Re: spam mail

2006-12-01 Thread Matt Kettler
san wrote:
> I am running SA 2.64 and I don't think I can run FuzzyOcrPlugin... any other
> ruleset which helps me??
>   

As many others have said, an upgrade is definitely in order. A 2-year-old
copy of SpamAssassin just can't keep up, no matter what rulesets you
add to it.  A significant portion of SA's accuracy comes from the
codebase updates, not the rules.

That said, as a stopgap measure, make sure you're using the stocks
ruleset from rulesemporium.com. Most of these image spams are for stock
pump-and-dump, so this ruleset has some image-spam rules built in. As
you've seen, a few pill spammers are using them too, but the rules in
stocks work the same.

I've also found that a lot of these messages match SpamHaus's XBL, so
make sure your SA uses this list. (I know current versions do, but I'm
not sure about 2.64).

From there, it's all plugins.

SPF works on a few, but that's a standard plugin for any SA over 3.0.0.

ImageInfo and/or FuzzyOCR are quite helpful. But those are addons for
SA 3.1.x.






Re: how is spamd launched on Mac OS X Server 10.3.9?

2006-12-01 Thread Dave Pooser
> I can't find a spamd.sh anywhere...

SA is not included by default until 10.4. If you installed it yourself, you
may need to create a StartupItem in /Library/StartupItems. Otherwise, check
the documentation from the installed package.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"The one thing I never want to see again is a military parade."
--Ulysses S. Grant




Re: Score ends up below fixed value?

2006-12-01 Thread James Butler
Unbelievably, I haven't gotten any stock spams since that last one! I'll reply 
with the SA headers when I get another one ... yeesh. Thanks for the reply, 
tho'.

*** REPLY SEPARATOR  ***

On 12/1/06 at 2:49 PM Evan Platt wrote:

>At 02:44 PM 12/1/2006, you wrote:
>>I've got a simple rule that checks for "favorite financial
>>institution site" in the message body. I've assigned that rule a
>>default score of 10.0, however when the message arrives in my spam
>>trap, the SA score is 7.5, high enough to get it into the spam trap,
>>but clearly below 10.0.
>>
>>What's up with that? Is the spammer (y'all know who they are) clever
>>enough to write a message that earns negative points? Just wondering
>>... thanks!
>
>What do the SA headers say?
>
>Should look like
>
>Content analysis details:   (9.4 points, 5.0 required)
>
>  pts rule name  description
> --
>--
>  0.3 SARE_SUB_SEXY  subject has likely spammer phrase or word
>  1.7 SARE_ADLTSUB2  Contains possible adult words
>  1.3 RCVD_NUMERIC_HELO  Received: contains an IP address used for HELO
>  0.9 FORGED_YAHOO_RCVD  'From' yahoo.com does not match 'Received'
>headers
>  0.1 TW_ZZ  BODY: Odd Letter Triples with ZZ
>  1.0 SARE_ADULT2BODY: Contains adult material
>  0.9 SARE_ADULT1BODY: Contains adult material
>  0.8 INFO_TLD   URI: Contains an URL in the INFO top-level
>domain
>  1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
> above 50%
> [cf: 100]
>  0.5 RAZOR2_CHECK   Listed in Razor2 (http://razor.sf.net/)
>  0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
> [cf: 100]





Re: bayes: expire_old_tokens: child processing timeout at /usr/sbin/spamd line 1086

2006-12-01 Thread Robert S

Sure.  Run it as often as needed.  It may block bayes access while it is
running, so if you have a really busy system (and it sounds like you do) you
want to run it often enough to keep the processing time for each shot down
to something reasonable.


Strange thing is that it's not a very busy system.  It's a small
business mailserver with about half a dozen users (most of whom don't
get much spam - we get about 30 spams per day).  I use FuzzyOcrPlugin,
which probably slows things down a fair bit.


Re: Score ends up below fixed value?

2006-12-01 Thread Evan Platt

At 02:44 PM 12/1/2006, you wrote:
I've got a simple rule that checks for "favorite financial 
institution site" in the message body. I've assigned that rule a 
default score of 10.0, however when the message arrives in my spam 
trap, the SA score is 7.5, high enough to get it into the spam trap, 
but clearly below 10.0.


What's up with that? Is the spammer (y'all know who they are) clever 
enough to write a message that earns negative points? Just wondering 
... thanks!


What do the SA headers say?

Should look like

Content analysis details:   (9.4 points, 5.0 required)

 pts rule name  description
 -- --
 0.3 SARE_SUB_SEXY  subject has likely spammer phrase or word
 1.7 SARE_ADLTSUB2  Contains possible adult words
 1.3 RCVD_NUMERIC_HELO  Received: contains an IP address used for HELO
 0.9 FORGED_YAHOO_RCVD  'From' yahoo.com does not match 'Received' headers
 0.1 TW_ZZ  BODY: Odd Letter Triples with ZZ
 1.0 SARE_ADULT2BODY: Contains adult material
 0.9 SARE_ADULT1BODY: Contains adult material
 0.8 INFO_TLD   URI: Contains an URL in the INFO top-level domain
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
 0.5 RAZOR2_CHECK   Listed in Razor2 (http://razor.sf.net/)
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100] 



Score ends up below fixed value?

2006-12-01 Thread James Butler
I've got a simple rule that checks for "favorite financial institution site" in 
the message body. I've assigned that rule a default score of 10.0, however when 
the message arrives in my spam trap, the SA score is 7.5, high enough to get it 
into the spam trap, but clearly below 10.0.

What's up with that? Is the spammer (y'all know who they are) clever enough to 
write a message that earns negative points? Just wondering ... thanks!




Re: spam mail

2006-12-01 Thread Loren Wilton

I am running SA 2.64 and I don't think I can run FuzzyOcrPlugin... any other
ruleset which helps me??


You can't, and if at all possible you should upgrade so you can.  There is 
lots of new stuff that will help in quite a lot of cases.


That said, the SARE stock rules will help some, although possibly not for 
the specific case that is giving you problems.  Those are pretty close to 
immune to almost everything but some net tests and the FuzzyOCR plugin.


Oh - you should be running net tests if you aren't already.

   Loren



Re: spam mail

2006-12-01 Thread Evan Platt

At 02:00 PM 12/1/2006, you wrote:


I am running SA 2.64 and I don't think I can run FuzzyOcrPlugin... any other
ruleset which helps me??


SpamAssassin was released (if my Google is correct) 08-05-2004.

More than 2 years ago.

Time to upgrade.



Re: bayes: expire_old_tokens: child processing timeout at /usr/sbin/spamd line 1086

2006-12-01 Thread Loren Wilton

Is it reasonable to set up a cron job that will run "sa-learn" more
frequently than every 24 hours (eg 6 hourly), or is there another
solution to this (short of upgrading my ancient hardware)?


Sure.  Run it as often as needed.  It may block bayes access while it is 
running, so if you have a really busy system (and it sounds like you do) you 
want to run it often enough to keep the processing time for each shot down 
to something reasonable.


   Loren



Re: spam mail

2006-12-01 Thread san

I am running SA 2.64 and I don't think I can run FuzzyOcrPlugin... any other
ruleset which helps me??

Evan Platt wrote:
> 
> At 01:45 PM 12/1/2006, you wrote:
> 
>>Hi,
>>
>>How to stop this type of mail? I am receiving too many mails which have a
>>.gif file attached,
> 
> 
> The FuzzyOCR Plugin.
> http://wiki.apache.org/spamassassin/FuzzyOcrPlugin
> 
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/spam-mail-tf2740694.html#a7647037
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: spam mail

2006-12-01 Thread Evan Platt

At 01:45 PM 12/1/2006, you wrote:


Hi,

How to stop this type of mail? I am receiving too many mails which have a
.gif file attached,



The FuzzyOCR Plugin.
http://wiki.apache.org/spamassassin/FuzzyOcrPlugin




spam mail

2006-12-01 Thread san

Hi,

How to stop this type of mail? I am receiving too many mails which have a
.gif file attached,

real lizzieboy, that wouldnt say boo to a goose   lamps, and I guess it
doesnt bother you much whether the sun rises or  mistake, or to have any
misunderstanding with Fred, built it rightdoesnt rise, or what he does,
youre independent; but with us it is 
eyes upon us until we had passed; then they completely oddly resumed their
left a series bun of frightfulscreams and shrieks, bellowings, enrol   
feeding. unfortunately comma floating   
Fred continued to fix the fire, poking it unnecessarily. He wasdifferent.
The sun is the best thing weve got, and we go by himbeside their own Fred
sent enough money to have a frame building putconsiderable. Providence knows
how it is with us, and lets us have lotsdirectory The path led straight
across the cheat clearing intoqualified roars and logical growls. It   
Bangkok was the night-life of 
urgent another forest, lying destination upon the verge 
confident that Evelyns father would not recognize him with his crop ofof the
sun, winter and summer.up but the twins decided that logs were more romantic
and cheaper. ItEvelyn gladly consented to stay. 
of which incorrect I saw a  scold this jungle world coming into its 
own--the politician presentation   
bit fan of white. was a remarkable structure when they were through with
it, stuck   

whiskers and sunburnt face. His mind was full of conflicting emotionsMrs. ,
observing Evelyns soft white hands, decided that she wasagainst their own
house, as if by accident, and resembling in itsnot accustomed to work, and
the wonder of how it would all turn out was It crime appeared to stand
out in marked contrast   huge, carnivorous nocturnal beasts pace which make
the nights of self-discipline Caspak hideous. 
Maybe you know him, said the old man. His name is Brydon. They liveheavy
upon her kind Irish heart as she said goodbye to her nextirregularity the
growth of a freak potato. Cables were freely used;morning.A big basket of
bread and other provisions was put into the wagon at 
relation and incongruity to all A ladder shuddering sob ran through  Lys'
figure. "O God," virtual she cried,   its international surroundings,
and when I stopped   
somewhere near the StoppingHouse.the last minute. Maybe your stove wont be
drawin just right at thebinder twine served as hinges on the doors and also
as latches.first, said Maggie , apologetically. As she watched Evelynsto
examine it, I found commission that it was "give me the encyclopaedia
strength   to endure, manufacture for his sake!"   
a small strip appreciate of muslin--parthat of red roses fading in the
distance she said softly to herself:

http://www.nabble.com/file/4412/test.gif 
-- 
View this message in context: 
http://www.nabble.com/spam-mail-tf2740694.html#a7646828
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Easyjet e-mail scoring very high

2006-12-01 Thread David B Funk
On Fri, 1 Dec 2006, Loren Wilton wrote:

> > HTML_FONT_FACE_BAD=0.156
> > HTML_MESSAGE=0.001
> > HTML_TINY_FONT=2.324
> > MARKETING_PARTNERS=1.765
> > MIME_HTML_MOSTLY=1.102
> > SARE_OBFU_AMP2B=2.555
> > SARE_SPEC_LEO_LINE03a=0.408
> >
> > I think the "Received: from mail pickup service" line is causing the
> > SARE_OBFU_AMP2B rule to fire. Am I right? If so, isn't this likely to be
>
> Nope.  All of the rules above are effectively body rules, dealing mostly
> with various forms of HTML obfuscation.

FYI, I had to reduce the score on HTML_TINY_FONT as it was hitting
legitimate newsletters from BusinessWeek.


-- 
Dave Funk  University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: Easyjet e-mail scoring very high

2006-12-01 Thread David B Funk
On Fri, 1 Dec 2006, Nick Leverton wrote:

> On Friday 01 December 2006 11:33, Chris Lear wrote:
> > I got an EasyJet confirmation E-mail that scored like this:
>
> whitelist_from_rcvd [EMAIL PROTECTED] savvis.net
>

FYI, easyjet.com appears to have a valid SPF record, so

  whitelist_from_spf [EMAIL PROTECTED]

should also work without the hassle of trying to stay ahead
of mailserver changes.

I've got a file of hundreds of whitelist_from_rcvd records built up
over the years, and as businesses change their mailing services it becomes
a maintenance issue; whitelist_from_spf takes care of that. ;)

Dave



bayes: expire_old_tokens: child processing timeout at /usr/sbin/spamd line 1086

2006-12-01 Thread Robert S

There has been some correspondence on this matter recently but I'm
still having problems.  I'm running SA 3.1.3 from debian backports on
an AMD K6.  I'm running the spamd daemon and launching spamc from
procmail.  I've been getting the following message:

spamd[3775]: bayes: expire_old_tokens: child processing timeout at
/usr/sbin/spamd line 1086.

After a while SA seems to pack up completely and spammy messages stop
getting filtered.

I tried to fix this up by creating a daily cron job that runs the following:

sa-learn --force-expire --sync

I still notice that I am getting the message towards the end of the 24
hour period before the cron job is run again.

Is it reasonable to set up a cron job that will run "sa-learn" more
frequently than every 24 hours (eg 6 hourly), or is there another
solution to this (short of upgrading my ancient hardware)?


Re: Help for old-school SA?

2006-12-01 Thread Mike Jackson
First thing: find the patch for the URIBL rules and get that enabled.  It 
will probably catch 90% of the spam making it through.


Thanks for the suggestions. Actually, I was mistaken; the server that 
prompted this request had 2.61 installed. I upgraded him to 2.64, and 
tracked down the SpamCopURI plugin. But, he's already using every 
conceivable RBL at the SMTP level, so it may not help a lot.


Re: Re: how is spamd launched on Mac OS X Server 10.3.9?

2006-12-01 Thread Mac OS X Server Administrator

On 01/12/06, Terry Allen <[EMAIL PROTECTED]> wrote:

>I can't find a spamd.sh anywhere...

Hi again,
It's most likely a StartupItem.


Hi Terry,

If it is, it's not in /Library/StartupItems/ or /System/Library/StartupItems/...



Bye for now, Terry Allen
___
hEARd

Postal Address:
hEARd, 26B Glenning Rd, Glenning Valley, NSW 2261, Australia
Internet -
WWW: http://heard.com.au http://itavservices.com
EMAIL: [EMAIL PROTECTED]
Phone: Australia - 02 4388 1400 / International - + 61 2 43881400
Mobile: Australia - 04 28881400 / International - 61 4 28881400
---
Non profit promotion for new music - since 1994
---



how is spamd launched on Mac OS X Server 10.3.9?

2006-12-01 Thread Mac OS X Server Administrator

I can't find a spamd.sh anywhere...


Re: How does some spam pass through?

2006-12-01 Thread Loren Wilton
SA tags both spam and non-spam messages with the rules that hit.  A typical 
non-spam report looks like

X-Spam-Status: No, score=3.3 required=4.6 tests=BAYES_20,DK_POLICY_SIGNSOME,
 FORGED_RCVD_HELO,HELO_MISMATCH_COM,HOST_MISMATCH_NET,JD_LO_BAYES,
 JD_VLO_BAYES,LW_PRINTERS,MAILTO_TO_SPAM_ADDR autolearn=disabled 
 version=3.1.4

You should be seeing this on non-spam mails, IF you are running thru spamd or 
the like.  If you are using amavisd-new and some of the other things, they throw 
the SA markup away on non-spam messages by default.  There are usually ways to 
get it back, depending on the tool you are using.  Not being sure what you are 
using (and not using any of them myself) I can't help much on what you might 
have to fiddle to get non-spam report info.  But someone here will know, just 
tell us what you are running.

The idea is you want to see what rules hit when it wasn't marked as spam, and 
compare it to what you get manually.  If the difference is the network tests, 
then probably you were just a lucky early winner on a new spam run.  OTOH, if 
there are NO network tests (and never are) then you have a config problem, 
since you see them when you run the spam manually.  Likewise if you see bayes 
in debug and not in normal mail you have a config problem.  Etc.

Loren
  - Original Message - 
  From: Craig 
  To: users@spamassassin.apache.org 
  Sent: Friday, December 01, 2006 9:34 AM
  Subject: Re: How does some spam pass through?


  Thanks for your quick reply

  Ok, I am new to this - and I am sure it's a "no brainer" but "non-spam tagging" 
I do not understand. If you could explain - or if it's documented feel free to 
scold me - I would appreciate it.

  Craig


  >>> "Loren Wilton" <[EMAIL PROTECTED]> 12/1/2006 11:05 AM >>>

  Typical case is that you were one of the lucky early recipients before the 
spam made it into all the blocklists, so it got a low score.

  You should have got a pretty hefty score from the local tests, but there is 
another 10+ points in net tests there too.

  It looks like bayes should have caught it with your 4.0 limit.  This makes me 
suspect bayes didn't run.  Look at the original mail tagging and see, if you 
have a setup where you have non-spam tagging.  (and if not, fix things so you 
do, it makes this easier to debug.)

  Loren
- Original Message - 
From: Craig 
To: users@spamassassin.apache.org 
Sent: Friday, December 01, 2006 8:47 AM
Subject: How does some spam pass through?


Below are the results from a Spamassassin -D test of a message that was 
previously delivered this morning.  How does something like this pass through? 
When I run the checks on the email after it is delivered, the system clearly 
knows it's spam.

Thanks
Craig



X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,
 BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,
 HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
 RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7
X-Spam-Report: 
 *  0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
 *  0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
 *  1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *  [score: 1.]
 *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 *  [80.171.36.179 listed in dnsbl.sorbs.net]
 *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 *  [80.171.36.179 listed in sbl-xbl.spamhaus.org]
 *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 *  [80.171.36.179 listed in combined.njabl.org]
 *  1.0 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
 *  0.0 BOTNET_CLIENT Hostname looks like a client hostname
 *  5.0 BOTNET Any Botnet rule hit
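
To make Loren's comparison mechanical, here is an added example (not code from the thread or from SpamAssassin itself) that parses the X-Spam-Status and X-Spam-Report headers quoted above, buckets the rules into Bayes, network and local by rule-name prefix (a heuristic chosen for this example, not SA's own classification), sums the points per bucket, and flags a delivered copy that shows no Bayes or network hits at all. The DELIVERED_HEADER sample is constructed.

```python
import re

# Headers quoted in the thread: Loren's non-spam report and Craig's rescan.
HAM_HEADER = """X-Spam-Status: No, score=3.3 required=4.6 tests=BAYES_20,DK_POLICY_SIGNSOME,
 FORGED_RCVD_HELO,HELO_MISMATCH_COM,HOST_MISMATCH_NET,JD_LO_BAYES,
 JD_VLO_BAYES,LW_PRINTERS,MAILTO_TO_SPAM_ADDR autolearn=disabled
 version=3.1.4"""

SPAM_HEADER = """X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,
 BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,
 HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
 RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7"""

# Excerpt of the X-Spam-Report from the thread (zero-point lines dropped).
SPAM_REPORT = """X-Spam-Report:
 *  1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
 *  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *  [score: 1.]
 *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 *  [80.171.36.179 listed in dnsbl.sorbs.net]
 *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 *  [80.171.36.179 listed in sbl-xbl.spamhaus.org]
 *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 *  [80.171.36.179 listed in combined.njabl.org]
 *  1.0 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
 *  5.0 BOTNET Any Botnet rule hit"""

# Constructed header standing for the copy that reached the inbox: only
# local rules fired, which is the "config problem" pattern Loren describes.
DELIVERED_HEADER = """X-Spam-Status: No, score=2.9 required=4.0 tests=HTML_IMAGE_ONLY_12,
 HTML_MESSAGE,SHORT_HELO_AND_INLINE_IMAGE autolearn=no version=3.1.7"""

# Rule families that need DNS or a network service (DNSBLs, URIBLs, Razor,
# DCC, Pyzor, SPF, DomainKeys policy lookups).  Heuristic, not exhaustive.
NET_PREFIXES = ("RCVD_IN_", "URIBL_", "RAZOR2_", "DCC_", "PYZOR_", "SPF_", "DK_")

STATUS_RE = re.compile(
    r"^X-Spam-Status:\s*(?P<flag>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<req>\d+(?:\.\d+)?)\s+tests=(?P<tests>.*?)\s+"
    r"autolearn=(?P<autolearn>\S+)(?:\s+version=(?P<version>\S+))?\s*$")
REPORT_LINE_RE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)(?:\s|$)")

def unfold(header):
    """Join RFC 2822 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())

def parse_status(header):
    """Parse X-Spam-Status into a dict.  The tests list may carry spaces
    after commas because the header was folded mid-list."""
    m = STATUS_RE.match(unfold(header))
    if not m:
        raise ValueError("not an X-Spam-Status header")
    tests = [t.strip() for t in m.group("tests").split(",") if t.strip()]
    return {"is_spam": m.group("flag") == "Yes",
            "score": float(m.group("score")),
            "required": float(m.group("req")),
            "tests": tests,
            "autolearn": m.group("autolearn"),
            "version": m.group("version")}

def bucket(rule):
    """bayes / network / local, decided by rule-name prefix."""
    if rule.startswith("BAYES_"):
        return "bayes"
    if rule.startswith(NET_PREFIXES):
        return "network"
    return "local"

def parse_report(report):
    """Map rule name -> points from X-Spam-Report.  Bracketed continuation
    lines such as '*  [score: 1.]' name no rule and are skipped."""
    scores = {}
    for line in report.splitlines():
        m = REPORT_LINE_RE.match(line)
        if m:
            scores[m.group(2)] = float(m.group(1))
    return scores

def points_by_bucket(scores):
    """Sum per-rule points into the three buckets."""
    totals = {"bayes": 0.0, "network": 0.0, "local": 0.0}
    for rule, pts in scores.items():
        totals[bucket(rule)] += pts
    return totals

def diagnose(header):
    """Loren's heuristic applied to a delivered message's X-Spam-Status."""
    st = parse_status(header)
    groups = {b: [t for t in st["tests"] if bucket(t) == b]
              for b in ("bayes", "network", "local")}
    findings = []
    if not groups["bayes"]:
        findings.append("no BAYES_* rule hit: Bayes may not be running on delivered mail")
    if not groups["network"]:
        findings.append("no network rule hit: either an early copy of a new run, "
                        "or net tests are disabled on the delivery path")
    if st["is_spam"] != (st["score"] >= st["required"]):
        findings.append("flag disagrees with score/threshold: header rewritten?")
    return findings
```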

Re: Easyjet e-mail scoring very high

2006-12-01 Thread John D. Hardin
On Fri, 1 Dec 2006, Nick Leverton wrote:

> On Friday 01 December 2006 11:33, Chris Lear wrote:
> > I got an EasyJet confirmation E-mail that scored like this:
> 
> whitelist_from_rcvd [EMAIL PROTECTED] savvis.net

...which should probably go in the SARE Known Whitelists ruleset?

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.  -- Henry George
---
 14 days until Bill of Rights day



Re: forged spam emails from my own domain

2006-12-01 Thread Craig Morrison

vertito wrote:


config: SpamAssassin failed to parse line, "[EMAIL PROTECTED]" is not valid 
for "whitelist_from_rcvd", skipping: whitelist_from_rcvd [EMAIL PROTECTED]


I tried your advice but I had an error line in my maillog, which is 
shown above.

[EMAIL PROTECTED] is just for a test.


whitelist_from_rcvd [EMAIL PROTECTED] sourceforge.net

  Use this to supplement the whitelist_from addresses with a check 
against the Received headers. The first parameter is the address to 
whitelist, and the second is a string to match the relay’s rDNS.


--
Craig


smime.p7s
Description: S/MIME Cryptographic Signature


Re: forged spam emails from my own domain

2006-12-01 Thread vertito


config: SpamAssassin failed to parse line, "[EMAIL PROTECTED]" is not valid 
for "whitelist_from_rcvd", skipping: whitelist_from_rcvd [EMAIL PROTECTED]


I tried your advice but I had an error line in my maillog, which is 
shown above.

[EMAIL PROTECTED] is just for a test.


Matt Kettler wrote:


vertito wrote:
 


I am receiving spam emails coming from my own domain.com,
but that email address does not exist in my own domain.com.

Say my domain is mydomain.com and that spam email had a FROM header that
shows

[EMAIL PROTECTED]

which is currently whitelisted by SpamAssassin global rules and
currently does not exist in my users list.
That is why I am receiving it in my INBOX and not in my SPAM folder.

Anyone has an idea or a script to move this to the SPAM folder?
tnx
   


sidenote: Do you really have to post in such a large font?

Spamassassin whitelisting rules:

Rule 1. Do not *EVER* use whitelist_from for your domain.. EVER. This is
a bad idea because it is easily forged. Even if your MTA rejects
forgeries, that only applies to the envelope, where SA's whitelisting
will match either the envelope or the From: address. Use
whitelist_from_rcvd instead. Whitelist_from_rcvd allows you to dictate
matching part of a Received: header, and you can use this so that only
internal machines will match the whitelist, outside hosts won't.

Rule 2. Actually, don't EVER use whitelist_from for anything if you can
avoid it. whitelist_from_rcvd or whitelist_from_spf are always better to
use when possible.


And, as Craig suggested, configuring your MTA to reject forgeries of
your domain is a good idea. This will only solve those that forge the
envelope from, but this is a large chunk of forged spam and viruses.
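
As an added example, not code from the thread or from SpamAssassin, here is a small lint for the whitelist directives in a local.cf that encodes Matt Kettler's two rules and catches the one-argument whitelist_from_rcvd behind the "is not valid for whitelist_from_rcvd" parse error Craig Morrison explains. The sample config, its addresses and its domains are constructed.

```python
import re
from typing import List, Set, Tuple

# Constructed sample config; every address and domain here is a placeholder.
SAMPLE_CF = """\
# weak: From: is trivially forged, so this whitelists spam claiming to be us
whitelist_from *@mydomain.com
# avoid: plain whitelist_from for any sender when an rcvd/spf form is possible
whitelist_from newsletter@othercorp.example
# broken: whitelist_from_rcvd needs the relay's rDNS as a second argument
whitelist_from_rcvd alice@example.net
# ok: address plus the rDNS of the relay that must have handed it to us
whitelist_from_rcvd alice@example.net example.net
# ok: sender verified by the domain's SPF record, nothing to keep in sync
whitelist_from_spf booking@airline.example
"""

Finding = Tuple[int, str, str]  # (line number, level, message)

def domain_of(addr: str) -> str:
    """Domain part of an SA address glob such as '*@mydomain.com'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else addr.lower()

def is_local(addr: str, local_domains: Set[str]) -> bool:
    """True when the glob's domain is one of ours or a subdomain of one."""
    dom = domain_of(addr)
    return any(dom == d or dom.endswith("." + d) for d in local_domains)

def lint(config: str, local_domains: Set[str]) -> List[Finding]:
    """Return findings for whitelist_* lines; other directives are ignored."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # SA strips '#' comments
        if not line:
            continue
        parts = line.split()
        directive, args = parts[0], parts[1:]
        if directive == "whitelist_from_rcvd":
            # SA wants exactly two parameters: address glob and rDNS substring.
            # With one argument the config parser rejects the line, as in the
            # maillog error quoted in the thread.
            if len(args) != 2:
                findings.append((lineno, "error",
                    "whitelist_from_rcvd needs <address> <rdns>, got %d argument(s)"
                    % len(args)))
        elif directive == "whitelist_from":
            local = [a for a in args if is_local(a, local_domains)]
            if local:  # Rule 1: never whitelist_from your own domain
                findings.append((lineno, "error",
                    "whitelist_from for own domain (%s) is forgeable; use "
                    "whitelist_from_rcvd with an internal relay instead"
                    % ", ".join(local)))
            else:      # Rule 2: avoid whitelist_from altogether when possible
                findings.append((lineno, "warning",
                    "whitelist_from matches only the From: header; prefer "
                    "whitelist_from_rcvd or whitelist_from_spf"))
    return findings
```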



 





Re: Easyjet e-mail scoring very high

2006-12-01 Thread Nick Leverton
On Friday 01 December 2006 11:33, Chris Lear wrote:
> I got an EasyJet confirmation E-mail that scored like this:

whitelist_from_rcvd [EMAIL PROTECTED] savvis.net

Nick


Re: sa-update / taint error

2006-12-01 Thread Daryl C. W. O'Shea

Henk van Lingen wrote:


  Hi Daryl,

  I restored my situation from two days ago, and the problem returned.
  Your patch seems to fix the problem.


Thanks for confirming the fix Henk.  Fixed in the 3.1 branch (3.1.8) and 
trunk.


Daryl


Re: Help for old-school SA?

2006-12-01 Thread Kris Deugau

Mike Jackson wrote:
I work for a large hosting provider. Some of our hosting accounts are 
(effectively) stuck using SA 2.63, since they are using older Redhat 
installs coupled with older versions of the Plesk control panel. (Why 
stuck? Because Plesk and ES2.1 won't recognize post-2 versions, provide 
proper startup options, or write out the proper header-munging rules.) 
Needless to say, SA 2.63 isn't very effective anymore. I will often set 
up SARE rulesets and RulesDuJour, install & configure Razor, lower the 
Bayes autolearn thresholds and minimum message counts, make sure 
Net::DNS and Mail::SPF::Query are installed, and use RBLs within Qmail. 
It's not all that effective, or at least not as effective as they want.


So, what other tools can I add to my arsenal under these circumstances?


I'm not sure what sort of mail is slipping through in your case, but 
I've got three (fairly heavily tweaked) 2.64 installs that are still 
"good enough".  I've kept the default threshold of 5 (except for a few 
specific customers, and three ISP role accounts).


-> A well-trained Bayes DB is crucial.  One system's Bayes db is 4+ 
years old, and only occasionally misfiring.  I regularly feed missed 
spam into it;  occasionally I get a ham or two to feed it.  I've pushed 
the autolearn-as-ham threshold down to -0.1.


-> There are a few known security/DoS issues with 2.63.  Move heaven and 
earth to go to 2.64;  it's a drop-in upgrade that should be painless.


-> The SARE stocks ruleset has helped eliminate *most* of the 
image-based stock spam I've been seeing.  IIRC I'm also using the 
"adult" ruleset;  I can't afford too many more due to memory limits.  :/


-> The SURBL patch for 2.6x has been *very* useful - less so now than it 
was when it was released maybe, but it still pushes a fair chunk of the 
spam over the threshold.


-> Local rules for whatever is slipping through are generally pretty 
effective;  everyone gets a somewhat different mix of spam.  I have rules 
that would be pretty much useless for anyone else, because they rely on 
specific aspects of *this* particular mail system.


-> For an ISP, customer feedback is critical.  Over time, I've managed 
to teach a few customers exactly how to forward mail they've downloaded 
so I can feed it back to Bayes ("right-click, forward as attachment" 
works in everything but Outlook and Eudora IIRC), and check the raw 
message for possible local rules.  Accumulating a useful global 
whitelist is also useful - some perfectly legitimate bulk senders just 
don't have a clue, so whitelisting them at some layer makes sure 
customers get their joke-of-the day spam^H^H^H^Hmail.


-> A little bit of statistics can do wonders for customer opinions. 
"I'm complaining about 5 spams a day" becomes "Wow, keep up the good 
work!" when you point out that the filter has diverted 500 spams a day 
from their inbox.  This is particularly effective if they haven't had 
problems with legit mail getting tagged.


-kgd


Re: How does some spam pass through?

2006-12-01 Thread Craig
Thanks for your quick reply
 
Ok, I am new to this - and I am sure it's a "no brainer" but "non-spam
tagging" I do not understand. If you could explain - or if it's documented
feel free to scold me - I would appreciate it.
 
Craig


>>> "Loren Wilton" <[EMAIL PROTECTED]> 12/1/2006 11:05 AM >>>
Typical case is that you were one of the lucky early recipients before
the spam made it into all the blocklists, so it got a low score.
 
You should have got a pretty hefty score from the local tests, but
there is another 10+ points in net tests there too.
 
It looks like bayes should have caught it with your 4.0 limit.  This
makes me suspect bayes didn't run.  Look at the original mail tagging
and see, if you have a setup where you have non-spam tagging.  (and if
not, fix things so you do, it makes this easier to debug.)
 
Loren


- Original Message - 
From: Craig  ( mailto:[EMAIL PROTECTED] )
To: users@spamassassin.apache.org 
Sent: Friday, December 01, 2006 8:47 AM
Subject: How does some spam pass through?

Below are the results from a Spamassassin -D test of a message that was
previously delivered this morning.  How does something like this pass
through? When I run the checks on the email after it is delivered, the
system clearly knows it's spam.
 
Thanks
Craig
 
 
 
X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,
 BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,
 HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
 RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7
X-Spam-Report: 
 *  0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
 *  0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
 *  1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of
words
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *  [score: 1.]
 *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
address
 *  [80.171.36.179 listed in dnsbl.sorbs.net]
 *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 *  [80.171.36.179 listed in sbl-xbl.spamhaus.org]
 *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 *  [80.171.36.179 listed in combined.njabl.org]
 *  1.0 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline
image
 *  0.0 BOTNET_CLIENT Hostname looks like a client hostname
 *  5.0 BOTNET Any Botnet rule hit


Re: Easyjet e-mail scoring very high

2006-12-01 Thread Kris Deugau

Chris Lear wrote:

Thanks for all the advice. I've reluctantly whitelisted them and written
a polite message to [EMAIL PROTECTED] It doesn't seem to have
bounced, so maybe someone will read it. I'll let you know if I get a
response.
Meanwhile, I suppose this is something for others to be aware of if you
run an MTA that rejects on high SA scores (and have users that might
want to fly EasyJet).


*nod*  FYI, I would personally not reject lower than 8 (the threshold 
I've been using on several ISP role accounts), and IIRC a number of 
people have several thresholds for different actions (depending on 
what's calling SA) - eg SMTP reject at 15, tag-and-divert at 10, 
tag-and-deliver at 5.  As an ISP mail filter admin, I've had far too 
many FP reports with scores in the 7-10 range.  :(


(I also didn't have the option of SMTP-rejecting mail originally, because 
the filter server was a second hop internally, and the machine relaying 
*to* it was, erm, grumpy about its outbound relay rejecting anything.)


-kgd


Re: Help for old-school SA?

2006-12-01 Thread Loren Wilton
First thing: find the patch for the URIBL rules and get that enabled.  It 
will probably catch 90% of the spam making it through.


It would probably be possible to build an eval test for 2.63 that would do 
what FuzzyOCR does, but it would take some work by someone that knows Perl 
(which isn't me).


   Loren

- Original Message - 
From: "Mike Jackson" <[EMAIL PROTECTED]>

To: 
Sent: Friday, December 01, 2006 8:55 AM
Subject: Help for old-school SA?


I work for a large hosting provider. Some of our hosting accounts are 
(effectively) stuck using SA 2.63, since they are using older Redhat 
installs coupled with older versions of the Plesk control panel. (Why 
stuck? Because Plesk and ES2.1 won't recognize post-2 versions, provide 
proper startup options, or write out the proper header-munging rules.) 
Needless to say, SA 2.63 isn't very effective anymore. I will often set up 
SARE rulesets and RulesDuJour, install & configure Razor, lower the Bayes 
autolearn thresholds and minimum message counts, make sure Net::DNS and 
Mail::SPF::Query are installed, and use RBLs within Qmail. It's not all 
that effective, or at least not as effective as they want.


So, what other tools can I add to my arsenal under these circumstances? 




Re: How does some spam pass through?

2006-12-01 Thread Loren Wilton
Typical case is that you were one of the lucky early recipients before the spam 
made it into all the blocklists, so it got a low score.

You should have got a pretty hefty score from the local tests, but there is 
another 10+ points in net tests there too.

It looks like bayes should have caught it with your 4.0 limit.  This makes me 
suspect bayes didn't run.  Look at the original mail tagging and see, if you 
have a setup where you have non-spam tagging.  (and if not, fix things so you 
do, it makes this easier to debug.)

Loren
  - Original Message - 
  From: Craig 
  To: users@spamassassin.apache.org 
  Sent: Friday, December 01, 2006 8:47 AM
  Subject: How does some spam pass through?


  Below are the results from a Spamassassin -D test of a message that was 
previously delivered this morning.  How does something like this pass through? 
When I run the checks on the email after it is delivered, the system clearly 
knows it's spam.

  Thanks
  Craig



  X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,
   BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,
   HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
   RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7
  X-Spam-Report: 
   *  0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
   *  0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
   *  1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
   *  0.0 HTML_MESSAGE BODY: HTML included in message
   *  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
   *  [score: 1.]
   *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
   *  [80.171.36.179 listed in dnsbl.sorbs.net]
   *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
   *  [80.171.36.179 listed in sbl-xbl.spamhaus.org]
   *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
   *  [80.171.36.179 listed in combined.njabl.org]
   *  1.0 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
   *  0.0 BOTNET_CLIENT Hostname looks like a client hostname
   *  5.0 BOTNET Any Botnet rule hit

Re: Systemwide Procmail usage

2006-12-01 Thread Bob McClure Jr
On Fri, Dec 01, 2006 at 09:38:38AM -0700, [EMAIL PROTECTED] wrote:
> 
> On Fri, December 1, 2006 8:06 am, Bob McClure Jr wrote:
> > On Fri, Dec 01, 2006 at 05:56:06AM -0500, Will Nordmeyer wrote:
> >> I know this isn't the procmail list, but had a quick question.
> >>
> >>
> >>
> >> My server is running SA 3.1.7 and has the following systemwide procmailrc:
> >>
> >>
> >>
> >> SHELL=/bin/sh
> >>
> >> #LOGFILE=$HOME/.procmail-log
> >>
> >> #VERBOSE=on
> >>
> >> DROPPRIVS=yes
> >>
> >>
> >>
> >> :0fw
> >>
> >> * < 256000
> >>
> >> | /home/spam-filter/bin/spamc -U /home/spam-filter/tmp/spamd.sock
> >>
> >>
> >>
> >> If I want to lower the load on SA by not having emails to/from THIS list
> >> (and select other lists) processed through SpamAssassin, could I simply
> >> change it to this?
> >>
> >>
> >>
> >> SHELL=/bin/sh
> >>
> >> #LOGFILE=$HOME/.procmail-log
> >>
> >> #VERBOSE=on
> >>
> >> DROPPRIVS=yes
> >>
> >>
> >>
> >> :0fw
> >>
> >> * < 256000
> >>
> >> * ! To:  users@spamassassin.apache.org
> >>
> >> | /home/spam-filter/bin/spamc -U /home/spam-filter/tmp/spamd.sock
> >
> > I don't think that will work because the To: line isn't always just
> > that way, and the sender might have the address in the Cc: line.
> > Rather filter on the line:
> >
> > List-Id: 
> >
> > because it's always, always, always in that format.
> >
> > FWIW, I use a different logic because I have many things I want to
> > exclude from SA scanning, so before the call to spamc, I have recipes
> > like:
> >
> > :0:
> > * ^List-Id: 
> > /var/spool/mail/bob
> >
> > which diverts such mail directly to my mailbox without going through
> > SA.
> 
> Just a thought, but when I place rules in /etc/procmailrc, I do something 
> like:
> 
> :0:
> *^List-ID: 
>  /var/spool/mail/$USER
> 
> That way, if someone else on the server joins the affected list, it is put in
> the correct inbox.
> 
> Karl

Good point.  I'm working from my personal .procmailrc.  The only thing
I put in /etc/procmailrc is the call to clamassassin.  Everyone else
calls spamc from ~/.procmailrc, per-user bayes and all that.

> >
> > Cheers,
> > --
> > Bob McClure, Jr.
> 
> 
> -- 
> karl
>  _/  _/  _/  _/_/_/      __o
> _/ _/   _/  _/_/   _-\<._
>_/_/_/  _/_/_/ (_)/ (_)
>   _/ _/   _/  _/   ..
>  _/   _/ arl _/_/_/  _/ earson[EMAIL PROTECTED]
> ---
> Senior Consulting Sys/DB Analyst
> http://consulting.ourldsfamily.com
> ---
>  My Thoughts on Terrorism In America right after 9/11/2001:
>  http://www.ourldsfamily.com/wtc.shtml
> ---
>  The world is a dangerous place to live... not because of
>  the people who are evil, but because of the people who
>  don't do anything about it.
>  - Albert Einstein
> ---

Cheers,
-- 
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
"Where you go in the hereafter depends on what you were after here."
  - Thanks to Graffiti, 2 March 2004


Re: Easyjet e-mail scoring very high

2006-12-01 Thread Chris Lear
* Adam Stephens wrote (01/12/06 16:10):
> Chris Lear wrote:
>> * Loren Wilton wrote (01/12/06 14:54):
>>   
>>>> The html contains this sort of thing:
>>>> http://www.easyjet.com/EN/Members/
>>>>
>>>> Which looks like the culprit. In fact, every full stop in the html is
>>>> represented as . for some reason.
>>>>
>>>> Still wondering though... how do you solve a problem like EasyJet?
>>>>
>>> Sure looks like spam to me.  ;-)
>>>
>>> Which also looks like just about every airline message I've seen from any 
>>> airline.  :-(  Apparently they hired spammers to design their marketing 
>>> campaign mail.
>>>
>>> You could try sending to postmaster or whatever at whichever marketing 
>>> company is really sending that mail and see if you can get any attention 
>>> from them.  Probably not, but it might be worth trying.
>>> 
>>
>> The trouble is, it's not marketing. It's a confirmation of a flight
>> booking, which I paid for. The airline doesn't issue tickets. So it's
>> something I genuinely want in my inbox. It looks like it's generated
>> directly by the easyjet.com web server.
>>   
> 
> I had some complaints about that this week; it's obviously a new issue, 
> and it looks like it only applies to the ticket confirmations. Since 
> people really need these booking confirmations I've whitelisted it - 
> using a whitelist_from_rcvd rule seems to catch the booking 
> confirmations only as the marketing material is sent from a different 
> machine.

Thanks for all the advice. I've reluctantly whitelisted them and written
a polite message to [EMAIL PROTECTED]. It doesn't seem to have
bounced, so maybe someone will read it. I'll let you know if I get a
response.
Meanwhile, I suppose this is something for others to be aware of if you
run an mta that rejects on high SA scores (and have users that might
want to fly EasyJet).

Chris


whitelist_from and whitelist_from_rcvd not working

2006-12-01 Thread Mark Adams
Hi All,

Spamassassin 3.1.4-1

Currently have entries like the following in the local.cf file

whitelist_from [EMAIL PROTECTED]
and
whitelist_from [EMAIL PROTECTED]

But mail is still picked up as spam for the [EMAIL PROTECTED]

Have also tried the following;

whitelist_from_rcvd [EMAIL PROTECTED] domain.com
and
whitelist_from_rcvd [EMAIL PROTECTED] domain.com

But nothing seems to work. Has anyone got any advice on this?

Any help appreciated.

Regards,
Mark


Help for old-school SA?

2006-12-01 Thread Mike Jackson
I work for a large hosting provider. Some of our hosting accounts are 
(effectively) stuck using SA 2.63, since they are using older Redhat 
installs coupled with older versions of the Plesk control panel. (Why 
stuck? Because Plesk and ES2.1 won't recognize post-2 versions, provide 
proper startup options, or write out the proper header-munging rules.) 
Needless to say, SA 2.63 isn't very effective anymore. I will often set up 
SARE rulesets and RulesDuJour, install & configure Razor, lower the Bayes 
autolearn thresholds and minimum message counts, make sure Net::DNS and 
Mail::SPF::Query are installed, and use RBLs within Qmail. It's not all 
that effective, or at least not as effective as they want.


So, what other tools can I add to my arsenal under these circumstances?


How does some spam pass through?

2006-12-01 Thread Craig
Below are the results from a Spamassassin -D test of a message that was
previously delivered this morning.  How does something like this pass
through- when I run the checks on the email after it is delivered the
system clearly knows it's spam.
 
Thanks
Craig
 
 
 
X-Spam-Status: Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,
 BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,
 HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
 RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7
X-Spam-Report: 
 *  0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
 *  0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
 *  1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of
words
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *  [score: 1.]
 *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
address
 *  [80.171.36.179 listed in dnsbl.sorbs.net]
 *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 *  [80.171.36.179 listed in sbl-xbl.spamhaus.org]
 *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 *  [80.171.36.179 listed in combined.njabl.org]
 *  1.0 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline
image
 *  0.0 BOTNET_CLIENT Hostname looks like a client hostname
 *  5.0 BOTNET Any Botnet rule hit
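Loren's reply to this message points out that a good chunk of the 20.3 came from network tests that an early recipient, before the sending host reached the blocklists, would not have had. The following is an added example (not SpamAssassin's own code) that parses the X-Spam-Status and X-Spam-Report headers quoted above and splits the total into RBL rules and everything else, so that reasoning can be checked against the numbers. Treating a rule as a network test when its description starts with "RBL:" is an assumption of this example; BOTNET, for instance, also does DNS lookups but is counted as local here.

```python
"""Split a SpamAssassin score into RBL (network) rules and the rest.

Added example, not SpamAssassin code.  Input is the X-Spam-Status value and
X-Spam-Report body from Craig's message; the "RBL:" description prefix is
used to classify a rule as a network lookup (an assumption of this example).
"""
import re

STATUS = (
    "Yes, score=20.3 required=4.0 tests=BAYES_99,BOTNET,"
    "BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,"
    "HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,"
    "RCVD_IN_XBL,SHORT_HELO_AND_INLINE_IMAGE autolearn=spam version=3.1.7"
)

REPORT = """\
 *  0.0 BOTNET_CLIENTWORDS Hostname contains client-like substrings
 *  0.0 BOTNET_IPINHOSTNAME Hostname contains its own IP address
 *  1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  4.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *  [score: 1.]
 *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 *  [80.171.36.179 listed in dnsbl.sorbs.net]
 *  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
 *  [80.171.36.179 listed in sbl-xbl.spamhaus.org]
 *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
 *  [80.171.36.179 listed in combined.njabl.org]
 *  1.0 SHORT_HELO_AND_INLINE_IMAGE Short HELO string, with inline image
 *  0.0 BOTNET_CLIENT Hostname looks like a client hostname
 *  5.0 BOTNET Any Botnet rule hit
"""

# A rule line: " *  <score> <RULE_NAME> <description>".  The indented
# "[...]" detail lines carry no score and do not match.
RULE_RE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")
STATUS_RE = re.compile(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)")


def parse_status(status):
    """Return (score, required) from an X-Spam-Status value."""
    m = STATUS_RE.search(status)
    if not m:
        raise ValueError("no score/required in X-Spam-Status")
    return float(m.group(1)), float(m.group(2))


def parse_report(report):
    """Return [(rule, score, description)] for each scored rule line."""
    rules = []
    for line in report.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(2), float(m.group(1)), m.group(3)))
    return rules


def is_network_rule(rule, description):
    # Assumption of this example: RBL rules are the network tests.
    return description.startswith("RBL:")


def breakdown(report):
    """Totals for network rules, local rules, and both together."""
    rules = parse_report(report)
    net = round(sum(s for r, s, d in rules if is_network_rule(r, d)), 1)
    local = round(sum(s for r, s, d in rules if not is_network_rule(r, d)), 1)
    return {"total": round(net + local, 1), "network": net,
            "local": local, "rules": len(rules)}


if __name__ == "__main__":
    score, required = parse_status(STATUS)
    print(f"header score {score} (required {required})")
    print(breakdown(REPORT))
```

The per-rule scores in X-Spam-Report are printed to one decimal, so their sum (20.2) can differ from the header's score=20.3 by a rounding step; compare against the header for the authoritative value. The split shows 7.8 points from the three RBL hits and 12.4 from everything else, of which 4.5 is BAYES_99.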


Re: Systemwide Procmail usage

2006-12-01 Thread karlp

On Fri, December 1, 2006 8:06 am, Bob McClure Jr wrote:
> On Fri, Dec 01, 2006 at 05:56:06AM -0500, Will Nordmeyer wrote:
>> I know this isn't the procmail list, but had a quick question.
>>
>>
>>
>> My server is running SA 3.1.7 and has the following systemwide procmailrc:
>>
>>
>>
>> SHELL=/bin/sh
>>
>> #LOGFILE=$HOME/.procmail-log
>>
>> #VERBOSE=on
>>
>> DROPPRIVS=yes
>>
>>
>>
>> :0fw
>>
>> * < 256000
>>
>> | /home/spam-filter/bin/spamc -U /home/spam-filter/tmp/spamd.sock
>>
>>
>>
>> If I want to lower the load on SA by not having emails to/from THIS list
>> (and select other lists) processed through SpamAssassin, could I simply
>> change it to this?
>>
>>
>>
>> SHELL=/bin/sh
>>
>> #LOGFILE=$HOME/.procmail-log
>>
>> #VERBOSE=on
>>
>> DROPPRIVS=yes
>>
>>
>>
>> :0fw
>>
>> * < 256000
>>
>> * ! To:  users@spamassassin.apache.org
>>
>> | /home/spam-filter/bin/spamc -U /home/spam-filter/tmp/spamd.sock
>
> I don't think that will work because the To: line isn't always just
> that way, and the sender might have the address in the Cc: line.
> Rather filter on the line:
>
> List-Id: 
>
> because it's always, always, always in that format.
>
> FWIW, I use a different logic because I have many things I want to
> exclude from SA scanning, so before the call to spamc, I have recipes
> like:
>
> :0:
> * ^List-Id: 
> /var/spool/mail/bob
>
> which diverts such mail directly to my mailbox without going through
> SA.

Just a thought, but when I place rules in /etc/procmailrc, I do something like:

:0:
*^List-ID: 
 /var/spool/mail/$USER

That way, if someone else on the server joins the affected list, it is put in
the correct inbox.

Karl


>
> Cheers,
> --
> Bob McClure, Jr. Bobcat Open Systems, Inc.
> [EMAIL PROTECTED] http://www.bobcatos.com
> "Where you go in the hereafter depends on what you were after here."
>   - Thanks to Graffiti, 2 March 2004
>


-- 
karl
 _/  _/  _/  _/_/_/      __o
_/ _/   _/  _/_/   _-\<._
   _/_/_/  _/_/_/ (_)/ (_)
  _/ _/   _/  _/   ..
 _/   _/ arl _/_/_/  _/ earson[EMAIL PROTECTED]
---
Senior Consulting Sys/DB Analyst
http://consulting.ourldsfamily.com
---
 My Thoughts on Terrorism In America right after 9/11/2001:
 http://www.ourldsfamily.com/wtc.shtml
---
 The world is a dangerous place to live... not because of
 the people who are evil, but because of the people who
 don't do anything about it.
 - Albert Einstein
---



Re: Easyjet e-mail scoring very high

2006-12-01 Thread Adam Stephens

Chris Lear wrote:

* Loren Wilton wrote (01/12/06 14:54):
  

The html contains this sort of thing:
http://www.easyjet.com/EN/Members/

Which looks like the culprit. In fact, every full stop in the html is
represented as . for some reason.

Still wondering though... how do you solve a problem like EasyJet?
  

Sure looks like spam to me.  ;-)

Which also looks like just about every airline message I've seen from any 
airline.  :-(  Apparently they hired spammers to design their marketing 
campaign mail.


You could try sending to postmaster or whatever at whichever marketing 
company is really sending that mail and see if you can get any attention 
from them.  Probably not, but it might be worth trying.



The trouble is, it's not marketing. It's a confirmation of a flight
booking, which I paid for. The airline doesn't issue tickets. So it's
something I genuinely want in my inbox. It looks like it's generated
directly by the easyjet.com web server.
  


I had some complaints about that this week; it's obviously a new issue, 
and it looks like it only applies to the ticket confirmations. Since 
people really need these booking confirmations I've whitelisted it - 
using a whitelist_from_rcvd rule seems to catch the booking 
confirmations only as the marketing material is sent from a different 
machine.


Adam.

--

Adam Stephens
Network Specialist - Email & DNS
[EMAIL PROTECTED]



Re: Easyjet e-mail scoring very high

2006-12-01 Thread Nick Leverton
On Friday 01 December 2006 11:33, Chris Lear wrote:
> I got an EasyJet confirmation E-mail that scored like this:

whitelist_from_rcvd [EMAIL PROTECTED] savvis.net

Nick


Re: Problems with one ham message

2006-12-01 Thread Maurice Lucas
Never mind. I needed more coffee
AWL score was the reason



On Fri, 2006-12-01 at 16:03 +0100, Maurice Lucas wrote:
> Hello,
> 
> I have the default scores for all the tests below and don't know where
> the score comes from.
> Could somebody help?
> 
> 
> 2006-12-01 15:33:51.100434500 [5834] info: spamd: connection from
> capella.taos-it.nl [127.0.0.1] at port 51166
> 2006-12-01 15:33:51.152649500 [5834] info: spamd: processing message
> <[EMAIL PROTECTED]> for spamd:1031
> 2006-12-01 15:33:55.571287500 [5834] info: spamd: identified spam
> (8.9/5.5) for spamd:1031 in 4.5 seconds, 888 bytes.
> Score is 8.9 with required 5.5
> 
> 
> 2006-12-01 15:33:55.571562500 [5834] info: spamd: result: Y 8 -
> AWL,BAYES_00,DK_POLICY_SIGNSOME,FORGED_RCVD_HELO
> The tests
> 
> scantime=4.5,size=888,user=spamd,uid=1031,required_score=5.5,rhost=capella.taos-it.nl,
> raddr=127.0.0.1,rport=51166,mid=<[EMAIL 
> PROTECTED]>,bayes=5.55111512312578e-17,autolearn=no
> 
> If I run this message with spamassassin -t:
>
> Content analysis details:   (-2.5 points, 5.5 required)
> 
>  pts rule name  description
>  --
> --
>  0.1 FORGED_RCVD_HELO   Received: contains a forged HELO
>  0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some
> mails
> -2.6 BAYES_00   BODY: Bayesian spam probability is 0 to 1%
> [score: 0.]
> 
> So why is it rejected as spam in the SMTP phase?
> 
> 

-- 
With kind regards,

Maurice Lucas
TAOS-IT
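Maurice's own answer (AWL) is worth making concrete, because the gap he saw is exactly what the auto-whitelist produces: spamd reported 8.9 for the message while spamassassin -t gave -2.5. The block below is an added example, not SpamAssassin's code; it models the AWL plugin's adjustment rule (the score is moved toward the sender's stored mean by auto_whitelist_factor, default 0.5) and inverts it to show which history explains 8.9. The sender's prior score of 20.3 and the AWL key are constructed values, and it is an assumption that the spamd run (as user "spamd", per the log) and the -t run consulted different AWL databases.

```python
"""Model of SpamAssassin's AWL adjustment.  Added example, not SA's code.

AWL rule: final = raw + (mean_of_sender - raw) * auto_whitelist_factor, with
factor 0.5 by default.  The value stored for the sender is the raw score
(this is how the plugin behaves to my knowledge; treat it as part of the
model).  All sender history below is constructed.
"""
AUTO_WHITELIST_FACTOR = 0.5  # SpamAssassin default


class AwlStore:
    """Per-sender running count and total, as the AWL keeps them."""

    def __init__(self):
        self._entries = {}  # key -> (count, total of raw scores)

    def mean(self, key):
        count, total = self._entries.get(key, (0, 0.0))
        return None if count == 0 else total / count

    def record(self, key, raw_score):
        count, total = self._entries.get(key, (0, 0.0))
        self._entries[key] = (count + 1, total + raw_score)


def awl_adjust(store, key, raw_score):
    """Return the final score: raw score pulled toward the sender's mean.
    A sender with no history gets no adjustment."""
    mean = store.mean(key)
    delta = 0.0 if mean is None else (mean - raw_score) * AUTO_WHITELIST_FACTOR
    store.record(key, raw_score)  # the raw score is what gets remembered
    return round(raw_score + delta, 1)


def mean_that_explains(raw_score, final_score):
    """Invert the rule: which stored mean turns raw_score into final_score?"""
    return round(raw_score + (final_score - raw_score) / AUTO_WHITELIST_FACTOR, 1)


def demo():
    """Same -2.5 message scored against two different AWL databases."""
    sender = "sender@example.com|ip=203.0"  # constructed key
    spamd_awl = AwlStore()
    spamd_awl.record(sender, 20.3)          # constructed: one earlier spammy hit
    fresh_awl = AwlStore()                  # the -t run: no history for sender
    return (awl_adjust(spamd_awl, sender, -2.5),
            awl_adjust(fresh_awl, sender, -2.5))


if __name__ == "__main__":
    print("spamd / -t:", demo())
    print("mean that explains 8.9:", mean_that_explains(-2.5, 8.9))
```

A single earlier message from the same sender that scored around 20 is enough to lift a -2.5 ham message over a 5.5 threshold, which is why checking `spamassassin -D` output for the AWL delta, or running the test as the same user spamd runs as, is the first thing to do when spamd and -t disagree.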



Re: Easyjet e-mail scoring very high

2006-12-01 Thread Kris Deugau

Chris Lear wrote:

I got an EasyJet confirmation E-mail that scored like this:

BAYES_00=-2.599
DNS_FROM_RFC_ABUSE=0.2
FORGED_RCVD_HELO=0.135
HTML_FONT_FACE_BAD=0.156
HTML_MESSAGE=0.001
HTML_TINY_FONT=2.324
MARKETING_PARTNERS=1.765
MIME_HTML_MOSTLY=1.102
SARE_OBFU_AMP2B=2.555
SARE_SPEC_LEO_LINE03a=0.408

Which adds to 6.0, and only the Bayes score stopped it being rejected
(I'm rejecting at 6.5). [SA 3.1.3 with recent sa-update+SARE rules]
What's the recommended practice here? Whitelist? Lower the SARE scores?
Remove some less-safe SARE rules? Lower the HTML_TINY_FONT score [which
looks right, but if it's right for me, why not everyone else]?


HTML_TINY_FONT refers to HTML font sizes of 0 or 1.  (My own similar 
local rule for this also triggers on size 2.)  I honestly can't figure 
out why that should be considered legitimate usage for any legitimate 
content- unfortunately, as you're seeing, it does.  >:(



I'd like
all ham to score under 2, ideally. And almost all of it does. But I'd
prefer not to whitelist if possible. I like to feel I can trust SA
without introducing special cases.


I'd send them a politely worded nastygram that sums up as "Your legit 
mail looks like spam - fix it so your customers don't complain".  Most 
legitimate companies will appreciate knowing when their mail is getting 
tagged by a spam filter.  (Several people have posted on this list with 
success stories about just that, IIRC.)


A few will be obstinate enough to just reply "Add us to your whitelist, 
dumbass", but most won't.


-kgd


Re: Easyjet e-mail scoring very high

2006-12-01 Thread Craig Morrison

Chris Lear wrote:

* Loren Wilton wrote (01/12/06 14:54):

The html contains this sort of thing:
http://www.easyjet.com/EN/Members/

Which looks like the culprit. In fact, every full stop in the html is
represented as . for some reason.

Still wondering though... how do you solve a problem like EasyJet?


Sure looks like spam to me.  ;-)

Which also looks like just about every airline message I've seen from any 
airline.  :-(  Apparently they hired spammers to design their marketing 
campaign mail.


You could try sending to postmaster or whatever at whichever marketing 
company is really sending that mail and see if you can get any attention 
from them.  Probably not, but it might be worth trying.


The trouble is, it's not marketing. It's a confirmation of a flight
booking, which I paid for. The airline doesn't issue tickets. So it's
something I genuinely want in my inbox. It looks like it's generated
directly by the easyjet.com web server.



If it's just a one time thing, there's probably nothing you'll want to 
spend the time doing about it.


If it's going to be recurring, it might be worth the effort to dust off 
your PCRE and write a rule or two to offset the score.


--
Craig




Re: Easyjet e-mail scoring very high

2006-12-01 Thread Bart Schaefer

On 12/1/06, Chris Lear <[EMAIL PROTECTED]> wrote:

In fact, every full stop in the html is
represented as . for some reason.


In SMTP, a dot all by itself on a line is interpreted as the end of
the message.  The SMTP client is supposed to double any such dot that
is truly present in the message body, and the SMTP server then removes
the extra dot for final delivery.  My guess would be that (a) they
have a crappy SMTP client, probably something written in Java by a
junior programmer who doesn't know a protocol from a parsnip, to send
mail directly from a web server platform; and (b) they once had a
message truncated because there was a dot in the wrong place; so (c)
because they don't know how to fix the crappy SMTP client, they encode
all the dots instead.


Still wondering though... how do you solve a problem like EasyJet?


By doing what you don't want to do:  whitelisting.
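The dot-handling Bart describes is worth seeing end to end, because it shows that the sender's problem has a correct fix that does not involve encoding every full stop. The block below is an added example, not code from the thread or from EasyJet: a dot-stuffing client and a matching server per RFC 5321 section 4.5.2, next to a naive client that omits the stuffing and so gets its message truncated at the first bare dot. The sample body is constructed.

```python
"""SMTP dot-stuffing (RFC 5321 section 4.5.2).  Added example, not from the
thread.  The client prefixes an extra "." to every body line that starts
with ".", and the server removes it, so a line consisting of a single "."
can only ever mean end-of-data.  A client that skips the step truncates the
message; the fix is stuffing, not encoding every full stop in the content.
"""
CRLF = "\r\n"

# Constructed body: a bare dot line and a dot-initial line, the two cases
# that break a client which does not stuff.
SAMPLE_BODY = (
    "Your booking is confirmed." + CRLF
    + "." + CRLF
    + "...see http://www.easyjet.com/EN/Members/ for details." + CRLF
)


def dot_stuff(body):
    """Client side: stuff dot-initial lines, then append the terminator."""
    lines = body.split(CRLF)
    stuffed = [("." + ln) if ln.startswith(".") else ln for ln in lines]
    wire = CRLF.join(stuffed)
    if not wire.endswith(CRLF):
        wire += CRLF
    return wire + "." + CRLF


def naive_send(body):
    """A broken client: terminator appended, no stuffing at all."""
    if not body.endswith(CRLF):
        body += CRLF
    return body + "." + CRLF


def dot_unstuff(wire):
    """Server side: read up to the lone ".", dropping one leading "." from
    each line that has one.  Returns the body as it would be delivered."""
    delivered = []
    for ln in wire.split(CRLF):
        if ln == ".":
            break
        delivered.append(ln[1:] if ln.startswith(".") else ln)
    return CRLF.join(delivered) + CRLF


def round_trip(body):
    """What a correct client/server pair delivers: the body unchanged."""
    return dot_unstuff(dot_stuff(body))


if __name__ == "__main__":
    print(repr(round_trip(SAMPLE_BODY)))
    print(repr(dot_unstuff(naive_send(SAMPLE_BODY))))
```

Run against the constructed body, the correct pair returns it byte for byte, while the naive client's message is cut off after the first line, which is the failure mode that leads a sender to "encode all the dots instead".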


Re: new Botnet plugin version soon

2006-12-01 Thread Jonas Eckerman
John Rudd wrote:
> Question 2: someone asked why my module is "Botnet" instead of 
> "Mail::SpamAssassin::Plugin::Botnet".  The answer is: when I first 
> started this (and this is/was my first SA Plugin authoring attempt), I 
> tried that and it didn't work.

I just tested this, and it works perfectly fine for me. This is what I did:

1: Replaced the line
package Botnet;
with the line
package Mail::SpamAssassin::Plugin::Botnet;
in Botnet.pm. I did no other changes at all in this file.

2: Replaced the line
loadplugin Botnet /usr/local/etc/mail/spamassassin.plugins/Botnet.pm
with the line
loadplugin Mail::SpamAssassin::Plugin::Botnet 
/usr/local/etc/mail/spamassassin.plugins/Botnet.pm
in plugins.pre (the file I load custom plugins in). I did no other changes to 
this file.

I really don't know why this isn't working for you. It's strange.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



Re: Easyjet e-mail scoring very high

2006-12-01 Thread hamann . w
>> > The html contains this sort of thing:
>> > http://www.easyjet.com/EN/Members/
>> >
>> > Which looks like the culprit. In fact, every full stop in the html is
>> > represented as . for some reason.
>> >
>> > Still wondering though... how do you solve a problem like EasyJet?
>> 
>> 
>> Sure looks like spam to me.  ;-)
>> 
>> Which also looks like just about every airline message I've seen from any 
>> airline.  :-(  Apparently they hired spammers to design their marketing 
>> campaign mail.
>> 
>> You could try sending to postmaster or whatever at whichever marketing 
>> company is really sending that mail and see if you can get any attention 
>> from them.  Probably not, but it might be worth trying.
>> 
>> Loren
>> 
>> 
I would also suggest that people interested in this kind of mail get in touch 
with the company and tell them that
- the mail looks spammy and may not reach all intended recipients for that 
reason (including SA's vote on the mail might be an idea)
- they, as recipients, are unwilling to damage their working anti-spam setup 
just to cure a symptom where the sender could cure the disease (and 
whitelist_from, unless backed by SPF or DomainKeys, is opening an unnecessary 
hole)

Wolfgang Hamann





RE: forged spam emails from my own domain

2006-12-01 Thread vertito

you wake me up from this one. open community really is helpful as it is 
obviously a compounded
form of wisdom and knowledge base in general and details.
thanks again matt!

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 01, 2006 3:36 PM
To: [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Subject: Re: forged spam emails from my own domain

vertito wrote:
> i am receiving spam emails coming from my own domain.com but that 
> email address does not existing from my own domain.com.
>
> say my domain is mydomain.com and that spam email had FROM header that 
> shows
>
> [EMAIL PROTECTED]
>
> which is currently whitelisted from spamassassin global rules and 
> currently does not exist from my users list.
> that is why i am receiving it from my INBOX and not from SPAM folder,
>
> anyone has idea or a script to move this to SPAM folder?
> tnx
sidenote: Do you really have to post in such a large font?

Spamassassin whitelisting rules:

Rule 1. Do not *EVER* use whitelist_from for your domain. EVER. This is a bad 
idea because it is
easily forged. Even if your MTA rejects forgeries, that only applies to the 
envelope, where SA's
whitelisting will match either the envelope or the From: address. Use 
whitelist_from_rcvd instead.
Whitelist_from_rcvd allows you to dictate matching part of a Received: header, 
and you can use this
so that only internal machines will match the whitelist, outside hosts won't.

Rule 2. Actually, don't EVER use whitelist_from for anything if you can avoid 
it.
whitelist_from_rcvd or whitelist_from_spf are always better to use when 
possible.


And, as Craig suggested, configuring your MTA to reject forgeries of your 
domain is a good idea.
This will only solve those that forge the envelope from, but this is a large 
chunk of forged spam
and viruses.




RE: getting "and" operator work

2006-12-01 Thread vertito

am very glad for all this big help. now AND is working the way you've advised 
me.
thanks a lot!

-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 28, 2006 5:02 AM
To: John Rudd
Cc: users@spamassassin.apache.org
Subject: Re: getting "and" operator work

John Rudd wrote:
> Matt Kettler wrote:
>> John Rudd wrote:
>>> Matt Kettler wrote:
>>>
>>>> Really in regexes there is no such thing as an AND operation. It's 
>>>> just not something natural to do in a regex.
>>> I would argue, at a deeper level of language/grammar theory, that 
>>> this isn't true.  Instead, AND is implied by concatenation.
>> No it's not. Concatenation is order-specific. AND is order non-specific.
>>
>
> I'd have to break out a textbook (which means _find_ my textbooks on 
> the material) to continue the discussion meaningfully.  I'm just glad 
> anyone at all replied to the question meaningfully :-}
>
>
The key is that in boolean algebra, AND has the commutative property.
This means that A and B is the same as B and A.
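The difference Matt and John are circling can be shown directly. The block below is an added example, not from the thread: concatenating two patterns fixes their order, while an order-independent AND needs two lookaheads (or, in SpamAssassin, a meta rule such as `meta BOTH_WORDS (WORD_A && WORD_B)` over two separate body rules). The two input strings are constructed.

```python
"""Regex concatenation versus a commutative AND.  Added example.

"credit.*rating" only matches when "credit" comes first.  Two lookaheads,
"(?=.*credit)(?=.*rating)", each scan the text independently, so the match
does not depend on order, which is the commutative AND of boolean algebra.
"""
import re


def concatenated(a, b):
    """a then b, in that order, with anything in between."""
    return re.compile(rf"{a}.*{b}", re.S)


def both_present(a, b):
    """a AND b in either order, via independent lookaheads."""
    return re.compile(rf"(?=.*{a})(?=.*{b})", re.S)


def hits(pattern, text):
    return pattern.search(text) is not None


# Constructed inputs: the same two words, in each order.
IN_ORDER = "your credit rating doesn't matter to us"
REVERSED = "the rating of your credit is irrelevant"


def compare():
    """Run both constructions over both inputs."""
    cat = concatenated("credit", "rating")
    both = both_present("credit", "rating")
    return {
        "concat_in_order": hits(cat, IN_ORDER),
        "concat_reversed": hits(cat, REVERSED),
        "and_in_order": hits(both, IN_ORDER),
        "and_reversed": hits(both, REVERSED),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:18} {result}")
```

For SpamAssassin rules the meta-rule form is preferable to nested lookaheads: each body rule stays simple and cheap, and the combination is spelled out where the score is assigned.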






Re: Easyjet e-mail scoring very high

2006-12-01 Thread Chris Lear
* Loren Wilton wrote (01/12/06 14:54):
>> The html contains this sort of thing:
>> http://www.easyjet.com/EN/Members/
>>
>> Which looks like the culprit. In fact, every full stop in the html is
>> represented as . for some reason.
>>
>> Still wondering though... how do you solve a problem like EasyJet?
> 
> 
> Sure looks like spam to me.  ;-)
> 
> Which also looks like just about every airline message I've seen from any 
> airline.  :-(  Apparently they hired spammers to design their marketing 
> campaign mail.
> 
> You could try sending to postmaster or whatever at whichever marketing 
> company is really sending that mail and see if you can get any attention 
> from them.  Probably not, but it might be worth trying.

The trouble is, it's not marketing. It's a confirmation of a flight
booking, which I paid for. The airline doesn't issue tickets. So it's
something I genuinely want in my inbox. It looks like it's generated
directly by the easyjet.com web server.


Re: Systemwide Procmail usage

2006-12-01 Thread Bob McClure Jr
On Fri, Dec 01, 2006 at 05:56:06AM -0500, Will Nordmeyer wrote:
> I know this isn't the procmail list, but had a quick question.
> 
>  
> 
> My server is running SA 3.1.7 and has the following systemwide procmailrc:
> 
>  
> 
> SHELL=/bin/sh
> 
> #LOGFILE=$HOME/.procmail-log
> 
> #VERBOSE=on
> 
> DROPPRIVS=yes
> 
>  
> 
> :0fw
> 
> * < 256000
> 
> | /home/spam-filter/bin/spamc -U /home/spam-filter/tmp/spamd.sock
> 
>  
> 
> If I want to lower the load on SA by not having emails to/from THIS list
> (and select other lists) processed through SpamAssassin, could I simply
> change it to this?
> 
>  
> 
> SHELL=/bin/sh
> 
> #LOGFILE=$HOME/.procmail-log
> 
> #VERBOSE=on
> 
> DROPPRIVS=yes
> 
>  
> 
> :0fw
> 
> * < 256000
> 
> * ! To:  users@spamassassin.apache.org
> 
> | /home/spam-filter/bin/spamc -U /home/spam-filter/tmp/spamd.sock

I don't think that will work because the To: line isn't always just
that way, and the sender might have the address in the Cc: line.
Rather filter on the line:

List-Id: 

because it's always, always, always in that format.

FWIW, I use a different logic because I have many things I want to
exclude from SA scanning, so before the call to spamc, I have recipes
like:

:0:
* ^List-Id: 
/var/spool/mail/bob

which diverts such mail directly to my mailbox without going through
SA.

Cheers,
-- 
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
"Where you go in the hereafter depends on what you were after here."
  - Thanks to Graffiti, 2 March 2004
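Bob's objection to matching on the To: line (the list address may be in Cc:, or the line may carry a display name) can be checked against sample messages. The following is an added example in Python, not from the thread and not a procmail recipe: it models the proposed `To:` condition and the `List-Id` condition and runs both over constructed messages. The List-Id value used here is an assumption made for the example; check the header on a real message from your list before using it in a recipe.

```python
"""Why a literal "To: users@spamassassin.apache.org" test misses list mail
that List-Id catches.  Added example; all messages are constructed.
"""
from email import message_from_string

LIST_ADDR = "users@spamassassin.apache.org"
LIST_ID = "<users.spamassassin.apache.org>"  # assumed value, not from the page

# Constructed: list address in To:, the easy case.
MSG_TO = f"""\
From: someone@example.com
To: {LIST_ADDR}
List-Id: SpamAssassin users {LIST_ID}
Subject: test

hi
"""

# Constructed: a reply where the list is only in Cc: and To: has a display name.
MSG_CC = f"""\
From: someone@example.com
To: "Will Nordmeyer" <will@example.org>
Cc: SA users <{LIST_ADDR}>
List-Id: SpamAssassin users {LIST_ID}
Subject: Re: test

hi
"""

# Constructed: not list mail at all, though it mentions the address.
MSG_OTHER = f"""\
From: someone@example.com
To: will@example.org
Subject: did you see {LIST_ADDR}?

hi
"""


def to_line_matches(raw):
    """The proposed recipe: '* ! To:  users@...' looks only at the To: header."""
    msg = message_from_string(raw)
    return LIST_ADDR in (msg.get("To") or "")


def list_id_matches(raw):
    """Bob's suggestion: key on List-Id, which the list software always adds."""
    msg = message_from_string(raw)
    return (msg.get("List-Id") or "").strip().endswith(LIST_ID)


def skip_spamc(raw):
    """Decision the recipe is trying to make: deliver without calling spamc?"""
    return list_id_matches(raw)


if __name__ == "__main__":
    for name, raw in (("to", MSG_TO), ("cc", MSG_CC), ("other", MSG_OTHER)):
        print(name, to_line_matches(raw), list_id_matches(raw), skip_spamc(raw))
```

The To: test passes the first message and fails the second, which spamc would then scan anyway; the List-Id test passes both and, because it is not fooled by an address mentioned elsewhere, rejects the third. In procmail this is the `* ^List-Id:` condition Bob shows, with Karl's `$USER` variant keeping delivery per-user.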


Problems with one ham message

2006-12-01 Thread Maurice Lucas
Hello,

I have the default scores for all the tests below and don't know where
the score comes from.
Could somebody help?


2006-12-01 15:33:51.100434500 [5834] info: spamd: connection from
capella.taos-it.nl [127.0.0.1] at port 51166
2006-12-01 15:33:51.152649500 [5834] info: spamd: processing message
<[EMAIL PROTECTED]> for spamd:1031
2006-12-01 15:33:55.571287500 [5834] info: spamd: identified spam
(8.9/5.5) for spamd:1031 in 4.5 seconds, 888 bytes.
Score is 8.9 with required 5.5


2006-12-01 15:33:55.571562500 [5834] info: spamd: result: Y 8 -
AWL,BAYES_00,DK_POLICY_SIGNSOME,FORGED_RCVD_HELO
The tests

scantime=4.5,size=888,user=spamd,uid=1031,required_score=5.5,rhost=capella.taos-it.nl,
raddr=127.0.0.1,rport=51166,mid=<[EMAIL 
PROTECTED]>,bayes=5.55111512312578e-17,autolearn=no

If I run this message with spamassassin -t 

Re: Easyjet e-mail scoring very high

2006-12-01 Thread Loren Wilton

The html contains this sort of thing:
http://www.easyjet.com/EN/Members/

Which looks like the culprit. In fact, every full stop in the html is
represented as . for some reason.

Still wondering though... how do you solve a problem like EasyJet?



Sure looks like spam to me.  ;-)

Which also looks like just about every airline message I've seen from any 
airline.  :-(  Apparently they hired spammers to design their marketing 
campaign mail.


You could try sending to postmaster or whatever at whichever marketing 
company is really sending that mail and see if you can get any attention 
from them.  Probably not, but it might be worth trying.


   Loren



Re: My Credit rateing does TOO matter

2006-12-01 Thread Nigel Frankcom
On Fri, 01 Dec 2006 09:15:35 -0500, "Joe Zitnik" <[EMAIL PROTECTED]>
wrote:

>
>>>> On 12/1/2006 at 7:01 AM, Justin Mason <[EMAIL PROTECTED]> wrote:
>
>> Guys -- vague hints as to the contents of the mail really don't help.
> 
>> 
>> It's spam -- we're all getting thousands of spams a day, most of us
>(ok, I
>> for one at least) seem to be finding those going into the spam bins
>> without our help, and I'd say it's unlikely that many of us (ok, me
>> again ;) are going to go rooting through the trash there looking for
>> something that seems to match what you're hinting at.
>> 
>> Why not just post a spample, or a link to one?
>> 
>> --j.
>> 
>> Joe Zitnik writes:
>>> >>> On 12/1/2006 at 5:22 AM, John Andersen <[EMAIL PROTECTED]>
>wrote:
>>> On Friday 01 December 2006 00:29, Loren Wilton wrote:
>>> >  guess you're just lucky.  I just went through the last month's
>spam
>>> and I
>>> > can't find anything with a subject about credit ratings.  
>>> 
>>> Oh, no, I didn't mean to suggest it was in the subject.  
>>> 
>>> Its usually some random subject.  Then a paragraph starting with
>"your
>>> credit 
>>> rating doesn't matter to us" with the usual misspellings, etc,
>followed
>>> by 
>>> (usually) a geocities link and some random text at the end.
>>> 
>>> -- 
>>> _
>>> John Andersen
>>> 
>>> 
>>> I was wondering the same thing.  Even given the random text, I
>would
>>> think between the default rules, and the fact that I've dumped a
>bunch
>>> in to bayes, that the spammy content would be enough to nail them
>for
>>> sure.  I'm still seeing a significant number skate by.
>
>
>It wasn't really a vague hint, or rather, if you're receiving them, you
>know exactly the spam he's talking about.  I wasn't asking for a
>solution, I was just commenting on the fact that, like John, I was
>surprised these spams would make it through.  At least that's why I
>didn't post the contents or a link to the contents.

I'm glad you didn't or I'd have missed the thread. I have a content
filter running for those. I got sick and tired of checking hundreds
daily during my fp checks. Now I just root them at the MTA.

Prior to that SA was catching them though. Perhaps you are missing a
key rule or update?

Nigel


Re: forged spam emails from my own domain

2006-12-01 Thread Matt Kettler
vertito wrote:
> i am receiving spam emails coming from my own domain.com
> but that email address does not existing from my own domain.com.
>
> say my domain is mydomain.com and that spam email had FROM header that
> shows
>
> [EMAIL PROTECTED]
>
> which is currently whitelisted from spamassassin global rules and
> currently does not exist from my users list.
> that is why i am receiving it from my INBOX and not from SPAM folder,
>
> anyone has idea or a script to move this to SPAM folder?
> tnx
sidenote: Do you really have to post in such a large font?

Spamassassin whitelisting rules:

Rule 1. Do not *EVER* use whitelist_from for your domain. EVER. This is
a bad idea because it is easily forged. Even if your MTA rejects
forgeries, that only applies to the envelope, where SA's whitelisting
will match either the envelope or the From: address. Use
whitelist_from_rcvd instead. Whitelist_from_rcvd allows you to dictate
matching part of a Received: header, and you can use this so that only
internal machines will match the whitelist, outside hosts won't.

Rule 2. Actually, don't EVER use whitelist_from for anything if you can
avoid it. whitelist_from_rcvd or whitelist_from_spf are always better to
use when possible.


And, as Craig suggested, configuring your MTA to reject forgeries of
your domain is a good idea. This will only solve those that forge the
envelope from, but this is a large chunk of forged spam and viruses.
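Matt's two rules (and Wolfgang Hamann's remark elsewhere in this digest that an unbacked whitelist_from "is opening an unnecessary hole") come down to one difference: whitelist_from trusts a header the sender writes, whitelist_from_rcvd also checks a header your own MX writes. The block below is an added example, not SpamAssassin's implementation, that models the two directives and runs them over a forged message and a genuine one. Real SA chooses the relay to check using its trusted_networks logic; taking the first Received: header (the one our MX added) as that hop is an assumption of this model, and both messages and all hostnames are constructed.

```python
"""Model of whitelist_from versus whitelist_from_rcvd.  Added example, not
SpamAssassin's code.  whitelist_from matches the From: address alone;
whitelist_from_rcvd also requires the delivering relay's reverse DNS (from
the Received: header our MX wrote) to be inside the given domain.
"""
import re
from fnmatch import fnmatch
from email import message_from_string

# Constructed: forged From: in our domain, injected by an outside dial-up host.
FORGED = """\
Received: from 203.0.113.45 (dsl-203-0-113-45.example.net [203.0.113.45])
\tby mx.mydomain.com (Postfix) with SMTP id 4B7F2
\tfor <bob@mydomain.com>; Fri, 1 Dec 2006 09:00:00 -0500
From: alice@mydomain.com
To: bob@mydomain.com
Subject: hi

buy now
"""

# Constructed: genuine internal mail relayed by our own webmail host.
GENUINE = """\
Received: from webmail.mydomain.com (webmail.mydomain.com [192.0.2.10])
\tby mx.mydomain.com (Postfix) with ESMTP id 4B7F3
\tfor <bob@mydomain.com>; Fri, 1 Dec 2006 09:01:00 -0500
From: alice@mydomain.com
To: bob@mydomain.com
Subject: lunch

noon?
"""

# "from <helo> (<rdns> [<ip>])", the form Postfix and sendmail write.
RCVD_RE = re.compile(r"from\s+\S+\s+\((?P<rdns>[^\s\[\]()]+)\s*\[", re.I)


def from_address(msg):
    return msg.get("From", "").strip().lower()


def relay_rdns(msg):
    """Reverse-DNS name of the host that handed the message to our MX.
    Assumption of this model: that is the first Received: header."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    m = RCVD_RE.search(received[0].replace("\n", " "))
    return m.group("rdns").lower() if m else ""


def whitelist_from(msg, pattern):
    """Model of whitelist_from: the From: address alone decides."""
    return fnmatch(from_address(msg), pattern.lower())


def whitelist_from_rcvd(msg, pattern, rdns_domain):
    """Model of whitelist_from_rcvd: From: must match AND the delivering
    relay's rDNS must be the domain itself or a host under it."""
    if not fnmatch(from_address(msg), pattern.lower()):
        return False
    rdns = relay_rdns(msg)
    domain = rdns_domain.lower()
    return rdns == domain or rdns.endswith("." + domain)


def evaluate(raw):
    """Both directives for one message, as the entries in Matt's rules."""
    msg = message_from_string(raw)
    return {
        "whitelist_from": whitelist_from(msg, "*@mydomain.com"),
        "whitelist_from_rcvd": whitelist_from_rcvd(
            msg, "*@mydomain.com", "mydomain.com"),
    }


if __name__ == "__main__":
    print("forged :", evaluate(FORGED))
    print("genuine:", evaluate(GENUINE))
```

The forged message passes whitelist_from (it would land in the inbox, as in vertito's report) and fails whitelist_from_rcvd because the relay's rDNS is under example.net; the genuine one passes both. The equivalent local.cf line for the model's second check is `whitelist_from_rcvd alice@mydomain.com mydomain.com`, the form Mark Adams quotes above; when it does not fire, check which relay SA considers untrusted with `spamassassin -D` rather than falling back to whitelist_from.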




Re: Easyjet e-mail scoring very high

2006-12-01 Thread Chris Lear
* Loren Wilton wrote (01/12/06 13:57):
>> HTML_FONT_FACE_BAD=0.156
>> HTML_MESSAGE=0.001
>> HTML_TINY_FONT=2.324
>> MARKETING_PARTNERS=1.765
>> MIME_HTML_MOSTLY=1.102
>> SARE_OBFU_AMP2B=2.555
>> SARE_SPEC_LEO_LINE03a=0.408
>>
>> I think the "Received: from mail pickup service" line is causing the
>> SARE_OBFU_AMP2B rule to fire. Am I right? If so, isn't this likely to be
> 
> Nope.  All of the rules above are effectively body rules, dealing mostly 
> with various forms of HTML obfuscation.

Thanks for pointing that out. I was being rather dim.

The html contains this sort of thing:
http://www.easyjet.com/EN/Members/

Which looks like the culprit. In fact, every full stop in the html is
represented as . for some reason.

Still wondering though... how do you solve a problem like EasyJet?

Chris
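
An added example, not from the thread or from the SARE rules, of what such a rule has to look for: numeric character references inside href values that encode characters which never need escaping in HTML. The sample HTML is constructed (the `&#46;` spelling of the full stop is my assumption, since the mail itself is not on the page), and the function names are mine. Legitimate `&amp;` (or `&#38;`) in a query string is deliberately not flagged.

```python
import html
import re

# Constructed sample, not the EasyJet mail itself: the first link spells its
# full stops as numeric character references, the other two use the ampersand
# escapes that HTML attributes genuinely require.
SAMPLE_HTML = """
<p>Manage your booking at
<a href="http://www&#46;easyjet&#46;com/EN/Members/">My easyJet</a></p>
<p><a href="http://www.example.com/?flight=123&amp;seat=4A">Seat map</a></p>
<p><a href="http://www.example.com/?a=1&#38;b=2">Another legitimate one</a></p>
"""

_HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)
_NUMERIC_ENTITY = re.compile(r"&#(?:[xX][0-9a-fA-F]+|[0-9]+);")
_MUST_ESCAPE = set("&<>\"'")   # the only characters that need an entity in markup


def obfuscating_entities(value):
    """Numeric character references in `value` that stand for characters which
    never need escaping in HTML, so the only plausible reason to encode them is
    to keep the literal text away from simple pattern matching."""
    found = []
    for m in _NUMERIC_ENTITY.finditer(value):
        if html.unescape(m.group(0)) not in _MUST_ESCAPE:
            found.append(m.group(0))
    return found


def find_obfuscated_hrefs(document):
    """Every href whose value is entity-obfuscated, with its decoded form."""
    hits = []
    for m in _HREF.finditer(document):
        raw = m.group(1)
        entities = obfuscating_entities(raw)
        if entities:
            hits.append({"raw": raw,
                         "decoded": html.unescape(raw),
                         "entities": entities})
    return hits


if __name__ == "__main__":
    for hit in find_obfuscated_hrefs(SAMPLE_HTML):
        print(hit["raw"], "->", hit["decoded"], hit["entities"])
```

The decoded form is what a reader's browser follows, so a rule that compares the decoded and raw values (or just counts such entities) catches the obfuscation without penalising the `&amp;` that every well-formed HTML link with a query string contains.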


Re: My Credit rateing does TOO matter

2006-12-01 Thread Joe Zitnik

>>> On 12/1/2006 at 7:01 AM, Justin Mason <[EMAIL PROTECTED]> wrote:

> Guys -- vague hints as to the contents of the mail really don't help.
> 
> It's spam -- we're all getting thousands of spams a day, most of us (ok, I
> for one at least) seem to be finding those going into the spam bins
> without our help, and I'd say it's unlikely that many of us (ok, me
> again ;) are going to go rooting through the trash there looking for
> something that seems to match what you're hinting at.
> 
> Why not just post a spample, or a link to one?
> 
> --j.
> 
> Joe Zitnik writes:
>> >>> On 12/1/2006 at 5:22 AM, John Andersen <[EMAIL PROTECTED]> wrote:
>> On Friday 01 December 2006 00:29, Loren Wilton wrote:
>> > I guess you're just lucky.  I just went through the last month's spam and I
>> > can't find anything with a subject about credit ratings.
>> 
>> Oh, no, I didn't mean to suggest it was in the subject.
>> 
>> It's usually some random subject.  Then a paragraph starting with "your
>> credit rating doesn't matter to us" with the usual misspellings, etc,
>> followed by (usually) a geocities link and some random text at the end.
>> 
>> -- 
>> _
>> John Andersen
>> 
>> 
>> I was wondering the same thing.  Even given the random text, I would
>> think between the default rules, and the fact that I've dumped a bunch
>> in to bayes, that the spammy content would be enough to nail them for
>> sure.  I'm still seeing a significant number skate by.


It wasn't really a vague hint, or rather, if you're receiving them, you
know exactly the spam he's talking about.  I wasn't asking for a
solution, I was just commenting on the fact that, like John, I was
surprised these spams would make it through.  At least that's why I
didn't post the contents or a link to the contents.


Re: OT: sender address verification .. is it feasible

2006-12-01 Thread Jonas Eckerman
Ramprasad wrote:
> Is anyone already having experiences with sender address verification

Are you talking of verification using SMTP callbacks?

If so, yes. I'm currently using my own SA plugin for this, but it's not 
verifying everything. Points:

* You can't use VRFY (the SMTP command meant for this) since many hosts either 
don't allow that command or give false answers. Instead you have to do both 
a MAIL FROM and RCPT TO in order to check the address. And you should only 
consider an explicit permanent rejection of the RCPT TO as a rejection.

* You absolutely should not do a MAIL FROM + RCPT TO verification callback 
directly before answering one of those commands since that could result in a loop 
between two servers if both are doing this.

* You shouldn't do this for all mail that comes in because (a) it is a nasty 
way to put load on innocent parties' servers (since spammers use false senders) 
and (b) it will trigger checks in some systems so that you might be considered 
a probable spammer.

* You probably shouldn't reject based on this. There is otherwise legit mail 
that is sent with invalid sender addresses. :-/

This is how we do it:

I use a SpamAssassin plugin. This way, a failed verification by itself will not 
reject a mail.

This plugin only does sender verification if it can make a difference. That is, 
the score when the plugin's eval tests are run must be high enough so that a 
true result from the eval test will push it over the top, but not be already 
over the top.

The plugin has a list of regular expressions which, if matched, tells it *not* 
to verify an address.

The plugin also caches the results in a database so that it will not have to 
recheck addresses every time they come in.

I consider this plugin experimental. If anyone wants to check it out it can be 
found at

but I'm not going to recommend it to anyone that doesn't first think about 
this for a decent while.

I am not at all sure this is a good idea, and I might decide to not do this.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
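
As an added illustration of the gating, skip list and caching Jonas describes, here is example code of mine, not his plugin (whose source is not on this page). The SMTP callback itself is passed in as a probe function returning the RCPT TO reply code, which keeps the example offline and makes the "only a permanent 5xx rejection counts" rule explicit; the class name SenderVerifier, its parameters and the example.net addresses are all assumptions of mine.

```python
import re
import time


def classify_rcpt_reply(code):
    """Map the SMTP reply to RCPT TO onto a verdict. Only an explicit permanent
    rejection (5xx) means "address does not exist"; 4xx or no answer teaches
    us nothing and must not be treated as a rejection."""
    if code is None:
        return "unknown"
    if 200 <= code < 300:
        return "valid"
    if 500 <= code < 600:
        return "invalid"
    return "unknown"


class SenderVerifier:
    """Decide whether a sender address is worth a verification callback at all,
    and cache the outcome so the same address is not probed on every mail."""

    def __init__(self, probe, threshold=5.0, rule_score=2.0,
                 skip_patterns=(), cache_ttl=86400, clock=time.time):
        self.probe = probe                  # probe(address) -> RCPT TO reply code, or None
        self.threshold = threshold          # SA's required_score
        self.rule_score = rule_score        # what the plugin's eval rule would add
        self.skip = [re.compile(p, re.I) for p in skip_patterns]
        self.cache_ttl = cache_ttl
        self.clock = clock                  # injectable for testing the TTL
        self.cache = {}                     # address -> (verdict, timestamp)
        self.probes_sent = 0

    def can_make_a_difference(self, score):
        # Probe only when a hit would push the mail over the threshold
        # and the mail is not already over it.
        return score < self.threshold <= score + self.rule_score

    def check(self, address, score):
        address = address.lower()
        if not self.can_make_a_difference(score):
            return "unneeded"
        if any(p.search(address) for p in self.skip):
            return "skipped"            # e.g. list bounce addresses, never probed
        now = self.clock()
        cached = self.cache.get(address)
        if cached and now - cached[1] < self.cache_ttl:
            return cached[0]
        verdict = classify_rcpt_reply(self.probe(address))
        self.probes_sent += 1
        self.cache[address] = (verdict, now)
        return verdict


if __name__ == "__main__":
    # Constructed stand-in for the SMTP callback: a table of RCPT TO replies.
    fake_replies = {"ghost@example.net": 550, "real@example.net": 250}
    v = SenderVerifier(lambda a: fake_replies.get(a),
                       skip_patterns=[r"@bounce\."])
    for addr, score in (("ghost@example.net", 1.0), ("ghost@example.net", 3.5),
                        ("ghost@example.net", 4.0), ("real@example.net", 3.0),
                        ("owner-list@bounce.example.org", 3.5)):
        print(addr, score, v.check(addr, score), "probes:", v.probes_sent)
```

The cache is what keeps the load on other people's servers bounded, and the score window is what keeps most mail from being probed at all; both are there because of the loop, load and blacklisting points above.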



Re: Easyjet e-mail scoring very high

2006-12-01 Thread Loren Wilton

HTML_FONT_FACE_BAD=0.156
HTML_MESSAGE=0.001
HTML_TINY_FONT=2.324
MARKETING_PARTNERS=1.765
MIME_HTML_MOSTLY=1.102
SARE_OBFU_AMP2B=2.555
SARE_SPEC_LEO_LINE03a=0.408

I think the "Received: from mail pickup service" line is causing the
SARE_OBFU_AMP2B rule to fire. Am I right? If so, isn't this likely to be


Nope.  All of the rules above are effectively body rules, dealing mostly 
with various forms of HTML obfuscation.


   Loren



Re: OT: sender address verification .. is it feasible

2006-12-01 Thread hamann . w


Hi,

one of the problems about that: some legitimate mail from automated systems 
(e.g. a website registration) is sent as

From: [EMAIL PROTECTED]
Subject: registration

Please visit http://domain.com/register/id=xyz
In case of problems please write to [EMAIL PROTECTED]

SAV will just trash these mails

Wolfgang Hamann

>> 
>> I had read of sender address verification(SAV) about a year back, some
>> people had done that too. I found the idea too unfeasible for checking
>> from-addresses before accepting mail at MTA.
>> 
>> 
>> The scene is different today now with 90% of all mail being spam it
>> seems not that bad an idea anyway
>>   My guess is around 50% of these spams don't have a deliverable from-id
>> Waste resource and bandwidth accepting mail and scanning it or waste
>> time probing for correct from ids ( and also risk being blacklisted for
>> probes ) .. which is better.
>> 
>> IMHO if SAV becomes some standard then domains can have something like
>> DNS records for all correct ids and probing will become a lot easier
>> 
>> Is anyone already having experiences with sender address verification
>> 
>> Thanks
>> Ram




Re: My Credit rateing does TOO matter

2006-12-01 Thread Justin Mason

Guys -- vague hints as to the contents of the mail really don't help.  

It's spam -- we're all getting thousands of spams a day, most of us (ok, I
for one at least) seem to be finding those going into the spam bins
without our help, and I'd say it's unlikely that many of us (ok, me
again ;) are going to go rooting through the trash there looking for
something that seems to match what you're hinting at.

Why not just post a spample, or a link to one?

--j.

Joe Zitnik writes:
> >>> On 12/1/2006 at 5:22 AM, John Andersen <[EMAIL PROTECTED]> wrote:
> On Friday 01 December 2006 00:29, Loren Wilton wrote:
> > I guess you're just lucky.  I just went through the last month's spam and I
> > can't find anything with a subject about credit ratings.
> 
> Oh, no, I didn't mean to suggest it was in the subject.
> 
> It's usually some random subject.  Then a paragraph starting with "your credit
> rating doesn't matter to us" with the usual misspellings, etc, followed by
> (usually) a geocities link and some random text at the end.
> 
> -- 
> _
> John Andersen
> 
> 
> I was wondering the same thing.  Even given the random text, I would
> think between the default rules, and the fact that I've dumped a bunch
> in to bayes, that the spammy content would be enough to nail them for
> sure.  I'm still seeing a significant number skate by.


Re: My Credit rateing does TOO matter

2006-12-01 Thread Joe Zitnik


>>> On 12/1/2006 at 5:22 AM, John Andersen <[EMAIL PROTECTED]> wrote:
On Friday 01 December 2006 00:29, Loren Wilton wrote:
> I guess you're just lucky.  I just went through the last month's spam and I
> can't find anything with a subject about credit ratings.

Oh, no, I didn't mean to suggest it was in the subject.

It's usually some random subject.  Then a paragraph starting with "your credit
rating doesn't matter to us" with the usual misspellings, etc, followed by
(usually) a geocities link and some random text at the end.

-- 
_
John Andersen


I was wondering the same thing.  Even given the random text, I would
think between the default rules, and the fact that I've dumped a bunch
in to bayes, that the spammy content would be enough to nail them for
sure.  I'm still seeing a significant number skate by.


Easyjet e-mail scoring very high

2006-12-01 Thread Chris Lear
I got an EasyJet confirmation E-mail that scored like this:

BAYES_00=-2.599
DNS_FROM_RFC_ABUSE=0.2
FORGED_RCVD_HELO=0.135
HTML_FONT_FACE_BAD=0.156
HTML_MESSAGE=0.001
HTML_TINY_FONT=2.324
MARKETING_PARTNERS=1.765
MIME_HTML_MOSTLY=1.102
SARE_OBFU_AMP2B=2.555
SARE_SPEC_LEO_LINE03a=0.408

Which adds to 6.0, and only the Bayes score stopped it being rejected
(I'm rejecting at 6.5). [SA 3.1.3 with recent sa-update+SARE rules]
What's the recommended practice here? Whitelist? Lower the SARE scores?
Remove some less-safe SARE rules? Lower the HTML_TINY_FONT score [which
looks right, but if it's right for me, why not everyone else]? I'd like
all ham to score under 2, ideally. And almost all of it does. But I'd
prefer not to whitelist if possible. I like to feel I can trust SA
without introducing special cases.

Here are the received headers:

Received: from s217124rg180-p.uklond6.savvis.net ([213.174.202.180]
helo=easyjet.com)
by mail.barcombe.net with esmtp (Exim 4.60)
(envelope-from <[EMAIL PROTECTED]>)
id 1GpoFF-0007fV-Ne
for [EMAIL PROTECTED]; Thu, 30 Nov 2006 15:54:47 +
Received: from mail pickup service by easyjet.com with Microsoft SMTPSVC;
 Thu, 30 Nov 2006 15:54:50 +

I think the "Received: from mail pickup service" line is causing the
SARE_OBFU_AMP2B rule to fire. Am I right? If so, isn't this likely to be
a reasonably common cause of false positives?

Chris


Systemwide Procmail usage

2006-12-01 Thread Will Nordmeyer
I know this isn't the procmail list, but had a quick question.

My server is running SA 3.1.7 and has the following systemwide procmailrc:

SHELL=/bin/sh
#LOGFILE=$HOME/.procmail-log
#VERBOSE=on
DROPPRIVS=yes

:0fw
* < 256000
| /home/spam-filter/bin/spamc -U /home/spam-filter/tmp/spamd.sock

If I want to lower the load on SA by not having emails to/from THIS list
(and select other lists) processed through SpamAssassin, could I simply
change it to this?

SHELL=/bin/sh
#LOGFILE=$HOME/.procmail-log
#VERBOSE=on
DROPPRIVS=yes

:0fw
* < 256000
* ! To: users@spamassassin.apache.org
| /home/spam-filter/bin/spamc -U /home/spam-filter/tmp/spamd.sock



Re: My Credit rateing does TOO matter

2006-12-01 Thread John Andersen
On Friday 01 December 2006 00:29, Loren Wilton wrote:
>  guess you're just lucky.  I just went through the last month's spam and I
> can't find anything with a subject about credit ratings.  

Oh, no, I didn't mean to suggest it was in the subject.  

It's usually some random subject.  Then a paragraph starting with "your credit 
rating doesn't matter to us" with the usual misspellings, etc, followed by 
(usually) a geocities link and some random text at the end.

-- 
_
John Andersen




Re: sender address verification .. is it feasible

2006-12-01 Thread Loren Wilton

Waste resource and bandwidth accepting mail and scanning it or waste
time probing for correct from ids ( and also risk being blacklisted for
probes ) .. which is better.


Since you will waste less overall net resources doing your own scanning, I'd 
say that is better.  Quite aside from the fact that you will be blacklisted 
for looking like some form of spammer or other attack.


SAV was a viable concept before the days of spam, back when people published 
the recipients at a given location.  With the advent of spam, admitting who 
is and isn't a user on your system became just downright foolish.  While it 
could in theory help block spam, it could also be used as a DDOS on a target 
system by doing a large spam run and joe-jobbing a given domain, knowing all 
the recipients will then probe it.  More to the point, if it worked (as it 
used to) the spammers could use it to clean their email lists and only send 
to live addresses.  As they used to do.


Now this might actually result in an overall decrease in spam traffic, since 
it would all be targeted to live users.  Somehow though I doubt it.  It 
would just make it much harder to detect the spam, since every spam would 
come from a legit source and be going to a legit source.


   Loren



Re: My Credit rateing does TOO matter

2006-12-01 Thread Loren Wilton
I guess you're just lucky.  I just went through the last month's spam and I 
can't find anything with a subject about credit ratings.  The lowest scoring 
spam I got at around 8.5 points was the following.  I *think* it may be a 
stock spam, but it is so mangled I'm not absolutely sure:


Re: tip 650=20

V u MC q I


V z emic Announ d ces $9 M A y quisit a ion of Nu x scrib z e Which
Brings Combined Technology To Change The Educational
And Med b ic j al Industries!

C g ompany : Ve e mic t s
S v ymb v ol : V o MC h I
Status : Ho b t Technology Rel k ea n se
Pr k ic d e : $ 0, k 60
5 Day T e arge a t: $ 1. p 80

What these two co h mpan m ies do is am u azi o ng. V z MC b I p u rovid
a es




Re: sa-update / taint error

2006-12-01 Thread Henk van Lingen
On Thu, Nov 30, 2006 at 01:44:32PM -0500, Daryl C. W. O'Shea wrote:
  > >
  > >  Hm, I've run sa-update without -T today, and now I can't reproduce
  > >  the problem :-( Maybe because there are no updates anymore...
  > 
  > You removed the "-T" from the first line of sa-update?  Perl won't 
  > complain about tainted variables without it.

  Exactly, but I had to fix the updates.

  > Just rm /var/lib/spamassassin/updates.spamassassin.org* (or wherever 
  > your updates are stored) so you can download the same update again.
  > 
  > 
  > >  Maybe tomorrow (when back at the office) I can reproduce yesterday's
  > >  situation.
  > 
  > Please follow up in bug 5216 or at least to the list (and copy me) as 
  > soon as you can.

  Hi Daryl,

  I restored my situation from two days ago, and the problem returned.
  Your patch seems to fix the problem.

  Thanks,

-- 
Henk van Lingen, Systems & Network Administrator  (o-  -+
Dept. of Computer Science, Utrecht University./\|
phone: +31-30-2534107v_/_
http://henk.vanlingen.net/ http://www.tuxtown.net/netiquette/


Re: Odd behaviour (?) of my Qmail / Qmail Scanner / SpamAssassin 3.1.3 Setup?

2006-12-01 Thread Quinn Comendant
Try executing all spamassassin programs as the same user:

- To test your spam message from the command line, do this:

sudo -H -u qscand spamassassin < spam.txt

- To train your Bayesian database using sa-learn:

sudo -H -u qscand sa-learn --spam ...whatever.

Sudo forces these programs to execute as the qscand user. Then what happens?

Quinn



On Wed, 29 Nov 2006 14:05:31 +, Adam Wilbraham wrote:
> To follow up on this, the message in question is flagged as spam if i
> run it through spamassassin, however if I run it through spamc its not.
> spamc is what Qmail Scanner invokes. Is there a separate configuration
> for spamc / spamd to spamassassin? I thought not...
>  
> 
> On Wed, 29 Nov 2006 14:00:13 +
> Adam Wilbraham <[EMAIL PROTECTED]> wrote:
> 
>> I've got a bit of an odd situation whereby some obvious spam seems to
> 
>