some concernns in collaboratif effort in learning process for Bayesian filter
Hi all, since it is hard for a person to teach the spamassassin which mails are spam and which are not for all users, i was thinking about doing the following: Create a mail account let's say : [EMAIL PROTECTED] Tell trusted users to forward the mails they identify as spam to [EMAIL PROTECTED] . Run a cron job that launch sa-learn on the mailbox [EMAIL PROTECTED], making the spamassassin identify them as spam. Since i don't really know how Bayesian filter works internally; i have some concerns: - First when we forward a messagge there is a character (usually ) added at each line; So should i remove this character before applying the sa-learn command ? - second when we forward an email there's an added header the one from the user we trust, should i remove also this added header before applying sa-learn? Does leaving this header when applying sa-learn could make any misclassification of the trusted users ? PS: I have autolearn on, so this procedure i am trying to implement will increase the probability of identifiying words in spam mails ! Thanks in advance for any help. - Everyone is raving about the all-new Yahoo! Mail beta.
sa-update / taint error
Hi, Whenever I try to run sa-update, it ends with the error: sa-update -D --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A ... [14411] dbg: generic: unlinking 10_misc.cf Insecure dependency in unlink while running with -T switch at /usr/bin/sa-update line 1173. I'm not an perl-wizzard. Untainting $path doesn't help. What can be the problem? dawn:mail/spamassassin-# rpm -qf `which sa-update` spamassassin-3.1.7-1.el3.rf Regards, -- Henk van Lingen, Systems Network Administrator (o- -+ Dept. of Computer Science, Utrecht University./\| phone: +31-30-2534107v_/_ http://henk.vanlingen.net/ http://www.tuxtown.net/netiquette/
new Botnet plugin version soon
Things I'm putting into the new Botnet version (which will be 0.5): 1) someone noticed that some MTA's (specifically CommuniGate Pro) don't put the relay's RDNS into the Received headers, and thus Botnet 0.4 always triggered NORDNS when run on that MTA. In the new version, if Botnet finds that the relay it's going to look at has no rdns in the pseudo-header, then the _first_ time it looks it will try to lookup the relay (and store it in the pseudo-header if it finds it; or store -1 if not). From then on, it will give the right answer for the other Botnet rules. This avoids the performance problem of every Botnet rule does 1 or 2 DNS checks that I tried to solve 1 or 2 versions ago, but does mean that at least 1 DNS check will be done (by the first Botnet rule that happens to get called) if the relay doesn't have RDNS. This might happen even if you have network checks turned off. If you're concerned about the small performance hit on this, then it might be a good idea to run a caching name server on the host where Botnet runs. (I had also considered only doing this if the user set a new config option, botnet_lame_mta_rdns, to 1 ... but I thought I'd try this first) 2) As suggested, I've added botnet_pass_domains -- regular expressions, anchored to the end of the hostname string, that look for domains to exempt from Botnet checks. 3) I modifed the IP in hostname check slightly. It used to look for mixed deximal and hexidecimal octets in the hostname. This caused a small problem with the following Received header: Received: from badger07006.apple.com (badger07006.apple.com [17.254.6.173]) (ad is hexadecimal for 173, and you can see 006 right in there, therefore 2 octets are present in the hostname) To avoid this special case, I have made it so that it doesn't put the hexicecimal and decimal checks into the same regular expression. This could, however, slightly reduce Botnet's effectiveness. I'm going to re-evaluate it over time. (note: I have ALSO addressed this by putting apple\.com into the botnet_pass_domains example; using botnet_pass_domains or botnet_pass_ip might be the better way to address these special cases in the future, but I'm not sure yet) 4) I've added mx to the included botnet_serverwords. Technically this alone would exempt the ebay hosts that use mxpool, so ebay wouldn't need a botnet_skip_domains entry ... but I also made such an entry for ebay. I'm not sure yet if mx is a good idea to have in botnet_serverwords though. 5) In the past, I only had the 127.* localhost IP address block, and the 10.* private IP address block in the example botnet_skip_ip config. From a suggestion I received, I've added the other two private IP blocks as well ( 192.168.* and 172.(16-31).* ). I have two questions: Question 1: Someone suggested that, for botnet_pass_domains, I not re-invent the wheel. SA already has several whitelist options (whitelist* and sare_whitelist* were specifically mentioned). They suggested that I leverage them. My first (two part) question is: a) do any of them have a small enough value that they wouldn't counter botnet's default score of 5? Meaning, if I do nothing with respect to those other whitelist mechanisms, they'll still do the right thing and let the botnet hosts through, right? b) clearly I've gone ahead and done botnet_pass_domains ... but part of me wants to do both. So what is the right way to have Botnet recognize those other host/domain whitelisting mechanisms? I have no idea what the sare_whitelist entries look like, but I was thinking maybe I could do take the whitelist_from argument, the 2nd argument to whitelist_from_rcvd, and maybe the whitelist_from_spf argument, and munge them into a domain name to exempt. The catch is: if I do that, shouldn't I _also_ recognize the unwhitelist_* configs? That starts to get a bit hairy, IMO. For now, I'm not going to go down this path... but I'm interested in people's opinions about whether or not I should recognize whitelist*, sare_whitelist*, and unwhitelist* config options and somehow incorporate them into botnet_pass_domains. I'd also consider code snippets that would be compatible with the code I already have for Botnet::parse_config. My main hope, though, is that the scores for those mechanisms are already negative enough that they over-ride Botnet anyway. Given that the ones in the base SA are scored at -6, -15, or -100 ... I think that's a comfortable assumption on my part. I don't know if sare_whitelist fits into that or not, though. (for similar reasons I'm currently not going to look at making the BOTNET meta rule's expression more complicated with references to DK and DKIM; the DK scores in the base SA are scored at -100 and -7.5 ... that seems useful enough to me; but I might look at putting in alternate meta rule expressions that are commented out, if people really want me to; that way people could
RE: new Botnet plugin version soon
Suggestion: Rename your plugin to AntiBotnet (or something like that) Otherwise, I could see someone getting the good guys and bad guys mixed up when reading or hearing about this! Rob McEwen
Re: new Botnet plugin version soon
John, a) do any of them have a small enough value that they wouldn't counter botnet's default score of 5? Meaning, if I do nothing with respect to those other whitelist mechanisms, they'll still do the right thing and let the botnet hosts through, right? Not by default, although I set my SA-based whitelist scores at -4 (I only use a handful). (for similar reasons I'm currently not going to look at making the BOTNET meta rule's expression more complicated with references to DK and DKIM; the DK scores in the base SA are scored at -100 and -7.5 ... that seems useful enough to me; but I might look at putting in alternate meta rule expressions that are commented out, if people really want me to; that way people could just choose to comment and uncomment whatever seems most appropriate for their situation) I 'whitelist' DK-verified yahoo and gmail mail at -2.5 (there is some spam coming from legitimate accounts there). It is also quite unlikely that verified yahoo or gmail mail would be coming from a botnet, so if BOTNET rules fired it would be almost certain false positive. Mark
Re: new Botnet plugin version soon
