RE: optional score in local.cf is not working
Hi, I thought I was wrong and amavis restart didn't really helped there, but there is an update for this problem I had with configuration in local.cf not catching. It seems that only when I do /etc/init.d/amavis restart, all configs in local.cf are coming intact. I've used to an old version of amavis and SA on Suse, where you would only do changes to local.cf and spamd restart. 1) So, my question is - Is this a normal behavior? 2) For every change in local.cf should I do now only amavis restart and no spamd restart? Regards, Leon -Original Message- From: Mark Martinec [mailto:[EMAIL PROTECTED] Sent: Sunday, November 26, 2006 10:54 PM To: users@spamassassin.apache.org Subject: Re: optional score in local.cf is not working On Sunday November 26 2006 20:25, Matt Kettler wrote: Erm.. are you sure? I thought amavisd-new called SA directly at the API layer, not via spamd... I didn't even realize amavis *could* use spamd, every amavis person I've talked to on the list isn't using it. amavisd-new can't call spamd, there is no configuration option to do so, and no code to support it. spamc/spamd could be used (if desired/needed) by implementing the usual SA standalone setup, and disabling spam checking in amavisd. Mark
Re: optional score in local.cf is not working
On Wed, 29 Nov 2006 10:10:58 +0200, Leon Kolchinsky [EMAIL PROTECTED] wrote: Hi, I thought I was wrong and amavis restart didn't really helped there, but there is an update for this problem I had with configuration in local.cf not catching. It seems that only when I do /etc/init.d/amavis restart, all configs in local.cf are coming intact. I've used to an old version of amavis and SA on Suse, where you would only do changes to local.cf and spamd restart. 1) So, my question is - Is this a normal behavior? 2) For every change in local.cf should I do now only amavis restart and no spamd restart? Regards, Leon -Original Message- From: Mark Martinec [mailto:[EMAIL PROTECTED] Sent: Sunday, November 26, 2006 10:54 PM To: users@spamassassin.apache.org Subject: Re: optional score in local.cf is not working On Sunday November 26 2006 20:25, Matt Kettler wrote: Erm.. are you sure? I thought amavisd-new called SA directly at the API layer, not via spamd... I didn't even realize amavis *could* use spamd, every amavis person I've talked to on the list isn't using it. amavisd-new can't call spamd, there is no configuration option to do so, and no code to support it. spamc/spamd could be used (if desired/needed) by implementing the usual SA standalone setup, and disabling spam checking in amavisd. Mark As far as I am aware any setting changes in the local.cf need a restart of spamd. Whether or not amavis does this for you I don't know. I do recall someone recently mentioning that the Amavis doesn't give enough time and/or wait for the return from spamd. Though this may not be at all related to your issue. For a simple test. Make a change and manually restart spamassassin, then undo the change, restart just amavis and see if amavis picks it up? HTH Kind regards Nigel
Re: tagging based on score level
beast wrote: Is it possible to make different tag for a different score/classes, for example: high: [SPAM!!!] if score 50 medium: [SPAM!!] if score between 20 - 50 low: [SPAM] if score between treshold - 20 The reason is client filter or other redirection program (for example to be redirected/ quarantined for further inspection) can not parse the score directly. perldoc Mail::SpamAssassin::Conf Look for the TEMPLATE TAGS section, in particular the _STARS(*)_ tag. -- Craig
Re: tagging based on score level
Craig Morrison wrote: beast wrote: Is it possible to make different tag for a different score/classes, for example: high: [SPAM!!!] if score 50 medium: [SPAM!!] if score between 20 - 50 low: [SPAM] if score between treshold - 20 The reason is client filter or other redirection program (for example to be redirected/ quarantined for further inspection) can not parse the score directly. perldoc Mail::SpamAssassin::Conf Look for the TEMPLATE TAGS section, in particular the _STARS(*)_ tag. Almost, but not exactly what I want since it still has so many possibility (up to 50 stars). I just want to use these 2 redirection (in postfix): /^X-Spam-Level: Medium/ REDIRECT [EMAIL PROTECTED] /^X-Spam-Level: High/ REDIRECT [EMAIL PROTECTED] --beast
Re: Anyone else seeing this
Is anyone else seeing the below when sending a message to the list? Yes. Discussed a week or so ago when it seemingly first started happening. Loren
Re: tagging based on score level
high: [SPAM!!!] if score 50
medium: [SPAM!!] if score between 20 - 50
low: [SPAM] if score between threshold - 20

Look for the TEMPLATE TAGS section, in particular the _STARS(*)_ tag.

Almost, but not exactly what I want since it still has so many possibility (up to 50 stars). I just want to use these 2 redirection (in postfix):

/^X-Spam-Level: Medium/ REDIRECT [EMAIL PROTECTED]
/^X-Spam-Level: High/ REDIRECT [EMAIL PROTECTED]

I'm not a postfix guru, but if it uses a regex that includes a specification of number of occurrences, couldn't you do something like

stars /*{51,}/ : high
stars /*{21,}/ : medium
: low

Loren
Re: Updated to SA 3.1.3 to get sa-update... But:
Why does your rule not work? It looks good to me, if you're trying to detect a subject consisting of (for example): hi it's John or something. Can you give some exact samples of subject lines you're trying to flag? If this string (hi it's ) is the only thing in those subject fields - nothing else at all - then it might be wise to anchor your regex to the start and end of the field using ^ and $ as follows:

header HI_ITS_NAME Subject =~ /^hi it's +[a-z]+$/i

...That way, you avoid potential false positives. Cheers, Jeremy

Simon [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
I was getting these spam emails with the subject Name wrote:, so someone suggested I update SA and run sa-update. Which I have and it's now solved that issue - nice. But now I'm getting subject hi it's Name, does someone have a custom ruleset for this spam please? I'm trying to write one myself with no luck:

header HI_ITS_NAME Subject =~ /\bhi\sit's\s+[a-z]/i
describe HI_ITS_NAME Hi It's Name in Subject
score HI_ITS_NAME 6.5
MX1 server queue mail
I have a problem with my MX1 mail server running sendmail. Some mails are being queued for days, e.g.

[EMAIL PROTECTED] ~]# more /var/log/maillog |grep kAS91uVl019923
Nov 28 11:02:25 mx1 sendmail[19923]: kAS91uVl019923: from=[EMAIL PROTECTED], size=1728, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=SMTP, daemon=MTA, relay=web30405.mail.mud.yahoo.com [68.142.200.108]
Nov 28 11:02:25 mx1 sendmail[19923]: kAS91uVl019923: Milter add: header: X-Virus-Scanned: ClamAV 0.88.2/2252/Mon Nov 27 20:47:11 2006 on mx1.africau.ac.zw
Nov 28 11:02:25 mx1 sendmail[19923]: kAS91uVl019923: Milter add: header: X-Virus-Status: Clean
Nov 28 11:02:25 mx1 sendmail[19923]: kAS91uVl019923: to=[EMAIL PROTECTED], delay=00:00:03, mailer=smtp, pri=31728, stat=queued

This mail is supposed to be relayed to my main mail server. How did solve this problem? Regards Mike chisina
Re: optional score in local.cf is not working
Leon Kolchinsky wrote: Hi, I thought I was wrong and amavis restart didn't really helped there, but there is an update for this problem I had with configuration in local.cf not catching. It seems that only when I do /etc/init.d/amavis restart, all configs in local.cf are coming intact. I've used to an old version of amavis and SA on Suse, where you would only do changes to local.cf and spamd restart. 1) So, my question is - Is this a normal behavior? Yes. Because amavisd-new uses the API, restarting spamd should have no affect on it. I don't know why your old version ever used spamd, as it's highly inefficient for a perl application to do so instead of calling Mail::SpamAssassin. 2) For every change in local.cf should I do now only amavis restart and no spamd restart? Yes.. and you should also change your system to not run spamd anymore. Amavisd-new does not use spamd, so running it is a waste of memory.
sa-update installation
Hello List, I have successfully (I hope) installed and run sa-update, and I see that it installed files in /var/lib/spamassassin/3.001007/ In my FreeBSD box, I am used to the rules being in /usr/local/share/spamassassin and /usr/local/etc/mail/spamassassin. Do I just go out for a cold beer and hope that SA will be reading these rules as well? What happens when I run sa-update? Does it update the rules files in /usr/local/share/spamassassin or what? -Wash -- Odhiambo Washington [EMAIL PROTECTED] Wananchi Online Ltd. www.wananchi.com
sa-update question, kinda
I know you can use sa-update to download the new sa-rules as they become available. Are the rules located somewhere that they can be manually downloaded as they are updated, kind of like rulesemporium? I was poking around the sa site, but couldn't find updated rules, only full releases.
Re: Anyone else seeing this (remove user from list?)
Loren Wilton wrote: Is anyone else seeing the below when sending a message to the list? Yes. Discussed a week or so ago when it seemingly first started happening. Loren Yes. Under the subject [Fwd: Your email message was blocked] but they didn't talk about anything other than why the message was kicked back. The big question is should we continue to allow [EMAIL PROTECTED] to be a list member while the csg content filter is responding to From: addresses instead of the Return-Path with a delivery status notification. I personally vote for the removal of this user until they learn to disable their content filter, or at least make it do the right thing and not respond to messages with Precedence: bulk or list.
effectivity with local tests only [checked for viruses]
Hi! My environment is a bit weird. I get all my mails from my ISP's relay. So I disabled AWL. I have no direct internet access. I can use HTTP over a proxy cascade and SMTP with the relay host. No external DNS. So I'm stuck with static rules and bayes. I trained SA with 1600 spam mails and 220 ham mails. After that I took one of the spams and invoked

# spamassassin --test-mode spammail
[...]
Inhaltsanalyse im Detail: (3.5 Punkte, 5.0 benötigt)

Pkte Regelname              Beschreibung
---- ---------------------- --------------------------------------------------
 0.0 HTML_MESSAGE           BODY: Nachricht enthält HTML
 3.5 BAYES_99               BODY: Spamwahrscheinlichkeit nach Bayes-Test: 99-100%
                            [score: 1.]
 0.0 MIME_HTML_ONLY         BODY: MIME-Nachricht besteht nur aus HTML

Bayes is nearly 100% certain that it is spam. It is spam, but the score is only 3,5. Can you advise me on something to adjust to get spam to the right score? Set score of bayes up? Lower score for spam? Razor, Pyzor and DCC need direct internet access. If there is no other way, I'll try to work this out with my ISP, but this will be hard work... Hans
RE: optional score in local.cf is not working
Hi, OK. I did some manual tests and indeed changes in local.cf only catching then I restart amavis. # /etc/init.d/amavis restart Shutting down virus-scanner (amavisd-new):Daemon [9905] terminated by SIGTERM done Starting virus-scanner (amavisd-new): done When I restart only spamd no change in local.cf is catching. I don’t really understand why? Mark Martinec said that amavisd-new can't call spamd So, let me get this straight: - This is how I see the work of amavis+spamd+clamd: 1. As I see it amavis talk to spamd (spamassassin) and clamd (ClamAV) via appropriate sockets or TCP ports. In my case - To clamd via /var/lib/clamav/clamd-socket (I can see it in amavisd.conf) To spamd ? (I don't know how to check it) 2. Any configuration change I make to clamd and spamd take power only when I restart the deamons themselves. 3. But according to Matt Kettler response and my testings, any change to local.cf require amavis restart. # /etc/init.d/amavis restart Shutting down virus-scanner (amavisd-new):Daemon [9905] terminated by SIGTERM done Starting virus-scanner (amavisd-new): done What is going on? Where I can validate config options of amavis to make sure the way it works? P.S.: This is taken from /etc/init.d/amavis: -- AMAVISD_BIN=/usr/sbin/amavisd AMAVIS_MILTER_BIN=/usr/sbin/amavis-milter echo -n Starting virus-scanner (amavisd-new): $AMAVISD_BIN start if ! 
checkproc amavisd; then rc_failed 7 fi rc_status -v if [ $AMAVIS_SENDMAIL_MILTER == yes ]; then rc_reset echo -n Starting amavis-milter: startproc -u vscan $AMAVIS_MILTER_BIN -p local:/var/run/amavis/amavis-milter.sock /dev/null 21 rc_status -v This is taken from /etc/init.d/spamd: - # Short-Description: Start the spamassassin daemon SPAMD_BIN=/usr/sbin/spamd PIDFILE=/var/run/spamd.pid startproc -p $PIDFILE $SPAMD_BIN $SPAMD_ARGS -r $PIDFILE This is taken from /etc/amavisd.conf: - @av_scanners = ( ### http://www.clamav.net/ ['ClamAV-clamd', \ask_daemon, [CONTSCAN {}\n, /var/lib/clamav/clamd-socket], qr/\bOK$/, qr/\bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], -Original Message- From: Nigel Frankcom [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 29, 2006 10:21 AM To: users@spamassassin.apache.org Subject: Re: optional score in local.cf is not working On Wed, 29 Nov 2006 10:10:58 +0200, Leon Kolchinsky [EMAIL PROTECTED] wrote: Hi, I thought I was wrong and amavis restart didn't really helped there, but there is an update for this problem I had with configuration in local.cf not catching. It seems that only when I do /etc/init.d/amavis restart, all configs in local.cf are coming intact. I've used to an old version of amavis and SA on Suse, where you would only do changes to local.cf and spamd restart. 1) So, my question is - Is this a normal behavior? 2) For every change in local.cf should I do now only amavis restart and no spamd restart? Regards, Leon -Original Message- From: Mark Martinec [mailto:[EMAIL PROTECTED] Sent: Sunday, November 26, 2006 10:54 PM To: users@spamassassin.apache.org Subject: Re: optional score in local.cf is not working On Sunday November 26 2006 20:25, Matt Kettler wrote: Erm.. are you sure? I thought amavisd-new called SA directly at the API layer, not via spamd... I didn't even realize amavis *could* use spamd, every amavis person I've talked to on the list isn't using it. 
amavisd-new can't call spamd, there is no configuration option to do so, and no code to support it. spamc/spamd could be used (if desired/needed) by implementing the usual SA standalone setup, and disabling spam checking in amavisd. Mark As far as I am aware any setting changes in the local.cf need a restart of spamd. Whether or not amavis does this for you I don't know. I do recall someone recently mentioning that the Amavis doesn't give enough time and/or wait for the return from spamd. Though this may not be at all related to your issue. For a simple test. Make a change and manually restart spamassassin, then undo the change, restart just amavis and see if amavis picks it up? HTH Kind regards Nigel
Re: RelayChecker (now Botnet ) 0.4
Rick Macdougall wrote: Those who like SQL might like the stuff at http://whatever.frukt.org/p0fstats.text.shtml wich includes my SpamAssassin plugin. :-) If I'm reading the docs correctly, it would not be of any use to me since spamd runs on its on separate server and p0f only supports local sockets. Correct or is there a way I could use it ? Wich docs did you read? The stuff at the link above lets you use p0f data on one machine even if p0f is running at another machine. I belive the other plugin that someone links to also has the ability to use p0f data on another machine. this is how our setup looks: The three relevant machines are Monty: our firewall (OpenBSD) Oliver: our statistics machine (FreeBSD) Chip: our mail gateway (FreeBSD) Monty runs p0f on the Internet interface using the p0f.udpsend script to forward the p0f data to Oliver. Oliver uses the p0f.udplog script to collect the p0f data and insert it into a MySQL database. Chip uses SpamAssassin, wich uses my p0f SpamAssassin plugin to get p0f data from Oliver. Regards /Jonas -- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Re: sa-update installation
Odhiambo Washington wrote: Hello List, I have successfully (I hope) installed and run sa-update, and I see that it installed files in /var/lib/spamassassin/3.001007/ In my FreeBSD box, I am used to the rules being in /usr/local/share/spamassassin and /usr/local/etc/mail/spamassassin. Do I just go out for a cold beer and hope that SA will be reading these rules as well? What happens when I run sa-update? Does it update the rules files in /usr/local/share/spamassassin or what?

after sa-update runs, restart spamassassin and it will use the new rules in /var/lib/spamassassin. I have this as a cron job:

30 3 * * * sa-update && spamassassin --lint && /etc/init.d/spamassassin restart

-- Steve
Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?
Hi, I've got a bit of an odd situation whereby some obvious spam seems to be slipping through the net of our setup. A prime example would be a Re: hi spam which has just come through, an obvious looking spam containing the text Hi and a drugs gif. Looking at the headers after qmail scanner has pushed it through spamc, it gives the following key things: -- Received: (qmail 17122 invoked by uid 1387); 29 Nov 2006 13:16:32 - Received: from 88.229.73.122 by servername (envelope-from [EMAIL PROTECTED], uid 33001) with qmail-scanner-2.01 (sweep: 2.39.2/4.11.0. spamassassin: 3.1.3. Clear:RC:0(88.229.73.122):SA:0(2.6/5.0):. Processed in 11.629468 secs); 29 Nov 2006 13:16:32 - X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on servername X-Spam-Level: ** X-Spam-Status: No, score=2.6 required=5.0 tests=BAYES_50,HTML_MESSAGE, RCVD_IN_DSBL,SARE_GIF_ATTACH autolearn=no version=3.1.3 X-Envelope-From: [EMAIL PROTECTED] Received: from unknown (HELO balboacompany.com) (88.229.73.122) -- As you can see, its only been given a score of 2.6. If I then log into the mailserver and run spamassassin on the message in my inbox, spamassassin scores it higher than that and marks it up as spam: --- Content preview: Hi Hi [...] Content analysis details: (6.5 points, 5.0 required) pts rule name description -- -- 0.1 HTML_90_100BODY: Message is 90% to 100% HTML 0.0 HTML_MESSAGE BODY: HTML included in message 3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99% [score: 0.9830] 0.8 SARE_GIF_ATTACHFULL: Email has a inline gif 2.6 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org [http://dsbl.org/listing?88.229.73.122] --- One of the key things for me is that this time the bayes probability is much higher, but this seems to happen with any spam that arrives in my inbox - it will come through with a lower score, but if I manually invoke SA on the message manually it will report back with a higher score thats picked up by more rules. 
Has anyone got any suggestions as to what I might need to look into to rectify this behaviour? I was running 3.1.0 until yesterday when I upgraded to 3.1.3 to take advantage of sa-update, so my rulesets should not be the problem. Many thanks in advance for any help provided. Wilb.
Cronjob with sa-learn
Hello, i tried to create a cron job to add spam messages as spamemails. The following command : 0 1 * * * vmail sa-learn --spam /var/opt/vmail/.info/oliver/Maildir/.spam/cur *.* But i get this retourn: archive-iterator: readdir found no mail in 'domain1.de' directory archive-iterator: readdir found no mail in 'domain2.de' directory Learned tokens from 7 message(s) (460 message(s) examined) I think the last message is ok. But what about the first and second one? The command is correct? Thanks for help marcus
Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?
To follow up on this, the message in question is flagged as spam if i run it through spamassassin, however if I run it through spamc its not. spamc is what Qmail Scanner invokes. Is there a separate configuration for spamc / spamd to spamassassin? I thought not... On Wed, 29 Nov 2006 14:00:13 + Adam Wilbraham [EMAIL PROTECTED] wrote: I've got a bit of an odd situation whereby some obvious spam seems to snip
Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?
Adam Wilbraham wrote: To follow up on this, the message in question is flagged as spam if i run it through spamassassin, however if I run it through spamc its not. spamc is what Qmail Scanner invokes. Is there a separate configuration for spamc / spamd to spamassassin? I thought not... when you run spamassassin it is running as the current user. who are you logged in as? When qmail-scanner runs spamc it is most likely running as a different user (maybe qscand?) Different users will provide different results depending on the configuration. Also, scanning a message at a later time may produce different results due to the message being listed in some RBL or razor,dcc,etc. -Jim On Wed, 29 Nov 2006 14:00:13 + Adam Wilbraham [EMAIL PROTECTED] wrote: I've got a bit of an odd situation whereby some obvious spam seems to snip
Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?
Adam Wilbraham wrote: To follow up on this, the message in question is flagged as spam if i run it through spamassassin, however if I run it through spamc its not. spamc is what Qmail Scanner invokes. Is there a separate configuration for spamc / spamd to spamassassin? I thought not... It sounds like you have the spamd bayes database, and then you have the database for whatever user you're actually running the test from. I ran into this problem as well - it's a known issue, and I wish the SA folks would come up with a way to run, as root, sa-learn for a NON-ROOT bayes database. Vpopmail directories aren't readable by spamd. One possible fix is to look in /root/.spamassassin and check the bayes information there against /home/spamd/.spamassassin (or whatever the home directory is for the user that's running spamd for Qmail Scanner) (It SHOULD be possible to make it so that a cron job could run a sa-learn -u spamd variation for learning stuff in directories unreadable by the 'spamd' user) BW
Moving to folder based upon spamassassin score
Hi all, I have what is probably a simple question. I know I have seen instructions on this before, but cannot locate them and was hoping someone could point me in the right direction. I am using spamassassin with sendmail and am using .procmailrc to direct my incoming email to be sent to spamassassin for scoring. What I want to do is move email tagged as spam to a specific linux folder, but I want it to be based upon the spamassassin score - not just the fact that spamassassin tagged it as spam. I am sure I need a .procmailrc entry, but I don't know what it would be. Any assistance would be greatly appreciated. Thanks! John W Mickevich Computer Management Technologies [EMAIL PROTECTED]
RE: This is so obvious...
Yeah this slipped thur as well. Just write a rule for the phone number. I'll see about getting 70_sare_specific.cf updated for this number. --Chris -Original Message- From: Jon D. Slater [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 29, 2006 9:17 AM To: users@spamassassin.apache.org Subject: This is so obvious... I am running SA 3.0.6-1 under Fedora Core 4 (2.6.17-1.2142_FC4). And I just got this spam. It's so obviously spam, how could it be scored 0.0? Besides the updates, I've also installed: 70_sare_adult.cf 70_sare_specific.cf 70_sare_stocks.cf Is there some other rule set I should be including? Thanks! Jon Return-Path: [EMAIL PROTECTED] Received: from love.allvrn.ru ([122.4.2.228]) by blahblahblah.org (8.13.7/8.13.4) with SMTP id kASNsqPw005647 for [EMAIL PROTECTED]; Tue, 28 Nov 2006 16:54:55 -0700 Message-ID: [EMAIL PROTECTED] Date: Tue, 28 Nov 2006 16:50:59 -0200 Reply-To: dewey fisher [EMAIL PROTECTED] From: dewey fisher [EMAIL PROTECTED] User-Agent: Mozilla/5.0 (Windows; U; Win95; en-GB; rv:0.9.4) Gecko/20011019 Netscape6/6.2 MIME-Version: 1.0 To: Starr Cole [EMAIL PROTECTED] Subject: Totally OutOfDebt Overnight Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.6 (2005-12-07) on blahblahblah.org X-Spam-Level: X-Spam-Status: No, score=0.0 required=4.3 tests=none autolearn=ham version=3.0.6 Status: O X-UID: 4065 Content-Length: 593 X-Keywords: -Original Message- From: dewey fisher [ mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] ] Sent: Tuesday, November 28, 2006 11:51 AM To: Starr Cole Subject: Totally OutOfDebt Overnight A few select 1egal counse1 just found a loophole in the bank laws. With this discovery, we've been 5uccessful at eliminating people's creditcarddebt with 0ut them paying one more cent. WeGuarantee that we can help you with this. 
C0ntact us at 3l4-854-8497 The children and the Wizard rushed across the moving rock and sprang into the passage beyond, landing safely though a little out of breath. Rob washed and brushed the dust from his clothes, after which he sat down and amused himself by viewing the pictures that constantly formed upon the polished plate of the Record of EventsM20e
Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?
On Wed, 29 Nov 2006 08:22:13 -0600 Bookworm [EMAIL PROTECTED] wrote:
It sounds like you have the spamd bayes database, and then you have the database for whatever user you're actually running the test from. I ran into this problem as well - it's a known issue, and I wish the SA folks would come up with a way to run, as root, sa-learn for a NON-ROOT bayes database. Vpopmail directories aren't readable by spamd.

I'm not running vpopmail on this server. spamd is running as qscand, however I've got my /etc/spamassasin/local.cf set to use a site wide bayes database. I also have auto_whitelist configured, and I'm wondering if this is such a good idea:

bayes_path /etc/mail/spamassassin/bayes
bayes_file_mode 0770
auto_whitelist_path /etc/mail/spamassassin/auto-whitelist
auto_whitelist_file_mode 0770
use_bayes 1
bayes_auto_learn 1

I have a script that runs every night that sa-learn's data from each user's SpamTrain folder into this site wide database. Now I seriously hope that spamd isn't reading its bayes data from qscand's home, as this data hasn't been touched for 2 years:

ls -alh ~/qscand/.spamassassin
drwxr-xr-x 2 qscand qscand 4.0K 2004-07-07 11:01 .
drwxr-xr-x 4 qscand root 4.0K 2006-07-26 11:28 ..
-rw-r--r-- 1 qscand qscand 20K 2004-01-06 16:43 auto-whitelist
-rw--- 1 qscand qscand 556K 2004-07-07 11:01 auto-whitelist.dir
-rw--- 1 qscand qscand 556K 2004-07-07 11:01 auto-whitelist.pag
-rw--- 1 qscand qscand 47K 2004-07-07 11:01 bayes_journal
-rw-r--r-- 1 qscand qscand 10M 2004-07-07 11:01 bayes_seen
-rw--- 1 qscand qscand 4.2M 2004-07-07 11:01 bayes_toks
-rw-r--r-- 1 qscand qscand 1.5K 2006-07-06 09:53 user_prefs

Maybe I should delete that and symlink in the files to the sitewide bayes, just in case? When I ran spamassassin on the item of spam I referred to earlier, it was using my own user account. I don't even have any data in my .spamassassin folder, so I can only assume that it was using the site wide bayes for its checks then.
Or could my bayes data be completely messed up, and spamassassin was doing a better job of identifying spam under my user account with no bayes data at all? Once again many thanks for the suggestions and help... Wilb
Re: sa-update installation
On 11/29/06, Steven Stern [EMAIL PROTECTED] wrote:
after sa-update runs, restart spamassassin and it will use the new rules in /var/lib/spamassassin. I have this as a cron job:

30 3 * * * sa-update && spamassassin --lint && /etc/init.d/spamassassin restart

Oh? I thought you needed to specify within the local.cf file to use those updated rules? Am I mistaken? Will it automatically use the correct rules from /var/lib/spamassassin? (correct meaning that if I update to the next version, will it use the latest rules and not get confused with possible rules left lying around?)

-- Steve
-- Jason 'XenoPhage' Frisvold [EMAIL PROTECTED]
RE: optional score in local.cf is not working
Leon Kolchinsky wrote: So, let me get this straight: - This is how I see the work of amavis+spamd+clamd: 1. As I see it amavis talk to spamd (spamassassin) and clamd (ClamAV) via appropriate sockets or TCP ports. In my case - To clamd via /var/lib/clamav/clamd-socket (I can see it in amavisd.conf) To spamd ? (I don't know how to check it) Not quite. Amavisd does not talk to spamd. Amavisd has the SpamAssassin code built into it. 2. Any configuration change I make to clamd and spamd take power only when I restart the deamons themselves. If you were using spamd, you would need to restart it to apply the changes. But since you are using Amavisd to run SpamAssassin, this is not necessary. 3. But according to Matt Kettler response and my testings, any change to local.cf require amavis restart. When you restart Amavisd, it reads the local.cf file and uses that to initialize its internal copy of SpamAssassin. # /etc/init.d/amavis restart Shutting down virus-scanner (amavisd-new):Daemon [9905] terminated by SIGTERM done Starting virus-scanner (amavisd-new): done What is going on? Where I can validate config options of amavis to make sure the way it works? You can shutdown spamd, you don't need it. To sum it up, there are three ways to use SpamAssassin: 1) The spamassassin executable -- This loads everything each time you call it. It is inefficient, but it is useful for simple scripts and for testing. 2) The spamd daemon -- This loads everything once and then scans messages passed to it by spamc. This is much more efficient since it only has to load the Perl interpreter and all of the rulesets and plugins once. 3) The Mail::SpamAssassin Perl API -- This allows the SpamAssassin code to be called directly by another Perl program. This is how Amavisd runs. It gets a message, calls the SpamAssassin routines, marks up the message, and sends it along. It still only loads everything once, but it is being loaded into Amavisd instead of spamd. -- Bowie
Re: sa-update question, kinda
Joe Zitnik wrote: I know you can use sa-update to download the new sa-rules as they become available. Are the rules located somewhere that they can be manually downloaded as they are updated, kind of like rulesemporium? I was poking around the sa site, but couldn't find updated rules, only full releases. Nope. Well, maybe via SVN, but that's about it. The primary reason being that the standard rulesets are a bit specific as to what rules works with what version. sa-update makes some version checks and will, in theory, only download rules appropriate to your version of SA. If you're running a version that's old enough to not have sa-update, you really should upgrade all of spamassassin before looking for better rules. The code itself is quite critical to accuracy as improvements are constantly made to various parts such as mime and URI parsers to deal with spammer's tricks. Rules alone can't be a complete solution.
RE: sa-update installation
Jason Frisvold wrote:
On 11/29/06, Steven Stern [EMAIL PROTECTED] wrote:
after sa-update runs, restart spamassassin and it will use the new rules in /var/lib/spamassassin. I have this as a cron job:

30 3 * * * sa-update && spamassassin --lint && /etc/init.d/spamassassin restart

Oh? I thought you needed to specify within the local.cf file to use those updated rules? Am I mistaken? Will it automatically use the correct rules from /var/lib/spamassassin? (correct meaning that if I update to the next version, will it use the latest rules and not get confused with possible rules left lying around?)

SA knows about the directories used by sa-update and will automatically use the correct rules. To be more specific, it checks /var/lib/spamassassin first. If it finds rules there, it uses them. Otherwise, it goes to /usr/share/spamassassin.

-- Bowie
RE: Cronjob with sa-learn
Markus Braun wrote:
> Hello, i tried to create a cron job to add spam messages as spamemails. The following command :
> 0 1 * * * vmail sa-learn --spam /var/opt/vmail/.info/oliver/Maildir/.spam/cur *.*
> But i get this return:
> archive-iterator: readdir found no mail in 'domain1.de' directory
> archive-iterator: readdir found no mail in 'domain2.de' directory
> Learned tokens from 7 message(s) (460 message(s) examined)
> I think the last message is ok. But what about the first and second one? The command is correct?

I think the problem is the '*.*' at the end. It is trying to run sa-learn against all of the directories with a period in the current directory. Take off the '*.*' and see what happens.

-- Bowie
spam is marked as user_in_whitelist
keep getting the following spam which spamassassin for some reason give a score of -100 or -70 keeps saying the user is in whitelist

Subject: both of those that is of the people, of the Lord your words of
subject :me: a certain man that hear O house of man from among the land of our

or other of similar context .. they look like quotes from the bible :) with offers to buy some crap from s a b a n z e n dot com

X-Spam-Status: No, score=-74.498 tagged_above=-150 required=3 tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818, HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1, RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75, SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]

i can't think of anything at this point aside from getting rid of the old whitelist and starting a new one.
Re: Moving to folder based upon spamassassin score
John W Mickevich schrieb: Hi all, I have what is probably a simple question. I know I have seen instructions on this before, but cannot locate them and was hoping someone could point me in the right direction. I am using spamassassin with sendmail and am using .procmailrc to direct my incoming email to be sent to spamassassin for scoring. What I want to do is move email tagged as spam to a specific linux folder, but I want it to be based upon the spamassassin score – not just the fact that spamassassin tagged it as spam. I am sure I need a .procmailrc entry, but I don’t know what it would be. Any assistance would be greatly appreciated. Thanks! John W Mickevich Computer Management Technologies [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Hi , to the List u can use with procmail $VAR a treshhold VERBOSE=ON # setting the level #trash TLVL=-10 #quarantine QLVL=-4 #maybe spam MLVL=-2 SL=0 # counting stars :0 * 1^1 ()^X-Spam-Level:[$WS]\/[*] { } SL = $= # with this you sort the mail in MBOX files :0 * $ $SL^0 * $ $TLVL^0 /dev/null :0 * $ $SL^0 * $ QLVL^0 /var/mail/quarantine :0 * $ $SL^0 * $ MLVL^0 /var/mail/maybespam #the rest let pass Matthias
Re: Moving to folder based upon spamassassin score
UUPS i have some syntax errors / fast copy / misssing $ John W Mickevich schrieb: Hi all, I have what is probably a simple question. I know I have seen instructions on this before, but cannot locate them and was hoping someone could point me in the right direction. I am using spamassassin with sendmail and am using .procmailrc to direct my incoming email to be sent to spamassassin for scoring. What I want to do is move email tagged as spam to a specific linux folder, but I want it to be based upon the spamassassin score – not just the fact that spamassassin tagged it as spam. I am sure I need a .procmailrc entry, but I don’t know what it would be. Any assistance would be greatly appreciated. Thanks! John W Mickevich Computer Management Technologies [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] Hi , to the List u can use with procmail $VAR a treshhold VERBOSE=ON # setting the level #trash TLVL=-10 #quarantine QLVL=-4 #maybe spam MLVL=-2 SL=0 # counting stars :0 * 1^1 ()^X-Spam-Level:[$WS]\/[*] { } SL = $= # with this you sort the mail in MBOX files :0 * $ $SL^0 * $ $TLVL^0 /dev/null :0 * $ $SL^0 * $ $QLVL^0 /var/mail/quarantine :0 * $ $SL^0 * $ $MLVL^0 /var/mail/maybespam #the rest let pass Matthias
Re: spam is marked as user_in_whitelist
On Wed, Nov 29, 2006 at 10:22:11AM -0500, Stas Khromoy wrote: *keep getting the following spam which spamassassin for some reason give a scrore of -100 or - 70 keeps saying the user is in whitelist Subject:* both of those that is of the people, of the Lord your words of subject :me: a certain man that hear O house of man from among the land of our or other of similar context .. they look like quotes from the bible :) with offers to buy some crap from s a b a n z e n dot com X-Spam-Status: No, score=-74.498 tagged_above=-150 required=3 tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818, HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1, RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75, SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100] i can't think of anything at this point aside from getting rid of the old whitelist and starting a new one. Hi Stas, I am betting that the envelope-sender is the user that is in the whitelist and you are looking at the from address and thinking that the from address is not in the whitelist. We have run into a fair amount of the above situation on our system. I think it might be a good idea to make USER_IN_WHITELIST have a score of ~ -15 instead of ~100. --Greg
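The arithmetic behind the whitelist point above, as an added example that is not part of the original thread: it parses the amavisd-new style X-Spam-Status value quoted in the post, shows what the message scores once the USER_IN_WHITELIST credit is taken out, and re-scores it with the -15 suggested in the reply. The function names and the second sample value are made up for this illustration.

```python
import re

# X-Spam-Status value copied from the message quoted in this thread.
QUOTED_STATUS = (
    "No, score=-74.498 tagged_above=-150 required=3 tests=[BAYES_80=2, "
    "EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818, "
    "HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1, "
    "RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1, "
    "RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75, "
    "SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666, "
    "UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100]"
)

# Constructed sample (not from the thread): a message with no whitelist hit.
CONSTRUCTED_PLAIN = (
    "Yes, score=7.2 tagged_above=-150 required=3 "
    "tests=[BAYES_99=3.5, RCVD_IN_XBL=3.7]"
)

NUM = r"(-?\d+(?:\.\d+)?)"


def parse_status(value):
    """Return (score, required, {test_name: points}) from a header value."""
    value = " ".join(value.split())  # undo header folding
    score = re.search(r"\bscore=" + NUM, value)
    required = re.search(r"\brequired=" + NUM, value)
    tests = re.search(r"\btests=\[([^\]]*)\]", value)
    if not (score and required and tests):
        raise ValueError("not an amavisd-new style X-Spam-Status value")
    points = {}
    for item in tests.group(1).split(","):
        name, sep, pts = item.strip().partition("=")
        if name and sep:
            points[name] = float(pts)
    return float(score.group(1)), float(required.group(1)), points


def whitelist_report(value, whitelist_tests=("USER_IN_WHITELIST",),
                     new_points=None):
    """Show how much of the final score is whitelist credit.

    'masked' is True when the message is below the spam threshold only
    because of the whitelist rule. With new_points set, the whitelist
    credit is replaced by that value (a what-if, nothing is reconfigured).
    """
    score, required, points = parse_status(value)
    credit = sum(p for name, p in points.items() if name in whitelist_tests)
    content_score = round(score - credit, 3)
    report = {
        "score": score,
        "required": required,
        "whitelist_credit": credit,
        "content_score": content_score,
        "masked": score < required <= content_score,
    }
    if new_points is not None and credit:
        rescored = round(content_score + new_points, 3)
        report["rescored"] = rescored
        report["spam_after_rescore"] = rescored >= required
    return report


if __name__ == "__main__":
    for label, status in (("quoted", QUOTED_STATUS),
                          ("constructed", CONSTRUCTED_PLAIN)):
        print(label, whitelist_report(status, new_points=-15))
```

Run over stored headers, the `masked` flag picks out the messages worth checking for a whitelisted envelope sender.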
Re: sa-update installation
Steven Stern wrote: Odhiambo Washington wrote: Hello List, I have successfully (I hope) installed and run sa-update, and I see that it installed files in /var/lib/spamassassin/3.001007/ In my FreeBSD box, I am used to the rules being in /usr/local/share/spamassassin and /usr/local/etc/mail/spamassassin. Do I just go out for a cold beer and hope that SA will be reading these rules as well? What happens when I run sa-update? Does it update the rules files in /usr/local/share/spamassassin or what? after sa-update runs, restart spamassassin and it will use the new rules in /var/lib/spamassassin. I have this as a cron job: 30 3 * * * sa-update spamassassin --lint /etc/init.d/spamassassin restart Perfect I was just about to ask what the recommended interval was for running sa-update was :-) Cheers Mate! Bryan
Re: Moving to folder based upon spamassassin score
# third try :) u can use with procmail $VAR a treshhold VERBOSE=ON # setting the level #trash TLVL=-10 #quarantine QLVL=-4 #maybe spam MLVL=-2 SL=0 # counting stars :0 * $ H ?? ()^X-Spam-Level: \/[*]+ { SPAMLEVEL=$MATCH } :0 * 1^1 SPAMLEVEL ?? ()\* { } SL = $= # with this you sort the mail in MBOX files :0 * $ $SL^0 * $ $TLVL^0 /dev/null :0 * $ $SL^0 * $ QLVL^0 /var/mail/quarantine :0 * $ $SL^0 * $ MLVL^0 /var/mail/maybespam #the rest let pass Matthias
Re: Moving to folder based upon spamassassin score
öh , ja I shoudnt try to be so quick sorry forget a : and have a false $ # u can use with procmail $VAR a treshhold VERBOSE=ON # setting the level #trash TLVL=-10 #quarantine QLVL=-4 #maybe spam MLVL=-2 SL=0 # counting stars :0 * H ?? ()^X-Spam-Level: \/[*]+ { SPAMLEVEL=$MATCH } :0 * 1^1 SPAMLEVEL ?? ()\* { } SL = $= # with this you sort the mail in MBOX files :0 * $ $SL^0 * $ $TLVL^0 /dev/null :0: * $ $SL^0 * $ $QLVL^0 /var/mail/quarantine :0: * $ $SL^0 * $ $MLVL^0 /var/mail/maybespam #the rest let pass Matthias
Re: sa-update installation
* On 29/11/06 07:56 -0600, Steven Stern wrote: | Odhiambo Washington wrote: | Hello List, | | I have successfully (I hope) installed and run sa-update, and | I see that it installed files in /var/lib/spamassassin/3.001007/ | | In my FreeBSD box, I am used to the rules being in | /usr/local/share/spamassassin and /usr/local/etc/mail/spamassassin. | | Do I just go out for a cold beer and hope that SA will be reading | these rules as well? | | What happens when I run sa-update? Does it update the rules files in | /usr/local/share/spamassassin or what? | | | | after sa-update runs, restart spamassassin and it will use the new rules | in /var/lib/spamassassin. My sa-update script is configured to do this already: 'svc -h /var/service/spamd' And I have a crontab entry, so it's time for beer ;) -Wash http://www.netmeister.org/news/learn2quote.html DISCLAIMER: See http://www.wananchi.com/bms/terms.php -- +==+ |\ _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED] Zzz /,`.-'`'-. ;-;;,_ | Wananchi Online Ltd. www.wananchi.com |,4- ) )-,_. ,\ ( `'-'| Tel: +254 20 313985-9 +254 20 313922 '---''(_/--' `-'\_) | GSM: +254 722 743223 +254 733 744121 +==+ It is the business of little minds to shrink. -- Carl Sandburg
Re: spam is marked as user_in_whitelist
hey greg: you got me there i was looking at : Received: from myserver ([127.0.0.1]) by localhost (myserver [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TnlkYt9U0aRr for myuser; Wed, 29 Nov 2006 06:09:20 -0500 (EST) Received: from 218-171-61-71.dynamic.hinet.net (218-171-61-71.dynamic.hinet.net [218.171.61.71]) by myserver (Postfix) with ESMTP id 76A9DC97AC for myuser; Wed, 29 Nov 2006 06:09:06 -0500 (EST) Received: from insersudamerica.com (port=2457 helo=hhdyayyfbpavq) by 218-171-61-71.dynamic.hinet.net with smtp id 666-jMbg-4o for myuser; Wed, 29 Nov 2006 19:08:40 +0800 and i don't see the envelope-from field at all in the header i can post the full header if that would help Original Message Subject: Re:spam is marked as user_in_whitelist From: Greg Skouby [EMAIL PROTECTED] To: users@spamassassin.apache.org Date: 11/29/2006 10:27 AM On Wed, Nov 29, 2006 at 10:22:11AM -0500, Stas Khromoy wrote: *keep getting the following spam which spamassassin for some reason give a scrore of -100 or - 70 keeps saying the user is in whitelist Subject:* both of those that is of the people, of the Lord your words of subject :me: a certain man that hear O house of man from among the land of our or other of similar context .. they look like quotes from the bible :) with offers to buy some crap from s a b a n z e n dot com X-Spam-Status: No, score=-74.498 tagged_above=-150 required=3 tests=[BAYES_80=2, EXTRA_MPART_TYPE=1.091, HELO_DYNAMIC_IPADDR2=3.818, HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, RCVD_IN_DYNABLOCK=1, RCVD_IN_NJABL_DUL=1.946, RCVD_IN_SBL_XBL=1.5, RCVD_IN_SORBS=1, RCVD_IN_SORBS_DUL=2.046, RCVD_IN_XBL=3.897, SARE_GIF_ATTACH=0.75, SARE_GIF_STOX=1.66, SARE_RECV_SPAM_DOMN0b=1.666, UNPARSEABLE_RELAY=0.001, USER_IN_WHITELIST=-100] i can't think of anything at this point aside from getting rid of the old whitelist and starting a new one. 
Hi Stas, I am betting that the envelope-sender is the user that is in the whitelist and you are looking at the from address and thinking that the from address is not in the whitelist. We have run into a fair amount of the above situation on our system. I think it might be a good idea to make USER_IN_WHITELIST have a score of ~ -15 instead of ~100. --Greg
Re: sa-update installation
* On 29/11/06 15:27 +, Bryan Hepworth wrote: | Steven Stern wrote: | Odhiambo Washington wrote: | | Hello List, | | I have successfully (I hope) installed and run sa-update, and | I see that it installed files in /var/lib/spamassassin/3.001007/ | | In my FreeBSD box, I am used to the rules being in | /usr/local/share/spamassassin and /usr/local/etc/mail/spamassassin. | | Do I just go out for a cold beer and hope that SA will be reading | these rules as well? | | What happens when I run sa-update? Does it update the rules files in | /usr/local/share/spamassassin or what? | | | | | after sa-update runs, restart spamassassin and it will use the new rules | in /var/lib/spamassassin. | | I have this as a cron job: | | 30 3 * * * sa-update spamassassin --lint /etc/init.d/spamassassin | restart | | | | Perfect | | I was just about to ask what the recommended interval was for running | sa-update was :-) Hi Bryan, It's a good idea to use a different time than the one shown so that the update servers are not overloaded by the whole world banging them all at once ;) -Wash http://www.netmeister.org/news/learn2quote.html DISCLAIMER: See http://www.wananchi.com/bms/terms.php -- +==+ |\ _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED] Zzz /,`.-'`'-. ;-;;,_ | Wananchi Online Ltd. www.wananchi.com |,4- ) )-,_. ,\ ( `'-'| Tel: +254 20 313985-9 +254 20 313922 '---''(_/--' `-'\_) | GSM: +254 722 743223 +254 733 744121 +==+ I don't think so, said Ren'e Descartes. Just then, he vanished.
Re: sa-update question, kinda
On Wed, Nov 29, 2006 at 07:39:10AM -0500, Joe Zitnik wrote:
> I know you can use sa-update to download the new sa-rules as they become available. Are the rules located somewhere that they can be manually downloaded as they are updated, kind of like rulesemporium? I was poking around the sa site, but couldn't find updated rules, only full releases.

You can download the tarball if you know what update you want, or you can look in SVN where we generate the tarballs from (http://svn.apache.org/repos/asf/spamassassin/rules/branches/3.1/)

--
Randomly Selected Tagline: Money doesn't guarantee happiness. But having enough can make life a lot less stressful. - Robert H. Frank, http://www.nytimes.com/2003/12/27/arts/27INTR.html?pagewanted=48hpib
Re: sa-update installation
Hi Steven, On Wed, Nov 29, 2006 at 07:56:18AM -0600, Steven Stern told us: after sa-update runs, restart spamassassin and it will use the new rules in /var/lib/spamassassin. I have this as a cron job: 30 3 * * * sa-update spamassassin --lint /etc/init.d/spamassassin restart I think you don't need the lint here, as sa-update internally does this for each channel it gets updates for (at least this is what the source tells me ;-) ) Kind regards, Sven -- Steve -- Linux zion.homelinux.com 2.6.18-1.2849.fc6xen #1 SMP Fri Nov 10 13:56:52 EST 2006 i686 athlon i386 GNU/Linux 16:42:51 up 13 days, 18:00, 3 users, load average: 0.04, 0.14, 0.26 pgpWFOPe42os4.pgp Description: PGP signature
Re: Moving to folder based upon spamassassin score
for the record, now tested !! i kicked out te and the counting is working, sorry to have you spammed :)

VERBOSE=ON

# setting the level
#trash
TLVL=-20
#quarantine
QLVL=-4
#maybe spam
MLVL=-2
SL=0

# counting stars
:0
* H ?? ()^X-Spam-Level: \/[*]+
{ SPAMLEVEL=$MATCH }

:0
* 1^1 SPAMLEVEL ?? ()\*
{ }
SL = $=

# with this you sort the mail in MBOX files
:0
* $ $SL^0
* $ $TLVL^0
/dev/null

:0:
* $ $SL^0
* $ $QLVL^0
/var/mail/quarantine

:0:
* $ $SL^0
* $ $MLVL^0
/var/mail/maybespam

#the rest let pass
Re: Installed FuzzyOCR - What am I missing?
Evan Platt wrote: At 02:56 PM 11/28/2006, you wrote: Last month there was a discussion thread on this list about that exact topic. Search either the Apache list archives or the GMANE archives. For example see: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200610.mbox/[EMAIL PROTECTED] Thanks to everyone especially Decoder, I think I'm up and running. png is the only one not working. Any reason NOT to assign 10 points to fuzzy ocr tripped words? The defaults are already quite high, and don't forget that more points are added for more words found. I think the default is one point for every word matched, but requiring that at least two words are found. Since most of the drug spams have several words, you are usually over 10 points anyway. I mean I wouldn't add 10 points just because someone typed the V word in an e-mail to me, but I can't think of an instance where I'd expect a GIF message with it in it. Someone might send you a copy of a comic strip about an old guy visiting the doctor. You might miss out on some poor taste humour. -- Chris
Re: Cronjob with sa-learn
Markus Braun wrote:
> Hello, i tried to create a cron job to add spam messages as spamemails. The following command :
> 0 1 * * * vmail sa-learn --spam /var/opt/vmail/.info/oliver/Maildir/.spam/cur *.*
> But i get this return:
> archive-iterator: readdir found no mail in 'domain1.de' directory
> archive-iterator: readdir found no mail in 'domain2.de' directory
> Learned tokens from 7 message(s) (460 message(s) examined)

I think you want:

sa-learn --spam /var/opt/vmail/.info/oliver/Maildir/.spam/cur/*

-- Chris
Re: Why no bayes? [FIXED]
YMMV- I am not sure the *proper* way to do this (but I am glad there is no registry- :) ). Here ya go!

find /usr/lib/perl5 -name SpamAssassin.pm

I have deleted mine but you should have 2 listings:

/usr/lib/perl5/site-perl/5.8.5/Mail/SpamAssassin.pm
/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin.pm

The site-perl is, I believe, the location where cpan installs. I can confirm this by doing the following to find where the rpm installs to:

rpm -q spamassassin -l|grep SpamAssassin.pm

result:

/usr/lib/perl5/vendor_perl/5.8.5/Mail/SpamAssassin.pm

The location should be one of those 2 entries and THAT is the one you want to keep. I then, for safety's sake, moved the non-rpm version, located at /usr/lib/perl5/site-perl/5.8.5/Mail

mv /usr/lib/perl5/site-perl/5.8.5/Mail /root/spamassassin_Mail

Finally, running /usr/sbin/amavisd -d bayes debug-sa as user amavis should show no errors about version mismatches. There may be other errors particular to your installation. I got some based on specific rules not having something but nothing about entire CF files not being used.

If there is a better PERL way of doing this, I would appreciate anything offered in that regard.

BTW- I think that this happened because a yum dependency wasn't available via yum so I used CPAN (site-perl) to meet the dependency. Later, yum got the dependency and installed it into vendor-perl.

Hope it helps!
Dave Augustus

On Tue, 2006-11-28 at 19:27 -0800, Quinn Comendant wrote:
> How did you uninstall the cpan version? Just for the hell of it I ran the same test you did and I also have two versions installed (although my SA is running fine). I should uninstall the unused version, no?
> Quinn
>
> On Tue, 28 Nov 2006 14:53:49 -0600, Dave Augustus wrote:
> > TADA! 2 installs- the one in site-perl must have come from cpan.
Re: tagging based on score level
beast wrote:
> Is it possible to make different tag for a different score/classes, for example:
> high: [SPAM!!!] if score 50
> medium: [SPAM!!] if score between 20 - 50
> low: [SPAM] if score between threshold - 20

Depends on how you're calling SpamAssassin and whether SA is doing the markup or the calling program is. I don't think SA has this functionality itself, but if you're calling it with a program like MIMEDefang or Amavisd-new, you have a lot more flexibility.

With MIMEDefang, for instance, you would do something like this in filter_end after calling SpamAssassin. ($hits is the message's score, $req is the spam threshold)

    # Check the highest tier first so each message gets exactly one tag.
    if ($hits >= 50) {
        action_change_header("Subject", "[SPAM!!!] $Subject");
    } elsif ($hits >= 20) {
        action_change_header("Subject", "[SPAM!!] $Subject");
    } elsif ($hits >= $req) {
        action_change_header("Subject", "[SPAM] $Subject");
    }

-- Kelson Vibber SpeedGate Communications www.speed.net
Naive Keyword Filtering Considered Harmful (was Re: Anyone else seeing this)
This is due to automatic rules that have determined that the message is probably Porn related junk email. If you believe the message was business related please contact [EMAIL PROTECTED] and request that the message be released. If no contact is made within 4 days the message will automatically be deleted. Yet another example of why rejecting/blocking based solely on keywords without considering context is a Bad Idea(tm). -- Kelson Vibber SpeedGate Communications www.speed.net
Re: Anyone else seeing this (remove user from list?)
On Wed, 29 Nov 2006, Matt Kettler wrote: I personally vote for the removal of this user until they learn to disable their content filter, or at least make it do the right thing and not respond to messages with Precedence: bulk or list. +1 -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Bother, said Pooh as he struggled with /etc/sendmail.cf, it never does quite what I want. I wish Christopher Robin was here. -- Peter da Silva in a.s.r --- 26 days until Christmas
Number of email addresses in whitelist_from
SA version is 3.1.7 on Linux. In a user's prefs file, is there an upper limit/maximum number of email addresses using whitelist_from? A user wishes to add about 5000 email addresses from his entire contact database. What is the limit? Can a simple text file be maintained in which any email addresses are considered whitelisted? Thanks
RE: optional score in local.cf is not working
As has been stated multiple times, Amavisd-new does NOT use spamd. Just try out this little test, m'kay? Stop spamd. Don't restart it, just stop it. Now see if amavisd is still scanning for spam. What's that? It is? Whodathunkit! That's why you need to restart amavisd to reload changed config files. You should stop spamd from starting automatically, as it is just a waste of resources since you are using amavisd-new. -Original Message- From: Leon Kolchinsky [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 29, 2006 8:53 AM To: Nigel Frankcom; users@spamassassin.apache.org Subject: RE: optional score in local.cf is not working Hi, OK. I did some manual tests and indeed changes in local.cf only catching then I restart amavis. # /etc/init.d/amavis restart Shutting down virus-scanner (amavisd-new):Daemon [9905] terminated by SIGTERM done Starting virus-scanner (amavisd-new): done When I restart only spamd no change in local.cf is catching. I don't really understand why? Mark Martinec said that amavisd-new can't call spamd So, let me get this straight: - This is how I see the work of amavis+spamd+clamd: 1. As I see it amavis talk to spamd (spamassassin) and clamd (ClamAV) via appropriate sockets or TCP ports. In my case - To clamd via /var/lib/clamav/clamd-socket (I can see it in amavisd.conf) To spamd ? (I don't know how to check it) 2. Any configuration change I make to clamd and spamd take power only when I restart the deamons themselves. 3. But according to Matt Kettler response and my testings, any change to local.cf require amavis restart. # /etc/init.d/amavis restart Shutting down virus-scanner (amavisd-new):Daemon [9905] terminated by SIGTERM done Starting virus-scanner (amavisd-new): done What is going on? Where I can validate config options of amavis to make sure the way it works? 
P.S.: This is taken from /etc/init.d/amavis: -- AMAVISD_BIN=/usr/sbin/amavisd AMAVIS_MILTER_BIN=/usr/sbin/amavis-milter echo -n Starting virus-scanner (amavisd-new): $AMAVISD_BIN start if ! checkproc amavisd; then rc_failed 7 fi rc_status -v if [ $AMAVIS_SENDMAIL_MILTER == yes ]; then rc_reset echo -n Starting amavis-milter: startproc -u vscan $AMAVIS_MILTER_BIN -p local:/var/run/amavis/amavis-milter.sock /dev/null 21 rc_status -v This is taken from /etc/init.d/spamd: - # Short-Description: Start the spamassassin daemon SPAMD_BIN=/usr/sbin/spamd PIDFILE=/var/run/spamd.pid startproc -p $PIDFILE $SPAMD_BIN $SPAMD_ARGS -r $PIDFILE This is taken from /etc/amavisd.conf: - @av_scanners = ( ### http://www.clamav.net/ ['ClamAV-clamd', \ask_daemon, [CONTSCAN {}\n, /var/lib/clamav/clamd-socket], qr/\bOK$/, qr/\bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], -Original Message- From: Nigel Frankcom [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 29, 2006 10:21 AM To: users@spamassassin.apache.org Subject: Re: optional score in local.cf is not working On Wed, 29 Nov 2006 10:10:58 +0200, Leon Kolchinsky [EMAIL PROTECTED] wrote: Hi, I thought I was wrong and amavis restart didn't really helped there, but there is an update for this problem I had with configuration in local.cf not catching. It seems that only when I do /etc/init.d/amavis restart, all configs in local.cf are coming intact. I've used to an old version of amavis and SA on Suse, where you would only do changes to local.cf and spamd restart. 1) So, my question is - Is this a normal behavior? 2) For every change in local.cf should I do now only amavis restart and no spamd restart? Regards, Leon -Original Message- From: Mark Martinec [mailto:[EMAIL PROTECTED] Sent: Sunday, November 26, 2006 10:54 PM To: users@spamassassin.apache.org Subject: Re: optional score in local.cf is not working On Sunday November 26 2006 20:25, Matt Kettler wrote: Erm.. are you sure? 
I thought amavisd-new called SA directly at the API layer, not via spamd... I didn't even realize amavis *could* use spamd, every amavis person I've talked to on the list isn't using it. amavisd-new can't call spamd, there is no configuration option to do so, and no code to support it. spamc/spamd could be used (if desired/needed) by implementing
HTML Source Rule
Hello, I was wondering if there is a way to write a rule for HTML source code contained in an email. I am getting many of these Buy This Stock emails and I am finding that the pictures contained in them all have a portion of a line of source that says... src=cid: Thanks in advance for any help anyone may be able to provide. -- Jason Broyles Use Linux, it's free.
Stock Spam
Hi All, I am recieving lot of stock related spam mails which spam assassin is not able catch as spam. I have added Sare_stcok.cf file. I cant use imageinfo, fuzzy ocr as iam using 2.6o ver of spam assassin i think. I have enclosed the undecoded letter mail of one kind below. Can you plz help me to make this kind of mails as spam. X-Real-To: anyname Return-Path: [EMAIL PROTECTED] Received: by some.com (CommuniGate Pro PIPE 5.1.1) with PIPE id 1368603; Mon, 27 Nov 2006 17:39:57 -0600 Received: from [EMAIL PROTECTED] by mail.seatoncorp.com (CommuniGate Pro GROUP 5.1.1) with GROUP id 1368364; Mon, 27 Nov 2006 17:38:31 -0600 X-Autogenerated: group Received: from 84-120-14-114.onocable.ono.com ([84.120.14.114] verified) by some.com (CommuniGate Pro SMTP 5.1.1) with ESMTP id 1368200 for [EMAIL PROTECTED]; Mon, 27 Nov 2006 17:37:50 -0600 Received-SPF: neutral receiver=some.com; client-ip=XX.XX.XX.XX; [EMAIL PROTECTED] Received: from [131.121.84.151] (port=5734 helo=JMfieKIKDzZ) by qMfMKKYkDTw with asmtp id bhqPeb-KhbbzT-07 for [EMAIL PROTECTED]; Tue, 28 Nov 2006 00:38:20 +0100 Date: Tue, 28 Nov 2006 00:37:46 +0100 From: reserved [EMAIL PROTECTED] X-Mailer: The Bat! (v3.0) Professional Reply-To: [EMAIL PROTECTED] X-Priority: 3 (Normal) Message-ID: [EMAIL PROTECTED]@some.com To: [EMAIL PROTECTED] Subject: Delay Albert Strategist MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=--305E3064BA67 X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on evg60ms_email.seatoncorp.com X-Spam-Status: No, hits=4.1 required=4.5 tests=HTML_20_30,HTML_MESSAGE, HTML_TITLE_EMPTY,RATWR9_MESSID,SARE_MSGID_DBL_AT,Seaton_Signup,TW_TV, TW_VP,TW_YD autolearn=no version=2.60 X-Spam-Level: X-TFF-CGPSA-Filter: Scanned X-TFF-CGPSA-Version: 1.2.5 305E3064BA67 Content-Type: multipart/alternative; boundary=--EF0BA740CEFEF7D2 EF0BA740CEFEF7D2 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hoffman head rands office leading expert returns think. 
Re: Stock Spam
On Wed, Nov 29, 2006 at 02:33:02PM -0800, san wrote:
> able catch as spam. I have added Sare_stcok.cf file. I cant use imageinfo, fuzzy ocr as iam using 2.6o ver of spam assassin i think. I have enclosed the undecoded letter mail of one kind below. Can you plz help me to make this kind of mails as spam.

Upgrade to 3.1.7, then use sa-update. 2.6x is ancient.

--
Randomly Selected Tagline: A way out of financial mess is discovered as if by magic! - stupid fortune cookie
Re: Stock Spam
Yes thats true but as of now in my office we are using 2.6x. Is there any rules to catch in 2.6x? Right now the score it is genarating is more than 3 and need another 2 to mark as spam. Theo Van Dinter-2 wrote: On Wed, Nov 29, 2006 at 02:33:02PM -0800, san wrote: able catch as spam. I have added Sare_stcok.cf file. I cant use imageinfo, fuzzy ocr as iam using 2.6o ver of spam assassin i think. I have enclosed the undecoded letter mail of one kind below. Can you plz help me to make this kind of mails as spam. Upgrade to 3.1.7, then use sa-update. 2.6x is ancient. -- Randomly Selected Tagline: A way out of financial mess is discovered as if by magic! - stupid fortune cookie -- View this message in context: http://www.nabble.com/Stock-Spam-tf2728271.html#a7609648 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
RE: HTML Source Rule
Hello, I was wondering if there is a way to write a rule for HTML source code contained in an email. I am getting many of these Buy This Stock emails and I am finding that the pictures contained in them all have a portion of a line of source that says... src=cid: Thanks in advance for any help anyone may be able to provide. So does every message sent from Outlook that includes an image. I'd suspect that you'd end up rejecting a lot of legitimate e-mail, unless no one that sends you e-mail uses Outlook or Outlook Express... Bret
RE: Stock Spam
From: san [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 29, 2006 11:33 PM
To: users@spamassassin.apache.org
Subject: Stock Spam

> Hi All, I am recieving lot of stock related spam mails which spam assassin is not able catch as spam. I have added Sare_stcok.cf file. I cant use imageinfo, fuzzy ocr as iam using 2.6o ver of spam assassin i think. I have enclosed the undecoded letter mail of one kind below. Can you plz help me to make this kind of mails as spam.

These are the scores it would get on a 3.1.7 + some sare rules:

 1.9 MSGID_MULTIPLE_AT      Message-ID contains multiple '@' characters
 0.8 FH_HOST_EQ_D_D_D_D     Host starts with d-d-d-d
 0.9 FH_HOST_EQ_D_D_D_DB    Host is d-d-d-d
 3.8 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr 2)
 1.6 FH_HELO_EQ_D_D_D_D     Helo is d-d-d-d
 1.1 SPF_NEUTRAL            SPF: sender does not match SPF record (neutral)
                            [SPF failed: Please see http://www.openspf.org/why.html?sender=how%40sotelrostov.ruip=84.120.14.114receiver=ns2.edlui.it]
 0.1 TW_YD                  BODY: Odd Letter Triples with YD
 0.1 TW_VP                  BODY: Odd Letter Triples with VP
 0.1 TW_TV                  BODY: Odd Letter Triples with TV
 0.4 HTML_30_40             BODY: Message is 30% to 40% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 2.2 TVD_FW_GRAPHIC_ID2     BODY: TVD_FW_GRAPHIC_ID2
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.2 HTML_TITLE_EMPTY       BODY: HTML title contains no text
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [84.120.14.114 listed in dnsbl.sorbs.net]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [84.120.14.114 listed in sbl-xbl.spamhaus.org]
 2.0 FM__TIMES_2            Dual helo + host eq d_d_d_d

I have fuzzyocr, but it doesn't even need to be invoked: this mail scores enough to be just thrown away...
X-Real-To: anyname
Return-Path: [EMAIL PROTECTED]
Received: by some.com (CommuniGate Pro PIPE 5.1.1) with PIPE id 1368603; Mon, 27 Nov 2006 17:39:57 -0600
Received: from [EMAIL PROTECTED] by mail.seatoncorp.com (CommuniGate Pro GROUP 5.1.1) with GROUP id 1368364; Mon, 27 Nov 2006 17:38:31 -0600
X-Autogenerated: group
Received: from 84-120-14-114.onocable.ono.com ([84.120.14.114] verified) by some.com (CommuniGate Pro SMTP 5.1.1) with ESMTP id 1368200 for [EMAIL PROTECTED]; Mon, 27 Nov 2006 17:37:50 -0600
Received-SPF: neutral receiver=some.com; client-ip=XX.XX.XX.XX; [EMAIL PROTECTED]
Received: from [131.121.84.151] (port=5734 helo=JMfieKIKDzZ) by qMfMKKYkDTw with asmtp id bhqPeb-KhbbzT-07 for [EMAIL PROTECTED]; Tue, 28 Nov 2006 00:38:20 +0100
Date: Tue, 28 Nov 2006 00:37:46 +0100
From: reserved [EMAIL PROTECTED]
X-Mailer: The Bat! (v3.0) Professional
Reply-To: [EMAIL PROTECTED]
X-Priority: 3 (Normal)
Message-ID: [EMAIL PROTECTED]@some.com
To: [EMAIL PROTECTED]
Subject: Delay Albert Strategist
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=--305E3064BA67
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on evg60ms_email.seatoncorp.com
X-Spam-Status: No, hits=4.1 required=4.5 tests=HTML_20_30,HTML_MESSAGE, HTML_TITLE_EMPTY,RATWR9_MESSID,SARE_MSGID_DBL_AT,Seaton_Signup,TW_TV, TW_VP,TW_YD autolearn=no version=2.60
X-Spam-Level:
X-TFF-CGPSA-Filter: Scanned
X-TFF-CGPSA-Version: 1.2.5

305E3064BA67
Content-Type: multipart/alternative; boundary=--EF0BA740CEFEF7D2

EF0BA740CEFEF7D2
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hoffman head rands office leading expert returns think. Eroding getting, steeper say! Older americans improved shows, findings good? Sd encoder simple styles videowave sorry. Half awardsjune social delivery systems far apart, medicare. Easy dvdit, pro mydvd essentials premeier photosuite, primetime. Copy inc, all rights reserved privacy use press gt. Charles deborah hensler, becomes senior fellow.
Reassuring individual alan charles deborah hensler becomes. Urge equals between trustees elects. Unless accept following terms provided site are. Elects paul reform act fails slash delay albert strategist. Rom formatter roxio creator? You can get yearmore than gift. Clare ellinger director, human, sentencing laws undermine control goals. Angeles mayor richard riordan deliver launches. Firm memo financial reporters. Training admissions people life after. Trends indicate need natalie. Accept following terms provided site? Service wide range private venture is. Admissions people life after events calendar? Minimums strategy curbs crimemay writers re icj economic! Economy eroding, getting, steeper say trends indicate need. Pricestips tvpopular networks
RE: Stock Spam
Thanks for ur inputs. when i put across SA this is what i get on my pc..

Content analysis details: (2.3 points, 4.5 required)

 pts rule name         description
 --- ----------------- ---------------------------------
 1.0 Local_Signup      BODY: Body mentions Sign up
 0.1 TW_TV             BODY: Odd Letter Triples with TV
 0.1 TW_VP             BODY: Odd Letter Triples with VP
 0.1 TW_YD             BODY: Odd Letter Triples with YD
 0.5 HTML_20_30        BODY: Message is 20% to 30% HTML
 0.0 HTML_MESSAGE      BODY: HTML included in message
 0.5 HTML_TITLE_EMPTY  BODY: HTML title contains no text
RE: Stock Spam
From: san [mailto:[EMAIL PROTECTED]

Thanks for ur inputs. when i put across SA this is what i get on my pc..

Content analysis details: (2.3 points, 4.5 required)

 pts rule name         description
 --- ----------------- ---------------------------------
 1.0 Local_Signup      BODY: Body mentions Sign up
 0.1 TW_TV             BODY: Odd Letter Triples with TV
 0.1 TW_VP             BODY: Odd Letter Triples with VP
 0.1 TW_YD             BODY: Odd Letter Triples with YD
 0.5 HTML_20_30        BODY: Message is 20% to 30% HTML
 0.0 HTML_MESSAGE      BODY: HTML included in message
 0.5 HTML_TITLE_EMPTY  BODY: HTML title contains no text

It's time to switch to 3.1.7, San. Isn't it? :)

giampaolo
Re: HTML Source Rule
Bret Miller wrote:

pictures contained in them all have a portion of a line of source that says... src=cid: Thanks in advance for any help anyone may be able to provide.

So does every message sent from Outlook that includes an image. I'd suspect that you'd end up rejecting a lot of legitimate e-mail, unless no one that sends you e-mail uses Outlook or Outlook Express...

Actually, I believe any email with embedded* images, regardless of the sending software, will contain that fragment. cid: is the protocol for identifying a resource in another MIME part of the same document. I've got one in my inbox right now that was sent from Thunderbird.

*Embedded meaning that they appear inline in the message body and the data is included in the message, not retrieved from a remote server.

--
Kelson Vibber
SpeedGate Communications www.speed.net
Re: SA Rule
for mangled viagra and other stuff ..is there any simple rule?? such as following text...

Mangled rules are never simple rules. The SARE rules contain a lot of these, as does the antidrug stuff in SA itself. It may be that these specific cases aren't caught though.

Loren
Re: HTML Source Rule
This Stock emails and I am finding that the pictures contained in them all have a portion of a line of source that says... src=cid:

*ANY* inline image of any sort is going to contain that tag. That is what links to the other mime section containing the image.

There are quite a number of rules for image stock spams. The ImageInfo and FuzzyOCR plugins also help quite a lot in these cases, as do many SARE rules and the network rules.

Loren
Re: Stock Spam
It's time to switch to 3.1.7, San. Isn't it? :)

giampaolo

It was time a long time ago. :-) The upgrade is good. sa-update is a useful tool.
RE: Stock Spam
Yeah Giampaolo. with 3.1x it should be alright. But my superior is still stick to the old one..:(
Re: Stock Spam
I am receiving lot of stock related spam mails which spam assassin is not able catch as spam. I have added Sare_stcok.cf file. I cant use imageinfo, fuzzy ocr as iam using 2.6o ver of spam assassin i think. I have enclosed the undecoded letter mail of one kind below. Can you plz help me to make this kind of mails as spam.

Image spams are hard to catch using normal header and body rules, especially when they don't have any urls in the body. Enabling network tests and installing the patch for the URIBL will probably help some.

Loren
Re: HTML Source Rule
Bret Miller wrote:

Hello, I was wondering if there is a way to write a rule for HTML source code contained in an email. I am getting many of these Buy This Stock emails and I am finding that the pictures contained in them all have a portion of a line of source that says... src=cid: Thanks in advance for any help anyone may be able to provide.

So does every message sent from Outlook that includes an image. I'd suspect that you'd end up rejecting a lot of legitimate e-mail, unless no one that sends you e-mail uses Outlook or Outlook Express...

Bret

I have a few legit messages that are scoring over 5.0 due to SARE_STOCKS and the TVD rules to catch stocks, and this is after ALL_TRUSTED has done its work to reduce the score. These messages of course have inline images and are being sent via Outlook Express. Some of the scores on those rules are over 2.0. I have started to reduce the scores, as the stock messages I get usually have header problems and hit on Razor as well. I've seen legit messages fire the MY_CID set of rules enough to rack up a score of over 7.0 from those rules alone.
Re: Stock Spam
Thanks for ur inputs. when i put across SA this is what i get on my pc..

Content analysis details: (2.3 points, 4.5 required)

 pts rule name         description
 --- ----------------- ---------------------------------
 1.0 Local_Signup      BODY: Body mentions Sign up
 0.1 TW_TV             BODY: Odd Letter Triples with TV
 0.1 TW_VP             BODY: Odd Letter Triples with VP
 0.1 TW_YD             BODY: Odd Letter Triples with YD
 0.5 HTML_20_30        BODY: Message is 20% to 30% HTML
 0.0 HTML_MESSAGE      BODY: HTML included in message
 0.5 HTML_TITLE_EMPTY  BODY: HTML title contains no text

As Theo mentioned, 2.6 is ancient. You really can't expect a set of rules and tools written, what, 2-3 years ago? to keep up with spammer tricks that change every day. If 2.6 was up to it, there would have been no reason to make the newer versions of SA!

 1.1 SPF_NEUTRAL        SPF: sender does not match SPF record
 3.5 BAYES_99           BODY: Bayesian spam probability is 99 to 100%
 2.0 RCVD_IN_SORBS_DUL  RBL: SORBS: sent directly from dynamic IP
 3.9 RCVD_IN_XBL        RBL: Received via a relay in Spamhaus XBL

That said, it appears that you aren't running either Bayes or network tests. Bayes_99 has always been a real good way to get rid of spam. Here it is 3.5 points. On 2.6 I think it was closer to 4.0 points or maybe more. Note there is also another 7+ points to be had from network tests, all of which (except maybe SPF) are available in 2.6.

Loren
Re: Stock Spam
Thanks loren..let me invoke bayes and try it out
Re: HTML Source Rule
--On Wednesday, November 29, 2006 5:17 PM -0600 Richard Frovarp [EMAIL PROTECTED] wrote:

I have a few legit messages that are scoring over 5.0 due to SARE_STOCKS and the TVD rules to catch stocks, and this is after ALL_TRUSTED has done its work to reduce the score. These messages of course have inline images and are being sent via Outlook Express. Some of the scores on those rules are over 2.0. I have started to reduce the scores, as the stock messages I get usually have header problems and hit on Razor as well. I've seen legit messages fire the MY_CID set of rules enough to rack up a score of over 7.0 from those rules alone.

Can you attach a sample? Perhaps the sender can be convinced to change the format to make the message look less spammy.
Re: SA Rule
On Wed, 29 Nov 2006, Loren Wilton wrote:

for mangled viagra and other stuff ..is there any simple rule?? such as following text...

Mangled rules are never simple rules.

I have a perl script that will take a word list and generate REs for obfuscated versions of those words.

http://www.impsec.org/~jhardin/antispam

Examples:

# cialas @ 3.0
describe OBFU_WRD_021 obfuscated cialas
body     OBFU_WRD_021 /\b(?!cialas)(?:(?:(?:[c\xA2\xA9\xAB\xC7\xE7]|\#(?:67|99);){1,2}['\.~*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|i[a-z]+;){1,2}['\.~*^]?(?:[EMAIL PROTECTED]|\/\\|a[a-z]+;){1,2}['\.~*^]?(?:[l1i!\|\xCC-\xCF]|(\|_)|\#(?:76|108);){1,2}['\.~*^]?(?:[EMAIL PROTECTED]|\/\\|a[a-z]+;){1,2}['\.~*^]?(?:[s5z\$\xA6\xA7\xA8]|\#(?:83|115);))|(?:c\s?i\s?a\s?l\s?a\s?s))/i
score    OBFU_WRD_021 3.0

# cialis @ 3.0
describe OBFU_WRD_022 obfuscated cialis
body     OBFU_WRD_022 /\b(?!cialis)(?:(?:(?:[c\xA2\xA9\xAB\xC7\xE7]|\#(?:67|99);){1,2}['\.~*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|i[a-z]+;){1,2}['\.~*^]?(?:[EMAIL PROTECTED]|\/\\|a[a-z]+;){1,2}['\.~*^]?(?:[l1i!\|\xCC-\xCF]|(\|_)|\#(?:76|108);){1,2}['\.~*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|i[a-z]+;){1,2}['\.~*^]?(?:[s5z\$\xA6\xA7\xA8]|\#(?:83|115);))|(?:c\s?i\s?a\s?l\s?i\s?s))/i
score    OBFU_WRD_022 3.0

# levitra @ 3.0
describe OBFU_WRD_089 obfuscated levitra
body     OBFU_WRD_089 /\b(?!levitra)(?:(?:(?:[l1i!\|\xCC-\xCF]|(\|_)|\#(?:76|108);){1,2}['\.~*^]?(?:[e3\xBC\xBD\xC6\xC8-\xCB\xE6\xE8-\xEB]|e[a-z]+;){1,2}['\.~*^]?(?:v|(\\\/)|\#(?:86|118);){1,2}['\.~*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|i[a-z]+;){1,2}['\.~*^]?(?:[t\xA3\xB1]|\#(?:84|116);){1,2}['\.~*^]?(?:r|\#(?:82|114);){1,2}['\.~*^]?(?:[EMAIL PROTECTED]|\/\\|a[a-z]+;))|(?:l\s?e\s?v\s?i\s?t\s?r\s?a))/i
score    OBFU_WRD_089 3.0

# viagra @ 2.5
describe OBFU_WRD_184 obfuscated viagra
body     OBFU_WRD_184 /\b(?!viagra)(?:(?:(?:v|(\\\/)|\#(?:86|118);){1,2}['\.~*^]?(?:[i!l1j\|\/\xA1\xCC-\xCF\xEC-\xEF]|i[a-z]+;){1,2}['\.~*^]?(?:[EMAIL PROTECTED]|\/\\|a[a-z]+;){1,2}['\.~*^]?(?:[gq]|\#(?:71|103);){1,2}['\.~*^]?(?:r|\#(?:82|114);){1,2}['\.~*^]?(?:[EMAIL PROTECTED]|\/\\|a[a-z]+;))|(?:v\s?i\s?a\s?g\s?r\s?a))/i
score    OBFU_WRD_184 2.5

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Bother, said Pooh as he struggled with /etc/sendmail.cf, it never does quite what I want. I wish Christopher Robin was here. -- Peter da Silva in a.s.r
---
26 days until Christmas
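The structure of the rules posted above (a negative lookahead on the plain spelling, per-letter lookalike classes with optional filler, and a spaced-out alternative) can be generated from a word list. The following is an added example, not John Hardin's script: the lookalike table is a small constructed subset and the function names are hypothetical.

```python
import re

# Constructed lookalike table (ASCII-only subset, an assumption for this
# example). "@" and "$" are backslash-escaped because SpamAssassin compiles
# rule patterns as Perl regexes, where a bare @ or $ would interpolate.
LOOKALIKES = {
    "a": r"[a\@4]",
    "e": r"[e3]",
    "g": r"[gq]",
    "i": r"[i!l1j|]",
    "l": r"[l1i!|]",
    "o": r"[o0]",
    "s": r"[s5z\$]",
    "v": r"v|\\/",      # the letter v, or the two characters \/
}
FILLER = r"['.~*^]?"    # optional filler between letters, as in the posted rules


def _unit(ch):
    """One letter position: its lookalike class, or the literal letter."""
    return "(?:" + LOOKALIKES.get(ch, re.escape(ch)) + ")"


def obfu_pattern(word):
    """Regex source that matches mangled spellings of `word`, not `word` itself."""
    units = [_unit(ch) for ch in word]
    # Every letter but the last may be doubled; filler may sit between letters.
    mangled = FILLER.join(u + "{1,2}" for u in units[:-1]) + FILLER + units[-1]
    # Second alternative: the plain letters with optional whitespace between.
    spaced = r"\s?".join(re.escape(ch) for ch in word)
    # (?!word) keeps the rule from firing on the ordinary spelling.
    return rf"\b(?!{re.escape(word)})(?:(?:{mangled})|(?:{spaced}))"


def fires(word, text):
    """True if the generated pattern for `word` matches anywhere in `text`."""
    return re.search(obfu_pattern(word), text, re.I) is not None


def sa_rule(word, number, score):
    """Render the pattern as describe/body/score lines in the posted layout."""
    name = f"OBFU_WRD_{number:03d}"
    pattern = obfu_pattern(word).replace("/", r"\/")  # "/" is the rule delimiter
    return "\n".join([
        f"describe {name} obfuscated {word}",
        f"body     {name} /{pattern}/i",
        f"score    {name} {score}",
    ])


if __name__ == "__main__":
    # Constructed sample texts.
    for text in ["v1agra", "V.i.a.g.r.a today", "v i a g r a",
                 "cheap viagra here", "via grand canal"]:
        print(f"{text!r:24} fires={fires('viagra', text)}")
    print(sa_rule("viagra", 184, 2.5))
```

The last sample shows the cost of the spaced alternative: it has no trailing word boundary, so "via grand canal" fires, which is one reason such rules need a moderate score rather than a decisive one.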
Score=x+5
I've just seen a mail marked as spammy (amavisd-new) where the score header had Score=x+5 where x was the sum of the SA tests.

X-Spam-Status: Yes, score=0.917+5 tagged_above=0 required=5 tests=[AWL=0.727,BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.01, FORGED_RCVD_HELO=0.135,HTML_MESSAGE=0.001, P0F_UNIX=-0.001, SARE_HTML_MANY_BR05=0.5,SARE_HTML_TD_BR=0.934, SARE_UNA=1.231, SPF_PASS=-0.001]

I'm curious as to where the 5 came from as the mail report does not look like spam:

Content analysis details: (0.9 points, 5.0 required)

 pts rule name            description
 --- -------------------- --------------------------------------------
-0.0 P0F_UNIX             OS fingerprint BSD/Solaris/HP-UX/Tru64
 0.1 FORGED_RCVD_HELO     Received: contains a forged HELO
-0.0 SPF_PASS             SPF: sender matches SPF record
-0.0 BOTNET_SERVERWORDS   Hostname contains server-like substrings
-2.6 BAYES_00             BODY: Bayesian spam probability is 0 to 1%
                          [score: 0.]
 0.0 HTML_MESSAGE         BODY: HTML included in message
 1.2 SARE_UNA             RAW: SARE_UNA
 0.9 SARE_HTML_TD_BR      FULL: Multiple line breaks in spammer pattern
 0.5 SARE_HTML_MANY_BR05  Tooo many br's!
 0.7 AWL                  AWL: From: address is in the auto white-list

I've not seen this before (in over 4 years) and could not see an answer from a quick search.

Thanks

Alan
Re: Fetchmail/sa-learn timeout (config included) --SOLVED
Turned out to just be a bad message in my IMAP folder. Deleted that one and the rest came through.

Ian Pattison [EMAIL PROTECTED] 28/11/2006 23:23

Hi All,

Forgot to include the config last time

SuSE 10.1
Spamassassin 3.1.7 (Built from source tarballs)
Fetchmail 6.3.2
IMAP server is GroupWise 6.5, on same segment

I've been fighting with sa-learn all day and need some help here. I'm using fetchmail to pull spam messages from a remote IMAP server and classify them with sa-learn. So far it's not working well. Fetchmail will download the first message and feed it to sa-learn. Sa-learn will process cleanly right through until the end of the expire process then will hang for 300 seconds, give an error that fetchmail has timed out, proceed to profile the one message it has received and then terminate.

This is a new installation, clean empty databases and I'm at a loss right now. Packet scans show no requests to/from the IMAP server during the 300 second hang time. I've attached a transcript of the output (-D used). Anyone have any ideas?

Ian
MailMarshal at csg.com.au
Can we *please* get csg.com.au unsubscribed?

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Bother, said Pooh as he struggled with /etc/sendmail.cf, it never does quite what I want. I wish Christopher Robin was here. -- Peter da Silva in a.s.r
---
26 days until Christmas

-- Forwarded message --
Date: Thu, 30 Nov 2006 11:17:50 +0930
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Your email message was blocked

MailMarshal (an automated content monitoring gateway) has stopped the following email for the following reason: It believes it may contain unacceptable language, or inappropriate material.

Message: B0003dbe6d.0001.mml
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Your email message was blocked

Please remove any inappropriate language and send it again. The blocked email will be automatically deleted after 4 days.

MailMarshal Rule: CSG Bothways : Block Unacceptable Language
Script Offensive Language (Basic) Triggered in Body
Expression: [elided] Triggered 1 times weighting 5

For more information on email virus scanning, security and content management, visit http://www.marshalsoftware.com
Re: Installed FuzzyOCR - What am I missing?
On Tue, 28 Nov 2006, Evan Platt wrote:

Thanks to everyone especially Decoder, I think I'm up and running. png is the only one not working. Any reason NOT to assign 10 points to fuzzy ocr tripped words? I mean I wouldn't add 10 points just because someone typed the V word in an e-mail to me, but I can't think of an instance where I'd expect a GIF message with it in it.

You -do- understand that the 'fuzzy' part of FuzzyOCR means that it does inexact matching on the characters that it pulls out of an image. So for example, a college newsletter that I received which had a school logo image fired on FuzzyOCR claiming to match company. I've also seen it fire on things such as an airline ticket confirmation notice, a religious newsletter, and a technical bulletin. Just one word for each, which with the default score wasn't enough to tag as spam but with a score of 10 a guaranteed FP.

Dave

--
Dave Funk                              University of Iowa
dbfunk (at) engineering.uiowa.edu      College of Engineering
319/335-5751   FAX: 319/384-0549       1256 Seamans Center
Sys_admin/Postmaster/cell_admin        Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
Re: Score=x+5
Alan Munday wrote:

I've just seen a mail marked as spammy (amavisd-new) where the score header had Score=x+5 where x was the sum of the SA tests.

X-Spam-Status: Yes, score=0.917+5 tagged_above=0 required=5 tests=[AWL=0.727,BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.01, FORGED_RCVD_HELO=0.135,HTML_MESSAGE=0.001, P0F_UNIX=-0.001, SARE_HTML_MANY_BR05=0.5,SARE_HTML_TD_BR=0.934, SARE_UNA=1.231, SPF_PASS=-0.001]

I'm curious as to where the 5 came from as the mail report does not look like spam:

My guess would be amavis's soft-blacklist feature.
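To check a header like the one in this thread, the listed tests can be summed and compared with the two halves of `score=x+5`. The parser below is an added example, not part of amavisd-new or SpamAssassin; it also accepts the older `hits=` form from the SpamAssassin 2.60 sample quoted earlier on this page, and its function names are hypothetical.

```python
import re

NUM = r"-?\d+(?:\.\d+)?"

# Header values copied from the messages on this page.
AMAVIS_STATUS = (
    "Yes, score=0.917+5 tagged_above=0 required=5 tests=[AWL=0.727,"
    "BAYES_00=-2.599, BOTNET_SERVERWORDS=-0.01, FORGED_RCVD_HELO=0.135,"
    "HTML_MESSAGE=0.001, P0F_UNIX=-0.001, SARE_HTML_MANY_BR05=0.5,"
    "SARE_HTML_TD_BR=0.934, SARE_UNA=1.231, SPF_PASS=-0.001]"
)
SA260_STATUS = (
    "No, hits=4.1 required=4.5 tests=HTML_20_30,HTML_MESSAGE, "
    "HTML_TITLE_EMPTY,RATWR9_MESSID,SARE_MSGID_DBL_AT,Seaton_Signup,TW_TV, "
    "TW_VP,TW_YD autolearn=no version=2.60"
)


def parse_status(value):
    """Split an X-Spam-Status value into test score, added boost and tests."""
    score = re.search(rf"(?:score|hits)=({NUM})(?:\+({NUM}))?", value)
    required = re.search(rf"required=({NUM})", value)
    if not score or not required:
        raise ValueError("not an X-Spam-Status value")
    # Bracketed name=points list first, then the bare comma list, which ends
    # at the next " key=" field or at the end of the value.
    tests = re.search(r"tests=\[(.*?)\]", value, re.S)
    if tests is None:
        tests = re.search(r"tests=(.*?)(?=\s+\w+=|\s*$)", value, re.S)
    per_test = {}
    for item in (tests.group(1) if tests else "").split(","):
        name, _, points = item.strip().partition("=")
        if name:
            per_test[name] = float(points) if points else None
    scored = [p for p in per_test.values() if p is not None]
    sa_score = float(score.group(1))
    boost = float(score.group(2) or 0)
    return {
        "flag": value.split(",", 1)[0].strip(),
        "sa_score": sa_score,
        "boost": boost,
        "required": float(required.group(1)),
        "tests": per_test,
        "tests_sum": round(sum(scored), 3) if scored else None,
        "total": round(sa_score + boost, 3),
    }


def verdict(status):
    """Say whether the tests alone, or only the added boost, reach the threshold."""
    if status["sa_score"] >= status["required"]:
        return "spam-by-tests"
    if status["total"] >= status["required"]:
        return "spam-by-boost"
    return "ham"


if __name__ == "__main__":
    for raw in (AMAVIS_STATUS, SA260_STATUS):
        s = parse_status(raw)
        print(s["flag"], s["sa_score"], "+", s["boost"], "vs", s["required"],
              "tests sum:", s["tests_sum"], "->", verdict(s))
```

For the header in question the tests sum to 0.917, matching the first half of the score, so the 5 was added outside the listed SpamAssassin tests, which is consistent with the guess in the reply above.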
Re: HTML Source Rule
Bob Newhart wrote:

Hello, I was wondering if there is a way to write a rule for HTML source code contained in an email.

Use rawbody as the rule type. This will match the text after decoding (ie: base64) and line-wrap removal, but before HTML tags are removed.
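The two points made in this thread, that `rawbody` sees decoded text with tags intact and that `src=cid:` only points at another MIME part of the same message, can be checked on a message that is not spam at all. This is an added example using Python's standard `email` package, not SpamAssassin code; the newsletter, its addresses and the rule name in the comment are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# The fragment the question wants to match. As a SpamAssassin rule it would be
# something like (hypothetical rule name):
#   rawbody LOCAL_SRC_CID /src\s*=\s*["']?cid:/i
CID_SRC = re.compile(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", re.I)


def build_newsletter():
    """Constructed legitimate message with one inline image, HTML in base64."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "Monthly newsletter"
    msg.set_content("Monthly newsletter (the HTML version carries the logo).")
    msg.add_alternative(
        "<html><body><p>Monthly newsletter</p>"
        '<img src="cid:logo.1@example.invalid" alt="logo"></body></html>',
        subtype="html", cte="base64")
    # Attach the image next to the HTML part and give it the Content-ID
    # that the src=cid: URL refers to.
    msg.get_payload()[1].add_related(
        b"GIF89a" + bytes(16), "image", "gif", cid="<logo.1@example.invalid>")
    return msg.as_bytes()


def wire_view(raw):
    """The message as transmitted: the HTML part is still base64 text."""
    return raw.decode("latin-1")


def rawbody_view(raw):
    """Text parts after transfer decoding, HTML tags intact."""
    msg = message_from_bytes(raw, policy=policy.default)
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")


def stripped_view(raw):
    """Rough stand-in (assumption) for the text left once tags are removed."""
    return re.sub(r"<[^>]+>", " ", rawbody_view(raw))


def resolve_cids(raw):
    """Map each cid: reference to the content type of the part it names."""
    msg = message_from_bytes(raw, policy=policy.default)
    by_id = {str(part["Content-ID"]).strip("<>"): part.get_content_type()
             for part in msg.walk() if part["Content-ID"]}
    return {cid: by_id.get(cid) for cid in CID_SRC.findall(rawbody_view(raw))}


if __name__ == "__main__":
    raw = build_newsletter()
    print("wire     :", bool(CID_SRC.search(wire_view(raw))))
    print("rawbody  :", bool(CID_SRC.search(rawbody_view(raw))))
    print("stripped :", bool(CID_SRC.search(stripped_view(raw))))
    print("resolves :", resolve_cids(raw))
```

The pattern matches only in the decoded, tag-preserving view, and it matches this ordinary newsletter, so on its own it says nothing about whether a message is stock spam.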
Re: Fetchmail/sa-learn timeout (config included) --SOLVED
What IMAP client are you using? It'd pay to forward the bad message to the maintainers so they can fix the hang. It would make a dandy DoS attack.

{^_^}
Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?
Adam Wilbraham wrote: On Wed, 29 Nov 2006 08:22:13 -0600 Bookworm [EMAIL PROTECTED] wrote: It sounds like you have the spamd bayes database, and then you have the database for whatever user you're actually running the test from. I ran into this problem as well - it's a known issue, and I wish the SA folks would come up with a way to run, as root, sa-learn for a NON-ROOT bayes database. Vpopmail directories aren't readable by spamd. I'm not running vpopmail on this server. spamd is running as qscand, however I've got my /etc/spamassasin/local.cf set to use a site wide bayes database. I also have auto_whitelist configured, and I'm wondering if this is such a good idea:
bayes_path /etc/mail/spamassassin/bayes
bayes_file_mode 0770
auto_whitelist_path /etc/mail/spamassassin/auto-whitelist
auto_whitelist_file_mode 0770
use_bayes 1
bayes_auto_learn 1
I have a script that runs every night that sa-learns data from each user's SpamTrain folder into this site wide database. Now I seriously hope that spamd isn't reading its bayes data from qscand's home, as this data hasn't been touched for 2 years:
ls -alh ~/qscand/.spamassassin
drwxr-xr-x 2 qscand qscand 4.0K 2004-07-07 11:01 .
drwxr-xr-x 4 qscand root 4.0K 2006-07-26 11:28 ..
-rw-r--r-- 1 qscand qscand 20K 2004-01-06 16:43 auto-whitelist
-rw--- 1 qscand qscand 556K 2004-07-07 11:01 auto-whitelist.dir
-rw--- 1 qscand qscand 556K 2004-07-07 11:01 auto-whitelist.pag
-rw--- 1 qscand qscand 47K 2004-07-07 11:01 bayes_journal
-rw-r--r-- 1 qscand qscand 10M 2004-07-07 11:01 bayes_seen
-rw--- 1 qscand qscand 4.2M 2004-07-07 11:01 bayes_toks
-rw-r--r-- 1 qscand qscand 1.5K 2006-07-06 09:53 user_prefs
Maybe I should delete that and symlink in the files to the sitewide bayes, just in case? When I ran spamassassin on the item of spam I referred to earlier, it was using my own user account. I don't even have any data in my .spamassassin folder, so I can only assume that it was using the site wide bayes for its checks then.
Or could my bayes data be completely messed up, and spamassassin was doing a better job of identifying spam under my user account with no bayes data at all? Once again many thanks for the suggestions and help... Wilb If you're running it as yourself, and spamassassin isn't running as your username, then it's probably not working. Check /home/spamd (or whatever user spamassassin runs as). See if there's a bayes database in there. Also check YOUR home directory, and see if you have bayes files. (locate -i bayes_journal works well for this sort of thing) BW