Re: mail bounce warning for the list
On 11/7/06, Derek Harding [EMAIL PROTECTED] wrote:

Gary W. Smith wrote:

Was the SA group listed by spamcop last month? I just now received this for messages from October 26th.

Who cares?

[EMAIL PROTECTED]: 209.209.82.24 does not like recipient. Remote host said: 554 5.7.1 Service unavailable; Client host [140.211.11.2] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?140.211.11.2 Giving up on 209.209.82.24.

Gary Wayne Smith

Anyone dumb enough to block outright on the spamcop BL deserves whatever they don't get.

Derek

Is this not part of the problem? That many of these people who 'deserve whatever they don't get' are operating under the mistaken belief that these spam vigilantes are protecting them from spam and allowing legitimate mail through? We can enter into a pointless argument about whether this is due to the stupidity of their administrators or the arrogance of the knowledgeable administrators, but the fact is that this is happening. This is evidenced by the number of complaints from people claiming either not to have received legitimate email or to have it bounced by spamcop or some such site.

Blocking mail based solely on the IP address (whether because it is a dynamic address or has at some time in the past sent a mail to a spamtrap) is akin to shooting the postman because yesterday you received an advertisement. The only way to kill spam is to inspect the mail using a tool such as SA and then reach an intelligent decision based on the results (the interpretation of the results will vary from site to site). Blocking IP addresses will not kill spam, it kills the mail system. The spammer will move to another IP, the poor innocent user doesn't know what to do and either accepts that his mail may not reach all recipients or reverts to licking stamps.

mike
R: mail bounce warning for the list
Anyone dumb enough to block outright on the spamcop BL deserves whatever they don't get.

Yeah! Score it, don't pretend it to be God.

Giampaolo

Derek
Problem synchronizing database of two spamassassins
Hello,

We have two incoming email servers for our organization. We are running spamassassin on these servers (debian sarge + postfix 2.1.5 + spamassassin 3.1.0a). To synchronize spamassassin's database and journal we copy the /var/lib/amavis/.spamassassin of one server (let's call it the master server) to the other (the slave server, where we run sa-learn --sync). We also do all the learn operations on the master server.

With this I thought that these two servers should behave the same way, but I am observing that they score the same messages differently. For example, for one message the master server returns for the command spamc -d master:

X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on xenon1.telemat.um.es
X-Spam-Level: ***
X-Spam-Status: No, score=3.1 required=5.0 tests=BAYES_60,EXTRA_MPART_TYPE,
    HTML_00_10,HTML_MESSAGE,HTML_TAG_BALANCE_BODY,UPPERCASE_25_50 autolearn=disabled
    version=3.1.0

and the slave:

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on xenon2.telemat.um.es
X-Spam-Level: *
X-Spam-Status: Yes, score=5.1 required=5.0 tests=BAYES_80,EXTRA_MPART_TYPE,
    HTML_00_10,HTML_MESSAGE,HTML_TAG_BALANCE_BODY,UPPERCASE_25_50 autolearn=disabled
    version=3.1.0
X-Spam-Report:
    * 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
    * 0.2 HTML_TAG_BALANCE_BODY BODY: HTML has unbalanced body tags
    * 3.0 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
    *     [score: 0.9259]
    * 0.8 HTML_00_10 BODY: Message is 0% to 10% HTML
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 0.0 UPPERCASE_25_50 message body is 25-50% uppercase

so one of them classified it as spam and the other not. The only difference I've found is that the master hit the BAYES_60 and the slave the BAYES_80.

Why this different score? Am I synchronizing my servers the right way?

Thanks in advance.

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337
R: new here, big problem
It seems to me that your work company runs its own e-mail server with its own copy of spamassassin. I suggest contacting the network and IT staff at work and explaining the problem to them: they can whitelist messages coming from [EMAIL PROTECTED]

Giampaolo

I sure hope you guys can help me out here. I am a non-techie that feels like she's entering a tech world. I receive an e-news type of deal daily through a reputable group in my line of business. I have received these for at least 2 years now with no problem. Last week they started getting interrupted and I was sent some version of the following with them:

Our UCE (spam) detectors have been triggered by a message you received:-
From: [EMAIL PROTECTED]
Subject: SAMHSA Report: Cost/Coverage Limits Primary Barrier to MH Treatment
Date: Fri Nov 3 12:25:15 2006

This message has not been delivered. The detectors that were triggered are spam, SpamAssassin. The message to you has been detected as spam based on either its contents or the mail server which sent the message to us, or both. We do not accept unsolicited commercial (spam) e-mail and actively work to stop it. If you have any questions about this, or you believe you have received this message in error, please contact the site system administrators.

Your system administrators will need the following information:
Server name: the antispam ()
MailScanner Message id: AD5344E6A97E.99C0B
Date code: 20061103

Uh, yeah, sure whatever you say. I do not have spamassassin, never downloaded it. I changed servers about a month ago at home and have checked with my ISP and they do not use it. The from address has not changed either. I retrieve my mail through Mozilla at home, the account that is having this problem is on my work account so I don't know how that interplays because I have a different server at home where I am pulling the messages from.

The first day I got this was Sep 25 and it blocked all the msgs (usually 2-5 a day) but it let 1 message through on the 26th and blocked the others. The 27th it let 5 through and deleted 2 for me (gee thanks) but I got all but one on the 30th and all on the 31st. You get the idea.

What can I do to get my messages back? And how do I stop it from happening?

sheryle
Re: Do something useful with bad addresses?
On Monday 06 November 2006 21:50, John Rudd wrote:

And, I have in fact seen misses that had VERY low bayes scores (BAYES_00).

With no more info about the content of said misses it would be hard to say your bayes was poisoned. It would be even harder to see how spam would poison bayes to MISS things.

Historically the idea of poison was to make bayes useless, and un-trustworthy by causing it to generate too many false positives. That essentially hasn't worked out too well.

It's not too hard to imagine that sending spam to linux users that pretends to deal with issues pertaining to linux, but slipping a couple lines about insert spam topic might sneak by. But this hardly fits my definition of bayes poison.

-- 
John Andersen
Re: new here, big problem
On Monday 06 November 2006 22:02, sheryle Stafford wrote:

The message to you has been detected as spam based on either its contents or the mail server which sent the message to us, or both.

Even if the content didn't change dramatically, the SOURCE of the enews may have been reported to one of several spam-source-listings. (Usually by someone who can't get off their mailing list).

In any event, Somebody is running spamassassin, it usually runs in mail servers, not desktop machines of end users. So follow Giampaolo's advice and see the people who run your Email server.

And I have to include the obligatory: Spamassassin does not block mail, it only classifies it. Something ELSE is blocking your mail.

-- 
John Andersen
Re: Problem synchronizing database of two spamassassins
On Tuesday 07 November 2006 00:33, Angel L. Mateo wrote:

so one of them classified it as spam and the other not. The only difference I've found is that the master hit the BAYES_60 and the slave the BAYES_80. Why this different score? Am I synchronizing my servers the right way?

So then, you answered your own question. ;-)

More seriously, are you also copying the bayes database from one to the other?

Are you running one site-wide bayes, or individual bayes databases in user accounts?

Were the files synced BEFORE or AFTER the test message was scored by the first server?

-- 
John Andersen
Re: Problem synchronizing database of two spamassassins
On Tue, 07-11-2006 at 00:58 -0900, John Andersen wrote:

On Tuesday 07 November 2006 00:33, Angel L. Mateo wrote:

so one of them classified it as spam and the other not. The only difference I've found is that the master hit the BAYES_60 and the slave the BAYES_80. Why this different score? Am I synchronizing my servers the right way?

So then, you answered your own question. ;-)

I guess I am doing something wrong, but I don't know what, nor which is the correct way to synchronize them.

More seriously, are you also copying the bayes database from one to the other?

Yes, I am copying all files in the /var/lib/amavis/.spamassassin. The files copied are:

* bayes_journal
* bayes_seen
* bayes_toks
* user_prefs

Are you running one site-wide bayes, or individual bayes databases in user accounts?

I am running site-wide bayes, not individual bayes databases.

Were the files synced BEFORE or AFTER the test message was scored by the first server?

The files on both servers were synced before I ran this test, so servers are supposed to be using the same bayes database.

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337
Re: Default SpamAssassin scores don't make sense
Matt Kettler writes:

Adam Katz wrote:

Theo Van Dinter wrote:

http://wiki.apache.org/spamassassin/HowScoresAreAssigned

Thanks, that's what I was looking for.

The short version is that as far as SA and the perceptron (that which generates the scores) are concerned, rules are independent. There is no increase in severity, either a rule hits or it doesn't.

Bayes is a perfect example of this, and is mentioned as such on the very page you referenced. Several filters, including those that I listed at the top of this thread, are indeed incremental, increasing in severity. I am shocked to hear that there is nobody moderating the automated scores (an Alan Greenspan of the anti-spam world, per se).

Nobody said that nobody moderates the scores. I myself spend a considerable amount of time studying them. However, none of us is so rash as to make adjustments just to make the results look better. 99% of the time, investigations into illogical scores turn up real-world evidence that explains them.

Let's take a brief look at your SPF example. You'd expect SPF_FAIL to have a higher score than SPF_SOFTFAIL. However, the real world shows otherwise. Let's rip the results out of STATISTICS-set3.txt:

OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
  3.437   4.8942   0.0396   0.992    0.80    1.38  SPF_SOFTFAIL
  2.550   3.5717   0.1676   0.955    0.53    1.14  SPF_FAIL

Look at the S/O for each. This represents what percentage of mail the rule matched is actually spam, where 1.00 means 100% of the matching messages were spam. Notice how the S/O of SPF_FAIL is actually LOWER than SOFTFAIL?

Why? Probably because there are more aggressive admins publishing records with -all without thinking about their whole network. The more cautious folks who have spent a lot of time thinking about their network, are more likely to realize they might have missed something and use ~all (softfail).

Human behavior is in no way linear, and SPF here is a result of the behavior of the admin publishing the records. My explanation is a guess, but it makes sense if you think about the general behaviors of a cautious admin compared to a rabid one.

Now let's look at DATE_IN_FUTURE..

  1.605   2.2815   0.0264   0.989    0.75    1.96  DATE_IN_FUTURE_03_06
  0.926   1.2926   0.0716   0.948    0.56    1.67  DATE_IN_FUTURE_06_12
  1.986   2.8309   0.0151   0.995    0.81    2.77  DATE_IN_FUTURE_12_24
  0.260   0.3676   0.0075   0.980    0.53    2.69  DATE_IN_FUTURE_24_48
  0.089   0.1252   0.0038   0.971    0.40    2.10  DATE_IN_FUTURE_48_96
  0.245   0.3474   0.0075   0.979    0.52    2.40  DATE_IN_FUTURE_96_XX

Here again we see non-linearity in the S/O performance of the real world data. Note that 06_12 has the lowest S/O of the lot, and, imagine that, it got the lowest score too.

There's some degree of non-fit here, as DATE_IN_FUTURE_96_XX has the highest score, but not the highest S/O. A study of the actual corpus itself would likely show that this rule is more likely to match spam that has very few other rules matching, hence the higher score. This is a case of that interaction with other rules thing in my last message.

HTML_OBFUSCATE is a bit more complicated:

OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
  0.637   0.9048   0.0132   0.986    0.66    1.45  HTML_OBFUSCATE_05_10
  0.921   1.3128   0.0075   0.994    0.74    1.77  HTML_OBFUSCATE_10_20
  0.671   0.9582   0.       1.000    0.70    3.40  HTML_OBFUSCATE_20_30
  0.406   0.5801   0.       1.000    0.63    2.86  HTML_OBFUSCATE_30_40
  0.198   0.2836   0.       1.000    0.51    2.64  HTML_OBFUSCATE_40_50
  0.242   0.3458   0.       1.000    0.54    2.03  HTML_OBFUSCATE_50_60
  0.081   0.1155   0.       1.000    0.40    1.65  HTML_OBFUSCATE_60_70
  0.055   0.0784   0.       1.000    0.38    1.47  HTML_OBFUSCATE_70_80
  0.012   0.0178   0.       1.000    0.31    0.98  HTML_OBFUSCATE_80_90
  0.004   0.0057   0.       1.000    0.29    0.00  HTML_OBFUSCATE_90_100

Here the S/O's have a clear up-swing trend. However, the hit-rates at the upper end are very low. That's probably what's suppressing the scores of 60_70 and higher. They just don't hit enough mail to be relevant.

Yep. It may also be that they hit only spam that is *already* scoring over 10 points -- at that stage, there's no point in adding to the score, so whatever value the perceptron assigns to it would have no real effect. Therefore the perceptron is free to assign low scores.

--j.
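
The S/O argument in the message above can be checked mechanically. The following is an added example, not code from any poster or from the SpamAssassin project: it re-derives S/O from the SPAM% and HAM% columns of the SPF and DATE_IN_FUTURE rows and lists every step up in nominal severity where the score falls. It assumes S/O = SPAM% / (SPAM% + HAM%), which the code verifies against the listed values; the HTML_OBFUSCATE rows are left out because their HAM% column is truncated on this page.

```python
from typing import NamedTuple

# Rows copied from the STATISTICS-set3.txt excerpt quoted in the message above,
# ordered within each family from least to most severe by rule name.
# Columns: OVERALL% SPAM% HAM% S/O RANK SCORE NAME
FAMILIES = {
    "SPF": """\
3.437 4.8942 0.0396 0.992 0.80 1.38 SPF_SOFTFAIL
2.550 3.5717 0.1676 0.955 0.53 1.14 SPF_FAIL
""",
    "DATE_IN_FUTURE": """\
1.605 2.2815 0.0264 0.989 0.75 1.96 DATE_IN_FUTURE_03_06
0.926 1.2926 0.0716 0.948 0.56 1.67 DATE_IN_FUTURE_06_12
1.986 2.8309 0.0151 0.995 0.81 2.77 DATE_IN_FUTURE_12_24
0.260 0.3676 0.0075 0.980 0.53 2.69 DATE_IN_FUTURE_24_48
0.089 0.1252 0.0038 0.971 0.40 2.10 DATE_IN_FUTURE_48_96
0.245 0.3474 0.0075 0.979 0.52 2.40 DATE_IN_FUTURE_96_XX
""",
}


class Rule(NamedTuple):
    overall: float
    spam: float
    ham: float
    so: float
    rank: float
    score: float
    name: str


def parse_rows(text):
    """Parse whitespace-separated statistics rows; skip anything malformed."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        try:
            rows.append(Rule(*map(float, parts[:6]), parts[6]))
        except ValueError:
            continue  # a numeric column did not parse (e.g. a truncated value)
    return rows


def recomputed_so(rule):
    """S/O taken as SPAM% / (SPAM% + HAM%); an assumption of this example."""
    return rule.spam / (rule.spam + rule.ham)


def so_mismatches(rows, tol=0.001):
    """Names of rules whose listed S/O disagrees with the recomputed value."""
    return [r.name for r in rows if abs(recomputed_so(r) - r.so) > tol]


def severity_steps(rows):
    """For each adjacent pair (less severe -> more severe): score and S/O change."""
    return [
        (lo.name, hi.name,
         round(hi.score - lo.score, 2),
         round(recomputed_so(hi) - recomputed_so(lo), 3))
        for lo, hi in zip(rows, rows[1:])
    ]


def unexplained_drops(rows):
    """Steps where the score falls although S/O did not fall with it."""
    return [s for s in severity_steps(rows) if s[2] < 0 and s[3] >= 0]


def report():
    result = {}
    for family, text in FAMILIES.items():
        rows = parse_rows(text)
        result[family] = {
            "so_mismatches": so_mismatches(rows),
            "steps": severity_steps(rows),
            "unexplained_drops": unexplained_drops(rows),
        }
    return result


if __name__ == "__main__":
    for family, res in report().items():
        print(family, "S/O mismatches:", res["so_mismatches"])
        for lo, hi, dscore, dso in res["steps"]:
            flag = "score drops" if dscore < 0 else "score rises"
            print(f"  {lo} -> {hi}: {flag} ({dscore:+.2f}), S/O {dso:+.3f}")
        print("  drops not matched by an S/O drop:", res["unexplained_drops"])
```
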
Don't use bl.spamcop.net (Re: mail bounce warning for the list)
Gary W. Smith writes:

Was the SA group listed by spamcop last month? I just now received this for messages from October 26th.

Yes. Turn off use of bl.spamcop.net, it's FP'ing on about 25% of mail last time I checked, including ASF mail.

--j.

[EMAIL PROTECTED]: 209.209.82.24 does not like recipient. Remote host said: 554 5.7.1 Service unavailable; Client host [140.211.11.2] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?140.211.11.2 Giving up on 209.209.82.24.

Gary Wayne Smith
FW: ezmlm warning
Hi, I couldn't find any other address to send this. It seems that ML address is blacklisted. Remote host said: 553 5.3.0 [EMAIL PROTECTED]... Spam blocked see: http://spamcop.net/bl.shtml?140.211.11.2 Giving up on 212.179.113.183. See bellow for full transcript. Best, -- Arthur Sherman +972-52-4878851 CPTeam -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 07, 2006 5:30 AM To: [EMAIL PROTECTED] Subject: ezmlm warning Hi! This is the ezmlm program. I'm managing the users@spamassassin.apache.org mailing list. Messages to you from the users mailing list seem to have been bouncing. I've attached a copy of the first bounce message I received. If this message bounces too, I will send you a probe. If the probe bounces, I will remove your address from the users mailing list, without further notice. I've kept a list of which messages from the users mailing list have bounced from your address. Copies of these messages may be in the archive. To retrieve a set of messages 123-145 (a maximum of 100 per request), send an empty message to: [EMAIL PROTECTED] To receive a subject and author list for the last 100 or so messages, send an empty message to: [EMAIL PROTECTED] Here are the message numbers: 49344 49341 49342 49343 49345 49346 49347 49348 49349 49350 49351 49352 49353 49354 49355 49356 49357 49358 49359 49360 49362 49361 49364 49363 49365 49367 49368 49369 49366 49370 49371 49372 49373 49375 49377 49378 49374 49376 49379 49380 49381 49382 49383 49384 49385 49386 49387 49435 49436 49437 49439 49438 49440 49441 49442 49444 49445 49446 49443 49447 49448 49449 49450 49451 49452 49454 49455 49453 49456 49458 49460 49457 49461 49462 49464 49465 49459 49466 49467 49468 49463 49469 49470 49471 49472 49473 49474 49475 49476 49477 49478 49481 49479 49480 49482 49483 49484 49485 49486 49487 49488 49489 49490 49492 49491 49493 49494 49495 49496 49497 49498 49499 49500 49501 49502 49503 49504 49505 49506 49507 49508 49509 49510 49511 --- 
Enclosed is a copy of the bounce message I received. Return-Path: Received: (qmail 1785 invoked for bounce); 26 Oct 2006 06:05:48 - Date: 26 Oct 2006 06:05:48 - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: failure notice Hi. This is the qmail-send program at apache.org. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. [EMAIL PROTECTED]: 212.179.113.183 does not like recipient. Remote host said: 553 5.3.0 [EMAIL PROTECTED]... Spam blocked see: http://spamcop.net/bl.shtml?140.211.11.2 Giving up on 212.179.113.183.
Re: Problem synchronizing database of two spamassassins
On Tue, Nov 07, 2006 at 11:22:31AM +0100, Angel L. Mateo wrote: I am running site-wide bayes, not individual bayes databases. I am also interested in the answer to your question. Do you stop spamd when copying the files or restart it after you have done so? We have three mail servers an they started out with the same Bayesian database, and we use the same feedback to feed sa-learn on all three of them. Other than that I do not sync them. I also see difference in the scores from the different machines on the same message. Would it be possible to rsync the databases while spamd are running? Regards Johann -- Johann Spies Telefoon: 021-808 4036 Informasietegnologie, Universiteit van Stellenbosch Jesus said unto her, I am the resurrection, and the life; he that believeth in me, though he were dead, yet shall he live. John 11:25
Re: Have SA delete a message
segassem pu skram ylno AS segassem pu skram ylno AS segassem pu skram ylno AS segassem pu skram ylno AS segassem pu skram ylno AS... Yep - stupid question as i can see :) - am on the right track now. Thanks!! On 11/7/06, Theo Van Dinter [EMAIL PROTECTED] wrote: On Tue, Nov 07, 2006 at 03:21:40PM +1300, Simon wrote: 'tag'ing spam correctly. What do i do to have sa delete the message above a certain level? Is there a preference i can set somewhere? Stand on your head and chant SA only marks up messages. :) ie: you can't have SA delete mails, you'd have to configure something outside of SA to delete or reject/etc messages, based on the markup. -- Randomly Selected Tagline: Matt to Lower Intestine ... Matt to Lower Intestine ... Please pick up white courtesy phone. - Theo to Matt
Re: Problem synchronizing database of two spamassassins
On Tue, 07-11-2006 at 14:28 +0200, Johann Spies wrote:

On Tue, Nov 07, 2006 at 11:22:31AM +0100, Angel L. Mateo wrote:

I am running site-wide bayes, not individual bayes databases.

I am also interested in the answer to your question. Do you stop spamd when copying the files or restart it after you have done so?

I copy the files while spamd is running and restart it after the copy. I also run sa-learn --sync in the slave server.

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337
RE: mail bounce warning for the list
So what you're saying is that the rule that people running listservers should maintain valid recipients who want to receive messages from the list shouldn't be followed just because it's a list about an antispam product? The last time I checked, the most common reason for spamcop lists is due to messages being sent to their spam traps.

What's the point of even having rules in SA for spamcop and other DNSBLs if you don't have a certain level of trust in them? SA is more resource intensive than an MTA block which is why so many still use it. I know that over 20k a day trip the SORBs DUL rule here and around 10k trip spamhaus. You can pretty much bet it's all spam so I can understand why people would rather use those lists at their MTAs based on their observations of the mail flow for their domains.

There have been messages posted to this list that can have very positive SA scores simply due to the content. So based off that, I guess everyone should whitelist users@spamassassin.apache.org and spammers reading the list can just turn around and use that as their return address because then the argument could be made that anyone who doesn't deserves not to get mail from the SA lists.

I believe the correct process here is that the moderators of the SA listserver investigate why the listserver got listed on Spamcop. If it is a case where there are addresses to spamtraps in the list, then maybe the list needs to send out opt-in verification messages to weed them out.

-=B

From: Mike Kenny [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 07, 2006 3:15 AM
To: users@spamassassin.apache.org
Subject: Re: mail bounce warning for the list

On 11/7/06, Derek Harding [EMAIL PROTECTED] wrote:

Gary W. Smith wrote:

Was the SA group listed by spamcop last month? I just now received this for messages from October 26th.

Who cares?

[EMAIL PROTECTED]: 209.209.82.24 does not like recipient. Remote host said: 554 5.7.1 Service unavailable; Client host [140.211.11.2] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?140.211.11.2 Giving up on 209.209.82.24.

Gary Wayne Smith

Anyone dumb enough to block outright on the spamcop BL deserves whatever they don't get.

Derek

Is this not part of the problem? That many of these people who 'deserve whatever they don't get' are operating under the mistaken belief that these spam vigilantes are protecting them from spam and allowing legitimate mail through? We can enter into a pointless argument about whether this is due to the stupidity of their administrators or the arrogance of the knowledgeable administrators, but the fact is that this is happening. This is evidenced by the number of complaints from people claiming either not to have received legitimate email or to have it bounced by spamcop or some such site.

Blocking mail based solely on the IP address (whether because it is a dynamic address or has at some time in the past sent a mail to a spamtrap) is akin to shooting the postman because yesterday you received an advertisement. The only way to kill spam is to inspect the mail using a tool such as SA and then reach an intelligent decision based on the results (the interpretation of the results will vary from site to site). Blocking IP addresses will not kill spam, it kills the mail system. The spammer will move to another IP, the poor innocent user doesn't know what to do and either accepts that his mail may not reach all recipients or reverts to licking stamps.

mike
Re: Log Mail Caught As Spam
jdow wrote: Did you run sa-learn as the same user that is active when the email is being scanned coming in? Yes, the same user. jdow wrote: You do not give enough headers to diagnose the problem. WHAT spam rules hit, for example? That email may be going down in flames for other reasons than Bayes alone. {^_^} I am sorry, i deleted the email now because i found (so far so good) the solution through Magnus Holmgren's answer about whitelist_from_rcvd. So Thanks both of you :). -- View this message in context: http://www.nabble.com/Log-Mail-Caught-As-Spam-tf2582220.html#a7218059 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Problem synchronizing database of two spamassassins
I copy the files while spamd is running and restart it after the copy. I also run sa-learn --sync in the slave server.

Do you run sa-learn --sync on the master?

I ask because I was under the impression that this just synchronized the journal with the database. As you have copied everything across to the slave from the master, it should be in an identical state, until you run the sync, at which stage the DBs are slightly out of sync. I am not sure but suspect that the problem may lie in this area.

mike
Re: Problem synchronizing database of two spamassassins
On Tue, 07-11-2006 at 15:37 +0200, Mike Kenny wrote:

I copy the files while spamd is running and restart it after the copy. I also run sa-learn --sync in the slave server.

Do you run sa-learn --sync on the master?

In the master and in the slave. I run:

* sa-learn --ham --nosync --showdots ... (master)
* sa-learn --spam --nosync --showdots ... (master)
* sa-learn --sync (master)
* copy files from master to slave
* sa-learn --sync (slave)

I ask because I was under the impression that this just synchronized the journal with the database. As you have copied everything across to the slave from the master, it should be in an identical state, until you run the sync, at which stage the DBs are slightly out of sync. I am not sure but suspect that the problem may lie in this area.

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337
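
One way to check whether the master and slave copies discussed in this thread really hold the same Bayes state after the copy and sync steps: compare the counters printed by sa-learn --dump magic on each host. This is an added example, not part of any poster's message; both dumps below are constructed sample data, and the split into content and bookkeeping fields is this example's own choice.

```python
import re

# Constructed sample output of "sa-learn --dump magic" from two hosts
# (values are made up for illustration, not taken from the thread).
MASTER_DUMP = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0      18734          0  non-token data: nspam
0.000          0       9211          0  non-token data: nham
0.000          0     152390          0  non-token data: ntokens
0.000          0 1162700000          0  non-token data: oldest atime
0.000          0 1162890000          0  non-token data: newest atime
0.000          0 1162893000          0  non-token data: last journal sync atime
0.000          0 1162850000          0  non-token data: last expiry atime
0.000          0      43200          0  non-token data: last expire atime delta
0.000          0       2100          0  non-token data: last expire reduction count
"""

SLAVE_DUMP = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0      18734          0  non-token data: nspam
0.000          0       9211          0  non-token data: nham
0.000          0     152388          0  non-token data: ntokens
0.000          0 1162700000          0  non-token data: oldest atime
0.000          0 1162890000          0  non-token data: newest atime
0.000          0 1162893600          0  non-token data: last journal sync atime
0.000          0 1162850000          0  non-token data: last expiry atime
0.000          0      43200          0  non-token data: last expire atime delta
0.000          0       2100          0  non-token data: last expire reduction count
"""

# The third numeric column carries the value; the label follows "non-token data:".
MAGIC_LINE = re.compile(
    r"^\s*[\d.]+\s+\d+\s+(\d+)\s+\d+\s+non-token data: (.+?)\s*$"
)

# Counters describing what has been learned; the remaining fields are
# timestamps and expiry bookkeeping that a later sync or scan may change.
CONTENT_FIELDS = {"bayes db version", "nspam", "nham", "ntokens"}


def parse_magic(dump):
    """Return {field name: integer value} for every non-token line."""
    fields = {}
    for line in dump.splitlines():
        match = MAGIC_LINE.match(line)
        if match:
            fields[match.group(2)] = int(match.group(1))
    return fields


def diff_magic(a, b):
    """Return {field: (value_a, value_b)} for fields that differ or are missing."""
    return {
        key: (a.get(key), b.get(key))
        for key in sorted(set(a) | set(b))
        if a.get(key) != b.get(key)
    }


def verdict(diff):
    """Classify a diff: identical, bookkeeping only, or content differs."""
    if not diff:
        return "identical"
    if CONTENT_FIELDS & set(diff):
        return "content differs"
    return "bookkeeping only"


def compare(dump_a, dump_b):
    diff = diff_magic(parse_magic(dump_a), parse_magic(dump_b))
    return verdict(diff), diff


if __name__ == "__main__":
    status, diff = compare(MASTER_DUMP, SLAVE_DUMP)
    print("verdict:", status)
    for field, (master, slave) in diff.items():
        print(f"  {field}: master={master} slave={slave}")
```

Equal counters do not prove that every token has the same counts on both hosts; they only rule out the obvious case where the two databases have diverged in size or training totals.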
SA and Catch-All
Hi :) My setup is Postfix-SpamAssassin-Amavis. I noticed this behavior: If i receive spam messages to unknown users at my site, for example: [EMAIL PROTECTED] - Mail is sent to quarantine if I send a regular email to [EMAIL PROTECTED] i receive the postfix warning of unknown user. So... Is the content filter happening before postfix MTA can check if the recipient exists ? Is This good? How do you handle this? Thanks -- View this message in context: http://www.nabble.com/SA-and-Catch-All-tf2588823.html#a7218522 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: mail bounce warning for the list
Rose, Bobby wrote: So what you're saying is that the rule that people running listservers should maintain valid recipients who want to receive messages from the list shouldn't be followed just because it's a list about an antispam product? The last time I checked, the most common reason for spamcop lists is due to messages being sent to their spam traps. What's the point of even having rules in SA for spamcop and other DNSBLs if you don't have a certain level of trust in them. SA is more resource intensive that an MTA block which is why so many still use it. I know that over 20k a day trip the SORBs DUL rule here and around 10k trip spamhaus. You can pretty much bet it's all spam so I can understand why people would rather use those lists at their MTAs based on their observations of the mail flow for their domains. You can block millions or billions or however many spams you want with this method, but the second you block one legit piece of mail and your boss doesnt get it, its your ass. People can do whatever they like with their servers, but blocking mail at the MTA using blacklists is A BAD IDEA, PERIOD. I realize it may be necessary for some setups that actually receive thousands or millions of messages a day, but that doesnt make it any better of an idea. Also, show me a boss that gives a crap that the reason the message to him/her was blocked was because the senders mail server is listed in some BL somewhere and i'll be really impressed. Most dont want to know and mainly dont care WHY it happened..they just know that the server you set up blocked a legit message and if your lucky they wont be too pissed off. Good luck. I'd rather not introduce that headache into my work life. There have been messages posted to this list that can have very positive SA scores simply due to the content. 
So based of that, I guess everyone should whitelist users@spamassassin.apache.org mailto:users@spamassassin.apache.org and spammers reading the list can just turn around and use that as their return address because then the argument could be made that anyone who doesn't deserves not to get mail from the SA lists. There are reasons that other whitelist methods exist that arent as easily forged but im sure you already know that. This argument is pretty lame at best. I believe the correct process here is that the moderators of the SA listserver investigate why the listserver got listed on Spamcop. If it is a case where there are addresses to spamtraps in the list, then maybe the list needs to send out opt-in verification messages to weed them out. Again, who knows..who cares? Legit systems get listed in BL's all the time. It really doesnt seem to matter how hard one tries to prevent this from happening as many lists have many different listing criteria. Would you like to volunteer your time to get legit servers delisted from all BLs? Thats mighty nice of you... As someone else said before, stop blocking mail outright based on these lists and use them for scoring instead and be done with it. -Jim
No hit on this..
I don't get any points or hits on the following mail (source code)

Return-Path: [EMAIL PROTECTED]
Received: from mail.the-server.net (192.168.222.210 [192.168.222.210])
    by iris (Cyrus v2.1.15) with LMTP; Tue, 07 Nov 2006 14:16:42 +0100
X-Sieve: CMU Sieve 2.2
Received: from amavis.the-server.net (localhost [127.0.0.1])
    by mail.the-server.net (Postfix) with ESMTP id A18B4289E
    for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:42 +0100 (CET)
X-Virus-Scanned: amavisd-new, Kaspersky, NOD32 F-Secure AV at the-server.net
Received: from mail.the-server.net ([127.0.0.1])
    by amavis.the-server.net (siri.the-server.net [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id f1VtfVKEydJi for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:35 +0100 (CET)
Received: from adsl196-248-101-217-196.adsl196-12.iam.net.ma (adsl196-248-101-217-196.adsl196-12.iam.net.ma [196.217.101.248])
    by mail.the-server.net (Postfix) with ESMTP id C32F527CE
    for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:34 +0100 (CET)
Received: from 207.46.163.22 (HELO mail.global.sprint.com)
    by onlineperv.net with esmtp (XY858TN74 NPLTF7) id 65QEDV-QBQJSL-FU
    for [EMAIL PROTECTED]; Mon, 6 Nov 2006 10:30:57 -0060
From: Reinaldo Gallagher [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Reinaldo here :)
Date: Mon, 6 Nov 2006 10:30:57 -0060
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Thread-Index: Aca6QHEK2ARZEZF3J8OLNEYUMM69T6==

What's the first rule of investing? Buy low sell high! Yesterday, market forces caused our top pick (EGLY) to close down on the day. This gives our members the perfect opportunity to pick some up on the cheap before the big news!

Ever-Glory International (EGLY)
Current: 0.63
Projected: 1.30
Rating: 5/5

Here's the latest news: LOS ANGELES, CALIFORNIA-(MARKET WIRE)-Nov 6, 2006 - 9:45am- The Relationship between Ever-Glory and Disney's Agent is going well, with Orders Recorded in Excess of $100,000 for First Half of 2006. We believe that having such a relationship with Disney is a huge window of opportunity which could lead to extremely large contracts. Go EGLY!

Other news: LOS ANGELES, CALIFORNIA-(MARKET WIRE)-Nov 1, 2006 10:16pm- Ever-Glory International Group, a multinational enterprise specializing in garment manufacturing and exports, has expanded the scope of its business in 2006, wherein the first half of the year, completed orders from a single customer, CA, totaled a staggering US$5.6 Million. This is just ONE customer! Many others have placed large orders this quarter.

August 8th - $2mil order from Matalan
July 25th - $500k order from Debenhams
July 10th - $1mil order from OTTO

Please check all these figures with your favorite source. EGLY is the real deal! We are expecting third quarter numbers to be out soon and are telling all of our members to take a position in before the data hits the street. These fortuitous figures are going to shock the market and send this one way up! Give yourself the chance to come out WAY ahead here. Fortune favors the bold!

Also news are CHICAGO, Illinois (AP) -- New national data show school bus-related accidents send 17,000 U.S. children to emergency rooms each year, more than double the number in previous estimates that only included crashes. SAN FRANCISCO (Reuters) -- Google Inc. is set to begin helping customers buy advertisements in 50 U.S. newspapers in a test of how the Web search leader can extend its business into offline media, the company said on Sunday. WASHINGTON (CNN) -- The morning after the closely fought midterm elections, the U.S. Supreme Court will hear its first major abortion case in six years. PENSACOLA, Fla. (CNN) -- President Bush tried to rally Republican supporters in Florida at an event the state's GOP candidate for governor skipped Monday, raising the hackles of a top White House aide in the final hours before the midterm elections.

--
Anders Norrbring
Norrbring Consulting
Re: No hit on this..
Anders Norrbring wrote:
snip

Anders

here's my analysis

Content analysis details:   (12.0 points, 5.0 required)

 pts rule name                 description
---- ------------------------- --------------------------------------------------
 0.7 HOST_EQ_D_D_D_D           HOST_EQ_D_D_D_D
 0.9 HOST_EQ_D_D_D_DB          HOST_EQ_D_D_D_DB
 0.9 DATE_IN_PAST_24_48        Date: is 24 to 48 hours before Received: date
 0.5 FB_NIGERIAN1              BODY: FB_NIGERIAN1
 0.6 J_CHICKENPOX_44           BODY: {4}Letter - punctuation - {4}Letter
 5.4 BAYES_99                  BODY: Bayesian spam probability is 99 to 100%
                               [score: 1.]
 0.5 RAZOR2_CHECK              Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
                               [cf: 70]
 0.5 RAZOR2_CF_RANGE_51_100    Razor2 gives confidence level above 50%
                               [cf: 70]
 0.6 HELO_MISMATCH_NET         HELO_MISMATCH_NET
 0.0 ADVANCE_FEE_1             Appears to be advance fee fraud (Nigerian 419)

--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: No hit on this..
On Tue, 07 Nov 2006 14:51:01 +0100 Anders Norrbring [EMAIL PROTECTED] wrote: I don't get any points or hits on the following mail (source code) Return-Path: [EMAIL PROTECTED] Received: from mail.the-server.net (192.168.222.210 [192.168.222.210]) by iris (Cyrus v2.1.15) with LMTP; Tue, 07 Nov 2006 14:16:42 +0100 X-Sieve: CMU Sieve 2.2 Received: from amavis.the-server.net (localhost [127.0.0.1]) by mail.the-server.net (Postfix) with ESMTP id A18B4289E for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:42 +0100 (CET) X-Virus-Scanned: amavisd-new, Kaspersky, NOD32 F-Secure AV at the-server.net Received: from mail.the-server.net ([127.0.0.1]) by amavis.the-server.net (siri.the-server.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id f1VtfVKEydJi for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:35 +0100 (CET) Received: from adsl196-248-101-217-196.adsl196-12.iam.net.ma (adsl196-248-101-217-196.adsl196-12.iam.net.ma [196.217.101.248]) by mail.the-server.net (Postfix) with ESMTP id C32F527CE for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:34 +0100 (CET) Received: from 207.46.163.22 (HELO mail.global.sprint.com) by onlineperv.net with esmtp (XY858TN74 NPLTF7) id 65QEDV-QBQJSL-FU for [EMAIL PROTECTED]; Mon, 6 Nov 2006 10:30:57 -0060 From: Reinaldo Gallagher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Reinaldo here :) Date: Mon, 6 Nov 2006 10:30:57 -0060 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Thread-Index: Aca6QHEK2ARZEZF3J8OLNEYUMM69T6== What's the first rule of investing? Buy low sell high! Yesterday, market forces caused our top pick (EGLY) to close down on the day. This gives our members the perfect opportunity to pick some up on the cheap before the big news! 
Ever-Glory International (EGLY) Current: 0.63 Projected: 1.30 Rating: 5/5 Here's the latest news: LOS ANGELES, CALIFORNIA-(MARKET WIRE)-Nov 6, 2006 - 9:45am- The Relationship between Ever-Glory and Disney's Agent is going well, with Orders Recorded in Excess of $100,000 for First Half of 2006. We believe that having such a relationship with Disney is a huge window of opportunity which could lead to extremely large contracts. Go EGLY! Other news: LOS ANGELES, CALIFORNIA-(MARKET WIRE)-Nov 1, 2006 10:16pm- Ever-Glory International Group, a multinational enterprise specializing in garment manufacturing and exports, has expanded the scope of its business in 2006, wherein the first half of the year, completed orders from a single customer, CA, totaled a staggering US$5.6 Million. This is just ONE customer! Many others have placed large orders this quarter. August 8th - $2mil order from Matalan July 25th - $500k order from Debenhams July 10th - $1mil order from OTTO Please check all these figures with your favorite source. EGLY is the real deal! We are expecting third quarter numbers to be out soon and are telling all of our members to take a position in before the data hits the street. These fortuitous figures are going to shock the market and send this one way up! Give yourself the chance to come out WAY ahead here. Fortune favors the bold!Also news are CHICAGO, Illinois (AP) -- New national data show school bus-related accidents send 17,000 U.S. children to emergency rooms each year, more than double the number in previous estimates that only included crashes. SAN FRANCISCO (Reuters) -- Google Inc. is set to begin helping customers buy advertisements in 50 U.S. newspapers in a test of how the Web search leader can extend its business into offline media, the company said on Sunday. WASHINGTON (CNN) -- The morning after the closely fought midterm elections, the U.S. Supreme Court will hear its first major abortion case in six years. PENSACOLA, Fla. 
(CNN) -- President Bush tried to rally Republican supporters in Florida at an event the state's GOP candidate for governor skipped Monday, raising the hackles of a top White House aide in the final hours before the midterm elections. -- Anders Norrbring Norrbring Consulting

I don't even see any SpamAssassin headers on this thing saying one way or the other... did this actually get piped through SpamAssassin?

James
R: mail bounce warning for the list
From: Rose, Bobby [mailto:[EMAIL PROTECTED]

So what you're saying is that the rule that people running listservers should maintain valid recipients who want to receive messages from the list shouldn't be followed just because it's a list about an antispam product?

I would say, just because it's a list. Most listservers send a fake 'envelope from' email address, but hitting the reply button works.

The last time I checked, the most common reason for spamcop lists is due to messages being sent to their spam traps.

Which means they registered to the list: this list mandates a double opt-in to register...

What's the point of even having rules in SA for spamcop and other DNSBLs if you don't have a certain level of trust in them.

Not all the DNSBLs score the same in SA. Also, they, after all, just score something. SA wants and needs much more to drop something on the spam folder.

SA is more resource intensive than an MTA block which is why so many still use it.

Then, so many are going to trade a safe approach to spam with system requirements. After all, it's their decision about it.

I know that over 20k a day trip the SORBs DUL rule here and around 10k trip spamhaus. You can pretty much bet it's all spam so I can understand why people would rather use those lists at their MTAs based on their observations of the mail flow for their domains.

Wrong. A system of mine is listed as dynamic not being it at all. People relying only on DNSBLs tests to classify incomings would surely miss messages from that system. Oh, by the way: it never sent spam out...

There have been messages posted to this list that can have very positive SA scores simply due to the content. So based on that, I guess everyone should whitelist users@spamassassin.apache.org and spammers reading the list can just turn around and use that as their return address because then the argument could be made that anyone who doesn't deserves not to get mail from the SA lists.

I had few [Spam?]-tagged messages from this list and no FP.

I believe the correct process here is that the moderators of the SA listserver investigate why the listserver got listed on Spamcop.

Right. This is something I would do, too.

If it is a case where there are addresses to spamtraps in the list, then maybe the list needs to send out opt-in verification messages to weed them out.

Or even remove these addresses at once, if they are spamtraps. But I would like to know how a spamtrap address got entered into this list: it needs a double opt-in. Isn't that the person who set up the spamtrap just registered to the list itself and then forgot to remove from it?

-=B

Giampaolo

From: Mike Kenny [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 07, 2006 3:15 AM
To: users@spamassassin.apache.org
Subject: Re: mail bounce warning for the list

On 11/7/06, Derek Harding [EMAIL PROTECTED] wrote:

Gary W. Smith wrote:

Was the SA group listed by spamcop last month? I just now received this for messages from October 26th.

Who cares?

[EMAIL PROTECTED]: 209.209.82.24 does not like recipient. Remote host said: 554 5.7.1 Service unavailable; Client host [140.211.11.2] blocked using bl.spamcop.net; Blocked - see _http://www.spamcop.net/bl.shtml?140.211.11.2_ Giving up on 209.209.82.24 .

Gary Wayne Smith

Anyone dumb enough to block outright on the spamcop BL deserves whatever they don't get.

Derek

Is this not part of the problem? That many of these people who 'deserve whatever they don't get' are operating under the mistaken belief that these spam vigilantes are protecting them from spam and allowing legitimate mail through?

We can enter into a pointless argument about whether this is due to the stupidity of their administrators or the arrogance of the knowledgeable administrators, but the fact is that this is happening. This is evidenced by the number of complaints from people claiming either not to have received legitimate email or to have it bounced by spamcop or some such site. Blocking mail based solely on the IP address (whether because it is a dynamic address or has at some time in the past sent a mail to a spamtrap) is akin to shooting the postman because yesterday you received an advertisement. The only way to kill spam is to inspect the mail using a tool such as SA and then reach an intelligent decision based on the results (the interpretation of the results will vary from site to site). Blocking IP addresses will not kill spam, it kills the mail system. The spammer will move to another IP, the poor innocent user doesn't know what to do and either accepts that his mail may not reach all recipients or reverts to licking stamps.

mike
RE: No hit on this..
Ya for some reason Spamassassin didn't even look at it.

Robert

Peace he would say instead of goodbye... peace my brother.

-----Original Message-----
From: James Lay [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 07, 2006 8:59 AM
To: Anders Norrbring
Cc: users@spamassassin.apache.org
Subject: Re: No hit on this..

On Tue, 07 Nov 2006 14:51:01 +0100 Anders Norrbring [EMAIL PROTECTED] wrote: I don't get any points or hits on the following mail (source code) Return-Path: [EMAIL PROTECTED] Received: from mail.the-server.net (192.168.222.210 [192.168.222.210]) by iris (Cyrus v2.1.15) with LMTP; Tue, 07 Nov 2006 14:16:42 +0100 X-Sieve: CMU Sieve 2.2 Received: from amavis.the-server.net (localhost [127.0.0.1]) by mail.the-server.net (Postfix) with ESMTP id A18B4289E for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:42 +0100 (CET) X-Virus-Scanned: amavisd-new, Kaspersky, NOD32 F-Secure AV at the-server.net Received: from mail.the-server.net ([127.0.0.1]) by amavis.the-server.net (siri.the-server.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id f1VtfVKEydJi for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:35 +0100 (CET) Received: from adsl196-248-101-217-196.adsl196-12.iam.net.ma (adsl196-248-101-217-196.adsl196-12.iam.net.ma [196.217.101.248]) by mail.the-server.net (Postfix) with ESMTP id C32F527CE for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:34 +0100 (CET) Received: from 207.46.163.22 (HELO mail.global.sprint.com) by onlineperv.net with esmtp (XY858TN74 NPLTF7) id 65QEDV-QBQJSL-FU for [EMAIL PROTECTED]; Mon, 6 Nov 2006 10:30:57 -0060 From: Reinaldo Gallagher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Reinaldo here :) Date: Mon, 6 Nov 2006 10:30:57 -0060 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Thread-Index: Aca6QHEK2ARZEZF3J8OLNEYUMM69T6==
What's the first rule of investing? Buy low sell high! Yesterday, market forces caused our top pick (EGLY) to close down on the day. This gives our members the perfect opportunity to pick some up on the cheap before the big news! Ever-Glory International (EGLY) Current: 0.63 Projected: 1.30 Rating: 5/5 Here's the latest news: LOS ANGELES, CALIFORNIA-(MARKET WIRE)-Nov 6, 2006 - 9:45am- The Relationship between Ever-Glory and Disney's Agent is going well, with Orders Recorded in Excess of $100,000 for First Half of 2006. We believe that having such a relationship with Disney is a huge window of opportunity which could lead to extremely large contracts. Go EGLY! Other news: LOS ANGELES, CALIFORNIA-(MARKET WIRE)-Nov 1, 2006 10:16pm- Ever-Glory International Group, a multinational enterprise specializing in garment manufacturing and exports, has expanded the scope of its business in 2006, wherein the first half of the year, completed orders from a single customer, CA, totaled a staggering US$5.6 Million. This is just ONE customer! Many others have placed large orders this quarter. August 8th - $2mil order from Matalan July 25th - $500k order from Debenhams July 10th - $1mil order from OTTO Please check all these figures with your favorite source. EGLY is the real deal! We are expecting third quarter numbers to be out soon and are telling all of our members to take a position in before the data hits the street. These fortuitous figures are going to shock the market and send this one way up! Give yourself the chance to come out WAY ahead here. Fortune favors the bold!Also news are CHICAGO, Illinois (AP) -- New national data show school bus-related accidents send 17,000 U.S. children to emergency rooms each year, more than double the number in previous estimates that only included crashes. SAN FRANCISCO (Reuters) -- Google Inc. is set to begin helping customers buy advertisements in 50 U.S. 
newspapers in a test of how the Web search leader can extend its business into offline media, the company said on Sunday. WASHINGTON (CNN) -- The morning after the closely fought midterm elections, the U.S. Supreme Court will hear its first major abortion case in six years. PENSACOLA, Fla. (CNN) -- President Bush tried to rally Republican supporters in Florida at an event the state's GOP candidate for governor skipped Monday, raising the hackles of a top White House aide in the final hours before the midterm elections. -- Anders Norrbring Norrbring Consulting

I don't even see any SpamAssassin headers on this thing saying one way or the other... did this actually get piped through SpamAssassin?

James
RE: No hit on this..
We got a bunch of these slip through as low-scoring. This rule helps - score as you see fit:

header   SPAMMER_HERE  Subject =~ /here \:\)$/
describe SPAMMER_HERE  Spammer here
score    SPAMMER_HERE  4

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: Anders Norrbring [mailto:[EMAIL PROTECTED]
Sent: 07 November 2006 13:51
To: users@spamassassin.apache.org
Subject: No hit on this..

I don't get any points or hits on the following mail (source code) Return-Path: [EMAIL PROTECTED] Received: from mail.the-server.net (192.168.222.210 [192.168.222.210]) by iris (Cyrus v2.1.15) with LMTP; Tue, 07 Nov 2006 14:16:42 +0100 X-Sieve: CMU Sieve 2.2 Received: from amavis.the-server.net (localhost [127.0.0.1]) by mail.the-server.net (Postfix) with ESMTP id A18B4289E for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:42 +0100 (CET) X-Virus-Scanned: amavisd-new, Kaspersky, NOD32 F-Secure AV at the-server.net Received: from mail.the-server.net ([127.0.0.1]) by amavis.the-server.net (siri.the-server.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id f1VtfVKEydJi for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:35 +0100 (CET) Received: from adsl196-248-101-217-196.adsl196-12.iam.net.ma (adsl196-248-101-217-196.adsl196-12.iam.net.ma [196.217.101.248]) by mail.the-server.net (Postfix) with ESMTP id C32F527CE for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:34 +0100 (CET) Received: from 207.46.163.22 (HELO mail.global.sprint.com) by onlineperv.net with esmtp (XY858TN74 NPLTF7) id 65QEDV-QBQJSL-FU for [EMAIL PROTECTED]; Mon, 6 Nov 2006 10:30:57 -0060 From: Reinaldo Gallagher [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Reinaldo here :) Date: Mon, 6 Nov 2006 10:30:57 -0060 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Thread-Index: Aca6QHEK2ARZEZF3J8OLNEYUMM69T6== What's the first rule of investing? Buy low sell high! Yesterday, market forces caused our top pick (EGLY) to close down on the day. This gives our members the perfect opportunity to pick some up on the cheap before the big news! Ever-Glory International (EGLY) Current: 0.63 Projected: 1.30 Rating: 5/5 Here's the latest news: LOS ANGELES, CALIFORNIA-(MARKET WIRE)-Nov 6, 2006 - 9:45am- The Relationship between Ever-Glory and Disney's Agent is going well, with Orders Recorded in Excess of $100,000 for First Half of 2006. We believe that having such a relationship with Disney is a huge window of opportunity which could lead to extremely large contracts. Go EGLY! Other news: LOS ANGELES, CALIFORNIA-(MARKET WIRE)-Nov 1, 2006 10:16pm- Ever-Glory International Group, a multinational enterprise specializing in garment manufacturing and exports, has expanded the scope of its business in 2006, wherein the first half of the year, completed orders from a single customer, CA, totaled a staggering US$5.6 Million. This is just ONE customer! Many others have placed large orders this quarter. August 8th - $2mil order from Matalan July 25th - $500k order from Debenhams July 10th - $1mil order from OTTO Please check all these figures with your favorite source. EGLY is the real deal! We are expecting third quarter numbers to be out soon and are telling all of our members to take a position in before the data hits the street. These fortuitous figures are going to shock the market and send this one way up! Give yourself the chance to come out WAY ahead here. Fortune favors the bold!Also news are CHICAGO, Illinois (AP) -- New national data show school bus-related accidents send 17,000 U.S. children to emergency rooms each year, more than double the number in previous estimates that only included crashes. SAN FRANCISCO (Reuters) -- Google Inc. is set to begin helping customers buy advertisements in 50 U.S. 
newspapers in a test of how the Web search leader can extend its business into offline media, the company said on Sunday. WASHINGTON (CNN) -- The morning after the closely fought midterm elections, the U.S. Supreme Court will hear its first major abortion case in six years. PENSACOLA, Fla. (CNN) -- President Bush tried to rally Republican supporters in Florida at an event the state's GOP candidate for governor skipped Monday, raising the hackles of a top White House aide in the final hours before the midterm elections. -- Anders Norrbring Norrbring Consulting
How to set up Razor (SOLVED)
Installed it off Debian Sid. How do I get SA to make use of it?

Thanks for all the helpful responses. I have it working fine, here is the idea:

1. Most of the documentation is out of date! One needs do absolutely nothing. SA tests for and will use Razor, Pyzor, etc., if they be installed.

2. All this is of no avail if TCP to port 2703 be not allowed by the firewall. This was buried in an email thread and not present in the documentation. (It is not sufficient to enable from Razor's main site in a DMZ since other IPs are involved as well.)
Re: How to set up Razor (SOLVED)
David Baron wrote:

Installed it off Debian Sid. How do I get SA to make use of it? Thanks for all the helpful responses. I have it working fine, here is the idea:

1. Most of the documentation is out of date! One needs do absolutely nothing. SA tests for and will use Razor, Pyzor, etc., if they be installed.

For razor and pyzor, this is true in the more recent versions. Razor recently changed their position on general usage, and that made the SA devs change it to loaded-by-default.

However, the etc. part is not true.. For DCC you'll still have to load the plugin. DCC isn't free for everyone to use.

2. All this is of no avail if TCP to port 2703 be not allowed by the firewall. This was buried in an email thread and not present in the documentation. (It is not sufficient to enable from Razor's main site in a DMZ since other IPs are involved as well.)

That's pretty well non-buried in the razor documentation. It's in their FAQ

http://razor.sourceforge.net/docs/faq.php

--------
Q: I have a firewall. What ports do I need to open in order for Razor2 to work?

Outgoing TCP port 2703 (Razor2), only. Previous versions used TCP port 7 (echo), but this is no longer used.
--------

But I agree it might be worth mentioning in the SA docs for razor.
RE: How to set up Razor (SOLVED)
Installed it off Debian Sid. How do I get SA to make use of it? Thanks for all the helpful responses. I have it working fine, here is the idea:

1. Most of the documentation is out of date! One needs do absolutely nothing.

Not true. It may function, but if you do nothing razor has to try and discover the servers for every message. This creates unnecessary traffic and processing power on both ends. You need to run razor-admin -create (twice for good measure - and then make sure it worked) as the user that will be calling razor (or every user that calls razor). This makes the available server data available locally. You also need to disable logging or eventually your disk will fill up with razor logs. You can do this globally if you like by configuring the site wide config file in the /etc/razor directory.

SA tests for and will use Razor, Pyzor, etc., if they be installed.

2. All this is of no avail if TCP to port 2703 be not allowed by the firewall. This was buried in an email thread and not present in the documentation. (It is not sufficient to enable from Razor's main site in a DMZ since other IPs are involved as well.)

http://razor.sourceforge.net/docs/doc.php?type=textname=FAQ

Q: I have a firewall. What ports do I need to open in order for Razor2 to work?

Outgoing TCP port 2703 (Razor2), only. Previous versions used TCP port 7 (echo), but this is no longer used.

Gary V
Re: How to set up Razor (SOLVED)
On Tue, Nov 07, 2006 at 10:14:38AM -0500, Matt Kettler wrote:

http://razor.sourceforge.net/docs/faq.php But I agree it might be worth mentioning in the SA docs for razor.

FWIW: http://wiki.apache.org/spamassassin/UsingRazor

Already has pointers about firewall ports, license issues, etc.

--
Randomly Selected Tagline: The Power Company is having EMP problems with their reactor. - Today's BOFH Excuse
RE: mail bounce warning for the list
Alright, I'll reply to this. I outright block using RBLs, and spamcop is one of them.

Here's the deal: Senders get a response of the message being blocked! It is also logged. The amount of legit mail annually blocked can be counted on two hands. And we use it to better relations with customers/vendors who are blocked. I contact them and inform them about their listing and how to attempt to get unlisted. They have been very grateful for the help!

9 out of 10 times when a user tells me they didn't receive an email someone sent, the sender was lying! I love looking thru the logs just to prove that point. Feed them a plate of humble pie.

I can instantly whitelist and bypass any domain, and I do once there is a problem. My boss does actually care about our customers/vendors being listed. He likes the idea I help them.

This isn't the best idea for a large ISP, but for companies I see no problem rejecting on RBLs when you have a trained administrator.

So I am getting what I deserve, and I love it.

Thanks,
Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com
Re: spam filter working, but not well
Spamassassin is invoked from Courier-MTA. (OS is SUSE Pro 9.3) The /usr/lib/courier/etc/courierd file has the following line:

DEFAULTDELIVERY=| /usr/bin/spamassassin | /usr/lib/courier/bin/maildrop

I had tried it with 'spamc' but there was no difference. When I tried it with /usr/bin/spamd I get the following in my mail log:

spamd[5895]: spamd: could not create INET socket on 127.0.0.1:783: Permission denied
courierlocal: id=00086831.4550A56E.1702,from=...sender...,addr=[EMAIL PROTECTED]: [5895] error: spamd: could not create INET socket on 127.0.0.1:783: Permission denied
courierlocal: id=00086831.4550A56E.1702,from=...sender...,addr=[EMAIL PROTECTED]: spamd: could not create INET socket on 127.0.0.1:783: Permission denied
courierlocal: id=00086831.4550A56E.1702,from=...sender...,addr=[EMAIL PROTECTED],size=928,success: Message delivered.
courierd: completed,id=00086831.4550A56E.1702

I definitely have more than 200 ham and 200 spam in the database (done with sa-learn commands). bayes_seen is 632k and bayes_toks is 2.5M in size. I think the problem is network tests but I checked the /etc/sysconfig/spamd file and the only uncommented line is:

SPAMD_ARGS=-d -c

-Brian

On Mon, November 6, 2006 05:20, Peter Teunissen wrote:

On 6-nov-2006, at 1:54, John Andersen wrote:

On Sunday 05 November 2006 15:48, Brian S. Meehan wrote:

Hi all, Spam filtering is working, but I'm getting about half the spam in my mailbox. Anyone have tips on adjustments I could make?

Here's what I have in the local.cf file:

rewrite_header SUBJECT **SPAM**
dns_available yes
required_score 4.0
bayes_path /etc/mail/spamassassin/bayesfiles/bayes
use_bayes 1
bayes_auto_learn 1
bayes_auto_learn_threshold_spam 10
bayes_file_mode 0777
report_safe 0
trusted_networks 192.168.1.101
bayes_ignore_header X-purgate
bayes_ignore_header X-purgate-ID
bayes_ignore_header X-purgate-Ad
bayes_ignore_header X-GMX-Antispam
bayes_ignore_header X-Antispam
bayes_ignore_header X-Spamcount
bayes_ignore_header X-Spamsensitivity

It's not clear if you have network tests running or not. How is spamassassin invoked?

and:
- have you trained your bayes DB with at least 200 HAM and 200 SPAM?
- added some safe rules from SARE (for example with sa-update and the http://saupdates.openprotect.com/ channel?)

Peter

--
All people who think everything is either black or white are idiots.
Re: spam filter working, but not well
Brian S. Meehan wrote:

Spamassassin is invoked from Courier-MTA. (OS is SUSE Pro 9.3) The /usr/lib/courier/etc/courierd file has the following line:

DEFAULTDELIVERY=| /usr/bin/spamassassin | /usr/lib/courier/bin/maildrop

I had tried it with 'spamc' but there was no difference. When I tried it with /usr/bin/spamd I get the following in my mail log:

spamd is the daemon and you definitely do not want to start this for every message you receive. You should be using spamassassin or spamc here. If you use spamc, spamd must already be started and running for it to function correctly. spamc/spamd are a pair and are used together. spamassassin is standalone.

spamd[5895]: spamd: could not create INET socket on 127.0.0.1:783: Permission denied
courierlocal: id=00086831.4550A56E.1702,from=...sender...,addr=[EMAIL PROTECTED]: [5895] error: spamd: could not create INET socket on 127.0.0.1:783: Permission denied
courierlocal: id=00086831.4550A56E.1702,from=...sender...,addr=[EMAIL PROTECTED]: spamd: could not create INET socket on 127.0.0.1:783: Permission denied
courierlocal: id=00086831.4550A56E.1702,from=...sender...,addr=[EMAIL PROTECTED],size=928,success: Message delivered.
courierd: completed,id=00086831.4550A56E.1702

I definitely have more than 200 ham and 200 spam in the database (done with sa-learn commands). bayes_seen is 632k and bayes_toks is 2.5M in size. I think the problem is network tests but I checked the /etc/sysconfig/spamd file and the only uncommented line is:

SPAMD_ARGS=-d -c

-Brian

Can you send a sample of a message that you received? I'm not sure if you did this already as I missed the original message.

-Jim
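Two questions raised on this page, James Lay's "did this actually get piped through SpamAssassin?" and Jim Maul's request for a sample of a missed message, are both answered by reading the X-Spam-* headers. The following is an added example, not code from any poster or from the SpamAssassin project: it reports whether a message was scanned and whether Bayes or network rules contributed to the score. The two sample messages are constructed (hostnames replaced with example.net); the X-Spam-Status values are the ones Brian quotes in his follow-up on this page, and the network-rule prefix list is a heuristic chosen for this example.

```python
import re
from email import message_from_string

# Rule-name prefixes used here to spot network tests. This is a heuristic
# chosen for the example, not an official SpamAssassin classification.
NETWORK_PREFIXES = ("RAZOR2_", "PYZOR_", "DCC_", "RCVD_IN_", "URIBL_")

# Constructed sample: virus-scanned by amavisd-new but carrying no X-Spam-*
# headers, like the message in the "No hit on this.." thread.
UNSCANNED = """\
Received: from amavis.example.net (localhost [127.0.0.1])
    by mail.example.net (Postfix) with ESMTP id 0000000000
X-Virus-Scanned: amavisd-new at example.net
Subject: Reinaldo here :)

(body omitted)
"""

# Constructed sample: the X-Spam-Status value is the one quoted for the first
# missed message; the hostname and the line folding are made up.
LOW_SCORE = """\
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mail.example.net
X-Spam-Status: No, score=3.1 required=4.0 tests=ADVANCE_FEE_1,
    RCVD_IN_XBL autolearn=no version=3.1.7
Subject: Dillon here :)

(body omitted)
"""


def _num(text):
    """Return text as a float, or None when it is missing or malformed."""
    try:
        return float(text)
    except (TypeError, ValueError):
        return None


def parse_spam_status(raw):
    """Split an X-Spam-Status value into verdict, score, threshold and tests."""
    flat = re.sub(r"\s+", " ", raw.strip())   # unfold continuation lines
    flat = re.sub(r",\s+", ",", flat)         # rejoin a test list split at a fold
    verdict, _, rest = flat.partition(",")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    tests = fields.get("tests", "")
    return {
        "is_spam": verdict.strip().lower() == "yes",
        # SpamAssassin 2.x wrote hits= where 3.x writes score=
        "score": _num(fields.get("score", fields.get("hits"))),
        "required": _num(fields.get("required")),
        "tests": [] if tests in ("", "none") else tests.split(","),
        "autolearn": fields.get("autolearn"),
    }


def triage(raw_message):
    """Report whether a message was scored and which rule families fired."""
    msg = message_from_string(raw_message)
    status = msg.get("X-Spam-Status")
    report = {"scanned": status is not None, "findings": []}
    if status is None:
        note = "no X-Spam-Status: not scanned, or the scanner added no headers"
        if "amavisd" in msg.get("X-Virus-Scanned", "").lower():
            # amavisd-new adds X-Spam-* headers only for recipients it treats
            # as local and only at or above its tag level (sa_tag_level_deflt).
            note += "; amavisd-new handled it, check local domains and tag level"
        report["findings"].append(note)
        return report
    report.update(parse_spam_status(status))
    tests = report["tests"]
    report["bayes"] = [t for t in tests if t.startswith("BAYES_")]
    report["network"] = [t for t in tests if t.startswith(NETWORK_PREFIXES)]
    if not report["bayes"]:
        # A usable Bayes database normally yields one BAYES_nn hit per message.
        report["findings"].append(
            "no BAYES_* hit: Bayes is not contributing; check that the scanning "
            "user can read bayes_path and is the user that ran sa-learn")
    if report["network"]:
        report["findings"].append("network tests ran: " + ",".join(report["network"]))
    else:
        report["findings"].append("no network rule hit: inconclusive on its own")
    score, required = report["score"], report["required"]
    if score is not None and required is not None and score < required:
        report["shortfall"] = round(required - score, 1)
    return report


if __name__ == "__main__":
    for name, sample in (("unscanned", UNSCANNED), ("low score", LOW_SCORE)):
        print(name, triage(sample))
```

On the second sample the report shows a network hit but no BAYES_* rule, so the 0.9-point shortfall points at the Bayes setup rather than at network tests.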
Re: How to set up Razor (SOLVED)
On Tuesday 07 November 2006 17:24, Gary V wrote:

Installed it off Debian Sid. How do I get SA to make use of it? Thanks for all the helpful responses. I have it working fine, here is the idea:

1. Most of the documentation is out of date! One needs do absolutely nothing.

Not true. It may function, but if you do nothing razor has to try and discover the servers for every message. This creates unnecessary traffic and processing power on both ends. You need to run razor-admin -create (twice for good measure - and then make sure it worked) as the user that will be calling razor (or every user that calls razor). This makes the available server data available locally. You also need to disable logging or eventually your disk will fill up with razor logs. You can do this globally if you like by configuring the site wide config file in the /etc/razor directory.

I did do this. This is what failed before changing the firewall. SA does not require this stuff but Razor works better with it done.

About out-of-date documentation, suggested three steps. Running the first one said it was obsolete and the Razor works by default. The second was the discover and the third was to get a registration ID. Now, how do I use that to report spam?

SA tests for and will use Razor, Pyzor, etc., if they be installed.

2. All this is of no avail if TCP to port 2703 be not allowed by the firewall. This was buried in an email thread and not present in the documentation. (It is not sufficient to enable from Razor's main site in a DMZ since other IPs are involved as well.)

http://razor.sourceforge.net/docs/doc.php?type=textname=FAQ

OK. When I install off Debian Sid, nothing refers me to sourceforge and neither the docs in the package nor the programs (could say discovery failed--cannot connect port 2703--check your firewall) suggested enabling stuff in the firewall.

Q: I have a firewall. What ports do I need to open in order for Razor2 to work?

Outgoing TCP port 2703 (Razor2), only. Previous versions used TCP port 7 (echo), but this is no longer used.

Gary V
RE: Don't use bl.spamcop.net (Re: mail bounce warning for the list)
Thanks for the info. I like your answers much better than the rest of the insults I have received. I'm not sure how or why I put spamcop in my blocklist. I was sure that I didn't some time ago. It will be removed.

With all due respect to the many of the people on this list, when did everyone on the list turn into flame war asses? I've been on this list prior to it being an apache list and it seems to be degrading more and more.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 07, 2006 2:57 AM
To: Gary W. Smith
Cc: users@spamassassin.apache.org
Subject: Don't use bl.spamcop.net (Re: mail bounce warning for the list)

Gary W. Smith writes:

Was the SA group listed by spamcop last month? I just now received this for messages from October 26th.

Yes. Turn off use of bl.spamcop.net, it's FP'ing on about 25% of mail last time I checked, including ASF mail.

--j.

[EMAIL PROTECTED]: 209.209.82.24 does not like recipient. Remote host said: 554 5.7.1 Service unavailable; Client host [140.211.11.2] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?140.211.11.2 Giving up on 209.209.82.24.

Gary Wayne Smith
Re: mail bounce warning for the list
Rose, Bobby wrote: I believe the correct process here is that the moderators of the SA listserver investigate why the listserver got listed on Spamcop. If it is a case where there are addresses to spamtraps in the list, then maybe the list needs to send out opt-in verification messages to weed them out. Note that most of the mail sent from the ASF goes through hermes, not just list mail or SA list mail. I'd be a little surprised to find that one of the mailing lists is subscribed to one of Spamcop's spamtraps. It's far more likely that there are a number of people with @apache.org addresses, that are also Spamcop subscribers, who are reporting mail forwarded from their @apache.org address as spam. Since the mail to their @apache.org account is forwarded from hermes, Spamcop lists hermes. I have no idea exactly how many people have to report a host (via reporting a spam message) to Spamcop, without the same host hitting a trap, to get a host listed but I wouldn't be surprised at all if there are indeed enough Spamcop users with @apache.org addresses to make it happen. The only thing I know for sure is that the _only_ spam I have ever received from hermes (and I receive quite a bit of spam from hermes) has been addressed to my @apache.org account and is just being forwarded to me. Daryl
Re: spam filter working, but not well
Jim, I have it set so that I'm using /usr/bin/spamassassin now. Thanks for that info. Here is the relevant message header from an email that was not caught:
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mail.meehanontheweb.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.1 required=4.0 tests=ADVANCE_FEE_1,RCVD_IN_XBL autolearn=no version=3.1.7
Received: from cliente-addc099 (201-68-96-184.dsl.telesp.net.br [:::201.68.96.184]) by meehanontheweb.com with esmtp; Tue, 07 Nov 2006 10:50:57 -0500 id 00072EA2.4550AB7D.18B6
Old-Return-Path: [EMAIL PROTECTED]
Received: from 192.94.94.37 (HELO red.ext.ti.com) by meehanontheweb.com with esmtp (CSNG1VAZG A627H) id 6W926D-JODX0S-DO for [EMAIL PROTECTED]; Tue, 7 Nov 2006 15:49:51 +0180
From: Dillon Barron [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Dillon here :)
Here is another one that wasn't caught:
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mail.meehanontheweb.com
X-Spam-Level: *
X-Spam-Status: No, score=1.7 required=4.0 tests=EXTRA_MPART_TYPE, HTML_IMAGE_ONLY_24,HTML_MESSAGE autolearn=no version=3.1.7
Received: from catv-50634822.catv.broadband.hu (catv-50634822.catv.broadband.hu [:::80.99.72.34]) by meehanontheweb.com with esmtp; Mon, 06 Nov 2006 17:04:29 -0500 id 00086441.454FB16F.31DE
Message-ID: [EMAIL PROTECTED]
From: Project: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: rejected Uganda rebel
Thanks, -Brian
On Tue, November 7, 2006 10:42, Jim Maul wrote: Brian S. Meehan wrote: Spamassassin is invoked from Courier-MTA. (OS is SUSE Pro 9.3) The /usr/lib/courier/etc/courierd file has the following line:
DEFAULTDELIVERY="| /usr/bin/spamassassin | /usr/lib/courier/bin/maildrop"
I had tried it with 'spamc' but there was no difference. When I tried it with /usr/bin/spamd I get the following in my mail log:
spamd is the daemon and you definitely do not want to start this for every message you receive. You should be using spamassassin or spamc here. If you use spamc, spamd must already be started and running for it to function correctly. spamc/spamd are a pair and are used together. spamassassin is standalone.
spamd[5895]: spamd: could not create INET socket on 127.0.0.1:783: Permission denied
courierlocal: id=00086831.4550A56E.1702,from=...sender...,addr=[EMAIL PROTECTED]: [5895] error: spamd: could not create INET socket on 127.0.0.1:783: Permission denied
courierlocal: id=00086831.4550A56E.1702,from=...sender...,addr=[EMAIL PROTECTED]: spamd: could not create INET socket on 127.0.0.1:783: Permission denied
courierlocal: id=00086831.4550A56E.1702,from=...sender...,addr=[EMAIL PROTECTED],size=928,success: Message delivered.
courierd: completed,id=00086831.4550A56E.1702
I definitely have more than 200 ham and 200 spam in the database (done with sa-learn commands). bayes_seen is 632k and bayes_toks is 2.5M in size. I think the problem is network tests but I checked the /etc/sysconfig/spamd file and the only uncommented line is:
SPAMD_ARGS="-d -c"
-Brian
Can you send a sample of a message that you received? I'm not sure if you did this already as I missed the original message. -Jim
-- All people who think everything is either black or white are idiots.
Re: No hit on this..
James Lay wrote: On Tue, 07 Nov 2006 14:51:01 +0100 Anders Norrbring [EMAIL PROTECTED] wrote: I don't get any points or hits on the following mail (source code) [8]
I don't even see any SpamAssassin headers on this thing saying one way or the other... did this actually get piped through SpamAssassin? James
Yes, it did, but the score was so low that Amavis-new didn't even tag it. Here's the relating entries from the amavis log:
Nov 7 14:16:42 siri.the-server.net /usr/sbin/amavisd[3315]: (03315-08) FWD via SMTP: [EMAIL PROTECTED] - [EMAIL PROTECTED], BODY=8BITMIME 250 2.6.0 Ok, id=03315-08, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as A18B4289E
Nov 7 14:16:42 siri.the-server.net /usr/sbin/amavisd[3315]: (03315-08) Passed CLEAN, [196.217.101.248] [207.46.163.22] [EMAIL PROTECTED] - [EMAIL PROTECTED], Message-ID: [EMAIL PROTECTED], mail_id: f1VtfVKEydJi, Hits: 0, queued_as: A18B4289E, 7505 ms
Nov 7 14:16:42 siri.the-server.net /usr/sbin/amavisd[3315]: (03315-08) TIMING [total 7525 ms] - SMTP LHLO: 8 (0%)0, SMTP pre-MAIL: 5 (0%)0, SMTP pre-DATA-flush: 0 (0%)0, SMTP DATA: 34 (0%)1, body_digest: 2 (0%)1, sql-enter: 23 (0%)1, mime_decode: 11 (0%)1, get-file-type1: 28 (0%)1, decompose_part: 3 (0%)2, parts_decode: 0 (0%)2, AV-scan-1: 38 (1%)2, AV-scan-2: 31 (0%)2, AV-scan-3: 26 (0%)3, spam-wb-list: 0 (0%)3, SA msg read: 1 (0%)3, SA parse: 5 (0%)3, SA check: 7147 (95%)98, SA finish: 3 (0%)98, update_cache: 3 (0%)98, decide_mail_destiny: 0 (0%)98, fwd-connect: 7 (0%)98, fwd-mail-from: 5 (0%)98, fwd-rcpt-to: 8 (0%)98, fwd-data-cmd: 2 (0%)98, write-header: 7 (0%)98, fwd-data-contents: 2 (0%)98, fwd-data-end: 59 (1%)99, fwd-rundown: 41 (1%)100, prepare-dsn: 1 (0%)100, main_log_entry: 8 (0%)100, sql-update: 15 (0%)100, update_snmp: 1 (0%)100, unlink-1-files: 1 (0%)100, rundown: 0 (0%)100
Nov 7 14:16:42 siri.the-server.net /usr/sbin/amavisd[3315]: (03315-08) extra modules loaded: Mail/SpamAssassin/Plugin/FuzzyOcr.pm, Mail/SpamAssassin/Plugin/TextCat.pm, String/Approx.pm
-- Anders Norrbring Norrbring Consulting
Re: spam filter working, but not well
Brian S. Meehan wrote: Jim, I have it set so that I'm using /usr/bin/spamassassin now. Thanks for that info. Here is the relevant message header from an email that was not caught:
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mail.meehanontheweb.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.1 required=4.0 tests=ADVANCE_FEE_1,RCVD_IN_XBL autolearn=no version=3.1.7
Received: from cliente-addc099 (201-68-96-184.dsl.telesp.net.br [:::201.68.96.184]) by meehanontheweb.com with esmtp; Tue, 07 Nov 2006 10:50:57 -0500 id 00072EA2.4550AB7D.18B6
Old-Return-Path: [EMAIL PROTECTED]
Received: from 192.94.94.37 (HELO red.ext.ti.com) by meehanontheweb.com with esmtp (CSNG1VAZG A627H) id 6W926D-JODX0S-DO for [EMAIL PROTECTED]; Tue, 7 Nov 2006 15:49:51 +0180
From: Dillon Barron [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Dillon here :)
Here is another one that wasn't caught:
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mail.meehanontheweb.com
X-Spam-Level: *
X-Spam-Status: No, score=1.7 required=4.0 tests=EXTRA_MPART_TYPE, HTML_IMAGE_ONLY_24,HTML_MESSAGE autolearn=no version=3.1.7
Received: from catv-50634822.catv.broadband.hu (catv-50634822.catv.broadband.hu [:::80.99.72.34]) by meehanontheweb.com with esmtp; Mon, 06 Nov 2006 17:04:29 -0500 id 00086441.454FB16F.31DE
Message-ID: [EMAIL PROTECTED]
From: Project: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: rejected Uganda rebel
Thanks, -Brian
What's strange is there are no bayes scores at all. I know you mentioned that you have at least 200 ham/spam in the database but are you sure it's the same user's database that mail processing runs as? Also, when I just ran those headers through spamc here, I got:
4.1 MSGID_OUTLOOK_INVALID Message-Id is fake (in Outlook Express format)
I'm curious as to why your system didn't trigger this rule? I'm still running 2.64 ;( It does seem that you are using network tests, but are you using razor/pyzor/dcc? Those could help as well. -Jim
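The check made by eye in the reply above (no BAYES_* rule in either X-Spam-Status header) can be automated for a whole mailbox. The following Python sketch is an added example, not code from any poster or from SpamAssassin; the two header blocks are the ones posted in this thread with their folding reconstructed, the third sample is constructed, and the function names and finding codes are hypothetical.

```python
import re
from dataclasses import dataclass
from email import message_from_string

# X-Spam-* headers of the two missed messages posted in this thread; the values
# are as posted, the header folding (newline + tab) is reconstructed.
MISSED_1 = (
    "X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mail.meehanontheweb.com\n"
    "X-Spam-Level: ***\n"
    "X-Spam-Status: No, score=3.1 required=4.0 tests=ADVANCE_FEE_1,RCVD_IN_XBL\n"
    "\tautolearn=no version=3.1.7\n"
    "Subject: Dillon here :)\n\n(body omitted)\n"
)
MISSED_2 = (
    "X-Spam-Level: *\n"
    "X-Spam-Status: No, score=1.7 required=4.0 tests=EXTRA_MPART_TYPE,\n"
    "\tHTML_IMAGE_ONLY_24,HTML_MESSAGE autolearn=no version=3.1.7\n"
    "Subject: rejected Uganda rebel\n\n(body omitted)\n"
)
# Constructed sample: a header in which a Bayes rule has fired.
WITH_BAYES = (
    "X-Spam-Status: Yes, score=8.5 required=4.0 tests=ADVANCE_FEE_1,BAYES_99,\n"
    "\tRCVD_IN_XBL autolearn=no version=3.1.7\n"
    "Subject: constructed example\n\n(body omitted)\n"
)

# Rule-name prefixes of checks that need the network (DNSBLs, Razor, Pyzor, DCC).
NETWORK_PREFIXES = ("RCVD_IN_", "URIBL_", "RAZOR2_", "PYZOR_", "DCC_")
NUMBER = r"(-?\d+(?:\.\d+)?)"

EXPLAIN = {
    "not-scanned": "no X-Spam-Status header: the message bypassed SpamAssassin",
    "no-bayes": "no BAYES_* rule hit: Bayes is off, has fewer than 200 ham/spam, "
                "or was trained under a different user than the one scanning",
    "no-network-hit": "no DNSBL/Razor/Pyzor/DCC rule hit (the header alone "
                      "cannot show whether those checks ran)",
    "near-miss": "not tagged, but within 1.0 point of the threshold",
}


@dataclass
class SpamStatus:
    is_spam: bool
    score: float
    required: float
    tests: list

    @property
    def bayes(self):
        return [t for t in self.tests if t.startswith("BAYES_")]

    @property
    def network(self):
        return [t for t in self.tests if t.startswith(NETWORK_PREFIXES)]

    @property
    def margin(self):
        """Points short of the threshold (positive) or over it (negative)."""
        return round(self.required - self.score, 1)


def parse_status(raw_message):
    """Return SpamStatus for a raw message, or None without X-Spam-Status."""
    value = message_from_string(raw_message)["X-Spam-Status"]
    if value is None:
        return None
    value = " ".join(str(value).split())  # unfold continuation lines
    verdict = re.match(r"(Yes|No),", value)
    score = re.search(r"\b(?:score|hits)=" + NUMBER, value)  # 2.x wrote hits=
    required = re.search(r"\brequired=" + NUMBER, value)
    # Unfolding can leave spaces after commas; stop at the next key=value pair.
    tests = re.search(r"\btests=(.*?)(?=\s+\w+=|$)", value)
    if not (verdict and score and required and tests):
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    names = [t.strip() for t in tests.group(1).split(",")]
    names = [t for t in names if t and t != "none"]
    return SpamStatus(verdict.group(1) == "Yes", float(score.group(1)),
                      float(required.group(1)), names)


def diagnose(raw_message):
    """Return finding codes (keys of EXPLAIN) for one raw message."""
    status = parse_status(raw_message)
    if status is None:
        return ["not-scanned"]
    findings = []
    if not status.bayes:
        findings.append("no-bayes")
    if not status.network:
        findings.append("no-network-hit")
    if not status.is_spam and 0 < status.margin <= 1.0:
        findings.append("near-miss")
    return findings


if __name__ == "__main__":
    for label, raw in (("missed 1", MISSED_1), ("missed 2", MISSED_2),
                       ("with bayes", WITH_BAYES)):
        for code in diagnose(raw) or ["ok"]:
            print(label, "-", EXPLAIN.get(code, "nothing to report"))
```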
RE: spam filter working, but not well
Brian S. Meehan wrote: Spamassassin is invoked from Courier-MTA. (OS is SUSE Pro 9.3) The /usr/lib/courier/etc/courierd file has the following line:
DEFAULTDELIVERY="| /usr/bin/spamassassin | /usr/lib/courier/bin/maildrop"
FYI, a cleaner way to do this is:
DEFAULTDELIVERY="| /usr/lib/courier/bin/maildrop"
/etc/courier/maildroprc:
xfilter "/usr/bin/spamc"
This also gives you the ability to add some logic in the maildroprc if there are some messages that you don't want scanned. You can also use an exception clause if you want mail delivery to continue (unscanned) on spamc errors.
exception { xfilter "/usr/bin/spamc" }
-- Bowie
Re: No hit on this..
Martin Hepworth wrote: Anders Norrbring wrote: snip
Anders, here's my analysis
Content analysis details: (12.0 points, 5.0 required)
pts rule name description
0.7 HOST_EQ_D_D_D_D HOST_EQ_D_D_D_D
0.9 HOST_EQ_D_D_D_DB HOST_EQ_D_D_D_DB
0.9 DATE_IN_PAST_24_48 Date: is 24 to 48 hours before Received: date
0.5 FB_NIGERIAN1 BODY: FB_NIGERIAN1
0.6 J_CHICKENPOX_44 BODY: {4}Letter - punctuation - {4}Letter
5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50% [cf: 70]
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% [cf: 70]
0.6 HELO_MISMATCH_NET HELO_MISMATCH_NET
0.0 ADVANCE_FEE_1 Appears to be advance fee fraud (Nigerian 419)
I admit there's something weird with this.. If I save the text I posted in the post here, and then feed it into SA by invoking 'spamassassin -t letter', then I get this:
Content analysis details: 7.7 points.
Pts Rule name Description
4.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
3.1 HELO_DYNAMIC_DHCP Relay HELO'd using suspicious hostname (DHCP)
0.1 FORGED_RCVD_HELO Received: contains a forged HELO
0.9 DATE_IN_PAST_24_48 Date: is 24 to 48 hours before Received: date
-2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1% [score: 0.]
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address [196.217.101.248 listed in dnsbl.sorbs.net]
0.0 ADVANCE_FEE_1 Appears to be advance fee fraud (Nigerian 419)
-- Anders Norrbring Norrbring Consulting
Re: How to set up Razor (SOLVED)
I have it working fine, here is the idea: 1. Most of the documentation is out of date! One needs do absolutely nothing. Not true. It may function, but if you do nothing razor has to try and discover the servers for every message. This creates unnecessary traffic and processing power on both ends. You need to run razor-admin -create (twice for good measure - and then make sure it worked) as the user that will be calling razor (or every user that calls razor). This makes the available server data available locally. You also need to disable logging or eventually your disk will fill up with razor logs. You can do this globally if you like by configuring the site wide config file in the /etc/razor directory. I did do this. This is what failed before changing the firewall. Right, it would fail if the port is blocked. SA does not require this stuff but Razor works better with it done. About out-of-date documentation, suggested three steps. Running the first one said it was obsolete and the Razor works by default. Is this what you are referring to? http://marc.theaimsgroup.com/?l=razor-usersm=111962049416855 There have been some changes in versions, and when you run the deprecated command the error message is misleading and inaccurate. I don't use sid, but from what you describe it looks like the documentation doesn't fit the version (that is if it asks you to run razor-client). If so, I would submit a bug report to the Debian maintainer. The second was the discover and the third was to get a registration ID. Now, how do I use that to report spam? spamassassin -r message (for example) as the Bayes user in question (this will report to other stuff as well as razor). also see: man razor-agents SA tests for and will use Razor, Pyzor, etc., if they be installed. 2. All this is of no avail if TCP to port 2703 be not allowed by the firewall. This was buried in an email thread and not present in the documentation.
(It is not sufficient to enable from Razor's main site in a DMZ since other IPs are involved as well.) http://razor.sourceforge.net/docs/doc.php?type=textname=FAQ OK. When I install off Debian Sid, nothing refers me to sourceforge and neither the docs in the package nor the programs (could say discovery failed--cannot connect port 2703--check your firewall) suggested enabling stuff in the firewall. No doubt, that *would* be nice. Gary V
[SOLVED - Idiot inside] Re: No hit on this..
Anders Norrbring wrote: James Lay wrote: On Tue, 07 Nov 2006 14:51:01 +0100 Anders Norrbring [EMAIL PROTECTED] wrote: I don't get any points or hits on the following mail (source code) [8] I don't even see any SpamAssassin headers on this thing saying one way or the other... did this actually get piped through SpamAssassin? James Yes, it did, but the score was so low that Amavis-new didn't even tag it. I'm an idiot. I hate to say it, but I am. I had TWO versions of perl-SpamAssassin installed, one vendor_perl which was v3.1.7 and one site_perl at version 3.1.5. But there was nothing else corresponding to 3.1.5, no rules in /var/lib/spamassassin... And of course Amavis-new loaded the old perl module, not the new one. After deleting it, SA tagged the mail correctly. -- Anders Norrbring Norrbring Consulting
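The failure described in this post, an older Mail::SpamAssassin copy in site_perl hiding a newer one in vendor_perl, can be checked before it costs a debugging session. The Python sketch below is an added example, not part of the original post or of SpamAssassin; the function names and the directory tree it builds are constructed, and it assumes the module declares its version as `$VERSION = "3.001007";`, the same numbering that appears in the /var/lib/spamassassin/3.001007 path quoted elsewhere in this thread.

```python
import os
import re
import tempfile

# Assumption: Mail/SpamAssassin.pm carries a line such as $VERSION = "3.001007";
# (major.mmmppp), so 3.1.5 is written 3.001005.
VERSION_RE = re.compile(r"""\$VERSION\s*=\s*["']?(\d+)\.(\d{3})(\d{3})""")
MODULE = os.path.join("Mail", "SpamAssassin.pm")


def module_version(path):
    """Return (major, minor, patch) read from one SpamAssassin.pm, or None."""
    with open(path, encoding="latin-1") as handle:
        for line in handle:
            found = VERSION_RE.search(line)
            if found:
                return tuple(int(part) for part in found.groups())
    return None


def find_copies(inc_dirs):
    """Return [(path, version)] for every copy, in the order Perl searches."""
    copies = []
    for directory in inc_dirs:
        candidate = os.path.join(directory, MODULE)
        if os.path.isfile(candidate):
            copies.append((candidate, module_version(candidate)))
    return copies


def audit(inc_dirs):
    """Report which copy Perl would load and whether a newer one is hidden.

    inc_dirs must be in @INC order, e.g. the output of
    perl -e 'print join("\n", @INC)' run as the user the scanner runs as.
    """
    copies = find_copies(inc_dirs)
    if not copies:
        return {"loaded": None, "shadowed": [], "stale": False}
    loaded, shadowed = copies[0], copies[1:]
    stale = any(
        version is not None and loaded[1] is not None and version > loaded[1]
        for _, version in shadowed
    )
    return {"loaded": loaded, "shadowed": shadowed, "stale": stale}


def build_constructed_tree(root):
    """Constructed layout mirroring the post: site_perl 3.1.5 before vendor_perl 3.1.7."""
    layout = [("site_perl", "3.001005"), ("vendor_perl", "3.001007"), ("core", None)]
    inc_dirs = []
    for name, version in layout:
        directory = os.path.join(root, name)
        os.makedirs(os.path.join(directory, "Mail"), exist_ok=True)
        if version:
            with open(os.path.join(directory, MODULE), "w") as handle:
                handle.write('package Mail::SpamAssassin;\n$VERSION = "%s";\n1;\n'
                             % version)
        inc_dirs.append(directory)
    return inc_dirs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        report = audit(build_constructed_tree(root))
        print("loaded:  ", report["loaded"])
        print("shadowed:", report["shadowed"])
        print("stale module in use:", report["stale"])
```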
Re: mail bounce warning for the list
Mike Kenny wrote: On 11/7/06, Derek Harding [EMAIL PROTECTED] wrote: Gary W. Smith wrote: Was the SA group listed by spamcop last month? I just now received this for messages from October 26th. Who cares? [EMAIL PROTECTED]: 209.209.82.24 does not like recipient. Remote host said: 554 5.7.1 Service unavailable; Client host [140.211.11.2] blocked using bl.spamcop.net; Blocked - see _http://www.spamcop.net/bl.shtml?140.211.11.2_ Giving up on 209.209.82.24. Gary Wayne Smith Anyone dumb enough to block outright on the spamcop BL deserves whatever they don't get. Derek Is this not part of the problem? That many of these people who 'deserve whatever they don't get' are operating under the mistaken belief that these spam vigilantes are protecting them from spam and allowing legitimate mail through? We can enter into a pointless argument about whether this is due to the stupidity of their administrators or the arrogance of the knowledgeable administrators, but the fact is that this is happening. This is evidenced by the number of complaints from people claiming either not to have received legitimate email or to have it bounced by spamcop or some such site. Blocking mail based solely on the IP address (whether because it is a dynamic address or has at some time in the past sent a mail to a spamtrap) is akin to shooting the postman because yesterday you received an advertisement. Do you accept mail from bogon addresses? What if you received 1000 messages a day from a single IP in china and senderbase said it was the single worst spammer in the universe. Would you block it or waste cpu cycles scanning every bit of mail coming from it? What about IPs on the SBL spamhaus list? What if the IP was on SBL AND spamcop's list? Does that sound like a high enough 'score' to you? What if it's on 3 rbls and you can reject it rather than accept and scan it with SA?
The only way to kill spam is to inspect the mail using a tool such as SA and then reach an intelligent decision based on the results (the interpretation of the results will vary from site to site). Blocking IP addresses will not kill spam, it kills the mail system. The spammer will move to another IP, the poor innocent user doesn't know what to do and either accepts that his mail may not reach all recipients or reverts to licking stamps. NO system is perfect. Your system may be a grey haired old man. You can line up 150 grey haired old men if you like, but it's still spam they are supposed to stop. The important thing is accuracy and what FPs you can live with, not the method you use. You will have some FPs with any system that is designed to stop spam if it's any good. Yes, that is a contradiction, and that's the balance any sysadmin has to find. Ken A Pacific.Net mike
Re: new here, big problem
sheryle Stafford wrote: started getting interrupted and I was sent some version of the following with them: Our UCE (spam) detectors have been triggered by a message you received:- From: [EMAIL PROTECTED] Subject: SAMHSA Report: Cost/Coverage Limits Primary Barrier to MH Treatment Date: Fri Nov 3 12:25:15 2006 This message has not been delivered. The detectors that were triggered are spam, SpamAssassin. That reads to me like there are two classifiers going. One is listing itself as SpamAssassin and one is listing itself as spam. It looks like both are triggered and listing the message as a spam message. The generic spam tag could be from one of many other classification engines available today. The message to you has been detected as spam based on either its contents or the mail server which sent the message to us, or both. We do not accept unsolicited commercial (spam) e-mail and actively work to stop it. This looks like a message inserted by your company. This tells me that some type of filtering is in the mail path to you. Apparently they continue to deliver a stripped form of the message when it is classified as spam. (That is actually a very bad thing to do because stripped messages are themselves a form of spam.) If you have any questions about this, or you believe you have received this message in error, please contact the site system administrators. The SpamAssassin folks here are a user community who contribute to the use and development of the free tool. This is then often deployed by individual sites around the world. I would guess that someone has deployed spamassassin in your environment. Therefore contacting your site system administrators with this information makes sense. If this is being filtered by your site mail administrators then they will be able to adjust the filters so that these messages are not classified as spam. This is valuable feedback to them because many users will experience the same behavior. 
Your system administrators will need the following information: Server name: the antispam () MailScanner Message id: AD5344E6A97E.99C0B Date code: 20061103 Well that is not very useful because it does not say the name of the server! This does not look like a spamassassin message. This looks like a message added by a site mail handler. Uh, yeah, sure whatever you say. I do not have spamassassin, never downloaded it. You are using a mail client to access your mail from the mail server. SpamAssassin is a tool that is typically installed on a mail server. We believe you that you have not installed it on your desktop. It is most probably installed on your mail server by your site mail administrators. Here is another important point. There could be many mail servers between the sender and the recipient. Mail messages are passed along hop by hop from one server to the next. It is possible that for the problem with this message that the filtering is not happening at the final hop but instead at one of the relays in between. Your site mail administrator should be able to deduce this information from the message headers. I changed servers about a month ago at home and have checked with my ISP and they do not use it. The from address has not changed either. I retrieve my mail through Mozilla at home, the account that is having this problem is on my work account so I don't know how that interplays because I have a different server at home where I am pulling the messages from. This information seems odd and seems in conflict with itself. It reads to me that you have two paths for mail. One path comes through your home ISP and your ISP is handling the mail. Another path comes through your work account which you are also using for mail and simply accessing through your ISP. Your ISP will only be concerned with the mail through the ISP servers. But the above messages indicate that this is probably a problem through your company mail servers. 
I think you need to contact your company's mail administrators. Bob P.S. Note that your message went to a mailing list. When you reply please group reply to keep the mailing list in the discussion so that all there may help and the answers will be available to others searching the archives.
Re: Do something useful with bad addresses?
John Rudd wrote: I had a similar problem. I don't divert unknown addresses to sa-learn, but if I don't fish a message out of my spam folder within X days, it gets automatically sent to sa-learn and awl. Then, last week, I started seeing BAYES_00 on messages that would have otherwise been scored as spam. I responded by removing the negative values for low bayes probabilities. Wait, how does training random text as spam indicators result in Bayes thinking that text indicates ham? At worst, I can see it diluting the Bayes scores for strong indicators, resulting in more hits close to BAYES_50. But to trigger BAYES_00 means that you have to have trained something similar *as ham*. I expect this has less to do with automated training (since, by your description, we're not talking auto-learn, so it won't learn anything in that folder as ham) and more to do with a new type of spam that simulates real mail more effectively, or that manages to get auto-learned in the initial SA process (if you have auto-learn enabled). -- Kelson Vibber SpeedGate Communications www.speed.net
Re: No hit on this..
Razor, DCC, and Bayes have been catching these handily here, with occasional header tests. They've all hit in the 5.5-10 range. I think this is the next stage of the So-and-so wrote: spams, which would explain where my Bayes DB got the data. -- Kelson Vibber SpeedGate Communications www.speed.net
RE: spam filter working, but not well
Bowie, I implemented your changes and now I'm seeing BAYES scores on all messages, whether it is 00 or 99.
1) changed courierd defaultdelivery to be cleaner
2) added the xfilter line to the top of maildroprc above the sorting rules
3) added the exception to the bottom of maildroprc below the sorting rules (the folder sorting rules are things like:
if (/^X-Spam-Flag: .*YES/) {exception {to "$HOME/Maildir/.spam/"} }
Now I have a bayes item in the header of each spam and ham message. This is great! Thank you, Brian
On Tue, November 7, 2006 11:22, Bowie Bailey wrote: Brian S. Meehan wrote: Spamassassin is invoked from Courier-MTA. (OS is SUSE Pro 9.3) The /usr/lib/courier/etc/courierd file has the following line:
DEFAULTDELIVERY="| /usr/bin/spamassassin | /usr/lib/courier/bin/maildrop"
FYI, a cleaner way to do this is:
DEFAULTDELIVERY="| /usr/lib/courier/bin/maildrop"
/etc/courier/maildroprc:
xfilter "/usr/bin/spamc"
This also gives you the ability to add some logic in the maildroprc if there are some messages that you don't want scanned. You can also use an exception clause if you want mail delivery to continue (unscanned) on spamc errors.
exception { xfilter "/usr/bin/spamc" }
-- Bowie
-- All people who think everything is either black or white are idiots.
RE: spam filter working, but not well
Brian S. Meehan wrote: Bowie, I implemented your changes and now I'm seeing BAYES scores on all messages, whether it is 00 or 99.
1) changed courierd defaultdelivery to be cleaner
2) added the xfilter line to the top of maildroprc above the sorting rules
3) added the exception to the bottom of maildroprc below the sorting rules (the folder sorting rules are things like:
if (/^X-Spam-Flag: .*YES/) {exception {to "$HOME/Maildir/.spam/"} }
Now I have a bayes item in the header of each spam and ham message. This is great!
I'm not sure what you mean by "added the exception to the bottom of maildroprc". What does your maildroprc look like? -- Bowie
where rule resides/ and scored
Hi all, I'm sure this is pretty basic for the more experienced *nix/*bsd admins here, but I'm not yet one. I want to know where this rule lives and where the scoring is so that I may change it 0.0 ADVANCE_FEE_1 Appears to be advance fee fraud I just upgraded to 3.1.7 TIA Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
Re: where rule resides/ and scored
On Tue, Nov 07, 2006 at 01:38:56PM -0500, Jean-Paul Natola wrote: I want to know where this rules lives and where the scoring is so that I may change it 0.0 ADVANCE_FEE_1 Appears to be advance fee fraud Same as all the other default rules, either the default rules directory (typically /usr/share/spamassassin) or if you use sa-update it'll be in the local state directory (typically /var/lib/spamassassin/version/updates_spamassassin_org). More info in the spamassassin POD. -- Randomly Selected Tagline: For every soul, you are bound to find a heel.
Re: No hit on this..
I'm also getting a lot of variations on this spam trying to promote some junk stock. Every time a different name is in the subject like Demetrius here :) or Mabel here :) and of course the From: is different. RAZOR and DCC catch most of them but some slip through. One even managed to trigger only the following rules:
0.6 J_CHICKENPOX_44 BODY: 4alpha-pock-4alpha
0.0 ADVANCE_FEE_1 Appears to be advance fee fraud
I intend to add the rule Phil suggested of:
header SPAMMER_HERE Subject =~ /here \:\)$/
...
-- Ilan Aisic Registered Linux User 8124 http://counter.li.org
Re: Is the short circuit plugin available yet?
So today is it possible to simply do a head test and if it indicates unwanted language or whatever to not scan the body? Is there anything that short circuits body tests once a head test proves positive for certain types of tests? Quoting Justin Mason [EMAIL PROTECTED]: Robert Nicholson writes: I'm looking to run SA on some mailing list mail that's constantly getting bombarded by asian spam. So I would like the check to be as efficient as possible such that as soon as I know the mail has asian character sets or unwanted language I don't want it to check any more. Any chance I can short circuit the additional checking once I know the mail is likely to be asian or unwanted language? If you start using SVN trunk -- unreleased code -- you can use Shortcircuit. That check would work nicely ;) for what it's worth, I use SVN trunk on my own personal MX and it works great there... --j.
RE: where rule resides/ and scored-Clarification
Ok I found the rule, Now I just got a little more confused Does SA read and score from /var/lib/spamassassin/3.001007/updates_spamassassin_org As well as from /usr/local/etc/mail/spamassassin ?- this is where I have added custom rules in the past. And I do use sa-update Thanks for your tolerating me folks :) -Original Message- From: Theo Van Dinter [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 07, 2006 1:54 PM To: users@spamassassin.apache.org Subject: Re: where rule resides/ and scored On Tue, Nov 07, 2006 at 01:38:56PM -0500, Jean-Paul Natola wrote: I want to know where this rules lives and where the scoring is so that I may change it 0.0 ADVANCE_FEE_1 Appears to be advance fee fraud Same as all the other default rules, either the default rules directory (typically /usr/share/spamassassin) or if you use sa-update it'll be in the local state directory (typically /var/lib/spamassassin/version/updates_spamassassin_org). More info in the spamassassin POD. -- Randomly Selected Tagline: For every soul, you are bound to find a heel.
Re: where rule resides/ and scored-Clarification
On Tue, Nov 07, 2006 at 03:20:40PM -0500, Jean-Paul Natola wrote: Does SA read and score from /var/lib/spamassassin/3.001007/updates_spamassassin_org As well as from /usr/local/etc/mail/spamassassin ?- this is where I have added custom rules in the past. It'll read from both of those. The first is the local state dir, the second is your site config dir. As mentioned before, reading the spamassassin POD gives more information. http://wiki.apache.org/spamassassin/RuleUpdates has other info related to sa-update. -- Randomly Selected Tagline: I could nail your head to the table, set fire to it, and feed the charred remains to the pak-mara. But we can't always get what we want. - Sheridan on Babylon 5
SA filter load: massive increase
Hi, after fixing some lint errors that had gone unnoticed for some time, our MailScanner/SA filter server has started bogging under the daily flood of mail (~100k mails per day) - a load that had not done anything to the box before ... As the only change had been fixing the lint error, followed by RDJ update, I suspect one or multiple of the rules have caused the load increase ... here's the list of rules I use:
TRUSTED_RULESETS="SARE_REDIRECT_POST300 SARE_EVILNUMBERS2 SARE_BAYES_POISON_NXM SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3 SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3 SARE_SPECIFIC SARE_ADULT SARE_BML SARE_FRAUD SARE_SPOOF SARE_RANDOM SARE_SPAMCOP_TOP200 SARE_OEM SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3 SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI3 SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_OBFU SARE_STOCKS EVILNUMBERS SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_CODING SARE_FRAUD SARE_HEADER SARE_OEM SARE_RANDOM SARE_REDIRECT_POST300 SARE_SPECIFIC SARE_SPOOF TRIPWIRE ZMI_GERMAN";
Anything that could cause massive backlog and should be dropped? Thanks! -garry
RE: where rule resides/ and scored-Clarification
Jean-Paul Natola wrote: Ok I found the rule, Now I just got a little more confused Does SA read and score from /var/lib/spamassassin/3.001007/updates_spamassassin_org As well as from /usr/local/etc/mail/spamassassin ?- this is where I have added custom rules in the past. And I do use sa-update The default rules live in two places: /usr/share/spamassassin/ /var/lib/spamassassin/3.001007/updates_spamassassin_org/ Don't touch the files in these directories. Your custom rules and score changes should be in /usr/local/etc/mail/spamassassin/ -- Bowie
The greedy SA 3.1.7
Hi, I have been watching one of my servers running 3.1.7 for several days. With just the default install and a simplistic local.cf, this server is scoring messages so highly that I have gotten suspicious. I decided to deinstall and reinstall everything, even blew away all bayes data! I especially have an issue with the way it's scoring Mail Delivery Failures, all of which seem to be classified as spam with very high scores. It would appear that NDR are not reaching my users, just because of this behaviour. Another thing I have noted is the fact that even legit mail is being scored highly as spam, but it is the scores that are really amazing. I have used rulesdujour sparingly, with the following rules:
TRUSTED_RULESETS="TRIPWIRE ANTIDRUG SARE_ADULT SARE_SPOOF SARE_OEM SARE_HEADER SARE_OBFU SARE_GENLSUBJ SARE_UNSUB SARE_WHITELIST"
I have even disabled all these rules, but still, the SA seems to have developed a mind of its own. Now I am lost as to why this should happen. I have put my local.cf at http://mx0.wananchi.com/sa/ I have also put in there a file named sample-data.txt which contains an extract of my MTA's logs as SA is rejecting data. I am logging the data with the following fields:
DISCARD_SPAM: Size::$message_size Score::SA_SCORE F:sender_addr T:recipient_addr S:message_subject
PS: This data is here for a few hours only.. Again, it's simply amazing how much score (and damage) SA seems to be showing. Please advise. -Wash
http://www.netmeister.org/news/learn2quote.html DISCLAIMER: See http://www.wananchi.com/bms/terms.php
-- Odhiambo Washington [EMAIL PROTECTED] Wananchi Online Ltd. www.wananchi.com Tel: +254 20 313985-9 +254 20 313922 GSM: +254 722 743223 +254 733 744121
When Marriage is Outlawed, Only Outlaws will have Inlaws.
Re: The greedy SA 3.1.7
At 12:58 PM 11/7/2006, you wrote:
> It would appear that NDR are not reaching my users, just because of this behaviour.

Why? SpamAssassin isn't deleting messages, so what else is?

> Another thing I have noted is the fact that even legit mail is being scored highly as spam, but it is the scores that are really amazing.
> I have also put in there a file named sample-data.txt which contains an extract of my MTA's logs as SA is rejecting data. I am logging the data with the following fields:

SpamAssassin isn't rejecting anything.

> DISCARD_SPAM: Size::$message_size Score::SA_SCORE F:sender_addr T:recipient_addr S:message_subject
> PS: This data is here for a few hours only..
> Again, it's simply amazing how much score (and damage) SA seems to be showing. Please advise.

Put on your website a sample message with SpamAssassin markup.
RE: BIG increase in spam today
On Thu, November 2, 2006 20:22, Mark wrote:
> The rest of the invalid HELOs are just non-FQDNs (like HELO friend), or IP addresses (not inside braces, like an address literal).

could be a spammer that call his computer friend since Microsoft have a habit of denying . in the computer name

most spams also just have a computer name as message-id again without a dot

> Seriously, HELO tests rock!

don't tell spammer how fool icy they are :-)

--
This message was sent using 100% recycled spam mails.
dccifd broken pipe
This might be a better suited question for the DCC list but thought I'd give a try here.

I am calling DCC via SA and using the default (out of the box) DCC servers.

SpamAssassin version 3.1.5
DCC 1.3.42

I am seeing this error more and more frequently in my logs and am wondering if it is just due to DCC server loss of connectivity perhaps due to network latency ? Anybody seen this and or have a clue ?

Nov 7 15:48:10 kady.education.ucsb.edu dccifd[14514]: [ID 465929 mail.error] write(MTA socket,53): Broken pipe
Nov 7 15:48:10 kady.education.ucsb.edu dccifd[14514]: [ID 465929 mail.error] write(MTA socket,49): Broken pipe
Nov 7 15:48:10 kady.education.ucsb.edu dccifd[14514]: [ID 465929 mail.error] write(MTA socket,53): Broken pipe
Nov 7 15:48:12 kady.education.ucsb.edu dccifd[14514]: [ID 465929 mail.error] write(MTA socket,65): Broken pipe

-john

--
John Goubeaux
Systems Administrator
Gevirtz Graduate School of Education
UC Santa Barbara
Phelps Hall 3534
805 893-8190
Re: The greedy SA 3.1.7
Odhiambo Washington wrote:
> Hi,
>
> I have been watching one of my servers running 3.1.7 for several days.

<snip>

> I have used rulesdujour sparingly, with the following rules:
>
> TRUSTED_RULESETS=
> TRIPWIRE
> ANTIDRUG

It's not part of your problem, but: Do NOT use antidrug with SA 3.0.0 or higher. (I'm the author of antidrug.)

These rules are already a part of SA 3.0.0 and higher, and if I, or anyone else, ever makes fixes to the main codebase, this file will downgrade those changes.
Phisher tracking visits
Looks like this phisher is tracking visits to his page:

/* SiteCatalyst code version: H.5. Copyright 1997-2006 Omniture, Inc. More info available at http://www.omniture.com */
var s_account=paypalglobal
var s=s_gi(s_account)
s.visitorNamespace=paypal
s.trackDownloadLinks=true
s.linkDownloadFileTypes=exe,zip,wav,mp3,mov,mpg,avi,wmv,doc,pdf,xls
s.trackExternalLinks=true
s.linkInternalFilters=javascript:,paypal.com
s.trackInlineStats=true
s.linkLeaveQueryString=true
s.linkTrackVars=prop30,prop31,prop47
s.linkTrackEvents=None
s.charSet=
s.currencyCode=
s.formList=
s.trackFormList=false
s.trackPageName=true
s.useCommerce=true
s.varUsed=eVar2
s.eventList=event13
s.faUsePlugins=true

Bunch more below this at:
http://www.paypalobjects.com/js/site_catalyst/pp_jscode_080706.js

Then there was this

/* DO NOT ALTER ANYTHING BELOW THIS LINE ! **/
var s_code=s.t();if(s_code)document.write(s_code)
// -- /script
script language=JavaScript !--
if(navigator.appVersion.indexOf(apsMSIEaps)=0)document.write(unescape(aps%3Caps)+aps\!-aps+aps-aps)
//-- /script
noscript
img src=//paypal.112.2O7.net/b/ss/paypalglobal/1/H.6--NS/0?pageName=NonJavaScript height=1 width=1 border=0 alt= /
/noscript
!--/DO NOT REMOVE/--
!-- End SiteCatalyst Code --
script type=text/javascript src=http://www.paypalobjects.com/js/pp_naturalsearch.js;/script
script type=text/javascript !--
var ppns = new PayPalNaturalSearch(apshttps://www.paypal.com/cgi-bin/webscr?cmd=p/wel/index-outsideaps,aps3484-30830-12422-0aps,this.document);
ppns.addEngines(new Array(
A9.com, .altavista.com, clusty.com, google.co.jp, google.co.kr, google.ru, www.google.com, icerocket.com, infospace.com, mooter.com, search.msn., snap.com, search.yahoo.com, search.yahoo.co.jp ,www.overture.com/d/search/p/altavista/, aolsearch.aol.com, search.aol.com, web.ask.com, pictures.ask.com, images.google.com, groups.google.com, www.google.com/search, www.hotbot.com, search.netscape.com, s.teoma.com/, www.wisenut.com
)); // End of aEngines array.
ppns.init();
-- /script
/body
/html

--
Chris
Re: SA filter load: massive increase
Garry Glendown wrote:
> Hi,
>
> after fixing some lint errors that had gone unnoticed for some time, our MailScanner/SA filter server has started bogging under the daily flood of mail (~100k mails per day) - a load that had not done anything to the box before ...
>
> As the only change had been fixing the lint error, followed by RDJ update, I suspect one or multiple of the rules have caused the load increase ... here's the list of rules I use:
>
> TRUSTED_RULESETS=SARE_REDIRECT_POST300 SARE_EVILNUMBERS2 SARE_BAYES_POISON_NXM SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3 SARE_HTML0 SARE_HTML1 SARE_HTML2 SARE_HTML3 SARE_SPECIFIC SARE_ADULT SARE_BML SARE_FRAUD SARE_SPOOF SARE_RANDOM SARE_SPAMCOP_TOP200 SARE_OEM SARE_GENLSUBJ0 SARE_GENLSUBJ1 SARE_GENLSUBJ2 SARE_GENLSUBJ3 SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI3 SARE_WHITELIST_SPF SARE_WHITELIST_RCVD SARE_OBFU SARE_STOCKS EVILNUMBERS SARE_ADULT SARE_BAYES_POISON_NXM SARE_BML SARE_CODING SARE_FRAUD SARE_HEADER SARE_OEM SARE_RANDOM SARE_REDIRECT_POST300 SARE_SPECIFIC SARE_SPOOF TRIPWIRE ZMI_GERMAN;
>
> Anything that could cause massive backlog and should be dropped?

Nothing jumps out at me as causing your problem.

However, if you have network tests enabled, ditch SARE_SPAMCOP_TOP200. This is really only intended as a tool for folks that can't use network tests, and is 100% redundant with the network tests built into versions of SA higher than 3.0.0. And given that you're using SARE_WHITELIST_SPF, you have network tests enabled, and are using a recent version of SA.

In general I'd take a look at the sizes of the rule files themselves.. Look for ones that are significantly larger than 128k or so.

In general the files should be in /etc/mail/spamassassin, /etc/spamassassin, or /usr/local/etc/mail/spamassassin, depending on what platform, package and build options were used.

> Thanks!
> -garry
RE: dccifd broken pipe
> This might be a better suited question for the DCC list but thought I'd give a try here.
>
> I am calling DCC via SA and using the default (out of the box) DCC servers.
>
> SpamAssassin version 3.1.5
> DCC 1.3.42
>
> I am seeing this error more and more frequently in my logs and am wondering if it is just due to DCC server loss of connectivity perhaps due to network latency ? Anybody seen this and or have a clue ?
>
> Nov 7 15:48:10 kady.education.ucsb.edu dccifd[14514]: [ID 465929 mail.error] write(MTA socket,53): Broken pipe
> Nov 7 15:48:10 kady.education.ucsb.edu dccifd[14514]: [ID 465929 mail.error] write(MTA socket,49): Broken pipe
> Nov 7 15:48:10 kady.education.ucsb.edu dccifd[14514]: [ID 465929 mail.error] write(MTA socket,53): Broken pipe
> Nov 7 15:48:12 kady.education.ucsb.edu dccifd[14514]: [ID 465929 mail.error] write(MTA socket,65): Broken pipe
>
> -john
> --

I think lots of people see this now and again.

http://www.rhyolite.com/pipermail/dcc/2005/002917.html

probably a timeout. I set:

dcc_timeout 8

and it seems to help. I think this may be the default for new SA versions, but I'm not certain about that.

Gary V
Re: Is the short circuit plugin available yet?
> So today is it possible to simply do a head test and if it indicates unwanted language or whatever to not scan the body?

If by today you mean using the currently unreleased trunk code, yes.

> Is there anything that short circuits body tests once a head test proves positive for certain types of tests?

You misunderstand slightly. All tests, no matter what they are for, can be assigned a priority. The tests with the higher priority (which I believe is actually the lower number) are run before those with lower priority. (Unless they are meta dependencies and the meta test priority forces them earlier. And a few other minor weird cases.)

You can also specify a tflags value for a test that will indicate that it should 'short circuit' all following tests. If this test has a fairly high priority it will run fairly early. If it hits it will stop further tests. It doesn't matter if the test itself is a head test, a body test, or something else.

Loren
Re: SA filter load: massive increase
Matt Kettler wrote:
> In general I'd take a look at the sizes of the rule files themselves.. Look for ones that are significantly larger than 128k or so.

Of those, there only few:

-rw-r--r-- 1 root root 384645 Oct 30 2005 70_sare_header.cf
-rw-r--r-- 1 root root 158513 Oct 1 2005 70_sare_obfu.cf

Given both are significantly older than the occurrence of the performance decrease, neither should be the cause ... in fact, the only sare-rules that have dates newer than Oct 1st are sare_stocks and sc_top200 ...

-gg
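Added example, not code from the thread: a scan for the oversized rule files Matt suggests looking for, which also flags any that changed after a cutoff date, the check Garry makes by eye above. The three directories and the 128k figure come from the thread; the function name and the cutoff date used in the demo are assumptions.

```python
import os
from datetime import datetime

# Directories named in the thread; which one applies depends on platform and build.
RULE_DIRS = [
    "/etc/mail/spamassassin",
    "/etc/spamassassin",
    "/usr/local/etc/mail/spamassassin",
]


def large_rule_files(dirs=RULE_DIRS, min_bytes=128 * 1024, changed_since=None):
    """Return .cf files larger than min_bytes, biggest first.

    Each hit carries its size and mtime; "recent" is True when the file was
    modified on or after changed_since (a naive local datetime), so files that
    predate a performance regression can be ruled out quickly.
    """
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue  # not every platform has every directory
        for name in sorted(os.listdir(d)):
            if not name.endswith(".cf"):
                continue
            path = os.path.join(d, name)
            st = os.stat(path)
            if st.st_size <= min_bytes:
                continue
            mtime = datetime.fromtimestamp(st.st_mtime)
            hits.append({
                "path": path,
                "size": st.st_size,
                "mtime": mtime,
                "recent": changed_since is not None and mtime >= changed_since,
            })
    return sorted(hits, key=lambda h: h["size"], reverse=True)


if __name__ == "__main__":
    # Hypothetical cutoff: the date after which the load increase was noticed.
    for h in large_rule_files(changed_since=datetime(2006, 10, 1)):
        flag = "CHANGED" if h["recent"] else "older"
        print(f'{h["size"]:>9}  {h["mtime"]:%Y-%m-%d}  {flag:7}  {h["path"]}')
```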
Re: The greedy SA 3.1.7
* On 07/11/06 13:19 -0800, Evan Platt wrote:
| At 12:58 PM 11/7/2006, you wrote:
| It would appear that NDR are not reaching my users, just because of this
| behaviour.
|
| Why? SpamAssassin isn't deleting messages, so what else is?

Well, I have told my MTA to reject mail that scores above 7, so yes, I am responsible for these not getting there, but SA is responsible for the high scores, which is what I am trying to address.

| Another thing I have noted is the fact that even legit mail is being
| scored highly as spam, but it is the scores that are really amazing.
| I have also put in there a file named sample-data.txt which contains
| an extract of my MTA's logs as SA is rejecting data. I am logging the
| data with the following fields:
|
| SpamAssassin isn't rejecting anything.

My problem is not with rejections, but with the wildly high scores ;)

| Put on your website a sample message with SpamAssassin markup.

Okay. I am gonna do this in a few minutes

-Wash
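Added example (not part of the thread and not Wash's own tooling): one way to summarise an MTA log written in the DISCARD_SPAM layout quoted in this thread and count how many discarded messages were bounces. The sample lines, the timestamp prefix and the rendering of the null sender as `<>` are constructed assumptions; the threshold of 7 is the one stated in the reply above.

```python
import re
from statistics import median

# Field order is the one given in the thread:
#   DISCARD_SPAM: Size::<bytes> Score::<score> F:<sender> T:<recipient> S:<subject>
# Exact spacing and numeric formats are assumptions.
LINE_RE = re.compile(
    r"DISCARD_SPAM: Size::(?P<size>\d+) Score::(?P<score>-?\d+(?:\.\d+)?) "
    r"F:(?P<sender>\S*) T:(?P<rcpt>\S+) S:(?P<subject>.*)$"
)

# Constructed sample lines, not taken from sample-data.txt.
SAMPLE = [
    "2006-11-07 21:02:11 DISCARD_SPAM: Size::2841 Score::23.4 F:<> "
    "T:user1@example.com S:Mail delivery failed: returning message to sender",
    "2006-11-07 21:02:15 DISCARD_SPAM: Size::10233 Score::31.0 "
    "F:promo@example.net T:user2@example.com S:Buy now",
    "2006-11-07 21:03:40 DISCARD_SPAM: Size::3100 Score::8.1 "
    "F:MAILER-DAEMON@mx.example.org T:user3@example.com "
    "S:Undelivered Mail Returned to Sender",
    "2006-11-07 21:04:02 some unrelated log line",
]


def parse_line(line):
    """Return a dict of fields for a DISCARD_SPAM line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["score"] = float(rec["score"])
    return rec


def is_bounce(rec):
    """A delivery report has the null envelope sender or comes from MAILER-DAEMON."""
    sender = rec["sender"].strip("<>").lower()
    return sender == "" or sender.split("@")[0] == "mailer-daemon"


def summarize(lines, threshold=7.0, margin=2.0):
    """Count discarded bounces and messages that only just crossed the threshold."""
    recs = [r for r in map(parse_line, lines) if r]
    return {
        "parsed": len(recs),
        "bounces": sum(1 for r in recs if is_bounce(r)),
        "median_score": median(r["score"] for r in recs) if recs else None,
        "near_threshold": sum(1 for r in recs if r["score"] < threshold + margin),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high bounce count here points at the MTA's discard policy for delivery reports; the per-rule breakdown still has to come from a message carrying the SpamAssassin report, as requested in the thread.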
Re: The greedy SA 3.1.7
* On 07/11/06 20:23 -0500, Matt Kettler wrote:
| Odhiambo Washington wrote:
| Hi,
|
| I have been watching one of my servers running 3.1.7 for several days.
|
| <snip>
| I have used rulesdujour sparingly, with the following rules:
|
| TRUSTED_RULESETS=
| TRIPWIRE
| ANTIDRUG
|
| It's not part of your problem, but: Do NOT use antidrug with SA 3.0.0 or
| higher. (I'm the author of antidrug.)
| These rules are already a part of SA 3.0.0 and higher, and if I, or
| anyone else, ever makes fixes to the main codebase, this file will
| downgrade those changes.

Noted with thanks

Best regards,
Odhiambo Washington
Systems Admin, Wananchi Online Ltd.
Single *letter* gif spams (ransom-note-style)
Got some spams with apparently a single letter per gif, like a ransom note, with different color backgrounds, capitalization, fonts, etc., *per letter*. Is this new?

http://www.surbl.org/evidence/single-letter-gif-spam.png (rendered, somewhat redacted)

(I'm not going to bother posting the message source, as you'll probably all be getting them soon.)

One of our OCR programs did not decode it correctly, which presumably is the goal of the ransom-note-style. The message also passed through greylisting, meaning the sending agent retries later like a real MTA.

Sent from rene.com.pl, a Polish DSL provider, presumably from a bot.

Advertised domain is:
usably.net

Related domains:
palatals.net
mayoresses.com (nameserver)
wrongdoers.net (nameserver)

All registered 14 July 2006 on xinnet.cn, all with the same whois:

Domain Name: WRONGDOERS.NET
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.paycenter.com.cn
Name Server: NS.XINNETDNS.COM
Name Server: NS.XINNET.CN
Status: ACTIVE
EPP Status: ok
Updated Date: 01-Nov-2006
Creation Date: 14-Jul-2006
Expiration Date: 14-Jul-2007

Domain Name: wrongdoers.net

Registrant:
Mike Vester
Allensteiner Strasse 24
47237

Administrative Contact:
Mike Vester
Mike Vester
Allensteiner Strasse 24
Duisburg 47237
Germany
tel: 49 7161 3079405
fax: 49 7161 3079405
[EMAIL PROTECTED]

Technical Contact:
Mike Vester
Mike Vester
Allensteiner Strasse 24
Duisburg 47237
Germany
tel: 49 7161 3079405
fax: 49 7161 3079405
[EMAIL PROTECTED]

Billing Contact:
Mike Vester
Mike Vester
Allensteiner Strasse 24
Duisburg 47237
Germany
tel: 49 7161 3079405
fax: 49 7161 3079405
[EMAIL PROTECTED]

Registration Date: 2006-07-14
Update Date: 2006-11-02
Expiration Date: 2007-07-14

Primary DNS: ns.xinnetdns.com 210.51.170.66
Secondary DNS: ns.xinnet.cn 210.51.171.209

Jeff C.
--
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/
Re: No hit on this..
Randal, Phil skrev:
> We got a bunch of these slip through as low-scoring. This rule helps - score as you see fit:
>
> header   SPAMMER_HERE Subject =~ /here \:\)$/
> describe SPAMMER_HERE Spammer here
> score    SPAMMER_HERE 4
>
> Phil

Thanks Phil! That simple rule pushes these mails over the kill limit. Now we don't have to see them at all.. :)

Anders.

> -----Original Message-----
> From: Anders Norrbring [mailto:[EMAIL PROTECTED]
> Sent: 07 November 2006 13:51
> To: users@spamassassin.apache.org
> Subject: No hit on this..
>
> I don't get any points or hits on the following mail (source code)
>
> Return-Path: [EMAIL PROTECTED]
> Received: from mail.the-server.net (192.168.222.210 [192.168.222.210]) by iris (Cyrus v2.1.15) with LMTP; Tue, 07 Nov 2006 14:16:42 +0100
> X-Sieve: CMU Sieve 2.2
> Received: from amavis.the-server.net (localhost [127.0.0.1]) by mail.the-server.net (Postfix) with ESMTP id A18B4289E for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:42 +0100 (CET)
> X-Virus-Scanned: amavisd-new, Kaspersky, NOD32 F-Secure AV at the-server.net
> Received: from mail.the-server.net ([127.0.0.1]) by amavis.the-server.net (siri.the-server.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id f1VtfVKEydJi for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:35 +0100 (CET)
> Received: from adsl196-248-101-217-196.adsl196-12.iam.net.ma (adsl196-248-101-217-196.adsl196-12.iam.net.ma [196.217.101.248]) by mail.the-server.net (Postfix) with ESMTP id C32F527CE for [EMAIL PROTECTED]; Tue, 7 Nov 2006 14:16:34 +0100 (CET)
> Received: from 207.46.163.22 (HELO mail.global.sprint.com) by onlineperv.net with esmtp (XY858TN74 NPLTF7) id 65QEDV-QBQJSL-FU for [EMAIL PROTECTED]; Mon, 6 Nov 2006 10:30:57 -0060
> From: Reinaldo Gallagher [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Reinaldo here :)
> Date: Mon, 6 Nov 2006 10:30:57 -0060
> Message-ID: [EMAIL PROTECTED]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Office Outlook, Build 11.0.5510
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
> Thread-Index: Aca6QHEK2ARZEZF3J8OLNEYUMM69T6==
>
> What's the first rule of investing? Buy low sell high! Yesterday, market forces caused our top pick (EGLY) to close down on the day. This gives our members the perfect opportunity to pick some up on the cheap before the big news!
>
> Ever-Glory International (EGLY)
> Current: 0.63
> Projected: 1.30
> Rating: 5/5
>
> Here's the latest news: LOS ANGELES, CALIFORNIA-(MARKET WIRE)-Nov 6, 2006 - 9:45am- The Relationship between Ever-Glory and Disney's Agent is going well, with Orders Recorded in Excess of $100,000 for First Half of 2006. We believe that having such a relationship with Disney is a huge window of opportunity which could lead to extremely large contracts. Go EGLY!
>
> Other news: LOS ANGELES, CALIFORNIA-(MARKET WIRE)-Nov 1, 2006 10:16pm- Ever-Glory International Group, a multinational enterprise specializing in garment manufacturing and exports, has expanded the scope of its business in 2006, wherein the first half of the year, completed orders from a single customer, CA, totaled a staggering US$5.6 Million. This is just ONE customer! Many others have placed large orders this quarter.
>
> August 8th - $2mil order from Matalan
> July 25th - $500k order from Debenhams
> July 10th - $1mil order from OTTO
>
> Please check all these figures with your favorite source. EGLY is the real deal! We are expecting third quarter numbers to be out soon and are telling all of our members to take a position in before the data hits the street. These fortuitous figures are going to shock the market and send this one way up! Give yourself the chance to come out WAY ahead here. Fortune favors the bold!
>
> Also news are
>
> CHICAGO, Illinois (AP) -- New national data show school bus-related accidents send 17,000 U.S. children to emergency rooms each year, more than double the number in previous estimates that only included crashes.
>
> SAN FRANCISCO (Reuters) -- Google Inc. is set to begin helping customers buy advertisements in 50 U.S. newspapers in a test of how the Web search leader can extend its business into offline media, the company said on Sunday.
>
> WASHINGTON (CNN) -- The morning after the closely fought midterm elections, the U.S. Supreme Court will hear its first major abortion case in six years.
>
> PENSACOLA, Fla. (CNN) -- President Bush tried to rally Republican supporters in Florida at an event the state's GOP candidate for governor skipped Monday, raising the hackles of a top White House aide in the final hours before the midterm elections.