On Thu, 30 Nov 2006, John Rudd wrote: From: John Rudd [EMAIL PROTECTED] To: users@spamassassin.apache.org, CommuniGate Pro Discussions [EMAIL PROTECTED], MailScanner discussion [EMAIL PROTECTED] Date: Thu, 30 Nov 2006 04:06:55 -0800 Subject: new Botnet plugin version soon ... Question 2: someone asked why my module is Botnet instead of Mail::SpamAssassin::Plugin::Botnet. The answer is: when I first started this (and this is/was my first SA Plugin authoring attempt), I tried that and it didn't work. If someone wants to look at it, and figure out how to make that work I prefer to have all the SpamAssassin plugins grouped together where the default install puts them. This is in the directory: /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/Plugin/ on my OpenBSD boxes. So I altered Botnet.pm so the line: package Botnet; now reads: package Mail::SpamAssassin::Plugin::Botnet; and placed it in the above directory. The line: loadplugin BotnetBotnet.pm in /etc/mail/spamassassin/Botnet.cf was altered to: loadplugin Mail::SpamAssassin::Plugin::Botnet It works a treat. I did something similar for the FuzzyOcr.pm plugin. (but still have the files located in /etc/mail/spamassassin) I would happily incorporate it. Well, you *could* do this with soft links. But that would be a terrible hack :-( -- Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK [EMAIL PROTECTED] Phone: +44 1225 386101
Re: MX server Queue
chisina mike wrote: MX1 sendmail server mail queue is getting bigger, it must forward all mail to Main mail server. [EMAIL PROTECTED] mqueue]# grep stat=queue -c /var/log/maillog 6363 I tried the following commands # vi /etc/MailScanner/MailScanner.conf Deliver In Background = yes Delivery Method = queue # vi /etc/crontab 0-59 * * * * /usr/sbin/sendmail [EMAIL PROTECTED] #vi /etc/mail/sendmail.cf O MinQueueAge=15m [EMAIL PROTECTED] ~]# sendmail -bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in But I still have the same problem. Regards Mike chisina Is there a question here somewhere? Im not even sure what this has to do with SpamAssassin? -Jim
long: spamc returns 0/0 (spamd is crashing)
My spamassassin works fine, but sometimes is crashing . I need some help to figure out the cause and fix... Above, many details for this problem: I'm using Suse 10.0 Spamassassin 3.1.6 perl-5.8.7 As you can see, all my spamd process is running # netstat -an | grep 783 tcp0 0 127.0.0.1:783 0.0.0.0:* LISTEN # ps -ef | grep spam root 29440 1 0 09:58 ?00:00:29 /usr/bin/perl -T -w /usr/sbin/spamd -x -u spamd -d -m 15 -D -r /home/spamd/.spamassassin/var/run/spamd.pid spamd15777 29440 0 11:36 ?00:00:00 spamd child spamd15783 29440 0 11:37 ?00:00:00 spamd child But, spamc don't work (returns 0/0 results with a spam message) # spamc -c -R -l /tmp/spam1.eml 0/0 The cpu load is fine: top - 11:40:48 up 5 days, 21:47, 3 users, load average: 0.12, 0.18, 1.63 And no timout are given: # time spamc -c -R -l /tmp/spam1.eml 0/0 real0m1.762s user0m0.004s sys 0m0.000s as all can see, no erros are report (a long debug, be patient): -- Nov 30 12:07:25 server spamd[29440]: prefork: ordered 24417 to accept Nov 30 12:07:25 server spamd[29440]: prefork: sysread(7) not ready, wait max 300 secs Nov 30 12:07:25 server spamd[29440]: prefork: child 24417: entering state 2 Nov 30 12:07:25 server spamd[24417]: spamd: connection from localhost [127.0.0.1] at port 48289 Nov 30 12:07:25 server spamd[29440]: prefork: new lowest idle kid: 24490 Nov 30 12:07:25 server spamd[24417]: spamd: checking message [EMAIL PROTECTED] for root:1001 Nov 30 12:07:25 server spamd[24417]: dns: name server: 200.XXX.XXX.XXX, family: 2, ipv6: 0 Nov 30 12:07:25 server spamd[24417]: received-header: parsed as [ ip=200.XXX.XXX.XXX rdns=server.jamef.com.br helo=mail.jamef.com.br by=mail.bhz.jamef ident= [EMAIL PROTECTED] intl=0 id= auth= ] Nov 30 12:07:25 server spamd[24417]: received-header: parsed as [ ip=200.XXX.XXX.XXX rdns=server.jamef.com.br helo=mail.jamef.com.br by=mail.bhz.jamef ident= [EMAIL PROTECTED] intl=0 id= auth= ] Nov 30 12:07:25 server spamd[24417]: dns: looking up A records for 'mail.bhz.jamef' Nov 30 12:07:25 server spamd[24417]: dns: A records for 'mail.bhz.jamef': 172.22.10.1 Nov 30 12:07:25 server spamd[24417]: dns: looking up A records for 'mail.bhz.jamef' Nov 30 12:07:25 server spamd[24417]: dns: A records for 'mail.bhz.jamef': 172.22.10.1 Nov 30 12:07:25 server spamd[24417]: received-header: 'by' mail.bhz.jamef has private IP 172.22.10.1 Nov 30 12:07:25 server spamd[24417]: received-header: 'by' mail.bhz.jamef has no public IPs Nov 30 12:07:25 server spamd[24417]: received-header: relay 200.XXX.XXX.XXX trusted? yes internal? no Nov 30 12:07:25 server spamd[24417]: received-header: parsed as [ ip=195.13.38.136 rdns=terminal-1-136.retsat1.com.pl helo=terminal-1-136.retsat1.com.pl by=mail.jamef.com.br ident= envfrom= intl=0 id= auth= ] Nov 30 12:07:25 server spamd[24417]: received-header: parsed as [ ip=195.13.38.136 rdns=terminal-1-136.retsat1.com.pl helo=terminal-1-136.retsat1.com.pl by=mail.jamef.com.br ident= [EMAIL PROTECTED] intl=0 id= auth= ] Nov 30 12:07:25 server spamd[24417]: dns: looking up A records for 'mail.jamef.com.br' Nov 30 12:07:25 server spamd[24417]: dns: A records for 'mail.jamef.com.br': 200.XXX.XXX.XXX Nov 30 12:07:25 server spamd[24417]: received-header: 'by' mail.jamef.com.br has public IP 200.XXX.XXX.XXX Nov 30 12:07:25 server spamd[24417]: received-header: relay 195.13.38.136 trusted? no internal? no Nov 30 12:07:25 server spamd[24417]: metadata: X-Spam-Relays-Trusted: [ ip=200.XXX.XXX.XXX rdns=server.jamef.com.br helo=mail.jamef.com.br by=mail.bhz.jamef ident= [EMAIL PROTECTED] intl=0 id= auth= ] Nov 30 12:07:25 server spamd[24417]: metadata: X-Spam-Relays-Untrusted: [ ip=195.13.38.136 rdns=terminal-1-136.retsat1.com.pl helo=terminal-1-136.retsat1.com.pl by=mail.jamef.com.br ident= [EMAIL PROTECTED] intl=0 id= auth= ] Nov 30 12:07:25 server spamd[24417]: metadata: X-Spam-Relays-Internal: Nov 30 12:07:25 server spamd[24417]: metadata: X-Spam-Relays-External: [ ip=200.XXX.XXX.XXX rdns=server.jamef.com.br helo=mail.jamef.com.br by=mail.bhz.jamef ident= [EMAIL PROTECTED] intl=0 id= auth= ] [ ip=195.13.38.136 rdns=terminal-1-136.retsat1.com.pl helo=terminal-1-136.retsat1.com.pl by=mail.jamef.com.br ident= [EMAIL PROTECTED] intl=0 id= auth= ] Nov 30 12:07:25 server spamd[24417]: message: MIME PARSER START Nov 30 12:07:25 server spamd[24417]: message: main message type: multipart/mixed Nov 30 12:07:25 server spamd[24417]: message: parsing multipart, got boundary: =_NextPart_000_0007_01C70B4D.87788B80 Nov 30 12:07:25 server spamd[24417]: message: found part of type multipart/alternative, boundary: =_NextPart_001_0008_01C70B4D.87788B80 Nov 30 12:07:25 server spamd[24417]: message: parsing multipart, got boundary: =_NextPart_001_0008_01C70B4D.87788B80 Nov 30 12:07:25 server
RE: RE: How to extract the Reverse DNS hostname by script means?
Hello! Leon Kolchinsky [EMAIL PROTECTED] wrote on 19.11.2006 09:28:14: Hi Bret, According to tip from Gary V. you can reliably use whitelist_from_rcvd, You only should configure the following parameters right: trusted_networks internal_networks Best Regards, Leon Kolchinsky ... SpamAssassin will be testing the whitelist_from_rcvd against the topmost (final) received header when SA runs, so that's the one you need to look at. ... Well, does SA really check *only* topmost header? I've found that whitelist_from_rcvd works only if e-mail has *only one* received: header that fits with corresponding whitelist_from_rcvd record. If there are some additional untrusted received: headers in e-mail then whitelisting fails for me... Here is my configuration. my_server1.my_domain1.com is our SMTP server with Exim + SpamAssassin installed. my_server.my_domain.com acts as a relay for the first server (it can send both it's own mail and external mail to my_server1.my_domain1.com). my_server.my_domain.com is added in trusted_networks. For example, I have the following record in my local.cf: whitelist_from_rcvd [EMAIL PROTECTED] my_domain.com. E-mail with the following *two* received: headers will not be whitelisted while with the *first* only will be: Received: from my_server.my_domain.com ([XXX.XXX.XXX.XXX]) by my_server1.my_domain1.com with esmtp (Exim 4.63) (envelope-from [EMAIL PROTECTED]) id 1Gpcaa-0003ZF-Ti for [EMAIL PROTECTED]; Thu, 30 Nov 2006 06:27:57 +0300 Received: from alien_server.alien_domain.com ([YYY.YYY.YYY.YYY]) by my_server.my_domain.com (8.13.6/8.13.4) with SMTP id kAU3ROA5001821 for [EMAIL PROTECTED]; Thu, 30 Nov 2006 06:27:50 +0300 (MSK) (envelope-from [EMAIL PROTECTED]) So, Am I missing something? Thanx in advance. Vitaly.
