Re: Them spammers are getting smarter..
Anyhow, you can use: /^Me again/

It looks for "Me again" at the beginning of the expression; it detects "Me again", but also "Me again Richard", etc.

Theo Van Dinter wrote:
> On Tue, Nov 21, 2006 at 12:33:36PM -0800, Evan Platt wrote:
> > So used to be mail from Richard Smith, subject "Me again Richard". Now they're using the last name, ie "Me again Smith".
>
> FWIW, this is why it's pointless to try keeping up with those things. There's an infinite number of ways they can change around the subject/from/etc that there's no point in trying to keep up.
Tools-Monitoring Spam vs Ham, etc.
What tool (or maybe I already have it and don't know it) can I use to get email statistics on my server and domains? Like total emails, those tagged as spam, etc.?

I have FC2, qmail, SpamAssassin 3.1.7. Is sa-tools helpful? Is it worth installing?

Thanks,
Wes
Re: Bayes Database Missing
The files you are looking for are bayes_toks and bayes_seen. They may be in /root/.spamassassin/

Try to find those files in a spamassassin default directory somewhere and cp them to that directory.

First try to find them and do a:
locate -u    # catalogs all the files on your server
Then do a:
locate bayes_    # searches for those bayes files.

Hopefully you will find those files in a spamassassin default directory. Otherwise if you find them in a user(s) directory you can copy the ones that you know or think are the most populated.

Wes

leemansvg [EMAIL PROTECTED] wrote:
> sorry, there's no bayes files in /etc/mail/spamassassin/ directory. I'm using MailScanner.
>
> twofers wrote:
> > You can try:
> > mkdir /var/lib/MailScanner/    # Creates the directory
> > cp /etc/mail/spamassassin/bayes* /var/lib/MailScanner/    # Copies the bayes databases from the default spamassassin directory to the bayes_path directory
> > /etc/init.d/spamassassin restart or /etc/init.d/psa-spamassassin restart    # restart SA, one of these might work. But you need to restart SA.
> >
> > Wes
> >
> > leemansvg wrote:
> > > I see in my spam.assassin.pref.conf file this entry, bayes_path /var/lib/MailScanner/bayes however when I navigate to this directory this database is not there, is there a way to generate this database. I've been noticing a lot of spam getting through and would like to tighten this.
Re: Them spammers are getting smarter..
On Tue, 21 Nov 2006, Evan Platt wrote:
> So used to be mail from Richard Smith, subject "Me again Richard". Now they're using the last name, ie "Me again Smith".

Their fake Received: line is still the same.

Tony.
--
f.a.n.finch [EMAIL PROTECTED] http://dotat.at/
BAILEY: CYCLONIC BECOMING NORTHWESTERLY SEVERE GALE 9 TO VIOLENT STORM 11, OCCASIONALLY HURRICANE FORCE 12 IN SOUTH, DECREASING 7 TO SEVERE GALE 9 LATER. HIGH OR VERY HIGH. RAIN OR SQUALLY SHOWERS. MODERATE OR POOR.
RE: SPF and SMTP AUTH
-----Original Message-----
From: Rene Caspari [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 21 November 2006 12:09
To: users@spamassassin.apache.org
Subject: SPF and SMTP AUTH

> I have a little problem with SPF: For domain.tld there is an SPF record, which says that mail.domain.tld is allowed to send mails from [EMAIL PROTECTED]. If I use mail.domain.tld with a dialin account by SMTP AUTH, spamassassin says SPF_SOFTFAIL because initially the mail was sent by the dialin account and not mail.domain.tld. How can I configure spamassassin not to recognize the dialin account as a mailserver?

The better route, really, is to configure your MTA, mail.domain.tld, to set pass for the trusted mechanism you have in place (like SASL). Your MTA would then generate a header like this:

Received-SPF: pass (mail.domain.tld: 1.2.3.4 is authenticated by a trusted mechanism)

In your current setup, it seems, you basically use softfail so as not to have to deal with rejects from (authenticated) dynamic relays; but softfail was not really meant for that purpose, of course.

- Mark
Re: FuzzyOcrPlugin hashdb permissions
> And you have added all the users that need access to the users group in /etc/group? IE your /etc/group file contains a line like:
> users:x:100:user1,user2,user3,user4,useretc

Yes.

> If so, then it is spamassassin that does not switch the user context correctly.

It looks a bit like it. I've just installed a newer version of SA from backports.org. Trouble is that other tests seem to pick up spam before FOCR is invoked. I've tried increasing focr_autodisable_score - I'll have a look in the morning.
RE: Is my Bayes DB borked?
Kurt Buff wrote:
> Nope - it's not that.
>
> Looking through my syslog more closely reveals that I'm getting 'SA TIMED OUT' messages all over the place, and referring to rules as well as Bayes. So, I'm just as confused as ever, and don't know what's going on.
>
> More analysis needed, I suppose, but I'm not sure where to start.

Check your memory usage. If you fill up available memory with your Amavis/SA processes and the system starts swapping everything will get slow. That could explain all of the timeout messages.

--
Bowie
RE: Greylisting
Here's an argument for you: http://www.nebrwesleyan.edu/people/stpierre/filtered.png

This is the breakdown of mail filtered by one of our MXes over the past week. The RBL line shows mail rejected by an RBL, mostly by njabl; the Rejected line is mail rejected by other MTA-level rules (like requiring an FQDN for the HELO); the Spam line shows mail that was accepted, marked as spam by SA, and delivered; and the Greylisted line shows mail that was delayed by Postgrey and not retried (i.e., successfully blocked).

As you can see, about 30% of the mail we filter (and about 25% of our total mail) is rejected by greylisting. Each of our MTAs processes about 400K messages per week. We greylist after all other MTA restrictions, so that boils down to over 100K messages that SA would have to scan if we weren't using greylisting.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Tue, 21 Nov 2006, [EMAIL PROTECTED] wrote:
> I'm afraid you're right on this one. Of course the spammers read this very list - and they have already started to implement anti greylisting measures... It's just a matter of time before they see too little success rate when they read the bot stats and start to circumvent greylisting too :(
>
> I have yet to try greylisting on a real production system. I am concerned about the 5-15 mins. delay because we have some sensitive customers that are already on their toes. But with the right set of arguments I'm sure I can convince even the worst customer that greylisting is a good thing... still. I wonder how many years it will take before some organization steps up and leads the way to new SMTP standards. My company has gone from 1 to 4 mail servers over the past 6 months. I reckon it's about time protocols adapt to the world today :)
>
> - Nicolai
>
> -----Original Message-----
> From: John Andersen [mailto:[EMAIL PROTECTED]
> Sent: 21 November 2006 01:12
> To: users@spamassassin.apache.org
> Subject: Re: Greylisting
>
> On Monday 20 November 2006 15:08, Rick Macdougall wrote:
> > It's possible that they could send it all twice but I've never seen it. Remember that some unbelievable number of infected Windows clients are the main source of spam and it would just be too much trouble for the spammer to try every address twice after a 15 minute interval.
>
> Oh come on! It costs the spammer NOTHING to make that adjustment to his bot net. It's someone else's bandwidth, and someone else's cpu cycles. They are reading this list and planning the changes already.
>
> --
> John Andersen
FP because of HELO_DYNAMIC_IPADDR
Hello,

mails from our host 80.237.202.55 (ds80-237-202-55.dedicated.hosteurope.de) are tagged as HELO_DYNAMIC_IPADDR. Said IP is not dynamic, it's a dedicated server hosted at a German ISP (Host Europe GmbH). How can we get our host removed from the list of DYNAMIC_IPS?

thanks in advance
messju
Re: Greylisting
I don't think the RFCs specify any time limit. Most timeout after 5 days of trying.

We run 3 equivalent scanning machines, which requires us to run a greylisting that will sync between them. That could cause a large delay, if the sending machine tries to send to a different host that isn't synced. Messages that aren't sent from the same machine (SMTP farms like at GMail) can cause trouble as well, since the IP will change. The whitelist usually will timeout after a period of time, so there is a delay that may be induced again in the future, but that depends on setup.

If a sensitive piece of mail needs to get through, it may be possible for the user to send the message again after the delay period has elapsed. This would be a new message, but if it leaves the same IP, with the same from and to pair (or however your greylisting works), it would fire right on through the greylist no problem. Not a perfect solution, but should work for rare occasions. One probably can whitelist recipients or recipient domains so that they are not affected by greylisting.

Last week greylisting stopped 1.3 million messages, which is after the blacklists and greet pause did their significant work.

Richard

Joey wrote:
> One thing I have seen having greylisting on all 3 of my production email servers (about 4 months now) is that it definitely stops a lot of spam, HOWEVER I am seeing time sensitive stuff take crazy amounts of time to be delivered. I am seeing 1/2 hour as the average, not the 5 minutes we are hoping for, and in a few cases we have seen a message delivered literally DAYS later, which is what I thought was against what the RFC's specify, but it's what's happening. I had to move 1 client OFF our main servers onto a reseller plan in order to accommodate getting them off of the greylisting. Personally I get about 40 fewer spam messages a DAY because of greylisting and I am not willing to give it up just yet.
>
> Joey
>
> -----Original Message-----
> From: John Andersen [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 21, 2006 11:10 PM
> To: users@spamassassin.apache.org
> Subject: Re: Greylisting
>
> On Tuesday 21 November 2006 06:02, [EMAIL PROTECTED] wrote:
> > I'm afraid you're right on this one. Of course the spammers read this very list - and they have already started to implement anti greylisting measures... It's just a matter of time before they see too little success rate when they read the bot stats and start to circumvent greylisting too :(
> >
> > I have yet to try greylisting on a real production system. I am concerned about the 5-15 mins. delay because we have some sensitive customers that are already on their toes. But with the right set of arguments I'm sure I can convince even the worst customer that greylisting is a good thing... still.
>
> As I understand it, greylisting does not affect anything except the FIRST attempt. From there on, it goes through as fast as ever. Or am I wrong?
>
> --
> John Andersen

--
Richard Frovarp
EduTech System Administrator
1-701-231-5127 or 1-800-774-1091
Message-ID in spamd log?
Hey list,

How do I go about to make spamd report the message id, or any handle for that matter, into the log? Doing traces on spamlogs is a tough one without anything to go by :-)

Best regards
--
Kim Christensen
With a gun barrel between your teeth, you speak only in vowels
how to solve errors after upgrade
Hello All,

I'm running SLES9 with the following versions:
spamassassin-2.64-3.2
perl-spamassassin-2.64-3.2
amavisd-new-20030616p9-3.6

I know I'm probably stuck with perl5.8.3 because SLES9 doesn't have the newer :(

I've installed new versions of SA and amavis (see below) with the following packets (compiled from src.rpm's):
# rpm -Uvh amavisd-new-2.4.4-4.i586.rpm perl-BerkeleyDB-0.25-2.i586.rpm perl-Compress-Zlib-1.35-12.i586.rpm perl-Convert-UUlib-1.051-11.i586.rpm
# rpm -Uvh perl-spamassassin-3.1.7-3.i586.rpm spamassassin-3.1.7-3.i586.rpm

Restarted SA and amavis, and started to get the following errors while no email was coming through my system and the mail queue was growing!

Example of maillog errors:
Nov 22 14:25:39 mail postfix/smtp[15132]: 23CBE1CA24: to= [EMAIL PROTECTED] , orig_to= [EMAIL PROTECTED], relay=127.0.0.1[127.0.0.1], delay=25, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=15039-05, mime_decode-1 FAILED: Can't locate object method max_parts via package MIME::Parser at /usr/sbin/amavisd line 5933. (in reply to end of DATA command))
Nov 22 14:28:14 mail postfix/smtp[15215]: AC330192F3: to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=127.0.0.1[127.0.0.1], delay=0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=15038-09, mime_decode-1 FAILED: Can't locate object method max_parts via package MIME::Parser at /usr/sbin/amavisd line 5933. (in reply to end of DATA command))

So, meanwhile I got the old SA and amavis back, but I wish I could use the newest versions.
What may be causing these errors and how to solve this?

Best Regards,
Leon Kolchinsky
Re: FP because of HELO_DYNAMIC_IPADDR
messju mohr writes:
> mails from our host 80.237.202.55 (ds80-237-202-55.dedicated.hosteurope.de) are tagged as HELO_DYNAMIC_IPADDR. Said IP is not dynamic, it's a dedicated server hosted at a German ISP (Host Europe GmbH). How can we get our host removed from the list of DYNAMIC_IPS?

stop using a dynamic-looking string (like 'ds80-237-202-55.dedicated.hosteurope.de' -- note the '80-237-202-55' part) in the HELO string. it's more common to use something like mail.lammfellpuschen.de, for example.

--j.
Re: [spamassassin] Re: FP because of HELO_DYNAMIC_IPADDR
On Wed, Nov 22, 2006 at 03:39:43PM +, Justin Mason wrote:
> messju mohr writes:
> > mails from our host 80.237.202.55 (ds80-237-202-55.dedicated.hosteurope.de) are tagged as HELO_DYNAMIC_IPADDR. Said IP is not dynamic, it's a dedicated server hosted at a German ISP (Host Europe GmbH). How can we get our host removed from the list of DYNAMIC_IPS?
>
> stop using a dynamic-looking string (like 'ds80-237-202-55.dedicated.hosteurope.de' -- note the '80-237-202-55' part) in the HELO string. it's more common to use something like mail.lammfellpuschen.de, for example.
>
> --j.

Ah, thanks. I just found the button to configure our RDNS.

thanks a lot!
messju
Re: [OT really Amavis Q] how to solve errors after upgrade
You should upgrade your MIME::Parser as well. You are probably using a very old one, which does not support max_parts as stated in the error log!

/Micke

Leon Kolchinsky wrote:
> Example of maillog errors:
> Nov 22 14:25:39 mail postfix/smtp[15132]: 23CBE1CA24: to= [EMAIL PROTECTED] , orig_to= [EMAIL PROTECTED], relay=127.0.0.1[127.0.0.1], delay=25, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=15039-05, mime_decode-1 FAILED: Can't locate object method max_parts via package MIME::Parser at /usr/sbin/amavisd line 5933. (in reply to end of DATA command))
> Nov 22 14:28:14 mail postfix/smtp[15215]: AC330192F3: to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=127.0.0.1[127.0.0.1], delay=0, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=15038-09, mime_decode-1 FAILED: Can't locate object method max_parts via package MIME::Parser at /usr/sbin/amavisd line 5933. (in reply to end of DATA command))
>
> So, meanwhile I got the old SA and amavis back, but I wish I could use the newest versions.
> What may be causing these errors and how to solve this?
>
> Best Regards,
> Leon Kolchinsky
Re: how to solve errors after upgrade
On Wed, Nov 22, 2006 at 05:33:39PM +0200, Leon Kolchinsky wrote:
> Nov 22 14:25:39 mail postfix/smtp[15132]: 23CBE1CA24: to= [EMAIL PROTECTED] , orig_to= [EMAIL PROTECTED], relay=127.0.0.1[127.0.0.1], delay=25, status=deferred (host 127.0.0.1[127.0.0.1] said: 451 4.5.0 Error in processing, id=15039-05, mime_decode-1 FAILED: Can't locate object method max_parts via package MIME::Parser at /usr/sbin/amavisd line 5933. (in reply to end of DATA command))
>
> What may be causing these errors and how to solve this?

You'll want to talk to the amavis folks, since those errors aren't coming from SA.

--
Randomly Selected Tagline:
There is hopeful symbolism in the fact that flags do not wave in a vacuum. - Arthur C. Clarke
Re: Braindeath in the Navy
It never fails to amaze me how many mail server admins ask for ways to break the RFC's in the interest of security. I do tech support on mail servers, and get requests to configure our server for this kind of thing weekly. . .

jay

Philip Prindeville wrote:
> Well, I tried to contact some people responsible for the servers below that what they were doing was broken, including citing chapter and verse where in RFC 2822 the syntax of the Received: lines was spec'd out:
>
> Received: from Gate2-sandiego.nmci.navy.mil (gate2-sandiego.nmci.navy.mil [138.163.0.42]) by mail.redfish-solutions.com (8.13.8/8.13.7) with ESMTP id kAGNLZHp020689 for [EMAIL PROTECTED]; Thu, 16 Nov 2006 16:21:40 -0700
> Received: from nawesdnims03.nmci.navy.mil by Gate2-sandiego.nmci.navy.mil via smtpd (for mail.redfish-solutions.com [71.36.29.88]) with ESMTP; Thu, 16 Nov 2006 23:21:40 +
> Received: (private information removed)
> Received: (private information removed)
> Received: (private information removed)
> Received: (private information removed)
> Received: (private information removed)
>
> and which fields it requires (like the semi-colon followed by the timestamp coming after a comment field) [cf: RFC 2822, section 3.6.7:
>
> received = "Received:" name-val-list ";" date-time CRLF
> name-val-list = [CFWS] [name-val-pair *(CFWS name-val-pair)]
>
> including the definition of CFWS in 3.2.3.]
>
> It just boggles my mind why anyone would go through that much trouble to deliberately damage a header line, rather than just delete it. Well, maybe they'll get a whiff of the errs of their ways in the Hall of Spam Shame...
>
> -Philip
Re: Sudden drop in spam-rate, parallel to a surge of new trojans - beware
Chris wrote:
> On Tuesday 21 November 2006 6:47 pm, Chr. v. Stuckrad wrote:
> > Hi! Yesterday we had a sudden drop in spam-percentage from 80% to near 60%. Parallel to it I got six copies of an undetectable (by NAI and ClamAV) new trojan 'exe' in the Mail. Do we have to prepare for a new flood by an updated (just now reorganizing) botnet?
> > Stucki
>
> Yes, I did see a drop in yesterday's spam load:
> Total: 255 reports in 16m 54s. 3.97 seconds per report. Mon Nov 20 21:01:17 CST 2006
> compared with Sunday's:
> Total: 434 reports in 30m 34s. 4.22 seconds per report. Sun Nov 19 20:03:19 CST 2006
> But today's was a killer!:
> Total: 580 reports in 39m 28s. 4.08 seconds per report. Tue Nov 21 22:08:56 CST 2006

Sorry to be OT, but are these spam stats a built in feature of SA, or have you got a plugin to get this information?

Thanks!
--
Andrew Hearn
Re: Braindeath in the Navy
Yep, a problem I continually get is that people want to make email into something that it is not. It's not a credit card or an ATM card or Driver's license or a Visa or etc.

Joe

jay plesset wrote:
> It never fails to amaze me how many mail server admins ask for ways to break the RFC's in the interest of security. I do tech support on mail servers, and get requests to configure our server for this kind of thing weekly. . .
>
> jay
A false positive...
An ebay watched item email has been wrongly tagged as spam... with the following rules:
--
2.2 INVALID_DATE Invalid Date: header (not RFC 2822)
0.8 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
0.1 TW_SJ BODY: Odd Letter Triples with SJ
0.0 HTML_MESSAGE BODY: HTML included in message
3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99% [score: 0.9887]
0.2 HTML_TITLE_EMPTY BODY: HTML title contains no text
-0.0 SARE_LEGIT_EBAY Has signs it's from ebay, from, headers, uri
-1.1 AWL AWL: From: address is in the auto white-list
--
The (sanitised) headers read:
--
Subject:...
From:eBay [EMAIL PROTECTED]
Date:Wed, 22 Nov 2006 09:03:16 GMT-07:00
To:...
Return-Path:[EMAIL PROTECTED]
X-Original-To:...
Delivered-To:...
Received:from mx9.smf.ebay.com (mxsmfpool05.ebay.com [66.135.209.202]) by ... (Postfix) with ESMTP id 06C81D8C24 for ...; Wed, 22 Nov 2006 16:04:00 + (GMT)
Received:from sjc2bat08.sjc.ebay.com (sjc2bat08.sjc.ebay.com [10.11.37.18]) by mx9.smf.ebay.com (8.13.5/8.13.5) with ESMTP id kAMG3oaM009188 for ...; Wed, 22 Nov 2006 09:03:58 -0700
X-eBay-MailTracker:10089.487.3.0
MIME-Version:1.0
Content-Type:multipart/alternative; boundary=7101714.1164211396002.JavaMail.ebba.sjc2bat08
Message-ID:[EMAIL PROTECTED]
--
While I understand why this email may have triggered the Bayesian rule (where spammers have copied ebay's email style...) I am bemused by INVALID_DATE and DATE_IN_PAST_06_12. The dates I see in the header look valid to me - and (if we allow for international time differences) the message was sent two seconds before it was received.

Am I overlooking something here? Why doesn't SpamAssassin like these dates?

Steve
Re: A false positive...
On Wed, Nov 22, 2006 at 04:20:29PM +, Steve [Spamassasin] wrote:
> Date:Wed, 22 Nov 2006 09:03:16 GMT-07:00
>
> Am I overlooking something here? Why doesn't SpamAssassin like these dates?

That's not a valid date header, the TZ is invalid.

--
Randomly Selected Tagline:
... and we still have yet to create a neural computer with the sophistication of a garden slug ... - Prof. Michaelson
Re: Using SpamAssassin variables
John W Mickevich wrote:
> Hello all!
> ...
> I would like to know how to use a variable within SpamAssassin. For example, how would I "capture" the last name of the From header field for use in comparisons elsewhere? Here is a sample:
>
> From: Molly Owens [EMAIL PROTECTED]
> Subject: Me again Owens
>
> I am sure a lot of folks have been seeing this spam coming thru lately. I would like to check if the last name in From (Owens) shows up in the Subject header. There may or may not be a better way to catch this specific example, but being able to define a variable and use it elsewhere would be great. I have to assume that SpamAssassin allows for this, but I just can't seem to figure out how to do it. I have seen mention of eval and $1, $2, etc, and assume they have something to do with defining or using a variable, but I can find no specifics on how to use them.

SpamAssassin only supports captured variables within a single rule. This means that you have to write a single rule that matches over all headers. This is not very efficient or easy to write and usually it is better to look for spam signs to trigger on. If you were running a recent version of SA kept up to date with sa-update and SARE rules you would see this message hitting on a lot more rules.

Tom Brown posted this header rule to the sare-users list yesterday that tries to do what you are talking about:

ALL =~ m/(?:^|\n)From: \S+ (\S+?)(?: |).*\nSubject:.*\1\n/s

> Also, I am curious if using variables has a significant impact on performance.

Yes, using variables does impact performance. In particular, the type of rules you often need to make use of variables, matching over long areas of text, are inefficient as well.

It would be interesting if SA added the ability to capture a variable in one rule and match against it in another. It would certainly have a negative impact on performance at least for the rules that used it. And someone would have to write the code to implement it. Could allow for some pretty nifty rules though.
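The single-rule-over-ALL approach from this thread, rendered in Python as an added example (not SpamAssassin's or Tom Brown's code), beside a version that parses the headers properly instead of one big regex. The '<' terminating the From: display name is an assumption, since the list archive dropped that character from the posted rule; the sample headers are constructed for the example.

```python
"""Cross-header 'last name from From: reappears in Subject:' check."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header blocks modelled on the thread's example (not real mail).
SPAM_HEADERS = (
    "Return-Path: <bounce@example.invalid>\n"
    "From: Molly Owens <molly@example.invalid>\n"
    "To: user@example.invalid\n"
    "Subject: Me again Owens\n"
    "\n")
HAM_HEADERS = (
    "Return-Path: <rsmith@example.invalid>\n"
    "From: Richard Smith <rsmith@example.invalid>\n"
    "To: user@example.invalid\n"
    "Subject: Re: Tuesday meeting notes\n"
    "\n")

# One pattern over the whole header block, as the posted ALL rule does:
# capture the last word of the From: display name (terminated by a space or,
# assumed here, the '<' of the address) and require it again in Subject:.
# The back-reference only works because capture and use sit in one rule,
# which is the limitation the thread describes.
CROSS_HEADER_RE = re.compile(
    r"(?:^|\n)From: \S+ (\S+?)(?: |<).*\nSubject:.*\1\n", re.S)


def cross_header_hit(raw_headers):
    """Return the captured surname when the single-pass rule matches, else None."""
    m = CROSS_HEADER_RE.search(raw_headers)
    return m.group(1) if m else None


def last_name_in_subject(raw_headers):
    """Same check done with real header parsing: take the last word of the
    From: display name and look for it in Subject: as a whole word,
    case-insensitively. Returns False when either header is missing."""
    msg = message_from_string(raw_headers)
    display_name, _addr = parseaddr(msg.get("From", ""))
    words = display_name.split()
    subject = msg.get("Subject", "")
    if not words or not subject:
        return False
    surname = re.escape(words[-1])
    return re.search(rf"\b{surname}\b", subject, re.I) is not None


if __name__ == "__main__":
    print(cross_header_hit(SPAM_HEADERS))      # Owens
    print(cross_header_hit(HAM_HEADERS))       # None
    print(last_name_in_subject(SPAM_HEADERS))  # True
    print(last_name_in_subject(HAM_HEADERS))   # False
```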
RE: A false positive...
> From: Steve [Spamassasin] [mailto:[EMAIL PROTECTED]
> Date:Wed, 22 Nov 2006 09:03:16 GMT-07:00

Should be -0700 not GMT-07:00. This may also trigger DATE_IN_PAST_06_12, since probably SA's date parsing module simply discards the zone offset data.

giampaolo

> To:...
> Return-Path:[EMAIL PROTECTED]
> X-Original-To:...
> Delivered-To:...
> Received:from mx9.smf.ebay.com (mxsmfpool05.ebay.com [66.135.209.202]) by ... (Postfix) with ESMTP id 06C81D8C24 for ...; Wed, 22 Nov 2006 16:04:00 + (GMT)
> Received:from sjc2bat08.sjc.ebay.com (sjc2bat08.sjc.ebay.com [10.11.37.18]) by mx9.smf.ebay.com (8.13.5/8.13.5) with ESMTP id kAMG3oaM009188 for ...; Wed, 22 Nov 2006 09:03:58 -0700
> X-eBay-MailTracker:10089.487.3.0
> MIME-Version:1.0
> Content-Type:multipart/alternative; boundary=7101714.1164211396002.JavaMail.ebba.sjc2bat08
> Message-ID:[EMAIL PROTECTED]
> --
> While I understand why this email may have triggered the Bayesian rule (where spammers have copied ebay's email style...) I am bemused by INVALID_DATE and DATE_IN_PAST_06_12. The dates I see in the header look valid to me - and (if we allow for international time differences) the message was sent two seconds before it was received.
>
> Am I overlooking something here? Why doesn't SpamAssassin like these dates?
>
> Steve
Re: A false positive...
On Wed, 22 Nov 2006, Steve [Spamassasin] wrote:
> 2.2 INVALID_DATE Invalid Date: header (not RFC 2822)
> 0.8 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
>
> Date:Wed, 22 Nov 2006 09:03:16 GMT-07:00
>
> Received:from sjc2bat08.sjc.ebay.com (sjc2bat08.sjc.ebay.com [10.11.37.18]) by mx9.smf.ebay.com (8.13.5/8.13.5) with ESMTP id kAMG3oaM009188 for ...; Wed, 22 Nov 2006 09:03:58 -0700
>
> The dates I see in the header look valid to me - and (if we allow for international time differences) the message was sent two seconds before it was received.

The Date: header above is malformed, so SpamAssassin can't extract the timezone offset.

Tony.
--
f.a.n.finch [EMAIL PROTECTED] http://dotat.at/
Re: A false positive...
Steve [Spamassasin] writes:
> An ebay watched item email has been wrongly tagged as spam... with the following rules:
> --
> 2.2 INVALID_DATE Invalid Date: header (not RFC 2822)
> 0.8 DATE_IN_PAST_06_12 Date: is 6 to 12 hours before Received: date
> 0.1 TW_SJ BODY: Odd Letter Triples with SJ
> 0.0 HTML_MESSAGE BODY: HTML included in message
> 3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99% [score: 0.9887]
> 0.2 HTML_TITLE_EMPTY BODY: HTML title contains no text
> -0.0 SARE_LEGIT_EBAY Has signs it's from ebay, from, headers, uri
> -1.1 AWL AWL: From: address is in the auto white-list
> --
> The (sanitised) headers read:
> --
> Subject:...
> From:eBay [EMAIL PROTECTED]
> Date:Wed, 22 Nov 2006 09:03:16 GMT-07:00
>
> While I understand why this email may have triggered the Bayesian rule (where spammers have copied ebay's email style...) I am bemused by INVALID_DATE and DATE_IN_PAST_06_12. The dates I see in the header look valid to me - and (if we allow for international time differences) the message was sent two seconds before it was received.
>
> Am I overlooking something here? Why doesn't SpamAssassin like these dates?

they're malformed, missing spaces. this is what an RFC-compliant date looks like:

Date: Wed, 22 Nov 2006 16:20:29 +

this is what the ebay.co.uk date looks like, according to yr mail:

Date:Wed, 22 Nov 2006 09:03:16 GMT-07:00

note: missing spaces; extra : in the TZ offset; and the TZ name. all are non-rfc-compliant.

--j.
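An added example for this thread (not SpamAssassin's own date parser): a strict RFC 2822 date-time check that rejects the eBay Date: header and accepts the corrected -0700 form, then compares each against the inner Received: stamp from the posted headers. The fallback that throws away an unreadable zone models giampaolo's explanation of why DATE_IN_PAST_06_12 fires alongside INVALID_DATE; the 6-to-12-hour window is taken from the rule description in Steve's report, not from SpamAssassin's code.

```python
"""Strict RFC 2822 Date: validation and Date-vs-Received comparison."""
import re
from datetime import datetime, timedelta, timezone

_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# RFC 2822 section 3.3 date-time without the obsolete forms: optional
# day-of-week, "day month year", HH:MM[:SS], then a numeric zone +HHMM/-HHMM.
# A trailing comment such as "(GMT)" is tolerated. "GMT-07:00" cannot match:
# the zone must start with '+' or '-' and must not contain ':'.
_STRICT_RE = re.compile(
    r"^(?:(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+)?"
    r"(\d{1,2})\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(\d{4})\s+"
    r"(\d{2}):(\d{2})(?::(\d{2}))?\s+"
    r"([+-])(\d{2})(\d{2})"
    r"(?:\s+\([^()]*\))?$")

# Lenient fallback: wall-clock part only, zone ignored. This models a parser
# that cannot read the zone and therefore treats the time as UTC.
_LENIENT_RE = re.compile(
    r"(\d{1,2})\s+(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(\d{4})\s+"
    r"(\d{2}):(\d{2})(?::(\d{2}))?")


def parse_rfc2822_date(value):
    """Aware datetime for a well-formed RFC 2822 date-time, else None."""
    m = _STRICT_RE.match(value.strip())
    if not m:
        return None
    day, mon, year, hh, mm, ss, sign, zh, zm = m.groups()
    offset = timedelta(hours=int(zh), minutes=int(zm))
    if sign == "-":
        offset = -offset
    try:
        return datetime(int(year), _MONTHS[mon], int(day), int(hh), int(mm),
                        int(ss or 0), tzinfo=timezone(offset))
    except ValueError:  # 31 Feb, 25:00 and the like are syntactically fine but invalid
        return None


def wallclock_as_utc(value):
    """Lenient read of the date with its zone thrown away (treated as UTC)."""
    m = _LENIENT_RE.search(value)
    if not m:
        return None
    day, mon, year, hh, mm, ss = m.groups()
    try:
        return datetime(int(year), _MONTHS[mon], int(day), int(hh), int(mm),
                        int(ss or 0), tzinfo=timezone.utc)
    except ValueError:
        return None


def received_time(received_header):
    """RFC 2822 section 3.6.7: a Received: field ends with ';' date-time."""
    _, sep, stamp = received_header.rpartition(";")
    return parse_rfc2822_date(stamp) if sep else None


def date_rule_hits(date_header, received_header):
    """Names of the two date rules from Steve's report that would fire."""
    hits = []
    when = parse_rfc2822_date(date_header)
    if when is None:
        hits.append("INVALID_DATE")
        when = wallclock_as_utc(date_header)  # offset lost, as the thread suspects
    recv = received_time(received_header)
    if when is not None and recv is not None:
        hours_back = (recv - when).total_seconds() / 3600
        if 6 <= hours_back < 12:
            hits.append("DATE_IN_PAST_06_12")
    return hits


# Header values as quoted in the thread (the recipient was sanitised there).
EBAY_DATE = "Wed, 22 Nov 2006 09:03:16 GMT-07:00"
FIXED_DATE = "Wed, 22 Nov 2006 09:03:16 -0700"
EBAY_RECEIVED = ("from sjc2bat08.sjc.ebay.com (sjc2bat08.sjc.ebay.com [10.11.37.18]) "
                 "by mx9.smf.ebay.com (8.13.5/8.13.5) with ESMTP id kAMG3oaM009188 "
                 "for ...; Wed, 22 Nov 2006 09:03:58 -0700")

if __name__ == "__main__":
    print(date_rule_hits(EBAY_DATE, EBAY_RECEIVED))   # ['INVALID_DATE', 'DATE_IN_PAST_06_12']
    print(date_rule_hits(FIXED_DATE, EBAY_RECEIVED))  # []
```

With the zone read correctly the message is 42 seconds older than the Received: stamp; with the zone dropped the same wall-clock time lands 7 hours in the past, which is exactly the 6-to-12-hour bucket.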
FP on TVD_FW_GRAPHIC_ID1
I've got a FP on the TVD_FW_GRAPHIC_ID1 rule. It is a message with a single in line image from Outlook Express. I can't post the whole message, here are what I hope are the relevant parts:

X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962

--=_NextPart_001_006F_01C70E1B.A5CE8730
Content-Type: text/html; charset=Windows-1252
Content-Transfer-Encoding: quoted-printable

!DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN HTMLHEAD META http-equiv=3DContent-Type content=3Dtext/html; = charset=3Dwindows-1252 META content=3DMSHTML 6.00.5730.11 name=3DGENERATOR STYLE/STYLE /HEAD BODY bgColor=3D#ff DIVtestIMG alt=3D hspace=3D0 = src=3Dcid:006d01c70e4d$f0641530$3c038c0a@Office=20 align=3Dbaseline border=3D0/DIV/BODY/HTML

--=_NextPart_000_006E_01C70E1B.A5CE8730
Content-Type: image/jpeg; name=MountainRoad.jpg
Content-Transfer-Encoding: base64
Content-ID: [EMAIL PROTECTED]
Re: Greylisting
Don't they? I thought the recommended retry time was 2 minutes, doubling on each failure, and maxing out at 2 hours. That's what sendmail does (unless its retry time has been explicitly set to more than 2 hours, of course).

-Philip

Richard Frovarp wrote:
> I don't think the RFCs specify any time limit. Most timeout after 5 days of trying.
>
> We run 3 equivalent scanning machines, which requires us to run a greylisting that will sync between them. That could cause a large delay, if the sending machine tries to send to a different host that isn't synced. Messages that aren't sent from the same machine (SMTP farms like at GMail) can cause trouble as well, since the IP will change. The whitelist usually will timeout after a period of time, so there is a delay that may be induced again in the future, but that depends on setup.
>
> If a sensitive piece of mail needs to get through, it may be possible for the user to send the message again after the delay period has elapsed. This would be a new message, but if it leaves the same IP, with the same from and to pair (or however your greylisting works), it would fire right on through the greylist no problem. Not a perfect solution, but should work for rare occasions. One probably can whitelist recipients or recipient domains so that they are not affected by greylisting.
>
> Last week greylisting stopped 1.3 million messages, which is after the blacklists and greet pause did their significant work.
>
> Richard
Re: user_prefs not used
Hi Loren!

On Tue, 21 Nov 2006, Loren Wilton wrote:
> Did you restart spamd after changing any options?

Yes. It made no difference.

Regards,
Chris
--
Chris Willard [EMAIL PROTECTED]
The four food groups: Fast, Frozen, Instant and Chocolate.
Re: user_prefs not used
Hi Wes!

On Tue, 21 Nov 2006, twofers wrote:
> Are you saying that you have separate rules in user_prefs and those rules are not being processed? or are you talking about just configuration lines in user_prefs like use_bayes 1?

Yes - it does not process the separate rules that are in user_prefs.

Regards,
Chris
--
Chris Willard [EMAIL PROTECTED]
What was the best thing BEFORE sliced bread?
Re: user_prefs not used
Have you run spamassassin -D --lint to check for syntax, etc. errors?

Wes

Chris Willard [EMAIL PROTECTED] wrote:
> Hi Wes!
>
> On Tue, 21 Nov 2006, twofers wrote:
> > Are you saying that you have separate rules in user_prefs and those rules are not being processed? or are you talking about just configuration lines in user_prefs like use_bayes 1?
>
> Yes - it does not process the separate rules that are in user_prefs.
>
> Regards,
> Chris
> --
> Chris Willard
> What was the best thing BEFORE sliced bread?
Re: Sudden drop in spam-rate, parallel to a surge of new trojans - beware
On Wednesday 22 November 2006 9:54 am, Andrew Hearn (AAISP) wrote:
> Chris wrote:
> > Total: 580 reports in 39m 28s. 4.08 seconds per report. Tue Nov 21 22:08:56 CST 2006
>
> Sorry to be OT, but are these spam stats a built in feature of SA, or have you got a plugin to get this information?
>
> Thanks!

Neither actually, they are gotten from running scripts called monthly-asn-report and monthly-cidr-report. These two scripts work from my NANAS report logs, which are generated by a series of scripts called SpamTools by Karsten Self. These and other useful scripts can be downloaded here: http://linuxmafia.com/~karsten/Download/

If you do download and decide to run this give me a yell if you have any problems.

--
Chris
RE: Is my Bayes DB borked?
Good thought. The backup has slowly drained (while I was involved in solving a major firewall problem - god I love being an SA in a medium-sized firm), so I can't check it at this moment, but if it happens again, I'll have something to start with.

Kurt

| -----Original Message-----
| From: Bowie Bailey [mailto:[EMAIL PROTECTED]
| Sent: Wednesday, November 22, 2006 06:09
| To: 'users@spamassassin.apache.org'
| Subject: RE: Is my Bayes DB borked?
|
| Kurt Buff wrote:
| | Nope - it's not that.
| |
| | Looking through my syslog more closely reveals that I'm getting 'SA
| | TIMED OUT' messages all over the place, and referring to rules as
| | well as Bayes. So, I'm just as confused as ever, and don't know
| | what's going on.
| |
| | More analysis needed, I suppose, but I'm not sure where to start.
|
| Check your memory usage. If you fill up available memory with your
| Amavis/SA processes and the system starts swapping everything
| will get slow.
| That could explain all of the timeout messages.
|
| --
| Bowie
backscatter from a joejob is killing me
I've been receiving tons of supposed bounces from Peru saying I've sent messages to non-existent addresses using a [EMAIL PROTECTED] address. One such bounce is below:

Return-Path:
Received: from pop.earthlink.net [209.86.93.201] by localhost with POP3 (fetchmail-6.2.5) for [EMAIL PROTECTED] (single-drop); Wed, 22 Nov 2006 03:44:55 -0600 (CST)
Received: from barracuda.americatv.com.pe ([200.60.156.44]) by mx-nebolish.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1gMOEB4tQ3Nl3490 for [EMAIL PROTECTED]; Wed, 22 Nov 2006 04:44:29 -0500 (EST)
MIME-Version: 1.0
From: MAILER-DAEMON
Message-Id: [EMAIL PROTECTED]
Subject: **Message you sent blocked by our bulk email filter**
Content-Type: multipart/report; report-type=delivery-status; charset=utf-8; boundary=--=_1164188668-21286-133
To: [EMAIL PROTECTED]
Date: Wed, 22 Nov 2006 04:44:28 -0500 (PET)
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=001;
X-SenderIP: 200.60.156.44
X-ASN: ASN-6147
X-CIDR: 200.60.128.0/19

Your message to: [EMAIL PROTECTED] was blocked by our Spam Firewall.
The email you sent with the following subject has NOT BEEN DELIVERED:
Subject: Manual de Comercio Exterior para empresarios Exportadores - Publicidad

Reporting-MTA: dns; barracuda.americatv.com.pe
Received-From-MTA: smtp; barracuda.americatv.com.pe ([127.0.0.1])
Arrival-Date: Wed, 22 Nov 2006 04:44:27 -0500 (PET)
Content-Type:
X-UID: 80197
Final-Recipient: rfc822; [EMAIL PROTECTED]
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=21286-02-6
Last-Attempt-Date: Wed, 22 Nov 2006 04:44:28 -0500 (PET)

Received: from ROSITAS (unknown [201.240.82.234]) by barracuda.americatv.com.pe (Spam Firewall) with SMTP id 53F60AC0B for [EMAIL PROTECTED]; Wed, 22 Nov 2006 04:44:25 -0500 (PET)
Message-ID: [EMAIL PROTECTED]
Reply-To: =?windows-1251?B?RXhwb3J0YSBQZXJ1IElQSg==?= [EMAIL PROTECTED]
From: =?windows-1251?B?RXhwb3J0YSBQZXJ1IElQSg==?= [EMAIL PROTECTED]
Subject: =?windows-1251?B?TWFudWFsIGRlIENvbWVyY2lvIEV4dGVyaW9yIHBhcmEgZW1wcmVzYXJpb3MgRXhwb3J0YWRvcmVzIC0gUHVibGljaWRhZA==?=
Date: Wed, 22 Nov 2006 04:43:26 -0500
MIME-Version: 1.0
Content-Type: text/html; charset=windows-1251
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081

I've gotten about 500 of these today and it's getting to be hell weeding through them to pull out my LARTs, which are also bouncing. Any ideas/suggestions are wholeheartedly welcome.

Chris
--
Chris
Re: FP because of HELO_DYNAMIC_IPADDR
messju mohr wrote:
| Hello,
|
| mails from our host 80.237.202.55 (ds80-237-202-55.dedicated.hosteurope.de)
| are tagged as HELO_DYNAMIC_IPADDR. Said IP is not dynamic, it's a
| dedicated server hosted at german ISP (Host Europe GmbH).
|
| How can we get our host removed from the list of DYNAMIC_IPS?

Change the PTR record. In this case, the rule isn't a blacklist, it's simply looking at the hostname. To the rule, it looks like a typical name associated with a dynamic-ip'ed DSL host..
Re: FP because of HELO_DYNAMIC_IPADDR
| messju mohr wrote:
| | Hello,
| |
| | mails from our host 80.237.202.55 (ds80-237-202-55.dedicated.hosteurope.de)
| | are tagged as HELO_DYNAMIC_IPADDR. Said IP is not dynamic, it's a
| | dedicated server hosted at german ISP (Host Europe GmbH).
| |
| | How can we get our host removed from the list of DYNAMIC_IPS?
|
| Change the PTR record. In this case, the rule isn't a blacklist, it's
| simply looking at the hostname. To the rule, it looks like a typical
| name associated with a dynamic-ip'ed DSL host..

In Messju's defense, why should he have to change anything? Our rules are tagging a FP, and it should be upon us to fix it. The above attitude is similar to SpamCop and other RBLs which don't admit that they have a problem tagging valid mail.

Brian
Re: backscatter from a joejob is killing me
On Wed, 2006-11-22 at 19:34 -0600, Chris wrote:
| I've been receiving tons of supposed bounces from Peru saying I've sent
| messages to non-existent addresses using a [EMAIL PROTECTED] address.
| One such bounce is below:
|
| [...]
|
| I've gotten about 500 of these today and it's getting to be hell weeding
| through them to pull out my LARTs, which are also bouncing. Any
| ideas/suggestions are wholeheartedly welcome.

From the stats on my server earthlink.net is a top forged domain. So many of my users simply want earthlink.net blacklisted, but I can't do that. They could use SPF, but apparently that didn't work for them.

Unfortunately such bounces are creating problems for my servers too, which send these NDRs to innocent email ids from earthlink.

I had been reading about BATV, but didn't quite get time to really go through the docs:
http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

Anyone using BATV already?
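As an added example (not from any poster in this thread), here is a simplified BATV-style prvs tagging and bounce check in Python, following the scheme the Wikipedia page above describes: outgoing MAIL FROM is rewritten to a tagged address, and a bounce arriving for an untagged, expired or badly signed address cannot be a reply to anything this server sent, which is exactly the joe-job backscatter the thread is about. The key, lifetime, addresses and dates are constructed for the example.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed demo key; a real MTA keeps this secret and rotates it by key id.
KEYS = {0: b"constructed-demo-key"}
PRVS_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<core>.+)$", re.I)

def _days(d):
    """Days since 1970-01-01; BATV encodes only the low three digits."""
    return (d - date(1970, 1, 1)).days

def _sig(key, ddd, address):
    """First six hex digits of HMAC-SHA1 over the expiry digits and the original address."""
    mac = hmac.new(key, f"{ddd:03d}{address}".encode(), hashlib.sha1)
    return mac.hexdigest()[:6]

def batv_sign(address, today, lifetime_days=7, key_id=0):
    """Rewrite the envelope sender (MAIL FROM) as prvs=KDDDSSSSSS=user@domain."""
    local, domain = address.rsplit("@", 1)
    ddd = (_days(today) + lifetime_days) % 1000
    return f"prvs={key_id}{ddd:03d}{_sig(KEYS[key_id], ddd, address)}={local}@{domain}"

def batv_check(rcpt, today):
    """Classify the recipient of a bounce: valid, expired, bad-signature or untagged."""
    local, domain = rcpt.rsplit("@", 1)
    m = PRVS_RE.match(local)
    if not m:
        return "untagged"          # never tagged by us, so not a reply to our mail
    key = KEYS.get(int(m["k"]))
    if key is None:
        return "bad-signature"     # unknown key id: cannot have been signed by us
    ddd = int(m["ddd"])
    original = f"{m['core']}@{domain}"
    if not hmac.compare_digest(_sig(key, ddd, original), m["sig"].lower()):
        return "bad-signature"
    # Expiry arithmetic is modulo 1000 days; a tag 'far in the future' has wrapped past expiry.
    remaining = (ddd - _days(today) % 1000) % 1000
    return "valid" if remaining <= 365 else "expired"

def accept_bounce(rcpt, today):
    """Policy for null-sender (MAIL FROM:<>) mail: only a valid tag is a real bounce."""
    return batv_check(rcpt, today) == "valid"
```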
Re: Greylisting
Philip Prindeville wrote:
| Don't they? I thought the recommended retry time was 2 minutes, doubling
| on each failure, and maxing out at 2 hours.

The traditional Sendmail would retry either every 15 or every 30 minutes. This would almost always be seen as the command line setting as sendmail -q30m. But this may have changed in recent Sendmail releases. I just checked a stock RHEL4 system and the queue retry time by default there is 1h. So from such a system a greylisting would delay the initial message by 1h. Subsequent messages would pass without delay.

Bob
Re: FP because of HELO_DYNAMIC_IPADDR
wrote:
| messju mohr wrote:
| | mails from our host 80.237.202.55 (ds80-237-202-55.dedicated.hosteurope.de)
| | are tagged as HELO_DYNAMIC_IPADDR. Said IP is not dynamic, it's a
| | dedicated server hosted at german ISP (Host Europe GmbH).
| |
| | How can we get our host removed from the list of DYNAMIC_IPS?
|
| | Change the PTR record. In this case, the rule isn't a blacklist, it's
| | simply looking at the hostname. To the rule, it looks like a typical
| | name associated with a dynamic-ip'ed DSL host..
|
| In Messju's defense, why should he have to change anything? Our rules
| are tagging a FP, and it should be upon us to fix it. The above attitude
| is similar to SpamCop and other RBLs which don't admit that they have a
| problem tagging valid mail.

But in this case it is an example of poor form for the forward and reverse dns not to match. If you are running a mail server this is one of the things that should be set up properly for it. When that is fixed then the rule won't trigger on it as a side-effect of doing the right thing. And unless I am mistaken this change has already been made.

host 80.237.202.55
55.202.237.80.in-addr.arpa domain name pointer flyerheaven.de.

host flyerheaven.de
flyerheaven.de has address 80.237.202.55

That looks much better!

Bob
Re: backscatter from a joejob is killing me
Mick Pollard wrote:
| On Wed, 2006-11-22 at 19:34 -0600, Chris wrote:
| | I've gotten about 500 of these today and its getting to be hell weeding
| | through them to pull out my LARTs which are also bouncing. Any
| | ideas/suggestions are whole heartedly welcome.
|
| This may be useful. I haven't had a proper look but it is on my ( long )
| todo list.
|
| http://www.postfix.org/BACKSCATTER_README.html

I am using the techniques described there and it really does help.

Bob