Re: Single *letter* gif spams (ransom-note-style)
I'm wondering which rules you have that flagged that so well. The same spam message for me scored low:

  X-Spam-Status: No, score=2.1 required=4.9 tests=BAYES_50, DK_POLICY_SIGNSOME, EXTRA_MPART_TYPE, HTML_MESSAGE, TRACKER_ID autolearn=no version=3.1.7

I'm using all default rule sets, network tests, bayes, and all plugins enabled except razor.

Quinn

On Wed, 08 Nov 2006 03:28:04 -0500, Daryl C. W. O'Shea wrote:
> Not one made it by SA unmarked (at 5.0+). The lowest scoring one I noticed was 7.8 while most fell evenly between 11 and 20.
Re: netset: cannot include w.x.y.z as it has already been included
Matt Kettler wrote:
> Gilles Hamel wrote:
>> Hello,
>> We are running v3.1.5 with mimedefang. Here is our setup:
>>   our own MTA with spamassassin ---/-- MTA at our ISP, our MX is HERE w.x.y.z / INTERNET
>> In the local.cf file we have:
>>   trusted_networks w.x.y.z # Our MX
>> Every time mimedefang spawns a child, we get this warning in the log file. If we remove the trusted_networks parameter, the warning vanishes. Can you explain the reason for this warning?
>> Thank you
> Is there a duplicate setting in some other config file, ie: sa-mimedefang.cf?

I've just done a new install of mimedefang 2.58 with spamassassin 3.17 and have confirmed that there are no duplicate settings in any of the config files in /etc/mail/spamassassin. Also, /etc/mail/sa-mimedefang.cf is a symbolic link to /etc/mail/spamassassin/sa-mimedefang.cf for forwards compatibility.

The error happens once each for every network included in either trusted_networks or internal_networks. As an example, in sa-mimedefang.cf:

  trusted_networks 1.1.1.1/32 2.2.2.2/32
  internal_networks 127.0.0.1/32 3.3.3.0/24

The errors in my log files are:

  mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 1.1.1.1/32 as it has already been included
  mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 2.2.2.2/32 as it has already been included
  mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 127.0.0.1/32 as it has already been included
  mimedefang-multiplexor[PID]: Slave 1 stderr: netset: cannot include 3.3.3.0/24 as it has already been included

This doesn't appear to be causing any problems, however.

Cross-posting to the mimedefang list as well.

Alan
Re: Single *letter* gif spams (ransom-note-style)
are you using sa-update?

--j.

Quinn Comendant writes:
> I'm wondering which rules you have that flagged that so well. The same spam message for me scored low:
>   X-Spam-Status: No, score=2.1 required=4.9 tests=BAYES_50, DK_POLICY_SIGNSOME, EXTRA_MPART_TYPE, HTML_MESSAGE, TRACKER_ID autolearn=no version=3.1.7
> I'm using all default rule sets, network tests, bayes, and all plugins enabled except razor.
>
> Quinn
>
> On Wed, 08 Nov 2006 03:28:04 -0500, Daryl C. W. O'Shea wrote:
>> Not one made it by SA unmarked (at 5.0+). The lowest scoring one I noticed was 7.8 while most fell evenly between 11 and 20.
Re: Block wrote: spams
Justin Mason wrote:
> there's a rule that matches them in 3.1.x sa-update, fwiw.

Really? Mine is up to date and they still get through... One thing I've noticed is the envelope return path... Watching this morning, they all seem to be from 'deborasomething@random.domain'

Hamish.
RE: How to set up Razor (SOLVED)
Hello,

Thanks for the logging tip. How should I disable razor logging exactly? This is what I have in razor-agent.conf:

  #
  # Razor2 config file
  #
  # Autogenerated by Razor-Agents v2.82
  # Thu Oct 26 12:17:46 2006
  # Created with all default values
  #
  # see razor-agent.conf(5) man page
  #
  debuglevel = 3
  identity = identity
  ignorelist = 0
  listfile_catalogue = servers.catalogue.lst
  listfile_discovery = servers.discovery.lst
  listfile_nomination = servers.nomination.lst
  logfile = razor-agent.log
  logic_method = 4
  min_cf = ac
  razordiscovery = discovery.spamnet.com
  rediscovery_wait = 172800
  report_headers = 1
  turn_off_discovery = 0
  use_engines = 4,8
  whitelist = razor-whitelist

Best Regards,
Leon Kolchinsky

-Original Message-
From: Gary V [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 07, 2006 5:25 PM
To: users@spamassassin.apache.org
Subject: RE: How to set up Razor (SOLVED)

> Installed it off Debian Sid. How do I get SA to make use of it?
>
> Thanks for all the helpful responses. I have it working fine, here is the idea:
>
> 1. Most of the documentation is out of date! One needs do absolutely nothing.

Not true. It may function, but if you do nothing razor has to try and discover the servers for every message. This creates unnecessary traffic and processing power on both ends. You need to run razor-admin -create (twice for good measure - and then make sure it worked) as the user that will be calling razor (or every user that calls razor). This makes the available server data available locally. You also need to disable logging or eventually your disk will fill up with razor logs. You can do this globally if you like by configuring the site wide config file in the /etc/razor directory.

> SA tests for and will use Razor, Pyzor, etc., if they be installed.
>
> 2. All this is of no avail if TCP to port 2703 be not allowed by the firewall. This was buried in an email thread and not present in the documentation. (It is not sufficient to enable from Razor's main site in a DMZ since other IPs are involved as well.)

http://razor.sourceforge.net/docs/doc.php?type=text&name=FAQ

Q: I have a firewall. What ports do I need to open in order for Razor2 to work?

Outgoing TCP port 2703 (Razor2), only. Previous versions used TCP port 7 (echo), but this is no longer used.

Gary V
RE: Block wrote: spams
Hi,

I've just run sa-update on my 3.1.4 box and it's not picked up anything new. In fact, looking at the dates on the files, it looks like there haven't been any updates to these rules since the first time I ran sa-update back in August. Is sa-update only supporting the newer releases of 3.1.x?

Thanks,
Jonathan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 03 November 2006 17:44
To: Loren Wilton
Cc: users@spamassassin.apache.org
Subject: Re: Block wrote: spams

there's a rule that matches them in 3.1.x sa-update, fwiw.

--j.

Loren Wilton writes:
> I haven't seen any of these. But if the spams universally have single word wrote: stuff as the subject then I'd consider a more stringent rule:
>
>   /^\w+\s+wrote:/i
>
> or
>
>   /^(?:\w+\s+){1,2}wrote:/i
>
> or
>
>   /^(?:re:\s*|fw:\s*){0,20}(?:\w+\s+){1,2}wrote:/i
>
> Loren
>
> - Original Message -
> From: Juan Mas
> To: MIKE YRABEDRA
> Cc: spamassassin-users
> Sent: Friday, November 03, 2006 7:15 AM
> Subject: Re: Block wrote: spams
>
> I've been getting the same and just wrote a rule for it today. I've got what you have listed below. Haven't tested it though.
>
> On 11/3/06, MIKE YRABEDRA [EMAIL PROTECTED] wrote:
>> I am getting a lot of these "Bob wrote:" spams. Anyone know a way to write the rule so if the subject has wrote: in the subject, tag it? Here is what I have:
>>
>>   # the original /\bwrote\:\b/ needs a word character right after the colon,
>>   # so "Bob wrote: ..." (colon followed by a space) would never match
>>   header WROTE_SUB Subject =~ /\bwrote:/i
>>   describe WROTE_SUB Wrote in Subject
>>   score WROTE_SUB 3.0
>>
>> --
>> Mike Yrabedra B^)
>
> --
> -Juan
RE: How to set up Razor (SOLVED)
> Hello,
>
> Thanks for the logging tip. How should I disable razor logging exactly? This is what I have in razor-agent.conf:
>
>   debuglevel = 3
>
> Best Regards,
> Leon Kolchinsky

  debuglevel = 0

Gary V
Problem with spamd
Hi,

about a week ago my server started experiencing load problems and eventually closed all connections. It is running at an ISP and has lots of software preconfigured including spam assassin configured by the ISP. There are currently two problems: spamd is nearly monopolising the CPU but also the tcprcvbuf eventually gets used up; but I suspect the two are related. As I did not configure the system I am having to work my way through, but it looks like a default install. I could not find anything on the FAQ relating to this specifically apart from the reference to max-children (set to 1 in this case). It doesn't look like there are a lot of e-mails to process. The setup is Debian with spamd being called as an Exim transport.

These are the active rules:

  vs171127:/usr/share/spamassassin# ls -l
  total 552
  -rw-r--r-- 1 root root   6013 Jun 30 2005 10_misc.cf
  -rw-r--r-- 1 root root   1600 Jun 30 2005 20_anti_ratware.cf
  -rw-r--r-- 1 root root   8193 Jun 30 2005 20_body_tests.cf
  -rw-r--r-- 1 root root   1608 Jun 30 2005 20_compensate.cf
  -rw-r--r-- 1 root root  12078 Jun 30 2005 20_dnsbl_tests.cf
  -rw-r--r-- 1 root root  15695 Jun 30 2005 20_drugs.cf
  -rw-r--r-- 1 root root  11263 Jun 30 2005 20_fake_helo_tests.cf
  -rw-r--r-- 1 root root  27706 Jun 30 2005 20_head_tests.cf
  -rw-r--r-- 1 root root  15482 Jun 30 2005 20_html_tests.cf
  -rw-r--r-- 1 root root  10934 Jun 30 2005 20_meta_tests.cf
  -rw-r--r-- 1 root root  22094 Jun 30 2005 20_phrases.cf
  -rw-r--r-- 1 root root   4961 Jun 30 2005 20_porn.cf
  -rw-r--r-- 1 root root  14134 Jun 30 2005 20_ratware.cf
  -rw-r--r-- 1 root root   5027 Jun 30 2005 20_uri_tests.cf
  -rw-r--r-- 1 root root   2329 Jun 30 2005 23_bayes.cf
  -rw-r--r-- 1 root root   9112 Jun 30 2005 25_body_tests_es.cf
  -rw-r--r-- 1 root root   2733 Jun 30 2005 25_hashcash.cf
  -rw-r--r-- 1 root root   2299 Jun 30 2005 25_spf.cf
  -rw-r--r-- 1 root root   4698 Jun 30 2005 25_uribl.cf
  -rw-r--r-- 1 root root  52288 Jun 30 2005 30_text_de.cf
  -rw-r--r-- 1 root root  40677 Jun 30 2005 30_text_fr.cf
  -rw-r--r-- 1 root root  57934 Jun 30 2005 30_text_nl.cf
  -rw-r--r-- 1 root root  34798 Jun 30 2005 30_text_pl.cf
  -rw-r--r-- 1 root root  29369 Jun 30 2005 50_scores.cf
  -rw-r--r-- 1 root root   6882 Jun 30 2005 60_whitelist.cf
  -rw-r--r-- 1 root root    939 Jun 30 2005 65_debian.cf
  -rw-r--r-- 1 root root 101479 Jun 30 2005 languages
  -rw-r--r-- 1 root root  18944 Jun 30 2005 triplets.txt
  -rw-r--r-- 1 root root   1531 Jun 30 2005 user_prefs.template

This is from top:

  3796 web1p239 15 46764 42m 4252 R 65.2 0.7 144:06.98 spamd

and this is a check of the tcprc use:

  tcprcvbuf481548189607218840243681759 148967

(machine was rebooted this morning)

Is it possible to get more information from spamd about why it's taking so long?

Thanks for any help.

Charlie

--
Charlie Clark
Helmholtzstr. 20
Düsseldorf
D- 40215
Tel: +49-211-938-5360
GSM: +49-178-782-6226
IncrediMail?
has anyone got a good corpus of mail from this mail tool? I hear many anti-image-spam rules have a tendency to FP on its output and I'd like to try to avoid this (where possible). --j.
Re: Is the short circuit plugin available yet?
so short circuiting tflags is only available on the trunk code?

On Nov 7, 2006, at 10:55 PM, Loren Wilton wrote:
>> So today is it possible to simply do a head test and if it indicates unwanted language or whatever to not scan the body?
>
> If by today you mean using the currently unreleased trunk code, yes.
>
>> Is there anything that short circuits body tests once a head test proves positive for certain types of tests?
>
> You misunderstand slightly. All tests, no matter what they are for, can be assigned a priority. The tests with the higher priority (which I believe is actually the lower number) are run before those with lower priority. (Unless they are meta dependencies and the meta test priority forces them earlier. And a few other minor weird cases.)
>
> You can also specify a tflags value for a test that will indicate that it should 'short circuit' all following tests. If this test has a fairly high priority it will run fairly early. If it hits it will stop further tests. It doesn't matter if the test itself is a head test, a body test, or something else.
>
> Loren
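A toy model of the priority-ordered, short-circuiting evaluation Loren describes, added here as an illustration (not SpamAssassin's scheduler and not code from the thread); the rule names, priorities, messages and the "xx" language tag are all constructed:

```python
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Rule:
    name: str
    check: Callable[[dict], bool]       # takes the message dict, returns True on a hit
    score: float
    priority: int = 0                   # lower number runs earlier, per Loren's description
    tflags: set = field(default_factory=set)


def run_rules(rules, msg):
    """Run rules in priority order; a hit on a rule tagged 'shortcircuit' stops
    evaluation, whatever kind of test it is (header, body, ...).
    Returns (total score, names that hit, names that were never evaluated)."""
    ordered = sorted(rules, key=lambda r: r.priority)   # stable sort: ties keep list order
    total, hits = 0.0, []
    for i, rule in enumerate(ordered):
        if not rule.check(msg):
            continue
        hits.append(rule.name)
        total += rule.score
        if "shortcircuit" in rule.tflags:
            return total, hits, [r.name for r in ordered[i + 1:]]
    return total, hits, []


# Constructed rules (hypothetical names, not SA's own rules).
RULES = [
    Rule("BODY_FREE", lambda m: "free" in m["body"].lower(), 1.0),
    Rule("BODY_CLICK", lambda m: "click here" in m["body"].lower(), 2.0),
    # A header test given a high priority (low number) that short-circuits on a hit,
    # so the two body tests above are never run for a message it matches.
    Rule("UNWANTED_LANG", lambda m: m["headers"].get("Content-Language") == "xx",
         3.5, priority=-100, tflags={"shortcircuit"}),
]

# Constructed messages.
MSG_UNWANTED = {"headers": {"Content-Language": "xx"}, "body": "Click here for FREE stuff"}
MSG_NORMAL = {"headers": {"Content-Language": "en"}, "body": "Click here for FREE stuff"}
```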
Re: IncrediMail?
* On 08/11/06 13:57 +, Justin Mason wrote:
| has anyone got a good corpus of mail from this mail tool?
| I hear many anti-image-spam rules have a tendency to FP on its
| output and I'd like to try to avoid this (where possible).

Hmm, I wish I had, but yes, I do agree with the fact that a lot of mail generated from this tool is being classified as spam.

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php
--
Odhiambo Washington [EMAIL PROTECTED]
Wananchi Online Ltd. www.wananchi.com
Tel: +254 20 313985-9 +254 20 313922
GSM: +254 722 743223 +254 733 744121
RE: IncrediMail?
> has anyone got a good corpus of mail from this mail tool?
> I hear many anti-image-spam rules have a tendency to FP on its output and I'd like to try to avoid this (where possible).
> --j.

Yes they do FP. I hate that nasty hunk of bloated junk. I do not have a corpus of it, but I'll try to save any new ones that come in. I'll double check, but I think I wrote my own rules to counter these FPs. Which may be why I don't have any in my traps.

HTH,
Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com
config: could not find site rules directory
My web hosting service is running SA 3.1.6. When I do an sa-learn, I get "config: could not find site rules directory". Anyone know what this is all about? Is there anything that needs to be fixed? Here is an example output from 'ssh':

  [~]# cat newspam | sa-learn --mbox --spam
  config: could not find site rules directory
  Learned tokens from 119 message(s) (122 message(s) examined)

Thanks!
David
Re: IncrediMail?
Justin Mason wrote:
> has anyone got a good corpus of mail from this mail tool?
> I hear many anti-image-spam rules have a tendency to FP on its output and I'd like to try to avoid this (where possible).
> --j.

It may not matter, but if you provide unlimited free tech support as we do, Incredimail is a drag on your staff. Luckily we now only have a few users with Incredimail. We had over a thousand, and we had calls constantly. As an ISP we stopped supporting Incredimail years ago. When it fails to connect, loses mail, smokes a pop box, gets its messages tagged as Spam, we suggest installing Thunderbird and thank them for calling the support line.

DAve

--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
Re: Single *letter* gif spams (ransom-note-style)
On Wed, November 8, 2006 09:52, Quinn Comendant wrote:
> I'm wondering which rules you have that flagged that so well. The same spam message for me scored low:
>   X-Spam-Status: No, score=2.1 required=4.9 tests=BAYES_50, DK_POLICY_SIGNSOME, EXTRA_MPART_TYPE, HTML_MESSAGE, TRACKER_ID autolearn=no version=3.1.7
> I'm using all default rule sets, network tests, bayes, and all plugins enabled except razor.

DK_POLICY_SIGNSOME and not DK_POLICY_TESTING? When will DK_SIGNED then come? And it was not DK_VERIFIED. Change the score on them and you will catch that one.

--
This message was sent using 100% recycled spam mails.
Re: config: could not find site rules directory
rothmail wrote:
> My web hosting service is running SA 3.1.6. When I do an sa-learn, I get "config: could not find site rules directory". Anyone know what this is all about? Is there anything that needs to be fixed? Here is an example output from 'ssh':
>
>   [~]# cat newspam | sa-learn --mbox --spam
>   config: could not find site rules directory
>   Learned tokens from 119 message(s) (122 message(s) examined)
>
> Thanks!
> David

Sounds like SA was looking for /etc/mail/spamassassin or an equivalent substitute, and did not find one.
test
disregard Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
RE: SA filter load: massive increase
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 08, 2006 5:00 AM
To: Garry Glendown
Cc: Matt Kettler; users@spamassassin.apache.org
Subject: Re: SA filter load: massive increase

> Garry Glendown writes:
>> Matt Kettler wrote:
>>> In general I'd take a look at the sizes of the rule files themselves.. Look for ones that are significantly larger than 128k or so.
>>
>> Of those, there are only a few:
>>
>>   -rw-r--r-- 1 root root 384645 Oct 30 2005 70_sare_header.cf
>>   -rw-r--r-- 1 root root 158513 Oct  1 2005 70_sare_obfu.cf
>>
>> Given both are significantly older than the occurrence of the performance decrease, neither should be the cause ... in fact, the only sare-rules that have dates newer than Oct 1st are sare_stocks and sc_top200 ...
>
> for what it's worth, I would suggest an iterative search -- remove all extra rulesets, and re-add them gradually until you spot one or two that are causing the load issues.
>
> --j.

I'm shocked!! As you are a good coder! Why not follow the rule of halves? Take half the rules out; if the problem goes away, it's the other half of the rules; throw half the other rules in, and so on, always cutting in half. Far less time than adding one by one.

Hmm... Theo, go check all of JM's code ;)

--Chris
Using sa-learn on separate systems?
I have a slight problem.. I thought I'd finally start using sa-learn to train the Bayes, the catch is that I have Cyrus and its mailboxes on another server.. I transport the mail via LMTP to Cyrus. So, is there a smooth way to use sa-learn on the remote IMAP folders, or do I have to mount it as a NFS share (or similar) to be able to run it?

--
Anders Norrbring
Norrbring Consulting
Re: Using sa-learn on separate systems?
Anders Norrbring wrote:
> I have a slight problem.. I thought I'd finally start using sa-learn to train the Bayes, the catch is that I have Cyrus and its mailboxes on another server.. I transport the mail via LMTP to Cyrus. So, is there a smooth way to use sa-learn on the remote IMAP folders, or do I have to mount it as a NFS share (or similar) to be able to run it?

Hi,

Check the Wiki for imap sa-learn

Regards,
Rick
Writing a new DNSBL rule
Hi all.

So I've got a DNSBL I want to use with SpamAssassin that wasn't included in the stock install. My question (and there's an alarming lack of anything useful in this area... wiki anyone on the SA site?) is if my syntax and placement are correct for what I've done. In my local.cf file, I've added the following lines: (see the code at http://www.daringone.net/salines.txt - the list bounced this message for spam for some reason with the lines added) It looks like all the other ones, but I'm not entirely sure what everything exactly does in the coding... so I took an educated guess.

Thanks for everyone's input.

- D.J.
Sa_learn and razor-report
Does sa-learn --spam ... feed razor-report if installed? If not, does either feed their stdin message input back to stdout to enable chaining?
RE: IncrediMail?
From: Chris Santerre [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 08, 2006 9:27 AM
To: '[EMAIL PROTECTED]'; users@spamassassin.apache.org
Subject: RE: IncrediMail?

>> has anyone got a good corpus of mail from this mail tool?
>> I hear many anti-image-spam rules have a tendency to FP on its output and I'd like to try to avoid this (where possible).
>> --j.
>
> Yes they do FP. I hate that nasty hunk of bloated junk. I do not have a corpus of it, but I'll try to save any new ones that come in. I'll double check, but I think I wrote my own rules to counter these FPs. Which may be why I don't have any in my traps.
>
> HTH,
> Chris Santerre
> SysAdmin and Spamfighter
> www.rulesemporium.com
> www.uribl.com

Would it be a bad idea to write a rule to give a negative score when the string, META content=IncrediMail is found in the body?

Dylan
Re: Problem with spamd
On Wed, Nov 08, 2006 at 06:38:19PM +0100, Charlie Clark wrote:
>   2006-11-08 17:31:00 [9733] i: debug: refresh: 9733 refresh /home/confixx/web1p2/.spamassassin/bayes.lock
>
> Is this standard behaviour? It seemed okay when the lock is acquired but seems to spend most of its time actually refreshing the lock.

It's ok if it's doing something to the DB, you want the lock refreshed. I'm guessing you're seeing a bayes expiry.

--
Randomly Selected Tagline:
Sorry, not tonight. I have to floss my cat. - Random Turn-down line
Re: Block wrote: spams
On Wed, November 8, 2006 11:38, Hamish Marson wrote:
> One thing I've noticed is the envelope return path... Watching this morning, they all seem to be from 'deborasomething@random.domain'

debora wrote: in subject at the same time?
Re: Problem with spamd
On 08.11.2006 at 18:43 Theo Van Dinter wrote:
> On Wed, Nov 08, 2006 at 06:38:19PM +0100, Charlie Clark wrote:
>>   2006-11-08 17:31:00 [9733] i: debug: refresh: 9733 refresh /home/confixx/web1p2/.spamassassin/bayes.lock
>>
>> Is this standard behaviour? It seemed okay when the lock is acquired but seems to spend most of its time actually refreshing the lock.
>
> It's ok if it's doing something to the DB, you want the lock refreshed. I'm guessing you're seeing a bayes expiry.

Okay, seems to have calmed down now. I wonder if that's related to the fact that I seem to be having problems sending e-mail:

  The address to which the message has not yet been delivered is:
  [EMAIL PROTECTED]
  Delay reason: Connection timed out

Presumably because my buffers have been filled. I've restarted Exim in the hope that will help but I wonder what's causing this in the first place - what is screwing my SMTP server? It really doesn't look like it should be that busy but I don't really know where I should be looking!

Charlie
Re: IncrediMail?
> ...Incredimail is a drag on your staff. Luckily we now only have a few users with Incredimail. We had over a thousand, and we had calls constantly.

Btw, this incredible mailer is also the one which leaves empty lines (TAB only) in the header when it tries to wrap a long header field such as Subject.

Mark
RE: IncrediMail?
On Wed, 8 Nov 2006, Dylan Bouterse wrote:
> Would it be a bad idea to write a rule to give a negative score when the string, META content=IncrediMail is found in the body?

Probably. That's trivial for spammers to forge on an image spam.

--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
False is the idea of utility that sacrifices a thousand real advantages for one imaginary or trifling inconvenience; that would take fire from men because it burns, and water because one may drown in it; that has no remedy for evils except destruction. The laws that forbid the carrying of arms are laws of such a nature. They disarm only those who are neither inclined nor determined to commit crime.
-- Cesare Beccaria, quoted by Thomas Jefferson
---
Re: IncrediMail?
Mark Martinec wrote:
>> ...Incredimail is a drag on your staff. Luckily we now only have a few users with Incredimail. We had over a thousand, and we had calls constantly.
>
> Btw, this incredible mailer is also the one which leaves empty lines (TAB only) in the header when it tries to wrap a long header field such as Subject.
>
> Mark

Yep, among other things it does. I'm not so certain that I would call SA hitting an IncrediMail message as an FP. I guess it depends on your idea of Spam ;^)

DAve
Re: IncrediMail?
On Wed, 8 Nov 2006, DAve wrote:
> Yep, among other things it does. I'm not so certain that I would call SA hitting an IncrediMail message as an FP.

How about calling it a waste of resources? It'd be *much* better to reject IncrediMail at the MTA level using milter-regex et. al. on the User-Agent: header.

--
John Hardin
Help with dumb mistake
Hello to all.

I'm currently running spamassassin-3.0.4-1 on a CentOS 3.8 server, along with sendmail-8.12.11-4.RHEL3.6. I don't want to upgrade either just yet. But, I do want to keep SA default rules up to date. Alas, sa-update doesn't work; it simply doesn't do anything that I can see, and certainly doesn't update default rules. What was my response? To run sa-update on a Debian box with spamassassin-3.1.0a-2 running on it, and copy over the rules to my CentOS box. Now, when I run lint, I get the following:

  [1375] warn: Subroutine Mail::SpamAssassin::Plugin::MIMEHeader::_mimeheader_eval_TVD_FW_GRAPHIC_ID1 redefined at (eval 1715) line 2.
  [1375] warn: Subroutine Mail::SpamAssassin::Plugin::MIMEHeader::_mimeheader_eval_TVD_FW_GRAPHIC_ID2 redefined at (eval 1717) line 2.
  [1375] warn: Subroutine Mail::SpamAssassin::Plugin::MIMEHeader::_mimeheader_eval_TVD_FW_GRAPHIC_NAME_LONG redefined at (eval 1719) line 2.
  [1375] warn: Subroutine Mail::SpamAssassin::Plugin::MIMEHeader::_mimeheader_eval_TVD_FW_GRAPHIC_NAME_MID redefined at (eval 1721) line 2.
  [1375] warn: Subroutine Mail::SpamAssassin::Plugin::MIMEHeader::_mimeheader_eval___GIF_ATTACH redefined at (eval 1723) line 2.
  [1375] warn: Subroutine Mail::SpamAssassin::Plugin::MIMEHeader::_mimeheader_eval___TVD_OUTLOOK_IMG redefined at (eval 1725) line 2.

I think the offender here is the 80_additional.cf rule. When I remove it, no lint barfs. But, I'd like to retain its functionality, if I can. Yes, i r stoopid. Is there any way I can correct this within the context of my current setup?

Thanks.

Dimitri
Re: Single *letter* gif spams (ransom-note-style)
Quinn Comendant wrote:
> I'm wondering which rules you have that flagged that so well. The same spam message for me scored low:
>   X-Spam-Status: No, score=2.1 required=4.9 tests=BAYES_50, DK_POLICY_SIGNSOME, EXTRA_MPART_TYPE, HTML_MESSAGE, TRACKER_ID autolearn=no version=3.1.7
> I'm using all default rule sets, network tests, bayes, and all plugins enabled except razor.

Here's a sample of the lowest scoring ones (10.1). It wouldn't be caught by a default SA install with the low bayes score it got (5.4 is from some SARE rules, 1.0 is from the Outbound Index rep score):

  * 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type=entry
  * 1.1 SPF_FAIL SPF: sender does not match SPF record (fail)
  *     [SPF failed: Please see ...
  * 0.0 HTML_MESSAGE BODY: HTML included in message
  * 1.6 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
  *     [score: 0.5795]
  * 0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
  * 0.9 MY_CID_AND_CLOSING SARE cid and closing
  * 0.7 MY_CID_AND_STYLE SARE cid and style
  * 1.2 MY_CID_ARIAL2_CLOSING SARE cid arial2 closing
  * 1.1 MY_CID_ARIAL_STYLE SARE cid arial2 style
  * 0.7 MY_CID_AND_ARIAL2 SARE CID and Arial2
  * 1.0 SIQ_OI_01 Outbound Index Reputation: http://outboundindex.org/
  *     [SIQ: score: 1 queried: shinbiro.com/85.130.113.8]
  * 0.0 SIQ_OI_IP_01 Outbound Index IP Reputation: http://outboundindex.org/
  *     [SIQ: score: 1 queried: shinbiro.com/85.130.113.8]

Here's a random one with an average (or little less than average) score:

  * 1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type=entry
  * 2.2 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname
  * 1.0 TRACKER_ID BODY: Incorporates a tracking ID number
  * 0.0 HTML_MESSAGE BODY: HTML included in message
  * 4.1 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
  *     [score: 0.]
  * 0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
  * 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
  * 0.9 MY_CID_AND_CLOSING SARE cid and closing
  * 0.7 MY_CID_AND_STYLE SARE cid and style
  * 1.2 MY_CID_ARIAL2_CLOSING SARE cid arial2 closing
  * 1.1 MY_CID_ARIAL_STYLE SARE cid arial2 style
  * 0.7 MY_CID_AND_ARIAL2 SARE CID and Arial2
  * 0.0 SIQ_OI_IP_01 Outbound Index IP Reputation: http://outboundindex.org/
  *     [SIQ: score: 1 queried: vnn.vn/83.34.223.80]
  * 1.5 SIQ_OI_00 Outbound Index Reputation: http://outboundindex.org/
  *     [SIQ: score: 0 queried: vnn.vn/83.34.223.80]

Daryl
Re: IncrediMail?
John D. Hardin writes:
> On Wed, 8 Nov 2006, DAve wrote:
>> Yep, among other things it does. I'm not so certain that I would call SA hitting an IncrediMail message as an FP.
>
> How about calling it a waste of resources? It'd be *much* better to reject IncrediMail at the MTA level using milter-regex et. al. on the User-Agent: header.

Well, *you* could do that. However, if it's solicited, or non-bulk, it's an FP in SpamAssassin terms. See http://wiki.apache.org/spamassassin/Spam

--j.
Re: Writing a new DNSBL rule
D.J. wrote:
> Hi all.
>
> So I've got a DNSBL I want to use with SpamAssassin that wasn't included in the stock install. My question (and there's an alarming lack of anything useful in this area... wiki anyone on the SA site?) is if my syntax and placement are correct for what I've done. In my local.cf file, I've added the following lines: (see the code at http://www.daringone.net/salines.txt - the list bounced this message for spam for some reason with the lines added) It looks like all the other ones, but I'm not entirely sure what everything exactly does in the coding... so I took an educated guess.
>
> Thanks for everyone's input.
>
> - D.J.

Try this instead:

  header   __NEWDNSBL       eval:check_rbl('newdnsbl', 'dnsbl.newdnsbl.com.')
  tflags   __NEWDNSBL       net
  header   RCVD_IN_NEWDNSBL eval:check_rbl_sub('newdnsbl', '127.0.0.2')
  describe RCVD_IN_NEWDNSBL NEWDNSBL: Received via a relay in NEWDNSBL
  tflags   RCVD_IN_NEWDNSBL net
  score    RCVD_IN_NEWDNSBL 1.5

--
Andreas
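What the check_rbl / check_rbl_sub pair above does, modelled in Python as an added illustration (not SpamAssassin's code and not from the thread): the relay address is reversed under the zone, the A record is read, and the sub-rule fires only on the exact 127.0.0.2 answer. It assumes a constructed answer table in place of live DNS and a hypothetical list of networks that should never be queried:

```python
import ipaddress

# Constructed stand-in for DNS: query name -> A records it would return.
# Real check_rbl resolves this name; no answer (NXDOMAIN) means "not listed".
FAKE_DNS = {
    "8.2.0.192.dnsbl.newdnsbl.com.": ["127.0.0.2"],   # listed with the code the sub-rule wants
    "9.2.0.192.dnsbl.newdnsbl.com.": ["127.0.0.3"],   # listed, but with a different return code
}

# Assumed skip list: relay addresses no public list can meaningfully carry.
SKIP_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")]


def dnsbl_query_name(ip, zone):
    """a.b.c.d -> d.c.b.a.<zone>, the name the __NEWDNSBL lookup resolves."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_queryable(ip):
    """False for loopback/RFC1918/link-local relays, which are never worth a lookup."""
    addr = ipaddress.IPv4Address(ip)
    return not any(addr in net for net in SKIP_NETS)


def rbl_answers(ip, zone, resolver=FAKE_DNS):
    """A records for the reversed query, [] when the address is not listed."""
    return resolver.get(dnsbl_query_name(ip, zone), [])


def rcvd_in_newdnsbl(relay_ips, zone="dnsbl.newdnsbl.com.", sub="127.0.0.2",
                     score=1.5, resolver=FAKE_DNS):
    """Mirror the rule pair: __NEWDNSBL queries each relay, and RCVD_IN_NEWDNSBL
    fires once (for `score`) only if some answer equals the sub-test value.
    Returns (score contributed, relays that matched)."""
    hits = [ip for ip in relay_ips
            if is_queryable(ip) and sub in rbl_answers(ip, zone, resolver)]
    return (score if hits else 0.0), hits
```

SpamAssassin itself decides which Received hops count as untrusted relays from trusted_networks; this model takes the relay list as given.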
Re: Block wrote: spams
I've added three procmail rules in the last few days to combat the deluge of these (and other) spams. I figure that these are all passing fads and aren't worth writing SA rules. YMMV, of course, but in my case, the procmail method works best.

  :0
  * ^subject:.*your concert tickets reservation
  .spam.learn/

  :0
  * ^subject:.* here :\)
  .spam.learn/

  :0
  * ^subject:.* wrote:$
  .spam.learn/

I normally don't tweak my .procmailrc for a specific type of spam, but the sheer volume of these three types of spams made it worth it. I've cut the volume of spam that makes it to my inbox and spam folder in half - the rest goes directly into the 'learn' directory, where a cron job runs once an hour to add them to bayes.
Re: IncrediMail?
On Wed, 8 Nov 2006, Justin Mason wrote:
> John D. Hardin writes:
>> On Wed, 8 Nov 2006, DAve wrote:
>>> Yep, among other things it does. I'm not so certain that I would call SA hitting an IncrediMail message as an FP.
>>
>> How about calling it a waste of resources? It'd be *much* better to reject IncrediMail at the MTA level using milter-regex et. al. on the User-Agent: header.
>
> Well, *you* could do that. However, if it's solicited, or non-bulk, it's an FP in SpamAssassin terms. See http://wiki.apache.org/spamassassin/Spam

Humor, folks!

--
John Hardin
Re: Problem with spamd
max-children (set to 1 in this case). Why 1??? How many emails do you receive per day? (or per minute???) Francois Rousseau

2006/11/8, Charlie Clark [EMAIL PROTECTED]: On 08.11.2006 at 18:43 Theo Van Dinter wrote: On Wed, Nov 08, 2006 at 06:38:19PM +0100, Charlie Clark wrote: 2006-11-08 17:31:00 [9733] i: debug: refresh: 9733 refresh /home/confixx/web1p2/.spamassassin/bayes.lock Is this standard behaviour? It seemed okay when the lock is acquired but seems to spend most of its time actually refreshing the lock. It's ok if it's doing something to the DB, you want the lock refreshed. I'm guessing you're seeing a bayes expiry. Okay, seems to have calmed down now. I wonder if that's related to the fact that I seem to be having problems sending e-mail: The address to which the message has not yet been delivered is: [EMAIL PROTECTED] Delay reason: Connection timed out Presumably because my buffers have been filled. I've restarted Exim in the hope that will help but I wonder what's causing this in the first place - what is screwing my SMTP server? It really doesn't look like it should be that busy but I don't really know where I should be looking! Charlie -- Charlie Clark Helmholtzstr. 20 Düsseldorf D-40215 Tel: +49-211-938-5360 GSM: +49-178-782-6226
base64 transfer encoding defeats rules
I just received an email the other day that had MIME headers including:

content-type: text/plain
content-transfer-encoding: base64

and the message was encoded in base64, but to the client, it looks like regular text including a geocities spam message. It was only picked up by the MIME_BASE64_TEXT rule and I have a rule that blocks geocities spam which failed to pick up because the text was all in base64. Is there a way to get rules to pass for both plain and base64 encoded messages? My current rule that failed is like this:

body IPBL_6 /geocities\.com\//i
describe IPBL_6 IPBL: Geocities is spam ...
score IPBL_6 5.5
RE: IncrediMail?
-Original Message- From: John D. Hardin [mailto:[EMAIL PROTECTED]] Sent: Wednesday, November 08, 2006 1:05 PM To: Dylan Bouterse Cc: users@spamassassin.apache.org Subject: RE: IncrediMail? On Wed, 8 Nov 2006, Dylan Bouterse wrote: Would it be a bad idea to write a rule to give a negative score when the string, META content=IncrediMail is found in the body? Probably. That's trivial for spammers to forge on an image spam. It's ok to write the rule, but not ok to post on public list that you did ;) --Chris
Re: Block wrote: spams
One thing I've noticed is the envelope return path... Watching this morning, they all seem to be from 'deborasomething@random.domain' debora wrote: in subject at the same time ? No. (Finally got my first one of these.) Loren
Re: base64 transfer encoding defeats rules
Is there a way to get rules to pass for both plain and base64 encoded messages? There are three stages or so to mail decoding:

1. The raw mail body
2. The body after undoing any compression/encoding (base64)
3. The body after any HTML rendering

'body' rules handle case 3. Both 'full' and 'rawbody' rules handle case 1. Nothing handles case 2. Unfortunately all of the rules that detect HTML trickery have to run at step 2. But because rawbody runs on step 1, there is no way to run HTML-detection rules on an encoded email. I've always considered this a problem, but it seems nobody else does. Loren
Re: base64 transfer encoding defeats rules
On Wed, Nov 08, 2006 at 02:56:26PM -0500, Steven Kiehl wrote: Is there a way to get rules to pass for both plain and base64 encoded messages? SA handles quoted-printable and base64 encodings, so yes, already happens. My current rule that failed is like this: body IPBL_6 /geocities\.com\//i Perhaps you want a uri rule instead? -- Randomly Selected Tagline: Sex is like air; it's not important unless you aren't getting any. - Zen Musings
RE: IncrediMail?
On Wed, November 8, 2006 18:42, Dylan Bouterse wrote: Would it be a bad idea to write a rule to give a negative score when the string, META content=IncrediMail is found in the body? any negative scores will be abused by spammers :( PS: disable html in your mua when posting to maillists -- This message was sent using 100% recycled spam mails.
Re: Problem with spamd
On 08.11.2006 at 20:51 François Rousseau wrote: max-children (set to 1 in this case). Why 1??? That's the default for servers run by this ISP. Do you have a suggestion? How many emails do you receive per day? (or per minute???) Excluding spam it's probably less than 50 per day for all accounts on this server! So there shouldn't ever be a problem. I *think* that the changes I've made today including restarting Exim seem to be working. The problem may have been related to one account getting full and not accepting any new mail but I don't find this particularly convincing for the mail server running out of resources, Charlie -- Charlie Clark Helmholtzstr. 20 Düsseldorf D-40215 Tel: +49-211-938-5360 GSM: +49-178-782-6226
Re: Problem with spamd
On Wed, Nov 08, 2006 at 10:18:53PM +0100, Charlie Clark wrote: How many emails do you receive per day? (or per minute???) Excluding spam it's probably less than 50 per day for all accounts on this server! So there shouldn't ever be a problem. I *think* that the changes I've made today including restarting Exim seem to be working. If you only receive 2-3 messages per hour, just run spamassassin and don't bother with spamc/spamd. Why have another daemon? -- Randomly Selected Tagline: The random quantum fluctuations of my brain are historical accidents that happen to have decided that the concepts of dynamic scoping and lexical scoping are orthogonal and should remain that way. - Larry Wall
RE: Block wrote: spams
We just started getting a ton of these. Is there an SA ruleset that I can grab or do I just have to write my own. Jason -Original Message- From: Loren Wilton [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 08, 2006 3:26 PM To: users@spamassassin.apache.org Subject: Re: Block wrote: spams One thing I've noticed is the envelope return path... Watching this morning, they all seem to be from 'deborasomething@random.domain' debora wrote: in subject at the same time ? No. (Finally got my first one of these.) Loren
Re: IncrediMail?
John D. Hardin wrote: On Wed, 8 Nov 2006, Justin Mason wrote: John D. Hardin writes: On Wed, 8 Nov 2006, DAve wrote: Yep, among other things it does. I'm not so certain that I would call SA hitting an IncrediMail message as an FP. How about calling it a waste of resources? It'd be *much* better to reject IncrediMail at the MTA level using milter-regex et al. on the User-Agent: header. Well, *you* could do that. However, if it's solicited, or non-bulk, it's an FP in SpamAssassin terms. See http://wiki.apache.org/spamassassin/Spam Humor, folks! Thank You!

--
John Hardin KA7OHZ  ICQ#15735746  http://www.impsec.org/~jhardin/

WB9VTB
--
Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.
Re: Problem with spamd
On 08.11.2006 at 22:45 Theo Van Dinter wrote: On Wed, Nov 08, 2006 at 10:18:53PM +0100, Charlie Clark wrote: How many emails do you receive per day? (or per minute???) Excluding spam it's probably less than 50 per day for all accounts on this server! So there shouldn't ever be a problem. I *think* that the changes I've made today including restarting Exim seem to be working. If you only receive 2-3 messages per hour, just run spamassassin and don't bother with spamc/spamd. Why have another daemon? I didn't set this up originally and I generally try and follow the rule of messing with the system as little as possible as it is. That said I've extended the local.cf file which had virtually no directives and am in the process of upgrading from 3.0.3 to 3.1.7. I'm not pleased with my ISP for taking over a week to investigate the initial complaint and me actually using the trouble ticket to annotate the changes I make! Charlie -- Charlie Clark Helmholtzstr. 20 Düsseldorf D-40215 Tel: +49-211-938-5360 GSM: +49-178-782-6226
Re: Block wrote: spams
Write your own:

header LR_WROTE_SUB Subject =~ /\bwrote\b\:/i
describe LR_WROTE_SUB Wrote in Subject
score LR_WROTE_SUB 3.0

Thanks for the members that made them earlier. I just repeat them because they do a nice job at my webserver:

body LR_CSAIL_EVERGLORY /Ever-Glory International/i
describe LR_CSAIL_EVERGLORY Ever-Glory International
score LR_CSAIL_EVERGLORY 1.5

body LR_CSAIL_EGLY_TICKER /\(EGLY\)/
describe LR_CSAIL_EGLY_TICKER Ever-Glory International stock symbol
score LR_CSAIL_EGLY_TICKER 1.5

body LR_CSAIL_EVERGLORY_DISNEY /Ever-Glory and Disney/
describe LR_CSAIL_EVERGLORY_DISNEY Bogus Ever-Glory press release
score LR_CSAIL_EVERGLORY_DISNEY 2.5

header __CSAIL_EGLY_SUBJ Subject =~ /^\S+ here\s+:\)/
meta LR_CSAIL_EGLY_SPAM ( __CSAIL_EGLY_SUBJ LR_CSAIL_EGLY_TICKER )
describe LR_CSAIL_EGLY_SPAM This message really looks like a recent EGLY pump dump scam
score LR_CSAIL_EGLY_SPAM 5.0

Jason Little wrote: We just started getting a ton of these. Is there an SA ruleset that I can grab or do I just have to write my own. Jason -Original Message- From: Loren Wilton [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 08, 2006 3:26 PM To: users@spamassassin.apache.org Subject: Re: Block wrote: spams One thing I've noticed is the envelope return path... Watching this morning, they all seem to be from 'deborasomething@random.domain' debora wrote: in subject at the same time ? No. (Finally got my first one of these.) Loren
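To show how the header, body and meta rules in that post combine into a score (an added example, not SpamAssassin itself and not code from the poster): the rules below are transcribed from the post into a small evaluator, where a name beginning with `__` is a sub-rule that can hit but adds no score of its own, and the meta rule fires only when every sub-rule it names has hit. The meta rule's operator did not survive the archive, so it is assumed here to be an AND (`&&`); the sample messages are constructed, and the body is simplified to the decoded text of the text parts rather than SpamAssassin's rendered body.

```python
"""Added example: a minimal header/body/meta rule evaluator for the rules posted
above. Not SpamAssassin code; messages are constructed for illustration."""
import email
import re
from email import policy

# (name, kind, header, regex, score). Names starting with "__" are sub-rules:
# they may fire, but contribute no score themselves.
RULES = [
    ("LR_WROTE_SUB", "header", "Subject", re.compile(r"\bwrote\b:", re.I), 3.0),
    ("LR_CSAIL_EVERGLORY", "body", None, re.compile(r"Ever-Glory International", re.I), 1.5),
    ("LR_CSAIL_EGLY_TICKER", "body", None, re.compile(r"\(EGLY\)"), 1.5),
    ("LR_CSAIL_EVERGLORY_DISNEY", "body", None, re.compile(r"Ever-Glory and Disney"), 2.5),
    ("__CSAIL_EGLY_SUBJ", "header", "Subject", re.compile(r"^\S+ here\s+:\)"), 0.0),
]
# (name, required sub-rules, score). Assumed to mean "meta X ( A && B )".
META_RULES = [
    ("LR_CSAIL_EGLY_SPAM", ("__CSAIL_EGLY_SUBJ", "LR_CSAIL_EGLY_TICKER"), 5.0),
]


def message_body(msg) -> str:
    """Decoded text of every text/* part; a simplification of SA's rendered body."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")


def evaluate(raw_message: bytes):
    """Return (total score, sorted names of all rules and sub-rules that hit)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = message_body(msg)
    hits = {}
    for name, kind, header, rx, score in RULES:
        target = str(msg.get(header, "")) if kind == "header" else body
        if rx.search(target):
            hits[name] = score
    for name, required, score in META_RULES:   # meta rules run after the others
        if all(r in hits for r in required):
            hits[name] = score
    total = sum(s for n, s in hits.items() if not n.startswith("__"))
    return round(total, 1), sorted(hits)


# Constructed sample messages (not real mail from the list).
WROTE_SPAM = (b"From: debora@example.invalid\r\nSubject: debora wrote:\r\n"
              b"Content-Type: text/plain\r\n\r\nlook at this\r\n")
EGLY_SPAM = (b"From: brenda@example.invalid\r\nSubject: Brenda here :)\r\n"
             b"Content-Type: text/plain\r\n\r\n"
             b"Ever-Glory International (EGLY) is about to move!\r\n")
HAM = (b"From: bob@example.invalid\r\nSubject: Re: lunch\r\n"
       b"Content-Type: text/plain\r\n\r\nNoon works for me.\r\n")

if __name__ == "__main__":
    for sample in (WROTE_SPAM, EGLY_SPAM, HAM):
        print(evaluate(sample))
```

The EGLY message illustrates why the meta rule is worth the extra line: the ticker and company-name body rules alone give 3.0, while the pairing of the ticker with the "Name here :)" subject is what adds the decisive 5.0.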
SA-STATS on BSD
Hi everyone, I've tried on apache and SARE and bsd sites to find the documentation on installing sa-stats. I have found the actual sa-stats.pl but I don't know how to go about installing it on BSD; any guidance would be appreciated. Freebsd 5.4 exim sa 3.1.7 Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
Rule for raw HTML
A few spams have slipped by that contain HTML that is appearing as normal text (due to them not getting something right). For example: and you may have<BR>contempt seemed abundantly increasing with the length of his second speech, and at the end of it he<BR>and the mortification of kitty Is there a rule that will catch HTML like tags that are not in the right MIME type section? I also see this a lot with <A HREF=...> links. Ron
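Both this question and Loren's answer in the base64 thread above turn on which view of a text part a rule sees. The following added example (not code from either thread, and not SpamAssassin's own renderer) builds the three views Loren names for each text part: the raw payload that rawbody/full rules see, the decoded payload with the transfer encoding undone, and a rendered view with HTML tags stripped, which is roughly what body rules see. It then reports which view a regex matches on. The three messages are constructed: a base64 text/plain part carrying a geocities URL (the case in the base64 thread), an HTML part whose URL sits only inside an href, and a text/plain part with literal <BR> tags as in Ron's example. The stand-in renderer only strips tags from text/html; a text/plain part is passed through unchanged, which is why the literal tags in Ron's case remain visible to a rule at every stage.

```python
"""Added example: the raw / decoded / rendered views of a MIME text part.
Not SpamAssassin code; the renderer is a crude stand-in and the messages
are constructed."""
import base64
import email
import re
from email import policy
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Keep text nodes, drop tags; <br> and <p> become line breaks."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("br", "p"):
            self.chunks.append("\n")

    def handle_data(self, data):
        self.chunks.append(data)


def decode_stages(raw_message: bytes):
    """Yield (content_type, raw, decoded, rendered) for each text/* part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=False)  # stage 1: base64/QP still in place
        decoded = part.get_content()          # stage 2: transfer encoding undone
        if part.get_content_subtype() == "html":
            parser = _TextOnly()
            parser.feed(decoded)
            rendered = "".join(parser.chunks)  # stage 3: tags gone, text kept
        else:
            rendered = decoded  # text/plain is not rendered: literal "<BR>" survives
        yield part.get_content_type(), raw, decoded, rendered


def stage_hits(raw_message: bytes, pattern: str) -> dict:
    """For each text part, which of the three stages a case-insensitive regex matches."""
    rx = re.compile(pattern, re.I)
    return {
        ctype: {"raw": bool(rx.search(raw)),
                "decoded": bool(rx.search(decoded)),
                "rendered": bool(rx.search(rendered))}
        for ctype, raw, decoded, rendered in decode_stages(raw_message)
    }


# Constructed samples.
BASE64_TEXT = (
    b"Subject: hi\r\nContent-Type: text/plain; charset=us-ascii\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(b"Visit http://www.geocities.com/example/ today\n") + b"\r\n"
)
HTML_HREF = (
    b"Subject: hi\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n"
    b'<html><body>Visit <a href="http://www.geocities.com/example/">here</a>'
    b"<br>today</body></html>\r\n"
)
LITERAL_TAGS = (
    b"Subject: hi\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"
    b"and you may have<BR>contempt seemed abundantly increasing<BR>and the mortification\r\n"
)

if __name__ == "__main__":
    print(stage_hits(BASE64_TEXT, r"geocities\.com"))
    print(stage_hits(HTML_HREF, r"geocities\.com"))
    print(stage_hits(LITERAL_TAGS, r"<BR>"))
```

Two things fall out of running it: the geocities pattern cannot match the base64 part at the raw stage (the base64 alphabet has no "." at all), only after decoding, which is the behaviour Theo describes for body rules; and in the HTML part the URL lives only in an attribute, so it is gone from the rendered text and a uri rule, as Theo suggests, is the right tool.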
Re: Problem with spamd
On 08.11.2006 at 23:00 Charlie Clark wrote: On 08.11.2006 at 22:45 Theo Van Dinter wrote: On Wed, Nov 08, 2006 at 10:18:53PM +0100, Charlie Clark wrote: How many emails do you receive per day? (or per minute???) Excluding spam it's probably less than 50 per day for all accounts on this server! So there shouldn't ever be a problem. I *think* that the changes I've made today including restarting Exim seem to be working. If you only receive 2-3 messages per hour, just run spamassassin and don't bother with spamc/spamd. Why have another daemon? I didn't set this up originally and I generally try and follow the rule of messing with the system as little as possible as it is. That said I've extended the local.cf file which had virtually no directives and am in the process of upgrading from 3.0.3 to 3.1.7. I'm not pleased with my ISP for taking over a week to investigate the initial complaint and me actually using the trouble ticket to annotate the changes I make! Looks like I'm on top of the resources problem but I am getting 421 delivery errors even though the e-mails are coming through. This looks very similar to bug 3828 (which is Spamassassin + Exim). Except this bug should have been closed a long time ago. The strange thing is these errors never occurred before last week and having just upgraded to 3.1.7 I would hope to have a system including all relevant bug fixes. Of course, as Theo said it might simply be easier to stop using spamd and just call spamassassin but it might also be helpful to track down the problem. Should I jump on the back of the old bug or make a new submission? Charlie -- Charlie Clark Helmholtzstr. 20 Düsseldorf D-40215 Tel: +49-211-938-5360 GSM: +49-178-782-6226
Re: Rule for raw HTML
On 09.11.2006 at 01:18 Ron wrote: A few spams have slipped by that contain HTML that is appearing as normal text (due to them not getting something right). For example: and you may have<BR>contempt seemed abundantly increasing with the length of his second speech, and at the end of it he<BR>and the mortification of kitty Is there a rule that will catch HTML like tags that are not in the right MIME type section? I also see this a lot with <A HREF=...> links. I can't see the need for an extra rule for this as it should be caught by the Bayesian rules after the very briefest of training. That the HTML doesn't display correctly is par for the course for spam which almost by definition does not play by the rules. Charlie -- Charlie Clark Helmholtzstr. 20 Düsseldorf D-40215 Tel: +49-211-938-5360 GSM: +49-178-782-6226
ifspamh
Hi, I am using ifspamh 1.5 with spamassassin and qmail. I guess there might be a bug in this script that lets some emails through which should be treated as spam. Do you know if there is a new version of the script or something I can use instead? Thanks Wojtek
Re: IncrediMail?
On Wed, November 8, 2006 22:53, DAve wrote: John Hardin KA7OHZ WB9VTB how is spam on the radio networking ? :-) -- This message was sent using 100% recycled spam mails.
Re: Problem with spamd
Charlie Clark wrote: Looks like I'm on top of the resources problem but I am getting 421 delivery errors even though the e-mails are coming through. This looks very similar to bug 3828 (which is Spamassassin + Exim). Except this bug should have been closed a long time ago. Without looking at the bug, it sounds like you're saying that Exim temp fails messages when a filter (SA) isn't available to filter the message in time. If that's the case it's sensible for that to happen. The strange thing is these errors never occurred before last week and having just upgraded to 3.1.7 I would hope to have a system including all relevant bug fixes. Of course, as Theo said it might simply be easier to stop using spamd and just call spamassassin but it might also be helpful to track down the problem. Should I jump on the back of the old bug or make a new submission? Have you actually looked into making sure that you're not experiencing an expiry issue (like the expiry being times out and never completed) like Theo inferred you do off the bat? Daryl
sa-update DNS not updated (was: Block wrote: spams)
--On Friday, November 03, 2006 5:43 PM + Justin Mason [EMAIL PROTECTED] wrote: there's a rule that matches them in 3.1.x sa-update, fwiw. I don't see it either. What's the name of the rule? Dates on files in /var/lib/spamassassin are 20061024. I ran sa-update -D and got this at the end:

[7784] dbg: channel: attempting channel updates.spamassassin.org
[7784] dbg: channel: update directory /var/lib/spamassassin/3.001007/updates_spamassassin_org
[7784] dbg: channel: channel cf file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf
[7784] dbg: channel: channel pre file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre
[7784] dbg: channel: metadata version = 431276
[7784] dbg: dns: 7.1.3.updates.spamassassin.org = 431276, parsed as 431276
[7784] dbg: channel: current version is 431276, new version is 431276, skipping channel

Is this new rule supposed to be in 431276? I also tried running the DNS query with dig against a few of the servers for that zone and get the same answer, so it's not my local DNS server caching an old answer. I chased through the update logic and found the update archive here: http://spamassassin.kluge.net/updates/ I see some later updates there, and the wrote rule is in 472539. Is the DNS not getting updated to push these new rules out?
Re: Rule for raw HTML
A few spams have slipped by that contain HTML that is appearing as normal text (due to them not getting something right). For example: and you may have<BR>contempt seemed abundantly increasing with the length of his second speech, and at the end of it he<BR>and the mortification of kitty Is there a rule that will catch HTML like tags that are not in the right MIME type section? I also see this a lot with <A HREF=...> links. Ron I really dislike html in mails - whether in the right mime part or not - but I have seen many legitimate mails that get mime stuff wrong. Of course these are not normal mail clients, but server generated mails like order confirmations, invoices, etc. It even happens to big ISPs :( Wolfgang Hamann
Re: IncrediMail?
On Thu, 9 Nov 2006, Benny Pedersen wrote: On Wed, November 8, 2006 22:53, DAve wrote: John Hardin KA7OHZ WB9VTB how is spam on the radio networking ? :-) {Field Day flashbacks}

--
John Hardin KA7OHZ  ICQ#15735746  http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]  FALaholic #11174  pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
False is the idea of utility that sacrifices a thousand real advantages for one imaginary or trifling inconvenience; that would take fire from men because it burns, and water because one may drown in it; that has no remedy for evils except destruction. The laws that forbid the carrying of arms are laws of such a nature. They disarm only those who are neither inclined nor determined to commit crime. -- Cesare Beccaria, quoted by Thomas Jefferson
---
Re: sa-update DNS not updated
Kenneth Porter wrote: --On Friday, November 03, 2006 5:43 PM + Justin Mason [EMAIL PROTECTED] wrote: there's a rule that matches them in 3.1.x sa-update, fwiw. I don't see it either. What's the name of the rule? I looked at this a few days ago when Theo mentioned it, and forgot to reply, and the rule I believe he was referring to hit on the old wrote: spams but not the current version of them. Daryl
Re: Rule for raw HTML
--On Thursday, November 09, 2006 1:21 AM + [EMAIL PROTECTED] wrote: I really dislike html in mails - whether in the right mime part or not - but I have seen many legitimate mails that get mime stuff wrong. Of course these are not normal mail clients, but server generated mails like order confirmations, invoices, etc. It even happens to big ISPs :( Is there some online Hall of Shame where badly-behaving mail clients can be enumerated and their crimes listed? It would be nice to have some ammo to bring to the PHB's to show why particular clients should be avoided (ie. that they contribute to the spam problem by forcing mail admins to accept broken input). My manufacturing company is very picky about accepting physical inputs from vendors. We should be equally picky about what we accept from them in email.
RE: Rule for raw HTML
-Original Message- From: Kenneth Porter [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 08, 2006 10:06 PM To: users@spamassassin.apache.org Subject: Re: Rule for raw HTML My manufacturing company is very picky about accepting physical inputs from vendors. We should be equally picky about what we accept from them in email. I'll bet a bunch of us could set up a juicy anti-spam system that enforces ALL the rfc's. :-) Might even be fun. (would block fedex, hotmail, microsoft, yahoo, gmail..) and anyone that doesn't follow the rfc's !)
sa-update -D
On a certain box we ran a successful current sa-update. Later on, I went back and ran sa-update -D and in it was this:

[7317] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
[7317] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[7317] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
[7317] dbg: diag: module not installed: Net::Ident ('require' failed)
[7317] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[7317] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)

I was wondering... when this is the case, what is this telling me other than those modules are not installed? Is it telling me that some SA tests are not being run because of the lack of modules and therefore the reflective update configs are not pulled? What else should we know in regards to this? Thanks and kind regards - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
Re: IncrediMail?
There is no such thing as a false positive on Incredimail. I am quite pleased to have it relegated to the spam bucket. {^_-} - Original Message - From: Justin Mason [EMAIL PROTECTED] has anyone got a good corpus of mail from this mail tool? I hear many anti-image-spam rules have a tendency to FP on its output and I'd like to try to avoid this (where possible). --j.
Re: sa-update -D
--On Wednesday, November 08, 2006 8:52 PM -0800 R Lists06 [EMAIL PROTECTED] wrote:

[7317] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
[7317] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[7317] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
[7317] dbg: diag: module not installed: Net::Ident ('require' failed)
[7317] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[7317] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)

I was wondering... when this is the case, what is this telling me other than those modules are not installed? When I initially built SA from source, these missing modules were flagged along with a short explanation of what they're used for (ie. what I'd be missing). I think it was the configure script that reports this.
spamd causing high load
Hi all, I am running SA 3.1.1. I have seen that sometimes spamd processes are using up a lot of CPU. The cpu load goes up very high to ~ 10. I have checked that RAM is not the problem since free shows that memory is still free. I have 1 GB RAM. Another thing is that my AWL file is around 85 MB. I did a du -k and it shows 65036. My bayes_seen file is around 25 MB. I have set auto_expire to 1. There's also a sa-learn --sync that's running hourly. My line is a 64k leased line. I also see that my smtpd connections are also maxing out to 100. Generally this happens when a mailing list starts bombarding my server with mails. These are legit mails as a lot of my users have subscribed to this list. Any suggestions would be welcome. Thanx Anand
Re: spamd causing high load
K Anand wrote: Hi all, I am running SA 3.1.1.

Warning: if you use the -v and -P options to spamd, your version is vulnerable to a remote code exploit. This is not a typical setup, but you should be aware of it. http://wiki.apache.org/spamassassin/Security

I have seen that sometimes spamd processes using up a lot of CPU. The cpu load goes up very high to ~ 10. I have checked that RAM is not the problem since free shows that memory is still free. I have 1 GB RAM. Another thing is that my AWL file is around 85 MB. I did a du -k and it shows 65036. My bayes_seen file is around 25 MB. I have set auto_expire to 1. There's also a sa-learn --sync thats running hourly. My line is a 64k leased line. I also see that my smtpd connections are also maxing out to 100. Generally this happens when a mailing list starts bombarding my server with mails. These are legit mails as a lot of my users have subscribed to this list. Any suggestions would be welcome.

The AWL file won't auto-expire, so you'll need to use the check_whitelist script from the tools directory of the tarball to clean it. It's just a script, and some terse docs are at the top of the file if you open it in an editor. As for the load.. do you have a local caching DNS server? or is your SA box having to always go out over the 64k line to resolve DNS? If it is, install a simple cache on your SA box and change the resolv.conf to use 127.0.0.1 as a DNS server. This should help considerably with latency, which might help a bit with the load. Also, with that much mail coming in at the same time, there could be contention for bayes locks. You might try adding bayes_learn_to_journal 1 to your local.cf, and see if that helps. This will cause learning to be done into a journal file which periodically gets merged into the main bayes DB. This causes the live bayes to be delayed in update until the next sync (once a day or every 100k of bayes data by default), but you can force-sync any manual training runs by running sa-learn --sync afterwards.
Re: spamd causing high load
- Original Message - From: Matt Kettler [EMAIL PROTECTED] K Anand wrote: Hi all, I am running SA 3.1.1. Warning: if you use the -v and -P options to spamd, your version is vulnerable to a remote code exploit. This is not a typical setup, but you should be aware of it.

No, I'm not running -v or -P options. Thanx for the tip.

I have seen that sometimes spamd processes using up a lot of CPU. The cpu load goes up very high to ~ 10. I have checked that RAM is not the problem since free shows that memory is still free. I have 1 GB RAM. Another thing is that my AWL file is around 85 MB. I did a du -k and it shows 65036. My bayes_seen file is around 25 MB. I have set auto_expire to 1. There's also a sa-learn --sync thats running hourly. My line is a 64k leased line. I also see that my smtpd connections are also maxing out to 100. Generally this happens when a mailing list starts bombarding my server with mails. These are legit mails as a lot of my users have subscribed to this list. Any suggestions would be welcome. The AWL file won't auto-expire, so you'll need to use the check_whitelist script from the tools directory of the tarball to clean it. It's just a script, and some terse docs are at the top of the file if you open it in an editor.

I was reading the forums and I saw that this script won't actually lower the file size. Another script was suggested to compact the db.

As for the load.. do you have a local caching DNS server? or is your SA box having to always go out over the 64k line to resolve DNS? If it is, install a simple cache on your SA box and change the resolv.conf to use 127.0.0.1 as a DNS server. This should help considerably with latency, which might help a bit with the load.

I'm not running a local caching DNS server.. But I'm using a DNS server which is on the same LAN as my mail server. So I don't think that's the problem.

Also, with that much mail coming in at the same time, there could be contention for bayes locks. You might try adding bayes_learn_to_journal 1 to your local.cf, and see if that helps. This will cause learning to be done into a journal file which periodically gets merged into the main bayes DB. This causes the live bayes to be delayed in update until the next sync (once a day or every 100k of bayes data by default), but you can force-sync any manual training runs by running sa-learn --sync afterwards.

I don't have bayes_learn_to_journal 1 in my local.cf. But I see a bayes_journal file in the bayes directory. So it must be default behaviour. As I had written, I do sa-learn --sync every hour. Need some more ideas. Thanx.