Re: some concernns in collaboratif effort in learning process for Bayesian filter
Najib Abi Fadel wrote: Hi all, since it is hard for a person to teach the spamassassin which mails are spam and which are not for all users, i was thinking about doing the following: Create a mail account let's say : [EMAIL PROTECTED] Tell trusted users to forward the mails they identify as spam to [EMAIL PROTECTED] . Run a cron job that launch sa-learn on the mailbox [EMAIL PROTECTED], making the spamassassin identify them as spam. Since i don't really know how Bayesian filter works internally; i have some concerns: In general, forwards are pretty useless for bayes training.. Try forwarding a multipart/alternative spam message with dissimilar text/plain and text/html sections and look at what really gets forwarded. All the headers are new, the originals are discarded. That's bad. Some of the body has been discarded. The rest of the body has been modified, reformatted and re-encoded differently. The two messages aren't the same. Sometimes you can do a redirect bounce or forward as attachment and end up with something reasonable, but plain forward nearly always destroys the message.
Re: long: spamc returns 0/0 (spamd is crashing)
The *difference between* log before and after spamd restart (maybe) is: the spamd do a prefork child and closed connection, before finish the rest of tests (*terminated* prematurely !?!) Look: - log when spamd crashed + log when spamd is work fine - dcc: got response: X-DCC-sonic.net-Metrics: server 1156; Body=22 Fuz1=22 Fuz2=22 + dcc: got response: X-DCC-sonic.net-Metrics: server 1156; Body=28 Fuz1=28 Fuz2=28 info: leaving helper-app run mode - prefork: new lowest idle kid: 24490 --- prefork child - spamd: handled cleanup of child pid 24417 due to SIGCHLD --- clenup here - prefork: child closed connection -- close connection - prefork: child states: I - spamd: server successfully spawned child process, pid 25831 - prefork: child 25831: entering state 0 - prefork: new lowest idle kid: 24490 - prefork: sysread(8) not ready, wait max 300 secs - prefork: child 25831: entering state 1 - prefork: new lowest idle kid: 24490 + check: running tests for priority: 500 after spamd restarted, prefork is doing, but the rest of tests continues. + dns: success for 15 of 18 queries -- see??? + dns: timeout for whois-lastexternal after 5 seconds -- see??? + dns: timeout for whois after 5 seconds -- see??? + dns: timeout for dsbl-lastexternal after 5 seconds -- see??? + rules: running meta tests; score so far=6.806 -- see??? + rules: running header regexp tests; score so far=6.806 + rules: running body-text per-line regexp tests; score so far=6.806 + uri: running uri tests; score so far=6.806 + rules: running raw-body-text per-line regexp tests; score so far=6.806 + rules: running full-text regexp tests; score so far=6.806 + check: running tests for priority: 900 + rules: running meta tests; score so far=6.806
Spamassasin Has Quit Working
Hello All! I have been running with spamassassin spamass-milter sucsessfully for several months. Then Redhat did a update and now I am having issues with spam not getting scored. Does anyone have any clue where I should go next? Thanks! Log Entry... Nov 30 10:20:03 gandalf spamass-milter[3602]: Could not extract score from Yum Update Log... Nov 28 11:53:24 Updated: spamassassin.i386 3.1.7-1.fc5 Nov 27 11:39:03 Updated: clamav-data.i386 0.88.6-1.fc5 Nov 27 11:39:04 Updated: clamav-lib.i386 0.88.6-1.fc5 Nov 27 11:39:25 Updated: clamav-milter.i386 0.88.6-1.fc5 Nov 27 11:39:28 Updated: clamav-server.i386 0.88.6-1.fc5 Nov 27 11:39:57 Updated: clamav.i386 0.88.6-1.fc5 Nov 27 11:40:05 Updated: clamav-update.i386 0.88.6-1.fc5 Nov 27 11:40:05 Updated: clamav-devel.i386 0.88.6-1.fc5 Part of Header... X-Virus-Scanned: ClamAV 0.88.6/2263/Thu Nov 30 01:51:08 2006 on gandalf.ctdx.net X-Virus-Status: Clean X-Spam-Report: * 3.0 SC_TOP200_88 A relay is listed in the Top200 SpamCop listing * 1.0 MIME_QP_LONG_LINE RAW: MIME_QP_LONG_LINE * 2.0 SARE_RAND_5 SARE_RAND_5 * 1.5 SARE_RAND_5B SARE_RAND_5B X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on gandalf.ctdx.net --- Chris Edwards Buy The Truck Phone: 706.638.5977 x222 Fax: 706.638.0595 Web: http://www.buythetruck.com http://www.buythetruck.com/ Email: [EMAIL PROTECTED] P.O. Box 468 1115 S. Chattanooga St. Lafayette, GA 30728 Quote of The Day: Better hardware is the true path to ultimate happiness. -- Dean Edmonds
Re: some concernns in collaboratif effort in learning process for Bayesian filter
On Thu, 30 Nov 2006, Najib Abi Fadel wrote: Create a mail account let's say : [EMAIL PROTECTED] Tell trusted users to forward the mails they identify as spam to [EMAIL PROTECTED] . Run a cron job that launch sa-learn on the mailbox [EMAIL PROTECTED], making the spamassassin identify them as spam. Bad idea. Forwarding a message alters that message, in a way which make it not appropriate for training Bayes. A better solution is to create mail folders (either shared or per-user) on the mail server, one for spam and one for ham, and have the user copy FNs (uncaught spam) to the spam folder and FPs (ham misclassified as spam) to the ham folder, then train from the folders on the server. I have a script that does training like this that you can run from cron.daily http://www.impsec.org/~jhardin/antispam/ -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- ...to announce there must be no criticism of the President or to stand by the President right or wrong is not only unpatriotic and servile, but is morally treasonous to the American public. -- Theodore Roosevelt, 1918 --- 15 days until Bill of Rights day
Re: MX server Queue
At 06:11 30-11-2006, chisina mike wrote: MX1 sendmail server mail queue is getting bigger, it must forward all mail to Main mail server. [EMAIL PROTECTED] mqueue]# grep stat=queue -c /var/log/maillog 6363 I tried the following commands # vi /etc/MailScanner/MailScanner.conf [snip] But I still have the same problem. Your problem is caused by Mailscanner. You may find the answer by posting this question to their mailing list. Regards, -sm
RE: new Botnet plugin version soon
Question 2: someone asked why my module is Botnet instead of Mail::SpamAssassin::Plugin::Botnet. The answer is: when I first started this (and this is/was my first SA Plugin authoring attempt), I tried that and it didn't work. If someone wants to look at it, and figure out how to make that work (but still have the files located in /etc/mail/spamassassin) I would happily incorporate it. Use the loadplugin line to specify the location, for example, I do the following: loadplugin Mail::SpamAssassin::Plugin::ImageInfo c:/perl/site/etc/mail/spamassassin/ImageInfo.pm That way you can put the module anywhere and still have it called Mail::SpamAssasssin::Plugin::___ Bret
RE: Spamassasin Has Quit Working
You should upgrade spamass-milter too. The error is from the milter, not SA itself. -Sietse From: Chris Edwards Sent: Thu 30-Nov-06 16:28 To: users@spamassassin.apache.org Subject: Spamassasin Has Quit Working Hello All! I have been running with spamassassin spamass-milter sucsessfully for several months. Then Redhat did a update and now I am having issues with spam not getting scored. Does anyone have any clue where I should go next? Thanks! Log Entry... Nov 30 10:20:03 gandalf spamass-milter[3602]: Could not extract score from Yum Update Log... Nov 28 11:53:24 Updated: spamassassin.i386 3.1.7-1.fc5 Nov 27 11:39:03 Updated: clamav-data.i386 0.88.6-1.fc5 Nov 27 11:39:04 Updated: clamav-lib.i386 0.88.6-1.fc5 Nov 27 11:39:25 Updated: clamav-milter.i386 0.88.6-1.fc5 Nov 27 11:39:28 Updated: clamav-server.i386 0.88.6-1.fc5 Nov 27 11:39:57 Updated: clamav.i386 0.88.6-1.fc5 Nov 27 11:40:05 Updated: clamav-update.i386 0.88.6-1.fc5 Nov 27 11:40:05 Updated: clamav-devel.i386 0.88.6-1.fc5 Part of Header... X-Virus-Scanned: ClamAV 0.88.6/2263/Thu Nov 30 01:51:08 2006 on gandalf.ctdx.net X-Virus-Status: Clean X-Spam-Report: * 3.0 SC_TOP200_88 A relay is listed in the Top200 SpamCop listing * 1.0 MIME_QP_LONG_LINE RAW: MIME_QP_LONG_LINE * 2.0 SARE_RAND_5 SARE_RAND_5 * 1.5 SARE_RAND_5B SARE_RAND_5B X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on gandalf.ctdx.net --- Chris Edwards Buy The Truck Phone: 706.638.5977 x222 Fax: 706.638.0595 Web: http://www.buythetruck.com/ Email: [EMAIL PROTECTED] P.O. Box 468 1115 S. Chattanooga St. Lafayette, GA 30728 Quote of The Day: Better hardware is the true path to ultimate happiness. -- Dean Edmonds
RE: This is so obvious...
