Re: question re. whitelist_from_rcvd
Miles Fidelman wrote:

Hi, I'm trying to figure out how to whitelist control messages generated by our list manager (Sympa) - which are generated on the localhost and sent to addresses on the localhost. In particular, here's a specific example:

    From: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
    Received: from localhost (localhost.localdomain [127.0.0.1]) by server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Sat, 11 Nov 2006 10:22:18 -0500 (EST)

It's pretty clear that the entry in user_prefs would start with

    whitelist_from_rcvd [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

but what would I use as the domain part?

Actually, no.. it would not start like that... As written the mailto:[EMAIL PROTECTED] would be interpreted as the Received: header check. Try:

    whitelist_from_rcvd [EMAIL PROTECTED] localhost.localdomain
Re: When Bayes goes bad... How to fix?
Bob Proulx wrote:

I am still trying to figure out why Bayes is giving so many false positives.

    0.000          0          3          0  non-token data: bayes db version
    0.000          0     101467          0  non-token data: nspam
    0.000          0      39694          0  non-token data: nham
    0.000          0     181047          0  non-token data: ntokens
    0.000          0 1163102355          0  non-token data: oldest atime
    0.000          0 1163306671          0  non-token data: newest atime
    0.000          0 1163306671          0  non-token data: last journal sync atime
    0.000          0 1163275571          0  non-token data: last expiry atime
    0.000          0     172800          0  non-token data: last expire atime delta
    0.000          0      30379          0  non-token data: last expire reduction count

If I read that right the all of the tokens are from the 9th to the 11th. Is that right?

Dono, sounds about right.. my conversion of atimes sucks, but I can tell you that the span in time from the oldest to the newest is only 2.34 days, which fits your date range.

In that case my suggestion to reduce the time is not going to help. But then why has the Bayes locked on to so many bad tokens? I wish there were some way to debug this.

To start with, Run some of the false messages through spamassassin -D bayes... Should print out the tokens that match, in plaintext, and their probabilities. That should at least let you know what it is your bayes DB has learned that's bad.

If it's not too horrible you might be able to use sa-learn --backup to dump the DB, edit it by hand, and sa-learn --restore it. However, you'd need to find the correct SHA1 of the offending tokens.. not sure if that will be in the debug output.
user_prefs
I am re-submitting this question for help:

I have searched for several hours and can't seem to find the answer to this. I've found close answers, but not complete.

I have SA set up as individual users. When a new user is created SA creates a new user_prefs file for them. This file contains two prefs. required_score 7 and rewrite_header subject SPAM.

I am trying to find out if I can change some prefs so that the new user_prefs file will contain my prefs when it is newly created.

I have changed prefs in user_prefs.template and that didn't make any difference. I assume this template is supposed to be used by SA to create the new user_prefs, but it doesn't seem so.

Where can I add my own prefs so the newly created default user_prefs file is loaded with what I want?

Thanks.

- /etc/mail/spamassassin/user_prefs.template: Default user preferences, for system admins to create, modify, and set defaults for users' preferences files. Takes precedence over the above prefs file, if it exists. Do not put system-wide settings in here; put them in a file in the "/etc/mail/spamassassin" directory ending in ".cf". This file is just a template, which will be copied to a user's home directory for them to change.
- $USER_HOME/.spamassassin/user_prefs: User preferences file. If it does not exist, one of the default prefs file from above will be copied here for the user to edit later, if they wish. Unless you're using spamd, there is no difference in interpretation between the rules file and the preferences file, so users can add new rules for their own use in the "~/.spamassassin/user_prefs" file, if they like. (spamd disables this for security and increased speed.)
Re: user_prefs
twofers wrote:

I am re-submitting this question for help: I have searched for several hours and can't seem to find the answer to this. I've found close answers, but not complete.

I have SA set up as individual users. When a new user is created SA creates a new user_prefs file for them. This file contains two prefs. required_score 7 and rewrite_header subject SPAM.

I am trying to find out if I can change some prefs so that the new user_prefs file will contain my prefs when it is newly created.

I have changed prefs in user_prefs.template and that didn't make any difference. I assume this template is supposed to be used by SA to create the new user_prefs, but it doesn't seem so.

Where can I add my own prefs so the newly created default user_prefs file is loaded with what I want?

I don't know of a spamassassin way but have you thought of putting a line in /etc/skel/.bashrc that copies your user_prefs into their ~/.spamassassin dir when the user is created? This would also update the user_prefs when they log in if you have updated yours.

Generally users won't have access to other users' home dirs so you could copy/link your user_prefs to somewhere like /var/tmp/spam/user_prefs and have an entry such as

    cp -f /var/tmp/spam/user_prefs ~/.spamassassin/

in /etc/skel/.bashrc.

Just an idea.

Nick
large increase in spam after upgrading SA
I just upgraded SA from 3.1.0 to the current 3.1.7 via CPAN and am finding that a huge increase in the amount of spam that's coming in. On the order of almost 10 times the number that leaked into my inbox.

Has anyone else run into this behavior? If so, what can I do? Configurations are unchanged as far as I can tell.

Thanks in advance.

- Hoover Chan [EMAIL PROTECTED] -or- [EMAIL PROTECTED] Eastwind Associates P.O. Box 16646 voice: 415-731-6019 -or- 415-565-8936 San Francisco, CA 94116
Re: large increase in spam after upgrading SA
Hoover Chan wrote:

I just upgraded SA from 3.1.0 to the current 3.1.7 via CPAN and am finding that a huge increase in the amount of spam that's coming in. On the order of almost 10 times the number that leaked into my inbox. Has anyone else run into this behavior? If so, what can I do? Configurations are unchanged as far as I can tell.

I had the same problem, and found out after a while that I had installed SA from RPM initially, then updated via CPAN. That resulted in TWO different versions of perl-SpamAssassin, one in /usr/lib/perl5/vendor_perl and the other in /usr/lib/perl5/site_perl. The one that was read in didn't correspond to the rest of SA and its version, and also didn't have valid rules in /var/lib/spamassassin.

If this is the case for you, delete the old perl module version from your system.

Anders
user_prefs
Thanks Karl and Nick,

Yes, the new account user_prefs is being created (I'm creating it from Plesk BTW) however the new user_prefs seems to be created with default values from I don't know where and not those values in either of the two .template files.

That's my problem in a nut shell. Maybe this isn't a SpamAssassin process and that all new user_prefs files are created with these default values and then it's the admin's or user's job to edit the user_prefs or cp the .template file into /.spamassassin/

That's what I am trying to figure out. It appears to be more manual than automagic. I now think spamassassin creates new user_prefs and does not use the .template files to do so. Then the admin copies the .template file to the user_prefs or either just edits the new user_prefs. Is this a correct assumption?

I'm unique in that I am the sole "creator" for this server and basically for the most part all users are "me". I have a couple of other users, but they do not have access beyond Plesk and FTP. If it's not GUI, they don't have a clue.

Wes
error from sa-learn --dump data
Can someone help me understand what this means? What's broken?

    [EMAIL PROTECTED] .spamassassin]# sa-learn --dump data
    bayes: bayes db version 0 is not able to be used, aborting! at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm line 196.
    bayes: bayes db version 0 is not able to be used, aborting! at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm line 196.
    ERROR: Bayes dump returned an error, please re-run with -D for more information
    [EMAIL PROTECTED] .spamassassin]# spamassassin -V
    SpamAssassin version 3.1.5 running on Perl version 5.8.3

Thanks again.

Wes
CGPSA + MySQL, Userprefs Problems
Hi, I'm having a problem with CGPSA and MySQL Userprefs settings. For the record, this *was* working a few days ago when I was testing to set it up, but somehow it stopped working suddenly. Just in time for me to implement it into a working system.

Well, my problem is that it only reacts on Global settings in the Userprefs database. If I change $GLOBAL required_hits 7 to 8 it follows nicely. But if I add a user or domain rule, it doesn't work.

It may be some clue that my mail server reports this...

    Attempting to load domain configuration for sonic2000.org
    Using root configuration for sonic2000.org domain configuration already loaded, discard_threshold = 25
    Attempting to load user configuration for [EMAIL PROTECTED]
    Using domain configuration for [EMAIL PROTECTED]
    Local address [EMAIL PROTECTED], account name [EMAIL PROTECTED], effective home directory /var/CommuniGate/Settings/SpamAssassin
    Using system default SpamAssassin settings for [EMAIL PROTECTED]
    Processing CGP header line: \n
    Finished processing CGP headers
    Running SpamAssassin with domain sonic2000.org default settings for 1 address
    SQL preferences in use, no state or user home directory
    Identified non-spam (7.1/8.0) for default in 1.9 seconds

What makes me confused is that it now reports for default and not for [EMAIL PROTECTED] as it used to do. The only thing I have done is removing the state directories for SpamAssassin in the CommuniGate folder. (account.web/.spamassassin)

My CGPSA Settings are these...

    cgp_username = cgpsa-spamassassin-cli
    cgp_password = xxx
    use_cli = true
    loop_prevention_header = X-TFF-CGPSA-Filter
    debug = true
    debug_level = 9
    allow_user_prefs = true
    allow_user_state = true
    use_domain_prefs = true
    allow_auto_whitelist = true
    use_cgpsa = true
    use_user_prefs = true
    sql_user_prefs = true
    use_user_state = true
    use_auto_whitelist = true
    sql_auto_whitelist = true

Hopefully someone can point me into the right direction for solving this
Re: Creating a signature of an email
On Sun, 12 Nov 2006 06:38:42 +0100 (CET) Benny Pedersen [EMAIL PROTECTED] wrote:

On Sat, November 11, 2006 20:47, Dirk Bonengel wrote:

The fine thing is that you can use the iXhash plugin along razor, pyzor and dcc. (I don't know if it's possible to use two pyzor servers from within spamassassin, I think if you set up your own server you automatically lose the capability to use the public one).

with more than one ip in pyzor servers list all ip will be queried and reported to, at least it seems so here on my pyzord don't use pyzor discover that will remove your own server could be the same reason it's called servers not server, to my knowledge from pyzor maillist there will be pyzord to pyzord digest exchange in a new version when ready, this will hopefully improve pyzor a lot

-- This message was sent using 100% recycled spam mails.

That's interesting, didn't know that. But that means I still get one test - I can't have different tests/scores for different pyzords? (i.e. score the public one different from the privately run one?)
Re: Running spamc via postfix not as user nobody
On Saturday 11 November 2006 22:49, Michael Scheidell wrote:

What happens with this:

    user=${recipient} argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Does not work. But I found that postfix knows several variables for each incoming mail, one of them being the local user (without domain extension) the mail is being delivered to. This can be used to run spamc as the desired user:

    spamassassin unix - n n - - pipe
      user=nobody argv=/usr/bin/spamc -u $user -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

-- YT, Michael
Re: CGPSA + MySQL, Userprefs Problems
On Sun, 12 Nov 2006 12:59:33 +0100, Magnus Anderson wrote:

Hi, I'm having a problem with CGPSA and MySQL Userprefs settings. For the record, this *was* working a few days ago when I was testing to set it up, but somehow it stopped working suddenly. Just in time for me to implement it into a working system.

Well, my problem is that it only reacts on Global settings in the Userprefs database. If I change $GLOBAL required_hits 7 to 8 it follows nicely. But if I add a user or domain rule, it doesn't work.

It may be some clue that my mail server reports this...

    Attempting to load domain configuration for sonic2000.org
    Using root configuration for sonic2000.org domain configuration already loaded, discard_threshold = 25
    Attempting to load user configuration for [EMAIL PROTECTED]
    Using domain configuration for [EMAIL PROTECTED]
    Local address [EMAIL PROTECTED], account name [EMAIL PROTECTED], effective home directory /var/CommuniGate/Settings/SpamAssassin
    Using system default SpamAssassin settings for [EMAIL PROTECTED]
    Processing CGP header line: \n
    Finished processing CGP headers
    Running SpamAssassin with domain sonic2000.org default settings for 1 address
    SQL preferences in use, no state or user home directory
    Identified non-spam (7.1/8.0) for default in 1.9 seconds

What makes me confused is that it now reports for default and not for [EMAIL PROTECTED] as it used to do. The only thing I have done is removing the state directories for SpamAssassin in the CommuniGate folder. (account.web/.spamassassin)

My CGPSA Settings are these...

    cgp_username = cgpsa-spamassassin-cli
    cgp_password = xxx
    use_cli = true
    loop_prevention_header = X-TFF-CGPSA-Filter
    debug = true
    debug_level = 9
    allow_user_prefs = true
    allow_user_state = true
    use_domain_prefs = true
    allow_auto_whitelist = true
    use_cgpsa = true
    use_user_prefs = true
    sql_user_prefs = true
    use_user_state = true
    use_auto_whitelist = true
    sql_auto_whitelist = true

Hopefully someone can point me into the right direction for solving this

I solved the problem with MySQL And the Userprefs file. If there are no user_prefs file in the account.web/.spamassassin folder the script thinks that the user doesn't have any preferences to load even though the user has preferences in the SQL DB.

To solve this I have to touch an empty file into each users account.web/.spamassassin folder so it thinks it does need to run for that user, and then it reports Identified (spam/non-spam) (score) for [EMAIL PROTECTED] correctly.

This seems like a nasty bug, since there are no documents on this and I was thinking I could remove all these files now when I was using SQL (so it didn't read the wrong settings, like the ones that were once used in these files).

Best Regards, Magnus
Re: question re. whitelist_from_rcvd
Matt Kettler wrote:

Miles Fidelman wrote:

Hi, I'm trying to figure out how to whitelist control messages generated by our list manager (Sympa) - which are generated on the localhost and sent to addresses on the localhost. In particular, here's a specific example:

    From: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
    Received: from localhost (localhost.localdomain [127.0.0.1]) by server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Sat, 11 Nov 2006 10:22:18 -0500 (EST)

It's pretty clear that the entry in user_prefs would start with

    whitelist_from_rcvd [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

hmmm...not sure how that last bit made it into my email, I thought I'd just typed

    whitelist_from_rcvd [EMAIL PROTECTED]

must have to do with typing it at 2:46 in the am, sigh...

but what would I use as the domain part?

Actually, no.. it would not start like that... As written the mailto:[EMAIL PROTECTED] would be interpreted as the Received: header check. Try:

    whitelist_from_rcvd [EMAIL PROTECTED] localhost.localdomain

Thanks! Will do.

Miles
RE: large increase in spam after upgrading SA
I just upgraded SA from 3.1.0 to the current 3.1.7 via CPAN and am finding that a huge increase in the amount of spam that's coming in. On the order of almost 10 times the number that leaked into my inbox. Has anyone else run into this behavior? If so, what can I do? Configurations are unchanged as far as I can tell. Thanks in advance.

I've run CPAN with the wrong umask, which resulted in the .cf files being installed readable only by root. So as root, it installed fine and tested fine... but when it ran for real it only picked up my local.cf rules.

-- Tim Boyer Director Information Systems and Engineering Projects Denman Tire Corporation [EMAIL PROTECTED]
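
The two failure modes reported in the replies to this thread (a second, older Mail::SpamAssassin copy left on the Perl library path, and rule files installed readable only by root) can both be checked from a shell. The script below is an added example, not code from any poster or from SpamAssassin; the function names, the sample tree and the rule file name 20_head_tests.cf are constructed, and it assumes the module declares `$VERSION = "...";` on a single line.

```shell
#!/bin/sh
# Added example: post-upgrade checks for the two problems described in the
# replies. All names below are hypothetical helpers, not SpamAssassin tools.

# sa_module_copies ROOT...
# Print "<version> <path>" for every Mail/SpamAssassin.pm found under the
# given Perl library roots (assumption: $VERSION = "x.yyyzzz"; on one line).
sa_module_copies() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -path '*/Mail/SpamAssassin.pm' 2>/dev/null
    done | LC_ALL=C sort | while IFS= read -r pm; do
        ver=$(sed -n 's/^[[:space:]]*\$VERSION[[:space:]]*=[[:space:]]*"\([0-9.]*\)".*/\1/p' "$pm" | head -n 1)
        printf '%s %s\n' "${ver:-unknown}" "$pm"
    done
}

# sa_distinct_versions ROOT...
# Number of different versions among the copies; more than 1 means the
# installed modules and the rest of the install may not match.
sa_distinct_versions() {
    sa_module_copies "$@" | cut -d' ' -f1 | LC_ALL=C sort -u | wc -l | tr -d ' '
}

# unreadable_rules DIR...
# Print rule/config files without the other-read bit and directories without
# other-read+execute: what a wrong umask during a root install leaves behind.
# This checks permission bits only; it does not test a specific account.
unreadable_rules() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type d ! -perm -005 -print
        find "$dir" -type f \( -name '*.cf' -o -name '*.pre' \) ! -perm -004 -print
    done | LC_ALL=C sort
}

# make_sample_tree: build a constructed tree that reproduces both problems
# and print its path (two module copies, one rule file written with umask 077).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    for flavour in vendor_perl:3.001000 site_perl:3.001007; do
        d="$t/perl5/${flavour%%:*}/5.8.3/Mail"
        mkdir -p "$d"
        printf '%s\n' 'package Mail::SpamAssassin;' \
            "\$VERSION = \"${flavour##*:}\";" '1;' > "$d/SpamAssassin.pm"
    done
    mkdir -p "$t/rules" && chmod 755 "$t/rules"
    ( umask 022; echo '# constructed' > "$t/rules/local.cf" )
    ( umask 077; echo '# constructed' > "$t/rules/20_head_tests.cf" )
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
echo "Module copies:"
sa_module_copies "$tree/perl5"
echo "Distinct versions: $(sa_distinct_versions "$tree/perl5")"
echo "Not readable by non-root users:"
unreadable_rules "$tree/rules"
rm -rf "$tree"
```

On a real host, pass the paths named in the thread, for example `sa_module_copies /usr/lib/perl5` and `unreadable_rules /etc/mail/spamassassin /var/lib/spamassassin`.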
Exim4 / spamd --username question
I'm not clear if I need to run spamd as a specific user or run as root and use spamd -H dir.

This is a single mail server running Debian Stable with the packages listed below. SA configuration is system-wide, that is, there's no user-specific configurations to worry about.

    ii  exim4-daemon-h 4.50-8sarge2   exim MTA (v4) daemon with extended features,
    ii  pyzor          0.4.0+cvs20030 spam-catcher using a collaborative filtering
    ii  razor          2.670-1sarge2  spam-catcher using a collaborative filtering
    ii  spamassassin   3.1.3-0bpo1    Perl-based spam filter using text analysis
    ii  spamc          3.0.3-2sarge1  Client for SpamAssassin spam filtering daemo
    ii  dcc-client     1.2.74-2       Distributed Checksum Clearinghouse - client
    ii  dcc-common     1.2.74-2       Distributed Checksum Clearinghouse - common

If I (should I?) run spamd as, say, user spamd do I have to also setup exim to run spamc as that user? It will it not matter what user is running spamc since spamd can't setuid if not running as root

Also, does the user spamd need a home directory, or can I use -H (or --helper-home-dir) to specify the directory and that will work for any feature that needs to read/write to the disk?

Currently, I have spamd running as root with the following options:

    OPTIONS=--max-children 5 --max-conn-per-child=20

In exim4.conf I have:

    deny message = This message scored $spam_score spam points.
         spam = nobody:true
         condition = ${if {$spam_score_int}{100}{1}{0}}

Now, correct me if I'm wrong. Exim is running spamc as user nobody. spamd is running as root -- so when Exim passes a message to spamc, spamd will setuid to nobody.

The home directory for nobody is /nonexistent:

    $ fgrep nobody /etc/passwd
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

which causes all sorts of complaints in syslog since /nonexistent is, well, nonexistent.

I guess why I'm confused is that the Debian install runs spamd as root, and has the exim config running spamc as nobody with a non-existent home -- which means spamd can't read/write as needed.

I did see that adding dcc created a dcc user in /etc/passwd.

-- Bill Moseley [EMAIL PROTECTED]
New FuzzyOcr Development Release (3.4.x)
Hello all,

for those that are not on the devel-spam Mailing list, I'd like to announce a new development release here. If you are interested, our new website is located at http://fuzzyocr.own-hero.net/

The branch has been tested by me and some other people and seems to be very stable so far. This should be especially interesting for users of 2.3j or 2.3b which want to participate in testing.

Major Changes are:

For users of 2.3j:
- Logging Facility was fixed, you can specify a logfile again without getting the SA debug output into the logfile
- New animated gifs are all deanimated properly now
- No ImageMagick dependency anymore
- Improved Utilities for the hash database a bit
- Ocrad support

For users of 2.3b:
- See http://www.joval.info/proj/FuzzyOcr-2.3j/CHANGES for changes between 2.3b - 2.3j, then read the above changes.

The main reason for this release was to give users a version which also catches recent animated spam types, but also to show that we are still alive ;)

Another major development branch is planned (3.5), it will hopefully be the last release before we release a new version labeled as stable with more features.

The main features which are planned for 3.4 - 3.5 are:
- Splitting FuzzyOcr into multiple .pm files for better maintaining
- Config switches to disable scanning of specific extensions (like tiff... many people don't want this)
- Maximum image size and dimensions in configuration
- autodisable_score also for a minimum score, so messages which are to be considered ham already aren't scanned anymore

If you have more feature requests, ideas, bugs, or anything, please create a ticket on the mentioned website :)

Best regards, Chris
user_prefs / shared bayes database
Well I took this idea and also tried to create a single bayes database but it doesn't seem to be working.

In local.cf I added bayes_path /var/spool/bayes_db/ and bayes_file_mode 0770 and allow_user_rules 1

I also created mkdir /var/spool/bayes_db and chmod 0770 /var/spool/bayes_db

Then I copied a bayes_toks and bayes_seen from a user's /.spamassassin directory into /bayes_db/

That didn't seem to work, so I took one user's /.spamassassin/user_prefs file and added the bayes_path and bayes_file_mode to it but that still didn't seem to make it work.

Can someone tell me what I might be doing wrong? or am I just totally off base?

Thanks.

Karl Auer [EMAIL PROTECTED] wrote:

On Sun, 2006-11-12 at 02:06 -0800, twofers wrote:

I am trying to find out if I can change some prefs so that the new user_prefs file will contain my prefs when it is newly created. I have changed prefs in user_prefs.template and that didn't make any difference. I assume this template is supposed to be used by SA to create the new user_prefs, but it doesn't seem so.

The user_prefs file should be created in ~/.spamassassin/user_prefs. Is it? And if it is, does it contain your templated stuff?

Aside from putting the user-specific config in the right place, spamassassin has to be told to use it. In your site-local spamassassin config file (probably /etc/mail/spamassassin/local.cf) or in a separate .cf file in the same directory as that file, add this line:

    allow_user_rules 1

This is however a bad idea unless you have very trustworthy users. Also note this (from the spamassassin man page):

    Note that it is not currently possible to use "allow_user_rules" to modify an existing system rule from a "user_prefs" file with "spamd".

You saw this mentioned in the user_prefs stuff you quoted:

    [...] users can add new rules for their own use in the "~/.spamassassin/user_prefs" file, if they like. (spamd disables this for security and increased speed.)

Regards, K.

-- Karl Auer ([EMAIL PROTECTED]) +61-2-64957160 (h) http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
Re: Is there a release date for 3.1.8?
The Doctor wrote:

On Sat, Nov 11, 2006 at 06:06:15PM -0600, Stuart Johnston wrote:

Robert Nicholson wrote:

When will the Shortcircuit feature be made available in a release?

The Shortcircuit plugin should be available in 3.2.0. Recent messages have suggested that this might be released before January.

Is a beta available?

Spamassassin doesn't really do betas. You can download the current development trunk either as a snapshot tarball or directly from svn:

http://cvs.apache.org/snapshots/spamassassin/
http://wiki.apache.org/spamassassin/DownloadFromSvn
Re: Is there a release date for 3.1.8?
Are the configuration files backward compatible? If I add short circuit entries to my config file will that file only work with the trunk code? ie. are unrecognised configuration directives simply ignored?

I want to try the trunk code and I can setup some symlinks for the perl modules but I want to know if I have to have a separate version specific configuration also. likewise I assume bayes hasn't changed?

so in short I want to use some symlinks to try the trunk code and I want to know what has to be version specific and what does not. Probably safer to assume everything is version specific.

On Nov 12, 2006, at 11:28 AM, Stuart Johnston wrote:

The Doctor wrote:

On Sat, Nov 11, 2006 at 06:06:15PM -0600, Stuart Johnston wrote:

Robert Nicholson wrote:

When will the Shortcircuit feature be made available in a release?

The Shortcircuit plugin should be available in 3.2.0. Recent messages have suggested that this might be released before January.

Is a beta available?

Spamassassin doesn't really do betas. You can download the current development trunk either as a snapshot tarball or directly from svn:

http://cvs.apache.org/snapshots/spamassassin/
http://wiki.apache.org/spamassassin/DownloadFromSvn
Re: Is there a release date for 3.1.8?
Also since the Changes file doesn't appear to have been updated in a long while how can I learn the differences b/w each release/trunk code?

On Nov 12, 2006, at 11:28 AM, Stuart Johnston wrote:

The Doctor wrote:

On Sat, Nov 11, 2006 at 06:06:15PM -0600, Stuart Johnston wrote:

Robert Nicholson wrote:

When will the Shortcircuit feature be made available in a release?

The Shortcircuit plugin should be available in 3.2.0. Recent messages have suggested that this might be released before January.

Is a beta available?

Spamassassin doesn't really do betas. You can download the current development trunk either as a snapshot tarball or directly from svn:

http://cvs.apache.org/snapshots/spamassassin/
http://wiki.apache.org/spamassassin/DownloadFromSvn
Re: Exim4 / spamd --username question
Exim does not actually run spamc, it connects directly to spamd. spamd does run as root. Exim can connect as nobody depending on your configuration. Generally though, you want to have a writable home directory so it is easiest to create a user for this purpose that Exim can connect as.

Bill Moseley wrote:

I'm not clear if I need to run spamd as a specific user or run as root and use spamd -H dir.

This is a single mail server running Debian Stable with the packages listed below. SA configuration is system-wide, that is, there's no user-specific configurations to worry about.

    ii  exim4-daemon-h 4.50-8sarge2   exim MTA (v4) daemon with extended features,
    ii  pyzor          0.4.0+cvs20030 spam-catcher using a collaborative filtering
    ii  razor          2.670-1sarge2  spam-catcher using a collaborative filtering
    ii  spamassassin   3.1.3-0bpo1    Perl-based spam filter using text analysis
    ii  spamc          3.0.3-2sarge1  Client for SpamAssassin spam filtering daemo
    ii  dcc-client     1.2.74-2       Distributed Checksum Clearinghouse - client
    ii  dcc-common     1.2.74-2       Distributed Checksum Clearinghouse - common

If I (should I?) run spamd as, say, user spamd do I have to also setup exim to run spamc as that user? It will it not matter what user is running spamc since spamd can't setuid if not running as root

Also, does the user spamd need a home directory, or can I use -H (or --helper-home-dir) to specify the directory and that will work for any feature that needs to read/write to the disk?

Currently, I have spamd running as root with the following options:

    OPTIONS=--max-children 5 --max-conn-per-child=20

In exim4.conf I have:

    deny message = This message scored $spam_score spam points.
         spam = nobody:true
         condition = ${if {$spam_score_int}{100}{1}{0}}

Now, correct me if I'm wrong. Exim is running spamc as user nobody. spamd is running as root -- so when Exim passes a message to spamc, spamd will setuid to nobody.

The home directory for nobody is /nonexistent:

    $ fgrep nobody /etc/passwd
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

which causes all sorts of complaints in syslog since /nonexistent is, well, nonexistent.

I guess why I'm confused is that the Debian install runs spamd as root, and has the exim config running spamc as nobody with a non-existent home -- which means spamd can't read/write as needed.

I did see that adding dcc created a dcc user in /etc/passwd.
SpamAssassin in Mac OSX Server?
Is anybody using SpamAssassin in conjunction with OSX Server 10.4 and is it simple to simply upgrade the SA release independent of what ships with OSX Server and keep all the GUI configuration working?
Re: Is there a release date for 3.1.8?
If you want to try the trunk version, I would suggest you keep it on a separate server.

Robert Nicholson wrote:

Are the configuration files backward compatible? If I add short circuit entries to my config file will that file only work with the trunk code? ie. are unrecognised configuration directives simply ignored?

I want to try the trunk code and I can setup some symlinks for the perl modules but I want to know if I have to have a separate version specific configuration also. likewise I assume bayes hasn't changed?

so in short I want to use some symlinks to try the trunk code and I want to know what has to be version specific and what does not. Probably safer to assume everything is version specific.

On Nov 12, 2006, at 11:28 AM, Stuart Johnston wrote:

The Doctor wrote:

On Sat, Nov 11, 2006 at 06:06:15PM -0600, Stuart Johnston wrote:

Robert Nicholson wrote:

When will the Shortcircuit feature be made available in a release?

The Shortcircuit plugin should be available in 3.2.0. Recent messages have suggested that this might be released before January.

Is a beta available?

Spamassassin doesn't really do betas. You can download the current development trunk either as a snapshot tarball or directly from svn:

http://cvs.apache.org/snapshots/spamassassin/
http://wiki.apache.org/spamassassin/DownloadFromSvn
Re: Is there a release date for 3.1.8?
You could browse the messages on the dev list or the commit logs from svn.

Robert Nicholson wrote:

Also since the Changes file doesn't appear to have been updated in a long while how can I learn the differences b/w each release/trunk code?

On Nov 12, 2006, at 11:28 AM, Stuart Johnston wrote:

The Doctor wrote:

On Sat, Nov 11, 2006 at 06:06:15PM -0600, Stuart Johnston wrote:

Robert Nicholson wrote:

When will the Shortcircuit feature be made available in a release?

The Shortcircuit plugin should be available in 3.2.0. Recent messages have suggested that this might be released before January.

Is a beta available?

Spamassassin doesn't really do betas. You can download the current development trunk either as a snapshot tarball or directly from svn:

http://cvs.apache.org/snapshots/spamassassin/
http://wiki.apache.org/spamassassin/DownloadFromSvn
Re: When Bayes goes bad... How to fix?
Matt Kettler wrote: Bob Proulx wrote: I am still trying to figure out why Bayes is giving so many false positives.

It is really starting to perform badly. I am about to the point of resetting the database. But then I expect that it will trip into the current state again. So I am trying to avoid doing that and trying to debug why it has gone sour.

If I read that right all of the tokens are from the 9th to the 11th. Is that right?

Dono, sounds about right.. my conversion of atimes sucks, but I can tell you that the span in time from the oldest to the newest is only 2.34 days, which fits your date range.

Thanks for the confirmation. I had not realized that bayes tracked such a short period of time. Wow.

Hint: Here is an easy way to convert from seconds to human readable times. The first is using GNU coreutils date which should work for many versions for a long time. The second one relies upon a new feature in 5.3.0 and later versions of GNU date.

  date -R -d '1970-01-01 UTC 1163102355 seconds'
  Thu, 09 Nov 2006 12:59:15 -0700
  date -R -d @1163306671  # requires date >=5.3.0
  Sat, 11 Nov 2006 21:44:31 -0700

To start with, Run some of the false messages through spamassassin -D bayes... Should print out the tokens that match, in plaintext, and their probabilities.

Yes. I included that in my original posting. I will repeat here for some specific questions.

  [15528] dbg: bayes: token 'H*c:multipart' = 0.864700569756485
  [15528] dbg: bayes: token 'H*c:alternative' = 0.994304725802302
  [15528] dbg: bayes: token 'H*c:HHH' = 0.992454564805099
  [15528] dbg: bayes: token 'H*c:NHxtPHrt' = 0.991016151567721
  [15528] dbg: bayes: token 'H*c:' = 0.985263624445525
  [15528] dbg: bayes: token 'H*c:' = 0.983903973265669
  [15528] dbg: bayes: token 'H*r:8.13.5' = 0.958

I am guessing that H*c is a header and some specific token. Is there a key somewhere that will help decode these?

  [15528] dbg: bayes: token 'H*MI:OEA0023' = 0.985096774193548
  [15528] dbg: bayes: token 'H*M:OEA0023' = 0.985096774193548
  [15528] dbg: bayes: token 'H*UA:Express' = 0.985060557114832
  [15528] dbg: bayes: token 'H*x:Express' = 0.985059973253254
  [15528] dbg: bayes: token 'HX-MimeOLE:V6.00.2900.2962' = 0.976898908840907
  [15528] dbg: bayes: token 'HX-MimeOLE:MimeOLE' = 0.976313886128059
  [15528] dbg: bayes: token 'HX-MSMail-Priority:Normal' = 0.974305670960733
  [15528] dbg: bayes: token 'HX-MimeOLE:Microsoft' = 0.959224439139177
  [15528] dbg: bayes: token 'HX-MimeOLE:Produced' = 0.959178732453666

It has really learned outlook as a spam source. But there should be plenty of valid messages to have offset these. I keep running sa-learn --ham on all valid messages hoping that it would offset the spam ones. As you can see from the numbers there are 150,000 messages and apparently all in the last 2.34 days too. (But that does not quite make sense to me either.)

  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:lists.example.com' = 0.950917490471412
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:sk:monty-p' = 0.95091594711816
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:199.232.76.173' = 0.95091594711816
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:envfrom' = 0.950880625609595
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:auth' = 0.950880625609595
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:helo' = 0.950880625609595
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:intl' = 0.950880625609595
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:ident' = 0.950880625609595
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:rdns' = 0.950880625609595

It seems to have learned one of the trusted_network machines as a spam relay. Hmm... That seems like a bug.

  [8683] dbg: received-header: relay 199.232.76.173 trusted? yes internal? yes

That should at least let you know what it is your bayes DB has learned that's bad. If it's not too horrible you might be able to use sa-learn --backup to dump the DB, edit it by hand, and sa-learn --restore it.

Hmm... That is an idea. A good suggestion. Of course everything has been hashed so I would need to reverse engineer them back to something meaningful but should be possible with a message to test against. I think the bayes is learning things from the mime structure that it should not be learning such as multipart/alternative. Is there a way to whitelist tokens so that it does not show up in the bayes at all?

However, you'd need to find the correct SHA1 of the offending tokens.. not sure if that will be in the debug output.

Yes. Correlating one to the other is going to be a pain. Thanks for the suggestions.

Bob
Re: spamassassin stuck in local mode
David Cottle wrote: I am using spamassassin 3.1.6 It's working fine except I can't get DCC, Pyzor, Razor 2 and spamcop tests to work, when I lint the rules it just complains it's in local mode.

Run a test message through with debugging turned on.

  | spamassassin -d -t -D 2>&1 | less

Then look for something like these lines.

  [16563] dbg: dns: is Net::DNS::Resolver available? yes
  [16563] dbg: dns: Net::DNS version: 0.48
  [16563] dbg: pyzor: network tests on, attempting Pyzor

Look in /etc/spamassassin/*.pre and verify that the plugins that you wish to be enabled are enabled. Some such as DCC are not open and so are commented out by default.

Here is my --lint dump, you will see all the 'local tests only, skipping xx'

Running --lint is always in local mode. It is a passive check of rule syntax and not an active check of networking.

Bob
Re: spam that only hits the BAYES_99 rule
Matt Kettler wrote: Tom H wrote: Hi, I was getting hit by a great deal of spam that only hits the BAYES_99 I would be grateful for any ideas on this... Sounds like the message contains a URI that is now listed in many of the SURBL and URIBL lists. It may be that this got listed after you got the spam, but do you have network tests enabled? There is a url in the domain that definitely hits some of the URIBLs (results from the SURBL+ Checker on rulesemporium ) * RBL: skipping uri lookups on ip-based RBLs * URIBL: multi.surbl.org: *listed* [Blocked, madesucxxxntiondetunhadesu.com on lists [ab][jp][ob][sc][ws], See: http://www.surbl.org/lists.html] * URIBL: multi.uribl.com: *listed* [Blacklisted, see http://lookup.uribl.com/?domain=madesuntioxxxndetunxxxhadesu.com http://lookup.uribl.com/?domain=madesuntiondetunhadesu.com] However I don't seem to get any score for those, even though spamassassin is clearly running the network tests, as I can see from the debug output; [EMAIL PROTECTED] ~]# spamassassin -t -D -p /etc/mail/sa-mimedefang.cf /usr/share/doc/spamassassin-3.1.4/sample-spam.txt snip [27826] dbg: uridnsbl: domains to query: [27826] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl [27826] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted [27826] dbg: dns: checking RBL combined.njabl.org., set njabl-lastexternal [27826] dbg: dns: checking RBL combined.njabl.org., set njabl [27826] dbg: dns: checking RBL bl.spamcop.net., set spamcop [27826] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal [27826] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs [27826] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-lastexternal [27826] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted [27826] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois [27826] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal [27826] dbg: dns: checking RBL sa-trusted.bondedsender.org., set 
bsp-firsttrusted [27826] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-lastexternal [27826] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted snip

Content analysis details: (999.9 points, 4.5 required)

   pts rule name              description
  ---- ---------------------- --------------------------------------------------
  -0.0 NO_RELAYS              Informational: message was not relayed via SMTP
  1000 GTUBE                  BODY: Generic Test for Unsolicited Bulk Email
  -0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                              [score: 0.2288]
  -0.0 NO_RECEIVED            Informational: message has no Received headers
   0.1 AWL                    AWL: From: address is in the auto white-list

my sa-defang.cf is ;

  required_hits 4.5
  ok_locales en
  rewrite_subject 1
  # report_header 1
  # use_terse_report 0
  # defang_mime 0
  # skip_rbl_checks 0
  #Enable bayes
  auto_learn 1
  use_bayes 1
  bayes_path /var/spool/MIMEDefang/.spamassassin/bayes
  bayes_file_mode 0666
Re: error from sa-learn --dump data
twofers wrote: [22325] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks [22325] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen [22325] dbg: bayes: found bayes db version 0 bayes: bayes db version 0 is not able to be used, aborting! at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm line 196. [22325] dbg: config: score set 1 chosen. [22325] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_toks [22325] dbg: bayes: tie-ing to DB file R/O /root/.spamassassin/bayes_seen [22325] dbg: bayes: found bayes db version 0 bayes: bayes db version 0 is not able to be used, aborting! at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm line 196. [EMAIL PROTECTED] .spamassassin]# sa-learn --dump data bayes: bayes db version 0 is not able to be used, aborting! at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm line 196. bayes: bayes db version 0 is not able to be used, aborting! at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm line 196. ERROR: Bayes dump returned an error, please re-run with -D for more information The perl db code is not able to use those files (unable to tie those to a perl hash data structure) and is reporting errors. What is the output of these commands? ls -l /root/.spamassassin/bayes_toks /root/.spamassassin/bayes_seen If those exist then what information does 'file' report about them? file /root/.spamassassin/bayes_toks /root/.spamassassin/bayes_seen Bob
RE: Exim4 / spamd --username question
-Original Message- From: Stuart Johnston [mailto:[EMAIL PROTECTED] Sent: zondag 12 november 2006 18:35 To: users@spamassassin.apache.org Subject: Re: Exim4 / spamd --username question Exim does not actually run spamc, it connects directly to spamd. Slightly OT, I guess; but is there actually a documented way of calling the appropriate Perl module, without using spamc? Thanks, - Mark
Re: question re. whitelist_from_rcvd
Matt Kettler wrote: Miles Fidelman wrote: Hi, I'm trying to figure out how to whitelist control messages generated by our list manager (Sympa) - which are generated on the localhost and sent to addresses on the localhost. In particular, here's a specific example: *From: * [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] *Received: * from localhost (localhost.localdomain [127.0.0.1]) by server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Sat, 11 Nov 2006 10:22:18 -0500 (EST) It's pretty clear that the entry in user_prefs would start with whitelist_from_rcvd [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] but what would I use as the domain part? Actually, no.. it would not start like that... As written the mailto:[EMAIL PROTECTED] would be interpreted as the Received: header check. Try: whitelist_from_rcvd [EMAIL PROTECTED] localhost.localdomain Well that doesn't seem to work. I also tried whitelist_from_rcvd [EMAIL PROTECTED] server1.neighborhoods.net whitelist_from_rcvd [EMAIL PROTECTED] 127.0.0.1 I think the problem is that the reverse lookups don't match in any of these combinations (look closely at the headers): *From: * [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] *Subject: * SPAM*** Message diffusion* *Date: * November 11, 2006 10:22:05 AM EST *To: * [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] *Return-Path: * [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] *X-Original-To: * [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] *Delivered-To: * [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] *Received: * from localhost (localhost.localdomain [127.0.0.1]) by server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Sat, 11 Nov 2006 10:22:18 -0500 (EST) *Received: * from server1.neighborhoods.net ([127.0.0.1]) by localhost (server1 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31180-01-2 for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Sat, 11 Nov 2006 10:22:12 -0500 (EST) *Received: 
* by server1.neighborhoods.net (Postfix, from userid 114) id 1A9BFB6C2F6; Sat, 11 Nov 2006 10:22:05 -0500 (EST) Any thoughts on other ways to whitelist locally originated messages from a single address ([EMAIL PROTECTED]) without just opening up the world to spammers by using a simple whitelist_from command? Thanks again, Miles
Re: Exim4 / spamd --username question
On Sun, Nov 12, 2006 at 11:41:34AM -0600, Stuart Johnston wrote: Exim does not actually run spamc, it connects directly to spamd. spamd does run as root. Exim can connect as nobody depending on your configuration. Generally though, you want to have a writable home directory so it is easiest to create a user for this purpose that Exim can connect as.

I wondered if Exim didn't connect directly to spamd. You say spamd does run as root, but I was asking about it not running as root. So, I created a user spamd:

  # adduser --disabled-login spamd

And added the --username=spamd to spamd startup:

  # ps aux | grep spamd
  root     21086 36.8 21.7 115400 111960 ?  Ss  10:53  0:05 /usr/sbin/spamd --max-children 5 --max-conn-per-child=20 --username=spamd -d --pidfile=/home/spamd/spamd.pid
  spamd    21092  0.0 21.7 115400 111968 ?  S   10:54  0:00 spamd child
  spamd    21093  0.5 21.7 115400 111968 ?  S   10:54  0:00 spamd child

I updated my Exim config to use spamd as the user:

  deny message = This message scored $spam_score spam points.
       spam = spamd:true
       condition = ${if >{$spam_score_int}{100}{1}{0}}

Now all is happy, it seems. Well, except dccproc complains about Address family not supported. cdcc 'IPv6 off' seems to have fixed that for now. Just not sure how to make it permanent.

-- Bill Moseley [EMAIL PROTECTED]
Re: Is there a release date for 3.1.8?
Well I invoke SA from a perlscript via .qmail so theoretically I can install another version in another directory under PERL5LIB but I need to make sure bayes and all config is separate from my existing version. On Nov 12, 2006, at 11:47 AM, Stuart Johnston wrote: If you want to try the trunk version, I would suggest you keep it on a separate server. Robert Nicholson wrote: Are the configuration files backward compatible? If I add short circuit entries to my config file will that file only work with the trunk code? ie. are unrecognised configuration directives simply ignored? I want to try the trunk code and I can setup some symlinks for the perl modules but I want to know if I have to have a separate version specific configuration also. likewise I assume bayes hasn't changed? so in short I want to use some symlinks to try the trunk code and I want to know what has to be version specific and what does not. Probably safer to assume everything is version specific. On Nov 12, 2006, at 11:28 AM, Stuart Johnston wrote: The Doctor wrote: On Sat, Nov 11, 2006 at 06:06:15PM -0600, Stuart Johnston wrote: Robert Nicholson wrote: When will the Shortcircuit feature be made available in a release? The Shortcircuit plugin should be available in 3.2.0. Recent messages have suggested that this might be released before January. Is a beta available? Spamassassin doesn't really do betas. You can download the current development trunk either as a snapshot tarball or directly from svn: http://cvs.apache.org/snapshots/spamassassin/ http://wiki.apache.org/spamassassin/DownloadFromSvn
Re: Creating a signature of an email
On Sun, November 12, 2006 13:26, Dirk Bonengel wrote: That's interesting, didn't know that.

that's what maillists are for imho :-)

But that means I still get one test

yes from spamassassin it will be one test to 2 pyzord servers

I can't have different tests/scores for different pyzords ?

the plugin needs to be rewritten for this so, still waiting for new pyzord here, so far i just use 0.4.0-r2 on gentoo where the pyzord is not installed, but i managed to make this myself and have upstream gentoo developers follow me :-)

(i.e. score the public one different from the privately run one?)

could be useful yes, but for now this is not possible, you can make a meta rule to simulate something for this

-- This message was sent using 100% recycled spam mails.
Mail::SpamAssassin::Plugin and Mail::SpamAssassin::Conf
So, Mail::SpamAssassin::Plugin says, in the doc section for parse_config, that I should store my config data in a Mail::SpamAssassin::Conf object (and that the one I should use is both passed into the options for parse_config and can be accessed as $plugin->{main}->{conf}).

But, Mail::SpamAssassin::Conf's perldoc page is not at all oriented around a programming API approach, so I have no idea how to treat that object. What I've done for my next release of RelayChecker is treat it just like a hash.

  $self->{main}->{conf}->{mysetting} = $value

Is that correct, or not? Or should I be accessing this object as ... well ... an object (ie. via methods, instead of directly accessing its data). If that's the case, which perldoc page explains the conf object's methods and such?
First time sa-update gotcha questions
Hello All! So I'm thinking about trying sa-update. My rules are in /etc/mail/spamassassin. Are there any gotchas or things I need to be wary of before I plunge ahead? Just curious as I see a lot of traffic on this topic in here. Thanks. James
Re: Mail::SpamAssassin::Plugin and Mail::SpamAssassin::Conf
John Rudd writes: So, Mail::SpamAssassin::Plugin says, in the doc section for parse_config, that I should store my config data in a Mail::SpamAssassin::Conf object (and that the one I should use is both passed into the options for parse_config and can be accessed as $plugin->{main}->{conf}). But, Mail::SpamAssassin::Conf's perldoc page is not at all oriented around a programming API approach, so I have no idea how to treat that object. What I've done for my next release of RelayChecker is treat it just like a hash.

  $self->{main}->{conf}->{mysetting} = $value

Is that correct, or not?

yep, that's correct.

Or should I be accessing this object as ... well ... an object (ie. via methods, instead of directly accessing its data). If that's the case, which perldoc page explains the conf object's methods and such?

Your best bet is to read, and copy, the other plugins ;)

--j.
Re: Running spamc via postfix not as user nobody
Michael Frotscher wrote: On Saturday 11 November 2006 22:49, Michael Scheidell wrote: What happens with this:

  user=${recipient} argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

Does not work.

are you after user=${user}

But I found that postfix knows several variables for each incoming mail, one of them being the local user (without domain extension) the mail is being delivered to. This can be used to run spamc as the desired user:

  spamassassin unix  -  n  n  -  -  pipe
    user=nobody argv=/usr/bin/spamc -u $user -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

He can indeed use the obsolete form. In both cases, he must have resolved his aliases so that $user is a real account. In particular, he should use virtual aliases instead of local aliases, and he must enable alias expansion before the filter, not after the filter as is usually done.

If he is delivering mail to local accounts, it is probably better to run spamc from procmail|maildrop... If he is forwarding mail, he can still cheat by delivering it locally (he already has the accounts on the machine), then forwarding it using address rewrite tricks or using multiple instances of postfix. but all this is more appropriate on the postfix ML.
Re: question re. whitelist_from_rcvd
Miles Fidelman wrote:

Do you *really* need to pass locally generated mail through Spamassassin? Most likely not.

*Received: * from localhost (localhost.localdomain [127.0.0.1]) by server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Sat, 11 Nov 2006 10:22:18 -0500 (EST)
*Received: * from server1.neighborhoods.net ([127.0.0.1]) by localhost (server1 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31180-01-2 for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Sat, 11 Nov 2006 10:22:12 -0500 (EST)
*Received: * by server1.neighborhoods.net (Postfix, from userid 114) id 1A9BFB6C2F6; Sat, 11 Nov 2006 10:22:05 -0500 (EST)

Any thoughts on other ways to whitelist locally originated messages from a single address ([EMAIL PROTECTED]) without just opening up the world to spammers by using a simple whitelist_from command?

Looking at the Received: headers it looks as if you're running a mostly regular Postfix/Amavis setup, ie Postfix forwards to Amavis which in turn forwards it to Postfix. You can tell Postfix which content filters it should use depending on where mail comes from. Since the mail in question is generated locally (from userid 114), you can tell Postfix not to use the content filter in the pickup process:

  +-- /etc/postfix/master.cf --
  | pickup    fifo  n       -       -       60      1       pickup
  |     -o content_filter=
  +-- --

See [1] for a more complete example.

-- Matthias

[1] http://matthias.leisi.net/archives/120-Unblocking-an-EICAR-with-PostfixAmavisClamAV.html
Re: question re. whitelist_from_rcvd
Not as easily done as said.

Matthias Leisi wrote: Miles Fidelman wrote:

Do you *really* need to pass locally generated mail through Spamassassin? Most likely not.

I prefer to, since I have a number of users who use my machine as their SMTP route to the world - and you never know when a desktop machine can pick up a virus or trojan. Since I run a number of email lists, I like to have multiple lines of defense to keep spam and viruses from getting to lists. Beyond the obvious reason, it also reduces the likelihood of getting listed in blocklists. Hence I need something more fine-grained than eliminating filters from all locally generated mail.

*Received: * from localhost (localhost.localdomain [127.0.0.1]) by server1.neighborhoods.net (Postfix) with ESMTP id 5CDE2B6C2F0 for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Sat, 11 Nov 2006 10:22:18 -0500 (EST)
*Received: * from server1.neighborhoods.net ([127.0.0.1]) by localhost (server1 [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31180-01-2 for [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]; Sat, 11 Nov 2006 10:22:12 -0500 (EST)
*Received: * by server1.neighborhoods.net (Postfix, from userid 114) id 1A9BFB6C2F6; Sat, 11 Nov 2006 10:22:05 -0500 (EST)

Any thoughts on other ways to whitelist locally originated messages from a single address ([EMAIL PROTECTED]) without just opening up the world to spammers by using a simple whitelist_from command?

Looking at the Received: headers it looks as if you're running a mostly regular Postfix/Amavis setup, ie Postfix forwards to Amavis which in turn forwards it to Postfix. You can tell Postfix which content filters it should use depending on where mail comes from. Since the mail in question is generated locally (from userid 114), you can tell Postfix not to use the content filter in the pickup process:

  +-- /etc/postfix/master.cf --
  | pickup    fifo  n       -       -       60      1       pickup
  |     -o content_filter=
  +-- --

See [1] for a more complete example.

-- Matthias

[1] http://matthias.leisi.net/archives/120-Unblocking-an-EICAR-with-PostfixAmavisClamAV.html
Re: When Bayes goes bad... How to fix?
Bob Proulx wrote: I am guessing that H*c is a header and some specific token. Is there a key somewhere that will help decode these?

From Bayes.pm:

  %HEADER_NAME_COMPRESSION = (
    'Message-Id'               => '*m',
    'Message-ID'               => '*M',
    'Received'                 => '*r',
    'User-Agent'               => '*u',
    'References'               => '*f',
    'In-Reply-To'              => '*i',
    'From'                     => '*F',
    'Reply-To'                 => '*R',
    'Return-Path'              => '*p',
    'Return-path'              => '*rp',
    'X-Mailer'                 => '*x',
    'X-Authentication-Warning' => '*a',
    'Organization'             => '*o',
    'Organisation'             => '*o',
    'Content-Type'             => '*c',
    'X-Spam-Relays-Trusted'    => '*RT',
    'X-Spam-Relays-Untrusted'  => '*RU',
  );

So H*r = Received: header, etc.

  [15528] dbg: bayes: token 'H*MI:OEA0023' = 0.985096774193548
  [15528] dbg: bayes: token 'H*M:OEA0023' = 0.985096774193548
  [15528] dbg: bayes: token 'H*UA:Express' = 0.985060557114832
  [15528] dbg: bayes: token 'H*x:Express' = 0.985059973253254
  [15528] dbg: bayes: token 'HX-MimeOLE:V6.00.2900.2962' = 0.976898908840907
  [15528] dbg: bayes: token 'HX-MimeOLE:MimeOLE' = 0.976313886128059
  [15528] dbg: bayes: token 'HX-MSMail-Priority:Normal' = 0.974305670960733
  [15528] dbg: bayes: token 'HX-MimeOLE:Microsoft' = 0.959224439139177
  [15528] dbg: bayes: token 'HX-MimeOLE:Produced' = 0.959178732453666

It has really learned outlook as a spam source. But there should be plenty of valid messages to have offset these. I keep running sa-learn --ham on all valid messages hoping that it would offset the spam ones. As you can see from the numbers there are 150,000 messages and apparently all in the last 2.34 days too. (But that does not quite make sense to me either.)

  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:lists.example.com' = 0.950917490471412
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:sk:monty-p' = 0.95091594711816
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:199.232.76.173' = 0.95091594711816
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:envfrom' = 0.950880625609595
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:auth' = 0.950880625609595
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:helo' = 0.950880625609595
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:intl' = 0.950880625609595
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:ident' = 0.950880625609595
  [15528] dbg: bayes: token 'HX-Spam-Relays-Internal:rdns' = 0.950880625609595

It seems to have learned one of the trusted_network machines as a spam relay. Hmm... That seems like a bug.

Perhaps.. either that or you're doing your spam learning after this machine has added its headers, but very little of your ham learning has it.

  [8683] dbg: received-header: relay 199.232.76.173 trusted? yes internal? yes

That should at least let you know what it is your bayes DB has learned that's bad. If it's not too horrible you might be able to use sa-learn --backup to dump the DB, edit it by hand, and sa-learn --restore it.

Hmm... That is an idea. A good suggestion. Of course everything has been hashed so I would need to reverse engineer them back to something meaningful but should be possible with a message to test against. I think the bayes is learning things from the mime structure that it should not be learning such as multipart/alternative. Is there a way to whitelist tokens so that it does not show up in the bayes at all?

However, you'd need to find the correct SHA1 of the offending tokens.. not sure if that will be in the debug output.

Yes. Correlating one to the other is going to be a pain. Thanks for the suggestions.

Bob
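The decoding and correlation discussed in this thread, as an added Python example that is not from any poster or from SpamAssassin itself: it expands the `H*x:` prefixes with the table quoted from Bayes.pm, groups the debug tokens by header, and computes the key to look for in `sa-learn --backup` output. It assumes the 3.1-era DBM store, where each `t` line of the backup ends with the last five bytes of the token's SHA-1 in hex; the per-token counts in the sample backup are constructed.

```python
import hashlib
import re
from collections import defaultdict

# Header-name compression table as quoted from Bayes.pm in the thread.
HEADER_NAME_COMPRESSION = {
    "Message-Id": "*m", "Message-ID": "*M", "Received": "*r",
    "User-Agent": "*u", "References": "*f", "In-Reply-To": "*i",
    "From": "*F", "Reply-To": "*R", "Return-Path": "*p",
    "Return-path": "*rp", "X-Mailer": "*x",
    "X-Authentication-Warning": "*a", "Organization": "*o",
    "Organisation": "*o", "Content-Type": "*c",
    "X-Spam-Relays-Trusted": "*RT", "X-Spam-Relays-Untrusted": "*RU",
}
# Reverse map; 'Organization' and 'Organisation' share '*o', the first wins.
EXPAND = {}
for _name, _code in HEADER_NAME_COMPRESSION.items():
    EXPAND.setdefault(_code, _name)

DEBUG_LINE = re.compile(
    r"dbg: bayes: token '(.*)' = ([0-9.]+(?:[eE][-+]?[0-9]+)?)\s*$")


def parse_debug(lines):
    """Return [(token, probability)] from `spamassassin -D bayes` output."""
    out = []
    for line in lines:
        m = DEBUG_LINE.search(line)
        if m:
            out.append((m.group(1), float(m.group(2))))
    return out


def header_of(token):
    """Name the header a token came from, or None if it is not a header token.

    Heuristic: header tokens look like 'H<name>:<value>' or 'H*<code>:<value>'.
    Codes absent from the quoted table (e.g. '*MI') are reported, not guessed.
    """
    if not token.startswith("H") or ":" not in token:
        return None
    name = token[1:].split(":", 1)[0]
    if not name:
        return None
    if name.startswith("*"):
        return EXPAND.get(name, "unknown code " + name)
    return name


def summarize(lines):
    """Group debug tokens by header: [(header, count, mean probability)]."""
    groups = defaultdict(list)
    for token, prob in parse_debug(lines):
        groups[header_of(token) or "(body)"].append(prob)
    rows = [(h, len(p), sum(p) / len(p)) for h, p in groups.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def backup_key(token):
    """Hex key under which a plaintext token appears in the backup dump.

    ASSUMPTION (not stated in the thread): the store keeps the last 5 bytes
    of SHA-1(token), printed as 10 hex digits. Check your version's Bayes.pm.
    """
    return hashlib.sha1(token.encode("utf-8")).hexdigest()[-10:]


def correlate(tokens, backup_lines):
    """Map each token found in the backup to its (spam_count, ham_count)."""
    wanted = {backup_key(t): t for t in tokens}
    found = {}
    for line in backup_lines:
        fields = line.rstrip("\n").split("\t")
        # Token lines: t <spam count> <ham count> <atime> <hex key>
        if len(fields) == 5 and fields[0] == "t" and fields[4] in wanted:
            found[wanted[fields[4]]] = (int(fields[1]), int(fields[2]))
    return found


# Debug lines copied from the thread.
SAMPLE_DEBUG = """\
[15528] dbg: bayes: token 'H*c:multipart' = 0.864700569756485
[15528] dbg: bayes: token 'H*c:alternative' = 0.994304725802302
[15528] dbg: bayes: token 'H*r:8.13.5' = 0.958
[15528] dbg: bayes: token 'H*MI:OEA0023' = 0.985096774193548
[15528] dbg: bayes: token 'HX-MimeOLE:Microsoft' = 0.959224439139177
[15528] dbg: bayes: token 'HX-MimeOLE:Produced' = 0.959178732453666
[15528] dbg: bayes: token 'HX-Spam-Relays-Internal:199.232.76.173' = 0.95091594711816
""".splitlines()

# Constructed backup excerpt; the counts on the 't' lines are made up.
SAMPLE_BACKUP = [
    "v\t3\tdb_version # this must be the first line!!!",
    "t\t412\t3\t1163306671\t" + backup_key("H*c:alternative"),
    "t\t5\t90\t1163102355\t" + backup_key("unrelated-token"),
]

if __name__ == "__main__":
    for header, count, mean in summarize(SAMPLE_DEBUG):
        print(f"{header:28s} tokens={count} mean_p={mean:.3f}")
    tokens = [t for t, _ in parse_debug(SAMPLE_DEBUG)]
    for tok, (ns, nh) in correlate(tokens, SAMPLE_BACKUP).items():
        print(f"{tok!r}: key={backup_key(tok)} spam={ns} ham={nh}")
```
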
Re: spam that only hits the BAYES_99 rule
Tom H wrote: Matt Kettler wrote: Tom H wrote: Hi, I was getting hit by a great deal of spam that only hits the BAYES_99 I would be grateful for any ideas on this...

Sounds like the message contains a URI that is now listed in many of the SURBL and URIBL lists. It may be that this got listed after you got the spam, but do you have network tests enabled?

There is a url in the domain that definitely hits some of the URIBLs (results from the SURBL+ Checker on rulesemporium )

  * RBL: skipping uri lookups on ip-based RBLs
  * URIBL: multi.surbl.org: *listed* [Blocked, madesucxxxntiondetunhadesu.com on lists [ab][jp][ob][sc][ws], See: http://www.surbl.org/lists.html]
  * URIBL: multi.uribl.com: *listed* [Blacklisted, see http://lookup.uribl.com/?domain=madesuntioxxxndetunxxxhadesu.com http://lookup.uribl.com/?domain=madesuntiondetunhadesu.com]

However I don't seem to get any score for those, even though spamassassin is clearly running the network tests, as I can see from the debug output;

  [EMAIL PROTECTED] ~]# spamassassin -t -D -p /etc/mail/sa-mimedefang.cf /usr/share/doc/spamassassin-3.1.4/sample-spam.txt

Is there any chance your init.pre is missing from /etc/mail/spamassassin? Or does it have the URIBL plugin commented out? It looks like you have working network tests, but not working URIBLs. The most common cause would be the plugin isn't being loaded by init.pre. The other possibility is your Net::DNS is too old to support URIBLs, but new enough to handle normal RBLs, however, the -D output would complain if this was the case.
Is this a problem with 3.2.0pr?
[6858] dbg: rules: ran eval rule TVD_SPACE_RATIO == got hit (1) rules: failed to run CHARSET_FARAWAY test, skipping: (Can't locate object method are_more_high_bits_set via package Mail::SpamAssassin::PerMsgStatus at /home/robert/TRUNK/lib/ perl5/site_perl/5.8.0/Mail/SpamAssassin/Plugin/MIMEEval.pm line 84. ) Mail::SpamAssassin::PerMsgStatus::handle_eval_rule_errors ('Mail::SpamAssassin::PerMsgStatus=HASH (0xa13db3c)','CHARSET_FARAWAY') called at (eval 671)[/home/robert/ TRUNK/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Plugin/Check.pm: 1167] line 3072 cannot find any are_more_high_bits_set in PerMsgStatus.pm
Re: Is this a problem with 3.2.0pr?
Where is EvalTests.pm now then? On Nov 12, 2006, at 5:46 PM, Robert Nicholson wrote: [6858] dbg: rules: ran eval rule TVD_SPACE_RATIO == got hit (1) rules: failed to run CHARSET_FARAWAY test, skipping: (Can't locate object method are_more_high_bits_set via package Mail::SpamAssassin::PerMsgStatus at /home/robert/TRUNK/ lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Plugin/MIMEEval.pm line 84. ) Mail::SpamAssassin::PerMsgStatus::handle_eval_rule_errors ('Mail::SpamAssassin::PerMsgStatus=HASH (0xa13db3c)','CHARSET_FARAWAY') called at (eval 671)[/home/robert/ TRUNK/lib/perl5/site_perl/5.8.0/Mail/SpamAssassin/Plugin/Check.pm: 1167] line 3072 cannot find any are_more_high_bits_set in PerMsgStatus.pm
Re: error from sa-learn --dump data
twofers wrote: Can someone help me understand what this means? Whats broken? [EMAIL PROTECTED] .spamassassin]# sa-learn --dump data bayes: bayes db version 0 is not able to be used, aborting! at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm line 196. bayes: bayes db version 0 is not able to be used, aborting! at /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/BayesStore/DBM.pm line 196. ERROR: Bayes dump returned an error, please re-run with -D for more information Sounds like you upgraded from a 2.6x version and never ran sa-learn --sync, as per the UPGRADE instructions for going from 2.6x or older to 3.0.x or higher. Did you recently upgrade? [EMAIL PROTECTED] .spamassassin]# spamassassin -V SpamAssassin version 3.1.5 running on Perl version 5.8.3 Thanks again. Wes
RelayChecker 0.3
New version of RelayChecker.

http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar

Changes:

- It's now in a single tar file. Put the tar file into your plugin directory, expand it, and all should be good. The tar file includes:
    COPYING          - the GPL
    RelayChecker.txt - explanations of each rule and option
    RelayChecker.pm  - the plugin, now with copyright info
    RelayChecker.cf  - example cf file (you should check the file)
- The individual tests are now individual rules. Each has a score of .01
- The badrdns and baddns test are combined into one rule, RELAY_CHECKER_BADDNS
- The RELAY_CHECKER rule is now a meta rule, with a score of 6. It is now set statically in the cf file instead of dynamically in the pm file.
- The config options have changed a bit. You no longer set a skip preference for individual tests. Since the tests are now rules, you just set that rule to 0.
- There is now an option, relaychecker_reduced_dns, which eliminates all extra DNS checks. Instead of the PTR check, it uses the rdns= part of the Untrusted Relays pseudo-header, and the RELAY_CHECKER_BADDNS test always returns 0.
- The dynhostname and clienthostname tests have been combined and replaced by the RELAY_CHECKER_KEYWORDS rule. This uses a cf file option, relaychecker_keywords, which feeds this test with keywords to search for in the hostname. If you don't like certain keywords, just don't use them. Or you can add more keywords just by changing the cf file.
- The iphostname check (now RELAY_CHECKER_IPHOSTNAME) now allows more than 1 character of separation between the octets (since some hosts have multiple characters), automatically pads a 0 for hex values less than 10 (to avoid tripping on words with ff or ee in them), and looks for decimal values that combine 2 or 3 of the octets.
- I think the relaychecker_skip_ip, relaychecker_pass_ip, and relaychecker_pass_auth options had been in the previous release so I'm not going to explain them here. If I'm wrong, then the explanation is in the .txt file.

I still haven't set it up to use Net::DNS. Not sure if I'm going to at this point, or not. Let me know if you have opinions, one way or the other, about it.

I'm still interested in hearing about bug reports, feedback, etc. I think the main thing I have left for a 1.0 release is getting it into the wiki, assuming there aren't any major complaints, requests, nor bug reports. Though, I had contemplated renaming it to BotNetHunter, since that's what its real goal is. But, not yet. If you have an opinion there, let me know.
Re: RelayChecker 0.3
On Sun, Nov 12, 2006 at 05:26:10PM -0800, John Rudd wrote: New version of RelayChecker. http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar Changes: - It's now in a single tar file. Put the tar file into your plugin directory, expand it, and all should be good. The tar file includes: COPYING- the GPL RelayChecker.txt - explanations of each rule and option RelayChecker.pm- the plugin, now with copyright info RelayChecker.cf- example cf file (you should check the file) - The individual tests are now individual rules. Each has a score of .01 - The badrdns and baddns test are combined into one rule, RELAY_CHECKER_BADDNS - The RELAY_CHECKER rule is now a meta rule, with a score of 6. It is now set statically in the cf file instead of dynamically in the pm file. - The config options have changed a bit. You no longer set a skip preference for individual tests. Since the tests are now rules, you just set that rule to 0. - There is now an option, relaychecker_reduced_dns, which eliminates all extra DNS checks. Instead of the PTR check, it uses the rdns= part of the Untrusted Relays pseudo-header, and the RELAY_CHECKER_BADDNS test always returns 0. - The dynhostname and clienthostname tests have been combined and replaced by the RELAY_CHECKER_KEYWORDS rule. This uses a cf file option, relaychecker_keywords, which feeds this test with keywords to search for in the hostname. If you don't like certain keywords, just don't use them. Or you can add more keywords just by changing the cf file. - The iphostname check (now RELAY_CHECKER_IPHOSTNAME) now allows more than 1 character of separation between the octets (since some hosts have multiple characters), automatically pads a 0 for hex values less than 10 (to avoid tripping on words with ff or ee in them), and looks for decimal values that combine 2 or 3 of the octets. 
- I think the relaychecker_skip_ip, relaychecker_pass_ip, and relaychecker_pass_auth options had been in the previous release so I'm not going to explain them here. If I'm wrong, then the explanation is in the .txt file. I still haven't set it up to use Net::DNS. Not sure if I'm going to at this point, or not. Let me know if you have opinions, one way or the other, about it. I'm still interested in hearing about bug reports, feedback, etc. I think the main thing I have left for a 1.0 release is getting it into the wiki, assuming there aren't any major complaints, requests, or bug reports. Though, I had contemplated renaming it to BotNetHunter, since that's what its real goal is. But, not yet. If you have an opinion there, let me know. Hello, how do you install this? -- Member - Liberal International This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED] God Queen and country! Beware Anti-Christ rising! Lest we forget 11 Nov 2006
Re: RelayChecker 0.3
The Doctor wrote: On Sun, Nov 12, 2006 at 05:26:10PM -0800, John Rudd wrote: New version of RelayChecker. http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar Changes: - It's now in a single tar file. Put the tar file into your plugin directory, expand it, and all should be good. The tar file includes: COPYING- the GPL RelayChecker.txt - explanations of each rule and option RelayChecker.pm- the plugin, now with copyright info RelayChecker.cf- example cf file (you should check the file) - The individual tests are now individual rules. Each has a score of .01 - The badrdns and baddns test are combined into one rule, RELAY_CHECKER_BADDNS - The RELAY_CHECKER rule is now a meta rule, with a score of 6. It is now set statically in the cf file instead of dynamically in the pm file. - The config options have changed a bit. You no longer set a skip preference for individual tests. Since the tests are now rules, you just set that rule to 0. - There is now an option, relaychecker_reduced_dns, which eliminates all extra DNS checks. Instead of the PTR check, it uses the rdns= part of the Untrusted Relays pseudo-header, and the RELAY_CHECKER_BADDNS test always returns 0. - The dynhostname and clienthostname tests have been combined and replaced by the RELAY_CHECKER_KEYWORDS rule. This uses a cf file option, relaychecker_keywords, which feeds this test with keywords to search for in the hostname. If you don't like certain keywords, just don't use them. Or you can add more keywords just by changing the cf file. - The iphostname check (now RELAY_CHECKER_IPHOSTNAME) now allows more than 1 character of separation between the octets (since some hosts have multiple characters), automatically pads a 0 for hex values less than 10 (to avoid tripping on words with ff or ee in them), and looks for decimal values that combine 2 or 3 of the octets. 
- I think the relaychecker_skip_ip, relaychecker_pass_ip, and relaychecker_pass_auth options had been in the previous release so I'm not going to explain them here. If I'm wrong, then the explanation is in the .txt file. I still haven't set it up to use Net::DNS. Not sure if I'm going to at this point, or not. Let me know if you have opinions, one way or the other, about it. I'm still interested in hearing about bug reports, feedback, etc. I think the main thing I have left for a 1.0 release is getting it into the wiki, assuming there aren't any major complaints, requests, or bug reports. Though, I had contemplated renaming it to BotNetHunter, since that's what its real goal is. But, not yet. If you have an opinion there, let me know. Hello, how do you install this? 1) Put the tar file into whatever directory you use for plugins (ex: /etc/mail/spamassassin ) 2) cd into that directory 3) tar xpf RelayChecker.tar 4) if you use spam assassin through some persistent mechanism (spamd, mailscanner, a milter, etc.), then you'll need to restart that. Otherwise, if you just call it directly (not with spamc) through procmail, you should be fine.
Re: Is this a problem with 3.2.0pr?
On Sun, Nov 12, 2006 at 05:51:10PM -0600, Robert Nicholson wrote: Where is EvalTests.pm now then? There is no EvalTests.pm in 3.2. All of the functions got moved to plugins. -- Randomly Selected Tagline: When the outcome of a meeting is to have another meeting, it has been a lousy meeting. - Herbert Hoover
Re: Is this a problem with 3.2.0pr?
On Nov 12, 2006, at 8:29 PM, Robert Nicholson wrote: Correct, but before it used to be

    $body = join("\n", @$body);
    if ($self->are_more_high_bits_set ($body)) { return 1; }

and now it's

    $body = join("\n", @$body);
    if ($pms->are_more_high_bits_set ($body)) { return 1; }

but are_more_high_bits_set isn't defined in PerMsgStatus it's defined in MIMEEval.pm which is self again

On Nov 12, 2006, at 8:09 PM, Theo Van Dinter wrote: On Sun, Nov 12, 2006 at 05:51:10PM -0600, Robert Nicholson wrote: Where is EvalTests.pm now then? There is no EvalTests.pm in 3.2. All of the functions got moved to plugins. -- Randomly Selected Tagline: When the outcome of a meeting is to have another meeting, it has been a lousy meeting. - Herbert Hoover
RE: RelayChecker 0.3
Am I missing something or is the use of Sys::Syslog not necessary? I can't find a compatible Win32 build.. Though I didn't look all that hard for it, as the module seems to work correctly without it (from my limited testing). Thanks, Steven -Original Message- From: John Rudd [mailto:[EMAIL PROTECTED] Sent: Sunday, November 12, 2006 6:26 PM To: SpamAssassin Users Subject: RelayChecker 0.3 New version of RelayChecker. http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar Changes: - It's now in a single tar file. Put the tar file into your plugin directory, expand it, and all should be good. The tar file includes: COPYING- the GPL RelayChecker.txt - explanations of each rule and option RelayChecker.pm- the plugin, now with copyright info RelayChecker.cf- example cf file (you should check the file) - The individual tests are now individual rules. Each has a score of .01 - The badrdns and baddns test are combined into one rule, RELAY_CHECKER_BADDNS - The RELAY_CHECKER rule is now a meta rule, with a score of 6. It is now set statically in the cf file instead of dynamically in the pm file. - The config options have changed a bit. You no longer set a skip preference for individual tests. Since the tests are now rules, you just set that rule to 0. - There is now an option, relaychecker_reduced_dns, which eliminates all extra DNS checks. Instead of the PTR check, it uses the rdns= part of the Untrusted Relays pseudo-header, and the RELAY_CHECKER_BADDNS test always returns 0. - The dynhostname and clienthostname tests have been combined and replaced by the RELAY_CHECKER_KEYWORDS rule. This uses a cf file option, relaychecker_keywords, which feeds this test with keywords to search for in the hostname. If you don't like certain keywords, just don't use them. Or you can add more keywords just by changing the cf file. 
- The iphostname check (now RELAY_CHECKER_IPHOSTNAME) now allows more than 1 character of separation between the octets (since some hosts have multiple characters), automatically pads a 0 for hex values less than 10 (to avoid tripping on words with ff or ee in them), and looks for decimal values that combine 2 or 3 of the octets. - I think the relaychecker_skip_ip, relaychecker_pass_ip, and relaychecker_pass_auth options had been in the previous release so I'm not going to explain them here. If I'm wrong, then the explanation is in the .txt file. I still haven't set it up to use Net::DNS. Not sure if I'm going to at this point, or not. Let me know if you have opinions, one way or the other, about it. I'm still interested in hearing about bug reports, feedback, etc. I think the main thing I have left for a 1.0 release is getting it into the wiki, assuming there aren't any major complaints, requests, or bug reports. Though, I had contemplated renaming it to BotNetHunter, since that's what its real goal is. But, not yet. If you have an opinion there, let me know.
Re: RelayChecker 0.3
On Sun, Nov 12, 2006 at 06:06:53PM -0800, John Rudd wrote: The Doctor wrote: On Sun, Nov 12, 2006 at 05:26:10PM -0800, John Rudd wrote: New version of RelayChecker. http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar Changes: - It's now in a single tar file. Put the tar file into your plugin directory, expand it, and all should be good. The tar file includes: COPYING- the GPL RelayChecker.txt - explanations of each rule and option RelayChecker.pm- the plugin, now with copyright info RelayChecker.cf- example cf file (you should check the file) - The individual tests are now individual rules. Each has a score of .01 - The badrdns and baddns test are combined into one rule, RELAY_CHECKER_BADDNS - The RELAY_CHECKER rule is now a meta rule, with a score of 6. It is now set statically in the cf file instead of dynamically in the pm file. - The config options have changed a bit. You no longer set a skip preference for individual tests. Since the tests are now rules, you just set that rule to 0. - There is now an option, relaychecker_reduced_dns, which eliminates all extra DNS checks. Instead of the PTR check, it uses the rdns= part of the Untrusted Relays pseudo-header, and the RELAY_CHECKER_BADDNS test always returns 0. - The dynhostname and clienthostname tests have been combined and replaced by the RELAY_CHECKER_KEYWORDS rule. This uses a cf file option, relaychecker_keywords, which feeds this test with keywords to search for in the hostname. If you don't like certain keywords, just don't use them. Or you can add more keywords just by changing the cf file. - The iphostname check (now RELAY_CHECKER_IPHOSTNAME) now allows more than 1 character of separation between the octets (since some hosts have multiple characters), automatically pads a 0 for hex values less than 10 (to avoid tripping on words with ff or ee in them), and looks for decimal values that combine 2 or 3 of the octets. 
- I think the relaychecker_skip_ip, relaychecker_pass_ip, and relaychecker_pass_auth options had been in the previous release so I'm not going to explain them here. If I'm wrong, then the explanation is in the .txt file. I still haven't set it up to use Net::DNS. Not sure if I'm going to at this point, or not. Let me know if you have opinions, one way or the other, about it. I'm still interested in hearing about bug reports, feedback, etc. I think the main thing I have left for a 1.0 release is getting it into the wiki, assuming there aren't any major complaints, requests, or bug reports. Though, I had contemplated renaming it to BotNetHunter, since that's what its real goal is. But, not yet. If you have an opinion there, let me know. Hello, how do you install this? 1) Put the tar file into whatever directory you use for plugins (ex: /etc/mail/spamassassin ) 2) cd into that directory 3) tar xpf RelayChecker.tar 4) if you use spam assassin through some persistent mechanism (spamd, mailscanner, a milter, etc.), then you'll need to restart that. Otherwise, if you just call it directly (not with spamc) through procmail, you should be fine. You just may want to add this into an install.txt file. -- Member - Liberal International This is [EMAIL PROTECTED] Ici [EMAIL PROTECTED] God Queen and country! Beware Anti-Christ rising! Lest we forget 11 Nov 2006
Re: RelayChecker 0.3
The Doctor wrote: On Sun, Nov 12, 2006 at 06:06:53PM -0800, John Rudd wrote: The Doctor wrote: On Sun, Nov 12, 2006 at 05:26:10PM -0800, John Rudd wrote: New version of RelayChecker. http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar Changes: - It's now in a single tar file. Put the tar file into your plugin directory, expand it, and all should be good. The tar file includes: COPYING- the GPL RelayChecker.txt - explanations of each rule and option RelayChecker.pm- the plugin, now with copyright info RelayChecker.cf- example cf file (you should check the file) - The individual tests are now individual rules. Each has a score of .01 - The badrdns and baddns test are combined into one rule, RELAY_CHECKER_BADDNS - The RELAY_CHECKER rule is now a meta rule, with a score of 6. It is now set statically in the cf file instead of dynamically in the pm file. - The config options have changed a bit. You no longer set a skip preference for individual tests. Since the tests are now rules, you just set that rule to 0. - There is now an option, relaychecker_reduced_dns, which eliminates all extra DNS checks. Instead of the PTR check, it uses the rdns= part of the Untrusted Relays pseudo-header, and the RELAY_CHECKER_BADDNS test always returns 0. - The dynhostname and clienthostname tests have been combined and replaced by the RELAY_CHECKER_KEYWORDS rule. This uses a cf file option, relaychecker_keywords, which feeds this test with keywords to search for in the hostname. If you don't like certain keywords, just don't use them. Or you can add more keywords just by changing the cf file. - The iphostname check (now RELAY_CHECKER_IPHOSTNAME) now allows more than 1 character of separation between the octets (since some hosts have multiple characters), automatically pads a 0 for hex values less than 10 (to avoid tripping on words with ff or ee in them), and looks for decimal values that combine 2 or 3 of the octets. 
- I think the relaychecker_skip_ip, relaychecker_pass_ip, and relaychecker_pass_auth options had been in the previous release so I'm not going to explain them here. If I'm wrong, then the explanation is in the .txt file. I still haven't set it up to use Net::DNS. Not sure if I'm going to at this point, or not. Let me know if you have opinions, one way or the other, about it. I'm still interested in hearing about bug reports, feedback, etc. I think the main thing I have left for a 1.0 release is getting it into the wiki, assuming there aren't any major complaints, requests, or bug reports. Though, I had contemplated renaming it to BotNetHunter, since that's what its real goal is. But, not yet. If you have an opinion there, let me know. Hello, how do you install this? 1) Put the tar file into whatever directory you use for plugins (ex: /etc/mail/spamassassin ) 2) cd into that directory 3) tar xpf RelayChecker.tar 4) if you use spam assassin through some persistent mechanism (spamd, mailscanner, a milter, etc.), then you'll need to restart that. Otherwise, if you just call it directly (not with spamc) through procmail, you should be fine. You just may want to add this into an install.txt file. It was in the first bullet item of the announcement.. but, yeah, I've put it in a file named INSTALL and in RelayChecker.txt
Re: RelayChecker 0.3
You're right. Not necessary. Must have been something I had intended to use and used the SA debug output instead. I've taken it out of my sources. Won't be in the next release. Thanks! Steven Manross wrote: Am I missing something or is the use of Sys::Syslog not necessary? I can't find a compatible Win32 build.. Though I didn't look all that hard for it, as the module seems to work correctly without it (from my limited testing). Thanks, Steven -Original Message- From: John Rudd [mailto:[EMAIL PROTECTED] Sent: Sunday, November 12, 2006 6:26 PM To: SpamAssassin Users Subject: RelayChecker 0.3 New version of RelayChecker. http://people.ucsc.edu/~jrudd/spamassassin/RelayChecker.tar Changes: - It's now in a single tar file. Put the tar file into your plugin directory, expand it, and all should be good. The tar file includes: COPYING- the GPL RelayChecker.txt - explanations of each rule and option RelayChecker.pm- the plugin, now with copyright info RelayChecker.cf- example cf file (you should check the file) - The individual tests are now individual rules. Each has a score of .01 - The badrdns and baddns test are combined into one rule, RELAY_CHECKER_BADDNS - The RELAY_CHECKER rule is now a meta rule, with a score of 6. It is now set statically in the cf file instead of dynamically in the pm file. - The config options have changed a bit. You no longer set a skip preference for individual tests. Since the tests are now rules, you just set that rule to 0. - There is now an option, relaychecker_reduced_dns, which eliminates all extra DNS checks. Instead of the PTR check, it uses the rdns= part of the Untrusted Relays pseudo-header, and the RELAY_CHECKER_BADDNS test always returns 0. - The dynhostname and clienthostname tests have been combined and replaced by the RELAY_CHECKER_KEYWORDS rule. This uses a cf file option, relaychecker_keywords, which feeds this test with keywords to search for in the hostname. If you don't like certain keywords, just don't use them. 
Or you can add more keywords just by changing the cf file. - The iphostname check (now RELAY_CHECKER_IPHOSTNAME) now allows more than 1 character of separation between the octets (since some hosts have multiple characters), automatically pads a 0 for hex values less than 10 (to avoid tripping on words with ff or ee in them), and looks for decimal values that combine 2 or 3 of the octets. - I think the relaychecker_skip_ip, relaychecker_pass_ip, and relaychecker_pass_auth options had been in the previous release so I'm not going to explain them here. If I'm wrong, then the explanation is in the .txt file. I still haven't set it up to use Net::DNS. Not sure if I'm going to at this point, or not. Let me know if you have opinions, one way or the other, about it. I'm still interested in hearing about bug reports, feedback, etc. I think the main thing I have left for a 1.0 release is getting it into the wiki, assuming there aren't any major complaints, requests, or bug reports. Though, I had contemplated renaming it to BotNetHunter, since that's what its real goal is. But, not yet. If you have an opinion there, let me know.