: pass (dellapp02.occa.state.ok.us: SPF record at 101comm.hdsmail.com designates 66.37.227.191 as permitted sender)
From: "Federal Computer Week" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: ***SPAM*** Effective Compliance Strategies webinar from FCW and CA
Date: Wed, 01 Nov 2006 11:00:00 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Reply-To: [EMAIL PROTECTED]
Message-Id: SM[EMAIL PROTECTED]>
X-Spam-Prev-Subject: Effective Compliance Strategies webinar from FCW and CA
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 01 Nov 2006 17:42:36.0803 (UTC) FILETIME=[1E815530:01C6FDDD]

 

I don’t understand why AWL would not be showing a
score of -25.  The above header is just one example of user emails that
have an AWL score higher than the -25 that I set up.  I believe I have
made the change for this scoring correctly.  To make the change I inserted
a line in local.cf.

 

Here is the local.cf script:

 

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

# This file has been changed to support spamassassin-toaster-3.0.1-1.2.1
# Nick Hemmesch <[EMAIL PROTECTED]>
# May 30, 2005

#ok_languages all
ok_locales all
skip_rbl_checks 0

required_hits 5
report_safe 0
# report_header 1
# use_terse_report 1
# rewrite_subject 0
rewrite_header Subject ***SPAM***

use_bayes 1
bayes_file_mode 0700
bayes_path /etc/mail/spamassassin/.spamassassin/bayes
bayes_auto_learn_threshold_spam 8.0
bayes_auto_expire 1

use_auto_whitelist 1
auto_whitelist_file_mode 0700
auto_whitelist_path /etc/mail/spamassassin/.spamassassin/auto-whitelist

#use_razor2 1

score BAYES_05 0.5
score BAYES_50 3.0
score BAYES_95 9.5
score BAYES_99 10.0
score AWL -25

whitelist_to [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED] *.abanet.org [EMAIL PROTECTED]
whitelist_from searchExchange@lists.techtarget.com [EMAIL PROTECTED] [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED] [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED]
whitelist_from [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]


After saving local.cf I then ran Jake Vickers command
qmail-spam restart but our users are still receiving emails with AWL scores
that are not showing as -25.  Does anyone have any ideas why my AWL scores
are not reflecting -25?  Where is the AWL rule located?  I would like
to understand better how spamassassin is using AWL and why my change to the
local.cf is not having an effect on this score.

 

Thanks in advance,

Steve Ingraham
Director of Information Services
Oklahoma Court of Criminal Appeals
[EMAIL PROTECTED]
405 522-5343

 








Re: AWL score change

2006-11-01 Thread Jim Maul

Steve Ingraham wrote:
I am running qmail with spamassassin 3.1.5.  I am having a problem with 
spamassassin scoring.  I have been attempting to change the score for 
AWL to -25.  Here is a header from an email I received a short time ago 
with a score of 1.4 for AWL in the X-Spam-Report section:





You can not change the score of this rule.  The AWL is not a whitelist. 
It is a score averager. Its score changes depending on certain factors.


Why not just disable it and use real whitelisting?

-Jim


RE: AWL score change

2006-11-01 Thread Steve Ingraham
Steve Ingraham wrote:
>> I am running qmail with spamassassin 3.1.5.  I am having a problem
with 
>> spamassassin scoring.  I have been attempting to change the score for

>> AWL to -25.  Here is a header from an email I received a short time
ago 
>> with a score of 1.4 for AWL in the X-Spam-Report section:
 
Jim Maul wrote:
>You can not change the score of this rule.  The AWL is not a whitelist.

>It is a score averager. Its score changes depending on certain factors.

>Why not just disable it and use real whitelisting?

I did not know that about AWL.  As far as using the whitelist, my users
are getting messages that are scored using AWL from multiple locations.
I see it as becoming cumbersome to add dozens or hundreds of incoming
addresses in the whitelist.

Steve


Compromised computer IP list downloadable?

2006-11-01 Thread Ben Wylie
Obviously there are many different DNS block lists and some of these are 
specifically for blocking compromised computers used as drones to send 
spam. However I have experienced a massive attack on my server by some 
bot network, trying to send spam through my server, and I would like to 
be able to download a list of IP addresses or ranges of IP addresses to 
plug into a firewall to block all of this traffic automatically.


Is there such a list, or is this kind of service only available from DNS 
block lists?

Thanks
Ben




Re: AWL score change

2006-11-01 Thread Jim Maul

Steve Ingraham wrote:

Steve Ingraham wrote:

I am running qmail with spamassassin 3.1.5.  I am having a problem
with 

spamassassin scoring.  I have been attempting to change the score for



AWL to -25.  Here is a header from an email I received a short time
ago 

with a score of 1.4 for AWL in the X-Spam-Report section:
 
Jim Maul wrote:

You can not change the score of this rule.  The AWL is not a whitelist.



It is a score averager. Its score changes depending on certain factors.



Why not just disable it and use real whitelisting?


I did not know that about AWL.  As far as using the whitelist, my users
are getting messages that are scored using AWL from multiple locations.
I see it as becoming cumbersome to add dozens or hundreds of incoming
addresses in the whitelist.

Steve




I've not used whitelisting myself but from what others have posted on 
this list, it seems that you can use wildcards.  Im not sure if many of 
the addresses are from the same domain or not but this may be able to 
help you out.  I'd look into the various whitelist_* commands and see if 
they will work for you.


http://wiki.apache.org/spamassassin/ManualWhitelist

-Jim
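Jim's "score averager" description can be made concrete with numbers from Steve's own header: total 5.4 = 1.0 + 3.0 + 1.4, so the message scored 4.0 before AWL, and the plugin added 1.4 to pull it toward what that sender's earlier mail averaged. The block below is an added example written for this page, not the AWL plugin's own code. It keeps two things from Mail::SpamAssassin::Plugin::AWL: the history is keyed by sender address plus the sending network, and the AWL value is (mean of the sender's previous scores - this message's score) * auto_whitelist_factor, with the factor defaulting to 0.5. Storage, locking and expiry are left out, the sender address is a placeholder, and the keying on the first two octets of the relay IP is this editor's reading of the 3.1-era behaviour. It also shows why `score AWL -25` in local.cf changes nothing: the plugin supplies its own value per message and never consults the configured score; `use_auto_whitelist 0` is the switch that turns it off.

```python
from collections import defaultdict

AWL_FACTOR = 0.5   # SpamAssassin default for auto_whitelist_factor


def awl_key(sender, ip):
    """History key.  Assumption for this example: the 3.1-era keying on the
    first two octets of the relay address; your version may differ."""
    a, b = ip.split(".")[:2]
    return f"{sender.lower()}|ip={a}.{b}"


class AutoWhitelist:
    def __init__(self, factor=AWL_FACTOR):
        self.factor = factor
        self.history = defaultdict(lambda: [0.0, 0])   # key -> [sum of scores, count]

    def adjust(self, sender, ip, score):
        """Return (awl_delta, final_score) for a message whose score before AWL
        is `score`, then record that pre-AWL score in the sender's history.
        The delta comes from earlier messages only, so a first sighting gets
        0.0; nothing here reads a configured "score AWL" value, because the
        real plugin does not either."""
        key = awl_key(sender, ip)
        total, count = self.history[key]
        delta = 0.0 if count == 0 else (total / count - score) * self.factor
        self.history[key][0] += score
        self.history[key][1] += 1
        return delta, score + delta


def implied_history_mean(pre_awl_score, awl_delta, factor=AWL_FACTOR):
    """Invert the formula: given the AWL line in a report and the rest of the
    score, what did this sender's earlier mail average?"""
    return pre_awl_score + awl_delta / factor


if __name__ == "__main__":
    # Steve's header: 4.0 before AWL, AWL added 1.4 -> earlier mail averaged 6.8
    print(implied_history_mean(4.0, 1.4))
    # Constructed history that ends in exactly that message (IP from the header).
    awl = AutoWhitelist()
    for s in (8.0, 6.0, 6.4, 4.0):
        print(awl.adjust("sender@example.com", "66.37.227.191", s))
```

The sequence 8.0, 6.0, 6.4 averages 6.8, so the fourth message at 4.0 gets +1.4, matching the header. The same mechanism cuts the other way: a sender whose earlier mail scored low pulls a later spam down, which is the behaviour Steve was hoping to force with -25 and cannot.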



RE: Inconsistent scoring

2006-11-01 Thread John D. Hardin
On Wed, 1 Nov 2006, Mark wrote:

> > > rawbody IMG_SRC_CID /src\s*=\s*"?cid:/i
> 
> Well, that matches newlines, too (really, even without /m). So, you want:
> 
> rawbody IMG_SRC_CID /src[ \t]*=[ \t]*"?cid:/i

Why? Newlines there are syntactically valid, are they not?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If someone has a gun and is trying to kill you, it would be
  reasonable to shoot back with your own gun.
  -- the Dalai Lama, May 15, 2001
---
 6 days until the campaign ads stop



Re: Compromised computer IP list downloadable?

2006-11-01 Thread Stuart Johnston

Ben Wylie wrote:
Obviously there are many different DNS block lists and some of these are 
specifically for blocking compromised computers used as drones to send 
spam. However I have experienced a massive attack on my server by some 
bot network, trying to send spam through my server, and i would like to 
be able to download a list of ip addresses or ranges of ip addresses to 
plug into a firewall to block all of this traffic automatically.


Is there such a list, or is this kind of service only available from DNS 
block lists?


Spamhaus has the DROP (Don't Route Or Peer) list which is specifically intended for use on routers 
and firewalls.  It is fairly small though so it may not help in your situation.


http://www.spamhaus.org/drop/
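Turning the DROP text file into firewall rules is a few lines, but a downloaded list that gets fed straight into iptables deserves a sanity check first. The block below is an added example, not Spamhaus' code or anything posted in this thread. The sample list is constructed in the DROP file format (";" starts a comment, each entry is "CIDR ; SBL reference") using RFC 5737 documentation ranges and placeholder SBL ids, not real listings; the local-network list is an assumption to adjust to your own address space.

```python
import ipaddress

# Constructed sample in the DROP format; documentation ranges, placeholder ids.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample)
; Last-Modified: Wed, 01 Nov 2006 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/24 ; SBL000003
"""

# Networks a downloaded list must never be allowed to firewall.  Assumption:
# replace with the ranges you actually use.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_drop(text):
    """';' starts a comment, each remaining line is 'CIDR ; SBLnnn'.
    strict=True makes a mangled line raise instead of silently widening."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def sanity_check(nets, local_nets=LOCAL_NETS):
    """Refuse prefixes a hijacked-netblock feed should never contain, so a
    truncated or tampered download cannot blackhole the Internet or your LAN."""
    for n in nets:
        if n.prefixlen < 8:
            raise ValueError(f"refusing over-broad prefix {n}")
        if any(n.overlaps(local) for local in local_nets):
            raise ValueError(f"refusing prefix {n}: overlaps a local network")
    return nets


def iptables_rules(nets, chain="DROPLIST"):
    """Rebuild a dedicated chain from the list.  Hook it once from INPUT with
    'iptables -I INPUT -j DROPLIST'; reruns only flush and refill the chain."""
    rules = [f"iptables -N {chain} 2>/dev/null || true", f"iptables -F {chain}"]
    rules += [f"iptables -A {chain} -s {n} -j DROP" for n in nets]
    rules.append(f"iptables -A {chain} -j RETURN")
    return rules


if __name__ == "__main__":
    for cmd in iptables_rules(sanity_check(parse_drop(SAMPLE_DROP))):
        print(cmd)
```

For a list much longer than DROP, one iptables rule per prefix gets slow; an ipset (or ipfw table on the BSD side Evan mentioned) loaded from the same parsed networks is the usual answer. Note also what DROP is for: hijacked and otherwise unrouted netblocks, not individual infected hosts, so it will not cover most of a botnet that is sending from ordinary consumer address space.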



Re: Relay Checker Plugin (code review please?)

2006-11-01 Thread Billy Huddleston

Attached is patch to allow scores to be done in the .cf file

--- RelayChecker.pm 2006-10-30 18:02:28.0 -0500
+++ ../RelayChecker.pm  2006-11-01 15:36:53.0 -0500
@@ -31,6 +31,12 @@
# headerRELAY_CHECKER   eval:relay_checker()
# describe  RELAY_CHECKER   Check relay for DNS/Hostname issues.

+our $base_score = 4;
+our $nordns_score = 1;
+our $badrdns_score = 1;
+our $baddns_score = 1;
+our $ipinhostname_score = 1;
+our $dynhostname_score = 1;

sub new {
   my ($class, $mailsa) = @_;
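Review bot: the six `our` package globals make the scores process-wide state, so under spamd with per-user configuration, or any setup that reads more than one config file, the last value parsed wins for every message after it. Keep them on the Conf object instead (`$self->{main}->{conf}->{rc_base_score}` and friends, defaults set in new() or through set_config()) and read them from `$pms->{conf}` in relay_checker(). The options also get no comment or POD here; a line per option saying what it weights would help, since nothing else documents them.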
@@ -44,6 +50,27 @@
   return $self;
   }

+sub parse_config {
+my ( $self, $opts ) = @_;
+   if ( $opts->{key} eq "rc_base_score" ) {
+$base_score = $opts->{value};
+   }
+   elsif ( $opts->{key} eq "rc_nordns_score" ) {
+$nordns_score = $opts->{value};
+   }
+   elsif ( $opts->{key} eq "rc_badrdns_score" ) {
+$badrdns_score = $opts->{value};
+   }
+   elsif ( $opts->{key} eq "rc_baddns_score" ) {
+$baddns_score = $opts->{value};
+   }
+   elsif ( $opts->{key} eq "rc_ipinhostname_score" ) {
+$ipinhostname_score = $opts->{value};
+   }
+   elsif ( $opts->{key} eq "rc_dynhostname_score" ) {
+$dynhostname_score = $opts->{value};
+   }
+}

sub relay_checker {
   my ($self, $pms) = @_;
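Review bot: parse_config() never tells the parser that it consumed the line. In each branch, after the assignment, call `$self->inhibit_further_callbacks();` and `return 1;`, otherwise SpamAssassin still treats `rc_base_score 1.4` as an unknown option and `spamassassin --lint` warns about it. The value is also stored unvalidated, so a typo in the .cf ends up as a string in the score arithmetic below; check it with something like `$opts->{value} =~ /^-?\d+(?:\.\d+)?$/` and reject the line when that fails.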
@@ -75,7 +102,7 @@
   if (! defined($hostname)) {
  # the IP address doesn't have a PTR record
  Mail::SpamAssassin::Plugin::dbg("RelayChecker: nordns");
-  $nordns = 1;
+  $nordns = $nordns_score;
  }
   else {
  ($name, $aliases, $addrtype, $length, @addrs) = 
gethostbyname($hostname);
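Review bot: `$nordns` now doubles as the check's flag and its weight, and the same substitution is made for the other four variables in the hunks below: `if ($nordns)` in the description code still treats it as a boolean, so `rc_nordns_score 0` (the natural way to switch one sub-check off) also drops that sub-check's text, and a negative weight is still counted as a hit. Leave the 0/1 flags as they were and apply the weights only in the summation, e.g. `$score = $nordns * $nordns_score + $badrdns * $badrdns_score + ...;`, so the reporting logic and the arithmetic stay independent.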

@@ -83,7 +110,7 @@
  if (! defined($name)) {
 # the PTR record leads to a host that doesn't resolve in DNS
 Mail::SpamAssassin::Plugin::dbg("RelayChecker: badrdns");
- $badrdns = 1;
+ $badrdns = $badrdns_score;
 }
  else {
 Mail::SpamAssassin::Plugin::dbg("RelayChecker: name is $name");
@@ -96,7 +123,7 @@
# the hostname in the PTR record does resolve, but that 
hostname

# doesn't have $ip as one of its IP addresses
Mail::SpamAssassin::Plugin::dbg("RelayChecker: baddns");
-$baddns = 1;
+$baddns = $baddns_score;
}
 else {
($a, $b, $c, $d) = split(/\./, $ip); # decimal octets
@@ -124,7 +151,7 @@
   # in hex or decimal form ... or the entire thing in decimal
   # probably a spambot since this is an untrusted relay
   Mail::SpamAssassin::Plugin::dbg("RelayChecker: 
ipinhostname");

-   $ipinhostname = 1;
+   $ipinhostname = $ipinhostname_score;
   }
if ($hostname =~
  /(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+$/
@@ -136,7 +163,7 @@
   # hostname contains words that look dynamic
   # probably a spambot since this is an untrusted relay
   Mail::SpamAssassin::Plugin::dbg("RelayChecker: 
dynhostname");

-   $dynhostname = 1;
+   $dynhostname = $dynhostname_score;
   }

} # found ip addr
@@ -145,7 +172,7 @@

   $score = $nordns + $badrdns + $baddns + $ipinhostname + $dynhostname;
   if ($score) {
-  $score += 4;
+  $score += $base_score;
  my $description = $pms->{conf}->{description}->{RELAY_CHECKER};

  if ($nordns) {


--- RelayChecker.cf 2006-10-30 18:02:28.0 -0500
+++ ../RelayChecker.cf  2006-11-01 15:38:30.0 -0500
@@ -7,4 +7,9 @@
loadplugin  RelayCheckerRelayChecker.pm
header  RELAY_CHECKER   eval:relay_checker()
describeRELAY_CHECKER   Check relay for DNS/Hostname issues
-
+rc_base_score  1.4
+rc_nordns_score1
+rc_badrdns_score   1
+rc_baddns_score1
+rc_ipinhostname_score  1
+rc_dynhostname_score   1
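Review bot: the defaults disagree between the two files (`rc_base_score 1.4` here, `our $base_score = 4;` in the module), so the rule's minimum total is 2.4 with this .cf installed and 5 without it, which is the difference between a rule that flags a message on its own and one that does not. Pick one default and add a comment above each option saying what it weights, since nothing else documents them. Also note that because the base score is added only when the component sum is non-zero, setting all five component weights to 0 silences the rule entirely rather than leaving the base score in place.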







- Original Message - 
From: "Andreas Pettersson" <[EMAIL PROTECTED]>

To: "Steven Dickenson" <[EMAIL PROTECTED]>
Cc: "John Rudd" <[EMAIL PROTECTED]>; "Giampaolo Tomassoni" 
<[EMAIL PROTECTED]>; 

Sent: Wednesday, November 01, 2006 12:11 PM
Subject: Re: R: R: R: Relay Checker Plugin (code review please?)



Steven Dickenson wrote:


On Oct 31, 2006, at 6:09 AM, John Rudd wrote:

I've considered the exact opposite (adding static to the check for 
keywords).  My rules are really looking more for "is this a  _client_ 
host", not "is this a dynamic host".  That one check looks  for 
"dynamic", but I'm not interested in exempting anyone because  they're 
"static".  They've still got a hostname that looks like an  end-client, 
and an end-client shouldn't be connecting to other  people's mail 
servers.  Any end-client that connects to someone  else's email server 
should be treated like it's a spam/virus zombie



I can't agree with this.  Many small businesses in the US get just  these 
kind of static connections from broadband ISPs.  Comcast, for  example, 
has all of their static customers using rDNS that would fail  your tests, 
and t

RE: Relay Checker Plugin (code review please?)

2006-11-01 Thread Dylan Bouterse
> -Original Message-
> From: Billy Huddleston [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 01, 2006 3:58 PM
> To: users@spamassassin.apache.org
> Subject: Re: Relay Checker Plugin (code review please?)
> 
> Attached is patch to allow scores to be done in the .cf file
> 
> --- RelayChecker.pm 2006-10-30 18:02:28.0 -0500
> +++ ../RelayChecker.pm  2006-11-01 15:36:53.0 -0500
> @@ -31,6 +31,12 @@
>  # headerRELAY_CHECKER   eval:relay_checker()
>  # describe  RELAY_CHECKER   Check relay for DNS/Hostname issues.
> 
> +our $base_score = 4;
> +our $nordns_score = 1;
> +our $badrdns_score = 1;
> +our $baddns_score = 1;
> +our $ipinhostname_score = 1;
> +our $dynhostname_score = 1;
> 
>  sub new {
> my ($class, $mailsa) = @_;
> @@ -44,6 +50,27 @@
> return $self;
> }
> 
> +sub parse_config {
> +my ( $self, $opts ) = @_;
> +   if ( $opts->{key} eq "rc_base_score" ) {
> +$base_score = $opts->{value};
> +   }
> +   elsif ( $opts->{key} eq "rc_nordns_score" ) {
> +$nordns_score = $opts->{value};
> +   }
> +   elsif ( $opts->{key} eq "rc_badrdns_score" ) {
> +$badrdns_score = $opts->{value};
> +   }
> +   elsif ( $opts->{key} eq "rc_baddns_score" ) {
> +$baddns_score = $opts->{value};
> +   }
> +   elsif ( $opts->{key} eq "rc_ipinhostname_score" ) {
> +$ipinhostname_score = $opts->{value};
> +   }
> +   elsif ( $opts->{key} eq "rc_dynhostname_score" ) {
> +$dynhostname_score = $opts->{value};
> +   }
> +}
> 
>  sub relay_checker {
> my ($self, $pms) = @_;
> @@ -75,7 +102,7 @@
> if (! defined($hostname)) {
># the IP address doesn't have a PTR record
>Mail::SpamAssassin::Plugin::dbg("RelayChecker: nordns");
> -  $nordns = 1;
> +  $nordns = $nordns_score;
>}
> else {
>($name, $aliases, $addrtype, $length, @addrs) =
> gethostbyname($hostname);
> @@ -83,7 +110,7 @@
>if (! defined($name)) {
>   # the PTR record leads to a host that doesn't resolve in DNS
>   Mail::SpamAssassin::Plugin::dbg("RelayChecker: badrdns");
> - $badrdns = 1;
> + $badrdns = $badrdns_score;
>   }
>else {
>   Mail::SpamAssassin::Plugin::dbg("RelayChecker: name is
$name");
> @@ -96,7 +123,7 @@
>  # the hostname in the PTR record does resolve, but that
> hostname
>  # doesn't have $ip as one of its IP addresses
>  Mail::SpamAssassin::Plugin::dbg("RelayChecker: baddns");
> -$baddns = 1;
> +$baddns = $baddns_score;
>  }
>   else {
>  ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets
> @@ -124,7 +151,7 @@
> # in hex or decimal form ... or the entire thing in
> decimal
> # probably a spambot since this is an untrusted relay
> Mail::SpamAssassin::Plugin::dbg("RelayChecker:
> ipinhostname");
> -   $ipinhostname = 1;
> +   $ipinhostname = $ipinhostname_score;
> }
>  if ($hostname =~
>/(cable|catv|client|ddns|dhcp|dial-
> ?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+$/
> @@ -136,7 +163,7 @@
> # hostname contains words that look dynamic
> # probably a spambot since this is an untrusted relay
> Mail::SpamAssassin::Plugin::dbg("RelayChecker:
> dynhostname");
> -   $dynhostname = 1;
> +   $dynhostname = $dynhostname_score;
> }
> 
>  } # found ip addr
> @@ -145,7 +172,7 @@
> 
> $score = $nordns + $badrdns + $baddns + $ipinhostname +
$dynhostname;
> if ($score) {
> -  $score += 4;
> +  $score += $base_score;
>my $description = $pms->{conf}->{description}->{RELAY_CHECKER};
> 
>if ($nordns) {
> 
> 
> --- RelayChecker.cf 2006-10-30 18:02:28.0 -0500
> +++ ../RelayChecker.cf  2006-11-01 15:38:30.0 -0500
> @@ -7,4 +7,9 @@
>  loadplugin  RelayCheckerRelayChecker.pm
>  header  RELAY_CHECKER   eval:relay_checker()
>  describeRELAY_CHECKER   Check relay for DNS/Hostname issues
> -
> +rc_base_score  1.4
> +rc_nordns_score1
> +rc_badrdns_score   1
> +rc_baddns_score1
> +rc_ipinhostname_score  1
> +rc_dynhostname_score   1
> 
> 
> 
> 
> 
> 
> 
> - Original Message -
> From: "Andreas Pettersson" <[EMAIL PROTECTED]>
> To: "Steven Dickenson" <[EMAIL PROTECTED]>
> Cc: "John Rudd" <[EMAIL PROTECTED]>; "Giampaolo Tomassoni"
> <[EMAIL PROTECTED]>; 
> Sent: Wednesday, November 01, 2006 12:11 PM
> Subject: Re: R: R: R: Relay Checker Plugin (code review please?)
> 
> 
> > Steven Dickenson wrote:
> >
> >> On Oct 31, 2006, at 6:09 AM, John Rudd wrote:
> >>
> >>> I've considered the exact opposite (adding static to the check for
> >>> keywords).  My rules are really looking more for "is this a
_client_
> >>> host", not "is this a dynamic host".  That one check looks  for
> >>> "dy

RE: Relay Checker Plugin (code review please?)

2006-11-01 Thread John D. Hardin
On Wed, 1 Nov 2006, Dylan Bouterse wrote:

> # headerRELAY_CHECKER   eval:relay_checker()
> # describe  RELAY_CHECKER   Check relay for DNS/Hostname issues.
> to:
>if ($nordns) {
> 
> and when I run --lint I get the following errors:
> 
> /etc/mail/spamassassin/RelayChecker.pm line 44, near "27 @@

...how exactly did you apply the patch? From the contents of that
error message it looks like you just inserted the patch text into the
source file...

Take a look at "man patch".

(Sorry if you did do that, but that error message is really suggestive
of improper procedure.)

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If someone has a gun and is trying to kill you, it would be
  reasonable to shoot back with your own gun.
  -- the Dalai Lama, May 15, 2001
---
 6 days until the campaign ads stop



how accurate are rfc-ignorant.org? tests

2006-11-01 Thread Dylan Bouterse
I have a FP that hit both DNS_FROM_RFC_POST and DNS_FROM_RFC_ABUSE but
when I go to http://www.rfc-ignorant.org/ and lookup the sending mail
server IP it says not found. Am I right in assuming if an email fails
these tests the IP should be listed in the above site?

Dylan


RE: Relay Checker Plugin (code review please?)

2006-11-01 Thread Dylan Bouterse
> -Original Message-
> From: John D. Hardin [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 01, 2006 5:05 PM
> To: Dylan Bouterse
> Cc: users@spamassassin.apache.org
> Subject: RE: Relay Checker Plugin (code review please?)
> 
> On Wed, 1 Nov 2006, Dylan Bouterse wrote:
> 
> > # headerRELAY_CHECKER   eval:relay_checker()
> > # describe  RELAY_CHECKER   Check relay for DNS/Hostname issues.
> > to:
> >if ($nordns) {
> >
> > and when I run --lint I get the following errors:
> >
> > /etc/mail/spamassassin/RelayChecker.pm line 44, near "27 @@
> 
> ...how exactly did you apply the patch? From the contents of that
> error message it looks like you just inserted the patch text into the
> source file...
> 
> Take a look at "man patch".
> 
> (Sorry if you did do that, but that error message is really suggestive
> of improper procedure.)
> 

I have never used the patch command and was not aware of it. Thank you
for pointing me in the right direction. I was able to patch my
RelayChecker.cf file using the patch command and the provided patch for
that file but I am getting errors when trying to patch the
RelayChecker.pm file.

[EMAIL PROTECTED] spamassassin]# patch -i RelayChecker.pm.patch
RelayChecker.pm
missing header for unified diff at line 3 of patch
patching file RelayChecker.pm
Hunk #3 succeeded at 102 with fuzz 1.
missing header for unified diff at line 77 of patch
can't find file to patch at input line 77
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--
|   if (! defined($name)) {
|  # the PTR record leads to a host that doesn't resolve in DNS
|  Mail::SpamAssassin::Plugin::dbg("RelayChecker: badrdns");
|- $badrdns = 1;
|+ $badrdns = $badrdns_score;
|  }
|   else {
|  Mail::SpamAssassin::Plugin::dbg("RelayChecker: name is
$name"); @@ -96,7 +123,7 @@
| # the hostname in the PTR record does resolve, but that
hostname
| # doesn't have $ip as one of its IP addresses
| Mail::SpamAssassin::Plugin::dbg("RelayChecker: baddns");
|-$baddns = 1;
|+$baddns = $baddns_score;
| }
|  else {
| ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets @@
-124,7 +151,7 @@
|# in hex or decimal form ... or the entire thing in
decimal
|# probably a spambot since this is an untrusted relay
|Mail::SpamAssassin::Plugin::dbg("RelayChecker:
ipinhostname");
|-   $ipinhostname = 1;
|+   $ipinhostname = $ipinhostname_score;
|}
| if ($hostname =~
|
/(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+
$/
--
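Review bot: the hunk headers in this patch text are not on lines of their own: `$name"); @@ -96,7 +123,7 @@` and `# decimal octets @@` / `-124,7 +151,7 @@` show each `@@` header fused onto the end of the preceding context line, and the long `if ($hostname =~` regex line is broken before `$/`. That line-wrapping is what produces "missing header for unified diff at line 77" and "can't find file to patch", so `-p`/`--strip` is not the fix. Re-save the patch from the original attachment with line wrapping disabled instead of editing the hunks by hand, and note that "Hunk #3 succeeded at 102" means RelayChecker.pm is now partially patched: start again from a pristine copy before re-running `patch`.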



BIG increase in spam today

2006-11-01 Thread Chris
I usually come home from work to find about 60-80 spams in my spam folder. 
Today upon bringing up the mailer there were over 400!  Looks like a large 
botnet attack or something. Has anyone else noticed this? I've not finished 
looking at the ASNs to see where they're from, but I do notice that there 
are about 25-30 with the same subject in each group.

-- 
Chris




confusing message

2006-11-01 Thread Chris
I noticed the below in my spam folder among the other 400+. One note: I have a 
formail recipe that takes the X-SPAM tags from my other domain and marks 
them as Old-X-SPAM. What's confusing is that it appears as though the 
message already went through my box, due to the Old-X-SPAM tags from a check 
here. Also weird is that in the list of email addresses they have three of 
mine, one I haven't used in over 5 years and don't have an account there.

Received: from localhost by cpollock.localdomain
with SpamAssassin (version 3.1.7);
Tue, 31 Oct 2006 20:55:27 -0600
 From: WANLIDA TEXTILE COMPANY <[EMAIL PROTECTED]>
 To: [EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED]
 Subject: COMPANY AGENT NEEDED!!! (EARN. 10%)
 Date: 31 Oct 2006 09:51:17 -0600
 Message-Id: <[EMAIL PROTECTED]>
 X-Spam-Virus: No
 X-Spam-Seen: Tokens 543
 X-Spam-New: Tokens 759
 X-Spam-Remote: Host localhost.localdomain
 X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on 
cpollock.localdomain
 X-Spam-Hammy: Tokens 35
 X-Spam-Status: Yes, score=9.7 required=5.0 
tests=BAYES_80,DATE_IN_PAST_06_12,
DEAR_SOMETHING,FROM_HAS_ULINE_NUMS,PLING_PLING,SAGREY,SUBJ_ALL_CAPS,
UNPARSEABLE_RELAY autolearn=disabled version=3.1.7
 X-Spam-Spammy: Tokens 116
 X-Spam-Pyzor: Reported 0 times.
 X-Spam-Token: Summary Tokens: new, 216; hammy, 35; neutral, 392; spammy, 
116.
 X-Spam-DCC: cpollock 1113; Body=1 Fuz1=1 Fuz2=1
 X-Spam-Untrusted: Relays
 X-Spam-Level: *
 X-Spam-RBL: Results
 MIME-Version: 1.0
 Content-Type: multipart/mixed;
  boundary="--=_45480C9F.9E6A47F5"
 X-UID: 73827
 X-Length: 16405

Encapsulated message

Encapsulated message


Return-Path: <[EMAIL PROTECTED]>
 Received: from linuxsrv01.ecdiscounts.com ([EMAIL PROTECTED]) 
by toadnet.com (8.13.1/8.13.1) with ESMTP id k9VG1f70008895 
for <[EMAIL PROTECTED]>; Tue, 31 Oct 2006 10:01:41 -0600
 X-ClientAddr: 72.3.230.4
 Received: from www1.sssecure.net (www1.sssecure.net [72.3.230.4]) 
by linuxsrv01.ecdiscounts.com (8.13.1/8.12.11) with ESMTP id 
k9VG1ZcB019918 
for <[EMAIL PROTECTED]>; Tue, 31 Oct 2006 10:01:38 -0600
 Received: (qmail 17702 invoked by uid 48); 31 Oct 2006 09:51:17 -0600
 Date: 31 Oct 2006 09:51:17 -0600
 Message-ID: <[EMAIL PROTECTED]>
 To: [EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAIL PROTECTED], 
[EMAI

Re: Relay Checker Plugin (code review please?)

2006-11-01 Thread Billy Huddleston
You may want to download a new RelayChecker.pm file...  you may have messed it 
up previously.


If you still have problems let me know..

- Original Message - 
From: "Dylan Bouterse" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, November 01, 2006 6:39 PM
Subject: RE: Relay Checker Plugin (code review please?)



-Original Message-
From: John D. Hardin [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 01, 2006 5:05 PM
To: Dylan Bouterse
Cc: users@spamassassin.apache.org
Subject: RE: Relay Checker Plugin (code review please?)

On Wed, 1 Nov 2006, Dylan Bouterse wrote:

> # headerRELAY_CHECKER   eval:relay_checker()
> # describe  RELAY_CHECKER   Check relay for DNS/Hostname issues.
> to:
>if ($nordns) {
>
> and when I run --lint I get the following errors:
>
> /etc/mail/spamassassin/RelayChecker.pm line 44, near "27 @@

...how exactly did you apply the patch? From the contents of that
error message it looks like you just inserted the patch text into the
source file...

Take a look at "man patch".

(Sorry if you did do that, but that error message is really suggestive
of improper procedure.)



I have never used the patch command and was not aware of it. Thank you
for pointing me in the right direction. I was able to patch my
RelayChecker.cf file using the patch command and the provided patch for
that file but I am getting errors when trying to patch the
RelayChecker.pm file.

[EMAIL PROTECTED] spamassassin]# patch -i RelayChecker.pm.patch
RelayChecker.pm
missing header for unified diff at line 3 of patch
patching file RelayChecker.pm
Hunk #3 succeeded at 102 with fuzz 1.
missing header for unified diff at line 77 of patch
can't find file to patch at input line 77
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--
|   if (! defined($name)) {
|  # the PTR record leads to a host that doesn't resolve in DNS
|  Mail::SpamAssassin::Plugin::dbg("RelayChecker: badrdns");
|- $badrdns = 1;
|+ $badrdns = $badrdns_score;
|  }
|   else {
|  Mail::SpamAssassin::Plugin::dbg("RelayChecker: name is
$name"); @@ -96,7 +123,7 @@
| # the hostname in the PTR record does resolve, but that
hostname
| # doesn't have $ip as one of its IP addresses
| Mail::SpamAssassin::Plugin::dbg("RelayChecker: baddns");
|-$baddns = 1;
|+$baddns = $baddns_score;
| }
|  else {
| ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets @@
-124,7 +151,7 @@
|# in hex or decimal form ... or the entire thing in
decimal
|# probably a spambot since this is an untrusted relay
|Mail::SpamAssassin::Plugin::dbg("RelayChecker:
ipinhostname");
|-   $ipinhostname = 1;
|+   $ipinhostname = $ipinhostname_score;
|}
| if ($hostname =~
|
/(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+
$/
--



Re: whitelist_from_rcvd

2006-11-01 Thread Matt Kettler
Chris Edwards wrote:
> OK I think I get it, here is a header from one of the companies we do
> business with...
>
> Microsoft Mail Internet Headers Version 2.0
> Received: from gandalf.ctdx.net ([199.0.161.154]) by buythetruck.com
> with Microsoft SMTPSVC(6.0.3790.211);
>Tue, 31 Oct 2006 23:27:03 -0500
> Received: from harbor.x-cart.com (harbor.x-cart.com [69.20.14.15])
>   by gandalf.ctdx.net (8.13.7/8.13.6) with ESMTP id kA14M3vT018502
>   for <[EMAIL PROTECTED]>; Tue, 31 Oct 2006 23:22:03 -0500
>
>   

> So their entry would be...
>
> whitelist_from_rcvd [EMAIL PROTECTED] x-cart.com 
>
> Correct?
>   

Depends, is the IP address that results from resolving gandalf.ctdx.net
trusted?

If so, yes, that's the correct entry.



RE: Relay Checker Plugin (code review please?)

2006-11-01 Thread Dylan Bouterse
I did a couple of times. :(

> -Original Message-
> From: Billy Huddleston [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 01, 2006 9:20 PM
> To: Dylan Bouterse; users@spamassassin.apache.org
> Subject: Re: Relay Checker Plugin (code review please?)
> 
> You may want to download new RelayChecker.pm file...  you may have
messed
> it
> up previously..
> 
>  If you still have problems let me know..
> 
> - Original Message -
> From: "Dylan Bouterse" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, November 01, 2006 6:39 PM
> Subject: RE: Relay Checker Plugin (code review please?)
> 
> 
> > -Original Message-
> > From: John D. Hardin [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, November 01, 2006 5:05 PM
> > To: Dylan Bouterse
> > Cc: users@spamassassin.apache.org
> > Subject: RE: Relay Checker Plugin (code review please?)
> >
> > On Wed, 1 Nov 2006, Dylan Bouterse wrote:
> >
> > > # headerRELAY_CHECKER   eval:relay_checker()
> > > # describe  RELAY_CHECKER   Check relay for DNS/Hostname
issues.
> > > to:
> > >if ($nordns) {
> > >
> > > and when I run --lint I get the following errors:
> > >
> > > /etc/mail/spamassassin/RelayChecker.pm line 44, near "27 @@
> >
> > ...how exactly did you apply the patch? From the contents of that
> > error message it looks like you just inserted the patch text into
the
> > source file...
> >
> > Take a look at "man patch".
> >
> > (Sorry if you did do that, but that error message is really
suggestive
> > of improper procedure.)
> >
> 
> I have never used the patch command and was not aware of it. Thank you
> for pointing me in the right direction. I was able to patch my
> RelayChecker.cf file using the patch command and the provided patch
for
> that file but I am getting errors when trying to patch the
> RelayChecker.pm file.
> 
> [EMAIL PROTECTED] spamassassin]# patch -i RelayChecker.pm.patch
> RelayChecker.pm
> missing header for unified diff at line 3 of patch
> patching file RelayChecker.pm
> Hunk #3 succeeded at 102 with fuzz 1.
> missing header for unified diff at line 77 of patch
> can't find file to patch at input line 77
> Perhaps you should have used the -p or --strip option?
> The text leading up to this was:
> --
> |   if (! defined($name)) {
> |  # the PTR record leads to a host that doesn't resolve in
DNS
> |  Mail::SpamAssassin::Plugin::dbg("RelayChecker: badrdns");
> |- $badrdns = 1;
> |+ $badrdns = $badrdns_score;
> |  }
> |   else {
> |  Mail::SpamAssassin::Plugin::dbg("RelayChecker: name is
> $name"); @@ -96,7 +123,7 @@
> | # the hostname in the PTR record does resolve, but that
> hostname
> | # doesn't have $ip as one of its IP addresses
> | Mail::SpamAssassin::Plugin::dbg("RelayChecker: baddns");
> |-$baddns = 1;
> |+$baddns = $baddns_score;
> | }
> |  else {
> | ($a, $b, $c, $d) = split(/\./, $ip); # decimal octets @@
> -124,7 +151,7 @@
> |# in hex or decimal form ... or the entire thing in
> decimal
> |# probably a spambot since this is an untrusted relay
> |Mail::SpamAssassin::Plugin::dbg("RelayChecker:
> ipinhostname");
> |-   $ipinhostname = 1;
> |+   $ipinhostname = $ipinhostname_score;
> |}
> | if ($hostname =~
> |
>
/(cable|catv|client|ddns|dhcp|dial-?up|dip|dsl|dynamic|ppp)\S*\.\S+\.\S+
> $/
> --



Re: Compromised computer IP list downloadable?

2006-11-01 Thread Jeff Chan
On Wednesday, November 1, 2006, 10:25:35 AM, Ben Wylie wrote:
> Obviously there are many different DNS block lists and some of these are 
> specifically for blocking compromised computers used as drones to send 
> spam. However I have experienced a massive attack on my server by some 
> bot network, trying to send spam through my server, and i would like to 
> be able to download a list of ip addresses or ranges of ip addresses to 
> plug into a firewall to block all of this traffic automatically.

> Is there such a list, or is this kind of service only available from DNS 
> block lists?
> Thanks
> Ben

There are various lists that attempt to map out bad-guy-space,
but if there were one perfect list of compromised computers,
don't you think we would all be using it to block spam and
attacks?

That's a rhetorical question, not a criticism of your question.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



Re[4]: why this spam has a negative score?

2006-11-01 Thread m . donicova
I edited my settings to:

whitelist_from_rcvd * fw.muvalmez.cz

The spam with a negative score is coming through SpamAssassin again:

Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on fw.muvalmez.cz
X-Spam-Status: No, score=-80.5 required=5.0 tests=BAYES_50,DC_GIF_UNO_LARGO,
DC_IMAGE_SPAM_HTML,DC_IMAGE_SPAM_TEXT,DC_IMG_HTML_RATIO,
DC_IMG_TEXT_RATIO,EXTRA_MPART_TYPE,HTML_90_100,HTML_IMAGE_ONLY_08,
HTML_MESSAGE,MIME_HTML_MOSTLY,MY_CID_AND_CLOSING,MY_CID_AND_STYLE,
SARE_GIF_ATTACH,SARE_GIF_STOX,UNPARSEABLE_RELAY,USER_IN_WHITELIST 
autolearn=no version=3.1.5
X-Spam-Level: 
X-Original-To: [EMAIL PROTECTED]
Received: from tm.net.my (unknown [219.95.18.47])
by fw.muvalmez.cz (Postfix) with ESMTP id 4C3292C0EB
for <[EMAIL PROTECTED]>; Wed,  1 Nov 2006 10:25:29 +0100 (CET)
Received: from mailin.webmailer.de (port=1513 helo=ctwumfepkgu)
by tm.net.my with smtp
id 1856q-VwQ6-2u
for [EMAIL PROTECTED]; Wed, 01 Nov 2006 17:25:34 +0800
Message-ID: <[EMAIL PROTECTED]>
From: "Curtis Lopez" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: high priest representative on Askone invent them.
Date: Wed, 01 Nov 2006 17:25:34 +0800
MIME-Version: 1.0
X-Security: MIME headers sanitized on fw.muvalmez.cz
See http://www.impsec.org/email-tools/sanitizer-intro.html
for details. $Revision: 1.139 $Date: 2003-09-07 10:14:23-07 
Content-Type: multipart/related;
type="multipart/alternative";
boundary="=_NextPart_000_000B_01C6FDDA.B2AB33A0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 
0.88.4/2137/Wed Nov  1 09:39:47 2006
Status:   
X-Antivirus: AVG for E-mail 7.5.427 [268.13.21/510]



-- 
Regards,
 [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED]



Re: why this spam has a negative score?

2006-11-01 Thread Alan Premselaar
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



[EMAIL PROTECTED] wrote:
> I edit my setting to:
> 
> whitelist_from_rcvd * fw.muvalmez.cz
> 
> the spam with negative score is coming through spamassassin again
> 
> Return-Path: <[EMAIL PROTECTED]>
> X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on fw.muvalmez.cz
> X-Spam-Status: No, score=-80.5 required=5.0 tests=BAYES_50,DC_GIF_UNO_LARGO,
> DC_IMAGE_SPAM_HTML,DC_IMAGE_SPAM_TEXT,DC_IMG_HTML_RATIO,
> DC_IMG_TEXT_RATIO,EXTRA_MPART_TYPE,HTML_90_100,HTML_IMAGE_ONLY_08,
> HTML_MESSAGE,MIME_HTML_MOSTLY,MY_CID_AND_CLOSING,MY_CID_AND_STYLE,
> SARE_GIF_ATTACH,SARE_GIF_STOX,UNPARSEABLE_RELAY,USER_IN_WHITELIST 
  ^^

You don't happen to have [EMAIL PROTECTED] in your whitelist do you?

Alan
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFSYrvE2gsBSKjZHQRAuIyAKDsNuKCRJF1cediMAhFrlj/EPTuuwCgg1si
//6OQ9JjPbissU9bTrm/8lI=
=CRaS
-END PGP SIGNATURE-
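Two posts in this thread turn on the same distinction: Matt's answer to Chris Edwards (whether `whitelist_from_rcvd ... x-cart.com` fires depends on whether gandalf.ctdx.net is trusted) and Alan's question above about USER_IN_WHITELIST on the message that `whitelist_from_rcvd * fw.muvalmez.cz` was supposed to cover. The following is an added example, not SpamAssassin's own code: a simplified model of how the two rule types are documented to behave. It parses constructed Received headers modelled on the ones quoted in both posts, picks the last untrusted relay using trusted_networks, and applies the rules. The sender addresses, the `*@x-cart.com` glob, the `whitelist_from` entry and the trusted_networks values are assumptions; SpamAssassin's real Received parser and its WLBLEval plugin handle many more header shapes, and both rule types are reported under the same USER_IN_WHITELIST name, so `spamassassin -D` is the way to see which entry actually matched.

```python
"""Simplified model of SpamAssassin's whitelist_from vs whitelist_from_rcvd.

Added example for this thread, not SpamAssassin's own code. whitelist_from
looks only at the sender address; whitelist_from_rcvd additionally requires
the reverse DNS of the last untrusted relay to end in the given domain.
"""
import re
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

# Matches "from <helo> (<rdns> [<ip>]) by <host>".  The rdns part is optional
# ("from host ([1.2.3.4]) by ...") and MTAs write "unknown" when the PTR
# lookup failed.  Real Received syntax is richer; this covers the common shape.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(headers):
    """Return the relays top-down (most recent hop first)."""
    relays = []
    for line in headers:
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.search(line)
        if not m:
            continue  # no "[ip]" to work with: SA would report UNPARSEABLE_RELAY
        rdns = (m.group("rdns") or "").lower()
        if rdns == "unknown":
            rdns = ""  # the receiving MTA found no verified reverse DNS
        relays.append({"helo": m.group("helo"), "rdns": rdns,
                       "ip": m.group("ip"), "by": m.group("by")})
    return relays


def last_untrusted_relay(relays, trusted_networks):
    """Walk outwards from our own MX; the first hop whose IP is not in
    trusted_networks is the one that handed us the message."""
    nets = [ip_network(n) for n in trusted_networks]
    for relay in relays:
        if not any(ip_address(relay["ip"]) in n for n in nets):
            return relay
    return None  # every hop was ours (internal mail)


def whitelist_from(sender, entries):
    """whitelist_from: a plain glob on the sender address, trivially spoofable."""
    return any(fnmatch(sender.lower(), e.lower()) for e in entries)


def whitelist_from_rcvd(sender, relays, trusted_networks, entries):
    """whitelist_from_rcvd: the address glob must match AND the last untrusted
    relay's rDNS must be the domain itself or a host under it."""
    relay = last_untrusted_relay(relays, trusted_networks)
    if relay is None or not relay["rdns"]:
        return False
    for glob, domain in entries:
        domain = domain.lower()
        if fnmatch(sender.lower(), glob.lower()) and (
                relay["rdns"] == domain or relay["rdns"].endswith("." + domain)):
            return True
    return False


# Constructed headers modelled on the two quoted in the thread, trimmed to
# the parts the regex needs.
XCART_HEADERS = [
    "Received: from gandalf.ctdx.net ([199.0.161.154]) by buythetruck.com "
    "with Microsoft SMTPSVC(6.0.3790.211);",
    "Received: from harbor.x-cart.com (harbor.x-cart.com [69.20.14.15]) "
    "by gandalf.ctdx.net (8.13.7/8.13.6) with ESMTP id kA14M3vT018502",
]
SPAM_HEADERS = [
    "Received: from tm.net.my (unknown [219.95.18.47]) by fw.muvalmez.cz "
    "(Postfix) with ESMTP id 4C3292C0EB",
    "Received: from mailin.webmailer.de (port=1513 helo=ctwumfepkgu) "
    "by tm.net.my with smtp id 1856q-VwQ6-2u",   # no [ip]: skipped
]


def xcart_case(gandalf_trusted):
    """Matt's point: the answer flips on whether gandalf.ctdx.net is trusted.
    The sender address and the *@x-cart.com glob are assumptions."""
    trusted = ["199.0.161.154/32"] if gandalf_trusted else []
    return whitelist_from_rcvd("someone@x-cart.com", parse_received(XCART_HEADERS),
                               trusted, [("*@x-cart.com", "x-cart.com")])


def muvalmez_case():
    """'whitelist_from_rcvd * fw.muvalmez.cz' versus a plain whitelist_from entry
    that happens to equal the spoofed From address (both addresses assumed)."""
    relays = parse_received(SPAM_HEADERS)
    by_rcvd = whitelist_from_rcvd("spoofed@example.org", relays, ["127.0.0.0/8"],
                                  [("*", "fw.muvalmez.cz")])
    by_from = whitelist_from("spoofed@example.org", ["spoofed@example.org"])
    return by_rcvd, by_from


if __name__ == "__main__":
    print("gandalf trusted   ->", xcart_case(True))    # True
    print("gandalf untrusted ->", xcart_case(False))   # False
    print("(rcvd, from)      ->", muvalmez_case())     # (False, True)
```

In the model the `* fw.muvalmez.cz` entry cannot match the quoted spam at all: the relay that delivered it has rDNS "unknown", so a `whitelist_from_rcvd` rule has nothing to compare, whereas an address-only `whitelist_from` entry matches whatever the spammer puts in From:. That is the check Alan is asking for.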


TVD tests?

2006-11-01 Thread Dylan Bouterse
In the 80_additional.cf file I have a list of TVD* rules that are not
explained on the http://spamassassin.apache.org/tests_3_1_x.html page
(I'm running SA 3.1.7 and up to date with sa-update). Are these new
rules added to SA? Most of the scores rank pretty high and I'm seeing
them pop up in FPs more and more.

Dylan


Re: TVD tests?

2006-11-01 Thread Nigel Frankcom
On Thu, 2 Nov 2006 01:47:31 -0500, "Dylan Bouterse"
<[EMAIL PROTECTED]> wrote:

>In the 80_additional.cf file I have a list of TVD* rules that are not
>explained on the http://spamassassin.apache.org/tests_3_1_x.html page
>(I'm running SA 3.1.7 and up to date with sa-update). Are these new
>rules added to SA? Most of the scores rank pretty high and I'm seeing
>them pop up in FPs more and more.
>
>Dylan

I think the TVD rules are to do with GIF spams. If your users use
Outlook and stationery then FPs can be high unless you balance the
scores with whitelisting and/or don't scan local users.

HTH

Nigel