Okay.. I have to confess.. I’ve never written a rule.. To me, they look like Perl regular expressions (which I *have* written). Do I add my new rule to my local.cf or directly to 70_sare_specific.cf? Are there any guides to writing rules? Also the area code below is written with an ‘L’ instead of a 1, so I’m assuming I should I test for ‘314’, ‘3l4’ and ‘3|4’ _ From: Chris Santerre [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 29, 2006 7:49 AM To: 'Jon D. Slater'; users@spamassassin.apache.org Subject: RE: This is so obvious... Yeah this slipped thur as well. Just write a rule for the phone number. I'll see about getting 70_sare_specific.cf updated for this number. --Chris -Original Message- From: Jon D. Slater [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 29, 2006 9:17 AM To: users@spamassassin.apache.org Subject: This is so obvious... I am running SA 3.0.6-1 under Fedora Core 4 (2.6.17-1.2142_FC4). And I just got this spam. It's so obviously spam, how could it be scored 0.0? Besides the updates, I've also installed: 70_sare_adult.cf 70_sare_specific.cf 70_sare_stocks.cf Is there some other rule set I should be including? Thanks! Jon Return-Path: [EMAIL PROTECTED] Received: from love.allvrn.ru ([122.4.2.228]) by blahblahblah.org (8.13.7/8.13.4) with SMTP id kASNsqPw005647 for [EMAIL PROTECTED]; Tue, 28 Nov 2006 16:54:55 -0700 Message-ID: [EMAIL PROTECTED] Date: Tue, 28 Nov 2006 16:50:59 -0200 Reply-To: dewey fisher [EMAIL PROTECTED] From: dewey fisher [EMAIL PROTECTED] User-Agent: Mozilla/5.0 (Windows; U; Win95; en-GB; rv:0.9.4) Gecko/20011019 Netscape6/6.2 MIME-Version: 1.0 To: Starr Cole [EMAIL PROTECTED] Subject: Totally OutOfDebt Overnight Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit X-Spam-Checker-Version: SpamAssassin 3.0.6 (2005-12-07) on blahblahblah.org X-Spam-Level: X-Spam-Status: No, score=0.0 required=4.3 tests=none autolearn=ham version=3.0.6 Status: O X-UID: 4065 Content-Length: 593 X-Keywords: -Original Message- From: dewey fisher [HYPERLINK mailto:[EMAIL PROTECTED]mailto:[EMAIL PROTECTED] Sent: Tuesday, November 28, 2006 11:51 AM To: Starr Cole Subject: Totally OutOfDebt Overnight A few select 1egal counse1 just found a loophole in the bank laws. With this discovery, we've been 5uccessful at eliminating people's creditcarddebt with 0ut them paying one more cent. WeGuarantee that we can help you with this. C0ntact us at 3l4-854-8497 The children and the Wizard rushed across the moving rock and sprang into the passage beyond, landing safely though a little out of breath. Rob washed and brushed the dust from his clothes, after which he sat down and amused himself by viewing the pictures that constantly formed upon the polished plate of the Record of EventsM20e -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.430 / Virus Database: 268.14.19/556 - Release Date: 11/28/2006 3:22 PM -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.5.430 / Virus Database: 268.14.19/556 - Release Date: 11/28/2006 3:22 PM -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.430 / Virus Database: 268.15.0/557 - Release Date: 11/29/2006 4:15 PM
Re: new Botnet plugin version soon
John Rudd wrote: Question 2: someone asked why my module is Botnet instead of Mail::SpamAssassin::Plugin::Botnet. The answer is: when I first started this (and this is/was my first SA Plugin authoring attempt), I tried that and it didn't work. That's odd. What errors did you get? If someone wants to look at it, and figure out how to make that work (but still have the files located in /etc/mail/spamassassin) I would happily incorporate it. It shoudl just work. I'll take my own p0f plugin as an exampl. This is copied from /usr/local/etc/mail/spamassassin.plugins/p0fOS.pm: ---8--- package Mail::SpamAssassin::Plugin::p0fOS; use base 'Mail::SpamAssassin::Plugin'; ---8--- This is copied from /usr/local/etc/mail/spamassassin/plugins.pre: ---8--- loadplugin Mail::SpamAssassin::Plugin::p0fOS /usr/local/etc/mail/spamassassin.plugins/p0fOS.pm ---8--- As you can see, my local configs are in /usr/local/etc/mail/spamassassin, the plugin is placed in /usr/local/etc/mail/spamassassin.plugins, and is named Mail::SpamAssassin::Plugin::p0fOS. As long as I specify both the full name and full path when loading the plugin, it works just fine. Regards /Jonas -- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Re: This is so obvious...
Jon D. Slater wrote: To me, they look like Perl regular expressions (which I **have** written). Do I add my new rule to my local.cf or directly to 70_sare_specific.cf? local.cf is the best place. Placing them in any of the stock SA rule files or in the RDJ files will cause you to lose them if you upgrade them by any automatic means. Are there any guides to writing rules? http://wiki.apache.org/spamassassin/WritingRules Also the area code below is written with an ‘L’ instead of a 1, so I’m assuming I should I test for ‘314’, ‘3l4’ and ‘3|4’ That looks to be the case, yes. -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: new Botnet plugin version soon
John Rudd wrote: Question 1: Someone suggested that, for botnet_pass_domains, I not re-invent the wheel. SA already has several whitelist options (whitelist* and sare_whitelist* were specifically mentioned). They suggested that I leverage them. My first (two part) question is: Personally, I prefer to have a plugin be aböe to function independantly from other addons (such as sare whitelists). (I don't use ordinary whitelist commands in SA (when I whitelist something, I do it so that the filkter wiull not call SA at all).) Does the Botnet plugin really need any code at all to use the existing whitelists, or could this be done entirely with meta rules anyway? If it can be done with meta rules you could just put a few commented examples in Botnet.cf instead of having to expand the plugin. Or... You could make a separate file with contributed examples and include that in the Botnet package. This way there could be meta rules with DKIM, whitelists, p0f, ice cream, dark beer or whatever people send you without cluttering Botnet.cf and without ýou having to test and take responsibility for everything (just remember to put a disclaimer at the top if it). Or... You could just point out that meta rules are possible and let those who wants to read the SpamAssassin docs and make there own advanced rules. :-) Regards /Jonas -- Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
Re: sa-update / taint error
Henk van Lingen wrote:
[14411] dbg: generic: unlinking 10_misc.cf
Insecure dependency in unlink while running with -T switch at
/usr/bin/sa-update line 1173.
Please try the attached patch and *please* let me know if it resolves
the problem.
Daryl
Index: sa-update.raw
===
--- sa-update.raw (revision 452742)
+++ sa-update.raw (working copy)
@@ -1173,6 +1173,7 @@
return;
}
while(my $file = readdir(DIR)) {
+local ($1); # prevent random taint flagging
$file =~ /^(.+)$/; # untaint
$file = $1;
check_illegal_chars
Hi all,
Can someone please let me know exactly what illegal characters are being
checked for with the eval:check_illegal_chars rules? Can I find a list of
those characters somewhere?
Also, what are the meanings of the variables that this rule takes? For
example:
eval:check_illegal_chars('Subject','0.00','2')
...I get the 'Subject' bit, it clearly means that the rule is only gonna
check the Subject field. Can I put in the name of *any* header I want in
that part, eg. Received, To, etc etc?
