Berkeley db, how to tune it ?

2006-12-04 Thread Gilles Hamel
Hello,

In recent weeks, the amount of spam we receive has increased rapidly. Now our spamassassin
server is becoming I/O bound managing the bayes and whitelist Berkeley DB.
The Spamassassin wiki suggests to stop using bayes, but that is not an acceptable
solution here.
I have seen some people fix this issue by putting the Berkeley DB in a ramdisk and
copying it every day to persistent storage. Other people talk about a dbd4 shared
memory buffer pool. How to use it? There is no information about it in the wiki or
FAQ. The documentation talks about a DB_CONFIG file with a set_cachesize parameter,
but to use it the application must create a DB environment ...

http://pybsddb.sourceforge.net/ref/env/intro.html

Thank you


Say what?

2006-12-04 Thread jdow

I have two copies of the same message content and source sent two
minutes apart. These are the only differences in the messages as
I trimmed out the various verification data and differing times.

===8<---
$ diff first second
0a1
> Status:  U
6c7
<   by mx-avoceta.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
---
>   by mx-jacana.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
9c10
<   by smtpout02.lax.untd.com with SMTP id
---
>   by smtpout01.lax.untd.com with SMTP id
72a74,76
>
>
>
===8<---

Of course the various "id" strings all differ as well.

The first message scored Bayes 80. The second scored Bayes 95. This
implies that Bayes is training itself on garbage as well as message
content.

Since other sources of filtering deal with the Received: lines and the
message header id lines should Bayes be paying any attention to them, too?

Should an id string like L8QWHGMP or an X-UNTD-OriginStamp line such as
below figure into the Bayes algorithm at all?

X-UNTD-OriginStamp: qTKGdH6+6PX6q6wVyyDAiKpzgjuM3gNrL/xEOWaR9Ko1VNgBJE6wCw==
R

{^_^}


Re: Say what?

2006-12-04 Thread Justin Mason

jdow writes:
> I have two copies of the same message content and source sent two
> minutes apart. These are the only differences in the messages as
> I trimmed out the various verification data and differing times.
> 
> ===8<---
> $ diff first second
> 0a1
> > Status:  U
> 6c7
> <   by mx-avoceta.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
> ---
> >   by mx-jacana.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
> 9c10
> <   by smtpout02.lax.untd.com with SMTP id
> ---
> >   by smtpout01.lax.untd.com with SMTP id
> 72a74,76
> >
> >
> >
> ===8<---
> 
> Of course the various "id" strings all differ as well.
> 
> The first message scored Bayes 80. The second scored Bayes 95. This
> implies that Bayes is training itself on garbage as well as message
> content.
> 
> Since other sources of filtering deal with the Received: lines and the
> message header id lines should Bayes be paying any attention to them, too?
> 
> Should an id string like L8QWHGMP or an X-UNTD-OriginStamp line such as
> below figure into the Bayes algorithm at all?
> 
> X-UNTD-OriginStamp: qTKGdH6+6PX6q6wVyyDAiKpzgjuM3gNrL/xEOWaR9Ko1VNgBJE6wCw==
> R

yes, to all questions. ;)  Bayes is good with that stuff.

--j.


Re: how is spamd launched on Mac OS X Server 10.3.9?

2006-12-04 Thread Ian Eiloart



--On 1 December 2006 20:42:06 -0600 Dave Pooser <[EMAIL PROTECTED]> wrote:

> I can't find a spamd.sh anywhere...
>
> SA is not included by default until 10.4. If you installed it yourself,
> you may need to create a StartupItem in /Library/StartupItems. Otherwise,
> check the documentation from the installed package.

I'm trying to install spamassassin on 10.4 using MacPorts (we're running
Exim, since we need to integrate with other services that the OSX default
mailer doesn't).

When I start spamassassin, I see this error message in /var/log/system.log:
rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'

I wouldn't mind so much, but in 37 seconds, the log entry was made 45,097
times! That must be a bug, no?

I failed to notice this when I first started spamd, and it made 4GB of log
entries in less than 24 hours. Ouch.

I guess the workaround would be to remove the DIGEST_MULTIPLE test, or to
fix my syslog config to not log these errors.


--
Ian Eiloart
IT Services, University of Sussex


Re: New Rule: OE_MULTIPART_RELATED

2006-12-04 Thread Justin Mason

[EMAIL PROTECTED] writes:
> >> Hello list,
> >> For your consideration:
> >> 
> >> header __MULTIPART_RELATED Content-Type =~ /multipart\/related/
> >> 
> >> meta OE_MULTIPART_RELATED (__OE_MUA && __MULTIPART_RELATED)
> >> describe OE_MULTIPART_RELATED Possible image spam forged as from MS Outlook
> >> 
> >> The false Positive rate on my corpus is 0.1%. I can't tell you about the 
> >> false 
> >> negative rate since I don't keep my spam (only my ham).

> >> This rule works very well on the pump-and-dump image spam that has
> >> been escaping my spamassassin installation for the last few months.
> >> Although Outlook Express is capable of generating messages with
> >> multipart/related MIME type, it only does that if the user creates an
> >> HTML message with inline images. This happens occasionally but rarely
> >> (hence the 0.1%). I expect the perceptron might give this rule a
> >> score of perhaps +0.5, which is not enough to catch the pump-and-dump
> >> image spam by itself, but works well in conjunction with
> >> Mail::SpamAssassin::Plugin::ImageInfo.
> >> 
> >> Thoughts on this rule?
> >> 
> >> --Ian Turner
> >> 
> 
> Hi Ian,
> 
> this would trap mail using outlook "stationery".
> 
> I don't really like it, but I get it in wanted mail. Generally I believe
> that rules scoring valid use of mail (cid addressing, mime types) should
> be avoided - unless you want to block, e.g., mails with images or mails
> sent from outlook generally. Rather try to find a subtle difference in
> the way real outlook builds the message and the spammers do it, that
> would really reveal it is not from outlook.

Yeah -- +1.

--j.


Re: Custom Rules

2006-12-04 Thread Jonas Eckerman
Jaysen Johnson wrote:
> Date in the mail header more than 10 minutes out of sync -  1 point
> Date in the mail header more than 30 minutes out of sync -  2 points

Out of sync with what?

There's nothing meaningful to compare the dates to that can show you that they
are 10 or 30 minutes out of sync with whatever.

The actual "Date:" header should be created when the user saves the mail to
the mail client's outgoing queue.
If the user has a dial-up connection, it might well be hours (sometimes days)
before (s)he decides to send the outgoing mails to a server, so you can expect
a long delay between the "Date:" field and the first "Received:" field.

In each server the mail passes it might be delayed. Servers usually try to
send mail as fast as possible, but more than 10 minutes delay is perfectly
normal, and more than 30 minutes isn't that uncommon.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
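
To make the objection above concrete, here is an added example (written for this page; it is not part of the thread and not SpamAssassin code) that measures exactly what such a rule would have to measure: the gap between the Date: header and the timestamp of the first Received: hop, plus the delay each later hop added. The message is constructed with placeholder hosts and addresses and models the dial-up case Jonas describes: the client stamped the mail at 09:15 and only handed it to its first MTA at 13:50. Function names are my own.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed message (placeholder hosts/addresses, not a real capture): the
# client wrote the mail at 09:15, handed it to its first MTA at 13:50, and the
# relay passed it on 15 minutes later. Each MTA prepends its Received: header,
# so the last Received: in the block is the first hop.
SAMPLE_MESSAGE = """\
Received: from relay.example.net (relay.example.net [192.0.2.2])
\tby mx.example.org with ESMTP id PLACEHOLDER1
\tfor <user@example.org>; Mon, 04 Dec 2006 14:05:00 +0000
Received: from dialup-client (dialup.example.net [192.0.2.1])
\tby relay.example.net with SMTP id PLACEHOLDER2;
\tMon, 04 Dec 2006 13:50:00 +0000
Date: Mon, 04 Dec 2006 09:15:00 +0000
From: sender@example.net
To: user@example.org
Subject: queued overnight on a dial-up client

(body)
"""


def _unfold(value):
    """Join folded header continuation lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def received_timestamps(msg):
    """Timestamps of the Received: headers, oldest hop first.

    The date of a Received: header is everything after its last ';'.
    Headers without a date clause are skipped rather than guessed at.
    """
    stamps = []
    for raw in msg.get_all("Received", []):
        value = _unfold(raw)
        if ";" not in value:
            continue
        stamps.append(parsedate_to_datetime(value.rsplit(";", 1)[1].strip()))
    stamps.reverse()  # headers are newest-first; we want the first hop first
    return stamps


def date_skew_minutes(raw_message):
    """Minutes between the Date: header and the first Received: stamp.

    Positive means the message reached its first MTA after the client
    stamped it (the dial-up case); negative means Date: lies in the future
    relative to the first hop. None if either value is missing.
    """
    msg = email.message_from_string(raw_message)
    stamps = received_timestamps(msg)
    if msg.get("Date") is None or not stamps:
        return None
    delta = stamps[0] - parsedate_to_datetime(msg["Date"])
    return delta.total_seconds() / 60


def hop_delays_minutes(raw_message):
    """Minutes each MTA held the message before the next one stamped it."""
    stamps = received_timestamps(email.message_from_string(raw_message))
    return [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]


if __name__ == "__main__":
    print("Date: vs first hop:", date_skew_minutes(SAMPLE_MESSAGE), "minutes")
    print("per-hop delays:", hop_delays_minutes(SAMPLE_MESSAGE), "minutes")
```

For this perfectly legitimate message the skew is 275 minutes, so the proposed rule would award it the full 2 points, while the 15-minute relay delay alone would already cost it 1 point. Missing or unparseable timestamps yield None rather than a guess, which is the right behaviour for a scoring rule.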



Over Zealous Checks for Nigerian 419 Scams

2006-12-04 Thread Rick Mallett

We run a centralized spam filtering facility using
SpamAssassin and Mimedefang and we bounce (refuse receipt of) messages
that score higher than 10 and we've been doing this for several years
and never had any complaints of FP's from our users.

However, one of our users was having trouble receiving a newsletter
from Zimbabwe and the mail logs showed that some of the messages were
scoring a bit over 11 and being refused for that reason.

When I finally managed to get a copy of the newsletter and run it
through SpamAssassin manually I was surprised to discover that the
bulk of the points came from the checks in 20_advance_fee.cf which are
attempting to identify Nigerian 419 scams and which appear to be far
too aggressive IMO and likely to result in lots of FPs for certain
types of message.

It also picked up a few points from 99_sare_fraud_post25x.cf and I'm
also wondering if maybe those rules are inappropriate with SA 3.1.7
which is what I'm running.

For example, the newsletter, which consisted of several articles
dealing with corruption in Zimbabwe and information about banking
rules and regulations received just under 8.5 points because it had
the words "remit", "business partner", "dollar", "in your country" and
"US$3 million".

Here are the relevant lines from the debug run

dbg: rules: ran body rule __FRAUD_WNY ==> got hit: "remit"
dbg: rules: ran body rule __FRAUD_TDP ==> got hit: "business partner"
dbg: rules: ran body rule __FRAUD_DBI ==> got hit: "dollar"
dbg: rules: ran body rule __FRAUD_IPK ==> got hit: "in your country"
dbg: rules: ran body rule __FRAUD_KDT ==> got hit: "US$3 million"

and here are the scores for having more than 2, 3, 4, and 5 hits on the
various __FRAUD__xxx META rules such as those shown above.

score ADVANCE_FEE_1 0 0 0.114 0
score ADVANCE_FEE_2 1.607 0.647 1.189 1.392
score ADVANCE_FEE_3 2.872 1.760 3.330 3.336
score ADVANCE_FEE_4 3.024 3.040 3.515 3.727

As you can see having those 5 words and/or phrases results in 8.455
points because all 4 rules succeed and contribute points to the spam
score,  whereas it would seem logical that only the one rule with the
highest points should apply, or the points should be a bit lower
to reduce the cumulative effect of hits on all of the rules.

The newsletter also picked up an additional 1.67 points because
of hits on the following META rules in 99_sare_fraud_post25x.cf which
triggered SARE_FRAUD_X3

dbg: rules: ran body rule __SARE_FRAUD_MONEY ==> got hit: "money transfer"
dbg: rules: ran body rule __SARE_FRAUD_LOC ==> got hit: " Zimbabwe "
dbg: rules: ran body rule __SARE_FRAUD_TINHORN ==> got hit: " Mugabe "
dbg: rules: ran body rule __SARE_FRAUD_MISC ==> got hit: "your country"

which in one case ("your country") is a META rule that also ended up
contributing points via 20_advance_fee.cf, so I'm now thinking I
should stop using 99_sare_fraud_post25x.cf.


BTW, I've included some of the sentences from the newsletter that
triggered hits on the various META rules in 20_advance_fee.cf so that
you can see that they are all rather benign.

MTAs mushroomed in Zimbabwe since 2004 and have primarily served as a
channel for the more than three million Zimbabweans, or more than a
quarter of the country's population, living and working abroad to
remit cash back home through official banking system.

Former MP and businessman Tirivanhu Mudariki, who together with senior
government officials including Vice-President Joice Mujuru, have been linked
to the Ziscosteel looting saga, is a key business partner of the Mujuru
family.

However closure of MTAs appeared to have had little impact on the
black market which has continued to flourish with the American dollar
now fetching anything above Z$2 000 compared to the official market
rate of one greenback to Z$250.

Tekere said wistfully that people in your country have more money than
we have.

NECI investigators who went to Botswana to probe the Zisco graft
discovered plans were already under way to sell the two subsidiaries
for US$3 million to undisclosed buyers by repaying their parent firm
funds that were used to controversially purchase them in 2001.

- rick


Re: how is spamd launched on Mac OS X Server 10.3.9?

2006-12-04 Thread Ian Eiloart



--On 4 December 2006 12:00:32 + Ian Eiloart <[EMAIL PROTECTED]> wrote:

> --On 1 December 2006 20:42:06 -0600 Dave Pooser <[EMAIL PROTECTED]>
> wrote:
>
> > I can't find a spamd.sh anywhere...
> >
> > SA is not included by default until 10.4. If you installed it yourself,
> > you may need to create a StartupItem in /Library/StartupItems. Otherwise,
> > check the documentation from the installed package.
>
> I'm trying to install spamassassin on 10.4 using MacPorts (we're running
> Exim, since we need to integrate with other services that the OSX default
> mailer doesn't).
>
> When I start spamassassin, I see this error message in
> /var/log/system.log:
>  rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
>
> I wouldn't mind so much, but in 37 seconds, the log entry was made 45,097
> times! That must be a bug, no?
>
> I failed to notice this when I first started spamd, and it made 4GB of
> log entries in less than 24 hours. Ouch.
>
> I guess the workaround would be to remove the DIGEST_MULTIPLE test, or
> to fix my syslog config to not log these errors.


I should add that I'm using launchd to launch spamd. It seems that fixing 
that problem causes the message "server started on UNIX domain socket 
/opt/local/var/run/spamd_socket (running version 3.1.7)" to be logged just 
as frequently, then a launchctl unload causes frequent logging of "server 
killed by SIGTERM, shutting down", but the perl process doesn't quit 
without a "kill -9".


Adding -D to the startup parameters seems to fix the logging problem, but 
am I just hiding a real problem here?


Ah, yes. The perl process seems to be using 80% of CPU even though I've not 
asked it to scan anything!


However, if I remove --syslog=mail from the invocation, all seems to be OK!
--
Ian Eiloart
IT Services, University of Sussex


How novice end users, neophytes can set things up so that suspected spam or likely spam or definitely spam type messages go to another secondary mail file for later examination in case there are any f

2006-12-04 Thread Don Saklad
How do novice end users, neophytes set things up so that
suspected spam or likely spam or definitely spam type messages go
to another secondary mail file for later examination in case
there are any false positives?...


Re: How novice end users, neophytes can set things up so that suspected spam or likely spam or definitely spam type messages go to another secondary mail file for later examination in case there are a

2006-12-04 Thread Matt Kettler
Don Saklad wrote:
> How do novice end users, neophytes set things up so that
> suspected spam or likely spam or definitely spam type messages go
> to another secondary mail file for later examination in case
> there are any false positives?...
>
>   
That depends on what MDA you're using, ie: procmail.

SpamAssassin itself can't be configured to do this because it doesn't
have the power to directly alter message delivery, it can only modify
the contents of the messages piped through it.

Let us know what delivery agent you're using to populate the mailboxes
and someone should be able to help you out.



Re: New Rule: OE_MULTIPART_RELATED

2006-12-04 Thread Ian Turner
On Monday 04 December 2006 01:20, [EMAIL PROTECTED] wrote:
> this would trap mail using outlook "stationery".
> I dont really like it, but I get it in wanted mail.

Yup. All of the FPs in my corpus are outlook messages with inline images. But 
it turns out that some of those are also spam; the actual FP rate is 

> Generally I believe that rules scoring valid use of mail (cid addressing,
> mime types) should be avoided

Actually, I disagree -- we already have lots of rules that match valid use of 
mail, such as CHARSET_FARAWAY, DOMAIN_RATIO, NO_REAL_NAME, TO_EMPTY, and 
nearly all of the SUBJ_ rules.

A spamassassin rule need not stand alone; it still has predictive power when 
used in combination with other rules, as long as it shows a statistically 
significant difference in spam/ham hit-rates. We use the perceptron to figure 
out exactly /how much/ predictive power it has.

When used in combination with, say, DC_GIF_UNO_LARGO, RCVD_IN_NJABL_DUL, and 
RCVD_IN_BL_SPAMCOP_NET, this rule can help make a more solid prediction.

> Rather try to find a subtle difference in the way real outlook builds the
> message and the spammers do it, that would really reveal it is not from
> outlook

That's what I'm trying to do, but this particular spammer seems to have been 
very careful (or really used outlook to generate the message) -- it seems to 
match exactly, at least at the MIME and RFC822 layers. I'm looking into HTML 
now.

Cheers,

--Ian


SPAM Question

2006-12-04 Thread Robert Swan
Q1. How does this e-mail end up in my mailbox, if the "To:" is someone
else (I am not [EMAIL PROTECTED]), and how can I identify this with a
SPAM rule:

Q2. Is there a custom rule that triggers if someone sends from an ".ar"
domain server or some other foreign country server? We don't get e-mail
here from other countries ever.

Thanks in advance...

Received: by spam1.nskinc.com (Postfix, from userid 501)
    id 26E7034D15F; Sat,  2 Dec 2006 02:23:15 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on SPAM1
X-Spam-Level: **
X-Spam-Status: No, score=2.8 required=4.9 tests=BAYES_80,LOCAL_INVALID_PTR2,
    UNPARSEABLE_RELAY autolearn=no version=3.1.7
Received: from 41EB3698 (unknown [80.227.13.12])
    by spam1.nskinc.com (Postfix) with SMTP id F07C034CB3C;
    Sat,  2 Dec 2006 00:30:41 -0500 (EST)
Received: from intrusive.uccor.edu.ar (HELO precis.uccor.edu.ar)
    by linux.org (8.12.6/8.12.6/Debian-1) with ESMTP id gBAApHtr083821
    for <[EMAIL PROTECTED]>; Fri, 01 Dec 2006 22:18:52 -0700
Message-Id: <[EMAIL PROTECTED]>
Reply-To: "Your Mngr. linetmelisa" <[EMAIL PROTECTED]>
Date: Fri, 01 Dec 2006 23:22:52 -0600
From: "Mr. lizzie" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: just like the real ones  -Roxanne
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 02 Dec 2006 18:54:45.0462 (UTC) FILETIME=[55648760:01C71643]

 

Robert

Peace he would say instead of goodbyepeace my brother.



RE: SPAM Question

2006-12-04 Thread Coffey, Neal
> Q1. How does this e-mail end up in my mailbox, if the "To:" is someone
> else (I am not [EMAIL PROTECTED]) 

It's a relic from the days when there were about 8 computers on the
Internet, and you personally knew the administrator of each of them.
(I'm exaggerating, but only slightly.)

There's "envelope" information, and "data" information.  Think of it
like an actual letter in an envelope.  I can write whatever I want on
the outside of the envelope, and it doesn't have to match the letter
inside.

It looks like this:

Connecting...
<< 220 mail.example.com ESMTP
>> HELO mail.local
<< 250 Ok
>> MAIL FROM:<[EMAIL PROTECTED]>
<< 250 Ok
>> RCPT TO:<[EMAIL PROTECTED]>
<< 250 Ok
>> DATA
<< 354 Enter body of message, single . to quit
>> To: <[EMAIL PROTECTED]>
>> From: <[EMAIL PROTECTED]>
>> Subject: Impress your cabinet with a harder, longer joint chief of staff!
>> 
>> Jim-bob Billy-joe,
>> 
>> The Federal Reserve Bank is performing a security audit, and we need
>> you to verify your social security number or you will lose your FDIC
>> insurance!
>> .

You get the idea... (got a little carried away, there)



Re: whitelist_from and whitelist_from_rcvd not working

2006-12-04 Thread Mark Adams
On Sun, Dec 03, 2006 at 05:55:24PM +0100, mouss wrote:
> Mark Adams wrote:
> >Hi All,
> >
> >Spamassassin 3.1.4-1
> >
> >Currently have entries like the following in the local.cf file
> >
> >whitelist_from [EMAIL PROTECTED]
> >and
> >whitelist_from [EMAIL PROTECTED]
> >
> >But mail is still picked up as spam for the [EMAIL PROTECTED]
> >
> >Have also tried the following;
> >
> >whitelist_from_rcvd [EMAIL PROTECTED] domain.com
> >and
> >whitelist_from_rcvd [EMAIL PROTECTED] domain.com
> >
> >But nothing seems to work? has anyone got any advice on this?
> >  
> 
> do you have
> 
>always_trust_envelope_sender 1
> 
> ?
>

No I don't have this setting
> 


Re: New Rule: OE_MULTIPART_RELATED

2006-12-04 Thread Ian Turner
Followup on my earlier message...

On Monday 04 December 2006 11:11, Ian Turner wrote:
> Yup. All of the FPs in my corpus are outlook messages with inline images.
> But it turns out that some of those are also spam; the actual FP rate is

The actual FP rate, eliminating false false positives (e.g., after corpus 
cleaning) is 4 messages in 4773, or 0.08%.

> That's what I'm trying to do, but this particular spammer seems to have
> been very careful (or really used outlook to generate the message) -- it
> seems to match exactly, at least at the MIME and RFC822 layers. I'm looking
> into HTML now.

A careful review of HTML messages from this class of spam and HTML messages 
from my corpus reveals nothing distinctive about the spam; the message 
template was almost certainly generated using Outlook Express itself. The 
rule I've already suggested (OE_MULTIPART_RELATED) is the most distinctive 
aspect I can find, barring any analysis of the image itself (which I leave to 
the ImageInfo or OCR plugins).

Cheers,

--Ian


RE: SPAM Question

2006-12-04 Thread Robert Swan
Ok so is there a rule that can identify when the 2 do not match?

Robert

Peace he would say instead of goodbyepeace my brother.


Re: SPAM Question

2006-12-04 Thread Theo Van Dinter
On Mon, Dec 04, 2006 at 01:40:38PM -0500, Robert Swan wrote:
> Ok so is there a rule that can identify when the 2 do not match?

You can write a plugin to do it, but it'd be a horrible rule.  For instance,
all mailing lists will get flagged.

-- 
Randomly Selected Tagline:
"Linux is not beautiful. Because power means rawness. And its up to the
 user to paint it. When he gets there don't get scared. Everyone has a
 Picasso inside."- Unknown user from /.




RE: SPAM Question

2006-12-04 Thread Robert Swan
Ya I thought of that too, what about the second question:

Q2. Is there a custom rule that triggers if someone sends from an ".ar"
domain server or some other foreign country server? We don't get e-mail
here from other countries ever.

 


Robert

Peace he would say instead of goodbyepeace my brother.

Re: SPAM Question

2006-12-04 Thread Theo Van Dinter
On Mon, Dec 04, 2006 at 01:44:50PM -0500, Robert Swan wrote:
> Q2. Is there a custom rule that triggers if someone sends from an ".ar"
> domain server or some other foreign country server, we don't get e-mail
> here from other countries ever.

You can write a rule to look at the from address, or use some country RBL (I
was going to point at countries.blackholes.us, but it seems deprecated?)

I'd just filter at the MTA for this kind of thing.

-- 
Randomly Selected Tagline:
"You're a creature of the night, Michael.  Wait'll Mom hears about this."
 -- from the movie "The Lost Boys"


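
Neal's envelope-versus-DATA explanation and Theo's two answers above, as an added example that is not part of the original thread and not SpamAssassin code: it recovers the envelope (RCPT TO) recipient from Delivered-To or from the "for <addr>" clause of the topmost Received: line, compares it with To:/Cc:, and separately checks the top-level domain of the From: address. Both messages are constructed with placeholder addresses, and the function names are my own. The list sample shows Theo's objection in practice: a legitimate list post mismatches in exactly the same way as the spam, and everything below your own MTA's Received: line is whatever the sender chose to write, which is why a country decision is better taken at the MTA from the connecting IP.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Constructed samples with placeholder addresses (not the headers from the
# post). The first mimics the reported message: accepted for one mailbox
# while To: names somebody else, and sent from a .ar address. Only the
# topmost Received: line (written by our own MTA) is trusted here.
SPAM_SAMPLE = """\
Return-Path: <lizzie@example.ar>
Received: from 41EB3698 (unknown [192.0.2.10])
\tby mx.example.com (Postfix) with SMTP id PLACEHOLDER
\tfor <robert@example.com>; Sat, 2 Dec 2006 00:30:41 -0500 (EST)
From: "Mr. lizzie" <lizzie@example.ar>
To: <someone-else@example.net>
Subject: just like the real ones

(body)
"""

# A legitimate list post shows the very same mismatch: the envelope says
# robert@example.com, the To: header says the list address.
LIST_SAMPLE = """\
Return-Path: <users-bounces@lists.example.org>
Delivered-To: robert@example.com
List-Id: <users.lists.example.org>
From: "A Subscriber" <subscriber@example.org>
To: users@lists.example.org
Subject: Re: SPAM Question

(body)
"""


def _unfold(value):
    """Join folded header continuation lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def envelope_recipient(msg):
    """The RCPT TO address as the local MTA recorded it: Delivered-To if
    present, else the 'for <addr>' clause of the topmost Received: header."""
    if msg.get("Delivered-To"):
        return msg["Delivered-To"].strip().lower()
    received = msg.get_all("Received", [])
    if received:
        m = re.search(r"\bfor\s+<?([^<>\s;]+)>?", _unfold(received[0]))
        if m:
            return m.group(1).lower()
    return None


def header_recipients(msg):
    """All addresses named in To: and Cc: (the DATA part of the session)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def recipient_mismatch(raw_message):
    """True when the envelope recipient appears nowhere in To:/Cc:."""
    msg = email.message_from_string(raw_message)
    env = envelope_recipient(msg)
    return env is not None and env not in header_recipients(msg)


def is_mailing_list(raw_message):
    """Heuristic for the main source of legitimate mismatches."""
    msg = email.message_from_string(raw_message)
    precedence = (msg.get("Precedence") or "").lower()
    return msg.get("List-Id") is not None or precedence in ("list", "bulk")


def from_tld(raw_message):
    """Top-level domain of the From: address, lowercased (None if absent)."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain.rpartition(".")[2] if "." in domain else None


def from_tld_in(raw_message, tlds):
    """True when the From: address ends in one of the given country TLDs."""
    return from_tld(raw_message) in {t.lower() for t in tlds}


if __name__ == "__main__":
    for name, raw in (("spam", SPAM_SAMPLE), ("list", LIST_SAMPLE)):
        print(name, "mismatch:", recipient_mismatch(raw),
              "list:", is_mailing_list(raw), "tld:", from_tld(raw))
```

Bcc recipients and forwarded mail mismatch for the same reason as list traffic, so the mismatch result is at most a weak signal to combine with others, never a verdict on its own. The From: TLD check is only as trustworthy as the From: header, which the sender controls.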


Re: Berkeley db, how to tune it ?

2006-12-04 Thread Theo Van Dinter
On Mon, Dec 04, 2006 at 09:48:08AM +0100, Gilles Hamel wrote:
> In recent weeks, the amount of spam we receive has increased rapidly. Now our spamassassin
> server is becoming I/O bound managing the bayes and whitelist Berkeley DB.
> The Spamassassin wiki suggests to stop using bayes, but that is not an acceptable
> solution here.

I don't think there's a lot of optimizations that you can do to BDB.  You may
want to consider switching to SQL.

I'm not sure why the wiki suggests turning bayes off.  Perhaps it's suggesting
disabling auto-expire, since that tends to be the big i/o suck.

-- 
Randomly Selected Tagline:
"Apres moe le deluge" - Larry and Curly get wet




RE: whitelist_from and whitelist_from_rcvd not working

2006-12-04 Thread Robert Swan

I had a similar problem with SA not reading a specific .cf file. I
basically created a new greylist.cf file and copied the test over and it
worked, and of course make sure it is in the right folder... Might be
worth a try.



Robert

Peace he would say instead of goodbyepeace my brother.


Re: SA Rule

2006-12-04 Thread Sven Schuster

Hi,

On Wed, Nov 29, 2006 at 04:46:32PM -0800, John D. Hardin told us:
> On Wed, 29 Nov 2006, Loren Wilton wrote:
> > > for mangled viagra and other stuff ..is there any simple rule??
> > > such as following text...
> >
> > Mangled rules are never simple rules.
>
> I have a perl script that will take a word list and generate REs for
> obfuscated versions of those words.
>  http://www.impsec.org/~jhardin/antispam

Another thought on this topic: has anybody ever tried using the
String::Approx module (or something similar) to do approximate/
distance matching on obfuscated words?? Kind of like the way
FuzzyOcr does it??


have a nice day :-)

Sven

-- 
Linux zion.homelinux.com 2.6.18-1.2849.fc6xen #1 SMP Fri Nov 10 13:56:52 EST 
2006 i686 athlon i386 GNU/Linux
 21:00:15 up 18 days, 22:18,  1 user,  load average: 0.37, 0.72, 0.60


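
Following Sven's question about approximate matching (and the regex-generator approach John Hardin mentions above), here is an added example that is not from the thread and is not code from String::Approx, FuzzyOcr or Hardin's script: a Levenshtein-distance matcher over a small word list, applied after undoing common glyph swaps and separator padding. The word list, the substitution table, the distance budget and the minimum token length are my own choices, and the sample lines are constructed. The "Niagara" case shows why the budget has to stay tight: one extra edit of slack is enough to turn a place name into a hit.

```python
import re


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character inserts, deletes and
    substitutions needed to turn a into b (classic two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


# Glyph swaps commonly used to dodge literal matches. Constructed table,
# deliberately small; extend it from what your own spam corpus shows.
GLYPH_SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                             "5": "s", "@": "a", "$": "s", "|": "l"})


def normalize(token):
    """Lowercase, undo glyph swaps, and strip separators padded between
    letters (v.i.a.g.r.a, v-i-a-g-r-a) so they compare as one word."""
    return re.sub(r"[^a-z]", "", token.lower().translate(GLYPH_SWAPS))


def fuzzy_hits(text, wordlist, max_dist=1, min_len=5):
    """Tokens within max_dist edits of a listed word, as (token, word, dist).

    min_len skips short tokens: one edit on a four-letter word matches far
    too much ordinary English to carry any evidence.
    """
    hits = []
    for token in text.split():
        norm = normalize(token)
        if len(norm) < min_len:
            continue
        for word in wordlist:
            dist = edit_distance(norm, word.lower())
            if dist <= max_dist:
                hits.append((token, word, dist))
    return hits


# Constructed sample lines, not taken from any corpus.
WORDS = ["viagra", "cialis"]
OBFUSCATED = "Buy VIAGRRA and c.i.a.l.i.s today"
INNOCENT = "Niagara Falls trip"

if __name__ == "__main__":
    print(fuzzy_hits(OBFUSCATED, WORDS))            # two hits, distances 1 and 0
    print(fuzzy_hits(INNOCENT, WORDS))              # [] with the default budget
    print(fuzzy_hits(INNOCENT, WORDS, max_dist=2))  # 'Niagara' now matches
```

Whitespace-separated letters ("v i a g r a") are six short tokens here and are not matched; handling them means joining runs of single-letter tokens before normalizing, which is cheap but widens the false-positive surface, so measure the ham hit rate on your own corpus before scoring either variant.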


Re: Over Zealous Checks for Nigerian 419 Scams

2006-12-04 Thread Justin Mason

please feel free to pass on more FP samples for these rules -- so
far we clearly don't have enough, given those scores!

--j.



VBounce.pm - anyone know where it went?

2006-12-04 Thread Darron Froese

http://wiki.apache.org/spamassassin/VBounceRuleset

It's linked to from that page, but appears to have been removed from  
svn - anyone know where I can get it now AND/OR why it was removed?


Thanks.
--
darron froese
principal
nonfiction studios inc.
t  403.686.8887
c 403.819.7887
f  403.313.9233
w http://nonfiction.ca/
e  [EMAIL PROTECTED]




spamassassin config question

2006-12-04 Thread Sujit Choudhury
I am running SpamAssassin version 3.1.7.  I have a few questions regarding the 
working of spamassassin:
 
1) In /etc/mail/spamassassin, there is a file called init.pre.  Is it necessary 
to have the contents of that file in local.cf?
 
2)  I am running exim and calling spamd from within exim.  When I do 
check_whitelist, I get the following:
Cannot open file /root/.spamassassin/auto-whitelist: No such file or directory
Is there anything I should have done for AWL to work?
 
3)  Lately we are getting a lot of spam consisting of images+text.  While some are 
caught, a large proportion of them are not marked as spam.  I am using Botnet.cf 
and in the same directory have Botnet.pm file.  Is there any other rule that 
can be used to catch this kind of spam?
 
Many thanks
 
 
Sujit


Re: Over Zealous Checks for Nigerian 419 Scams

2006-12-04 Thread Rick Mallett

What's the proper way to submit material for the ham corpus?

I've got the entire newsletter that resulted in the "Nigerian Scam" 
FP I reported but I wasn't sure if it was appropriate to include it in

the posting.

It's only about 3 pages long but it's got both a plain text and an HTML
component and it's about 50KB in size.

- rick

On Mon, 4 Dec 2006, Justin Mason wrote:



please feel free to pass on more FP samples for these rules -- so
far we clearly don't have enough, given those scores!

--j.



[deleted]


How to examine a system and determine the mail delivery agent.

2006-12-04 Thread Don Saklad
How do novice end users (neophytes) examine things and determine
what the mail delivery agent is? ... as a general understanding
of the particular system at hand.

This is with respect to setting up a secondary mail file for
screened spam type messages that later can be checked over for
any false positives.


Re: New Rule: OE_MULTIPART_RELATED

2006-12-04 Thread John D. Hardin
On Mon, 4 Dec 2006, Ian Turner wrote:

> When used in combination with, say, DC_GIF_UNO_LARGO,
> RCVD_IN_NJABL_DUL, and RCVD_IN_BL_SPAMCOP_NET, this rule can help
> make a more solid prediction.

The perceptron doesn't create meta rules, does it?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...to announce there must be no criticism of the President or to
  stand by the President right or wrong is not only unpatriotic and
  servile, but is morally treasonous to the American public.
  -- Theodore Roosevelt, 1918
---
 11 days until Bill of Rights day



Re: How to examine a system and determine the mail delivery agent.

2006-12-04 Thread Evan Platt

At 12:20 PM 12/4/2006, you wrote:

> How do novice end users (neophytes) examine things and determine
> what the mail delivery agent is? ... as a general understanding
> of the particular system at hand.
> 
> This is with respect to setting up a secondary mail file for
> screened spam type messages that later can be checked over for
> any false positives.


Unless I'm not understanding you... You could attempt to telnet to 
the mail server on port 25, some will say for example:

220 example.com ESMTP Postfix


Evan 





Re: spamassassin config question

2006-12-04 Thread Theo Van Dinter
On Mon, Dec 04, 2006 at 08:54:09PM -, Sujit Choudhury wrote:
> 1) In /etc/mail/spamassassin, there is a file called init.pre.  Is it 
> necessary to have the contents of that file in local.cf?

No.  In fact, that's why the data is in a different file. :)

> 3)  Lately we are getting a lot of spam consisting of images+text.  While some 
> are caught, a large proportion of them are not marked as spam.  I am using 
> Botnet.cf and in the same directory have Botnet.pm file.  Is there any other 
> rule that can be used to catch this kind of spam?

run sa-update.

-- 
Randomly Selected Tagline:
"I would never have sex with a cow.  Cause that is wrong, and I am
 lactose intolerant."  - Dave Attell




Re: How is LOCAL_AUTH_RCVD used?

2006-12-04 Thread Daryl C. W. O'Shea

René Berber wrote:

> Hi,
> 
> I have a similar problem as the one recently reported by J. Rhett in thread
> "skipping SPF checks for authenticated users".  I'm trying to use Botnet plugin
> and make it not score for authenticated users; having the same for SPF and RBL
> would be even better.
> 
> So the problem is that SA doesn't recognize that users are authenticated, I saw
> this document: http://wiki.apache.org/spamassassin/DynablockIssues which just
> says to add a LOCAL_AUTH_RCVD rule that matches your mail server, I did and it
> doesn't work as expected: SA matches the rule and adds a 1.0 score, the
> pseudo-header shows no authentication was recognized:


That's not what it "just says".  The info before it talks about how 
SpamAssassin will attempt to detect RFC 3848 style auth tokens (it'll 
also detect Sendmail and a few other styles of auth tokens) and how 
Postfix is a pain in the ass about this (but finally, optionally, 
provides the info in Postfix 2.3).




> dbg: metadata: X-Spam-Relays-Untrusted: [ ip=200.52.129.137
> rdns=mail.legosoft.com.mx helo= by=cactus-soft.dyndns.org ident=
> [EMAIL PROTECTED] intl=0 id=J9POUJ-0001MC-JY auth= ] [
> ip=189.149.70.163 rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA
> by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth= ]


It doesn't look like you have your trusted_networks configured 
correctly.  Fix that before you even attempt to get auth token detection 
working.




> Any help clarifying how the LOCAL_AUTH_RCVD rule is used, or an alternative to
> make SA recognize the authenticated user, will be appreciated.


I've updated the DynablockIssues wiki page to be clear that custom rules 
are only a workaround for less than helpful MTAs.




> Using SA 3.1.7, under Solaris 9 with sendmail 8.13.8 and Windows XP manually for
> testing.


Sendmail should be putting a "(authenticated bits=0)" line in its 
Received header when the user authenticates.  SA will automatically use 
this to extend the trust path if the header above it is trusted.



Daryl






Re: How to examine a system and determine the mail delivery agent.

2006-12-04 Thread Theo Van Dinter
On Mon, Dec 04, 2006 at 01:32:44PM -0800, Evan Platt wrote:
> Unless I'm not understanding you... You could attempt to telnet to 
> the mail server on port 25, some will say for example:
> 220 example.com ESMTP Postfix

Assuming the MTA doesn't tell you (I think most of them do), you can do
something like:

$ sudo lsof -i :25
COMMAND   PIDUSER   FD   TYPEDEVICE SIZE NODE NAME
master   2134root   11u  IPv4  5054   TCP *:smtp (LISTEN)
smtpd   21230 postfix6u  IPv4  5054   TCP *:smtp (LISTEN)
smtpd   21231 postfix6u  IPv4  5054   TCP *:smtp (LISTEN)
[...]

and find out what process is listening on port 25, in this case, postfix.

-- 
Randomly Selected Tagline:
Don't marry a girl whose father calls her princess.




Scan Messages according to arrival

2006-12-04 Thread leemansvg

Hello,

I don't know if anyone has come across this, but my
Mailscanner/spamassassin/sendmail bunch seems to scan messages randomly. I
noticed this because it once got behind on scanning mail and it started to
scan the ones that came in immediately first. Is there a setting that I
tweak for it to adopt the policy "first in, first out" ?

Mike.
-- 
View this message in context: 
http://www.nabble.com/Scan-Messages-according-to-arrival-tf2757348.html#a7688534
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Over Zealous Checks for Nigerian 419 Scams

2006-12-04 Thread Nigel Frankcom
On Mon, 04 Dec 2006 16:12:01 -0500 (EST), Rick Mallett
<[EMAIL PROTECTED]> wrote:

>What's the proper way to submit material for the ham corpus?
>
>I've got the entire newsletter that resulted in the "Nigerian Scam" 
>FP I reported but I wasn't sure if it was appropriate to include it in
>the posting.
>
>It's only about 3 pages long but it's got both a plain text and an HTML
>component and it's about 50KB in size.
>
>- rick
>
>On Mon, 4 Dec 2006, Justin Mason wrote:
>
>>
>> please feel free to pass on more FP samples for these rules -- so
>> far we clearly don't have enough, given those scores!
>>
>> --j.
>>
>
>[deleted]

What's the method for submitting false negatives to that particular
corpus? I got 6 of em in one day last week - that's usually my entire
spam quotient for a month; that they came to my personal account added
insult to injury :-D

Keep doing what you do, it sure as hell makes my life easier.

Kind regards

Nigel


Wiki: Document the rules!

2006-12-04 Thread Kenneth Porter

See 

There's now a wiki page that creates a prototype documentation page for a 
rule:




Plug in a rule name and start documenting!


[Slightly OT and long] Architectural question...

2006-12-04 Thread Rubin Bennett
Ok, so like the rest of you, I've been getting swamped by stock and
other spam for the past couple of months.  I've been beating my head on
the wall trying to come up with the magic combination of things that
make my client's SpamAssassin installations work as well as my own.  And
Now I prostrate myself on the ground, in deference to the higher
knowledge of a group of SA heads...

The basic issue is this:
Most of my clients are now running dedicated Email "firewall" systems,
that I build and install from Open Source materials.
I use ClamAV-milter, SpamAss-milter (which tags and sends to messages
into quarantine but doesn't reject anything), and Sendmail (or postfix,
but usually Sendmail).
I'm using MySQL for userprefs, Bayes, and whitelisting, all on the same
box.
I have pretty much every test on the planet being run (see list below)
and updated via Rules_Du_Jour on the SpamAssassin side of things, and
I'm also running no less than 6 dnsbl's in Sendmail.  I have a couple
clients who are getting hammered with those darn messages that get sent
50 times each; if one gets through the filter, they all do.  Thus my
clients yell that they're getting tagged with spam, but to SA it's
really only one message that happened to get through multiple (many)
times.  To each user.

My quandary is that my own server is tagging the messages MUCH more
consistently than my clients.  There are 2 reasons for this that I can
see:
First, I'm a small target... it's a mailserver, but it's just me.  My
client sites are smallish (under 50 addresses), but that's a bigger
target than I present for sure.  I receive on average ~150-200 spams,
all but 1 or 2 end up in my Junk folder via SpamAssassin (called and
then sorted by Procmail).

Second, I run SA and my IMAP server on the same box, which means that I
can run sa-learn periodically to update my Bayes database, and there's
not currently a mechanism in place for email firewall users to do the
same.  Part of the reason for this is the need to take the human (i.e.
end user) component out of the filtering process, for all the reasons
discussed at length on this list (people feeding the wrong stuff to
their filter, not feeding their filter, etc., etc.)

My question basically boils down to this: How do I get similar results
in an appliance type model to what I see from my 'monolithic' mailserver
setup?

I'd like to keep using the MySQL prefs etc, and for a number of reasons
I have to stick with the architecture I've described with an external
(to the mailserver, not the LAN) Spam filtering server.

Thank you all in advance for your consideration!

Rubin

SpamAssassin 3.1.5,
FuzzyOCR 3.4.2
SpamAssassin MySQL userpref:
| $GLOBAL | score URIBL_SBL          | 4.66 |  1 |
| $GLOBAL | score HTML_IMAGE_ONLY_04 | 4.66 |  2 |
| $GLOBAL | score HTML_IMAGE_ONLY_08 | 4.16 |  3 |
| $GLOBAL | score HTML_IMAGE_ONLY_16 | 3.8  |  4 |
| $GLOBAL | score HTML_IMAGE_ONLY_20 | 1.8  |  5 |
| $GLOBAL | score HTML_IMAGE_ONLY_12 | 3.8  |  6 |
| $GLOBAL | score HTML_IMAGE_ONLY_24 | 2.8  |  7 |
| $GLOBAL | score HTML_IMAGE_ONLY_28 | 3.8  |  8 |
| $GLOBAL | score HTML_IMAGE_ONLY_32 | 3.8  |  9 |
| $GLOBAL | score DNS_FROM_RFC_ABUSE | 2.5  | 10 |
| $GLOBAL | ok_locales               | en   | 11 |
| $GLOBAL | score RCVD_IN_SORBS_DUL  | 3.5  | 13 |
| $GLOBAL | score RCVD_NUMERIC_HELO  | 3.5  |    |

Rules_du_jour:
TRUSTED_RULESETS="
TRIPWIRE
ANTIDRUG
SARE_EVILNUMBERS0
SARE_EVILNUMBERS1
SARE_EVILNUMBERS2
RANDOMVAL
BOGUSVIRUS
SARE_ADULT
SARE_FRAUD
SARE_BML
SARE_SPOOF
SARE_BAYES_POISON_NXM
SARE_OEM
SARE_RANDOM
SARE_HEADER
SARE_HEADER_ENG
SARE_HEADER_X264_X30
SARE_HEADER_X30
SARE_HTML
SARE_HTML_ENG
SARE_HTML_PRE300
SARE_SPECIFIC
SARE_OBFU
SARE_REDIRECT
SARE_REDIRECT_POST300
SARE_SPAMCOP_TOP200
SARE_GENLSUBJ
SARE_GENLSUBJ_X30
SARE_GENLSUBJ_ENG
SARE_HIGHRISK
SARE_UNSUB
SARE_URI0
SARE_URI1
SARE_URI3
SARE_URI_ENG"

That's all I can think of to toss in at this point... Thank you!
-- 
Rubin Bennett
RB Technologies
http://thatitguy.com
[EMAIL PROTECTED]
(802)223-4448

"They that can give up essential liberty to obtain a little
temporary security deserve neither liberty nor safety"
  --Benjamin Franklin, Historical Review of Pennsylvania, 1759


Re: How is LOCAL_AUTH_RCVD used?

2006-12-04 Thread Jo Rhett


On Dec 4, 2006, at 1:03 PM, Daryl C. W. O'Shea wrote:
> That's not what it "just says".  The info before it talks about how
> SpamAssassin will attempt to detect RFC 3848 style auth tokens
> (it'll also detect Sendmail and a few other styles of auth tokens)
> and how Postfix is a pain in the ass about this (but finally,
> optionally, provides the info in Postfix 2.3).


Frankly, the text here kind of rambles and so I'm not certain that it  
makes direct linear sense to me.  In particular this following quote  
says that I missed something:


> Sendmail should be putting a "(authenticated bits=0)" line in its
> Received header when the user authenticates.  SA will automatically
> use this to extend the trust path if the header above it is trusted.


Automatically how?  Before I added the LOCAL_AUTH_RCVD SA was doing  
nothing about that header.  Today, I can use the LOCAL_AUTH_RECEIVED  
score to decrement the score a bit, but it doesn't extend the trust  
path at all.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: [Slightly OT and long] Architectural question...

2006-12-04 Thread Rick Macdougall

Rubin Bennett wrote:


> SpamAssassin 3.1.5,
> FuzzyOCR 3.4.2
> 
> Rules_du_jour:
> TRUSTED_RULESETS="
> TRIPWIRE
> ANTIDRUG
> SARE_EVILNUMBERS0
> SARE_EVILNUMBERS1
> SARE_EVILNUMBERS2
> RANDOMVAL
> BOGUSVIRUS
> SARE_ADULT
> SARE_FRAUD
> SARE_BML
> SARE_SPOOF
> SARE_BAYES_POISON_NXM
> SARE_OEM
> SARE_RANDOM
> SARE_HEADER
> SARE_HEADER_ENG
> SARE_HEADER_X264_X30
> SARE_HEADER_X30
> SARE_HTML
> SARE_HTML_ENG
> SARE_HTML_PRE300
> SARE_SPECIFIC
> SARE_OBFU
> SARE_REDIRECT
> SARE_REDIRECT_POST300
> SARE_SPAMCOP_TOP200
> SARE_GENLSUBJ
> SARE_GENLSUBJ_X30
> SARE_GENLSUBJ_ENG
> SARE_HIGHRISK
> SARE_UNSUB
> SARE_URI0
> SARE_URI1
> SARE_URI3
> SARE_URI_ENG"
> 
> That's all I can think of to toss in at this point... Thank you!


Hi,

I don't see sare_stock or ImageInfo in that list.  That (and bayes) is 
what catches it here.


Regards,

Rick



Re: New Rule: OE_MULTIPART_RELATED

2006-12-04 Thread Ian Turner
On Monday 04 December 2006 16:19, John D. Hardin wrote:
> On Mon, 4 Dec 2006, Ian Turner wrote:
> > When used in combination with, say, DC_GIF_UNO_LARGO,
> > RCVD_IN_NJABL_DUL, and RCVD_IN_BL_SPAMCOP_NET, this rule can help
> > make a more solid prediction.
>
> The perceptron doesn't create meta rules, does it?

Nope, although you can always create them and see what score it gives them. 
But what I actually meant when I said "in combination" was not meta rules, 
but simply the sum-of-scores rule aggregation that spamassassin already does. 
Each of the rules may provide the suggestion of spam, but most rules are not 
scored high enough to mark an e-mail as spam on their own -- several rules 
must match in order to make a "spam" decision.

Cheers,

--Ian Turner


Re: [Slightly OT and long] Architectural question...

2006-12-04 Thread Dimitri Yioulos
On Monday 04 December 2006 5:19 pm, Rubin Bennett wrote:
> Ok, so like the rest of you, I've been getting swamped by stock and
> other spam for the past couple of months.  I've been beating my head on
> the wall trying to come up with the magic combination of things that
> make my client's SpamAssassin installations work as well as my own.  And
> Now I prostrate myself on the ground, in deference to the higher
> knowledge of a group of SA heads...
>
[SNIP]
>
> Rules_du_jour:
> TRUSTED_RULESETS="
> TRIPWIRE
> ANTIDRUG
> SARE_EVILNUMBERS0
> SARE_EVILNUMBERS1
> SARE_EVILNUMBERS2
> RANDOMVAL
> BOGUSVIRUS
> SARE_ADULT
> SARE_FRAUD
> SARE_BML
> SARE_SPOOF
> SARE_BAYES_POISON_NXM
> SARE_OEM
> SARE_RANDOM
> SARE_HEADER
> SARE_HEADER_ENG
> SARE_HEADER_X264_X30
> SARE_HEADER_X30
> SARE_HTML
> SARE_HTML_ENG
> SARE_HTML_PRE300
> SARE_SPECIFIC
> SARE_OBFU
> SARE_REDIRECT
> SARE_REDIRECT_POST300
> SARE_SPAMCOP_TOP200
> SARE_GENLSUBJ
> SARE_GENLSUBJ_X30
> SARE_GENLSUBJ_ENG
> SARE_HIGHRISK
> SARE_UNSUB
> SARE_URI0
> SARE_URI1
> SARE_URI3
> SARE_URI_ENG"
>

I don't see sare_stocks in your list.  Surely that will help.

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: VBounce.pm - anyone know where it went?

2006-12-04 Thread Rocky Olsen
The log message for the svn says: 'virus-bounce ruleset integration; move
the scores into 50_scores.cf' - I heard this was happening with SA
3.2... but what about us 3.1.x users! Will the .pm and .cf be made
available anywhere? Or are we left digging through svn?




On Mon, Dec 04, 2006 at 01:47:48PM -0700, Darron Froese wrote:
> http://wiki.apache.org/spamassassin/VBounceRuleset
> 
> It's linked to from that page, but appears to have been removed from  
> svn - anyone know where I can get it now AND/OR why it was removed?
> 
> Thanks.
> -- 
> darron froese
> principal
> nonfiction studios inc.
> t  403.686.8887
> c 403.819.7887
> f  403.313.9233
> w http://nonfiction.ca/
> e  [EMAIL PROTECTED]
> 
> 

-- 
__


what's with today, today?

Email:  [EMAIL PROTECTED]
PGP:http://rocky.mindphone.org/rocky_mindphone.org.gpg


Re: VBounce.pm - anyone know where it went?

2006-12-04 Thread Rocky Olsen

*dug through svn*

http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/?pathrev=482207

On Mon, Dec 04, 2006 at 04:14:53PM -0700, Rocky Olsen wrote:
> The log message for the svn says: 'virus-bounce ruleset integration; move
> the scores into 50_scores.cf' - I heard this was happening with SA
> 3.2... but what about us 3.1.x users! Will the .pm and .cf be made
> available anywhere? Or are we left digging through svn?
> 
> 
> 
> 
> On Mon, Dec 04, 2006 at 01:47:48PM -0700, Darron Froese wrote:
> > http://wiki.apache.org/spamassassin/VBounceRuleset
> > 
> > It's linked to from that page, but appears to have been removed from  
> > svn - anyone know where I can get it now AND/OR why it was removed?
> > 
> > Thanks.
> > -- 
> > darron froese
> > principal
> > nonfiction studios inc.
> > t  403.686.8887
> > c 403.819.7887
> > f  403.313.9233
> > w http://nonfiction.ca/
> > e  [EMAIL PROTECTED]
> > 
> > 
> 
> -- 
> __
> 
> 
> what's with today, today?
> 
> Email:[EMAIL PROTECTED]
> PGP:  http://rocky.mindphone.org/rocky_mindphone.org.gpg

-- 
__


what's with today, today?

Email:  [EMAIL PROTECTED]
PGP:http://rocky.mindphone.org/rocky_mindphone.org.gpg


Re: VBounce.pm - anyone know where it went?

2006-12-04 Thread Justin Mason

Yep -- these files should work:

VBounce.pm - 
http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/VBounce.pm?revision=467392&pathrev=482207

20_vbounce.cf - 
http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_vbounce.cf?revision=482200&pathrev=482207

I'd add those to the wiki page, but wiki.apache.org seems to be hanging
for me right now :(

--j.

Rocky Olsen writes:
>*dug through svn*
>
>http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/?pathrev=482207
>
>On Mon, Dec 04, 2006 at 04:14:53PM -0700, Rocky Olsen wrote:
>> The log message for the svn says: 'virus-bounce ruleset integration; move
>> the scores into 50_scores.cf' - I heard this was happening with SA
>> 3.2... but what about us 3.1.x users! Will the .pm and .cf be made
>> available anywhere? Or are we left digging through svn?
>> 
>> 
>> 
>> 
>> On Mon, Dec 04, 2006 at 01:47:48PM -0700, Darron Froese wrote:
>> > http://wiki.apache.org/spamassassin/VBounceRuleset
>> > 
>> > It's linked to from that page, but appears to have been removed from  
>> > svn - anyone know where I can get it now AND/OR why it was removed?
>> > 
>> > Thanks.
>> > -- 
>> > darron froese
>> > principal
>> > nonfiction studios inc.
>> > t  403.686.8887
>> > c 403.819.7887
>> > f  403.313.9233
>> > w http://nonfiction.ca/
>> > e  [EMAIL PROTECTED]
>> > 
>> > 
>> 
>> -- 
>> __
>> 
>> 
>> what's with today, today?
>> 
>> Email:   [EMAIL PROTECTED]
>> PGP: http://rocky.mindphone.org/rocky_mindphone.org.gpg
>
>-- 
>__
>
>
>what's with today, today?
>
>Email: [EMAIL PROTECTED]
>PGP:   http://rocky.mindphone.org/rocky_mindphone.org.gpg
>
>


Re: How is LOCAL_AUTH_RCVD used?

2006-12-04 Thread René Berber
Daryl C. W. O'Shea wrote:

> René Berber wrote:
>>
[snip]
>> So the problem is that SA doesn't recognize that users are
>> authenticated, I saw
>> this document: http://wiki.apache.org/spamassassin/DynablockIssues
>> which just
>> says to add a LOCAL_AUTH_RCVD rule that matches your mail server, I
>> did and it
>> doesn't work as expected: SA matches the rule and adds a 1.0 score, the
>> pseudo-header shows no authentication was recognized:
> 
> That's not what it "just says".  The info before it talks about how
> SpamAssassin will attempt to detect RFC 3848 style auth tokens (it'll
> also detect Sendmail and a few other styles of auth tokens) and how
> Postfix is a pain in the ass about this (but finally, optionally,
> provides the info in Postfix 2.3).

I read the whole page before asking, and I understand that it follows the trust
path page.  The fact is SA is not detecting the authentication, and there is
nothing in that page that gives a clue as to why; it just mentions the
LOCAL_AUTH_RCVD rule and it certainly doesn't say it's not needed for sendmail.

> 
>> dbg: metadata: X-Spam-Relays-Untrusted: [ ip=200.52.129.137
>> rdns=mail.legosoft.com.mx helo= by=cactus-soft.dyndns.org ident=
>> [EMAIL PROTECTED] intl=0 id=J9POUJ-0001MC-JY auth= ] [
>> ip=189.149.70.163 rdns=dsl-189-149-70-163.prod-infinitum.com.mx
>> helo=MARISELA
>> by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth= ]
> 
> It doesn't look like you have your trusted_networks configured
> correctly.  Fix that before you even attempt to get auth token detection
> working.

It is configured correctly (don't assume something you don't know), it is in my
mailscanner.cf, like this:

trusted_networks 192.168.10/24
trusted_networks 200.52.129.137

>> Any help clarifying how the LOCAL_AUTH_RCVD rule is used, or an
>> alternative to
>> make SA recognize the authenticated user, will be appreciated.
> 
> I've updated the DynablockIssues wiki page to be clear that custom rules
> are only a workaround for less than helpful MTAs.

I've run SA with -D; it sees the (standard sendmail) header and creates the 2
trusted pseudo-headers, but doesn't detect the authentication:

$ spamassassin -x -D -t < S.eml
[824] dbg: logger: adding facilities: all
[824] dbg: logger: logging level is DBG
[824] dbg: generic: SpamAssassin version 3.1.7
...
[824] dbg: received-header: unknown format: via tmail-2002(14) (invoked by user
rberber) for rberber; Sun, 3 Dec 2006 13:01:33 -0600
[824] dbg: received-header: unparseable: via tmail-2002(14) (invoked by user
rberber) for rberber; Sun, 3 Dec 2006 13:01:33 -0600
[824] dbg: received-header: parsed as [ ip=200.52.129.137
rdns=mail.legosoft.com.mx helo= by=cactus-soft.dyndns.org ident=
[EMAIL PROTECTED] intl=0 id=J9POUJ-0001MC-JY auth= ]
[824] dbg: received-header: relay 200.52.129.137 trusted? yes internal? yes
[824] dbg: received-header: parsed as [ ip=189.149.70.163
rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA
by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth= ]
[824] dbg: received-header: relay 189.149.70.163 trusted? no internal? no
[824] dbg: metadata: X-Spam-Relays-Trusted: [ ip=200.52.129.137
rdns=mail.legosoft.com.mx helo= by=cactus-soft.dyndns.org ident=
[EMAIL PROTECTED] intl=1 id=J9POUJ-0001MC-JY auth= ]
[824] dbg: metadata: X-Spam-Relays-Untrusted: [ ip=189.149.70.163
rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA
by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth= ]
[824] dbg: metadata: X-Spam-Relays-Internal: [ ip=200.52.129.137
rdns=mail.legosoft.com.mx helo= by=cactus-soft.dyndns.org ident=
[EMAIL PROTECTED] intl=1 id=J9POUJ-0001MC-JY auth= ]
[824] dbg: metadata: X-Spam-Relays-External: [ ip=189.149.70.163
rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA
by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth= ]
...

The message headers are:

Received: via tmail-2002(14) (invoked by user rberber) for rberber; Sun, 3 Dec
2006 13:01:33 -0600
...
Received: from mail.legosoft.com.mx ([200.52.129.137])
by cactus-soft.dyndns.org with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.63)
(envelope-from <[EMAIL PROTECTED]>)
id J9POUJ-0001MC-JY
for [EMAIL PROTECTED]; Sun, 03 Dec 2006 13:01:32 -0600
Received: from MARISELA (dsl-189-149-70-163.prod-infinitum.com.mx
[189.149.70.163] (may be forged))
(authenticated bits=0)
by mail.legosoft.com.mx (8.13.8/8.13.8) with ESMTP id kB3G26P6019032
for <[EMAIL PROTECTED]>; Sun, 3 Dec 2006 10:02:16 -0600 (CST)
...

The result is that twice SA didn't recognize the authentication, first in the
company server, and later on my home server with the received message which I'm
testing again.

>> Using SA 3.1.7, under Solaris 9 with sendmail 8.13.8 and Windows XP
>> manually for
>> testing.
> 
> Sendmail should be putting a "(authenticated bits=0)" line in its
> Received header when the user authenticates.  SA will automatically use

Re: VBounce.pm - anyone know where it went?

2006-12-04 Thread Darron Froese

Thanks everybody - appreciate it!

On 4-Dec-06, at 4:44 PM, Justin Mason wrote:
[snip]

--
darron froese
principal
nonfiction studios inc.
t  403.686.8887
c 403.819.7887
f  403.313.9233
w http://nonfiction.ca/
e  [EMAIL PROTECTED]




spam

2006-12-04 Thread san

Hi,

I am receiving spam mails which just have a number in the body, like
1265 or 2196...

Any thoughts on how to stop this kind of spam?

thanks
san
-- 
View this message in context: http://www.nabble.com/spam-tf2758135.html#a7690605
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: How is LOCAL_AUTH_RCVD used?

2006-12-04 Thread Mark Martinec
> That's not what it "just says".  The info before it talks about how
> SpamAssassin will attempt to detect RFC 3848 style auth tokens (it'll
> also detect Sendmail and a few other styles of auth tokens) and how
> Postfix is a pain in the ass about this (but finally, optionally,
> provides the info in Postfix 2.3).

The smtpd_sasl_authenticated_header option in Postfix
has been available since 2005-04-04 in current versions
for those who needed it, and indeed with 2.3 since
this July for the rest.

It is off by default for compatibility and because it is
nobody's business (as far as recipients are concerned) to know
on what grounds and what technology our local users were
authorized to submit their mail to a local MSA.

If SA is in play, the mail administrator needs to make a trade-off:
add the information to the header and supply the needed information
to SA (and to recipients), or protect site setup privacy
and cover for roaming users.

  Mark


Re: spam

2006-12-04 Thread Nigel Frankcom
On Mon, 4 Dec 2006 16:11:28 -0800 (PST), san <[EMAIL PROTECTED]>
wrote:

>
>Hi,
>
>I am receiving spam mails which just have a number in the body, like
>1265 or 2196...
>
>Any thoughts on how to stop this kind of spam?
>
>thanks
>san

Ditto

How in the hell does one write a rule for this sh*?

Received: by blue-canoe.org.uk (MTSPro MTSAgent 1.60.20) ; Tue, 05 Dec
2006 00:09:12 -
for <[EMAIL PROTECTED]>
X-Spam-RBLReport: 
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
ratsnest.bleh
X-Spam-Level: ***
X-Spam-Status: No, score=3.5 required=6.0 tests=BAYES_99
autolearn=disabled 
version=3.1.7
Received: from ip51cd0c53.adsl-surfen.hetnet.nl
(ip51cd0c53.adsl-surfen.hetnet.nl [81.205.12.83])
by blue-canoe.org.uk (envelope-sender
<[EMAIL PROTECTED]>) with ESMTP (MTSPro MTSSmtp 1.61)
for <[EMAIL PROTECTED]>; Tue, 05 Dec 2006 00:08:59 -
Message-ID: <[EMAIL PROTECTED]>
From: "noting installs" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Kazaas
Date: Tue, 5 Dec 2006 01:08:57 +0100
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Abuse-Report-URL: http://www.blue-canoe.net/abuse
X-Envelope-Sender: <[EMAIL PROTECTED]>
X-Envelope-Receiver: <[EMAIL PROTECTED]>
X-Agent-Received: from fedup2 (fedup2); Tue, 05 Dec 2006 00:11:33
+
X-Agent-Train-Legitimate: 0
X-Agent-Junk-Probability: 58

25513


Re: spam

2006-12-04 Thread Evan Platt

At 04:24 PM 12/4/2006, you wrote:

> On Mon, 4 Dec 2006 16:11:28 -0800 (PST), san <[EMAIL PROTECTED]>
> wrote:
> 
> >
> >Hi,
> >
> >I am receiving spam mails which just have a number in the body, like
> >1265 or 2196...
> >
> >Any thoughts on how to stop this kind of spam?
> >
> >thanks
> >san
> 
> Ditto
> 
> How in the hell does one write a rule for this sh*?


Maybe a rule if the message body is less than  characters?

I mean unless you expect lots of legitimate mail that says
"Hello."




Re: spam

2006-12-04 Thread Darron Froese

I just got 12.4 on that kind of spam:

BAYES_99=3.5,
DATE_IN_FUTURE_96_XX=2.403,
DK_POLICY_SIGNSOME=0.001,
DSPAM_SPAM=4,
RCVD_IN_BL_SPAMCOP_NET=1.558,
SAGREY=1

On 4-Dec-06, at 5:24 PM, Nigel Frankcom wrote:
[snip]

--
darron froese
principal
nonfiction studios inc.
t  403.686.8887
c 403.819.7887
f  403.313.9233
w http://nonfiction.ca/
e  [EMAIL PROTECTED]




Re: reporter.pl

2006-12-04 Thread Chris
On Monday 04 December 2006 1:54 pm, you wrote:

> Warning: I am not a perl programmer, so my word is not final on this!
>
> In the subroutine used to send out an e-mail to your address, the
> following condition:
>
> if ($spamlearned > 0 || $hamlearned > 0)
>
> ..must be met for the mail to be sent out, it seems.
>
> Here is my test, with ham and spam put in the necessary directories:
>

> Spam output: Learned tokens from 43 message(s) (43 message(s) examined)
> Ham output: Learned tokens from 219 message(s) (221 message(s) examined)
> Spam Learned:
> Ham Learned:
>
>
> As you can see, Spam Learned: and Ham Learned: contain no values. That
> is from the following portion of the script:
>
> {
> # Learn the spam!
> $spam = `sa-learn --spam $spampath`;
>
> # What was learned?
> $spam =~ /^Learned from (\d*?) message\(s\) \(\d*? message\(s\)
> examined\)\.$/; $spamlearned = $1;
>
> # Learn the ham!
> $ham = `sa-learn --ham $hampath`;
> $ham =~ /^Learned from (\d*?) message\(s\) \(\d*? message\(s\)
> examined\)\.$/; $hamlearned = $1;
>
> if ($debug eq "true")
> {
> print "Spam output: $spam";
> print "Ham output: $ham";
> print "Spam Learned: $spamlearned\n";
> print "Ham Learned: $hamlearned\n\n";
> }
> }
>
>
> So, it would appear that across several SA versions, the data output
> changed, and the two regexes for $spamlearned and $hamlearned now
> yield no data and need to be revised.
>
> Without that being done, the values returned for $spamlearned and
> $hamlearned will remain zero, and no mail will be sent.
>
> I hope someone more knowledgeable with Perl and SA data output can help
> rectify this.
>
>
>
> -Wash
>
I see, although spam/ham is being learned, the script doesn't think it is. 
Although it's not a major show stopper with the script, because it does 
basically what it's supposed to do, learn spam/ham and report to 
Razor/Pyzor/DCC. For statistical purposes though, having the output mailed 
would be nice.

[EMAIL PROTECTED] chris]$ sa-learn --dump magic
0.000  0  3  0  non-token data: bayes db version
0.000  0 113324  0  non-token data: nspam
0.000  0  16886  0  non-token data: nham

[EMAIL PROTECTED] chris]$ sa-learn --dump magic
0.000  0  3  0  non-token data: bayes db version
0.000  0 113328  0  non-token data: nspam
0.000  0  16914  0  non-token data: nham

Thanks for your help, I appreciate it.

Chris

-- 
Chris


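Chris's counters show that sa-learn did learn (nspam 113324 to 113328, nham 16886 to 16914) while reporter.pl reported nothing, which is exactly the symptom of the quoted regex not matching the newer "Learned tokens from ..." line. The following Python equivalent of that parsing step is an added example, not code from reporter.pl or from the thread; it carries the script's original Perl pattern over unchanged so the failure can be reproduced beside a pattern that accepts both output shapes. The sample outputs are constructed, modelled on the counts Wash posted.

```python
import re

# The summary line reporter.pl tries to parse, in both shapes seen on the
# list: the older "Learned from N message(s) ..." and the 3.1-era
# "Learned tokens from N message(s) ...". The trailing period is optional.
LEARNED_RE = re.compile(
    r"^Learned (?:tokens )?from (\d+) message\(s\) "
    r"\((\d+) message\(s\) examined\)\.?$",
    re.MULTILINE,
)

# The script's original pattern, carried over from Perl unchanged, so the
# failure can be reproduced side by side.
ORIGINAL_RE = re.compile(
    r"^Learned from (\d*?) message\(s\) \(\d*? message\(s\) examined\)\.$",
    re.MULTILINE,
)


def parse_sa_learn(output):
    """Return (learned, examined) from sa-learn's summary line.

    (0, 0) when no summary line is present, which is also what an empty
    ham or spam directory produces.
    """
    m = LEARNED_RE.search(output)
    if m is None:
        return (0, 0)
    return (int(m.group(1)), int(m.group(2)))


def should_send_report(spam_output, ham_output):
    """reporter.pl's gate: mail the report only if something was learned."""
    spam_learned, _ = parse_sa_learn(spam_output)
    ham_learned, _ = parse_sa_learn(ham_output)
    return spam_learned > 0 or ham_learned > 0


# Constructed outputs in the two formats (not copied from anyone's run).
OLD_FORMAT = "Learned from 43 message(s) (43 message(s) examined).\n"
NEW_FORMAT = "Learned tokens from 219 message(s) (221 message(s) examined)\n"

if __name__ == "__main__":
    print("original regex on new format:", ORIGINAL_RE.search(NEW_FORMAT))
    print("new regex on new format:", parse_sa_learn(NEW_FORMAT))
```

Because the gate is "learned > 0", a parser that silently returns nothing turns a format change into a report that never arrives; returning the examined count as well lets the report distinguish "nothing to learn" from "output not understood".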


Re: spam

2006-12-04 Thread Nigel Frankcom
On Mon, 4 Dec 2006 17:34:00 -0700, Darron Froese
<[EMAIL PROTECTED]> wrote:

>I just got 12.4 on that kind of spam:
>
>BAYES_99=3.5,
>DATE_IN_FUTURE_96_XX=2.403,
>DK_POLICY_SIGNSOME=0.001,
>DSPAM_SPAM=4,
>RCVD_IN_BL_SPAMCOP_NET=1.558,
>SAGREY=1
>
>On 4-Dec-06, at 5:24 PM, Nigel Frankcom wrote:
>
>> On Mon, 4 Dec 2006 16:11:28 -0800 (PST), san <[EMAIL PROTECTED]>
>> wrote:
>>
>>>
>>> Hi,
>>>
>>> Am receiving spam mails which just have a number in the body, just like
>>> 1265 or 2196...
>>>
>>> any thoughts how to stop this kind of spam..
>>>
>>> thanks
>>> san
>>
>> Ditto
>>
>> How in the hell does one write a  rule for this sh*?
>>
>> Received: by blue-canoe.org.uk (MTSPro MTSAgent 1.60.20) ; Tue, 05 Dec
>> 2006 00:09:12 -
>> for <[EMAIL PROTECTED]>
>> X-Spam-RBLReport:
>> X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
>> ratsnest.bleh
>> X-Spam-Level: ***
>> X-Spam-Status: No, score=3.5 required=6.0 tests=BAYES_99
>> autolearn=disabled
>>  version=3.1.7
>> Received: from ip51cd0c53.adsl-surfen.hetnet.nl
>> (ip51cd0c53.adsl-surfen.hetnet.nl [81.205.12.83])
>>  by blue-canoe.org.uk (envelope-sender
>> <[EMAIL PROTECTED]>) with ESMTP (MTSPro MTSSmtp 1.61)
>>  for <[EMAIL PROTECTED]>; Tue, 05 Dec 2006 00:08:59 -
>> Message-ID: <[EMAIL PROTECTED]>
>> From: "noting installs" <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]
>> Subject: Kazaas
>> Date: Tue, 5 Dec 2006 01:08:57 +0100
>> MIME-Version: 1.0
>> Content-Type: text/plain;
>>  format=flowed;
>>  charset="iso-8859-1";
>>  reply-type=original
>> Content-Transfer-Encoding: 7bit
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Microsoft Outlook Express 6.00.2900.2869
>> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
>> X-Abuse-Report-URL: http://www.blue-canoe.net/abuse
>> X-Envelope-Sender: <[EMAIL PROTECTED]>
>> X-Envelope-Receiver: <[EMAIL PROTECTED]>
>> X-Agent-Received: from fedup2 (fedup2); Tue, 05 Dec 2006 00:11:33
>> +
>> X-Agent-Train-Legitimate: 0
>> X-Agent-Junk-Probability: 58
>>
>> 25513

What rules/scores are you running?


Re: spam

2006-12-04 Thread Nigel Frankcom
On Mon, 04 Dec 2006 16:35:33 -0800, Evan Platt
<[EMAIL PROTECTED]> wrote:

>At 04:24 PM 12/4/2006, you wrote:
>>On Mon, 4 Dec 2006 16:11:28 -0800 (PST), san <[EMAIL PROTECTED]>
>>wrote:
>>
>> >
>> >Hi,
>> >
>> >Am receiving spam mails which just have a number in the body, just like
>> >1265 or 2196...
>> >
>> >any thoughts how to stop this kind of spam..
>> >
>> >thanks
>> >san
>>
>>Ditto
>>
>>How in the hell does one write a  rule for this sh*?
>
>Maybe a rule if the message body is less than  characters?
>
>I mean unless you expect lots of legitimate mail that says
>"Hello."
>

Good point; thanks.

Though I think I'll do one that picks only numerals. That said I'm
pretty sure there's a sare rule that covers this sort of thing
though I could easily be wrong; it wouldn't be the 1st time :-D

KR

Nigel

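Evan's suggestion (a rule on very short bodies) and Nigel's (a rule that fires only on a body made of digits) behave differently on legitimate mail, which is worth seeing on concrete input before writing the rule. The Python below is an added example, not code from the thread or from SpamAssassin: it extracts the text body of constructed sample messages and applies both candidate checks, with toy scores chosen here for illustration. The SpamAssassin rule name LOCAL_NUMERIC_ONLY_BODY in the comment is hypothetical; test any such rule against a corpus of your own ham before giving it a score, since body text that is nothing but a short number does turn up in legitimate mail.

```python
import email
import re
from email import policy

# Constructed sample messages for this example (not copies of the spam
# quoted in the thread).
SAMPLES = {
    "numeric_only": "From: sender@example.invalid\nSubject: Kazaas\n\n25513\n",
    "short_greeting": "From: sender@example.invalid\nSubject: hi\n\nHello.\n",
    "zip_line": (
        "From: sender@example.invalid\nSubject: order\n\n"
        "Ship to:\n12345\nThanks, Bob\n"
    ),
}

# Nigel's idea: the whole body is one short run of digits and nothing else.
# A hypothetical SpamAssassin rule of the same shape would be:
#   body     LOCAL_NUMERIC_ONLY_BODY  /^\s*\d{3,6}\s*$/
#   describe LOCAL_NUMERIC_ONLY_BODY  Body is nothing but a short number
#   score    LOCAL_NUMERIC_ONLY_BODY  2.5
NUMERIC_ONLY = re.compile(r"\A\s*\d{3,6}\s*\Z")


def plain_body(raw):
    """Return the decoded text/plain body of a raw message ('' if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def classify_body(body, max_len=16):
    """Apply both candidate rules from the thread.

    Returns (short_body, numeric_only):
      short_body   - Evan's idea: fewer than max_len characters after trimming
      numeric_only - Nigel's idea: the body is a single 3-6 digit number
    """
    stripped = body.strip()
    return (len(stripped) < max_len, NUMERIC_ONLY.match(body) is not None)


def score(raw):
    """Toy scoring: numeric-only is strong evidence; merely short is weak,
    because a length rule on its own also fires on a legitimate 'Hello.'."""
    short, numeric = classify_body(plain_body(raw))
    return (2.5 if numeric else 0.0) + (0.5 if short else 0.0)


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15s} score={score(raw):.1f}")
```

The "Hello." sample is the false positive Evan anticipates: it trips the length check but not the digits check, so a length-only rule needs a low score or a companion condition.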

Re: spam

2006-12-04 Thread Darron Froese

On 4-Dec-06, at 5:57 PM, Nigel Frankcom wrote:


What rules/scores are you running?



BAYES_99=3.5,
DATE_IN_FUTURE_96_XX=2.403,
DK_POLICY_SIGNSOME=0.001,
DSPAM_SPAM=4,
RCVD_IN_BL_SPAMCOP_NET=1.558,
SAGREY=1


The nonstandard rules that tripped on this are DSPAM and SAGrey - everything 
else for this is stock, I think.


These are the DSPAM rules - SA looks at the mail after it goes  
through DSPAM:


header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
describe DSPAM_SPAM DSPAM claims it is spam
score DSPAM_SPAM 4.0

header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
describe DSPAM_HAM DSPAM claims it is ham
score DSPAM_HAM -0.25

SAGrey you can get here:

http://www.ntrg.com/misc/sagrey/

Hope that helps at all.
--
darron froese
principal
nonfiction studios inc.
t  403.686.8887
c 403.819.7887
f  403.313.9233
w http://nonfiction.ca/
e  [EMAIL PROTECTED]




Re: How to examine a system and determine the mail delivery agent.

2006-12-04 Thread Don Saklad
How would, where would a mail transfer agent tell you the
mail delivery agent for a the system at hand?...

Developing instructive information without acronyms,
without industry jargon that complete novices, neophytes
can use easily is the heart of the matter.


Re: [Slightly OT and long] Architectural question...

2006-12-04 Thread Theo Van Dinter
On Mon, Dec 04, 2006 at 05:19:56PM -0500, Rubin Bennett wrote:
> I have pretty much every test on the planet being run (see list below)
> and updated via Rules_Du_Jour on the SpamAssassin side of things, and

You don't seem to be using sa-update...

-- 
Randomly Selected Tagline:
"I'm convinced that the body metal for this car was supplied by Reynold's
 Aluminum." - Unknown about the Renault LeCar




Re: rules_du_jour not working confusion?

2006-12-04 Thread Steven Stern
Bazooka Joe wrote:
> rules_du_jour seems to fail on lint. I am trying to figure that out
> now but I have a different question.  Has channels replaced
> rules_du_jour? Should I be using something else to update my sare
> rules?
> 
> thx
> 
> -bazooka
> 
> ps I am using SpamAssassin 3.1.4
> 
> pps below are the lint errors if anyone has come across it before I
> delve into it.
> 
> 
>
[snip]

Do your current rules pass a lint test?


-- 

  Steve


Re: rules_du_jour not working confusion?

2006-12-04 Thread Bazooka Joe

I think so. ran spamassassin --lint and no errors.

On 12/4/06, Steven Stern <[EMAIL PROTECTED]> wrote:

Bazooka Joe wrote:
> rules_du_jour seems to fail on lint. I am trying to figure that out
> now but I have a different question.  Has channels replaced
> rules_du_jour? Should I be using something else to update my sare
> rules?
>
> thx
>
> -bazooka
>
> ps I am using SpamAssassin 3.1.4
>
> pps below are the lint errors if anyone has come across it before I
> delve into it.
>
>
>
[snip]

Do your current rules pass a lint test?


--

  Steve



Re: How to examine a system and determine the mail delivery agent.

2006-12-04 Thread Alan Premselaar
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



Don Saklad wrote:
> How would, where would a mail transfer agent tell you the
> mail delivery agent for a the system at hand?...
> 
> Developing instructive information without acronyms,
> without industry jargon that complete novices, neophytes
> can use easily is the heart of the matter.

Don,

 to my knowledge, there is no way to determine the MDA (mail delivery
agent) without having access to the mail server's configuration files.

Alan
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFdNfxE2gsBSKjZHQRAlDCAJ4uSVmxnpkNzqWaWOiuDSVYiPYF+ACfbxD+
UgSh4d/dst6sC+AoruiCrxU=
=dP3a
-END PGP SIGNATURE-


Re: Wiki: Document the rules!

2006-12-04 Thread Kenneth Porter

A little investigation reveals another path:

Go to the Tests page from the main web page:



Select the latest SA version to see its list of tests. For a given test 
(AKA rule) click its Wiki link on the right. Either a descriptive page 
already exists, or you'll be presented with the option to create a new one. 
If the latter, select the RuleDescriptionTemplate from the list of 
templates, edit as needed, and save.


Re: spam

2006-12-04 Thread Chris
On Monday 04 December 2006 6:11 pm, san wrote:
> Hi,
>
> Am receiving spam mails which just have a number in the body, just like
> 1265 or 2196...
>
> any thoughts how to stop this kind of spam..
>
> thanks
> san
This is how these are scored here:

Content analysis details:   (32.8 points, 5.0 required)

 pts rule name              description
 -- --
 2.6 HELO_DYNAMIC_DIALIN    Relay HELO'd using suspicious hostname
                            (T-Dialin)
  20 RM_t_bobbf             Definate spam destination email address
 0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 4.2 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9864]
 0.0 BOTNET_CLIENT          Hostname looks like a client hostname
 5.0 BOTNET                 Any Botnet rule hit
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders


-- 
Chris




New spam

2006-12-04 Thread Ray Anderson

Hello,

I've been lurking for a while and had just recently decided to try to 
put the FuzzyOCR on my spam filtering machine, when I found the 
following incredibly obfuscated stock spam (link at bottom of message)


The question is this:

Will FuzzyOCR find/detect the garbage in this image or is even 
implementing OCR pointless as the generators get more sophisticated?


I wasn't sure if I could post an image, so here is a link to the headers 
and the image.


I'll take it down tomorrow morning.

Thanks!

-=Ray

http://www.rb-com.com/spam.php


Confused about white/black lists.

2006-12-04 Thread Steven W. Orr
I have some spam getting through that has USER_IN_WHITELIST. I go and look 
and sher nuff, the From address is there in the email column of the awl 
table. I don't know how it got there but it's there. Can someone please 
'splain to me how this works?


* My understanding is that a positive value in the awl table in the
  totscore column is a blacklist entry. A negative value is a
  whitelist entry. Am I correct?
* What is the purpose of the count column. Is it used as a parameter
  in the calculation with the totscore value?
* Is there a command line interface to change something from a
  whitelist value to a blacklist value?
* If an address is added to the table for a user, can I make that
  address be made somehow 'global' so that it weighs against email to
  any user?
* Is all mail that comes in, both ham and spam, using From addresses
  to add to the awl table?
* (Last question). All spam that comes in is run through
  sa-learn --spam
  Is there something else I should do to better manage the awl?

TIA

--
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net


Re: How to examine a system and determine the mail delivery agent.

2006-12-04 Thread Shane Williams

On Mon, 4 Dec 2006, Evan Platt wrote:


At 12:20 PM 12/4/2006, you wrote:

How do novice end users, neophytes examine things and determine
what is the mail delivery agent ?... as a general understanding
of the particular system at hand.

This is with respect to setting up a secondary mail file for
screened spam type messages that later can be checked over for
any false positives.


Unless I'm not understanding you... You could attempt to telnet to the mail 
server on port 25, some will say for example:

220 example.com ESMTP Postfix


The way I read the message (which may also be incorrect), Don wants to
know about the MDA (for instance procmail), not the MTA (like
sendmail, postfix, etc.).  While your MTA and MDA can often be the
same software, this isn't necessarily true.

In any case, the best first step is to determine the MTA using the
method Evan suggests.  Once you know the MTA, you can probably check the
config files.  For example, grep for the string "Mlocal" in
/etc/mail/sendmail.cf and if it makes reference to procmail, the MDA
is procmail.

--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT iSchool
=--+---
All syllogisms contain three lines |  [EMAIL PROTECTED]
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

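Shane's second step, reading the local mailer definition out of sendmail.cf, is easy to do by eye with grep but the line is split over continuations and packed with single-letter fields. The Python below is an added example (not from the thread and not part of any mail software) that parses a constructed sendmail.cf excerpt and pulls out the P= program of the "local" mailer, which is the MDA sendmail hands local mail to. The file excerpt, the procmail path and the flag strings are hypothetical sample values; a real sendmail.cf has many more mailers and options.

```python
import re

# Constructed excerpt of a sendmail.cf mailer section (hypothetical sample,
# not a file from the thread).
SENDMAIL_CF = (
    "Mlocal,\t\tP=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL,\n"
    "\t\tR=EnvToL/HdrToL, T=DNS/RFC822/X-Unix,\n"
    "\t\tA=procmail -t -Y -a $h -d $u\n"
    "Mprog,\t\tP=/bin/sh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, D=$z:/,\n"
    "\t\tT=X-Unix/X-Unix/X-Unix,\n"
    "\t\tA=sh -c $u\n"
    "Msmtp,\t\tP=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\\r\\n, L=990,\n"
    "\t\tT=DNS/RFC822/SMTP,\n"
    "\t\tA=TCP $h\n"
)

# One mailer field: a single capital letter, '=', then everything up to the
# next comma (the A= argument vector is last and carries no commas).
FIELD_RE = re.compile(r"([A-Z])=([^,]*)")


def mailer_definitions(cf_text):
    """Parse 'M<name>, P=..., F=..., ...' mailer lines into
    {name: {field: value}}, joining continuation lines (those that begin
    with whitespace) onto the definition they belong to."""
    defs = {}
    current = None
    for line in cf_text.splitlines():
        if line.startswith("M") and "," in line:
            name, _, rest = line[1:].partition(",")
            current = defs.setdefault(name.strip(), {})
            current.update((k, v.strip()) for k, v in FIELD_RE.findall(rest))
        elif line[:1].isspace() and current is not None:
            current.update((k, v.strip()) for k, v in FIELD_RE.findall(line))
        else:
            current = None  # any other line ends the current definition
    return defs


def local_delivery_agent(cf_text):
    """The program sendmail runs for local delivery, i.e. the MDA
    (None if the file defines no 'local' mailer)."""
    return mailer_definitions(cf_text).get("local", {}).get("P")


if __name__ == "__main__":
    print("MDA:", local_delivery_agent(SENDMAIL_CF))
```

Reading the configuration requires being able to read the file, which is the point Alan makes in this thread: as an end user without that access, the banner on port 25 tells you the MTA and nothing about the delivery agent behind it.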

Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-04 Thread René Berber
Daryl C. W. O'Shea wrote:
[snip]
> Sendmail should be putting a "(authenticated bits=0)" line in its
> Received header when the user authenticates.  SA will automatically use
> this to extend the trust path if the header above it is trusted.

Let's start by saying two things:

1) LOCAL_AUTH_RCVD doesn't do anything useful, just to clarify what happened to
the original subject.

2) SA 3.1.7 (and 3.1.5) doesn't seem to recognize Sendmail's authentication
under some circumstances.  I assume that it does recognize it for other
messages, even if I have not seen evidence to that effect.

If I change Received.pm, line 414, like this:

  # Sendmail, MDaemon, some webmail servers, and others
-  elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
+  elsif (/^from .*?(.*?authenticated.*?\).*? by/) {

It does recognize the authentication line I showed before, and the message is
not scored by Botnet which is what I wanted.

The relevant debug output:
...
[2932] dbg: received-header: parsed as [ ip=189.149.70.163
rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA
by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth=Sendmail ]
[2932] dbg: received-header: relay 189.149.70.163 trusted? yes internal? yes
[2932] dbg: metadata: X-Spam-Relays-Trusted: [ ip=200.52.129.137
rdns=mail.legosoft.com.mx helo= by=cactus-soft.dyndns.org ident=
[EMAIL PROTECTED] intl=1 id=J9POUJ-0001MC-JY auth= ] [ ip=189.149.70.163
rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA
by=mail.legosoft.com.mx ident= envfrom= intl=1 id=kB3G26P6019032 auth=Sendmail ]
...

The full path to the patched file is
/usr/lib/perl5/site_perl/5.8/Mail/SpamAssassin/Message/Metadata/Received.pm
-- 
René Berber



Re: Confused about white/black lists.

2006-12-04 Thread Theo Van Dinter
On Mon, Dec 04, 2006 at 10:12:26PM -0500, Steven W. Orr wrote:
> I have some spam getting through that has USER_IN_WHITELIST. I go and look 
> and sher nuff, the From address is there in the email column of the awl 
> table. I don't know how it got there but it's there. Can someone please 
> 'splain to me how this works?

USER_IN_WHITELIST has nothing to do with the AWL.  You'll want to find your
whitelist_from/whitelist_from_rcvd entry that matches the mail.

-- 
Randomly Selected Tagline:
"Linux is not beautiful. Because power means rawness. And its up to the
 user to paint it. When he gets there don't get scared. Everyone has a
 Picasso inside."- Unknown user from /.




What is this spam trying to do ??

2006-12-04 Thread Rajkumar S

Hi,

I got a new spam, and it just have a single number as content, and
worryingly the sender ip is not listed in any blacklists. Some spammer
trying to clean his address lists?

raj
--
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 27195 invoked from network); 5 Dec 2006 00:58:01 -
Received: from myserver1.com ([202.88.xxx.xx])
 (envelope-sender <[EMAIL PROTECTED]>)
 by myserver2.com (qmail-ldap-1.03) with compressed SMTP
 for <[EMAIL PROTECTED]>; 5 Dec 2006 00:58:01 -
Received: (qmail 13384 invoked from network); 5 Dec 2006 01:11:36 -
Received: from unknown (HELO [219.144.240.66]) ([219.144.240.66])
 (envelope-sender <[EMAIL PROTECTED]>)
 by myserver1.com (qmail-ldap-1.03) with SMTP
 for <[EMAIL PROTECTED]>; 5 Dec 2006 01:11:32 -
Message-ID: <[EMAIL PROTECTED]>
From:   "edges" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Swedes just
Date:   Tue, 5 Dec 2006 08:57:24 +0800
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="windows-1250";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on myserver1.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=disabled
version=3.0.3

2141


Re: What is this spam trying to do ??

2006-12-04 Thread Evan Platt


At 09:18 PM 12/4/2006, you wrote:

Hi,

I got a new spam, and it just have a single number as content, and
worryingly the sender ip is not listed in any blacklists. Some spammer
trying to clean his address lists?


See the thread earlier today "spam". 



Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-04 Thread Jo Rhett

René Berber wrote:

If I change Received.pm, line 414, like this:

  # Sendmail, MDaemon, some webmail servers, and others
-  elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
+  elsif (/^from .*?(.*?authenticated.*?\).*? by/) {


This can't be right.  You have mismatched parens.  Perl agrees with me:

perl -wc 
/usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Message/Metadata/Received.pm
Unmatched ( in regex; marked by <-- HERE in m/^from .*?( <-- HERE 
.*?authenticated.*?\).*? by/ at 
/usr/local/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Message/Metadata/Received.pm 
line 415.



--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: [Slightly OT and long] Architectural question...

2006-12-04 Thread hamann . w

Hi,

from your description it seems that an "I have seen this before" component would do well.

The IXHASH was originally developed for just that context: if the same mail is sent to almost everybody in a <50 usergroup, the recipients are likely not to want it.

Consideration (if you want to handle the load ... you probably can): your MTA should reject unknown recipients, but it could also reject after the data phase and immediately feed to bayes

Wolfgang Hamann




Re: [Slightly OT and long] Architectural question...

2006-12-04 Thread Karl Auer
On Tue, 2006-12-05 at 05:53 +, [EMAIL PROTECTED] wrote:
> The IXHASH was originally developed for just that context: if the same mail 
> is sent to almost
> everybody in a <50 usergroup, the recipients are likely not to want it.

That seems wrong to me - what about mailing lists, newsletters etc? Or
would you explicitly whitelist such stuff?

Regards, K.

-- 
~~~
Karl Auer ([EMAIL PROTECTED])   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/  +61-428-957160 (mob)



Re: How novice end users, neophytes can set things up so that suspected spam or likely spam or definitely spam type messages go to another secondary mail file for later examination in case there are a

2006-12-04 Thread Don Saklad
Thank you!

Unfortunately, so far the usability of information is rather more
advanced than for novices, for the neophytes.

How could something be developed that's easier, simple and
straightforward?...

So many end users looking over the SpamAssassin headers on email
haven't climbed the too steep learning curve for
making the best use of the headers.


Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-04 Thread Jo Rhett
So I did some digging, and by deliberately breaking the REGEX (adding 
NOMATCH to the middle of the line) I confirmed several things:


1. The line works properly on my system with the patch
2. If the line matches then ALL_TRUSTED is applied
3. ALL_TRUSTED does nothing to negate SPF checks

René Berber wrote:

Daryl C. W. O'Shea wrote:
[snip]

Sendmail should be putting a "(authenticated bits=0)" line in its
Received header when the user authenticates.  SA will automatically use
this to extend the trust path if the header above it is trusted.


Let's start by saying two things:

1) LOCAL_AUTH_RCVD doesn't do anything useful, just to clarify what happened to
the original subject.

2) SA 3.1.7 (and 3.1.5) doesn't seem to recognize Sendmail's authentication
under some circumstances.  I assume that it does recognize it for other
messages, even if I have not seen evidence to that effect.

If I change Received.pm, line 414, like this:

  # Sendmail, MDaemon, some webmail servers, and others
-  elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
+  elsif (/^from .*?(.*?authenticated.*?\).*? by/) {

It does recognize the authentication line I showed before, and the message is
not scored by Botnet which is what I wanted.

The relevant debug output:
...
[2932] dbg: received-header: parsed as [ ip=189.149.70.163
rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA
by=mail.legosoft.com.mx ident= envfrom= intl=0 id=kB3G26P6019032 auth=Sendmail ]
[2932] dbg: received-header: relay 189.149.70.163 trusted? yes internal? yes
[2932] dbg: metadata: X-Spam-Relays-Trusted: [ ip=200.52.129.137
rdns=mail.legosoft.com.mx helo= by=cactus-soft.dyndns.org ident=
[EMAIL PROTECTED] intl=1 id=J9POUJ-0001MC-JY auth= ] [ ip=189.149.70.163
rdns=dsl-189-149-70-163.prod-infinitum.com.mx helo=MARISELA
by=mail.legosoft.com.mx ident= envfrom= intl=1 id=kB3G26P6019032 auth=Sendmail ]
...

The full path to the patched file is
/usr/lib/perl5/site_perl/5.8/Mail/SpamAssassin/Message/Metadata/Received.pm



--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-04 Thread John Rudd

Jo Rhett wrote:

René Berber wrote:

If I change Received.pm, line 414, like this:

  # Sendmail, MDaemon, some webmail servers, and others
-  elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
+  elsif (/^from .*?(.*?authenticated.*?\).*? by/) {


This can't be right.  You have mismatched parens.  Perl agrees with me:



I think, given one of the escaped parens, he meant this:

+  elsif (/^from .*?\(.*?authenticated.*?\).*? by/) {



Though, CommuniGate Pro's authenticated received header looks like this:

from [$ipaddr] (account $account HELO $helostring) by $host 
(CommuniGate Pro


So, you could match that with:

/^from \[\S+\] \(account [EMAIL PROTECTED] .*\) by \S+ \(CommuniGate Pro/







Re: How to examine a system and determine the mail delivery agent.

2006-12-04 Thread SM

At 16:40 04-12-2006, Don Saklad wrote:

How would, where would a mail transfer agent tell you the
mail delivery agent for a the system at hand?...


You are using Exim as the mail transfer agent.  Exim comes with its 
own mail delivery agent.  The mail delivery agent would be specified 
in the Exim's configuration file.


Regards,
-sm 



Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-04 Thread Jo Rhett
Sorry, in my reply I meant to point out that the original line was 
working properly for me (Sendmail environment) but that the line working 
did not solve my problem.


John Rudd wrote:

Jo Rhett wrote:

René Berber wrote:

If I change Received.pm, line 414, like this:

  # Sendmail, MDaemon, some webmail servers, and others
-  elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
+  elsif (/^from .*?(.*?authenticated.*?\).*? by/) {


This can't be right.  You have mismatched parens.  Perl agrees with me:



I think, given one of the escaped parens, he meant this:

+  elsif (/^from .*?\(.*?authenticated.*?\).*? by/) {



Though, CommuniGate Pro's authenticated received header looks like this:

from [$ipaddr] (account $account HELO $helostring) by $host 
(CommuniGate Pro


So, you could match that with:

/^from \[\S+\] \(account [EMAIL PROTECTED] .*\) by \S+ \(CommuniGate Pro/








--
Jo Rhett
Network/Software Engineer
Net Consonance


5 digit probe spam?

2006-12-04 Thread Marc Perkel
Is anyone else getting these? Messages with a random subject and the 
message is a 5 digit number. What is it?




Re: SPAM Question

2006-12-04 Thread Loren Wilton
Gee, I thought these had been gone for weeks.

Write a rule for this:

Reply-To: "Your Mngr. linetmelisa" <[EMAIL PROTECTED]>
  - Original Message - 
  From: Robert Swan 
  To: users@spamassassin.apache.org 
  Sent: Monday, December 04, 2006 9:25 AM
  Subject: SPAM Question


  Q1. How does this e-mail end up in my mailbox, if the "To:" is someone else 
(I am not [EMAIL PROTECTED]), and how can I identify this with a SPAM rule:

  Q2. Is there a custom rule that triggers if someone sends from an ".ar" 
domain server or some other foreign country server? We don't get e-mail here 
from other countries ever.

  Thanks in advance.

  Received: by spam1.nskinc.com (Postfix, from userid 501)
  id 26E7034D15F; Sat,  2 Dec 2006 02:23:15 -0500 (EST)
  X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on SPAM1
  X-Spam-Level: **
  X-Spam-Status: No, score=2.8 required=4.9 tests=BAYES_80,LOCAL_INVALID_PTR2,
  UNPARSEABLE_RELAY autolearn=no version=3.1.7
  Received: from 41EB3698 (unknown [80.227.13.12])
  by spam1.nskinc.com (Postfix) with SMTP id F07C034CB3C;
  Sat,  2 Dec 2006 00:30:41 -0500 (EST)
  Received: from intrusive.uccor.edu.ar (HELO precis.uccor.edu.ar)
  by linux.org (8.12.6/8.12.6/Debian-1) with ESMTP id gBAApHtr083821
  for <[EMAIL PROTECTED]>; Fri, 01 Dec 2006 22:18:52 -0700
  Message-Id: <[EMAIL PROTECTED]>
  Reply-To: "Your Mngr. linetmelisa" <[EMAIL PROTECTED]>
  Date: Fri, 01 Dec 2006 23:22:52 -0600
  From: "Mr. lizzie" <[EMAIL PROTECTED]>
  To: <[EMAIL PROTECTED]>
  Subject: just like the real ones  -Roxanne
  Return-Path: [EMAIL PROTECTED]
  X-OriginalArrivalTime: 02 Dec 2006 18:54:45.0462 (UTC) 
FILETIME=[55648760:01C71643]

  Robert

  Peace he would say instead of goodbyepeace my brother.


Re: 5 digit probe spam?

2006-12-04 Thread Evan Platt

At 10:27 PM 12/4/2006, you wrote:
Is anyone else getting these? Messages with a random subject and the 
message is a 5 digit number. What is it?


See the thread earlier today "spam".



SPF module bug

2006-12-04 Thread Jo Rhett
Well, here's the debug to show that SPF is doing the wrong thing. 
Rather, it's not doing the right thing -- it's not checking for an 
authenticated session at all.


So... I guess this means I need to provide a patch to the SPF module? 
Or will the author step up to the plate on this?


[2133] dbg: spf: checking HELO (helo=!172.16.12.22!, ip=209.157.140.144)
[2133] dbg: spf: query for /209.157.140.144/!172.16.12.22!: result: 
unknown, comment: Please see 
http://www.openspf.org/why.html?sender=!172.16.12.22!&ip=209.157.140.144&receiver=triceratops.lizardarts.com: 
domain of sender !172.16.12.22! does not exist

[2133] dbg: eval: all '*From' addrs: [EMAIL PROTECTED]
[2133] dbg: eval: trying Received header date for real time: 4 Dec 2006 
22:31:23 -0800
[2133] dbg: eval: time_t from date=1165300283, rcvd= 4 Dec 2006 22:31:23 
-0800

[2133] dbg: eval: all '*To' addrs: [EMAIL PROTECTED]
[2133] dbg: spf: found Envelope-From in first external Received header
[2133] dbg: spf: checking EnvelopeFrom (helo=!172.16.12.22!, 
ip=209.157.140.144, [EMAIL PROTECTED])
[2133] dbg: spf: query for 
[EMAIL PROTECTED]/209.157.140.144/!172.16.12.22!: result: fail, 
comment: Please see 
http://www.openspf.org/why.html?sender=jrhett%40lizardarts.com&ip=209.157.140.144&receiver=triceratops.lizardarts.com

[2133] dbg: rules: ran eval rule ALL_TRUSTED ==> got hit
[2133] dbg: rules: ran eval rule __ENV_AND_HDR_FROM_MATCH ==> got hit
[2133] dbg: spf: def_whitelist_from_spf: [EMAIL PROTECTED] is not in 
DEF_WHITELIST_FROM_SPF

[2133] dbg: rules: ran eval rule SPF_FAIL ==> got hit
[2133] dbg: eval: date chosen from message: Mon Dec 4 22:31:23 2006
[2133] dbg: spf: whitelist_from_spf: [EMAIL PROTECTED] is not in 
user's WHITELIST_FROM_SP


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: Confused about white/black lists.

2006-12-04 Thread Matt Kettler
Steven W. Orr wrote:
> I have some spam getting through that has USER_IN_WHITELIST. I go and
> look and sher nuff, the From address is there in the email column of
> the awl table. 
USER_IN_WHITELIST has NOTHING to do with the AWL.

This is strictly a whitelist_from, whitelist_from_rcvd or
whitelist_from_spf thing.

Be sure to check *all* header that SA considers to be From: equivalents,
including Return-Path.


> I don't know how it got there but it's there. Can someone please
> 'splain to me how this works?
>
> * My understanding is that a positive value in the awl table in the
>   totscore column is a blacklist entry. A negative value is a
>   whitelist entry. Am I correct?
No. That's the total score. The AWL is a score-averager, not a black or
whitelist.

AWL score = (totalscore/count)-(current message score before AWL) * (awl
factor, default 0.5).


> * What is the purpose of the count column. Is it used as a parameter
>   in the calculation with the totscore value?
Yes. See above.
> * Is there a command line interface to change something from a
>   whitelist value to a blacklist value?
No, because it's not a black or whitelist. In theory
--add-addr-to-whitelist and --add-addr-to-blacklist can be used to bias
these numbers, but last time I tried it didn't work properly for
existing entries.

> * If an address is added to the table for a user, can I make that
>   address be made somehow 'global' so that it weighs against email to
>   any user?
Not unless you use a global AWL.
> * Is all mail that comes in, both ham and spam, using From addresses
>   to add to the awl table?
Yes.
> * (Last question). All spam that comes in is run through
>   sa-learn --spam
>   Is there something else I should do to better manage the awl?
sa-learn --spam has no effect on the AWL. That affects the BAYES system.
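The averaging described in the reply above, as an added toy model (not SpamAssassin's own AWL code). It assumes the adjustment is (totscore/count minus the message's pre-AWL score) times the factor, default 0.5, and that the pre-AWL score is what gets added to totscore; the sender addresses and scores are constructed.

```python
"""Toy model of the SpamAssassin auto-whitelist (AWL) score averager.

Added example, not SpamAssassin's own code. Assumption: the delta applied
to a message is (mean of past pre-AWL scores - this message's pre-AWL
score) * factor, and the entry is then updated with the pre-AWL score.
"""
from dataclasses import dataclass, field


@dataclass
class AwlEntry:
    totscore: float = 0.0  # sum of pre-AWL scores seen for this sender
    count: int = 0         # number of messages seen from this sender


@dataclass
class Awl:
    factor: float = 0.5    # auto_whitelist_factor, SA's default
    table: dict = field(default_factory=dict)

    def adjust(self, addr: str, msg_score: float) -> float:
        """Return the AWL delta for this message and record its score.

        A positive totscore is not a blacklist: the delta only pulls the
        current score toward the sender's historical mean. A sender with no
        history gets no adjustment.
        """
        entry = self.table.setdefault(addr, AwlEntry())
        delta = 0.0
        if entry.count > 0:
            mean = entry.totscore / entry.count
            delta = (mean - msg_score) * self.factor
        # History stores the score *before* the AWL delta is applied.
        entry.totscore += msg_score
        entry.count += 1
        return delta


def run_history(history, factor=0.5):
    """Feed constructed (addr, pre-AWL score) pairs through one AWL table.

    Returns [(addr, pre_awl_score, delta, final_score), ...].
    """
    awl = Awl(factor=factor)
    out = []
    for addr, score in history:
        delta = awl.adjust(addr, score)
        out.append((addr, score, delta, score + delta))
    return out


if __name__ == "__main__":
    # Constructed: a spammy sender, then one low-scoring message from it.
    for row in run_history([("[email protected]", 12.0), ("[email protected]", 14.0),
                            ("[email protected]", 13.0), ("[email protected]", 2.0)]):
        print(row)
```

Note that the low-scoring fourth message is raised by 5.5 toward the sender's mean of 13.0, which is why a positive totscore looks like a blacklist entry but is only a history.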



Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-04 Thread René Berber
Jo Rhett wrote:

> René Berber wrote:
>> If I change Received.pm, line 414, like this:
>>
>>   # Sendmail, MDaemon, some webmail servers, and others
>> -  elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
>> +  elsif (/^from .*?(.*?authenticated.*?\).*? by/) {
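Review bot: the `+` line does not compile as a Perl regex: the `(` after `.*?` is unescaped and opens a capture group that is never closed, while the later `\)` is escaped, so the parens are mismatched; it should read `\(.*?authenticated.*?\)`. Beyond the typo, the change also drops the `(?:\]\)|\)\])` alternation, so the branch no longer requires the text before the `(... authenticated ...)` comment to end in `])` or `)]` and will now match any Received line carrying such a comment anywhere before `by`. If the looser match is needed for a particular MTA's Received format, a separate `elsif` for that mailer is safer than widening the branch the comment says is shared by Sendmail, MDaemon and webmail servers.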
> 
> This can't be right.  You have mismatched parens.  Perl agrees with me:

Yes, it's a typo, should be:

elsif (/^from .*?\(.*?authenticated.*?\).*? by/) {

-- 
René Berber



Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-04 Thread Jo Rhett

René Berber wrote:

Jo Rhett wrote:


René Berber wrote:

If I change Received.pm, line 414, like this:

  # Sendmail, MDaemon, some webmail servers, and others
-  elsif (/^from .*?(?:\]\)|\)\]) .*?\(.*?authenticated.*?\).*? by/) {
+  elsif (/^from .*?(.*?authenticated.*?\).*? by/) {

This can't be right.  You have mismatched parens.  Perl agrees with me:


Yes, it's a typo, should be:

elsif (/^from .*?\(.*?authenticated.*?\).*? by/) {


So just FYI, with both plain sendmail and with amavisd-milter, the 
original line worked fine for me.


If you are using a different MTA then perhaps you should submit this as 
a patch with its own elsif {} container for that mailer?


Or send me a copy of your received line and I'll do the patch for you.

--
Jo Rhett
Network/Software Engineer
Net Consonance