RE: optional score in local.cf is not working

2006-11-29 Thread Leon Kolchinsky
Hi,

I thought I was wrong and amavis restart didn't really help there, but 
there is an update for this problem I had with configuration in local.cf not 
catching.

It seems that only when I do /etc/init.d/amavis restart, all configs in 
local.cf are coming intact.

I was used to an old version of amavis and SA on Suse, where you would only do 
changes to local.cf and spamd restart.

1) So, my question is - Is this a normal behavior? 
2) For every change in local.cf should I do now only amavis restart and no 
spamd restart?



Regards,
Leon

-Original Message-
From: Mark Martinec [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 26, 2006 10:54 PM
To: users@spamassassin.apache.org
Subject: Re: optional score in local.cf is not working

On Sunday November 26 2006 20:25, Matt Kettler wrote:
  Erm.. are you sure? I thought amavisd-new called SA directly at the API
  layer, not via spamd...
 I didn't even realize amavis *could* use spamd, every amavis person I've
 talked to on the list isn't using it.

amavisd-new can't call spamd, there is no configuration option to do so,
and no code to support it.

spamc/spamd could be used (if desired/needed) by implementing the usual SA 
standalone setup, and disabling spam checking in amavisd.

  Mark


Re: optional score in local.cf is not working

2006-11-29 Thread Nigel Frankcom
On Wed, 29 Nov 2006 10:10:58 +0200, Leon Kolchinsky
[EMAIL PROTECTED] wrote:

Hi,

I thought I was wrong and amavis restart didn't really help there, but 
there is an update for this problem I had with configuration in local.cf not 
catching.

It seems that only when I do /etc/init.d/amavis restart, all configs in 
local.cf are coming intact.

I was used to an old version of amavis and SA on Suse, where you would only do 
changes to local.cf and spamd restart.

1) So, my question is - Is this a normal behavior? 
2) For every change in local.cf should I do now only amavis restart and no 
spamd restart?



Regards,
Leon

-Original Message-
From: Mark Martinec [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 26, 2006 10:54 PM
To: users@spamassassin.apache.org
Subject: Re: optional score in local.cf is not working

On Sunday November 26 2006 20:25, Matt Kettler wrote:
  Erm.. are you sure? I thought amavisd-new called SA directly at the API
  layer, not via spamd...
 I didn't even realize amavis *could* use spamd, every amavis person I've
 talked to on the list isn't using it.

amavisd-new can't call spamd, there is no configuration option to do so,
and no code to support it.

spamc/spamd could be used (if desired/needed) by implementing the usual SA 
standalone setup, and disabling spam checking in amavisd.

  Mark

As far as I am aware any setting changes in the local.cf need a
restart of spamd. Whether or not amavis does this for you I don't
know. I do recall someone recently mentioning that the Amavis doesn't
give enough time and/or wait for the return from spamd. Though this
may not be at all related to your issue.

For a simple test. Make a change and manually restart spamassassin,
then undo the change, restart just amavis and see if amavis picks it
up?

HTH

Kind regards

Nigel


Re: tagging based on score level

2006-11-29 Thread Craig Morrison

beast wrote:
Is it possible to make different tag for a different score/classes, for 
example:


high: [SPAM!!!]  if score > 50
medium: [SPAM!!]  if score between 20 - 50
low: [SPAM]  if score between threshold - 20

The reason is client filter or other redirection program (for example to 
be redirected/ quarantined for further inspection) can not parse the 
score directly.


perldoc Mail::SpamAssassin::Conf

Look for the TEMPLATE TAGS section, in particular the _STARS(*)_ tag.

--
Craig




Re: tagging based on score level

2006-11-29 Thread beast

Craig Morrison wrote:

beast wrote:
Is it possible to make different tag for a different score/classes, 
for example:


high: [SPAM!!!]  if score > 50
medium: [SPAM!!]  if score between 20 - 50
low: [SPAM]  if score between threshold - 20

The reason is client filter or other redirection program (for example 
to be redirected/ quarantined for further inspection) can not parse 
the score directly.


perldoc Mail::SpamAssassin::Conf

Look for the TEMPLATE TAGS section, in particular the _STARS(*)_ tag.

Almost, but not exactly what I want since it still has so many 
possibility (up to 50 stars).

I just want to use these 2 redirection (in postfix):

/^X-Spam-Level: Medium/  REDIRECT [EMAIL PROTECTED]
/^X-Spam-Level: High/  REDIRECT [EMAIL PROTECTED]



--beast



Re: Anyone else seeing this

2006-11-29 Thread Loren Wilton

Is anyone else seeing the below when sending a message to the list?


Yes.  Discussed a week or so ago when it seemingly first started happening.

   Loren



Re: tagging based on score level

2006-11-29 Thread Loren Wilton

high: [SPAM!!!]  if score > 50
medium: [SPAM!!]  if score between 20 - 50
low: [SPAM]  if score between threshold - 20


Look for the TEMPLATE TAGS section, in particular the _STARS(*)_ tag.

Almost, but not exactly what I want since it still has so many possibility 
(up to 50 stars).

I just want to use these 2 redirection (in postfix):

/^X-Spam-Level: Medium/  REDIRECT [EMAIL PROTECTED]
/^X-Spam-Level: High/  REDIRECT [EMAIL PROTECTED]


I'm not a postfix guru, but if it uses a regex that includes a specification 
of number of occurrences, couldn't you do something like


   stars /*{51,}/
: high

   stars /*{21,}/
: medium

: low

   Loren
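
Added example, not part of the original posts: one way to turn SpamAssassin's headers into the three tiers asked for in this thread, using the numeric score from X-Spam-Status and falling back to counting stars in X-Spam-Level. The function names, the sample messages and the choice to act on the highest score when several status headers are present are assumptions made for this sketch; the 50-star cap is taken from the "up to 50 stars" remark above.

```python
import re
from email import message_from_string

# Tier boundaries as given in the thread: high > 50, medium 20..50,
# low = required threshold..20.
HIGH, MEDIUM = 50.0, 20.0
STAR_CAP = 50  # the thread notes the star string tops out at 50 stars

_STATUS = re.compile(r"score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)")


def _status_scores(msg):
    """Return [(score, required), ...] from every X-Spam-Status header."""
    out = []
    for value in msg.get_all("X-Spam-Status", []):
        # Long headers are folded over several lines; unfold before matching.
        m = _STATUS.search(" ".join(str(value).split()))
        if m:
            out.append((float(m.group(1)), float(m.group(2))))
    return out


def spam_tier(raw_message, default_required=5.0):
    """Classify a message as 'high', 'medium', 'low' or 'none'."""
    # Header parsing stops at the first blank line, so header-looking
    # text inside the body is never consulted.
    msg = message_from_string(raw_message)
    scores = _status_scores(msg)
    if scores:
        # Assumption: with several status headers, act on the highest score
        # instead of trusting whichever header happens to come first.
        score, required = max(scores)
    else:
        levels = msg.get_all("X-Spam-Level", [])
        if not levels:
            return "none"
        stars = max(str(v).count("*") for v in levels)
        # One star per full point, capped: 50 stars means "50 or more",
        # so a star pattern asking for 51 or more can never match.
        score = HIGH + 1 if stars >= STAR_CAP else float(stars)
        required = default_required
    if score > HIGH:
        return "high"
    if score >= MEDIUM:
        return "medium"
    if score >= required:
        return "low"
    return "none"


def _sample(headers, body="Hi\n"):
    """Build a constructed test message from a list of header lines."""
    head = ["From: sender@example.com", "Subject: test"] + headers
    return "\n".join(head) + "\n\n" + body


# Constructed sample messages (not taken from real mail).
SAMPLES = {
    "below_threshold": _sample([
        "X-Spam-Level: **",
        "X-Spam-Status: No, score=2.6 required=5.0 tests=BAYES_50,HTML_MESSAGE,",
        "\tRCVD_IN_DSBL,SARE_GIF_ATTACH autolearn=no version=3.1.3"]),
    "low": _sample(["X-Spam-Status: Yes, score=6.5 required=5.0 tests=BAYES_95"]),
    "medium_folded": _sample([
        "X-Spam-Status: Yes,",
        "\tscore=27.4 required=5.0 tests=BAYES_99"]),
    "high": _sample(["X-Spam-Status: Yes, score=63.2 required=5.0 tests=BAYES_99"]),
    "stars_only_capped": _sample(["X-Spam-Level: " + "*" * 50]),
    "stars_only_low": _sample(["X-Spam-Level: *******"]),
    "duplicate_status": _sample([
        "X-Spam-Status: No, score=0.0 required=5.0 tests=none",
        "X-Spam-Status: Yes, score=61.0 required=5.0 tests=BAYES_99"]),
    "status_in_body_only": _sample(
        [], body="X-Spam-Status: Yes, score=99.0 required=5.0\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-22s %s" % (name, spam_tier(raw)))
```
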



Re: Updated to SA 3.1.3 to get sa-update... But:

2006-11-29 Thread Jeremy Fairbrass
Why does your rule not work? It looks good to me, if you're trying to detect 
a subject consisting of (for example): hi it's John or something. Can you 
give some exact samples of subject lines you're trying to flag?

If this string (hi it's ) is the only thing in those subject fields - 
nothing else at all - then it might be wise to anchor your regex to the 
start and end of the field using ^ and $ as follows:

header    HI_ITS_NAME   Subject =~ /^hi it's +[a-z]+$/i

...That way, you avoid potential false positives.

Cheers,
Jeremy




Simon [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
I was getting these spam emails with the subject Name wrote:, so
 someone suggested I update SA and run sa-update. Which I have and it's
 now solved that issue - nice.

 But now I'm getting subject hi it's Name, does someone have a custom
 ruleset for this spam please? I'm trying to write one myself with no
 luck:

 header    HI_ITS_NAME   Subject =~ /\bhi\sit's\s+[a-z]/i
 describe  HI_ITS_NAME   Hi It's Name in Subject
 score     HI_ITS_NAME   6.5
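
Added example, not part of the original posts: a small checker that parses the two rule variants from this thread and shows which subjects each one would push over a 5.0 threshold on its own, since the rule is scored 6.5. The subject lines are constructed, the function names are hypothetical, Jeremy's header line is paired here with Simon's describe/score lines, and Python's `re` stands in for Perl's regex engine (these two patterns behave the same in both).

```python
import re

# Right-hand side of a SpamAssassin header rule:  Header =~ /regex/flags
_HEADER = re.compile(r"^(\S+)\s*=~\s*/(.*)/([imsx]*)$")
_FLAGS = {"i": re.I, "m": re.M, "s": re.S, "x": re.X}

# Simon's rule as posted in the thread.
SIMON_RULES = r"""
header    HI_ITS_NAME   Subject =~ /\bhi\sit's\s+[a-z]/i
describe  HI_ITS_NAME   Hi It's Name in Subject
score     HI_ITS_NAME   6.5
"""

# Jeremy's anchored header line, combined with Simon's describe/score lines.
JEREMY_RULES = r"""
header    HI_ITS_NAME   Subject =~ /^hi it's +[a-z]+$/i
describe  HI_ITS_NAME   Hi It's Name in Subject
score     HI_ITS_NAME   6.5
"""

# Constructed subject lines: two spam-like, three legitimate near misses,
# one unrelated.
SUBJECTS = [
    "hi it's John",
    "Hi it's Maria",
    "Re: hi it's been ages, lunch on Friday?",
    "Oh hi it's snowing in Oslo again",
    "hi it's Anna, call me when you land",
    "Quarterly report attached",
]


def parse_rules(text):
    """Parse header/score lines into {name: {'header', 'regex', 'score'}}."""
    rules = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        kind, name, rest = parts
        # A rule without an explicit score line defaults to 1.0.
        rule = rules.setdefault(name, {"score": 1.0})
        if kind == "header":
            m = _HEADER.match(rest.strip())
            if not m:
                raise ValueError("unsupported header rule: %r" % line)
            header, pattern, flags = m.groups()
            bits = 0
            for flag in flags:
                bits |= _FLAGS[flag]
            rule["header"] = header
            rule["regex"] = re.compile(pattern, bits)
        elif kind == "score":
            rule["score"] = float(rest.split()[0])
        # describe lines carry no matching logic and are ignored here.
    return rules


def subject_score(rules, subject):
    """Sum the scores of all Subject rules that hit this subject line."""
    total = 0.0
    for rule in rules.values():
        if rule.get("header", "").lower() != "subject":
            continue
        if rule["regex"].search(subject):
            total += rule["score"]
    return total


def flagged_alone(rule_text, subjects, required=5.0):
    """Subjects that these rules alone would push to or over the threshold."""
    rules = parse_rules(rule_text)
    return [s for s in subjects if subject_score(rules, s) >= required]


if __name__ == "__main__":
    for label, text in (("unanchored", SIMON_RULES), ("anchored", JEREMY_RULES)):
        print(label)
        for subject in flagged_alone(text, SUBJECTS):
            print("   flagged:", subject)
```
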
 





MX1 server queue mail

2006-11-29 Thread chisina mike
I have a problem with my MX1 mail server running sendmail. Some mails are
being queued for days eg.

[EMAIL PROTECTED] ~]# more /var/log/maillog |grep kAS91uVl019923

Nov 28 11:02:25 mx1 sendmail[19923]: kAS91uVl019923:
from=[EMAIL PROTECTED], size=1728, class=0, nrcpts=1,
msgid=[EMAIL PROTECTED], proto=SMTP,
daemon=MTA, relay=web30405.mail.mud.yahoo.com [68.142.200.108]

Nov 28 11:02:25 mx1 sendmail[19923]: kAS91uVl019923: Milter add: header:
X-Virus-Scanned: ClamAV 0.88.2/2252/Mon Nov 27 20:47:11 2006 on
mx1.africau.ac.zw

Nov 28 11:02:25 mx1 sendmail[19923]: kAS91uVl019923: Milter add: header:
X-Virus-Status: Clean

Nov 28 11:02:25 mx1 sendmail[19923]: kAS91uVl019923:
to=[EMAIL PROTECTED], delay=00:00:03, mailer=smtp, pri=31728,
stat=queued

 

This mail is supposed to be relayed to my main mail server. How do I solve this
problem?

 

Regards

 

Mike chisina



Re: optional score in local.cf is not working

2006-11-29 Thread Matt Kettler
Leon Kolchinsky wrote:
 Hi,

 I thought I was wrong and amavis restart didn't really help there, but 
 there is an update for this problem I had with configuration in local.cf not 
 catching.

 It seems that only when I do /etc/init.d/amavis restart, all configs in 
 local.cf are coming intact.

 I was used to an old version of amavis and SA on Suse, where you would only do 
 changes to local.cf and spamd restart.

 1) So, my question is - Is this a normal behavior? 
   
Yes. Because amavisd-new uses the API, restarting spamd should have no
effect on it. I don't know why your old version ever used spamd, as it's
highly inefficient for a perl application to do so instead of calling
Mail::SpamAssassin.
 2) For every change in local.cf should I do now only amavis restart and no 
 spamd restart?
   
Yes.. and you should also change your system to not run spamd anymore.

Amavisd-new does not use spamd, so running it is a waste of memory.



sa-update installation

2006-11-29 Thread Odhiambo Washington

Hello List,

I have successfully (I hope) installed and run sa-update, and
I see that it installed files in /var/lib/spamassassin/3.001007/

In my FreeBSD box, I am used to the rules being in 
/usr/local/share/spamassassin and /usr/local/etc/mail/spamassassin.

Do I just go out for a cold beer and hope that SA will be reading
these rules as well?

What happens when I run sa-update? Does it update the rules files in
/usr/local/share/spamassassin or what?



-Wash



sa-update question, kinda

2006-11-29 Thread Joe Zitnik
I know you can use sa-update to download the new sa-rules as they become
available.  Are the rules located somewhere that they can be manually
downloaded as they are updated, kind of like rulesemporium?  I was
poking around the sa site, but couldn't find updated rules, only full
releases.


Re: Anyone else seeing this (remove user from list?)

2006-11-29 Thread Matt Kettler
Loren Wilton wrote:
 Is anyone else seeing the below when sending a message to the list?

 Yes.  Discussed a week or so ago when it seemingly first started
 happening.

Loren


Yes. Under the subject [Fwd: Your email message was blocked]

but they didn't talk about anything other than why the message was
kicked back.

The big question is should we continue to allow [EMAIL PROTECTED]
to be a list member while the csg content filter is responding to
From: addresses instead of the Return-Path with a delivery status
notification.

I personally vote for the removal of this user until they learn to
disable their content filter, or at least make it do the right thing and
not respond to messages with Precedence: bulk or list.






effectivity with local tests only [auf Viren überprüft]

2006-11-29 Thread Hans Moser

Hi!

My environment is a bit weird.
I get all my Mails from my ISP's relay. So I disabled AWL.
I have no direct internet access. I can use HTTP over a proxy cascade
and SMTP with the relay host. No external DNS.

So I'm stuck with static rules and bayes. I trained SA with 1600 spam
mails and 220 ham mails.
After that I took one of the spams and invoke

# spamassassin --test-mode < spammail

[...]

Inhaltsanalyse im Detail:   (3.5 Punkte, 5.0 benötigt)

Pkte Regelname              Beschreibung
---- ---------------------- --------------------------------------------------
 0.0 HTML_MESSAGE           BODY: Nachricht enthält HTML
 3.5 BAYES_99               BODY: Spamwahrscheinlichkeit nach Bayes-Test: 99-100%
                            [score: 1.]
 0.0 MIME_HTML_ONLY         BODY: MIME-Nachricht besteht nur aus HTML

Bayes is nearly 100% certain that it is spam. It is spam, but the score
is only 3,5.

Can you advise me on something to adjust to get spam to the right score?

Set score of bayes up?
Lower score for spam?

Razor, Pyzor and DCC need direct internet access. If there is no other
way, I'll try to work this out with my ISP, but this will be hard work...


Hans



RE: optional score in local.cf is not working

2006-11-29 Thread Leon Kolchinsky
Hi,

OK.
I did some manual tests and indeed changes in local.cf are only catching when I 
restart amavis.

# /etc/init.d/amavis restart
Shutting down virus-scanner (amavisd-new):Daemon [9905] terminated by SIGTERM

  done
Starting virus-scanner (amavisd-new):   
  done

When I restart only spamd no change in local.cf is catching.


I don’t really understand why?

Mark Martinec said that amavisd-new can't call spamd 

So, let me get this straight:
-
This is how I see the work of amavis+spamd+clamd:

1. As I see it amavis talks to spamd (spamassassin) and clamd (ClamAV) via 
appropriate sockets or TCP ports.
In my case - 
To clamd via /var/lib/clamav/clamd-socket (I can see it in amavisd.conf)
To spamd ? (I don't know how to check it)

2. Any configuration change I make to clamd and spamd takes effect only when I 
restart the daemons themselves.

3. But according to Matt Kettler's response and my testing, any change to 
local.cf requires amavis restart.

# /etc/init.d/amavis restart
Shutting down virus-scanner (amavisd-new):Daemon [9905] terminated by SIGTERM

  done
Starting virus-scanner (amavisd-new):   
  done


What is going on?
Where can I validate config options of amavis to make sure the way it works?



P.S.:


This is taken from /etc/init.d/amavis:
--
AMAVISD_BIN=/usr/sbin/amavisd
AMAVIS_MILTER_BIN=/usr/sbin/amavis-milter
echo -n "Starting virus-scanner (amavisd-new):"
$AMAVISD_BIN start
if ! checkproc amavisd; then
   rc_failed 7
fi
rc_status -v
if [ "$AMAVIS_SENDMAIL_MILTER" == "yes" ]; then
    rc_reset
    echo -n "Starting amavis-milter:"
    startproc -u vscan $AMAVIS_MILTER_BIN -p local:/var/run/amavis/amavis-milter.sock > /dev/null 2>&1
    rc_status -v
fi


This is taken from /etc/init.d/spamd:
-
# Short-Description: Start the spamassassin daemon
SPAMD_BIN=/usr/sbin/spamd
PIDFILE=/var/run/spamd.pid
startproc -p $PIDFILE $SPAMD_BIN $SPAMD_ARGS -r $PIDFILE


This is taken from /etc/amavisd.conf:
-
@av_scanners = (
### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/lib/clamav/clamd-socket"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);



-Original Message-
From: Nigel Frankcom [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 29, 2006 10:21 AM
To: users@spamassassin.apache.org
Subject: Re: optional score in local.cf is not working

On Wed, 29 Nov 2006 10:10:58 +0200, Leon Kolchinsky
[EMAIL PROTECTED] wrote:

Hi,

I thought I was wrong and amavis restart didn't really help there, but 
there is an update for this problem I had with configuration in local.cf not 
catching.

It seems that only when I do /etc/init.d/amavis restart, all configs in 
local.cf are coming intact.

I was used to an old version of amavis and SA on Suse, where you would only do 
changes to local.cf and spamd restart.

1) So, my question is - Is this a normal behavior? 
2) For every change in local.cf should I do now only amavis restart and no 
spamd restart?



Regards,
Leon

-Original Message-
From: Mark Martinec [mailto:[EMAIL PROTECTED] 
Sent: Sunday, November 26, 2006 10:54 PM
To: users@spamassassin.apache.org
Subject: Re: optional score in local.cf is not working

On Sunday November 26 2006 20:25, Matt Kettler wrote:
  Erm.. are you sure? I thought amavisd-new called SA directly at the API
  layer, not via spamd...
 I didn't even realize amavis *could* use spamd, every amavis person I've
 talked to on the list isn't using it.

amavisd-new can't call spamd, there is no configuration option to do so,
and no code to support it.

spamc/spamd could be used (if desired/needed) by implementing the usual SA 
standalone setup, and disabling spam checking in amavisd.

  Mark

As far as I am aware any setting changes in the local.cf need a
restart of spamd. Whether or not amavis does this for you I don't
know. I do recall someone recently mentioning that the Amavis doesn't
give enough time and/or wait for the return from spamd. Though this
may not be at all related to your issue.

For a simple test. Make a change and manually restart spamassassin,
then undo the change, restart just amavis and see if amavis picks it
up?

HTH

Kind regards

Nigel


Re: RelayChecker (now Botnet ) 0.4

2006-11-29 Thread Jonas Eckerman


Rick Macdougall wrote:
Those who like SQL might like the stuff at 
http://whatever.frukt.org/p0fstats.text.shtml which includes my 
SpamAssassin plugin. :-)


If I'm reading the docs correctly, it would not be of any use to me 
since spamd runs on its own separate server and p0f only supports local 
sockets.  Correct or is there a way I could use it ?


Which docs did you read?

The stuff at the link above lets you use p0f data on one machine even if p0f is 
running at another machine. I believe the other plugin that someone links to 
also has the ability to use p0f data on another machine.

This is how our setup looks:

The three relevant machines are
Monty: our firewall (OpenBSD)
Oliver: our statistics machine (FreeBSD)
Chip: our mail gateway (FreeBSD)

Monty runs p0f on the Internet interface using the p0f.udpsend script to 
forward the p0f data to Oliver.

Oliver uses the p0f.udplog script to collect the p0f data and insert it into a 
MySQL database.

Chip uses SpamAssassin, which uses my p0f SpamAssassin plugin to get p0f data 
from Oliver.

Regards
/Jonas
--
Jonas Eckerman, FSDB  Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



Re: sa-update installation

2006-11-29 Thread Steven Stern
Odhiambo Washington wrote:
 Hello List,
 
 I have successfully (I hope) installed and run sa-update, and
 I see that it installed files in /var/lib/spamassassin/3.001007/
 
 In my FreeBSD box, I am used to the rules being in 
 /usr/local/share/spamassassin and /usr/local/etc/mail/spamassassin.
 
 Do I just go out for a cold beer and hope that SA will be reading
 these rules as well?
 
 What happens when I run sa-update? Does it update the rules files in
 /usr/local/share/spamassassin or what?
 
 

after sa-update runs, restart spamassassin and it will use the new rules
in /var/lib/spamassassin.

I have this as a cron job:

30 3 * * *  sa-update && spamassassin --lint && /etc/init.d/spamassassin restart


-- 

  Steve


Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?

2006-11-29 Thread Adam Wilbraham
Hi,

I've got a bit of an odd situation whereby some obvious spam seems to
be slipping through the net of our setup. A prime example would be a
Re: hi spam which has just come through, an obvious looking spam
containing the text Hi and a drugs gif. Looking at the headers after
qmail scanner has pushed it through spamc, it gives the following key things:

--
Received: (qmail 17122 invoked by uid 1387); 29 Nov 2006 13:16:32 -
Received: from 88.229.73.122 by servername (envelope-from
[EMAIL PROTECTED], uid 33001) with qmail-scanner-2.01
(sweep: 2.39.2/4.11.0. spamassassin: 3.1.3.
Clear:RC:0(88.229.73.122):SA:0(2.6/5.0):. Processed in 11.629468 secs);
29 Nov 2006 13:16:32 - X-Spam-Checker-Version: SpamAssassin 3.1.3
(2006-06-01) on servername X-Spam-Level: **
X-Spam-Status: No, score=2.6 required=5.0 tests=BAYES_50,HTML_MESSAGE,
RCVD_IN_DSBL,SARE_GIF_ATTACH autolearn=no version=3.1.3
X-Envelope-From: [EMAIL PROTECTED]
Received: from unknown (HELO balboacompany.com) (88.229.73.122)
--

As you can see, it's only been given a score of 2.6. If I then log into the 
mailserver and run spamassassin on the message in my inbox, spamassassin 
scores it higher than that and marks it up as spam:

---
Content preview:  Hi Hi [...] 

Content analysis details:   (6.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 HTML_90_100            BODY: Message is 90% to 100% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.0 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9830]
 0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
 2.6 RCVD_IN_DSBL           RBL: Received via a relay in list.dsbl.org
                            [http://dsbl.org/listing?88.229.73.122]
---

One of the key things for me is that this time the bayes probability is 
much higher, but this seems to happen with any spam that arrives in my 
inbox - it will come through with a lower score, but if I manually invoke SA 
on the message it will report back with a higher score that's picked 
up by more rules.

Has anyone got any suggestions as to what I might need to look into to 
rectify this behaviour? I was running 3.1.0 until yesterday when I upgraded 
to 3.1.3 to take advantage of sa-update, so my rulesets should not be the 
problem.

Many thanks in advance for any help provided.


Wilb.
 


Cronjob with sa-learn

2006-11-29 Thread Markus Braun

Hello,

I tried to create a cron job to add spam messages as spamemails.

The following command :

0 1 * * *  vmail sa-learn  --spam 
/var/opt/vmail/.info/oliver/Maildir/.spam/cur *.*


But I get this return:

archive-iterator: readdir found no mail in 'domain1.de' directory
archive-iterator: readdir found no mail in 'domain2.de' directory
Learned tokens from 7 message(s) (460 message(s) examined)

I think the last message is ok. But what about the first and second one? The 
command is correct?


Thanks for help

marcus





Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?

2006-11-29 Thread Adam Wilbraham
To follow up on this, the message in question is flagged as spam if I
run it through spamassassin, however if I run it through spamc it's not.
spamc is what Qmail Scanner invokes. Is there a separate configuration
for spamc / spamd to spamassassin? I thought not...
 

On Wed, 29 Nov 2006 14:00:13 +
Adam Wilbraham [EMAIL PROTECTED] wrote:

 I've got a bit of an odd situation whereby some obvious spam seems to
snip


Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?

2006-11-29 Thread Jim Maul

Adam Wilbraham wrote:

To follow up on this, the message in question is flagged as spam if I
run it through spamassassin, however if I run it through spamc it's not.
spamc is what Qmail Scanner invokes. Is there a separate configuration
for spamc / spamd to spamassassin? I thought not...
 



When you run spamassassin it is running as the current user.  Who are 
you logged in as?  When qmail-scanner runs spamc it is most likely 
running as a different user (maybe qscand?)  Different users will 
provide different results depending on the configuration.  Also, 
scanning a message at a later time may produce different results due to 
the message being listed in some RBL or razor,dcc,etc.


-Jim



On Wed, 29 Nov 2006 14:00:13 +
Adam Wilbraham [EMAIL PROTECTED] wrote:


I've got a bit of an odd situation whereby some obvious spam seems to

snip







Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?

2006-11-29 Thread Bookworm

Adam Wilbraham wrote:

To follow up on this, the message in question is flagged as spam if I
run it through spamassassin, however if I run it through spamc it's not.
spamc is what Qmail Scanner invokes. Is there a separate configuration
for spamc / spamd to spamassassin? I thought not...
 
It sounds like you have the spamd bayes database, and then you have the 
database for whatever user you're actually running the test from.   I 
ran into this problem as well - it's a known issue, and I wish the SA 
folks would come up with a way to run, as root, sa-learn for a NON-ROOT 
bayes database.   Vpopmail directories aren't readable by spamd.


One possible fix is to look in /root/.spamassassin and check the bayes 
information there against /home/spamd/.spamassassin (or whatever the 
home directory is for the user that's running spamd for Qmail Scanner)


(It SHOULD be possible to make it so that a cron job could run a 
sa-learn -u spamd variation for learning stuff in directories unreadable 
by the 'spamd' user)


BW



Moving to folder based upon spamassassin score

2006-11-29 Thread John W Mickevich
Hi all,

 

I have what is probably a simple question.  I know I have seen instructions
on this before, but cannot locate them and was hoping someone could point me
in the right direction.

 

I am using spamassassin with sendmail and am using .procmailrc to direct my
incoming email to be sent to spamassassin for scoring.

 

What I want to do is move email tagged as spam to a specific linux folder,
but I want it to be based upon the spamassassin score - not just the fact
that spamassassin tagged it as spam.

 

I am sure I need a .procmailrc entry, but I don't know what it would be.

 

Any assistance would be greatly appreciated.

 

Thanks!

 

John W Mickevich

Computer Management Technologies

[EMAIL PROTECTED]

 



RE: This is so obvious...

2006-11-29 Thread Chris Santerre
Yeah this slipped through as well. Just write a rule for the phone number. I'll
see about getting 70_sare_specific.cf updated for this number. 
 
--Chris

-Original Message-
From: Jon D. Slater [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 29, 2006 9:17 AM
To: users@spamassassin.apache.org
Subject: This is so obvious...



I am running SA 3.0.6-1 under Fedora Core 4 (2.6.17-1.2142_FC4).

 

And I just got this spam.  It's so obviously spam, how could it be scored
0.0?

 

Besides the updates, I've also installed:

70_sare_adult.cf

70_sare_specific.cf

70_sare_stocks.cf

 

Is there some other rule set I should be including?

 

Thanks!

 

Jon

 

 

 

Return-Path: [EMAIL PROTECTED]

Received: from love.allvrn.ru ([122.4.2.228])

by blahblahblah.org (8.13.7/8.13.4) with SMTP id kASNsqPw005647

for [EMAIL PROTECTED]; Tue, 28 Nov 2006 16:54:55 -0700

Message-ID: [EMAIL PROTECTED]

Date: Tue, 28 Nov 2006 16:50:59 -0200

Reply-To: dewey fisher [EMAIL PROTECTED]

From: dewey fisher [EMAIL PROTECTED]

User-Agent: Mozilla/5.0 (Windows; U; Win95; en-GB; rv:0.9.4) Gecko/20011019
Netscape6/6.2

MIME-Version: 1.0

To: Starr Cole [EMAIL PROTECTED]

Subject: Totally OutOfDebt Overnight

Content-Type: text/plain;

charset=iso-8859-1

Content-Transfer-Encoding: 7bit

X-Spam-Checker-Version: SpamAssassin 3.0.6 (2005-12-07) on blahblahblah.org

X-Spam-Level: 

X-Spam-Status: No, score=0.0 required=4.3 tests=none autolearn=ham 

version=3.0.6

Status: O

X-UID: 4065

Content-Length: 593

X-Keywords:


 

 -Original Message-

 From: dewey fisher [ mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] ]

 Sent: Tuesday, November 28, 2006 11:51 AM

 To: Starr Cole

 Subject: Totally OutOfDebt Overnight

 

 A few select  1egal counse1 just found a loophole in the bank laws. 

 With this discovery, we've been 5uccessful at eliminating people's 

 creditcarddebt with 0ut them paying one more cent. WeGuarantee that we 

 can help you with this.

 

 C0ntact us at

 

 3l4-854-8497

 

 

 The children and the Wizard rushed across the moving rock and sprang 

 into the passage beyond, landing safely though a little out of breath. 

 Rob washed and brushed the dust from his clothes, after which he sat 

 down and amused himself by viewing the pictures that constantly formed 

 upon the polished plate of the Record of EventsM20e

 

 






Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?

2006-11-29 Thread Adam Wilbraham
On Wed, 29 Nov 2006 08:22:13 -0600
Bookworm [EMAIL PROTECTED] wrote:
 It sounds like you have the spamd bayes database, and then you have
 the database for whatever user you're actually running the test
 from.   I ran into this problem as well - it's a known issue, and I
 wish the SA folks would come up with a way to run, as root, sa-learn
 for a NON-ROOT bayes database.   Vpopmail directories aren't readable
 by spamd.

I'm not running vpopmail on this server. spamd is running as qscand,
however I've got my /etc/spamassasin/local.cf set to use a site wide
bayes database. I also have auto_whitelist configured, and I'm
wondering if this is such a good idea:

bayes_path                 /etc/mail/spamassassin/bayes
bayes_file_mode            0770
auto_whitelist_path        /etc/mail/spamassassin/auto-whitelist
auto_whitelist_file_mode   0770
use_bayes                  1
bayes_auto_learn           1

I have a script that runs every night that sa-learns data from each
user's SpamTrain folder into this site wide database. Now I seriously
hope that spamd isn't reading its bayes data from qscand's home, as this
data hasn't been touched for 2 years:

ls -alh ~/qscand/.spamassassin
drwxr-xr-x 2 qscand qscand 4.0K 2004-07-07 11:01 .
drwxr-xr-x 4 qscand root   4.0K 2006-07-26 11:28 ..
-rw-r--r-- 1 qscand qscand  20K 2004-01-06 16:43 auto-whitelist
-rw--- 1 qscand qscand 556K 2004-07-07 11:01 auto-whitelist.dir
-rw--- 1 qscand qscand 556K 2004-07-07 11:01 auto-whitelist.pag
-rw--- 1 qscand qscand  47K 2004-07-07 11:01 bayes_journal
-rw-r--r-- 1 qscand qscand  10M 2004-07-07 11:01 bayes_seen
-rw--- 1 qscand qscand 4.2M 2004-07-07 11:01 bayes_toks
-rw-r--r-- 1 qscand qscand 1.5K 2006-07-06 09:53 user_prefs

Maybe I should delete that and symlink in the files to the sitewide
bayes, just in case?

When I ran spamassassin on the item of spam I referred to earlier,  it
was using my own user account. I don't even have any data in
my .spamassassin folder, so I can only assume that it was using the
site wide bayes for its checks then. Or could my bayes data be
completely messed up, and spamassassin was doing a better job of
identifying spam under my user account with no bayes data at all? 

Once again many thanks for the suggestions and help...

Wilb




Re: sa-update installation

2006-11-29 Thread Jason Frisvold

On 11/29/06, Steven Stern [EMAIL PROTECTED] wrote:

after sa-update runs, restart spamassassin and it will use the new rules
in /var/lib/spamassassin.

I have this as a cron job:

30 3 * * *  sa-update && spamassassin --lint && /etc/init.d/spamassassin restart


Oh?  I thought you needed to specify within the local.cf file to use
those updated rules?  Am I mistaken?  Will it automatically use the
correct rules from /var/lib/spamassassin?  (correct meaning that if
I update to the next version, will it use the latest rules and not get
confused with possible rules left lying around?)


--

  Steve


--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]


RE: optional score in local.cf is not working

2006-11-29 Thread Bowie Bailey
Leon Kolchinsky wrote:
 
 So, let me get this straight:
 -
 This is how I see the work of amavis+spamd+clamd:
 
 1. As I see it amavis talk to spamd (spamassassin) and clamd (ClamAV)
 via appropriate sockets or TCP ports. 
 In my case -
 To clamd via /var/lib/clamav/clamd-socket (I can see it in
 amavisd.conf) 
 To spamd ? (I don't know how to check it)

Not quite.  Amavisd does not talk to spamd.  Amavisd has the SpamAssassin
code built into it.

 2. Any configuration change I make to clamd and spamd take power only
 when I restart the deamons themselves. 

If you were using spamd, you would need to restart it to apply the changes.
But since you are using Amavisd to run SpamAssassin, this is not necessary.

 3. But according to Matt Kettler response and my testings, any change
 to local.cf require amavis restart. 

When you restart Amavisd, it reads the local.cf file and uses that to
initialize its internal copy of SpamAssassin.

 # /etc/init.d/amavis restart
 Shutting down virus-scanner (amavisd-new):Daemon [9905] terminated by
  
 SIGTERM done 
 Starting virus-scanner (amavisd-new):
 done 
 
 
 What is going on?
 Where I can validate config options of amavis to make sure the way it
 works? 

You can shutdown spamd, you don't need it.

To sum it up, there are three ways to use SpamAssassin:

1) The spamassassin executable -- This loads everything each time you call
   it.  It is inefficient, but it is useful for simple scripts and for
   testing.
2) The spamd daemon -- This loads everything once and then scans messages
   passed to it by spamc.  This is much more efficient since it only has to
   load the Perl interpreter and all of the rulesets and plugins once.
3) The Mail::SpamAssassin Perl API -- This allows the SpamAssassin code to
   be called directly by another Perl program.  This is how Amavisd runs.
   It gets a message, calls the SpamAssassin routines, marks up the message,
   and sends it along.  It still only loads everything once, but it is being
   loaded into Amavisd instead of spamd.

-- 
Bowie


Re: sa-update question, kinda

2006-11-29 Thread Matt Kettler
Joe Zitnik wrote:
 I know you can use sa-update to download the new sa-rules as they become
 available.  Are the rules located somewhere that they can be manually
 downloaded as they are updated, kind of like rulesemporium?  I was
 poking around the sa site, but couldn't find updated rules, only full
 releases.

   
Nope. Well, maybe via SVN, but that's about it.

The primary reason being that the standard rulesets are a bit specific
as to what rules works with what version. sa-update makes some version
checks and will, in theory, only download rules appropriate to your
version of SA.

If you're running a version that's old enough to not have sa-update, you
really should upgrade all of spamassassin before looking for better
rules. The code itself is quite critical to accuracy as improvements are
constantly made to various parts such as mime and URI parsers to deal
with spammer's tricks. Rules alone can't be a complete solution.






RE: sa-update installation

2006-11-29 Thread Bowie Bailey
Jason Frisvold wrote:
 On 11/29/06, Steven Stern [EMAIL PROTECTED] wrote:
  after sa-update runs, restart spamassassin and it will use the new
  rules in /var/lib/spamassassin. 
  
  I have this as a cron job:
  
  30 3 * * *  sa-update && spamassassin --lint && /etc/init.d/spamassassin restart
 
 Oh?  I thought you needed to specify within the local.cf file to use
 those updated rules?  Am I mistaken?  Will it automatically use the
 correct rules from /var/lib/spamassassin?  (correct meaning that if
 I update to the next version, will it use the latest rules and not get
 confused with possible rules left lying around?)

SA knows about the directories used by sa-update and will automatically use
the correct rules.

To be more specific, it checks /var/lib/spamassassin first.  If it finds
rules there, it uses them.  Otherwise, it goes to /usr/share/spamassassin.

-- 
Bowie


RE: Cronjob with sa-learn

2006-11-29 Thread Bowie Bailey
Markus Braun wrote:
 Hello,
 
 i tried to create a cron job to add spam messages as spamemails.
 
 The following command :
 
 0 1 * * *  vmail sa-learn  --spam
 /var/opt/vmail/.info/oliver/Maildir/.spam/cur *.*
 
 But I get this return:
 
 archive-iterator: readdir found no mail in 'domain1.de' directory
 archive-iterator: readdir found no mail in 'domain2.de' directory
 Learned tokens from 7 message(s) (460 message(s) examined)
 
 I think the last message is ok. But what about the first and second
 one? The command is correct?

I think the problem is the '*.*' at the end.  It is trying to run sa-learn
against all of the directories with a period in the current directory.

Take off the '*.*' and see what happens.

-- 
Bowie


spam is marked as user_in_whitelist

2006-11-29 Thread Stas Khromoy

*keep getting the following spam
which spamassassin for some reason
gives a score of -100 or -70
keeps saying the user is in whitelist



Subject:* both of those that is of the people, of the Lord your words of
subject :me: a certain man that hear O house of man from among the land 
of our

or other of similar context .. they look like quotes from the bible :)


with offers to buy  some crap  from
s a b a n z e n dot com

X-Spam-Status: No, score=-74.498 tagged_above=-150 required=3
tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818,
HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1,
RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1,
RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75,
SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666,
UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]


i can't think of anything at this point aside from getting rid of the 
old whitelist and starting a new one.




Re: Moving to folder based upon spamassassin score

2006-11-29 Thread Matthias Häker



John W Mickevich wrote:


Hi all,

I have what is probably a simple question. I know I have seen 
instructions on this before, but cannot locate them and was hoping 
someone could point me in the right direction.


I am using spamassassin with sendmail and am using .procmailrc to 
direct my incoming email to be sent to spamassassin for scoring.


What I want to do is move email tagged as spam to a specific linux 
folder, but I want it to be based upon the spamassassin score – not 
just the fact that spamassassin tagged it as spam.


I am sure I need a .procmailrc entry, but I don’t know what it would be.

Any assistance would be greatly appreciated.

Thanks!

John W Mickevich

Computer Management Technologies

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]




Hi , to the List


You can use a threshold with procmail $VAR

VERBOSE=ON
# setting the level
#trash
TLVL=-10
#quarantine
QLVL=-4
#maybe spam 
MLVL=-2

SL=0

# counting stars

:0
* 1^1 ()^X-Spam-Level:[$WS]\/[*]
{ } SL = $=

# with this you sort the mail in MBOX files

:0
* $ $SL^0 
* $ $TLVL^0 
/dev/null

:0
* $ $SL^0 
* $ QLVL^0 
/var/mail/quarantine

:0
* $ $SL^0 
* $ MLVL^0 
/var/mail/maybespam

#the rest let pass 




Matthias










Re: Moving to folder based upon spamassassin score

2006-11-29 Thread Matthias Haeker

UUPS

I have some syntax errors / fast copy / missing $

John W Mickevich wrote:


Hi all,

I have what is probably a simple question. I know I have seen 
instructions on this before, but cannot locate them and was hoping 
someone could point me in the right direction.


I am using spamassassin with sendmail and am using .procmailrc to 
direct my incoming email to be sent to spamassassin for scoring.


What I want to do is move email tagged as spam to a specific linux 
folder, but I want it to be based upon the spamassassin score – not 
just the fact that spamassassin tagged it as spam.


I am sure I need a .procmailrc entry, but I don’t know what it would be.

Any assistance would be greatly appreciated.

Thanks!

John W Mickevich

Computer Management Technologies

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]




Hi , to the List


You can use a threshold with procmail $VAR

VERBOSE=ON
# setting the level
#trash
TLVL=-10
#quarantine
QLVL=-4
#maybe spam
MLVL=-2
SL=0

# counting stars

:0
* 1^1 ()^X-Spam-Level:[$WS]\/[*]
{ } SL = $=

# with this you sort the mail in MBOX files

:0
* $ $SL^0 
* $ $TLVL^0 
/dev/null

:0
* $ $SL^0 
* $ $QLVL^0 
/var/mail/quarantine

:0
* $ $SL^0 
* $ $MLVL^0 
/var/mail/maybespam

#the rest let pass



Matthias











Re: spam is marked as user_in_whitelist

2006-11-29 Thread Greg Skouby
On Wed, Nov 29, 2006 at 10:22:11AM -0500, Stas Khromoy wrote:
 *keep getting the following spam
 which spamassassin for some reason
 gives a score of -100 or -70
 keeps saying the user is in whitelist
 
 
 
 Subject:* both of those that is of the people, of the Lord your words of
 subject :me: a certain man that hear O house of man from among the land 
 of our
 or other of similar context .. they look like quotes from the bible :)
 
 
 with offers to buy  some crap  from
 s a b a n z e n dot com
 
 X-Spam-Status: No, score=-74.498 tagged_above=-150 required=3
 tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818,
 HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1,
 RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1,
 RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75,
 SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666,
 UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]
 
 
 i can't think of anything at this point aside from getting rid of the 
 old whitelist and starting a new one.
 


Hi Stas,


I am betting that the envelope-sender is the user that is in the whitelist 
and you are looking at the from address and thinking that the from address 
is not in the whitelist. 
We have run into a fair amount of the above situation on our system. I think it 
might be a good idea to make USER_IN_WHITELIST have a score of ~ -15 instead of 
~100.




--Greg
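
The arithmetic behind the suggestion above, as an added example that is not part of the original posts: it parses the X-Spam-Status value quoted in this thread, re-totals it with USER_IN_WHITELIST weighted at 0, -100 and -15, and flags a message whose other rules alone reach the required threshold. The function names are assumptions made for this example; the header and the -15 weight come from the thread.

```python
import re

# X-Spam-Status value quoted in the thread above (amavisd-new style, folded).
HEADER = """No, score=-74.498 tagged_above=-150 required=3
 tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818,
 HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1,
 RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1,
 RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75,
 SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666,
 UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]"""

_NUM = r"(-?\d+(?:\.\d+)?)"
_FIELD = re.compile(r"\b(score|required)=" + _NUM)
_TESTS = re.compile(r"tests=\[([^\]]*)\]")
_RULE = re.compile(r"([A-Za-z0-9_]+)=" + _NUM)


def parse_spam_status(value):
    """Parse an X-Spam-Status value into verdict, score, threshold and rule hits."""
    flat = " ".join(value.split())          # unfold continuation lines
    head = flat.split("tests=", 1)[0]       # score=/required= precede the rule list
    fields = {k: float(v) for k, v in _FIELD.findall(head)}
    if "score" not in fields or "required" not in fields:
        raise ValueError("header has no score= / required= fields")
    found = _TESTS.search(flat)
    tests = {}
    if found:
        tests = {name: float(pts) for name, pts in _RULE.findall(found.group(1))}
    return {
        "is_spam": flat.lower().startswith("yes"),
        "score": fields["score"],
        "required": fields["required"],
        "tests": tests,
    }


def score_with_weight(status, rule, weight):
    """Total score if `rule` had carried `weight` instead of its recorded points."""
    others = sum(pts for name, pts in status["tests"].items() if name != rule)
    if rule in status["tests"]:
        others += weight
    return round(others, 3)


def masked_by(status, rule="USER_IN_WHITELIST"):
    """True when `rule` fired and the remaining rules alone reach the threshold."""
    if rule not in status["tests"]:
        return False
    return score_with_weight(status, rule, 0.0) >= status["required"]


if __name__ == "__main__":
    status = parse_spam_status(HEADER)
    for weight in (0.0, -100.0, -15.0):
        total = score_with_weight(status, "USER_IN_WHITELIST", weight)
        verdict = "spam" if total >= status["required"] else "ham"
        print(f"USER_IN_WHITELIST={weight:>7}: total {total:>8} -> {verdict}")
    print("whitelist hit masks a spam-level score:", masked_by(status))
```

Running `masked_by` over the X-Spam-Status headers of delivered mail gives a list of messages worth checking against the whitelist entries that matched them.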



Re: sa-update installation

2006-11-29 Thread Bryan Hepworth

Steven Stern wrote:

Odhiambo Washington wrote:
  

Hello List,

I have successfully (I hope) installed and run sa-update, and
I see that it installed files in /var/lib/spamassassin/3.001007/

In my FreeBSD box, I am used to the rules being in 
/usr/local/share/spamassassin and /usr/local/etc/mail/spamassassin.


Do I just go out for a cold beer and hope that SA will be reading
these rules as well?

What happens when I run sa-update? Does it update the rules files in
/usr/local/share/spamassassin or what?





after sa-update runs, restart spamassassin and it will use the new rules
in /var/lib/spamassassin.

I have this as a cron job:

30 3 * * *  sa-update && spamassassin --lint && /etc/init.d/spamassassin restart


  

Perfect

I was just about to ask what the recommended interval for running 
sa-update was :-)


Cheers Mate!

Bryan


Re: Moving to folder based upon spamassassin score

2006-11-29 Thread Matthias Haeker





# third try :)


You can use a threshold with procmail $VAR

VERBOSE=ON
# setting the level
#trash
TLVL=-10
#quarantine
QLVL=-4
#maybe spam
MLVL=-2
SL=0

# counting stars

:0
* $ H  ?? ()^X-Spam-Level: \/[*]+
{ SPAMLEVEL=$MATCH }


:0
* 1^1 SPAMLEVEL ?? ()\*
{ } SL = $=


# with this you sort the mail in MBOX files

:0
* $ $SL^0 
* $ $TLVL^0 
/dev/null

:0
* $ $SL^0 
* $ QLVL^0 
/var/mail/quarantine

:0
* $ $SL^0 
* $ MLVL^0 
/var/mail/maybespam

#the rest let pass



Matthias











Re: Moving to folder based upon spamassassin score

2006-11-29 Thread Matthias Haeker

Uh, yes

I shouldn't try to be so quick, sorry. I forgot a : and had a wrong $

#


You can use a threshold with procmail $VAR

VERBOSE=ON
# setting the level
#trash
TLVL=-10
#quarantine
QLVL=-4
#maybe spam
MLVL=-2
SL=0

# counting stars

:0
* H  ?? ()^X-Spam-Level: \/[*]+
{ SPAMLEVEL=$MATCH }


:0
* 1^1 SPAMLEVEL ?? ()\*
{ } SL = $=


# with this you sort the mail in MBOX files

:0
* $ $SL^0 
* $ $TLVL^0 
/dev/null

:0:
* $ $SL^0 
* $ $QLVL^0 
/var/mail/quarantine

:0:
* $ $SL^0 
* $ $MLVL^0 
/var/mail/maybespam

#the rest let pass



Matthias












Re: sa-update installation

2006-11-29 Thread Odhiambo Washington
* On 29/11/06 07:56 -0600, Steven Stern wrote:
| Odhiambo Washington wrote:
|  Hello List,
|  
|  I have successfully (I hope) installed and run sa-update, and
|  I see that it installed files in /var/lib/spamassassin/3.001007/
|  
|  In my FreeBSD box, I am used to the rules being in 
|  /usr/local/share/spamassassin and /usr/local/etc/mail/spamassassin.
|  
|  Do I just go out for a cold beer and hope that SA will be reading
|  these rules as well?
|  
|  What happens when I run sa-update? Does it update the rules files in
|  /usr/local/share/spamassassin or what?
|  
|  
| 
| after sa-update runs, restart spamassassin and it will use the new rules
| in /var/lib/spamassassin.

My sa-update script is configured to do this already:
 'svc -h /var/service/spamd'

And I have a crontab entry, so it's time for beer ;)



-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+==+
|\  _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED]
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+

It is the business of little minds to shrink.
-- Carl Sandburg


Re: spam is marked as user_in_whitelist

2006-11-29 Thread Stas Khromoy


hey greg:

you got me there
i was looking at :


Received: from myserver ([127.0.0.1])
by localhost (myserver [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id TnlkYt9U0aRr for myuser;
Wed, 29 Nov 2006 06:09:20 -0500 (EST)
Received: from 218-171-61-71.dynamic.hinet.net
(218-171-61-71.dynamic.hinet.net [218.171.61.71])
by myserver (Postfix) with ESMTP id 76A9DC97AC
for myuser; Wed, 29 Nov 2006 06:09:06 -0500 (EST)
Received: from insersudamerica.com (port=2457 helo=hhdyayyfbpavq)
by 218-171-61-71.dynamic.hinet.net with smtp
id 666-jMbg-4o
for myuser; Wed, 29 Nov 2006 19:08:40 +0800



and i don't see the envelope-from field at all in the header
i can post the full header if that would help


 Original Message  
Subject: Re:spam is marked as user_in_whitelist
From: Greg Skouby [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Date: 11/29/2006 10:27 AM

On Wed, Nov 29, 2006 at 10:22:11AM -0500, Stas Khromoy wrote:
  

*keep getting the following spam
which spamassassin for some reason
gives a score of -100 or -70
keeps saying the user is in whitelist



Subject:* both of those that is of the people, of the Lord your words of
subject :me: a certain man that hear O house of man from among the land 
of our

or other of similar context .. they look like quotes from the bible :)


with offers to buy  some crap  from
s a b a n z e n dot com

X-Spam-Status: No, score=-74.498 tagged_above=-150 required=3
tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818,
HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1,
RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1,
RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75,
SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666,
UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]


i can't think of anything at this point aside from getting rid of the 
old whitelist and starting a new one.






Hi Stas,


I am betting that the envelope-sender is the user that is in the whitelist and you are looking at the from address and thinking that the from address is not in the whitelist. 
We have run into a fair amount of the above situation on our system. I think it might be a good idea to make USER_IN_WHITELIST have a score of ~ -15 instead of ~100.





--Greg


  




Re: sa-update installation

2006-11-29 Thread Odhiambo Washington
* On 29/11/06 15:27 +, Bryan Hepworth wrote:
| Steven Stern wrote:
| Odhiambo Washington wrote:
|   
| Hello List,
| 
| I have successfully (I hope) installed and run sa-update, and
| I see that it installed files in /var/lib/spamassassin/3.001007/
| 
| In my FreeBSD box, I am used to the rules being in 
| /usr/local/share/spamassassin and /usr/local/etc/mail/spamassassin.
| 
| Do I just go out for a cold beer and hope that SA will be reading
| these rules as well?
| 
| What happens when I run sa-update? Does it update the rules files in
| /usr/local/share/spamassassin or what?
| 
| 
| 
| 
| after sa-update runs, restart spamassassin and it will use the new rules
| in /var/lib/spamassassin.
| 
| I have this as a cron job:
| 
| 30 3 * * *  sa-update && spamassassin --lint && /etc/init.d/spamassassin restart
| 
| 
|   
| Perfect
| 
| I was just about to ask what the recommended interval for running 
| sa-update was :-)

Hi Bryan,

It's a good idea to use a different time than the one shown so that the
update servers are not overloaded by the whole world banging them all
at once ;)



-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+==+
|\  _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED]
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+

I don't think so, said Ren'e Descartes.  Just then, he vanished.


Re: sa-update question, kinda

2006-11-29 Thread Theo Van Dinter
On Wed, Nov 29, 2006 at 07:39:10AM -0500, Joe Zitnik wrote:
 I know you can use sa-update to download the new sa-rules as they become
 available.  Are the rules located somewhere that they can be manually
 downloaded as they are updated, kind of like rulesemporium?  I was
 poking around the sa site, but couldn't find updated rules, only full
 releases.

You can download the tarball if you know what update you want,
or you can look in SVN where we generate the tarballs from
(http://svn.apache.org/repos/asf/spamassassin/rules/branches/3.1/)

-- 
Randomly Selected Tagline:
Money doesn't guarantee happiness. But having enough can make life a
 lot less stressful.
 - Robert H. Frank, 
http://www.nytimes.com/2003/12/27/arts/27INTR.html?pagewanted=48hpib




Re: sa-update installation

2006-11-29 Thread Sven Schuster

Hi Steven,

On Wed, Nov 29, 2006 at 07:56:18AM -0600, Steven Stern told us:
 after sa-update runs, restart spamassassin and it will use the new rules
 in /var/lib/spamassassin.

 I have this as a cron job:

 30 3 * * *  sa-update && spamassassin --lint && /etc/init.d/spamassassin restart

I think you don't need the lint here, as sa-update internally does
this for each channel it gets updates for (at least this is what
the source tells me ;-) )


Kind regards,

Sven


 --

   Steve

-- 
Linux zion.homelinux.com 2.6.18-1.2849.fc6xen #1 SMP Fri Nov 10 13:56:52 EST 
2006 i686 athlon i386 GNU/Linux
 16:42:51 up 13 days, 18:00,  3 users,  load average: 0.04, 0.14, 0.26




Re: Moving to folder based upon spamassassin score

2006-11-29 Thread Matthias Häker

For the record, now tested!!


I kicked out the  and the counting is working

Sorry to have spammed you :)


VERBOSE=ON
# setting the level
#trash
TLVL=-20
#quarantine
QLVL=-4
#maybe spam
MLVL=-2
SL=0

# counting stars

:0
* H  ?? ()^X-Spam-Level: \/[*]+
{ SPAMLEVEL=$MATCH }


:0
* 1^1 SPAMLEVEL ?? ()\*
{ } SL = $=


# with this you sort the mail in MBOX files

:0
* $ $SL^0 
* $ $TLVL^0 
/dev/null


:0:
* $ $SL^0 
* $ $QLVL^0 
/var/mail/quarantine


:0:
* $ $SL^0 
* $ $MLVL^0 
/var/mail/maybespam 

#the rest let pass 





Re: Installed FuzzyOCR - What am I missing?

2006-11-29 Thread Chris Purves

Evan Platt wrote:

At 02:56 PM 11/28/2006, you wrote:


Last month there was a discussion thread on this list about that
exact topic. Search either the Apache list archives or the GMANE
archives. For example see:

http://mail-archives.apache.org/mod_mbox/spamassassin-users/200610.mbox/[EMAIL PROTECTED] 



Thanks to everyone especially Decoder, I think I'm up and running.

png is the only one not working.

Any reason NOT to assign 10 points to fuzzy ocr tripped words?


The defaults are already quite high, and don't forget that more points 
are added for more words found. I think the default is one point for 
every word matched, but requiring that at least two words are found. 
Since most of the drug spams have several words, you are usually over 10 
points anyway.


I mean I wouldn't add 10 points just because someone typed the V word in 
an e-mail to me, but I can't think of an instance where I'd expect a GIF 
message with it in it.


Someone might send you a copy of a comic strip about an old guy visiting 
the doctor.  You might miss out on some poor taste humour.


--
Chris



Re: Cronjob with sa-learn

2006-11-29 Thread Chris Purves

Markus Braun wrote:

Hello,

i tried to create a cron job to add spam messages as spamemails.

The following command :

0 1 * * *  vmail sa-learn  --spam 
/var/opt/vmail/.info/oliver/Maildir/.spam/cur *.*


But I get this return:

archive-iterator: readdir found no mail in 'domain1.de' directory
archive-iterator: readdir found no mail in 'domain2.de' directory
Learned tokens from 7 message(s) (460 message(s) examined)


I think you want:

sa-learn --spam /var/opt/vmail/.info/oliver/Maildir/.spam/cur/*

--
Chris



Re: Why no bayes? [FIXED]

2006-11-29 Thread Dave Augustus
YMMV- I am not sure the *proper* way to do this (but I am glad there is
no registry- :) ).

Here ya go!

find /usr/lib/perl5 -name SpamAssassin.pm

I have deleted mine but you should have 2 listings:

/usr/lib/perl5/site-perl/5.8.5/Mail/SpamAssassin.pm
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin.pm

The site-perl is, I believe, the location where cpan installs. I can
confirm this by doing the following

find where the rpm installs to:
rpm -q spamassassin -l|grep SpamAssassin.pm

result:
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin.pm


The location should be one of those 2 entries and THAT is the one you
want to keep. 

I then, for safety's sake, moved the non-rpm version, located at 
/usr/lib/perl5/site-perl/5.8.5/Mail

mv /usr/lib/perl5/site-perl/5.8.5/Mail /root/spamassassin_Mail

Finally, run /usr/sbin/amavisd -d bayes debug-sa as user amavis;
it should show no errors about version mismatches. There may be other
errors particular to your installation. I got some based on specific
rules not having something but nothing about entire CF files not being
used.

If there is a better PERL way of doing this, I would appreciate anything
offered in that regard.

BTW- I think that this happened because a yum dependency wasn't
available via yum so I used CPAN(site-perl) to meet the dependency.
Later, yum got the dependency and installed it into vendor-perl.


Hope it helps!

Dave Augustus

On Tue, 2006-11-28 at 19:27 -0800, Quinn Comendant wrote:
 How did you uninstall the cpan version? Just for the hell of it I ran the 
 same test you did and I also have two versions installed (although my SA is 
 running fine). I should uninstall the unused version, no?
 
 Quinn
 
 On Tue, 28 Nov 2006 14:53:49 -0600, Dave Augustus wrote:
  TADA! 2 installs- the one in site-perl must have come from cpan.



Re: tagging based on score level

2006-11-29 Thread Kelson

beast wrote:
Is it possible to make different tag for a different score/classes, for 
example:


high: [SPAM!!!]  if score > 50
medium: [SPAM!!]  if score between 20 - 50
low: [SPAM]  if score between threshold - 20


Depends on how you're calling SpamAssassin and whether SA is doing the 
markup or the calling program is.


I don't think SA has this functionality itself, but if you're calling it 
with a program like MIMEDefang or Amavisd-new, you have a lot more 
flexibility.


With MIMEDefang, for instance, you would do something like this in 
filter_end after calling SpamAssassin.  ($hits is the message's score, 
$req is the spam threshold)


# Pick the Subject tag from the highest band the score reaches
if ($hits >= 50) {
    action_change_header("Subject", "[SPAM!!!] $Subject");
}
elsif ($hits >= 20) {
    action_change_header("Subject", "[SPAM!!] $Subject");
}
elsif ($hits >= $req) {
    action_change_header("Subject", "[SPAM] $Subject");
}

--
Kelson Vibber
SpeedGate Communications www.speed.net


Naive Keyword Filtering Considered Harmful (was Re: Anyone else seeing this)

2006-11-29 Thread Kelson
This is due to automatic rules that have determined that the 
message is probably Porn related junk email.  If you believe the message was 
business related please contact [EMAIL PROTECTED] and request
that the message be released.  If no contact is made within 4 
days the message will automatically be deleted.


Yet another example of why rejecting/blocking based solely on keywords 
without considering context is a Bad Idea(tm).


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: Anyone else seeing this (remove user from list?)

2006-11-29 Thread John D. Hardin
On Wed, 29 Nov 2006, Matt Kettler wrote:

 I personally vote for the removal of this user until they learn to
 disable their content filter, or at least make it do the right
 thing and not respond to messages with Precedence: bulk or list.

+1

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Bother, said Pooh as he struggled with /etc/sendmail.cf, it never
  does quite what I want. I wish Christopher Robin was here.
   -- Peter da Silva in a.s.r
---
 26 days until Christmas



Number of email addresses in whitelist_from

2006-11-29 Thread David Cross
SA version is 3.1.7 on Linux.

In a user's prefs file, is there an upper limit/maximum number of email
addresses using whitelist_from?

A user wishes to add about 5000 email addresses from his entire contact
database.

What is the limit? Can a simple text file be maintained in which any email
addresses are considered whitelisted?

Thanks




RE: optional score in local.cf is not working

2006-11-29 Thread Dan Horne
As has been stated multiple times, Amavisd-new does NOT use spamd.  Just
try out this little test, m'kay?  Stop spamd.  Don't restart it, just
stop it.  Now see if amavisd is still scanning for spam.  What's that?
It is?  Whodathunkit!  That's why you need to restart amavisd to reload
changed config files.

You should stop spamd from starting automatically, as it is just a waste
of resources since you are using amavisd-new.

 -Original Message-
 From: Leon Kolchinsky [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, November 29, 2006 8:53 AM
 To: Nigel Frankcom; users@spamassassin.apache.org
 Subject: RE: optional score in local.cf is not working
 
 Hi,
 
 OK.
 I did some manual tests and indeed changes in local.cf only 
 catching then I restart amavis.
 
 # /etc/init.d/amavis restart
 Shutting down virus-scanner (amavisd-new):Daemon [9905] 
 terminated by SIGTERM
   
 done
 Starting virus-scanner (amavisd-new): 
 done
 
 When I restart only spamd no change in local.cf is catching.
 
 
 I don't really understand why?
 
 Mark Martinec said that amavisd-new can't call spamd 
 
 So, let me get this straight:
 -
 This is how I see the work of amavis+spamd+clamd:
 
 1. As I see it amavis talk to spamd (spamassassin) and clamd 
 (ClamAV) via appropriate sockets or TCP ports.
 In my case -
 To clamd via /var/lib/clamav/clamd-socket (I can see it in 
 amavisd.conf) To spamd ? (I don't know how to check it)
 
 2. Any configuration change I make to clamd and spamd take 
 power only when I restart the daemons themselves.
 
 3. But according to Matt Kettler response and my testings, 
 any change to local.cf require amavis restart.
 
 # /etc/init.d/amavis restart
 Shutting down virus-scanner (amavisd-new):Daemon [9905] 
 terminated by SIGTERM
   
 done
 Starting virus-scanner (amavisd-new): 
 done
 
 
 What is going on?
 Where I can validate config options of amavis to make sure 
 the way it works?
 
 
 
 P.S.:
 
 
 This is taken from /etc/init.d/amavis:
 --
 AMAVISD_BIN=/usr/sbin/amavisd
 AMAVIS_MILTER_BIN=/usr/sbin/amavis-milter
 echo -n Starting virus-scanner (amavisd-new):
 $AMAVISD_BIN start
 if ! checkproc amavisd; then
rc_failed 7
 fi
 rc_status -v
 if [ $AMAVIS_SENDMAIL_MILTER == yes ]; then
 rc_reset
 echo -n Starting amavis-milter:
 startproc -u vscan $AMAVIS_MILTER_BIN -p 
 local:/var/run/amavis/amavis-milter.sock  /dev/null 21
 rc_status -v
 
 
 This is taken from /etc/init.d/spamd:
 -
 # Short-Description: Start the spamassassin daemon 
 SPAMD_BIN=/usr/sbin/spamd PIDFILE=/var/run/spamd.pid 
 startproc -p $PIDFILE $SPAMD_BIN $SPAMD_ARGS -r $PIDFILE
 
 
 This is taken from /etc/amavisd.conf:
 -
 @av_scanners = (
 ### http://www.clamav.net/
 ['ClamAV-clamd',
   \ask_daemon, [CONTSCAN {}\n, /var/lib/clamav/clamd-socket],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
 
 
 
 -Original Message-
 From: Nigel Frankcom [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, November 29, 2006 10:21 AM
 To: users@spamassassin.apache.org
 Subject: Re: optional score in local.cf is not working
 
 On Wed, 29 Nov 2006 10:10:58 +0200, Leon Kolchinsky
 [EMAIL PROTECTED] wrote:
 
 Hi,
 
 I thought I was wrong and amavis restart didn't really 
 helped there, but there is an update for this problem I had 
 with configuration in local.cf not catching.
 
 It seems that only when I do /etc/init.d/amavis restart, all 
 configs in local.cf are coming intact.
 
 I've used to an old version of amavis and SA on Suse, where 
 you would only do changes to local.cf and spamd restart.
 
 1) So, my question is - Is this a normal behavior? 
 2) For every change in local.cf should I do now only amavis 
 restart and no spamd restart?
 
 
 
 Regards,
 Leon
 
 -Original Message-
 From: Mark Martinec [mailto:[EMAIL PROTECTED]
 Sent: Sunday, November 26, 2006 10:54 PM
 To: users@spamassassin.apache.org
 Subject: Re: optional score in local.cf is not working
 
 On Sunday November 26 2006 20:25, Matt Kettler wrote:
   Erm.. are you sure? I thought amavisd-new called SA directly at 
   the API layer, not via spamd...
  I didn't even realize amavis *could* use spamd, every 
 amavis person 
  I've talked to on the list isn't using it.
 
 amavisd-new can't call spamd, there is no configuration option to do 
 so, and no code to support it.
 
 spamc/spamd could be used (if desired/needed) by 
 implementing 

HTML Source Rule

2006-11-29 Thread Bob Newhart

Hello, I was wondering if there is a way to write a rule for HTML
source code contained in an email. I am getting many of these Buy
This Stock emails and I am finding that the pictures contained in
them all have a portion of a line of source that says...

src=cid:

Thanks in advance for any help anyone may be able to provide.

--
Jason Broyles

Use Linux, it's free.


Stock Spam

2006-11-29 Thread san

Hi All,

I am receiving a lot of stock related spam mails which spam assassin is not
able to catch as spam. I have added Sare_stcok.cf file. I can't use imageinfo,
fuzzy ocr as I am using 2.60 ver of spam assassin I think. I have enclosed
the undecoded letter mail of one kind below. Can you please help me to make
this kind of mails as spam. 

X-Real-To: anyname
Return-Path: [EMAIL PROTECTED]
Received: by some.com (CommuniGate Pro PIPE 5.1.1)
  with PIPE id 1368603; Mon, 27 Nov 2006 17:39:57 -0600
Received: from [EMAIL PROTECTED]
  by mail.seatoncorp.com (CommuniGate Pro GROUP 5.1.1)
  with GROUP id 1368364; Mon, 27 Nov 2006 17:38:31 -0600
X-Autogenerated: group
Received: from 84-120-14-114.onocable.ono.com ([84.120.14.114] verified)
  by some.com (CommuniGate Pro SMTP 5.1.1)
  with ESMTP id 1368200 for [EMAIL PROTECTED]; Mon, 27 Nov 2006
17:37:50 -0600
Received-SPF: neutral
 receiver=some.com; client-ip=XX.XX.XX.XX; [EMAIL PROTECTED]
Received: from [131.121.84.151] (port=5734 helo=JMfieKIKDzZ)
by qMfMKKYkDTw with asmtp
id bhqPeb-KhbbzT-07
for [EMAIL PROTECTED]; Tue, 28 Nov 2006 00:38:20 +0100
Date: Tue, 28 Nov 2006 00:37:46 +0100
From: reserved [EMAIL PROTECTED]
X-Mailer: The Bat! (v3.0) Professional
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED]@some.com
To: [EMAIL PROTECTED]
Subject: Delay Albert Strategist
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary=--305E3064BA67
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on 
evg60ms_email.seatoncorp.com
X-Spam-Status: No, hits=4.1 required=4.5 tests=HTML_20_30,HTML_MESSAGE,
HTML_TITLE_EMPTY,RATWR9_MESSID,SARE_MSGID_DBL_AT,Seaton_Signup,TW_TV,
TW_VP,TW_YD autolearn=no version=2.60
X-Spam-Level: 
X-TFF-CGPSA-Filter: Scanned
X-TFF-CGPSA-Version: 1.2.5

305E3064BA67
Content-Type: multipart/alternative;
 boundary=--EF0BA740CEFEF7D2


EF0BA740CEFEF7D2
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hoffman head rands office leading expert returns think. Eroding getting,
steeper say! Older americans improved shows, findings good? Sd encoder
simple styles videowave sorry. Half awardsjune social delivery systems far
apart, medicare. Easy dvdit, pro mydvd essentials premeier photosuite,
primetime.
Copy inc, all rights reserved privacy use press gt.
Charles deborah hensler, becomes senior fellow. Reassuring individual alan
charles deborah hensler becomes. Urge equals between trustees elects.
Unless accept following terms provided site are.
Elects paul reform act fails slash delay albert strategist. Rom formatter
roxio creator? You can get yearmore than gift. Clare ellinger director,
human, sentencing laws undermine control goals. Angeles mayor richard
riordan deliver launches. Firm memo financial reporters. Training admissions
people life after. Trends indicate need natalie.
Accept following terms provided site?
Service wide range private venture is. Admissions people life after events
calendar?
Minimums strategy curbs crimemay writers re icj economic! Economy eroding,
getting, steeper say trends indicate need. Pricestips tvpopular networks
pswiixbox, pussycat dollsfree!
On, amp, trickscnet, tvcompare prices plustm shields.
Results both reassuring individual. Bust ignore continuing many countries
term.
Bf log, in sign upwhy.
Impact class action tobacco lawsapril that heart.
High grades india pakistan nuclear explosions, were detected.
Chairjune ticking, time bomb, shrink commission urges. Burnersdvd toolshome
toolsmedia find the, perfect gadget. Cebit support enterprise affiliate
program legal leader decoder.
Slight previous estimates greatly overstate effects.
Way as do obtain ownership right. Public safety science technology. Moment
will be redirected to latest version of. Technology, substance abuse
terrorism homeland workforce workplace, current!
EF0BA740CEFEF7D2
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit


Re: Stock Spam

2006-11-29 Thread Theo Van Dinter
On Wed, Nov 29, 2006 at 02:33:02PM -0800, san wrote:
> able catch as spam. I have added Sare_stcok.cf file. I can't use imageinfo,
> fuzzy ocr as I am using 2.6o ver of spam assassin I think. I have enclosed
> the undecoded letter mail of one kind below. Can you plz help me to make
> this kind of mails as spam.

Upgrade to 3.1.7, then use sa-update.  2.6x is ancient.

-- 
Randomly Selected Tagline:
A way out of financial mess is discovered as if by magic!
  - stupid fortune cookie




Re: Stock Spam

2006-11-29 Thread san

Yes that's true but as of now in my office we are using 2.6x. Is there any
rules to catch in 2.6x?
Right now the score it is generating is more than 3 and need another 2 to
mark as spam.





RE: HTML Source Rule

2006-11-29 Thread Bret Miller
> Hello, I was wondering if there is a way to write a rule for
> HTML source code contained in an email. I am getting many of
> these Buy This Stock emails and I am finding that the
> pictures contained in them all have a portion of a line of
> source that says...
>
> src=cid:
>
> Thanks in advance for any help anyone may be able to provide.

So does every message sent from Outlook that includes an image. I'd
suspect that you'd end up rejecting a lot of legitimate e-mail, unless
no one that sends you e-mail uses Outlook or Outlook Express...

Bret





RE: Stock Spam

2006-11-29 Thread Giampaolo Tomassoni
> From: san [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 29, 2006 11:33 PM
> To: users@spamassassin.apache.org
> Subject: Stock Spam
>
> Hi All,
>
> I am receiving lot of stock related spam mails which spam assassin is not
> able catch as spam. I have added Sare_stcok.cf file. I can't use imageinfo,
> fuzzy ocr as I am using 2.6o ver of spam assassin I think. I have enclosed
> the undecoded letter mail of one kind below. Can you plz help me to make
> this kind of mails as spam.

These are the scores it would get on a 3.1.7 + some sare rules:

 1.9 MSGID_MULTIPLE_AT      Message-ID contains multiple '@' characters
 0.8 FH_HOST_EQ_D_D_D_D     Host starts with d-d-d-d
 0.9 FH_HOST_EQ_D_D_D_DB    Host is d-d-d-d
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 1.6 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
 1.1 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
                            [SPF failed: Please see http://www.openspf.org/why.html?sender=how%40sotelrostov.ru&ip=84.120.14.114&receiver=ns2.edlui.it]
 0.1 TW_YD                  BODY: Odd Letter Triples with YD
 0.1 TW_VP                  BODY: Odd Letter Triples with VP
 0.1 TW_TV                  BODY: Odd Letter Triples with TV
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.2 TVD_FW_GRAPHIC_ID2     BODY: TVD_FW_GRAPHIC_ID2
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.2 HTML_TITLE_EMPTY       BODY: HTML title contains no text
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [84.120.14.114 listed in dnsbl.sorbs.net]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [84.120.14.114 listed in sbl-xbl.spamhaus.org]
 2.0 FM__TIMES_2            Dual helo + host eq d_d_d_d

I have fuzzyocr, but it doesn't even need to be invoked: this mail scores 
enough to be just thrown away...



RE: Stock Spam

2006-11-29 Thread san

Thanks for ur inputs. when i put across SA this is what i get on my pc..
Content analysis details:   (2.3 points, 4.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 Local_Signup           BODY: Body mentions Sign up
 0.1 TW_TV                  BODY: Odd Letter Triples with TV
 0.1 TW_VP                  BODY: Odd Letter Triples with VP
 0.1 TW_YD                  BODY: Odd Letter Triples with YD
 0.5 HTML_20_30             BODY: Message is 20% to 30% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 HTML_TITLE_EMPTY       BODY: HTML title contains no text



RE: Stock Spam

2006-11-29 Thread Giampaolo Tomassoni
> From: san [mailto:[EMAIL PROTECTED]
> Thanks for ur inputs. when i put across SA this is what i get on my pc..
> Content analysis details:   (2.3 points, 4.5 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.0 Local_Signup           BODY: Body mentions Sign up
>  0.1 TW_TV                  BODY: Odd Letter Triples with TV
>  0.1 TW_VP                  BODY: Odd Letter Triples with VP
>  0.1 TW_YD                  BODY: Odd Letter Triples with YD
>  0.5 HTML_20_30             BODY: Message is 20% to 30% HTML
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.5 HTML_TITLE_EMPTY       BODY: HTML title contains no text

It's time to switch to 3.1.7, San. Isn't it? :)

giampaolo


 
 

Re: HTML Source Rule

2006-11-29 Thread Kelson

Bret Miller wrote:
>> pictures contained in them all have a portion of a line of
>> source that says...
>>
>> src=cid:
>>
>> Thanks in advance for any help anyone may be able to provide.
>
> So does every message sent from Outlook that includes an image. I'd
> suspect that you'd end up rejecting a lot of legitimate e-mail, unless
> no one that sends you e-mail uses Outlook or Outlook Express...


Actually, I believe any email with embedded* images, regardless of the 
sending software, will contain that fragment.  cid: is the protocol for 
identifying a resource in another MIME part of the same document.


I've got one in my inbox right now that was sent from Thunderbird.


*Embedded meaning that they appear inline in the message body and the 
data is included in the message, not retrieved from a remote server.


--
Kelson Vibber
SpeedGate Communications www.speed.net
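
As an added illustration of the point made in the replies above (not code from any poster or from SpamAssassin), this Python example builds a constructed, legitimate message with one inline image, shows that a bare src=cid: match fires on it, and resolves each cid: reference to the MIME part carrying the matching Content-ID. The addresses, the function names and the placeholder image bytes are assumptions made for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import unquote

# src=cid:... inside HTML, with or without quotes around the attribute value.
CID_REF = re.compile(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", re.IGNORECASE)


def build_sample() -> bytes:
    """Constructed, legitimate message: text + HTML alternative, one inline image."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Floor plan"
    msg.set_content("The floor plan is shown inline in the HTML version.")
    msg.add_alternative(
        "<html><body><p>Floor plan:</p>"
        '<img src="cid:plan1@example.org"></body></html>',
        subtype="html",
    )
    fake_png = b"\x89PNG\r\n\x1a\n" + bytes(32)  # placeholder bytes, not a real image
    # Turn the HTML part into multipart/related and attach the image beside it.
    msg.get_payload()[1].add_related(fake_png, "image", "png", cid="<plan1@example.org>")
    return msg.as_bytes()


def html_bodies(msg):
    """Decoded text of every text/html part (transfer encoding already removed)."""
    return [p.get_content() for p in msg.walk() if p.get_content_type() == "text/html"]


def naive_rule_hits(raw: bytes) -> bool:
    """The rule asked about in the thread: does the HTML contain src=cid: at all?"""
    msg = message_from_bytes(raw, policy=policy.default)
    return any(CID_REF.search(html) for html in html_bodies(msg))


def cid_report(raw: bytes) -> dict:
    """Map every cid: reference in the HTML to the part with that Content-ID."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = {}
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid and not part.is_multipart():
            key = str(cid).strip().strip("<>")
            parts[key] = (part.get_content_type(), len(part.get_content()))
    # cid: URLs may be percent-encoded, Content-ID headers are not.
    refs = [unquote(r) for html in html_bodies(msg) for r in CID_REF.findall(html)]
    return {
        "refs": refs,
        "resolved": {r: parts[r] for r in refs if r in parts},
        "dangling": [r for r in refs if r not in parts],
    }


if __name__ == "__main__":
    sample = build_sample()
    print("src=cid: present:", naive_rule_hits(sample))
    print(cid_report(sample))
```

The legitimate sample produces the same src=cid: hit as the stock mails, so the reference by itself carries no signal; the part it resolves to is where any image-specific check has to look.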


Re: SA Rule

2006-11-29 Thread Loren Wilton

> for mangled viagra and other stuff ..is there any simple rule??
> such as following text...


Mangled rules are never simple rules.  The SARE rules contain a lot of 
these, as does the antidrug stuff in SA itself.  It may be that these 
specific cases aren't caught though.


   Loren



Re: HTML Source Rule

2006-11-29 Thread Loren Wilton

> This Stock emails and I am finding that the pictures contained in
> them all have a portion of a line of source that says...
>
> src=cid:


*ANY* inline image of any sort is going to contain that tag.  That is what 
links to the other mime section containing the image.


There are quite a number of rules for image stock spams.  The ImageInfo and 
FuzzyOCR plugins also help quite a lot in these cases, as do many SARE rules 
and the network rules.


   Loren



Re: Stock Spam

2006-11-29 Thread Jonathan Nichols




> It's time to switch to 3.1.7, San. Isn't it? :)
>
> giampaolo


It was time a long time ago. :-)

The upgrade is good. sa-update is a useful tool.


RE: Stock Spam

2006-11-29 Thread san

Yeah Giampaolo. With 3.1x it should be alright. But my superior is still
sticking to the old one..:(



Re: Stock Spam

2006-11-29 Thread Loren Wilton

> I am receiving lot of stock related spam mails which spam assassin is not
> able catch as spam. I have added Sare_stcok.cf file. I can't use imageinfo,
> fuzzy ocr as I am using 2.6o ver of spam assassin I think. I have enclosed
> the undecoded letter mail of one kind below. Can you plz help me to make
> this kind of mails as spam.


Image spams are hard to catch using normal header and body rules, especially 
when they don't have any urls in the body.  Enabling network tests and 
installing the patch for the URIBL will probably help some.


   Loren



Re: HTML Source Rule

2006-11-29 Thread Richard Frovarp

Bret Miller wrote:

>> Hello, I was wondering if there is a way to write a rule for
>> HTML source code contained in an email. I am getting many of
>> these Buy This Stock emails and I am finding that the
>> pictures contained in them all have a portion of a line of
>> source that says...
>>
>> src=cid:
>>
>> Thanks in advance for any help anyone may be able to provide.
>
> So does every message sent from Outlook that includes an image. I'd
> suspect that you'd end up rejecting a lot of legitimate e-mail, unless
> no one that sends you e-mail uses Outlook or Outlook Express...
>
> Bret




  


I have a few legit messages that are scoring over 5.0 due to SARE_STOCKS 
and the TVD rules to catch stocks, and this is after ALL_TRUSTED has 
done its work to reduce the score. These messages of course have inline 
images and are being sent via Outlook Express. Some of the scores on 
those rules are over 2.0. I have started to reduce the scores, as the 
stock messages I get usually have header problems and hit on Razor as 
well. I've seen legit messages fire the MY_CID set of rules enough to 
rack up a score of over 7.0 from those rules alone.


Re: Stock Spam

2006-11-29 Thread Loren Wilton

> Thanks for ur inputs. when i put across SA this is what i get on my pc..
> Content analysis details:   (2.3 points, 4.5 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.0 Local_Signup           BODY: Body mentions Sign up
>  0.1 TW_TV                  BODY: Odd Letter Triples with TV
>  0.1 TW_VP                  BODY: Odd Letter Triples with VP
>  0.1 TW_YD                  BODY: Odd Letter Triples with YD
>  0.5 HTML_20_30             BODY: Message is 20% to 30% HTML
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.5 HTML_TITLE_EMPTY       BODY: HTML title contains no text


As Theo mentioned, 2.6 is ancient.  You really can't expect a set of rules 
and tools written, what, 2-3 years ago? to keep up with spammer tricks that 
change every day.  If 2.6 was up to it, there would have been no reason to 
make the newer versions of SA!



>  1.1 SPF_NEUTRAL            SPF: sender does not match SPF record
>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP
>  3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL


That said, it appears that you aren't running either Bayes or network tests. 
Bayes_99 has always been a real good way to get rid of spam.  Here it is 3.5 
points.  On 2.6 I think it was closer to 4.0 points or maybe more.  Note 
there is also another 7+ points to be had from network tests, all of which 
(except maybe SPF) are available in 2.6.


   Loren



Re: Stock Spam

2006-11-29 Thread san

Thanks loren..let me invoke bayes and try it out




Re: HTML Source Rule

2006-11-29 Thread Kenneth Porter
--On Wednesday, November 29, 2006 5:17 PM -0600 Richard Frovarp 
[EMAIL PROTECTED] wrote:



> I have a few legit messages that are scoring over 5.0 due to SARE_STOCKS
> and the TVD rules to catch stocks, and this is after ALL_TRUSTED has done
> its work to reduce the score. These messages of course have inline images
> and are being sent via Outlook Express. Some of the scores on those rules
> are over 2.0. I have started to reduce the scores, as the stock messages
> I get usually have header problems and hit on Razor as well. I've seen
> legit messages fire the MY_CID set of rules enough to rack up a score of
> over 7.0 from those rules alone.


Can you attach a sample? Perhaps the sender can be convinced to change the 
format to make the message look less spammy.





Re: SA Rule

2006-11-29 Thread John D. Hardin
On Wed, 29 Nov 2006, Loren Wilton wrote:

>> for mangled viagra and other stuff ..is there any simple rule??
>> such as following text...
>
> Mangled rules are never simple rules.

I have a perl script that will take a word list and generate REs for
obfuscated versions of those words.

 http://www.impsec.org/~jhardin/antispam

Examples:

# cialas @  3.0
describeOBFU_WRD_021obfuscated cialas
bodyOBFU_WRD_021
/\b(?!cialas)(?:(?:(?:[c\xA2\xA9\xAB\xC7\xE7]|\#(?:67|99);){1,2}['\.~*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|i[a-z]+;){1,2}['\.~*^]?(?:[EMAIL
 
PROTECTED]|\/\\|a[a-z]+;){1,2}['\.~*^]?(?:[l1i!\|\xCC-\xCF]|(\|_)|\#(?:76|108);){1,2}['\.~*^]?(?:[EMAIL
 
PROTECTED]|\/\\|a[a-z]+;){1,2}['\.~*^]?(?:[s5z\$\xA6\xA7\xA8]|\#(?:83|115);))|(?:c\s?i\s?a\s?l\s?a\s?s))/i
score   OBFU_WRD_0213.0

# cialis @  3.0
describeOBFU_WRD_022obfuscated cialis
bodyOBFU_WRD_022
/\b(?!cialis)(?:(?:(?:[c\xA2\xA9\xAB\xC7\xE7]|\#(?:67|99);){1,2}['\.~*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|i[a-z]+;){1,2}['\.~*^]?(?:[EMAIL
 
PROTECTED]|\/\\|a[a-z]+;){1,2}['\.~*^]?(?:[l1i!\|\xCC-\xCF]|(\|_)|\#(?:76|108);){1,2}['\.~*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|i[a-z]+;){1,2}['\.~*^]?(?:[s5z\$\xA6\xA7\xA8]|\#(?:83|115);))|(?:c\s?i\s?a\s?l\s?i\s?s))/i
score   OBFU_WRD_0223.0

# levitra @ 3.0
describe OBFU_WRD_089 obfuscated levitra
body     OBFU_WRD_089 /\b(?!levitra)(?:(?:(?:[l1i!\|\xCC-\xCF]|(\|_)|\#(?:76|108);){1,2}['\.~*^]?(?:[e3\xBC\xBD\xC6\xC8-\xCB\xE6\xE8-\xEB]|e[a-z]+;){1,2}['\.~*^]?(?:v|(\\\/)|\#(?:86|118);){1,2}['\.~*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|i[a-z]+;){1,2}['\.~*^]?(?:[t\xA3\xB1]|\#(?:84|116);){1,2}['\.~*^]?(?:r|\#(?:82|114);){1,2}['\.~*^]?(?:[EMAIL PROTECTED]|\/\\|a[a-z]+;))|(?:l\s?e\s?v\s?i\s?t\s?r\s?a))/i
score    OBFU_WRD_089 3.0

# viagra @  2.5
describe OBFU_WRD_184 obfuscated viagra
body     OBFU_WRD_184 /\b(?!viagra)(?:(?:(?:v|(\\\/)|\#(?:86|118);){1,2}['\.~*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|i[a-z]+;){1,2}['\.~*^]?(?:[EMAIL PROTECTED]|\/\\|a[a-z]+;){1,2}['\.~*^]?(?:[gq]|\#(?:71|103);){1,2}['\.~*^]?(?:r|\#(?:82|114);){1,2}['\.~*^]?(?:[EMAIL PROTECTED]|\/\\|a[a-z]+;))|(?:v\s?i\s?a\s?g\s?r\s?a))/i
score    OBFU_WRD_184 2.5

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Bother, said Pooh as he struggled with /etc/sendmail.cf, it never
  does quite what I want. I wish Christopher Robin was here.
   -- Peter da Silva in a.s.r
---
 26 days until Christmas
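
The idea behind the generated rules above (one character class per letter, an optional filler character between letters, and a negative lookahead that exempts the plain spelling), as an added Python example. It is not John Hardin's Perl script; the look-alike table, the rule name used in the test and the function names are constructed for illustration.

```python
import re

# Constructed, deliberately small look-alike table (assumption: not the
# table used by the script referenced in the post).
LOOKALIKES = {
    "a": "a@4",
    "c": "c(",
    "e": "e3",
    "g": "gq9",
    "i": "i!l1|",
    "l": "l1i!|",
    "r": "r",
    "s": "s5z$",
    "t": "t+7",
    "v": "v",
}
SEPARATOR = r"['.~*^_\-]?"   # at most one filler character between letters


def letter_class(ch):
    """Character class matching ch or one of its look-alikes, once or twice."""
    chars = LOOKALIKES.get(ch, ch)
    return "[" + "".join(re.escape(c) for c in chars) + "]{1,2}"


def obfuscation_regex(word):
    """Build a regex for disguised spellings of word, skipping the plain one."""
    core = SEPARATOR.join(letter_class(c) for c in word)
    spaced = r"\s?".join(re.escape(c) for c in word)
    # (?!word\b) exempts the plain spelling, so only obfuscation is scored.
    pattern = r"\b(?!%s\b)(?:%s|%s)" % (re.escape(word), core, spaced)
    return re.compile(pattern, re.I)


def sa_rule(name, word, score):
    """Render the three SpamAssassin config lines for one word."""
    pattern = obfuscation_regex(word).pattern.replace("/", r"\/")
    return "\n".join([
        "describe %s obfuscated %s" % (name, word),
        "body     %s /%s/i" % (name, pattern),
        "score    %s %.1f" % (name, score),
    ])
```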



Score=x+5

2006-11-29 Thread Alan Munday

I've just seen a mail marked as spammy (amavisd-new) where the score header had 
Score=x+5 where x was the sum of the SA tests.

X-Spam-Status:  Yes, score=0.917+5 tagged_above=0 required=5 
tests=[AWL=0.727,BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.01, 
FORGED_RCVD_HELO=0.135,HTML_MESSAGE=0.001, P0F_UNIX=-0.001, 
SARE_HTML_MANY_BR05=0.5,SARE_HTML_TD_BR=0.934, SARE_UNA=1.231, SPF_PASS=-0.001]

I'm curious as to where the 5 came from as the mail report does not look like spam: 


Content analysis details:   (0.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 P0F_UNIX               OS fingerprint BSD/Solaris/HP-UX/Tru64
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
-0.0 SPF_PASS               SPF: sender matches SPF record
-0.0 BOTNET_SERVERWORDS     Hostname contains server-like substrings
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.]
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.2 SARE_UNA               RAW: SARE_UNA
 0.9 SARE_HTML_TD_BR        FULL: Multiple line breaks in spammer pattern
 0.5 SARE_HTML_MANY_BR05    Tooo many br's!
 0.7 AWL                    AWL: From: address is in the auto white-list



I've not seen this before (in over 4 years) and could not see an answer from a 
quick search.

Thanks

Alan


Re: Fetchmail/sa-learn timeout (config included) --SOLVED

2006-11-29 Thread Ian Pattison
Turned out to just be a bad message in my IMAP folder. Deleted that one and the 
rest came through.

 Ian Pattison [EMAIL PROTECTED] 28/11/2006 23:23 
Hi All,

Forgot to include the config last time

SuSE 10.1
Spamassassin 3.1.7 (Built from source tarballs)
Fetchmail 6.3.2
IMAP server is GroupWise 6.5, on same segment

I've been fighting with sa-learn all day and need some help here.

I'm using fetchmail to pull spam messages from a remote IMAP server and 
classify them with sa-learn. So far it's not working well. Fetchmail will 
download the first message and feed it to sa-learn. Sa-learn will process 
cleanly right through until the end of the expire process then will hang for 
300 seconds, give an error that fetchmail has timed out, proceed to profile the 
one message it has received and then terminate.

This is a new installation, clean empty databases and I'm at a loss right now. 
Packet scans show no requests to/from the IMAP server during the 300 second 
hang time. I've attached a transcript of the output (-D used).

Anyone have any ideas?

Ian




MailMarshal at csg.com.au

2006-11-29 Thread John D. Hardin

Can we *please* get csg.com.au unsubscribed?

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Bother, said Pooh as he struggled with /etc/sendmail.cf, it never
  does quite what I want. I wish Christopher Robin was here.
   -- Peter da Silva in a.s.r
---
 26 days until Christmas

-- Forwarded message --
Date: Thu, 30 Nov 2006 11:17:50 +0930
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Your email message was blocked

MailMarshal (an automated content monitoring gateway) has 
stopped the following email for the following reason:

It believes it may contain unacceptable language, or inappropriate material.

   Message: B0003dbe6d.0001.mml
   From:[EMAIL PROTECTED]
   To:  [EMAIL PROTECTED]
   Subject: Re: Your email message was blocked

Please remove any inappropriate language and send it again.

The blocked email will be automatically deleted after 4 days.

MailMarshal Rule: CSG Bothways : Block Unacceptable Language
Script Offensive Language (Basic) Triggered in Body
Expression: [elided] Triggered 1 times weighting 5

For more information on email virus scanning, security and content 
management, visit http://www.marshalsoftware.com




Re: Installed FuzzyOCR - What am I missing?

2006-11-29 Thread David B Funk
On Tue, 28 Nov 2006, Evan Platt wrote:

 Thanks to everyone especially Decoder, I think I'm up and running.

 png is the only one not working.

 Any reason NOT to assign 10 points to fuzzy ocr tripped words?

 I mean I wouldn't add 10 points just because someone typed the V word
 in an e-mail to me, but I can't think of an instance where I'd expect
 a GIF message with it in it.

You -do- understand that the 'fuzzy' part of FuzzyOCR means that it
does inexact matching on the characters that it pulls out of an
image. So for example, a college newsletter that I received which
had a school logo image fired on FuzzyOCR claiming to match company.

I've also seen it fire on things such as an airline ticket confirmation
notice, a religious newsletter, and a technical bulletin. Just one
word for each, which with the default score wasn't enough to tag
as spam but with a score of 10 a guaranteed FP.

Dave

-- 
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: Score=x+5

2006-11-29 Thread Matt Kettler
Alan Munday wrote:
 I've just seen a mail marked as spammy (amavisd-new) where the score
 header had Score=x+5 where x was the sum of the SA tests.

 X-Spam-Status: Yes, score=0.917+5 tagged_above=0 required=5
 tests=[AWL=0.727,BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.01,
 FORGED_RCVD_HELO=0.135,HTML_MESSAGE=0.001, P0F_UNIX=-0.001,
 SARE_HTML_MANY_BR05=0.5,SARE_HTML_TD_BR=0.934, SARE_UNA=1.231,
 SPF_PASS=-0.001]

 I'm curious as to where the 5 came from as the mail report does
 not look like spam: 

My guess would be amavis's soft-blacklist feature.
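
Reading the quoted header as a SpamAssassin score plus a separately added boost, as an added Python example (not amavisd-new's code). The parser and its names are constructed here, and treating `+5` as a per-sender boost is an assumption that follows the guess in the reply above.

```python
import re
from decimal import Decimal

# The header quoted in the thread, unfolded onto one line.
HEADER = ("Yes, score=0.917+5 tagged_above=0 required=5 "
          "tests=[AWL=0.727,BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.01, "
          "FORGED_RCVD_HELO=0.135,HTML_MESSAGE=0.001, P0F_UNIX=-0.001, "
          "SARE_HTML_MANY_BR05=0.5,SARE_HTML_TD_BR=0.934, SARE_UNA=1.231, "
          "SPF_PASS=-0.001]")


def parse_spam_status(value):
    """Split an X-Spam-Status value of the form score=x+y into its parts."""
    m = re.search(r"score=(-?[\d.]+)([+-][\d.]+)?", value)
    if not m:
        raise ValueError("no score= field")
    sa_score = Decimal(m.group(1))
    boost = Decimal(m.group(2) or "0")      # assumed: boost added outside SA
    required = Decimal(re.search(r"required=(-?[\d.]+)", value).group(1))
    tests_field = re.search(r"tests=\[([^\]]*)\]", value)
    tests = {}
    for item in (tests_field.group(1).split(",") if tests_field else []):
        if "=" in item:
            name, pts = item.strip().split("=", 1)
            tests[name] = Decimal(pts)
    return {
        "sa_score": sa_score,
        "boost": boost,
        "required": required,
        "tests": tests,
        "tests_sum": sum(tests.values(), Decimal("0")),
        "spam_without_boost": sa_score >= required,
        "spam_with_boost": sa_score + boost >= required,
    }


def explain(value):
    """Say whether the verdict depends on the boost rather than on the rules."""
    r = parse_spam_status(value)
    if r["spam_with_boost"] and not r["spam_without_boost"]:
        return "tagged only because of boost %s (rules sum to %s)" % (
            r["boost"], r["tests_sum"])
    return "verdict does not depend on the boost"
```

For the header in this thread the listed rules sum to exactly the first number, so the message crosses the threshold only through the added 5.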


Re: HTML Source Rule

2006-11-29 Thread Matt Kettler
Bob Newhart wrote:
 Hello, I was wondering if there is a way to write a rule for HTML
 source code contained in an email.
Use rawbody as the rule type. This will match the text after decoding
(ie: base64) and line-wrap removal, but before HTML tags are removed.
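
What that distinction means in practice, as an added Python model (not SpamAssassin code): the same expression is tried against the message as sent, against the decoded part with markup intact (what a rawbody rule sees), and against the tag-stripped text (what a body rule sees). The sample message, the rule name LOCAL_TINY_IMG and the function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed sample HTML; example.invalid is a placeholder host.
HTML = ('<html><body><p>Hello</p>'
        '<img src="http://example.invalid/a.gif" width="1" height="1">'
        '</body></html>')

# Expression a rule such as
#   rawbody  LOCAL_TINY_IMG  /<img[^>]+width="1"[^>]+height="1"/i
# would carry (LOCAL_TINY_IMG is a made-up rule name).
TINY_IMG = re.compile(r'<img[^>]+width="1"[^>]+height="1"', re.I)


def build_sample():
    """Return a single-part HTML mail whose body is base64-encoded."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(HTML, subtype="html", cte="base64")
    return msg.as_string()


class _TextOnly(HTMLParser):
    """Collect character data and drop every tag."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def views(wire_text):
    """Return (as sent, decoded with markup, tag-stripped text)."""
    msg = message_from_string(wire_text, policy=policy.default)
    decoded = msg.get_content()       # transfer encoding removed, tags kept
    stripper = _TextOnly()
    stripper.feed(decoded)
    rendered = " ".join("".join(stripper.chunks).split())
    return wire_text, decoded, rendered


def where_it_matches(wire_text):
    """Report which of the three views the HTML-source pattern hits."""
    wire, rawbody_like, body_like = views(wire_text)
    return {"wire": bool(TINY_IMG.search(wire)),
            "rawbody": bool(TINY_IMG.search(rawbody_like)),
            "body": bool(TINY_IMG.search(body_like))}
```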



Re: Fetchmail/sa-learn timeout (config included) --SOLVED

2006-11-29 Thread jdow

What IMAP client are you using? It'd pay to forward the bad message to
the maintainers so they can fix the hang. It would make a dandy DoS attack.

{^_^}
- Original Message - 
From: Ian Pattison [EMAIL PROTECTED]



Turned out to just be a bad message in my IMAP folder. Deleted that one and the rest came 
through.



Ian Pattison [EMAIL PROTECTED] 28/11/2006 23:23 

Hi All,

Forgot to include the config last time

SuSE 10.1
Spamassassin 3.1.7 (Built from source tarballs)
Fetchmail 6.3.2
IMAP server is GroupWise 6.5, on same segment

I've been fighting with sa-learn all day and need some help here.

I'm using fetchmail to pull spam messages from a remote IMAP server and classify them with 
sa-learn. So far it's not working well. Fetchmail will download the first message and feed 
it to sa-learn. Sa-learn will process cleanly right through until the end of the expire 
process then will hang for 300 seconds, give an error that fetchmail has timed out, 
proceed to profile the one message it has received and then terminate.


This is a new installation, clean empty databases and I'm at a loss right now. Packet 
scans show no requests to/from the IMAP server during the 300 second hang time. I've 
attached a transcript of the output (-D used).


Anyone have any ideas?

Ian



Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?

2006-11-29 Thread Bookworm

Adam Wilbraham wrote:

On Wed, 29 Nov 2006 08:22:13 -0600
Bookworm [EMAIL PROTECTED] wrote:
  

It sounds like you have the spamd bayes database, and then you have
the database for whatever user you're actually running the test
from.   I ran into this problem as well - it's a known issue, and I
wish the SA folks would come up with a way to run, as root, sa-learn
for a NON-ROOT bayes database.   Vpopmail directories aren't readable
by spamd.



I'm not running vpopmail on this server. spamd is running as qscand,
however I've got my /etc/spamassasin/local.cf set to use a site wide
bayes database. I also have auto_whitelist configured, and I'm
wondering if this is such a good idea:

bayes_path                 /etc/mail/spamassassin/bayes
bayes_file_mode            0770
auto_whitelist_path        /etc/mail/spamassassin/auto-whitelist
auto_whitelist_file_mode   0770
use_bayes                  1
bayes_auto_learn           1

I have a script that runs every night that sa-learn's data from each
user's SpamTrain folder into this site wide database. Now I seriously
hope that spamd isn't reading its bayes data from qscands home, as this
data hasn't been touched for 2 years:

ls -alh ~/qscand/.spamassassin
drwxr-xr-x 2 qscand qscand 4.0K 2004-07-07 11:01 .
drwxr-xr-x 4 qscand root   4.0K 2006-07-26 11:28 ..
-rw-r--r-- 1 qscand qscand  20K 2004-01-06 16:43 auto-whitelist
-rw------- 1 qscand qscand 556K 2004-07-07 11:01 auto-whitelist.dir
-rw------- 1 qscand qscand 556K 2004-07-07 11:01 auto-whitelist.pag
-rw------- 1 qscand qscand  47K 2004-07-07 11:01 bayes_journal
-rw-r--r-- 1 qscand qscand  10M 2004-07-07 11:01 bayes_seen
-rw------- 1 qscand qscand 4.2M 2004-07-07 11:01 bayes_toks
-rw-r--r-- 1 qscand qscand 1.5K 2006-07-06 09:53 user_prefs

Maybe I should delete that and symlink in the files to the sitewide
bayes, just in case?

When I ran spamassassin on the item of spam I referred to earlier,  it
was using my own user account. I don't even have any data in
my .spamassassin folder, so I can only assume that it was using the
site wide bayes for its checks then. Or could my bayes data be
completely messed up, and spamassassin was doing a better job of
identifying spam under my user account with no bayes data at all? 


Once again many thanks for the suggestions and help...

Wilb
  


If you're running it as yourself, and spamassassin isn't running as your 
username, then it's probably not working. 

Check /home/spamd (or whatever user spamassassin runs as).   See if 
there's a bayes database in there.  Also check YOUR home directory, and 
see if you have bayes files.  (locate -i bayes_journal works well for 
this sort of thing)


BW