And what do the '0.00' and the '2' variables mean?
Cheers,
Jeremy
forged spam emails from my own domain
i am receiving spam emails coming from my own domain.com but that email address does not existing from my own domain.com. say my domain is mydomain.com and that spam email had FROM header that shows [EMAIL PROTECTED] which is currently whitelisted from spamassassin global rules and currently does not exist from my users list. that is why i am receiving it from my INBOX and not from SPAM folder, anyone has idea or a script to move this to SPAM folder? tnx
Re: new Botnet plugin version soon
Jonas Eckerman wrote: John Rudd wrote: Question 2: someone asked why my module is Botnet instead of Mail::SpamAssassin::Plugin::Botnet. The answer is: when I first started this (and this is/was my first SA Plugin authoring attempt), I tried that and it didn't work. That's odd. What errors did you get? When I change Botnet.pm to have: package Mail::SpamAssassin::Plugin::Botnet; use base 'Mail::SpamAssassin::Plugin'; and then change Botnet.cf to have loadplugin Mail::SpamAssassin::Plugin::Botnet /etc/mail/spamassassin/Botnet.pm I get these errors: [2797] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::Botnet: Can't locate object method new via package Mail::SpamAssassin::Plugin::Botnet (perhaps you forgot to load Mail::SpamAssassin::Plugin::Botnet?) at (eval 200) line 1. [2797] info: config: failed to parse line, skipping: botnet_pass_auth 0 [2797] info: config: failed to parse line, skipping: botnet_skip_ip ^127\.0\.0\.1$ [2797] info: config: failed to parse line, skipping: botnet_skip_ip ^10\..*$ (and it keeps going with an error for each of the config lines I have in Botnet.cf) If I go back to what's in the distribution, the errors go away and everything works fine.
Re: check_illegal_chars
On Thu, Nov 30, 2006 at 06:22:46PM +0100, Jeremy Fairbrass wrote: Can someone please let me know exactly what illegal characters are being checked for with the eval:check_illegal_chars rules? Can I find a list of those characters somewhere? Also, what are the meanings of the variables that this rule takes? For example: You'll want to take a look at EvalTests.pm. It should answer all your questions. -- Randomly Selected Tagline: Stewie: Ah! Damn it! I want pancakes. God! You people understand every language except English. Yo quiero pancakes. Dali mua pancakes. Clik clik bloody clik pancakes! - Family Guy, Love Thy Trophy
Re: new Botnet plugin version soon
John Rudd wrote the following on 11/30/2006 9:26 AM -0800: Jonas Eckerman wrote: John Rudd wrote: Question 2: someone asked why my module is Botnet instead of Mail::SpamAssassin::Plugin::Botnet. The answer is: when I first started this (and this is/was my first SA Plugin authoring attempt), I tried that and it didn't work. That's odd. What errors did you get? When I change Botnet.pm to have: package Mail::SpamAssassin::Plugin::Botnet; use base 'Mail::SpamAssassin::Plugin'; and then change Botnet.cf to have loadplugin Mail::SpamAssassin::Plugin::Botnet /etc/mail/spamassassin/Botnet.pm I get these errors: [2797] warn: plugin: failed to create instance of plugin Mail::SpamAssassin::Plugin::Botnet: Can't locate object method new via package Mail::SpamAssassin::Plugin::Botnet (perhaps you forgot to load Mail::SpamAssassin::Plugin::Botnet?) at (eval 200) line 1. [2797] info: config: failed to parse line, skipping: botnet_pass_auth 0 [2797] info: config: failed to parse line, skipping: botnet_skip_ip ^127\.0\.0\.1$ [2797] info: config: failed to parse line, skipping: botnet_skip_ip ^10\..*$ (and it keeps going with an error for each of the config lines I have in Botnet.cf) If I go back to what's in the distribution, the errors go away and everything works fine. Here are the changes I made to init.pre and Botnet.pm and Botnet.cf: /etc/mail/spamassassin/init.pre loadplugin Mail::SpamAssassin::Plugin::Botnet /etc/mail/spamassassin/Botnet.pm /etc/mail/spamassassin/Botnet.pm package Mail::SpamAssassin::Plugin::Botnet; /etc/mail/spamassassin/Botnet.cf removed: loadplugin BotnetBotnet.pm added at top of file: ifplugin Mail::SpamAssassin::Plugin::Botnet added at end of file: endif And it works great. Bill
Re: forged spam emails from my own domain
vertito wrote: i am receiving spam emails coming from my own domain.com but that email address does not existing from my own domain.com. say my domain is mydomain.com and that spam email had FROM header that shows [EMAIL PROTECTED] which is currently whitelisted from spamassassin global rules and currently does not exist from my users list. that is why i am receiving it from my INBOX and not from SPAM folder, anyone has idea or a script to move this to SPAM folder? tnx Have your MTA reject addresses that aren't present in your user list. You'll have to look to your MTA's documentation to find the recipe though. -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: Problem with spam from non-existant users of my domain.
On 28 Nov 2006 at 11:33, Steven W. Orr wrote: snip One more example to be clearerer. This message came in from someplace in Russia (maybe), to syslang.net and claims to come from bs at syslang.net. I don't have a bs on my machine. If it helps, I'd even be willing to create a file with a list of all of my valid account names. ... X-Spam-Status: No, hits=-83.5 required=5.0 tests=HTML_MESSAGE,URIBL_AB_SURBL, URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL, USER_IN_WHITELIST autolearn=no version=3.1.7 If there's no [EMAIL PROTECTED] on your system, why is USER_IN_WHITELIST being triggered? You don't appear to be using Bayes (no BAYES_nn test) so by my calculation, this message would have scored 15.884 without the USER_IN_WHITELIST hit. What's your reject threshold? I know this doesn't directly address your question about detecting non-local e-mail addresses in From:, but if the ultimate problem is that such messages are making it through your filter, then configuring SpamAssassin properly might be easier than adding complexity to your Sendmail configuration. Nels Lindquist * Information Systems Manager Morningstar Air Express Inc.
webg bug
Hi everyone, I'm not sure if I should post to the Exim list or the SA list- Excuse me if its not the correct list- I was wondering if there is a way to either strip away, or totally block messages that have web bugs that report back to servers like www.readnotify.com TIA Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
Re: sa-update / taint error
On Thu, Nov 30, 2006 at 11:55:36AM -0500, Daryl C. W. O'Shea wrote: Henk van Lingen wrote: [14411] dbg: generic: unlinking 10_misc.cf Insecure dependency in unlink while running with -T switch at /usr/bin/sa-update line 1173. Please try the attached patch and *please* let me know if it resolves the problem. +local ($1); # prevent random taint flagging Hm, I've runned sa-update without -T today, and now I can't reproduce the problem :-( Maybe because there are no updates anymore... Maybe tomorrow (when back at the office) I can reproduce yesterdays situation. Regards, -- Henk van Lingen, Systems Network Administrator (o- -+ Dept. of Computer Science, Utrecht University./\| phone: +31-30-2534107v_/_ http://henk.vanlingen.net/ http://www.tuxtown.net/netiquette/
Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?
Bookworm wrote: (locate -i bayes_journal works well for this sort of thing) ... assuming you're not on a system like Debian, where locate is pretty much crippled for finding things in user home directories. :/ (The process that populates the database locate relies on is set up to exclude non-globally-readable and otherwise non-system directories - prefectly understandable securitywise, but it breaks usage like this.) -kgd
Re: sa-update / taint error
Henk van Lingen wrote: On Thu, Nov 30, 2006 at 11:55:36AM -0500, Daryl C. W. O'Shea wrote: Henk van Lingen wrote: [14411] dbg: generic: unlinking 10_misc.cf Insecure dependency in unlink while running with -T switch at /usr/bin/sa-update line 1173. Please try the attached patch and *please* let me know if it resolves the problem. +local ($1); # prevent random taint flagging Hm, I've runned sa-update without -T today, and now I can't reproduce the problem :-( Maybe because there are no updates anymore... You removed the -T from the first line of sa-update? Perl won't complain about tainted variables without it. Just rm /var/lib/spamassassin/updates.spamassassin.org* (or wherever your updates are stored) so you can download the same update again. Maybe tomorrow (when back at the office) I can reproduce yesterdays situation. Please follow up in bug 5216 or at least to the list (and copy me) as soon as you can. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5216 Thanks, Daryl
Restart Errors..
What do these errors mean when I am restarting spamd? Nov 30 13:56:55 gandalf spamd[11971]: spamd: server killed by SIGTERM, shutting down Nov 30 13:56:59 gandalf spamd[12018]: logger: removing stderr method Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test __SARE_HEAD_FALSE has undefined dependency '__FROM_AOL_COM' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test __SARE_HEAD_FALSE has undefined dependency '__FROM_AOL_COM' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_BOUNDARY_D12 has undefined dependency 'MIME_BOUND_DIGITS_15' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_CIT_BLOCKER has undefined dependency 'USER_IN_WHITELIST' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_SUN_BLOCKER has undefined dependency 'USER_IN_WHITELIST' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_SUB_INET_PHARM has undefined dependency 'ONLINE_PHARMACY' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_HTML_MANY_BR05 has undefined dependency 'HTML_MESSAGE' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_04' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_08' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_12' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_16' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_20' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_24' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_28' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'X_AUTH_WARN_FAKED' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_FPP_BLOCKER has undefined dependency 'USER_IN_WHITELIST' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test __SARE_SUB_FALSE has undefined dependency '__FROM_AOL_COM' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test __SARE_SUB_FALSE has undefined dependency '__FROM_AOL_COM' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test SARE_FEB_BLOCKER has undefined dependency 'USER_IN_WHITELIST' Nov 30 13:57:00 gandalf spamd[12020]: rules: meta test LW_STOCK_SPAM4 has undefined dependency 'MIME_BASE64_TEXT' Nov 30 13:57:01 gandalf spamd[12020]: spamd: server started on port 783/tcp (running version 3.1.7) Nov 30 13:57:01 gandalf spamd[12020]: spamd: server pid: 12020 Nov 30 13:57:01 gandalf spamd[12020]: spamd: server successfully spawned child process, pid 12022 Nov 30 13:57:01 gandalf spamd[12020]: spamd: server successfully spawned child process, pid 12023 Nov 30 13:57:01 gandalf spamd[12020]: prefork: child states: II Thanks!! Chris Edwards Everyone knows at present that the ability to endure contradiction is a good indication of culture. Some people even know that the higher man courts opposition, and provokes it, so as to get a cue to his hitherto unknown partiality. But the ability to contradict, the attainment of a good conscience in hostility to the accustomed, the traditional and the hallowed--that is more than both the above-named abilities, and is the really great, new and astonishing thing in our culture, the step of all steps of the emancipated intellect: who knows that? -- Nietzsche
Re: new Botnet plugin version soon
On Thu, 30 Nov 2006, Jonas Eckerman wrote: John Rudd wrote: Question 1: Someone suggested that, for botnet_pass_domains, I not re-invent the wheel. SA already has several whitelist options (whitelist* and sare_whitelist* were specifically mentioned). They suggested that I leverage them. My first (two part) question is: Personally, I prefer to have a plugin be aböe to function independantly from other addons (such as sare whitelists). ... If it can be done with meta rules you could just put a few commented examples in Botnet.cf instead of having to expand the plugin. Or... You could make a separate file with contributed examples and include that in the Botnet package. This way there could be meta rules with DKIM, whitelists, p0f, ice cream, dark beer or whatever people send you without cluttering Botnet.cf and without ýou having to test and take responsibility for everything (just remember to put a disclaimer at the top if it). I vote for the separate file / examples as well. Especially the examples or common ones to help us get a working system that handles general whitelisting as well. Per the botnet_pass_domains, this will be a great enhancement. Maybe you could collect false positives reported to you and include a starting point of common domains to exempt as well. It's tough to find out all the valid domains out there that still trip the botnet filter on your own. :) Question 2: someone asked why my module is Botnet instead of Mail::SpamAssassin::Plugin::Botnet. The current method is simple as you just drop the 2 files into /etc/mail/spamassassin and you're done. But, making it standard as long as it works is fine with me. Thanks for a great plugin! Rob
Re: webg bug
On Thu, 30 Nov 2006, Jean-Paul Natola wrote: I was wondering if there is a way to either strip away, or totally block messages that have web bugs that report back to servers like www.readnotify.com plug type=shameless http://www.impsec.org/email-tools/procmail-security.html /plug -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- ...to announce there must be no criticism of the President or to stand by the President right or wrong is not only unpatriotic and servile, but is morally treasonous to the American public. -- Theodore Roosevelt, 1918 --- 15 days until Bill of Rights day
RE: new Botnet plugin version soon
From: Dennis Davis [mailto:[EMAIL PROTECTED] ... Question 2: someone asked why my module is Botnet instead of Mail::SpamAssassin::Plugin::Botnet. The answer is: when I first started this (and this is/was my first SA Plugin authoring attempt), I tried that and it didn't work. If someone wants to look at it, and figure out how to make that work I prefer to have all the SpamAssassin plugins grouped together where the default install puts them. This is in the directory: /usr/local/libdata/perl5/site_perl/Mail/SpamAssassin/Plugin/ I would prefer to use the xxx/site_perl/Mail/SpamAssassin/Plugin for plugins that are packaged with SpamAssassin, and that any added-in plugins that I install separately go into /etc/mail/spamassassin. I also see no advantage to moving the loadplugin statement into the init.pre file unless there are rules in other .cf files that depend on the plugin. In other words, it's fine the way it is.
Re: Stock Spam
On Nov 29, 2006, at 6:16 PM, san wrote: Yeah Giampaolo. with 3.1x it should be alright. But my superior is still stick to the old one..:( Does he also use 3 year old antivirus software with no updates? At least updating SA is pretty much zero cost other than a few minutes of time. smime.p7s Description: S/MIME cryptographic signature
Prevent scanning internal mail
This might be a simple question for most of you. How would I prevent spamassassin from scanning my internal mail, e.g from a particular server, or originating from my internal network. E.g if my domain was mydomain.org, I could whitelist 'mydomain.org' the problem is lately I've seen these pesky spammers forge email accounts with my own domain name so I dont want to do that. Any help will be greatly appreciated. -- View this message in context: http://www.nabble.com/Prevent-scanning-internal-mail-tf2734288.html#a7627865 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Prevent scanning internal mail
On Thu, Nov 30, 2006 at 01:02:29PM -0800, leemansvg wrote: This might be a simple question for most of you. How would I prevent spamassassin from scanning my internal mail, e.g from a particular server, or originating from my internal network. Don't pass those to SpamAssassin. Once SA gets a mail, it'll be scanned. -- Randomly Selected Tagline: [Rob] Reiner agrees. If it was made clear to people that we could win the war on terrorism by driving a hybrid car, that we could stop global warming by driving a hybrid, I think people would do it, he says. But people haven't made those kind of connections. - http://www.washingtonpost.com/wp-dyn/articles/A2587-2002Jun5.html pgpXqAPsd6PG4.pgp Description: PGP signature
Re: Prevent scanning internal mail
leemansvg wrote: This might be a simple question for most of you. How would I prevent spamassassin from scanning my internal mail Don't pass the mail to SpamAssassin. SA is a mail filter, it'll filter anything it's given. Daryl
Re: Prevent scanning internal mail
Theo Van Dinter wrote: On Thu, Nov 30, 2006 at 01:02:29PM -0800, leemansvg wrote: This might be a simple question for most of you. How would I prevent spamassassin from scanning my internal mail, e.g from a particular server, or originating from my internal network. Don't pass those to SpamAssassin. Once SA gets a mail, it'll be scanned. Is there a FAQ entry for this somewhere on the wiki? If not, there should be.. This is the 3rd or 5th time in the past couple days something similar has been asked.. -- Craig smime.p7s Description: S/MIME Cryptographic Signature
RE: webg bug
I was wondering if there is a way to either strip away, or totally block messages that have web bugs that report back to servers like www.readnotify.com plug type=shameless http://www.impsec.org/email-tools/procmail-security.html /plug Can someone help a newbie find some info on installing procmail ?
Re: webg bug
Jean-Paul Natola wrote: I was wondering if there is a way to either strip away, or totally block messages that have web bugs that report back to servers like www.readnotify.com plug type=shameless http://www.impsec.org/email-tools/procmail-security.html /plug Can someone help a newbie find some info on installing procmail ? http://www.google.com/search?q=installing+procmail -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: Prevent scanning internal mail
Theo Van Dinter wrote: On Thu, Nov 30, 2006 at 01:02:29PM -0800, leemansvg wrote: This might be a simple question for most of you. How would I prevent spamassassin from scanning my internal mail, e.g from a particular server, or originating from my internal network. Don't pass those to SpamAssassin. Once SA gets a mail, it'll be scanned. Is there a FAQ entry for this somewhere on the wiki? If not, there should be.. This is the 3rd or 5th time in the past couple days something similar has been asked.. -- Craig Because of the many ways SA can be implemented, other than the suggestion provided, the task of providing a working example of how this is accomplished for each possible implementation is not simple (because it's no small task to imagine every possible implementaion). For example, I came up with about 15 scenarios when the implementation involves amavisd-new and Postfix. Considering the number of other implementations and specific needs, it is apparent there are many ways to approach the issue. In this case for example, more information would be needed to give a practical example. http://www200.pair.com/mecham/spam/bypassing.html Gary V _ Fixing up the home? Live Search can help http://imagine-windowslive.com/search/kits/default.aspx?kit=improvelocale=en-USsource=hmemailtaglinenov06FORM=WLMTAG
Re: Prevent scanning internal mail
At 02:13 PM 11/30/2006, you wrote: Because of the many ways SA can be implemented, other than the suggestion provided, the task of providing a working example of how this is accomplished for each possible implementation is not simple (because it's no small task to imagine every possible implementaion). For example, I came up with about 15 scenarios when the implementation involves amavisd-new and Postfix. Considering the number of other implementations and specific needs, it is apparent there are many ways to approach the issue. In this case for example, more information would be needed to give a practical example. There's always the blunt method: How do I have spamassassin... not scan outgoing mail? not scan mail for authenticated users? not scan mail for Bob, but scan mail for Joe? not scan mail from yahoo.com? not scan mail insert condition here? Answer: Don't call spamassassin when that condition is met. Spamassassin will scan all mail fed to it. However you are calling spamassassin, create a work around to not call spamassassin for that event. Think of it as a paper shredder. Your wife gives you a stack of papers, and says shred everything except the bank statements. If you put a bank statement in the shredder, the shredder will shred it. :-D
Re: Prevent scanning internal mail
On Thu, Nov 30, 2006 at 04:46:41PM -0500, Craig Morrison wrote: Is there a FAQ entry for this somewhere on the wiki? There could be, but most people don't look there anyway. I haven't checked. -- Randomly Selected Tagline: The very essence of leadership is that you have to have a vision. You can't blow an uncertain trumpet. - Theodore Hesburgh pgpiJCvwzTozs.pgp Description: PGP signature
Re: Prevent scanning internal mail
At 02:35 PM 11/30/2006, you wrote: On Thu, Nov 30, 2006 at 04:46:41PM -0500, Craig Morrison wrote: Is there a FAQ entry for this somewhere on the wiki? There could be, but most people don't look there anyway. I haven't checked. Read through some frequently asked questions? FAQ that! :-D
whitelisted where?
I'm noticing a bunch of obviously spam that is getting thru because it is whitelisted where is this whitelist? it's not something I created. it's not the auto_whitelist is it? wouldn't that say AWL is it the phishing whitelist? when I start MailScanner I see Read 755 hostnames from the phishing whitelist thanks for any help s Return-Path: [EMAIL PROTECTED] Received: from 4C2B80B8 (computername.voip.canet.ne.jp [202.58.145.231] (may be forged)) by englishmail.fsu.edu (8.13.3/8.12.9) with SMTP id kAUJvfwn002997; Thu, 30 Nov 2006 14:57:48 -0500 Received: from cyberc79 (unverified [202.58.145.231]) by btcc.org (SurgeMail 3.1c) with ESMTP id 97935670 for [EMAIL PROTECTED]; Thu, 30 Nov 2006 11:57:22 -0800 Date: Thu, 30 Nov 2006 11:57:22 -0800 From: YING FRAZIER [EMAIL PROTECTED] MIME-Version: 1.0 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: re:You can't go wrong ... Message-Id: [EMAIL PROTECTED] X-Authentication-Warning: localhost.localdomain: apache set sender to [EMAIL PROTECTED] using -f X-Accept-Language: en-us, en Content-Type: multipart/related; boundary=MultiSham466971670361690949053174 X-English-FSU-MailScanner: Found to be clean X-English-FSU-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=41.052, required 4, autolearn=spam, BAYES_60 1.00, HTML_MESSAGE 0.00, MIME_HTML_ONLY 0.00, RCVD_IN_BL_SPAMCOP_NET 7.00, RCVD_IN_DSBL 2.60, RCVD_IN_SORBS_WEB 1.46, RCVD_IN_XBL 3.90, URIBL_AB_SURBL 3.81, URIBL_BLACK 3.00, URIBL_JP_SURBL 7.00, URIBL_OB_SURBL 3.01, URIBL_SBL 1.64, URIBL_SC_SURBL 4.50, URIBL_WS_SURBL 2.14) X-English-FSU-MailScanner-Envelope-From: [EMAIL PROTECTED] Scott Kopel English Department - FSU 850 644 6177
Re: Prevent scanning internal mail
There's always the blunt method: How do I have spamassassin... not scan outgoing mail? not scan mail for authenticated users? not scan mail for Bob, but scan mail for Joe? not scan mail from yahoo.com? not scan mail insert condition here? Answer: Don't call spamassassin when that condition is met. Spamassassin will scan all mail fed to it. However you are calling spamassassin, create a work around to not call spamassassin for that event. Think of it as a paper shredder. Your wife gives you a stack of papers, and says shred everything except the bank statements. If you put a bank statement in the shredder, the shredder will shred it. :-D Exactly. How you prevent sending the message through SA is not a function of SA itself, but of the implementation, and because of the large number of implementations and configurations I question whether it would be practical (or even related) to provide examples of the various procedures. I didn't see much of anything on this subject in the Wiki. Gary V _ Fixing up the home? Live Search can help http://imagine-windowslive.com/search/kits/default.aspx?kit=improvelocale=en-USsource=hmemailtaglinenov06FORM=WLMTAG
Re: whitelisted where?
Scott Kopel wrote: I'm noticing a bunch of obviously spam that is getting thru because it is whitelisted where is this whitelist? it's not something I created. it's not the auto_whitelist is it? wouldn't that say AWL is it the phishing whitelist? when I start MailScanner I see Read 755 hostnames from the phishing whitelist thanks for any help [snippage] X-English-FSU-MailScanner-SpamCheck: not spam (whitelisted), I think you answered your own question here.. 'not spam (whitelisted)' is not something SA adds. Might wanna tug the chain for the MailScanner folks. -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: whitelisted where?
Scott Kopel wrote: I'm noticing a bunch of obviously spam that is getting thru because it is whitelisted where is this whitelist? it's not something I created. it's not the auto_whitelist is it? wouldn't that say AWL is it the phishing whitelist? when I start MailScanner I see Read 755 hostnames from the phishing whitelist As a follow-up: http://wiki.mailscanner.info/doku.php?id=maq:index # For whitelist: edit the spam.whitelist.rules from the rules directory following the format shown in the file. # -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: Prevent scanning internal mail
Gary V wrote: Exactly. How you prevent sending the message through SA is not a function of SA itself, but of the implementation, and because of the large number of implementations and configurations I question whether it would be practical (or even related) to provide examples of the various procedures. Point well taken Gary. I didn't see much of anything on this subject in the Wiki. Neither did I. I've been googling a bit and the cornucopia of hits for insert_your_MTA_here+spamassassin is a mess. :-) -- Craig smime.p7s Description: S/MIME Cryptographic Signature
Re: Prevent scanning internal mail
Craig Morrison wrote: Gary V wrote: Exactly. How you prevent sending the message through SA is not a function of SA itself, but of the implementation, and because of the large number of implementations and configurations I question whether it would be practical (or even related) to provide examples of the various procedures. Point well taken Gary. I didn't see much of anything on this subject in the Wiki. Neither did I. I've been googling a bit and the cornucopia of hits for insert_your_MTA_here+spamassassin is a mess. :-) My solution to this problem is this: I'm running postfix 2.1.5-5 on Fedora Core 3 and recently had this same question come up. I was whitelisting all 30something domains I hosted but ran into spammers using foo@domain name to get around spam filtering. My solution was to create a rule in postfix main.cf: smtpd_recipient_restrictions = permit_sasl_authenticated, check_client_access pcre:/etc/postfix/non-auth.re, -- snip -- And the contents of non-auth.re is: /^/ PREPEND X-No-Auth: Unauthenticated Sender Since postfix aborts checking at the first match, this has the effect of stamping every single message with a header that I can find and react to, which for me bypasses spamd -- note: this decision takes place _after_ virus scanning, etc. Hope this helps someone. -=Ray
Re: HTML Source Rule
On Thursday, November 30, 2006 5:01 PM -0600 Richard Frovarp [EMAIL PROTECTED] wrote: Kenneth Porter wrote: --On Wednesday, November 29, 2006 5:17 PM -0600 Richard Frovarp [EMAIL PROTECTED] wrote: I have a few legit messages that are scoring over 5.0 due to SARE_STOCKS and the TVD rules to catch stocks, and this is after ALL_TRUSTED has done its work to reduce the score. These messages of course have inline images and are being sent via Outlook Express. Some of the scores on those rules are over 2.0. I have started to reduce the scores, as the stock messages I get usually have header problems and hit on Razor as well. I've seen legit messages fire the MY_CID set of rules enough to rack up a score of over 7.0 from those rules alone. Can you attach a sample? Perhaps the sender can be convinced to change the format to make the message look less spammy. I'll find one tomorrow. The big three rules are/were 2.00 PART_CID_STOCK 2.00 PART_CID_STOCK_LESS 2.80 TVD_FW_GRAPHIC_ID1 The PART_CID rules have been removed from where ever they were located. I have reduced the score on the TVD rule. I have 40K+ users. Talking to individual users isn't something that I can do effectively. To make a message look less spammy, they would have to not inline the image with OE. [Please reply to the list.] My point is simply that others may be seeing the same issue but not know how to report it so that rule developers can exclude the ham. Given some samples, it may be possible to separate the wheat from the chaff.
Re: whitelisted where?
Scott Kopel wrote: I'm noticing a bunch of obviously spam that is getting thru because it is whitelisted where is this whitelist? it's not something I created. it's not the auto_whitelist is it? wouldn't that say AWL Yes, that would say AWL. And SA's whitelist_from* would sa USER_IN_WHITELIST. is it the phishing whitelist? when I start MailScanner I see Read 755 hostnames from the phishing whitelist No, that merely exempts certian sites from the phishing net that tries to detect phishing attempts like: a href= foo.comsignin.ebay.com/a thanks for any help This message was whitelisted at the Mailscanner by the file pointed to by your Is Definitely Not Spam setting in your MailScanner.conf. Words of advice: My guess is that you whitelisted all mail to one or more recipients, and that this message was actually sent to several people at once, including one whitelisted user. Since there's only one message to act on, MailScanner honored the recipient whitelist. There's a whole lot of people in the Cc: line.. are any of them listed in your whitelist for To? It's also possible there were more recipients that were Bcc'ed in (typical for spam). To find these, try grepping your maillog for the SMTP id: grep kAUJvfwn002997 /var/log/maillog
Re: Prevent scanning internal mail
From: Ray Anderson [EMAIL PROTECTED] My solution to this problem is this: I'm running postfix 2.1.5-5 on Fedora Core 3 and recently had this same question come up. I was whitelisting all 30something domains I hosted but ran into spammers using foo@domain name to get around spam filtering. My solution was to create a rule in postfix main.cf: smtpd_recipient_restrictions = permit_sasl_authenticated, check_client_access pcre:/etc/postfix/non-auth.re, -- snip -- And the contents of non-auth.re is: /^/ PREPEND X-No-Auth: Unauthenticated Sender Since postfix aborts checking at the first match, this has the effect of stamping every single message with a header that I can find and react to, which for me bypasses spamd -- note: this decision takes place _after_ virus scanning, etc. Hope this helps someone. -=Ray Variations on a theme: http://marc.theaimsgroup.com/?l=amavis-userm=116490679931010 Of course regexp can be used in place of pcre if pcre is not support on a particular build. Gary V Gary V _ Fixing up the home? Live Search can help http://imagine-windowslive.com/search/kits/default.aspx?kit=improvelocale=en-USsource=hmemailtaglinenov06FORM=WLMTAG
reporter.pl
I run a perl script that was written quite awhile back by D.J. Harbaugh in 2004. Its purpose is to run sa-learn and to report all spam to Razor/Pyzor/DCC and optionally SpamCop. At the end of the run it 'used' to send me a report of how much spam/ham was learned and the total number of each in the bayes.db. Although I've changed nothing, for quite a while now the report is not being sent out and I can't figure out why. Would someone be so kind as to take a look at this and see if they can figure out why this has stopped? Thank you Chris -- Chris pgpn0xFrZr3sY.pgp Description: PGP signature
My Credit rateing does TOO matter
How is it these spams slip under the radar with such low scores? They seldom score about 3.1 in my setup even with network tests and bayes (SA 3.1.7). I wish I could find an effective block for them other than killing off all geocities urls. -- _ John Andersen
Re: My Credit rateing does TOO matter
John Andersen wrote: How is it these spams slip under the radar with such low scores? They seldom score about 3.1 in my setup even with network tests and bayes (SA 3.1.7). I don't think I've seen such a spam pass as ham, although you've been quite vague. I wish I could find an effective block for them other than killing off all geocities urls. Perhaps the WebRedirect plugin is catching these if they've got links to Geocities sites. Daryl
Re: Problem with spam from non-existant users of my domain.
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Steven W. Orr wrote: On Tuesday, Nov 28th 2006 at 08:09 -0800, quoth John D. Hardin: =On Tue, 28 Nov 2006, Steven W. Orr wrote: = = Spam comes in to steveo from [EMAIL PROTECTED] and I want to = reject it because it's coming from an address that doesn't exist. = Sendmail does not support this; i.e., it can only reject mail *to* = an address that doesn't exist. = = Is there a way to do this? = =First off, what exactly do you mean by does not exist? The domain =is not registered? Or the username is not valid within the domain? Sorry, I was afraid this might not be clear. I want to find a way to reject/tag all messages that come From the syslang.net domain (I am that domain) which are From a user which does not exist. I'm not talking about messages coming in that have a From address that is not syslang.net. One more example to be clearerer. This message came in from someplace in Russia (maybe), to syslang.net and claims to come from bs at syslang.net. I don't have a bs on my machine. If it helps, I'd even be willing to create a file with a list of all of my valid account names. ...snip... So this idea is to reject all mail from invalid accounts that claim to be coming from my own domain. ...snip... Steven, you should be able to do this pretty easily within MIMEDefang. you could put a routine in the filter_sender() subroutine that does something like a getpwent on the user portion of the sender address if the domain portion is in your domain. (there are probably plenty of ways to do this) on top of that, if you have any control over your DNS settings (and your DNS provider supports TXT records) you may want to consider configuring SPF. SPF is designed (in part) to reduce this type of scenario. so, with SPF what will happen is, some machine in RU connects to you and sends a MAIL FROM: [EMAIL PROTECTED] ... the SPF checks will lookup the SPF information from your DNS records and determine if that host in RU is allowed to send mail for your domain. if not, it get a score boost. (or with something like MIMEDefang you could just reject on failed SPF if you chose to) hope this helps, Alan -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFb8lfE2gsBSKjZHQRAqenAKDrcNu7h2l7xZFKC09CgQERto3OEwCgo1x/ Ivq9yfQf8kWC0FUcouCi9xI= =HN2v -END PGP SIGNATURE-
Re: My Credit rateing does TOO matter
On Thursday 30 November 2006 21:11, Daryl C. W. O'Shea wrote: John Andersen wrote: How is it these spams slip under the radar with such low scores? They seldom score about 3.1 in my setup even with network tests and bayes (SA 3.1.7). I don't think I've seen such a spam pass as ham, although you've been quite vague. Other than a fat fingering of the keyboard, I thought it was pretty clear. I was talking about the your credit rating doesn't matter to us spams. They never score ABOVE 3.1 here until they find their way to sorbs.. They never hit Razor due to the gibberish at the end. They usually get tagged by bayes, but bayes alone just gets them near 3. They sneak past SURBL. -- _ John Andersen pgpjmL2Xo74De.pgp Description: PGP signature
OT: sender address verification .. is it feasible
I had read of sender address verification(SAV) about a year back, some people had done that too. I found the idea too unfeasible for checking from-addresses before accepting mail at MTA. The scene is different today now with 90% of all mail being spam it seems not that bad an idea anyway My guess is around 50% of these spams dont have a deliverable from-id Waste resource and bandwidth accepting mail and scanning it or waste time probing for correct from ids ( and also risk being blacklisted for probes ) .. which is better. IMHO if SAV becomes some standard then domains can have something like DNS records for all correct ids and probing will become a lot easier Is anyone already having experiences with sender address verification Thanks Ram
