Next Botnet plugin soon

2006-12-07 Thread John Rudd


I'm going to release 0.6 on Thursday or Friday.  It will only have the 
following changes:



1) a typo in the .txt file.

2) I figured out how to get the long package name ( 
Mail::SpamAssassin::Plugin::Botnet ) to work.


3) A coworker found a genuine bug in the IP-in-Hostname check (it would 
match the same IP octet twice because I took a shortcut in my regular 
expression; this was almost never a worry, except if, say, your IP 
address included an octet of .1. and your hostname had something like 
101 in it ... not really a fair match, so I have written a slightly 
less optimal regular expression that makes sure any given octet is only 
matched once). (I'm using tonight and tomorrow to get some extra time in 
to be sure the bug fix works, etc.; that's why I'm waiting a _little_ 
longer before I release this bug fix.)



I may also do a slight code reorganization for 0.7 that moves the actual 
checks into subroutines that can be called outside of SpamAssassin (i.e. 
that don't use $pms arguments).  Then include a "give me an IP address 
and I'll tell you what rules it fails" utility in the tar file.  This would 
also make it easy to use the exact same code directly in things like 
MIMEDefang and such.


So, the SpamAssassin-based calls would take the $pms object, extract a 
relay IP address and hostname (and test for things like which IPs to skip 
or pass, etc.).  Then they would call the new subroutines with that 
extracted information.


If you wanted to do the same checks from some other perl program, you'd 
have to feed it an IP address and hostname in the call.



So, those are my plans for 0.6 and 0.7.  Hopefully I won't need to do 
anything else before a 1.0 release.
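The IP-in-hostname check and the double-counted octet from item 3, worked through as an added Python example (not the Botnet plugin's own Perl and not John Rudd's code). It is written as the kind of stand-alone routine the 0.7 reorganization describes, taking only an IP address and a hostname; the threshold of two matched octets and the relay/hostname pairs are assumptions made here, and the shortcut version is included only to make the false positive visible.

```python
import re
from collections import Counter

# Constructed relay/hostname pairs (not from the original post). The second
# pair is the shape of false positive described in item 3: the IP has an
# octet "1" and the hostname contains "101".
SAMPLES = [
    ("24.62.119.72", "c-24-62-119-72.dsl.example.net"),
    ("10.1.2.3", "host101.example.net"),
    ("10.10.1.1", "dyn-10-10-1-1.example.net"),
    ("203.0.113.7", "ppp-203-000-113.example.net"),
    ("203.0.113.7", "host-203.example.net"),
    ("192.168.0.5", "mail.example.net"),
]


def ip_in_hostname_shortcut(ip: str, hostname: str, min_hits: int = 2) -> bool:
    """The shortcut the post warns about: credit every place an octet's digits
    occur anywhere in the hostname. The same octet is credited more than once
    ("1" is found twice in "host101") and one digit run can be credited to
    several octets ("10" and "1" both hit "101")."""
    hits = sum(len(re.findall(re.escape(octet), hostname)) for octet in ip.split("."))
    return hits >= min_hits


def ip_in_hostname(ip: str, hostname: str, min_hits: int = 2) -> bool:
    """Each octet is matched at most once, and only against a whole digit run
    of the hostname. Pairing octets and runs by numeric value and taking
    min(count) per value is exactly a one-to-one matching, so "101" can never
    satisfy octet 1 and neither side is reused. Leading zeros are tolerated
    (000 == 0); a run longer than three digits can never be an octet.
    Assumes a dotted-quad IPv4 address."""
    octets = Counter(int(o) for o in ip.split("."))
    runs = Counter(int(r) for r in re.findall(r"\d+", hostname) if len(r) <= 3)
    hits = sum(min(n, runs[value]) for value, n in octets.items())
    return hits >= min_hits


def compare(samples=SAMPLES):
    """Return (ip, hostname, shortcut_result, fixed_result) for every sample,
    so the two implementations can be checked side by side."""
    return [(ip, host, ip_in_hostname_shortcut(ip, host), ip_in_hostname(ip, host))
            for ip, host in samples]


if __name__ == "__main__":
    for ip, host, shortcut, fixed in compare():
        note = "  <-- shortcut false positive" if shortcut and not fixed else ""
        print(f"{ip:15} {host:32} shortcut={shortcut!s:5} fixed={fixed!s:5}{note}")
```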

Re: Rule update over DNS?

2006-12-07 Thread Justin Mason

Jason Haar writes:
 Daryl C. W. O'Shea wrote:
 
  What's stopping you from running sa-update more frequently?  I run it
  once an hour on most of my systems.
 May I propose that sa-update should become merged into spamd? (or
 daemonized)
 
 I'm thinking of lessons learned with ClamAV. Once upon a time they
 relied on people running freshclam manually (via cron) to look for
 updates. People loved it. Tens of thousands loved it. Update servers got
 HAMMERED by people running freshclam every MINUTE.
 
 So they did two things: Starting using DNS to tell freshclam if there
 really was a new update,

uh yeah, we do that already, for that reason! ;)

 and got freshclam to run as a daemon - so it
 could randomly sleep between lookups - and thus spread the load.

Well, that's a good point.

I can think of a useful modification -- change sa-update so that, if it's
run non-interactively, it sleeps for a random amount of 0-600 seconds.
That would reduce the hit.

(it's easy enough to tell if it's an interactive session; perl's
(-T STDIN) switch can tell if it's run from the command line
or cron.)

However, note that we also support any number of mirror servers, too.
Given that, I think it's doubtful we're going to run into this
problem...

--j.

 If all SA users set sa-update to run hourly - then when an update comes
 out, you will have *all* SA users contacting the same sites
 simultaneously for the downloads. Och...
 
 OTOH, if a daemon (like spamd itself - or a daemonized version of
 sa-update I suppose) was responsible, it could do the initial DNS lookup
 every 0-3600 seconds (just an example) and download when it sees an
 update - thus spreading the load.
 
 I know putting a sleep `expr $RANDOM / 9` && sa-update does the same
 thing - but people won't do that...
 
 -- 
 Cheers
 
 Jason Haar
 Information Security Manager, Trimble Navigation Ltd.
 Phone: +64 3 9635 377 Fax: +64 3 9635 417
 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


RE: how to modify headers so sa-learn gives more accurate results?

2006-12-07 Thread Leon Kolchinsky


 -Original Message-
 From: Matt Kettler [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, December 06, 2006 7:15 PM
 To: לאון קולצ'ינסקי
 Cc: users@spamassassin.apache.org
 Subject: Re: how to modify headers so sa-learn gives more accurate
 results?
 
 Leon Kolchinsky wrote:
  Hello All,
 
  I'm using the following script for reporting Razor and teaching BAYESIAN
 with ham and spam messages.
 
  I have the following questions:
  ---
  1) If I have the following in local.cf:
  use_bayes 1
  bayes_auto_learn 1
 
  Starting from what score message automatically learned by Bayesian?
 
  2) I do quarantine to spam mails and manually review all spam, then I
 put all False Positives (ham) to ham folder and all spam to spam folder
 and run the following script to populate Bayesian and report to Razor.
 
  Should I remove headers added like those -
  X-Quarantine-ID: X-Spam-Flag: X-Spam-Score: X-Spam-Level: X-Spam-Status:
 
 sa-learn will automatically ignore any headers and other markups that
 were added by SA, so you don't need to remove those.
 
 You can either remove X-Quarantine-ID, or use a bayes_ignore_header
 command to tell SA not to tokenize this.
 

OK, Thanks,

So the script should look like this now?

sa-learn --showdots --bayes_ignore_header X-Quarantine-ID --bayes_ignore_header 
X-Amavis-Alert --ham *

The problem is that I can't find any bayes_ignore_header option in 
# man sa-learn


  Or any others, so learning (sa-learn) would be more accurate?
  Any other recommendations?
 


Regards,
Leon



Re: SA not firing on every email

2006-12-07 Thread Jason Marshall
Perhaps SA was too busy and those messages timed out and weren't scanned ? 
Maybe those messages were greater than 250K (default max scan size) ?


I have the same sort of problem, though it's on linux rather than windows. 
Several emails sneak through when the server is busy.


I write to spam quarantine, mail spool, and bayes databases over NFS, and 
sometimes the NFS server gets busy.


I understand that spamassassin times out, but I'm running spamc with the 
-x option, which is supposed to, rather than pass the message through 
un-filtered, bounce it back to sendmail to try again.  Is an appropriate 
return code not being set when spamc times out, maybe?  Or does the -x 
option no longer work?



From the manpage:


   -x  Disables the 'safe fallback' error-recovery method, which passes
   through the unaltered message if an error occurs.  Instead, exit
   with an error code, and let the MTA queue up the mails for a retry
   later.  See also EXIT CODES.


From my .procmailrc:


:0fw
| /usr/local/bin/spamc -x

:0:
* ^X-Spam-Status: YES
mail/spamfile

Am I missing something obvious?  thanks anyone!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Jason Marshall, [EMAIL PROTECTED] Spots InterConnect, Inc. Calgary, AB |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Re: how to modify headers so sa-learn gives more accurate results?

2006-12-07 Thread Matt Kettler
Leon Kolchinsky wrote:
 OK, Thanks,

 So the script should look like this now?

 sa-learn --showdots --bayes_ignore_header X-Quarantine-ID 
 --bayes_ignore_header X-Amavis-Alert --ham *
   
Erm.. bayes_ignore_header isn't a command-line option. It's a
config-file option. put it in your local.cf.


 The problem is that I can't find any bayes_ignore_header option in 
 # man sa-learn
   
Of course not. see man Mail::SpamAssassin::Conf



RE: how to modify headers so sa-learn gives more accurate results?

2006-12-07 Thread Leon Kolchinsky


 -Original Message-
 From: Matt Kettler [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 07, 2006 12:36 PM
 To: לאון קולצ'ינסקי
 Cc: users@spamassassin.apache.org
 Subject: Re: how to modify headers so sa-learn gives more accurate
 results?
 
 Leon Kolchinsky wrote:
  OK, Thanks,
 
  So the script should look like this now?
 
  sa-learn --showdots --bayes_ignore_header X-Quarantine-ID --
 bayes_ignore_header X-Amavis-Alert --ham *
 
 Erm.. bayes_ignore_header isn't a command-line option. It's a
 config-file option. put it in your local.cf.
 
 
  The problem is that I can't find any bayes_ignore_header option in
  # man sa-learn
 
 Of course not. see man Mail::SpamAssassin::Conf

Thanks for pointing that out for me :)


Help with understanding a rule

2006-12-07 Thread Magnus.Ekhall

Hi,

Recently I sent an email to a list. That email was classified by several
SpamAssassin installations as spam due to the contents of the From: header,
which did not include my full name. (This email is sent from the same account.)

Users on the list said that the full name should be included in the From:
header and not only the email address as is the case now.

I want the IT staff to change this, but they require some proof that the
full name should be there(!).

Does anyone know why the full name should be in the From: header? From what
I can read in RFC 822, 4.2.1 there is no real requirement of this. Is there
anything else I can point to?


This is the rule that matched my email:


Content analysis details:   (3.0 points, 3.0 required)

 pts rule name  description
 -- --
 3.0 NO_REAL_NAME   From: does not include a real name


Thanks,
Magnus Ekhall


missing SA scores in headers

2006-12-07 Thread vertito
My SA scores are missing from the headers, but the scores appear inside the 
body of that spam email?
 
How can I bring the SA scores back to headers? See below:
 
X-Spam-Status: No, score=4.7 required=5.0 tests=HTML_80_90, 
HTML_IMAGE_RATIO_06,HTML_MESSAGE,HTML_NONELEMENT_00_10 
autolearn=disabled version=3.1.7 



Re: trouble calling spamc from within postfix

2006-12-07 Thread Mathias Homann

Noel Jones schrieb:

 * NEVER * use sendmail -t to reinject mail coming from the network.
 Doing so will send mail to everyone listed in the To: header, which
 doesn't have anything to do with who should receive the mail.

 As the guide said, use sendmail -oi -f ${sender} -- ${recipient}.

[...]
 In your case, probably the easiest solution is to add -o
 content_filter=spamassassin to the 127.0.0.1:10031 ... smtpd entry,
 and remove the content_filter from the pickup entry, and don't set
 content_filter in master.cf.



thanks a lot, that did it.


bye,
MH

-- 
The unsolicited sending of advertising e-mail to private individuals violates §1 
UWG and §823 I
BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O 201/98). Any commercial 
use of the
personal data transmitted, as well as passing it on to third parties, is 
expressly prohibited!



RE: Help with understanding a rule

2006-12-07 Thread Michael Scheidell
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, December 07, 2006 5:54 AM
 To: users@spamassassin.apache.org
 Subject: Help with understanding a rule
 
 
 Content analysis details:   (3.0 points, 3.0 required)
 
  pts rule name  description
  -- 
 --
  3.0 NO_REAL_NAME   From: does not include a real name
 
 

3.0 is WAY too low to be a useful score.

The list managers also have way too much spam coming in, so they
overreacted.

The list managers are the first ones who have to change.

Also, the default scoring for no_real_name is NOT 3.  Again, the list
managers are the ones who are telling you that they don't want to bother
with you.

Here is the default SA score:

score NO_REAL_NAME 0 0.550 0 0.961

NOT 3.0.

-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts:
http://www.secnap.com/news
 


What is the correct way of whitelisting local mail?

2006-12-07 Thread Robert S

I'm trying to stop SA from incorrectly labeling local messages as
spam.  The most common target is a weekly script that notifies the
user of quarantined spams.  The subject lines of each message fire off
a false positive.

What is the correct way of whitelisting local mail?

trusted_networks 192.168.2. 127.0.0.1 does not seem to ensure this and

whitelist_from @mydomain.com

might whitelist messages with spoofed sending addresses.

Can anybody help?


SV: Help with understanding a rule

2006-12-07 Thread Magnus.Ekhall
The list managers are the first ones who have to change.


Yes, you are probably right. But: there must be a reason why the
rule no_real_name exists? And if there is a rule (written or not)
that From: headers should contain a real name, I want to follow it.

And to follow it I need to convince my IT staff somehow...

So, what is the reason behind no_real_name?

Cheers,
Magnus Ekhall


RE: Help with understanding a rule

2006-12-07 Thread Sietse van Zanen
I want the IT staff to change this, but they require some proof that the
full name should be there(!).

That is definite proof of an incompetent IT staff..


Re: SA not firing on every email

2006-12-07 Thread Craig
Thanks for your reply
 
It's not that the server is too busy - I can put any one of those emails in the 
receive directory when no other emails are in the queue being scanned, and it 
still gets passed through.
 
Size is not an issue, the emails are 26k.
 
More details -
I have spamassassin integrated with Guinevere, and Groupwise is my mail 
application.
 
Any and all suggestions are welcome!

 Rick Macdougall [EMAIL PROTECTED] 12/06/2006 5:01 PM 
Craig wrote:
 Yes I have asked this question previously, but  with not as much detail.
  
 MY ENVIRONMENT
 SA 3.1.7
 running on Windows 2000
 Using Bayes
  
 In the past 2 days my email server has received 14,973 email messages, 
 Spamassassin has scanned 10,951 of those messages, and my users have 
 received @ 250 spam messages.
  
 Most of those spam messages have Subjects like;
 - All love enhancers on one portal!
 - Full of health? Then don't click!
 - Need medicine? All here!
   and my favorite
 - She wants a better sex? All you need's here!
  
 Why does SA fire on some emails (10,951) and not others (4,022)
 If I run any of these captured emails through manually, they score 50+ 
 points.
  

Hi,

Perhaps SA was too busy and those messages timed out and weren't scanned 
?  Maybe those messages were greater than 250K (default max scan size) ?

I'd personally go with option 1 but I don't know your server setup, how 
many children you allow with spamd and how busy your server is.

Regards,

Rick



Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread Justin Mason

Kelly Jones writes:
 Spamassassin has lots of tests for fake HELOs. If someone says HELO
 hotmail.com, but aren't connecting from a Hotmail IP address, they
 get dinged (spam score is increased).
 
 Recently, someone connected to our server, call it mx.xyz.com, and said
 HELO mx.xyz.com. Spamassassin didn't ding it for doing this.
 
 Is there a ruleset that does this? I realize xyz.com couldn't be
 hardcoded (otherwise, it'd be a different ruleset for everyone), but
 is there a generic ruleset that uses a function call or something to
 figure out your MX server (or the name of the machine spamassassin is
 running on) and then ding someone HELO'ing as that?

This is a great spam-sign alright, but I don't know of a way to detect
what the local site's HELO is, bar each site writing their own rules to do
so.

Bayes does a good job of figuring this out, btw.

Any suggestions?

--j.


Re: SA not firing on every email

2006-12-07 Thread guenther
On Thu, 2006-12-07 at 03:12 -0700, Jason Marshall wrote:
  Perhaps SA was too busy and those messages timed out and weren't scanned ? 
  Maybe those messages were greater than 250K (default max scan size) ?
 
 I have the same sort of problem, though it's on linux rather than windows. 
 Several emails sneak through when the server is busy.

This most likely is not the same issue as the OP has,


 I write to spam quarantine, mail spool, and bayes databases over NFS, and 
 sometimes the NFS server gets busy.
 
 I understand that spamassassin times out, but i'm running spamc with the 
 -x option, which is supposed to, rather than pass the message through 
 un-filtered, bounce it back to sendmail to try again.  Is an appropriate 
 return code not being set when spamc times out, maybe?  Or does the -x 
 option no longer work?
 
 From the manpage:
 
 -x  Disables the 'safe fallback' error-recovery method, which passes
 through the unaltered message if an error occurs.  Instead, exit
 with an error code, and let the MTA queue up the mails for a retry
 later.  See also EXIT CODES.
 
 From my .procmailrc:

procmail is not an MTA, but an MDA (Mail Transport or Delivery Agent
respectively). procmail processes your mail and delivers it. According
to your recipes, correctly. ;)


 :0fw
 | /usr/local/bin/spamc -x

You're using spamc as a filter. There is no fallback recipe for what to do
when the filter finishes unsuccessfully (based on the exit code).

 :0:
 * ^X-Spam-Status: YES
 mail/spamfile

Filter finished unsuccessfully, mail not altered, hence no such header. So
let's move on and check the next recipe...


 Am I missing something obvious?  thanks anyone!

The fact that procmail is not an MTA and does not queue mails (see the
description of the spamc -x option above).

...guenther





false positives

2006-12-07 Thread Kamen TOMOV
Hi,

I constantly have problems with spamcop these days. Could you tell me
what's wrong with my messages so that I can fix it?

Thanks,
-- 
Камен


RE: false positives

2006-12-07 Thread Sietse van Zanen
They contain too little information.

-Sietse





Re: SV: Help with understanding a rule

2006-12-07 Thread Chris Lear

* [EMAIL PROTECTED] wrote (07/12/06 12:03):

The list managers are the first ones who have to change.



Yes, you are probably right. But: there must be a reason why the
rule no_real_name exists? And if there is a rule (written or not)
that From: headers should contain a real name, I want to follow it.

And to follow it I need to convince my IT staff somehow...

So, what is the reason behind no_real_name?


Most MUAs, most of the time, put a real name into mail they send. It's 
standard setup. So not having a real name is, perhaps, a spam sign. This 
isn't the same as contravening RFCs. Remember that there's a rule called 
HTML_MESSAGE as well, which might be a spam sign. Both of these are 
bound to hit ham a lot of the time, so scoring them high would be, at 
best, an unusual decision. Scoring them high enough to reject would be 
very unusual.


As it happens, on a server I manage NO_REAL_NAME hits 5% of spam, and 
25% of ham (much of which is not MUA-originated). So it's not a rule I'd 
like to reject on.


But if a mailing list or a user has a "you must provide a real name" 
policy, spamassassin's flexible enough to be able to enforce it.


Chris


Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread Alan Munday

Justin Mason wrote the following on 07/12/2006 13:21:


This is a great spam-sign alright, but I don't know of a way to detect
what the local site's HELO is, bar each site writing their own rules to do
so.

Bayes does a good job of figuring this out, btw.

Any suggestions?


A script that telnets into the mail system to discover helo name and the 
associated IP?

Then it can write a system specific rule.

Alan



Re: Rule update over DNS?

2006-12-07 Thread Theo Van Dinter
On Thu, Dec 07, 2006 at 09:31:36AM +, Justin Mason wrote:
  and got freshclam to run as a daemon - so it
  could randomly sleep between lookups - and thus spread the load.
 
 I can think of a useful modification -- change sa-update so that, if it's
 run non-interactively, it sleeps for a random amount of 0-600 seconds.
 That would reduce the hit.

I'm not sure how this would help exactly.  If people want to check for updates
once a minute, and sa-update sleeps randomly for up to 10m, this just means
their system will have (potentially) 10 sa-updates running at the same time.
Through the magic of randomness, all 10 of those could end up making requests
at the same time (or at least within the same minute), and that's a lot less
spread out than once a minute.

 However note that we also support any number of mirror servers, too.
 given that, I think it's doubtful we're going to run into this
 problem...

Yeah, the design, I think, is pretty scalable.

-- 
Randomly Selected Tagline:
Don't ever make trouble here, I beat you up each time.
  - From Rumble in the Bronx




RE: SV: Help with understanding a rule

2006-12-07 Thread Sietse van Zanen

Think of this analogy:

If somebody calls me on my home phone, I immediately see his nr. (If I don't 
see a nr. I don't pick up my phone at all). Now, the first thing I'd expect 
someone to say when I pick up is his name. If people start talking to me 
without stating who they are, it is commercial sh*** 95% of the time and I just 
hang up.

It's a matter of being polite. Very regularly e-mail addresses are not indicative of the person's name, for example only containing initials. 


It basically comes down to this, if a real name is not specified the chance 
that it is spam is considerable and it should be scored a couple of points.

-Sietse





Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread Jack L. Stone
On 7 Dec 2006 at 13:21, Justin Mason wrote:

 
 Kelly Jones writes:
  Spamassassin has lots of tests for fake HELOs. If someone says
  HELO hotmail.com, but aren't connecting from a Hotmail IP
  address, they get dinged (spam score is increased).
  
  Recently, someone connected to our server, call it mx.xyz.com, and
  said HELO mx.xyz.com. Spamassassin didn't ding it for doing
  this.
  
  Is there a ruleset that does this? I realize xyz.com couldn't
  be hardcoded (otherwise, it'd be a different ruleset for
  everyone), but is there a generic ruleset that uses a function
  call or something to figure out your MX server (or the name of
  the machine spamassassin is running on) and then ding someone
  HELO'ing as that?
 
 This is a great spam-sign alright, but I don't know of a way to
 detect what the local site's HELO is, bar each site writing their
 own rules to do so.
 
 Bayes does a good job of figuring this out, btw.
 
 Any suggestions?
 
 --j.
 

I use milter-regex as the frontline wall and this regex for 
catching fakers:

## HELO faking my own IP address
tempfail "Malformed HELO (can't be me)"
helo /^70\.86\.37\.82$/

HTH.




Regards,
Jack L. Stone
System Admin


Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread Justin Mason

Jack L. Stone writes:
 On 7 Dec 2006 at 13:21, Justin Mason wrote:
  Kelly Jones writes:
   Spamassassin has lots of tests for fake HELOs. If someone says
   HELO hotmail.com, but aren't connecting from a Hotmail IP
   address, they get dinged (spam score is increased).
   
   Recently, someone connected to our server, call it mx.xyz.com, and
   said HELO mx.xyz.com. Spamassassin didn't ding it for doing
   this.
   
   Is there a ruleset that does this? I realize xyz.com couldn't
   be hardcoded (otherwise, it'd be a different ruleset for
   everyone), but is there a generic ruleset that uses a function
   call or something to figure out your MX server (or the name of
   the machine spamassassin is running on) and then ding someone
   HELO'ing as that?
  
  This is a great spam-sign alright, but I don't know of a way to
  detect what the local site's HELO is, bar each site writing their
  own rules to do so.
  
  Bayes does a good job of figuring this out, btw.
  
  Any suggestions?
 
 I use milter-regex as the frontline wall and this regex for 
 catching fakers:
 
 ## HELO faking my own IP address
 tempfail "Malformed HELO (can't be me)"
 helo /^70\.86\.37\.82$/
 
 HTH.

yeah -- there are any number of ways to do this, if requiring admin
configuration is OK -- I'm asking for ways we can automatically
figure it out from SpamAssassin code, without help. ;)

--j.


Re: SpamAssassin dns timeouts... why?!

2006-12-07 Thread Richard D Alloway

On Thu, 7 Dec 2006, Matthias Häker wrote:


Richard D Alloway schrieb:


Hi!  I have been having loads of problems with spamassassin timing out 
during DNS lookups...


If I use

/usr/bin/spamassassin -D < /tmp/spamemail.txt

I see the correct IP used for the nameserver:

[16018] dbg: dns: name server: 192.168.1.1, family: 2, ipv6: 0



maybe you should use the DNS Server from your ISP and not the DNS Proxy from 
your Router / Gateway


Hi Matthias.

I *AM* the ISP ;)

We have a dedicated DNS server that we communicate with over a non-routable 
network to segregate the mail server traffic from the rest of our network. 
This was to reduce the load on our primary and secondary DNS servers that serve 
our customers.


The dedicated mail DNS server handles 2 RBLs locally (one rsync'd from the RBL 
vendor and one that is our own) and caches all non-authoritative traffic.


Thanks for the suggestion, though! :)

-Rich

Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread Duncan Hill
On Thursday 07 December 2006 15:11, Justin Mason wrote:

 yeah -- there are any number of ways to do this, if requiring admin
 configuration is OK -- I'm asking for ways we can automatically
 figure it out from SpamAssassin code, without help. ;)

Really and truly, it belongs at the MTA level, not in the scoring engine.  
Being pedantic aside...

A new config item would make it easier - one that defines the IP address 
and/or names (including NAT/CNAME) that the MTAs talking to the SA instance 
are known by.  A plug-in / core subroutine can then compare the received 
lines to see if the HELO fragment matches the 'by a.b.c' fragments, where 
a.b.c is a name listed in the config item.

Problem is, I don't have any samples to be more concrete with - my servers 
reject any machines that claim to be in my DNS domain or IP range (unless 
they're in mynetworks).


Re[4]: spam

2006-12-07 Thread Fred T
Hello Neal,

Wednesday, December 6, 2006, 11:08:27 AM, you wrote:

 Except for the problem that body tests include the subject, so there
 will be non-alpha characters in the body due to the subject inclusion.

 Are you sure about that?  I find nothing in the documentation that
 indicates this (though I admit I didn't look terribly hard).  All I see
 is:

100% sure of this, I've been writing rules for over 2 years, not that
big by some standards, but I've come to know for a very long time this
is how it is.  Do a simple test to see for yourself, I have a rule to
check for FREE in caps.  It's a body rule, create a simple test
message with FREE in the subject and not in the body, now run that
message through and see it hit ;)


 http://wiki.apache.org/spamassassin/WritingRules
 For our first rule, let's start with the simplest type of
 rules, the basic body rule. These rules search the body of the message
 with a regular expression and if it matches, the corresponding score is
 assigned.

It must be in the official docs that come with the install, I'm
looking over the wiki to see how it can be updated.


 Considering headers are not part of the body, I'd say that if body rules
 match against the subject, then either the documentation in the wiki is
 misleading and needs to be changed, or there's a problem with the body
 rules behavior.

I know it's been this way, there's probably a really old bugzilla
ticket someone can dig up, but it's been around since 2.64 or earlier.


-- 
Best regards,
 Fred  mailto:[EMAIL PROTECTED]



No Network tests?!

2006-12-07 Thread leemansvg

I'm running spamassassin --lint and it comes up saying that it's only doing
local tests. I've enabled DNS and I am connected to the internet. I've also
enabled razor, dcc, and pyzor in the spam.assassin.prefs file. Does anyone
have an idea where I might have a misconfiguration? Here's a snippet from the 
--lint test

[30223] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC  
0.00032
[30223] dbg: dcc: local tests only, disabling DCC   0.00817
[30223] dbg: plugin: registered
Mail::SpamAssassin::Plugin::DCC=HASH(0x91ef780) 0.00028
[30223] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC 
0.00016
[30223] dbg: pyzor: local tests only, disabling Pyzor   0.00346
[30223] dbg: plugin: registered
Mail::SpamAssassin::Plugin::Pyzor=HASH(0x928b9a8)   0.00022
[30223] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC 
0.00016
[30223] dbg: razor2: local tests only, skipping Razor   0.00372
[30223] dbg: plugin: registered
Mail::SpamAssassin::Plugin::Razor2=HASH(0x91b29f4)  0.0002
[30223] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC 
0.00016
[30223] dbg: reporter: local tests only, disabling SpamCop

Thanks.



Re[2]: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread Fred T
Hello Justin,

Thursday, December 7, 2006, 10:11:45 AM, you wrote:

 yeah -- there are any number of ways to do this, if requiring admin
 configuration is OK -- I'm asking for ways we can automatically
 figure it out from SpamAssassin code, without help. ;)

As someone else pointed out, the best bet might be the use of a new
config item / plugin.  something like:

ifplugin mxhelo
mx_helo_name  mx.host.tld host.tld d.d.d.d
header        HELO_AS_ME  eval:check_for_my_mx()
score         HELO_AS_ME  0.1
endif

I'll create a ticket for enhancement.


-- 
Best regards,
 Fred  mailto:[EMAIL PROTECTED]
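The mx_helo_name / check_for_my_mx() sketch above and Duncan Hill's suggestion of comparing the HELO fragment against the "by a.b.c" fragment of the Received: line, worked through as an added Python example (not SpamAssassin code and not the proposed plugin). The site names, addresses, trusted networks and Received: headers are all constructed here; the rule also treats a HELO of one of our own address literals as "claims to be me", the case Jack Stone's milter-regex rule catches.

```python
import ipaddress
import re

# Hypothetical site configuration in the spirit of the mx_helo_name sketch:
# the names and addresses our MTAs are known by, plus the networks that may
# legitimately introduce themselves that way (the "unless in mynetworks" case).
MY_HELO_NAMES = {"mx.example.net", "example.net"}
MY_ADDRESSES = {ipaddress.ip_address("192.0.2.10")}
MY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed Received: header bodies in the common postfix/sendmail shape
# "from <helo> (<rdns> [<ip>]) by <our host> ...".
SAMPLE_RECEIVED = [
    "from mail.partner.example (mail.partner.example [198.51.100.20]) by mx.example.net with ESMTP",
    "from mx.example.net (unknown [203.0.113.77]) by mx.example.net with SMTP",
    "from [192.0.2.10] ([203.0.113.78]) by mx.example.net with SMTP",
    "from EXAMPLE.NET (unknown [203.0.113.79]) by mx.example.net with SMTP",
    "from mx.example.net (relay.example.net [192.0.2.20]) by mx.example.net with ESMTP",
]

# HELO, optional reverse-DNS name, connecting IP in brackets, then the receiving host.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(header: str):
    """Split one Received: header into helo / rdns / ip / by; None if it does not
    have the expected shape (unparseable headers must never score)."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {
        "helo": m["helo"].strip("[]").lower(),   # "[192.0.2.10]" -> "192.0.2.10"
        "rdns": (m["rdns"] or "").lower(),
        "ip": ipaddress.ip_address(m["ip"]),
        "by": m["by"].lower().rstrip(";"),
    }


def claims_to_be_me(rcvd: dict) -> bool:
    """HELO names one of our configured hostnames, the very host that accepted the
    connection (the 'by' fragment), or one of our own address literals."""
    helo = rcvd["helo"]
    if helo in MY_HELO_NAMES or helo == rcvd["by"]:
        return True
    try:
        return ipaddress.ip_address(helo) in MY_ADDRESSES
    except ValueError:
        return False  # HELO was a name, not an address literal


def is_mine(ip) -> bool:
    """Connecting address belongs to us, so using our identity is legitimate."""
    return ip in MY_ADDRESSES or any(ip in net for net in MY_NETWORKS)


def helo_as_me(header: str) -> bool:
    """The proposed HELO_AS_ME test: a client outside our networks introduced
    itself with one of our identities."""
    rcvd = parse_received(header)
    if rcvd is None:
        return False
    return claims_to_be_me(rcvd) and not is_mine(rcvd["ip"])


def scan(headers=SAMPLE_RECEIVED):
    """Return [(header, hit)] for every sample Received: line."""
    return [(h, helo_as_me(h)) for h in headers]


if __name__ == "__main__":
    for header, hit in scan():
        print(f"{'HELO_AS_ME' if hit else '          '}  {header}")
```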



RE: No Network tests?!

2006-12-07 Thread Bowie Bailey
leemansvg wrote:
 I'm running spamassassin --lint and it comes up saying that it's only
 doing local tests. I've enabled DNS and I am connected to the
 internet. I've also enabled razor, dcc, and pyzor in the
 spam.assassin.prefs file. Does anyone have an idea where I might
 have a misconfiguration? Here's a snippet from the --lint test

As of the most recent versions, --lint does not do network tests.  If you
want to debug network tests, you will need to feed in a test message that
has some header information for the network tests to work with.

spamassassin -D < test.msg

-- 
Bowie


Synchronizing two Bayes databases

2006-12-07 Thread Emmanuel Lesouef
Dear List,

This is sort of a repost of a previous email I sent to this list.

I have two mailservers acting as mail proxies for our main mailserver.

These two servers have the same sitewide configuration for Spamassassin
and they use site-wide bayes databases.

For a reason I don't really know, the 2 bayes database are not the same.
And the one of the second MX isn't really good at detecting spam. I
suppose I forgot to do a sa-learn someday...

My question is : what can I do to have the same database on the two
mailserver ? Is there a procedure to dump the database from the best
mailserver and import it on the second ?

Thanks for your attention and help you can give.

-- 
Emmanuel Lesouef


RE: Re[4]: spam

2006-12-07 Thread Coffey, Neal
Fred T wrote:
 100% sure of this, I've been writing rules for over 2 years, not that
 big by some standards, but I've come to know for a very long time this
 is how it is.

 [...]
 
 I know it's been this way, there's probably a really old bugzilla
 ticket someone can dig up, but it's been around since 2.64 or earlier.

Thanks for the clarification, Fred.  It's behavior I wouldn't have
expected, so I'm glad it's been brought up.


Re: ***SPAM*** SpamAssassin dns timeouts... why?!

2006-12-07 Thread Jeff Chan
On Wednesday, December 6, 2006, 2:19:11 PM, Richard Alloway wrote:
 Any idea what could be wrong?  I'm rapidly running out of ways to try to
 increase performance here.

Net::DNS uses the first server in your resolv.conf.  Make sure
that server works, is local, etc.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



RE: Synchronizing two Bayes database

2006-12-07 Thread Sietse van Zanen
Sure, use MySQL for Bayes storage and have both servers use that DB. Then you 
could be fairly sure both use the same Bayes.

I think it should even be possible to dump both databases and migrate into one 
SQL db. But I don't use MySQL myself, so I would not know how.

-Sietse




From: Emmanuel Lesouef
Sent: Thu 07-Dec-06 17:28
To: Spamassassin Mailing-List
Subject: Synchronizing two Bayes database


Dear List,

This is sort of a repost of a previous email I sent to this list.

I have two mail servers acting as mail proxies for our main mail server.

These two servers have the same site-wide configuration for SpamAssassin
and they use site-wide Bayes databases.

For a reason I don't really know, the 2 Bayes databases are not the same.
And the one on the second MX isn't really good at detecting spam. I
suppose I forgot to do a sa-learn someday...

My question is: what can I do to have the same database on the two
mail servers? Is there a procedure to dump the database from the best
mail server and import it on the second?

Thanks for your attention and help you can give.

-- 
Emmanuel Lesouef


Re: rules_du_jour not working confusion?

2006-12-07 Thread Daryl C. W. O'Shea

Alan Munday wrote:

Daryl C. W. O'Shea wrote the following on 06/12/2006 17:31:


Is a migration document really necessary?  Stop using the rule files 
you got via RDJ that you now want to get with sa-update.  Start using 
sa-update for those rule files.  Have some lunch.


Agreed - I do like to lunch. Though the last time I counted there are 26 
rulesets on the SARE site but only 20 on your channels page.


I don't have a channels page.  I will in the future, but it's way down 
the list of things to do.


My howto says:

  Channels names are created by prepending the .cf file name found on
  the SARE site (http://www.rulesemporium.com/rules.htm) to
  .sare.sa-update.dostech.net.

It has no mention of there only being a subset of the rules available. 
They're all there, even some old ones that aren't listed on the rules 
page anymore.  The current count is one hundred (100) channels, some of 
which are pretty much useless though, as they're rules for old versions 
of SA.


If you want to confirm I have a ruleset, either check DNS, or do what a 
good 75% of the people currently using the channels have done and check 
out the index of the directory housing all the channels:


http://daryl.dostech.ca/sa-update/sare/


A migration document which covers why this is the case and what to do 
about the other rulesets covered by RDJ, or their status as they are 
added to the number of rulesets that can be updated via sa-update, may be 
very useful.


As I said before, the only channels that aren't currently provided are 
ones for Bill Stearns' rules and I think at least some of those are used 
for input to SURBL anyway.


So:
 - it's not really the case
 - new SARE rulesets are added immediately (as in less than 5 minutes)


Feel free, though, to edit the SpamAssassin wiki to improve the 
documentation there as you see fit.  This and my last two emails to this 
thread should have all the necessary info.



Daryl


Re: false positives

2006-12-07 Thread Kamen TOMOV
On Thursday, December 07 2006, Sietse van Zanen wrote:

 They contain too little information.

All right - here is more information. I sent a message to a group and
I got it classified as spam. Here is the report:

*  1.7 SUBJECT_ENCODED_TWICE Subject: MIME encoded twice

Here is how the subject looked when I sent it:

(off-topic) spamcop =?windows-1251?B?4vrv8O7x6A==?=

It looks to me that it is not encoded twice. However, here is the
subject of the message that was received in the list:

 [SPAM] =?windows-1251?q?=5BSPAM=5D_=28off-topic=29_spamcop_=E2?=
=?windows-1251?b?+u/w7vHo?=

..., which might have been encoded twice. So is that a problem of the
mailing list?

* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
*  0.1 FORGED_RCVD_HELO Received: contains a forged HELO

Can anybody tell me what "HELO matches SPF record" means?

* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*  [score: 0.4115]
*  0.2 MIME_BASE64_NO_NAME RAW: base64 attachment does not have a file
*  name

What attachments? I haven't attached anything to my message. It looks
like SpamAssassin took the whole message as an attachment just because
it is base64-encoded.

*  1.9 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding

I don't understand why a base64-encoded message is classified as
disguised. My mail agent had just decided to encode the message in
base64 as it contains cp1251 characters, so what's wrong with
that?

*  0.4 AWL AWL: From: address is in the auto white-list

Can anybody tell me what "From: address is in the auto
white-list" means? If it is in a white list, why is the coefficient 0?

-- 
Камен


forwarding email

2006-12-07 Thread aubreyL

OS - slackware 11.0
MDA - sendmail 8.13.8
mimedefang version 2.58
SpamAssassin version 3.1.7
 running on Perl version 5.8.8


I have one user that has to get email forwarded from an old account to 
the server that I administer.  I have spam going to a spamdrop via 
MIMEDefang.  So I added this little bit into mimedefang-filter



    # Spam checks if SpamAssassin is installed
    if ($Features{"SpamAssassin"}) {
        if (-s "./INPUTMSG" < 100*1024) {
            # Only scan messages smaller than 100kB.  Larger messages
            # are extremely unlikely to be spam, and SpamAssassin is
            # dreadfully slow on very large messages.
            my($hits, $req, $names, $report) = spam_assassin_check();
            my($score);
            if ($hits >= req) {
                #   action_discard();

                # Add a header with original recipients, just for info
                action_add_header("X-Orig-Rcpts", join(", ", @Recipients));

                # Remove original recipients
                foreach my $recip (@Recipients) {
                    delete_recipient($recip);
                }

                # Send to spam address
                add_recipient('[EMAIL PROTECTED]');
            }
        }
    }

This works great, except for that email that is getting forwarded.  
Maybe 1 out of 45 messages are ham, the rest, spam.  The problem I have 
is the messages that are ham are getting sent to the spamdrop as well.  
All of the messages that get tagged as spam, get the spamassassin report 
attached.  But the ham messages that should not go to the spamdrop *do 
not* get a spamassassin report, or score.  If I take the message(s) out 
of the spamdrop, and run them through spamassassin, then they do not 
score high enough to get filtered.


Does anyone know why this is, or ever had an issue like this?

TIA
-Aubrey


RE: false positives

2006-12-07 Thread Sietse van Zanen
(off-topic) spamcop =?windows-1251?B?4vrv8O7x6A==?=

Was that really your subject, did you type that? I think the 
=?windows-1251?B?4vrv8O7x6A==?= is the double-encoded part.

Your problem might be the result of some incompatibility between Slavic and 
European character sets. But I'm not such an SMTP expert. Other people 
probably can elaborate more on this.

SPF is Sender Policy Framework. More information can be found here: 
http://www.openspf.org/
It validates that the mail servers sending are really mail servers responsible 
for the domain they send mail for. So SPF matches are a good thing.

More info on the AWL can be found here: 
http://wiki.apache.org/spamassassin/AutoWhitelist

-Sietse



From: Kamen TOMOV
Sent: Thu 07-Dec-06 18:00
To: users@spamassassin.apache.org
Subject: Re: false positives


On Thursday, December 07 2006, Sietse van Zanen wrote:

 They contain too little information.

All right - here is more information. I sent a message to a group and
I got it classified as spam. Here is the report:

*  1.7 SUBJECT_ENCODED_TWICE Subject: MIME encoded twice

Here is how the subject looked when I sent it:

(off-topic) spamcop =?windows-1251?B?4vrv8O7x6A==?=

It looks to me that it is not encoded twice. However, here is the
subject of the message that was received in the list:

 [SPAM] =?windows-1251?q?=5BSPAM=5D_=28off-topic=29_spamcop_=E2?=
=?windows-1251?b?+u/w7vHo?=

..., which might have been encoded twice. So is that a problem of the
mailing list?

* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
*  0.1 FORGED_RCVD_HELO Received: contains a forged HELO

Can anybody tell me what "HELO matches SPF record" means?

* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
*  [score: 0.4115]
*  0.2 MIME_BASE64_NO_NAME RAW: base64 attachment does not have a file
*  name

What attachments? I haven't attached anything to my message. It looks
like SpamAssassin took the whole message as an attachment just because
it is base64-encoded.

*  1.9 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding

I don't understand why a base64-encoded message is classified as
disguised. My mail agent had just decided to encode the message in
base64 as it contains cp1251 characters, so what's wrong with
that?

*  0.4 AWL AWL: From: address is in the auto white-list

Can anybody tell me what "From: address is in the auto
white-list" means? If it is in a white list, why is the coefficient 0?

-- 
Камен
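
Decoding the two Subject headers quoted above, as an added check that is not part of the thread or of SpamAssassin: the script below runs the standard library's email.header.decode_header over the header values copied from Kamen's post (the received one with its second encoded word on a folded continuation line, as the archive shows it). It calls a header double-encoded when one round of decoding still leaves an encoded word in the text; whether SUBJECT_ENCODED_TWICE tests exactly that is not claimed here.

```python
"""Decode RFC 2047 Subject headers and test for genuine double encoding.

Added example; the two header values are copied from the post above, the
third is a constructed, genuinely double-encoded one for contrast.
"""
import re
from email.header import decode_header

# Subject as sent (copied from the thread).
SENT = "(off-topic) spamcop =?windows-1251?B?4vrv8O7x6A==?="

# Subject as it came back from the list (copied from the thread); the
# second encoded word sits on a folded continuation line.
RECEIVED = ("[SPAM] =?windows-1251?q?=5BSPAM=5D_=28off-topic=29_spamcop_=E2?=\n"
            " =?windows-1251?b?+u/w7vHo?=")

# Constructed: the Q-encoded payload is itself an encoded word.
DOUBLE = "=?utf-8?q?=3D=3Futf-8=3Fq=3Fhi=3F=3D?="

ENCODED_WORD = re.compile(r"=\?[^?]+\?[bBqQ]\?[^?]*\?=")


def decode_subject(raw: str) -> str:
    """Decode every encoded word with its declared charset; keep plain text as is."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def encoded_words(raw: str):
    """(charset, encoding) of each encoded word, to see how the text was split."""
    return re.findall(r"=\?([^?]+)\?([bBqQ])\?", raw)


def is_double_encoded(raw: str) -> bool:
    """True when one decoding pass still leaves an encoded word in the text."""
    return ENCODED_WORD.search(decode_subject(raw)) is not None


if __name__ == "__main__":
    for label, raw in (("sent", SENT), ("received", RECEIVED), ("double", DOUBLE)):
        print(f"{label:8} {encoded_words(raw)} -> {decode_subject(raw)!r}"
              f" double={is_double_encoded(raw)}")
```

Both headers decode to the same Bulgarian word: the list re-encoded the decoded text with a [SPAM] prefix and split it into a Q word and a B word, rather than wrapping the original encoded word inside another one, so by the definition used here neither header is double-encoded.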


Re: Percentage of email that is spam after filtering?

2006-12-07 Thread Fred T
Hello Kelly,

Friday, November 24, 2006, 8:28:38 PM, you wrote:

 I know that most (90%+) email sent now is spam, but what are the
 numbers for people who use spam filtering?

Well, I run a small ISP with about 3,000 mailboxes, we receive about
50k messages per day.  Of that, on average 39-44k are blocked by SA
for scoring 6+ points.  From what slips in, I created a simple VB
program to use spamassassin to scan the messages sitting in the
inboxes. In the last few days of running, it's identified 12,404 spam
and 72,520 ham.  Since the spammers make huge runs and then change or
disappear for a while, I needed a method to clean my maildir almost
like real-time virus scanning.  Except I'm just running my scanners on
free CPU of various workstations, if my program ID's spam in someone's
mailbox, it removes it and I verify it and add to my corpus.

According to my numbers, about 17% of mail passing SA is considered
spam by the time I'm done writing rules after it's already entered my
system.  I block at 6.0 and use no RBL's.  I do write custom rules
daily.

-- 
Best regards,
 Fred  mailto:[EMAIL PROTECTED]



Re: SV: Help with understanding a rule

2006-12-07 Thread Michael Scheidell
[EMAIL PROTECTED] wrote:
 The list managers are the first ones who have to change.

 

 Yes, you are probably right. But: there must be a reason why the
 rule no_real_name exists? And if there is a rule (written or not)
 that From: headers should contain a real name, I want to follow it.

 And to follow it I need to convince my IT staff somehow...

 So, what is the reason behind no_real_name?

   
None.

 Cheers,
 Magnus Ekhall

   


-- 
Michael Scheidell, CTO
SECNAP Network Security / www.secnap.com
[EMAIL PROTECTED]  / 1+561-999-5000, x 1131



Re: Percentage of email that is spam after filtering?

2006-12-07 Thread aubreyL

Fred T wrote:

Hello Kelly,

Friday, November 24, 2006, 8:28:38 PM, you wrote:

  

I know that most (90%+) email sent now is spam, but what are the
numbers for people who use spam filtering?



Well, I run a small ISP with about 3,000 mailboxes, we receive about
50k messages per day.  Of that, on average 39-44k are blocked by SA
for scoring 6+ points.  From what slips in, I created a simple VB
program to use spamassassin to scan the messages sitting in the
inboxes. In the last few days of running, it's identified 12,404 spam
and 72,520 ham.  Since the spammers make huge runs and then change or
disappear for a while, I needed a method to clean my maildir almost
like real-time virus scanning.  Except I'm just running my scanners on
free CPU of various workstations, if my program ID's spam in someone's
mailbox, it removes it and I verify it and add to my corpus.

According to my numbers, about 17% of mail passing SA is considered
spam by the time I'm done writing rules after it's already entered my
system.  I block at 6.0 and use no RBL's.  I do write custom rules
daily.

  
Why do you not run RBL's?  RBL's account for more than 60% of all spam 
that is getting filtered from my server.  Of course I'm small (60 users) 
but we get 25MB of spam daily.  So far, 100% spam is filtered from my 
server.


-=Aubrey=-


Re: What is the correct way of whitelisting local mail?

2006-12-07 Thread Nels Lindquist

Robert S wrote:


I'm trying to stop SA from incorrectly labeling local messages as
spam.  The most common target is a weekly script that notifies the
user of quarantined spams.  The subject lines of each message fire off
a false positive.

What is the correct way of whitelisting local mail?


The best way, if possible, is to configure your MTA not to run 
SpamAssassin on local mail traffic, however you define that.



Nels Lindquist


Re: Synchronizing two Bayes database

2006-12-07 Thread Emmanuel Lesouef
Yes, I was thinking about this solution.

But isn't it network resource hungry?

And if I would like to keep a file-based Bayes DB, what would be the
right way to migrate one to another server?

Thanks Sietse for the advice.

Sietse van Zanen wrote:
 Sure, use MySQL for Bayes storage and have both servers use that DB.
 Then you could be fairly sure both use the same Bayes.
  
 I think it should even be possible to dump both databases and migrate
 into one SQL db. But I don't use MySQL myself, so I would not know how.
  
 -Sietse
  
 
 
 *From:* Emmanuel Lesouef
 *Sent:* Thu 07-Dec-06 17:28
 *To:* Spamassassin Mailing-List
 *Subject:* Synchronizing two Bayes database
 
 Dear List,
 
 This is sort of a repost of a previous email I sent to this list.
 
 I have two mail servers acting as mail proxies for our main mail server.
 
 These two servers have the same site-wide configuration for SpamAssassin
 and they use site-wide Bayes databases.
 
 For a reason I don't really know, the 2 Bayes databases are not the same.
 And the one on the second MX isn't really good at detecting spam. I
 suppose I forgot to do a sa-learn someday...
 
 My question is: what can I do to have the same database on the two
 mail servers? Is there a procedure to dump the database from the best
 mail server and import it on the second?
 
 Thanks for your attention and help you can give.
 
 -- 
 Emmanuel Lesouef


-- 
Emmanuel Lesouef
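
Two ways to get where Emmanuel wants to be, as an added note that is not part of the thread. Sietse's shared store is configured in local.cf with bayes_store_module Mail::SpamAssassin::BayesStore::SQL plus bayes_sql_dsn, bayes_sql_username and bayes_sql_password on both proxies; every scan then talks to the database over the network, which is the cost Emmanuel asks about. For the file-based case, sa-learn --backup on the good MX writes the database as a text dump and sa-learn --restore loads it on the other. The script below, added here and not SpamAssassin's own code, goes one step further and merges two such dumps into one restore file. The record layout it parses is the one I understand the DBM backup to use (verify it against a dump from your own version first); the two dumps embedded in it are constructed.

```python
"""Merge two `sa-learn --backup` dumps into one `sa-learn --restore` input.

Added example, not SpamAssassin code. Assumed dump layout (check a real
dump from your version before relying on it):

    v<TAB>3<TAB>db_version # this must be the first line!!!
    v<TAB>N<TAB>num_spam
    v<TAB>N<TAB>num_nonspam
    t<TAB>spam_count<TAB>ham_count<TAB>atime<TAB>hex_token
    s<TAB>s|h<TAB>message-id

Token counts are summed and the newest atime kept. Messages learned on
both hosts are reported, because their tokens are then counted twice; if
that overlap is large, restoring the better dump on the other host is the
safer choice.
"""
import sys
from typing import Dict, List, Tuple

Token = Tuple[int, int, int]  # spam_count, ham_count, atime
Dump = Tuple[int, int, int, Dict[str, Token], Dict[str, str]]


def parse_dump(text: str) -> Dump:
    """Split a dump into (db_version, num_spam, num_nonspam, tokens, seen)."""
    db_version = None
    num_spam = num_ham = 0
    tokens: Dict[str, Token] = {}
    seen: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        kind, *fields = line.split("\t")
        if kind == "v":
            value, name = fields[0], fields[1].split()[0]  # drop trailing "# comment"
            if name == "db_version":
                db_version = int(value)
            elif name == "num_spam":
                num_spam = int(value)
            elif name == "num_nonspam":
                num_ham = int(value)
        elif kind == "t":
            spam, ham, atime, token = fields
            tokens[token] = (int(spam), int(ham), int(atime))
        elif kind == "s":
            flag, msgid = fields
            seen[msgid] = flag
        else:
            raise ValueError(f"line {lineno}: unknown record type {kind!r}")
    if db_version is None:
        raise ValueError("dump has no db_version record")
    return db_version, num_spam, num_ham, tokens, seen


def merge_dumps(first: str, second: str) -> Tuple[str, List[str]]:
    """Return (merged dump text, warnings about double-counted messages)."""
    ver_a, spam_a, ham_a, tok_a, seen_a = parse_dump(first)
    ver_b, spam_b, ham_b, tok_b, seen_b = parse_dump(second)
    if ver_a != ver_b:
        raise ValueError(f"db_version mismatch: {ver_a} vs {ver_b}")
    warnings: List[str] = []
    both = sorted(set(seen_a) & set(seen_b))
    if both:
        warnings.append(f"{len(both)} message(s) learned on both hosts are now "
                        f"double-counted, e.g. {both[0]}")
    for msgid in both:
        if seen_a[msgid] != seen_b[msgid]:
            warnings.append(f"{msgid} learned as spam on one host, ham on the other")
    tokens: Dict[str, Token] = dict(tok_a)
    for token, (spam, ham, atime) in tok_b.items():
        if token in tokens:
            s0, h0, a0 = tokens[token]
            tokens[token] = (s0 + spam, h0 + ham, max(a0, atime))
        else:
            tokens[token] = (spam, ham, atime)
    seen = {**seen_a, **seen_b}
    lines = [f"v\t{ver_a}\tdb_version # this must be the first line!!!",
             f"v\t{spam_a + spam_b}\tnum_spam",
             f"v\t{ham_a + ham_b}\tnum_nonspam"]
    lines += [f"t\t{s}\t{h}\t{a}\t{tok}" for tok, (s, h, a) in sorted(tokens.items())]
    lines += [f"s\t{flag}\t{msgid}" for msgid, flag in sorted(seen.items())]
    return "\n".join(lines) + "\n", warnings


# Constructed dumps standing in for `sa-learn --backup > mxN.dump` on each host.
DUMP_MX1 = (
    "v\t3\tdb_version # this must be the first line!!!\n"
    "v\t120\tnum_spam\n"
    "v\t80\tnum_nonspam\n"
    "t\t9\t0\t1165500000\t8f2a1c\n"
    "t\t1\t7\t1165400000\t03bd44\n"
    "s\ts\t<a1@spam.example>\n"
    "s\th\t<b2@ham.example>\n"
)
DUMP_MX2 = (
    "v\t3\tdb_version # this must be the first line!!!\n"
    "v\t40\tnum_spam\n"
    "v\t50\tnum_nonspam\n"
    "t\t4\t0\t1165600000\t8f2a1c\n"
    "t\t0\t2\t1165300000\t77e1aa\n"
    "s\ts\t<a1@spam.example>\n"
    "s\ts\t<c3@spam.example>\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 merge.py mx1.dump mx2.dump > merged.dump
        a, b = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        a, b = DUMP_MX1, DUMP_MX2
    merged, notes = merge_dumps(a, b)
    sys.stdout.write(merged)  # then: sa-learn --restore merged.dump on the other host
    for note in notes:
        sys.stderr.write("warning: " + note + "\n")
```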


Re: Score=x+5

2006-12-07 Thread Fred T
Hello Alan,

Wednesday, November 29, 2006, 8:23:14 PM, you wrote:

 -0.0 P0F_UNIX   OS fingerprint BSD/Solaris/HP-UX/Tru64

I'm curious about P0F_UNIX could you share this rule with me?  And any
similar fingerprint rules?  Thanks!


-- 
Best regards,
 Fred  mailto:[EMAIL PROTECTED]



local.cf

2006-12-07 Thread Andrea Bencini
I am looking for local.cf documentation to understand which are the
variables to set in this file.
Can you help me?
Thanks
Andrea



Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread John D. Hardin
On Wed, 6 Dec 2006, Kelly Jones wrote:

 Recently, someone connected our server, call it mx.xyz.com, and said
 HELO mx.xyz.com. Spamassassin didn't ding it for doing this.

IMHO this is worthy of a 500 reject at the MTA level. There is NO
legitimate reason for J. Random User out on the internet to claim his
MTA is yours.

I've posted milter-regex examples that do this here before.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.   -- James Madison, 1799
---
 8 days until Bill of Rights day



Re: Rule update over DNS?

2006-12-07 Thread Kelson

Jason Haar wrote:

May I propose that sa-update should become merged into spamd? (or
daemonized)


Merging would be bad. There are plenty of us using methods other than 
spamd to call SpamAssassin.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: What is the correct way of whitelisting local mail?

2006-12-07 Thread John D. Hardin
On Thu, 7 Dec 2006, Robert S wrote:

 I'm trying to stop SA from incorrectly labeling local messages as
 spam.  The most common target is a weekly script that notifies the
 user of quarantined spams.  The subject lines of each message fire off
 a false positive.

Determine what is passing messages to SA and tell it to not do that
with locally-sourced messages. If you use procmail to launch spamc
this is pretty easy to do.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.   -- James Madison, 1799
---
 8 days until Bill of Rights day
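
One way to do what John describes when procmail launches spamc, added here as an example and not taken from the post: only mail that did not originate on this host is piped through spamc, so a notifier script like the one Robert mentions never reaches SpamAssassin. The Received: pattern assumes sendmail on the local host, which stamps locally submitted mail with "Received: (from user@localhost)"; other MTAs write a different line, so check one of the notifier's messages for the line your MTA produces.

```procmail
# Skip spamc for mail that never left this box (sendmail local submission).
# Everything else under 256 kB is scanned; larger mail is passed through.
:0
* ! ^Received: \(from [^ ]+@localhost\)
* < 256000
{
  :0fw
  | /usr/bin/spamc
}
```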



Re: local.cf

2006-12-07 Thread Steven Stern

Andrea Bencini wrote:

I am looking for local.cf documentation to understand which are the
variables to set in this file.
Can you help me?
Thanks
Andrea
  

man Mail::SpamAssassin::Conf



RE: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread Larry Rosenman
John D. Hardin wrote:
 On Wed, 6 Dec 2006, Kelly Jones wrote:
 
 Recently, someone connected our server, call it mx.xyz.com, and said
 HELO mx.xyz.com. Spamassassin didn't ding it for doing this.
 
 IMHO this is worthy of a 500 reject at the MTA level. There is NO
 legitimate reason for J. Random User out on the internet to claim his
 MTA is yours.  
 
 I've posted milter-regex examples that do this here before.

I have the following in my EXIM Rcpt ACL:
---
  # kill off the folks that use OUR ip's in HELO Nice and Early.
  drop   message   = Forged IP detected in HELO: $sender_helo_name
         hosts     = !+relay_from_hosts
         !authenticated = *
         condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}

  # Forged hostname - HELOs as my own hostname or domain (early as well)
  drop   message   = Forged hostname detected in HELO: $sender_helo_name
         hosts     = !+relay_from_hosts
         !authenticated = *
         condition = ${lookup {$sender_helo_name} \
                       lsearch{/usr/local/etc/exim/checkfiles/our_host_names} \
                       {yes}{no}}

If they try and HELO/EHLO as my IP or host name, we unceremoniously drop the
connection. 

Just one other solution to this issue.



-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread hamann . w
 
 On Wed, 6 Dec 2006, Kelly Jones wrote:
 
  Recently, someone connected our server, call it mx.xyz.com, and said
  HELO mx.xyz.com. Spamassassin didn't ding it for doing this.
 
 IMHO this is worthy of a 500 reject at the MTA level. There is NO
 legitimate reason for J. Random User out on the internet to claim his
 MTA is yours.
 
 I've posted milter-regex examples that do this here before.
 
 --

Hi,

if you have outside users sending through your mta, you need to allow them 
almost any garbage in the helo string.
So the helo check should be run at mail or rcpt time - users are authenticated 
then

Wolfgang Hamann





Re: forwarding email

2006-12-07 Thread Jonas Eckerman
This really would be more on topic on the MIMEDefang list, but here goes...

You have a small but significant typo in your code:

 if ($hits >= req) {

You forgot the $ in $req.

The effect of the above comparison is that all mail that scores above 0 (zero) 
is considered spam.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB  Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



Re: Rule update over DNS?

2006-12-07 Thread Jim Maul

Kelson wrote:

Jason Haar wrote:

May I propose that sa-update should become merged into spamd? (or
daemonized)


Merging would be bad. There are plenty of us using methods other than 
spamd to call SpamAssassin.





I dont think anyone is using spamd to call SpamAssassin.



New to Spamassassin

2006-12-07 Thread Development

I would like to know if it is possible to use spamassassin on one server to
filter mail and then deliver it to a separate mail server on the network
running exchange, groupwise, etc?


Re: Rule update over DNS?

2006-12-07 Thread Justin Mason

Jim Maul writes:
 Kelson wrote:
  Jason Haar wrote:
  May I propose that sa-update should become merged into spamd? (or
  daemonized)
  
  Merging would be bad. There are plenty of us using methods other than 
  spamd to call SpamAssassin.
 
 I dont think anyone is using spamd to call SpamAssassin.

???

one over here ;)

--j.


Botnet 0.6 plugin for Spam Assassin available

2006-12-07 Thread John Rudd


(I had a bout of insomnia last night, and got more done than I had 
pre-announced yesterday...)



The next version of the Botnet plugin for Spam Assassin is ready.  The 
install instructions are in the Botnet.txt file, and in the INSTALL file.


For those who don't know what Botnet is, it's a plugin which tries to 
identify whether or not the message has been submitted by a 
botnet/spam-zombie type host by looking at its DNS characteristics (no 
reverse DNS, reverse DNS that doesn't resolve, or doesn't resolve back 
to the relay's IP, or reverse DNS that contains things that look like an 
ISP's client address).  The places I've been using it, and the people I 
hear about who are using it, have seen a high degree of success.


It can be downloaded from:

 http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar


As usual, feedback, statistics, bug reports, feature suggestions, are 
all welcome.


NOTE: This will be the last version I announce outside of the SA users 
mailing list.  I don't want to wear out the patience of the other list 
owners.  users@spamassassin.apache.org is where I'll make all further 
release announcements.



What's new in 0.6:


1) IP in Hostname bug fix (the same IP address octet could be matched 
twice.. which was a problem if the octet was 1, and the hostname had a 
sub-string like 101 in it)


2) pass_domains, clientwords, and serverwords weren't insensitive checks

3) typo fixed in botnet.txt

4) moved to Net::DNS (finally; and it's going to be needed for To Do 
item #3)


5) perl package is now named Mail::SpamAssassin::Plugin::Botnet

6) because clientwords and serverwords are meant to be _words_, they are 
now wrapped by (\b|\d) (both before and after the word/expression). 
This is to help avoid false positives where a clientword might have been 
a substring of a larger word that shouldn't have triggered the check 
(similarly for serverwords).


7) similarly, pass_domains now have a leading (\.|\A) added to them IF 
they don't already have \. or \A in front (but it will be added if the 
expression starts with . -- since this is a regular expression, that 
is assumed to mean any single character, so be careful).


8) added debug output for parse_config

9) added mta and relay to serverwords (used by classmates.com and/or 
reunion.com)


10) changed dsl to (a|s|d(yn)?)?dsl in clientwords (so, covers adsl, 
sdsl, ddsl, and dyndsl ... I've seen all of those except ddsl)


11) added res(net|ident(ial)?)? to clientwords (rr.com supposedly uses 
.res. in residential/customer IP hostnames, and .resnet. is common 
at universities for dorm IP addresses)


12) contemplating adding cpe and cust(omer)? to the controversial 
clientwords (I think cpe = customer (presence/provided/?) equipment)







To Do before 1.0:

1) prepend __ to sub-rules, only BOTNET proper should not have that

2) separate the SA routines from the core algorithms, so that the botnet 
checks can be used in other perl programs.  Include a script that takes 
an IP addr and answers where/how it passed/failed.


3) try to do a lookup on the sender's email address domain; if it points 
back to the relay's IP address (A record, or one of the MX records), 
then that's less likely to be a botnet.  Use this like 
BOTNET_SERVERWORDS -- just a counter to BOTNET_CLIENT.  What about SPF, 
too? (I think that was a suggestion in one of the alternate meta rules)


4) credits for help I've gotten from other people

5) get listed in the wiki
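
The regex changes in items 1, 6 and 7 above, worked through in Python as an added illustration. This is not the Botnet plugin's code: the word lists are a trimmed subset of the ones named in the notes, the hostnames are constructed, and the octet check is a simplified reading of the "match each octet once" fix rather than the plugin's algorithm.

```python
"""The three regex rules from the Botnet 0.6 notes, worked through in Python.

Added illustration, not the Botnet plugin's code. Word lists are trimmed,
hostnames are constructed, and the octet check is a simplified reading of
item 1 (each octet of the relay IP may be consumed once), not the plugin's.
"""
import re
from typing import Sequence

# Subset of the clientwords / serverwords mentioned in items 9-11 of the notes.
CLIENTWORDS = [r"(a|s|d(yn)?)?dsl", r"cable", r"dial(up)?", r"dyn(amic)?",
               r"res(net|ident(ial)?)?"]
SERVERWORDS = [r"mail", r"mx", r"smtp", r"mta", r"relay"]


def word_pattern(words: Sequence[str]):
    r"""Item 6: wrap every expression in (\b|\d) on both sides, then OR them.

    'adsl-1-2-3-4' and 'mta3' match, 'dslreports' and 'resolver' do not:
    a letter directly after the word is neither a word boundary nor a digit.
    """
    return re.compile("|".join(rf"(?:\b|\d)(?:{w})(?:\b|\d)" for w in words),
                      re.IGNORECASE)


CLIENT_RE = word_pattern(CLIENTWORDS)
SERVER_RE = word_pattern(SERVERWORDS)


def looks_like_client(hostname: str) -> bool:
    return CLIENT_RE.search(hostname) is not None


def looks_like_server(hostname: str) -> bool:
    return SERVER_RE.search(hostname) is not None


def pass_domain_pattern(expr: str):
    r"""Item 7: prefix a pass_domains entry with (\.|\A) unless it has \. or \A.

    A bare leading '.' is not '\.', so it still gets the prefix and then
    matches any single character, which is the trap the notes warn about.
    """
    if not (expr.startswith(r"\.") or expr.startswith(r"\A")):
        expr = r"(\.|\A)" + expr
    return re.compile(expr, re.IGNORECASE)


def octets_in_hostname(ip: str, hostname: str) -> int:
    """Item 1: count IP octets that occur as whole decimal numbers in hostname.

    Each digit run in the hostname is consumed at most once, so 1.1.1.1
    scores nothing on 'host101' and 10.1.1.1 scores two, not four, on
    'pool-10-1'.
    """
    runs = [int(r) for r in re.findall(r"\d+", hostname)]
    hits = 0
    for octet in (int(o) for o in ip.split(".")):
        if octet in runs:
            runs.remove(octet)  # consume this digit run
            hits += 1
    return hits


if __name__ == "__main__":
    for host in ("adsl-67-180-12-34.dsl.pltn13.example.net", "dslreports.example.com",
                 "cpe-75-180-0-1.res.example.net", "mta3.classmates.example"):
        print(f"{host:45} client={looks_like_client(host)} server={looks_like_server(host)}")
    print(octets_in_hostname("10.1.2.33", "dsl-10-1-2-33.example"))
```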




deny messageID

2006-12-07 Thread Jean-Paul Natola
I know this may sound weird but,

I have this message (a valid one) that keeps coming in

The sender's machine is off so I'm not really sure what's going on

It's been happening for about 36 hours now - it's odd that this message is in
both the mainlog AND the rejectlog- 

My thought is if I deny that message the sending server may eventually give
up?

P=esmtp S=4528454 [EMAIL PROTECTED]
mainlog:2006-12-07 06:59:16 1GsHpH-000P5O-7p <= [EMAIL PROTECTED] H=pmx2.africaonline.co.tz [216.104.206.8] P=esmtp S=4528454 [EMAIL PROTECTED]
mainlog:2006-12-07 12:08:28 1GsMeF-0002bN-3J <= [EMAIL PROTECTED] H=pmx2.africaonline.co.tz [216.104.206.8] P=esmtp S=4528454 [EMAIL PROTECTED]
mainlog:2006-12-07 13:18:33 1GsNkS-0002m7-U5 <= [EMAIL PROTECTED] H=pmx2.africaonline.co.tz [216.104.206.8] P=esmtp S=4528454 [EMAIL PROTECTED]
rejectlog:I Message-Id: [EMAIL PROTECTED]
rejectlog:I Message-Id: [EMAIL PROTECTED]
rejectlog:I Message-Id: [EMAIL PROTECTED]
rejectlog:I Message-Id: [EMAIL PROTECTED]
rejectlog:I Message-Id: [EMAIL PROTECTED]
rejectlog:I Message-Id: [EMAIL PROTECTED]
rejectlog:I Message-Id: [EMAIL PROTECTED]
rejectlog:I Message-Id: [EMAIL PROTECTED]
rejectlog:I Message-Id: [EMAIL PROTECTED]
rejectlog:I Message-Id: [EMAIL PROTECTED]
rejectlog:I Message-Id: [EMAIL PROTECTED]
rejectlog:I Message-Id: [EMAIL PROTECTED]









Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]



Re: Rule update over DNS?

2006-12-07 Thread Jim Maul

Justin Mason wrote:

Jim Maul writes:

Kelson wrote:

Jason Haar wrote:

May I propose that sa-update should become merged into spamd? (or
daemonized)
Merging would be bad. There are plenty of us using methods other than 
spamd to call SpamAssassin.

I dont think anyone is using spamd to call SpamAssassin.


???

one over here ;)

--j.





oh?  Care to explain how spamd would call spamassassin? That would be a 
neat trick ;)


-Jim



our latest award!

2006-12-07 Thread Justin Mason
I think I noted this honour on the dev list a week or two ago -- but the
_physical_ award for 'Best Linux-based Anti-spam Solution' from the Linux
New Media Awards 2006 just turned up, and that warrants another post ;)

Take a look: http://taint.org/2006/12/07/140259a.html

w00t,

--j.


RE: New to Spamassassin

2006-12-07 Thread Jean-Paul Natola

I would like to know if it is possible to use spamassassin on one server to
filter mail and then deliver it to a separate mail server on the network
running exchange, groupwise, etc?

YES

I use it to  filter my mail - then pass it to exchange-

But the server that has SA must have an MTA and since you are setting that up
you may as well throw CLAMAV on it too

My setup:

BSD server running

Exim - MTA
ClamAV - AV
SA



Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread John D. Hardin
On 7 Dec 2006 [EMAIL PROTECTED] wrote:

  
  On Wed, 6 Dec 2006, Kelly Jones wrote:
  
   Recently, someone connected our server, call it mx.xyz.com, and said
   HELO mx.xyz.com. Spamassassin didn't ding it for doing this.
  
  IMHO this is worthy of a 500 reject at the MTA level. There is NO
  legitimate reason for J. Random User out on the internet to claim his
  MTA is yours.
  
  I've posted milter-regex examples that do this here before.
  
  --
 
 if you have outside users sending through your mta, you need to
 allow them almost any garbage in the helo string. So the helo
 check should be run at mail or rcpt time - users are authenticated
 then

In my case that doesn't apply. The first thing I do in my milter-regex
set is skip the rest of the file for locally-originated messages.
Extending that to include skipping messages from authenticated senders
would be logical.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.   -- James Madison, 1799
---
 8 days until Bill of Rights day



Re: Rule update over DNS?

2006-12-07 Thread Justin Mason

Jim Maul writes:
 Justin Mason wrote:
  Jim Maul writes:
  Kelson wrote:
  Jason Haar wrote:
  May I propose that sa-update should become merged into spamd? (or
  daemonized)
  Merging would be bad. There are plenty of us using methods other than 
  spamd to call SpamAssassin.
  I dont think anyone is using spamd to call SpamAssassin.
  
  ???
  
  one over here ;)
 
 oh?  Care to explain how spamd would call spamassassin? That would be a 
 neat trick ;)

ah, I see where you're going!  Although in fact, you could say it's a
valid way to put it -- after all, spamd is just a script which calls the
Mail::SpamAssassin modules. ;)

--j.


Re: New to Spamassassin

2006-12-07 Thread Rick Macdougall

Development wrote:
I would like to know if it is possible to use spamassassin on one server 
to filter mail and then deliver it to a separate mail server on the 
network running exchange, groupwise, etc?


Hi,

Easiest way is to setup a Unix based MTA (I prefer the Qmail/Simscan 
setup, but what ever you are comfortable with will work) to accept mail 
as the primary MX, scan it and then forward it on to the Internal server.


We do this quite a lot for our clients.

Regards,

Rick



Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread Ben O'Hara

On 12/7/06, Kelly Jones [EMAIL PROTECTED] wrote:

Spamassassin has lots of tests for fake HELOs. If someone says HELO
hotmail.com, but aren't connecting from a Hotmail IP address, they
get dinged (spam score is increased).

Recently, someone connected our server, call it mx.xyz.com, and said
HELO mx.xyz.com. Spamassassin didn't ding it for doing this.

Is there a ruleset that does this? I realize xyz.com couldn't be
hardcoded (otherwise, it'd be a different ruleset for everyone), but
is there a generic ruleset that uses a function call or something to
figure out your MX server (or the name of the machine spamassassin is
running on) and then ding someone HELO'ing as that?



Do it at the MTA level, in exim

acl_check_helo:
 deny  condition = ${if or{ { eq{$sender_helo_name}{$interface_address}} \
{  eq{$sender_helo_name}{$primary_hostname}} \
} {yes}{no}}
   message = REJECTED: Fake HELO/EHLO: $sender_helo_name - That's our address!
 accept


--
We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.




--
A Scientist will earn a living by taking a really difficult problem
and spends many years solving it, an engineer earns a living by
finding really difficult problems and side stepping them


Re: ***SPAM*** SpamAssassin dns timeouts... why?!

2006-12-07 Thread Richard D Alloway

On Thu, 7 Dec 2006, Jeff Chan wrote:


On Wednesday, December 6, 2006, 2:19:11 PM, Richard Alloway wrote:

Any idea what could be wrong?  I'm rapidly running out of ways to try to
increase performance here.


Net::DNS uses the first server in your resolv.conf .  Make sure
that server works, is local, etc.


Hi Jeff!

The first server is 192.168.1.1, which is my dedicated, local caching/RBL 
nameserver.  It works and is not overtaxed and the network connecting the mail 
servers to the nameserver is solid (100Mbps FDX).


-Rich


RE: our latest award!

2006-12-07 Thread Sietse van Zanen
Nah, that's overdone.

The 'linux-based' is waaay too much said... :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 07, 2006 7:43 PM
To: users@spamassassin.apache.org
Subject: our latest award!

I think I noted this honour on the dev list a week or two ago -- but the
_physical_ award for 'Best Linux-based Anti-spam Solution' from the
Linux
New Media Awards 2006 just turned up, and that warrants another post ;)

Take a look: http://taint.org/2006/12/07/140259a.html

w00t,

--j.


Re: Rule update over DNS?

2006-12-07 Thread Daryl C. W. O'Shea

Jim Maul wrote:

oh?  Care to explain how spamd would call spamassassin? That would be a 
neat trick ;)


Neat, but really simple with the plugin interface. :)


Re: What is the correct way of whitelisting local mail?

2006-12-07 Thread Robert S

Determine what is passing messages to SA and tell it to not do that
with locally-sources messages. If you use procmail to launch spamc
this is pretty easy to do.


I use procmail.  I could do this in /etc/procmailrc:

:0fw: spamassassin.lock
* < 256000
* ! From: .*mydomain.com
| /usr/bin/spamc

.. but presumably this would fail to scan messages with forged headers
that claim to come from my network.


RE: Spam: New to Spamassassin

2006-12-07 Thread Darren Cockburn
Absolutely!

All you have to do is set up your spamassassin email server as a
smarthost (gateway) email server then forward all scanned email to your
exchange or groupwise server.

- Darren.



From: Development [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 07, 2006 1:28 PM
To: users@spamassassin.apache.org
Subject: Spam: New to Spamassassin

 

I would like to know if it is possible to use spamassassin on one server
to filter mail and then deliver it to a separate mail server on the
network running exchange, groupwise, etc?



Re: Recognizing Sendmail's authentication -- patch included (WAS: How is LOCAL_AUTH_RCVD used?)

2006-12-07 Thread Jo Rhett


On Dec 5, 2006, at 4:17 PM, Daryl C. W. O'Shea wrote:

Jo Rhett wrote:
While you are fixing bugs related to authentication, any chance  
you'll fix the SPF plugin to skip checks on authenticated  
delivery?  Or have an option to enable this behavior?
Or do you want a patch from me?  It'll take me a lot longer than  
you, since I'll spend hours just tracing down the data structures


I know for sure that if there are no external relays detected there  
will be no SPF checks.  There might be checks done (read I'm almost  
certain there is) if all the relays are trusted, but one or more of  
them are external.


I can show you extensive logs of SPF checks against me, submitting  
authenticated mail for my own domain to my relayhost using SA :-)   I  
guess my host is considered external, but it is also TRUSTED so in my  
opinion the logic should be fixed to handle this.


Your other email about this didn't include the necessary debug info  
to confirm the bug as you reported it.
If you'd like me to look at it, I'd need a full debug output,  
including the complete message headers, of a message that exhibits  
the bug.


Here it is again, first the received headers then the entire, very  
verbose debug including SA startup


From: [EMAIL PROTECTED]
Subject: testing SPF relay
Date: December 7, 2006 12:38:32 PM PST
To: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Received: from triceratops.lizardarts.com ([unix socket]) by
triceratops.lizardarts.com (Cyrus v2.3.7) with LMTPA; Thu, 07 Dec
2006 12:38:40 -0800
Received: from [10.66.240.106] (public-wireless.sv.svcolo.com
[64.13.135.30]) (authenticated bits=0) by triceratops.lizardarts.com
(8.13.8/8.13.8) with ESMTP id kB7Kcc5v015458 for
[EMAIL PROTECTED]; Thu, 7 Dec 2006 12:38:38 -0800 (PST)
(envelope-from [EMAIL PROTECTED])

Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Transfer-Encoding: 7bit
Message-Id: [EMAIL PROTECTED]
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
X-Mailer: Apple Mail (2.752.2)
X-Spam-Status: No, score=-3.776 tagged_above=-999 required=4 tests=
[ALL_TRUSTED=-1.44, AWL=4.164, LOCAL_AUTH_RCVD=-10, SPF_FAIL=3.5]

X-Spam-Level:
X-Spam-Score: -3.776
X-Virus-Scanned: amavisd-new at netconsonance.com

[15504] dbg: logger: adding facilities: all
[15504] dbg: logger: logging level is DBG
[15504] dbg: generic: SpamAssassin version 3.1.7
[15504] dbg: config: score set 0 chosen.
[15504] dbg: util: running in taint mode? yes
[15504] dbg: util: taint mode: deleting unsafe environment variables,  
resetting PATH

[15504] dbg: util: PATH included '/usr/local/sbin', keeping
[15504] dbg: util: PATH included '/usr/local/bin', keeping
[15504] dbg: util: PATH included '/usr/sbin', keeping
[15504] dbg: util: PATH included '/sbin', keeping
[15504] dbg: util: PATH included '/usr/bin', keeping
[15504] dbg: util: PATH included '/bin', keeping
[15504] dbg: util: final PATH set to: /usr/local/sbin:/usr/local/bin:/ 
usr/sbin:/sbin:/usr/bin:/bin

[15504] dbg: message:  MIME PARSER START 
[15504] dbg: message: main message type: text/plain
[15504] dbg: message: parsing normal part
[15504] dbg: message: added part, type: text/plain
[15504] dbg: message:  MIME PARSER END 
[15504] dbg: dns: is Net::DNS::Resolver available? yes
[15504] dbg: dns: Net::DNS version: 0.58
[15504] dbg: ignore: test message to precompile patterns and load  
modules
[15504] dbg: config: using /usr/local/etc/mail/spamassassin for  
site rules pre files

[15504] dbg: config: read file /usr/local/etc/mail/spamassassin/init.pre
[15504] dbg: config: read file /usr/local/etc/mail/spamassassin/v310.pre
[15504] dbg: config: read file /usr/local/etc/mail/spamassassin/v312.pre
[15504] dbg: config: using /var/lib/spamassassin/3.001007 for sys  
rules pre files
[15504] dbg: config: read file /var/lib/spamassassin/3.001007/ 
updates_spamassassin_org.pre
[15504] dbg: config: using /var/lib/spamassassin/3.001007 for  
default rules dir
[15504] dbg: config: read file /var/lib/spamassassin/ 
3.001007/70_sare_adult_cf_sare_sa-update_dostech_net.cf
[15504] dbg: config: read file /var/lib/spamassassin/ 
3.001007/70_sare_evilnum0_cf_sare_sa-update_dostech_net.cf
[15504] dbg: config: read file /var/lib/spamassassin/ 
3.001007/70_sare_evilnum1_cf_sare_sa-update_dostech_net.cf
[15504] dbg: config: read file /var/lib/spamassassin/ 
3.001007/70_sare_evilnum2_cf_sare_sa-update_dostech_net.cf
[15504] dbg: config: read file /var/lib/spamassassin/ 
3.001007/70_sare_genlsubj_cf_sare_sa-update_dostech_net.cf
[15504] dbg: config: read file /var/lib/spamassassin/ 
3.001007/70_sare_genlsubj_eng_cf_sare_sa-update_dostech_net.cf
[15504] dbg: config: read file /var/lib/spamassassin/ 
3.001007/70_sare_header_cf_sare_sa-update_dostech_net.cf
[15504] dbg: config: read file /var/lib/spamassassin/ 

blacklist messagID ?

2006-12-07 Thread Jean-Paul Natola
Apparently a remote server is having issues-
It keeps sending this message here-

[EMAIL PROTECTED]

Can I blacklist a message without blacklisting the sender?









Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]



Re: blacklist messagID ?

2006-12-07 Thread Adam Lanier
On Thu, 2006-12-07 at 16:00 -0500, Jean-Paul Natola wrote:
 Apparently a remote server is having issues-
 It keeps sending this message here-
 
 [EMAIL PROTECTED]
 
 Can I blacklist a message without blacklisting the sender?

Is the sending host someone that you care about receiving messages from?

If not (and maybe even if you do), block the host from connecting to you
and contact the postmaster at that domain, have them remove the
offending message from their queue.



signature.asc
Description: This is a digitally signed message part


RE: blacklist messagID ?

2006-12-07 Thread Jean-Paul Natola

Subject: Re: blacklist messagID ?

On Thu, 2006-12-07 at 16:00 -0500, Jean-Paul Natola wrote:
 Apparently a remote server is having issues-
 It keeps sending this message here-
 
 [EMAIL PROTECTED]
 
 Can I blacklist a message without blacklisting the sender?

Is the sending host someone that you care about receiving messages from?

If not (and maybe even if you do), block the host from connecting to you
and contact the postmaster at that domain, have them remove the
offending message from their queue.

The sender is an employee of ours that works in one of our field offices (in
Africa); very, very difficult to get any support from the ISP-


I will try to see if I can get anywhere with them


Re: What is the correct way of whitelisting local mail?

2006-12-07 Thread John D. Hardin
On Fri, 8 Dec 2006, Robert S wrote:

  Determine what is passing messages to SA and tell it to not do that
  with locally-sources messages. If you use procmail to launch spamc
  this is pretty easy to do.
 
 I use procmail.  I could do this in /etc/procmailrc:
 
 :0fw: spamassassin.lock
 * < 256000
 * ! From: .*mydomain.com
 | /usr/bin/spamc
 
 .. but presumably this would fail to scan messages with forged
 headers that claim to come from my network.

That's why you should check the Received: header your MTA added to see
whether it came from a local network host, or was an authenticated
user.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.   -- James Madison, 1799
---
 8 days until Bill of Rights day



Re: blacklist messagID ?

2006-12-07 Thread John D. Hardin
On Thu, 7 Dec 2006, Jean-Paul Natola wrote:

 Apparently a remote server is having issues-
 It keeps sending this message here-
 
 [EMAIL PROTECTED]
 
 Can I blacklist a message without blacklisting the sender?

Sure. Write a rule for that message-ID header and give it a score of
1000 or so (adding insult to injury).




RE: blacklist messagID ?

2006-12-07 Thread Jean-Paul Natola


 Apparently a remote server is having issues-
 It keeps sending this message here-
 
 [EMAIL PROTECTED]
 
 Can I blacklist a message without blacklisting the sender?

Sure. Write a rule for that message-ID header and give it a score of
1000 or so (adding insult to injury).

I'm not exactly well versed, scratch that , I DO NOT KNOW how to write rules
:(

Any help please?


RE: blacklist messagID ?

2006-12-07 Thread John D. Hardin
On Thu, 7 Dec 2006, Jean-Paul Natola wrote:

  Apparently a remote server is having issues-
  It keeps sending this message here-
  
  [EMAIL PROTECTED]
  
  Can I blacklist a message without blacklisting the sender?
 
 Sure. Write a rule for that message-ID header and give it a score of
 1000 or so (adding insult to injury).
 
 I'm not exactly well versed, scratch that , I DO NOT KNOW how to write rules
 :(
 
 Any help please?

header TMP_MSGID_01 Message-ID =~ /[EMAIL PROTECTED]/
score  TMP_MSGID_01 1000

Put that in your /etc/mail/spamassassin/local.cf and restart the
spamassassin daemon.




Google open relay?

2006-12-07 Thread Steven Stern
I've been getting lots of these get out of debt messages. It looks 
like the last stop before getting here is a gmail server.  Could they 
have an open relay?


Received: from ccim-mx2.cciminstitute.com ([10.0.2.10]) by 
ccim-exchange.cciminstitute.com with Microsoft SMTPSVC(6.0.3790.1830);
 Thu, 7 Dec 2006 16:17:53 -0600
Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.183])
by ccim-mx2.cciminstitute.com (8.13.8/8.13.6) with ESMTP id 
kB7MHojp020673
for x; Thu, 7 Dec 2006 16:17:50 -0600
Received: by py-out-1112.google.com with SMTP id f31so317551pyh
   for x; Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received: by 10.35.99.17 with SMTP id b17mr4277287pym.1165529866966;
   Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received: by 10.35.99.17 with SMTP id b17mr4277286pym.1165529866955;
   Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received: from shawcable.net (S0106000ea6a66e9b.vc.shawcable.net [24.81.32.62])
   by mx.google.com with SMTP id j7si945230nzd.2006.12.07.14.17.34;
   Thu, 07 Dec 2006 14:17:46 -0800 (PST)
Received-SPF: pass (google.com: domain of [EMAIL PROTECTED] designates 
24.81.32.62 as permitted sender)
Message-ID: [EMAIL PROTECTED]
Date: Thu, 07 Dec 2006 19:10:30 -0400
Reply-To: spring freeman [EMAIL PROTECTED]
From: spring freeman [EMAIL PROTECTED]
MIME-Version: 1.0
To: Lawanna x
Cc: Laci x
Subject: TotallyCardDebtFree Overnight




How can I learn a mail which how many score it got from each my rules?

2006-12-07 Thread Halid Faith
I use spamassassin3.1.7

I go through some mails.
I see a mail in /var/log/spamd.log as below
Wed Dec  6 13:33:49 2006 [4484] info: spamd: result: Y 15 - EXTRA_MPART_TYPE,FRONTPAGE,HTML_MESSAGE,INVALID_DATE,MIME_BOUND_NEXTPART,MIME_QP_LONG_LINE,MSGID_MULTIPLE_AT,SARE_GIF_ATTACH,SARE_OBFUGIRLS,SUBJ_ALL_CAPS,SUBJ_ILLEGAL_CHARS,TW_IY,UNPARSEABLE_RELAY,UPPERCASE_25_50 scantime=0.6,size=36790,[EMAIL PROTECTED],uid=1001,required_score=15.0,rhost=localhost,raddr=127.0.0.1,rport=50832,mid=[EMAIL PROTECTED]@domain.com,autolearn=no


Yet, I can't understand which my rule, how many score gave that mail.
How can I learn a mail which how many score it got from each my rules?
is there a command for it ?



Re: How can I learn a mail which how many score it got from each my rules?

2006-12-07 Thread John D. Hardin
On Fri, 8 Dec 2006, Halid Faith wrote:

 I go through some mails.
 I see a mail in /var/log/spamd.log as below
 Wed Dec  6 13:33:49 2006 [4484] info: spamd: result: Y 15 -
 EXTRA_MPART_TYPE,FRONTPAGE,HTML_MESSAGE,INVALID_DATE,MIME_BOUND_NEXTPART
 ,MIME_QP_LONG_LINE,MSGID_MULTIPLE_AT,SARE_GIF_ATTACH,SARE_OBFUGIRLS,SUBJ_ALL
 _CAPS,SUBJ_ILLEGAL_CHARS,TW_IY,UNPARSEABLE_RELAY,UPPERCASE_25_50
 
 Yet, I can't understand which my rule, how many score gave that mail.
 How can I learn a mail which how many score it got from each my rules?
 is there a command for it ?

The per-rule scoring details are probably in a header of the message;
look there, assuming the message hasn't been discarded.

If you look at a spam message and don't see a header with per-rule
scores, then add report_safe 0 to your config file and restart the
daemon.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...to announce there must be no criticism of the President or to
  stand by the President right or wrong is not only unpatriotic and
  servile, but is morally treasonous to the American public.
  -- Theodore Roosevelt, 1918
---
 8 days until Bill of Rights day



RE: How can I learn a mail which how many score it got from each my rules?

2006-12-07 Thread Larry Rosenman
Halid Faith wrote:
 I use spamassassin3.1.7
 
 I go through some mails.
 I see a mail in /var/log/spamd.log as below
 Wed Dec  6 13:33:49 2006 [4484] info: spamd: result: Y 15 - EXTRA_MPART_TYPE,FRONTPAGE,HTML_MESSAGE,INVALID_DATE,MIME_BOUND_NEXTPART,MIME_QP_LONG_LINE,MSGID_MULTIPLE_AT,SARE_GIF_ATTACH,SARE_OBFUGIRLS,SUBJ_ALL_CAPS,SUBJ_ILLEGAL_CHARS,TW_IY,UNPARSEABLE_RELAY,UPPERCASE_25_50 scantime=0.6,size=36790,[EMAIL PROTECTED],uid=1001,required_score=15.0,rhost=localhost,raddr=127.0.0.1,rport=50832,mid=[EMAIL PROTECTED]@domain.com,autolearn=no
 
 
 Yet, I can't understand which my rule, how many score gave that mail.
 How can I learn a mail which how many score it got from each my rules?
 is there a command for it ?

In your user_prefs, add the following:
report _TESTSSCORES( )_

That shows the tests *AND* the scores:

X-LERCTR-Spam-Report: (-108.6 points, 5.0 required)
BAYES_00=-2.599 DK_POLICY_SIGNSOME=0.001 SPF_PASS=-0.001
UPPERCASE_25_50=0 USER_IN_WHITELIST=-100 USER_IN_WHITELIST_TO=-6

-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
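Added example (my code, not Larry's and not part of SpamAssassin): once the per-rule scores are in a header like the one above, or in the bracketed tests=[...] form amavisd-new writes into X-Spam-Status, they can be pulled out and summed to answer exactly the question asked. It also shows why the spamd log line cannot answer it: that line names the rules that fired but carries no per-rule scores. The header text and log line below are constructed samples; the parser assumes rule names are upper case, as SA's are.

```python
import re

# Constructed samples (not from the thread). REPORT_HEADER is what a
# "report _TESTSSCORES( )_" style header looks like; STATUS_HEADER is the
# bracketed form amavisd-new writes; SPAMD_LOG_LINE is a spamd result line.
REPORT_HEADER = (
    "X-Spam-Report: (7.3 points, 5.0 required)\n"
    "\tBAYES_99=3.5 HTML_MESSAGE=0.001 MSGID_MULTIPLE_AT=2.799 SUBJ_ALL_CAPS=1.0\n"
)
STATUS_HEADER = (
    "X-Spam-Status: Yes, score=7.3 tagged_above=-999 required=5 tests=\n"
    "\t[BAYES_99=3.5, HTML_MESSAGE=0.001, MSGID_MULTIPLE_AT=2.799, SUBJ_ALL_CAPS=1.0]\n"
)
SPAMD_LOG_LINE = (
    "Wed Dec  6 13:33:49 2006 [4484] info: spamd: result: Y 15 - "
    "EXTRA_MPART_TYPE,FRONTPAGE,HTML_MESSAGE,UPPERCASE_25_50 "
    "scantime=0.6,size=36790,user=bob,uid=1001,required_score=15.0,"
    "rhost=localhost,raddr=127.0.0.1,rport=50832,mid=<x@example.com>,autolearn=no"
)

# Assumption: SA rule names start with an upper-case letter, which keeps
# "score=", "required=" and friends out of the match.
RULE_SCORE = re.compile(r"\b([A-Z][A-Z0-9_]*)=(-?\d+(?:\.\d+)?)")
SPAMD_RESULT = re.compile(r"result: ([YN]) (-?\d+) - (\S+)")


def parse_rule_scores(text):
    """Map each rule name found in a report/status header to its score."""
    return {name: float(score) for name, score in RULE_SCORE.findall(text)}


def total_score(scores):
    """Sum of the per-rule scores, rounded the way SA prints totals."""
    return round(sum(scores.values()), 3)


def top_contributors(scores, n=3):
    """The n rules that pushed the score up the most, highest first."""
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:n]


def rules_from_spamd_log(line):
    """Verdict, total and rule names from a spamd 'result:' line.

    The log line never carries per-rule scores, which is why the header
    (or report_safe 0 / a report template) is needed for that question.
    """
    m = SPAMD_RESULT.search(line)
    if not m:
        return None
    return {"spam": m.group(1) == "Y", "score": int(m.group(2)), "rules": m.group(3).split(",")}


if __name__ == "__main__":
    scores = parse_rule_scores(REPORT_HEADER)
    print(scores, "total", total_score(scores))
    print("top", top_contributors(scores, 2))
    print(rules_from_spamd_log(SPAMD_LOG_LINE))
```

Both header forms yield the same mapping, and the total recomputed from the parts agrees with the one SA printed, which is a cheap sanity check when a local rule's score has been edited but the daemon not restarted.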



Re: Google open relay?

2006-12-07 Thread John D. Hardin
On Thu, 7 Dec 2006, Steven Stern wrote:

 I've been getting lots of these get out of debt messages. It
 looks like the last stop before getting here is a gmail server.  
 Could they have an open relay?

Have you notified [EMAIL PROTECTED]?




How do I know if DCC is running and working?

2006-12-07 Thread Vernon Webb
Subject says it all. How can I tell if DCC is running and working on my system?

Thanks


Re: Google open relay?

2006-12-07 Thread Steven Stern

John D. Hardin wrote:

On Thu, 7 Dec 2006, Steven Stern wrote:

  

I've been getting lots of these get out of debt messages. It
looks like the last stop before getting here is a gmail server.  
Could they have an open relay?



Have you notified [EMAIL PROTECTED]?

  

You betcha!  And also reported through spamcop.


Re: Google open relay?

2006-12-07 Thread Evan Platt

At 02:52 PM 12/7/2006, you wrote:


Have you notified [EMAIL PROTECTED]?



You're kidding right?

I've given up on e-mailing google about blogspot pages, or anything 
else. They could care less.





Re: Help with understanding a rule

2006-12-07 Thread Loren Wilton

Yes, you are probably right. But: there must be a reason why the
rule no_real_name exists?


Yes.  It successfully HELPS to detect spam.  It is not, on its own, a good 
method to detect spam.  That is why it normally has a low score.




And if there is a rule (written or not)
that From: headers should contain a real name, I want to follow it.


There is no requirement that I know of in any RFC that a to address 
contain a comment containing the recipient's real address.  There ARE 
specifications on how to include the real name if someone chooses to do it.


While there is no requirement in any RFC that this be done, MOST mail 
clients will install a real name from the local address book when sending 
mail to a recipient.  At one time at least, there was a much greater chance 
that this would happen on ham than on spam.  Whether that is still true I 
don't know.


SA rules are not intended to enforce RFC compliance.  They are not limited 
to checking for deviations from what an RFC says.  They are not limited to 
only testing for those things required by some RFC.  SA rules are designed 
to detect spam.  They do this by looking for common patterns in spam (and 
sometimes in ham) and attempting to separate the two.  Spammers are not 
required to violate RFCs, although they often do.  Normal users do not 
always comply with RFCs, though they usually do.  Thus, checking for RFC 
compliance is not necessarily a good way to separate ham and spam.  Looking 
for common patterns that show up IS a good way.


   Loren



Trying to catch spoofed ToCc

2006-12-07 Thread Jason Oriente

 In my mail setup, it is gospel that (ignoring BCC and mailing lists)
 the full email address in the Delivered-To will match an email address
 in the ToCc.  
 Example below.
 
 Return-Path: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 Received: from mx01.domain.ext (unknown [172.16.0.149])
 by localdelivery01 (Postfix) with ESMTP id EB9CA921E8C57
 for [EMAIL PROTECTED]; Mon, 27 Nov 2006 19:36:46 -0500 (EST)
 From: [EMAIL PROTECTED]
 To: Jason [EMAIL PROTECTED]
 Cc: Jason [EMAIL PROTECTED]
 Subject: Testing
 
 I have created a matching rule to statically qualify the validity of a
 domain (below).
 #---------------------------------------------------------------------
 header  __HEAD_01_01   Delivered-To =~  /[EMAIL PROTECTED]/i
 header  __HEAD_01_02   ToCc !~  /[EMAIL PROTECTED]/i
 #---------------------------------------------------------------------
 meta    HEAD_01        (__HEAD_01_01 && __HEAD_01_02)
 score   HEAD_01        5.0
 #---------------------------------------------------------------------
 
 I host hundreds of domains, so I cannot create static rules for each.
 My goal is to have a rule, much like the one above, but will qualify
 the entire email address from the Delivered-To to the ToCc.  No match
 equals a score.
 
 Any insight would be much appreciated.
 
 
 Thank you,
 Jason
 


Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-07 Thread Loren Wilton
Having it set up automagically is a great idea.  But it is worth considering 
as a config option IMO.  After all, it is already necessary in many cases to 
config trusted_networks and internal_networks.  So it isn't like SA will 
always run optimally without some local user input.


I'd simply suggest a config option or two that would contain the helo string 
and possibly ip address.  If they aren't configured, the rule will never 
fire.  If they are configured, then it would do some good.


   Loren
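Both the "whitelisting local mail" thread above (John Hardin's advice: check the Received: header your own MTA added, not the From: line) and this HELO thread come down to reading the topmost Received: field, the one line the sender cannot forge. Here is an added example in Python, my code rather than anything from either thread or from SpamAssassin, that parses that field and answers both questions: did the client authenticate or connect from an internal network, and did it greet with one of our own names or address literals? The hostnames, address ranges and sample headers are constructed placeholders, and the authentication markers it looks for (sendmail's "(authenticated" comment and Postfix's "with ESMTPA"/"ESMTPSA") are an assumption about those MTAs' formats.

```python
import ipaddress
import re

# Constructed configuration for the example: our own identifiers.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
OUR_NAMES = {"mx.example.com", "mail.example.com"}
OUR_ADDRS = {"192.168.1.1", "203.0.113.1"}

# Constructed sample headers (not from the thread). In each, the topmost
# Received: is the one our MTA "mx.example.com" wrote when it accepted the mail.
AUTHENTICATED_SUBMISSION = (
    "Received: from [10.66.240.106] (laptop.example.net [198.51.100.30])\n"
    "\t(authenticated bits=0) by mx.example.com (8.13.8/8.13.8) with ESMTP\n"
    "\tid ABC123; Thu, 7 Dec 2006 12:38:38 -0800 (PST)\n"
    "From: alice@example.com\n"
)
INTERNAL_RELAY = (
    "Received: from wiki.example.com (wiki.example.com [192.168.1.20])\n"
    "\tby mx.example.com (Postfix) with ESMTP id 1A2B3C;\n"
    "\tThu, 7 Dec 2006 13:00:00 -0800 (PST)\n"
    "From: wiki@example.com\n"
)
# External client greeting as us, with a forged "internal" Received: below
# ours and a From: claiming a local user; only our own line counts.
FORGED = (
    "Received: from mx.example.com (unknown [203.0.113.77])\n"
    "\tby mx.example.com (Postfix) with SMTP id 4D5E6F;\n"
    "\tThu, 7 Dec 2006 13:05:00 -0800 (PST)\n"
    "Received: from desktop.example.com (desktop.example.com [192.168.1.50])\n"
    "\tby mx.example.com (Postfix) with ESMTP id 7G8H9I;\n"
    "\tThu, 7 Dec 2006 13:04:00 -0800 (PST)\n"
    "From: alice@example.com\n"
)

IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Assumed MTA formats: sendmail's "(authenticated bits=0)" comment and
# Postfix's "with ESMTPA" / "with ESMTPSA" protocol names.
AUTH_MARKERS = re.compile(r"\(authenticated\b|\bwith\s+E?SMTPS?A\b", re.I)


def unfold_headers(raw):
    """Return (name, value) pairs with RFC 2822 continuation lines joined."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_top_received(raw):
    """HELO name, connecting IP and auth flag from the topmost Received: field."""
    for name, value in unfold_headers(raw):
        if name == "received":
            break
    else:
        return None
    helo_match = re.match(r"from\s+(\S+)", value)
    if not helo_match:
        return None
    # The "(rdns [ip])" part follows the HELO token, so search after it; this
    # skips a HELO given as an address literal like "[10.66.240.106]".
    rest = value[helo_match.end():]
    ip_match = IP_LITERAL.search(rest)
    return {
        "helo": helo_match.group(1),
        "ip": ip_match.group(1) if ip_match else "",
        "authenticated": bool(AUTH_MARKERS.search(value)),
    }


def is_local_origin(info):
    """True when the client was authenticated or inside an internal network."""
    if info is None:
        return False
    if info["authenticated"]:
        return True
    if not info["ip"]:
        return False
    addr = ipaddress.ip_address(info["ip"])
    return any(addr in net for net in INTERNAL_NETS)


def helo_claims_our_identity(info):
    """True when the HELO name is one of our hostnames or one of our address literals."""
    if info is None:
        return False
    helo = info["helo"].lower().rstrip(".")
    if helo.startswith("[") and helo.endswith("]"):
        return helo[1:-1] in OUR_ADDRS
    return helo in {n.lower() for n in OUR_NAMES}


def classify(raw):
    """(local_origin, helo_is_ours) for one message's headers."""
    info = parse_top_received(raw)
    return is_local_origin(info), helo_claims_our_identity(info)


if __name__ == "__main__":
    for label, sample in [("authenticated", AUTHENTICATED_SUBMISSION),
                          ("internal", INTERNAL_RELAY), ("forged", FORGED)]:
        print(label, parse_top_received(sample), classify(sample))
```

The authenticated sample greeted with a private address literal but actually connected from a public address; the decision is made on the connecting IP and the auth marker our MTA recorded, never on what the client said about itself. That is the same distinction the exim ACL earlier in this thread draws with $sender_helo_name versus $interface_address.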



Re: Google open relay?

2006-12-07 Thread David B Funk
On Thu, 7 Dec 2006, Steven Stern wrote:

 John D. Hardin wrote:
  On Thu, 7 Dec 2006, Steven Stern wrote:
 
  I've been getting lots of these get out of debt messages. It
  looks like the last stop before getting here is a gmail server.
  Could they have an open relay?
 
  Have you notified [EMAIL PROTECTED]?
 
 You betcha!  And also reported through spamcop.

Only problem with reporting it thru spamcop is that they will very
industriously drill down thru the Received: chain, breeze right
thru all the Google entries, latch onto that shawcable.net IP
and only send a report to them (IE not bother Google at all).

This is a good thing in that they try very hard to not cause collateral
damage and only send reports to the real culprits, but the down-side
is that potential 'enablers' don't get notified too.

If you buy into the spamcop premium service one of the things that
you gain is the ability to modify their report and add such notices.
Best to send it directly to Google's abuse address.

Dave

-- 
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{


Re: forwarding email

2006-12-07 Thread aubreyL

Jonas Eckerman wrote:

This really would be more on topic on the MIMEDefang list, but here goes...

You have a small but significant typo in your code:

  

if ($hits = req) {



You forgot the $ in $req.

The effect of the above comparison is that all mail that scores above 0 (zero) 
are considered spam.

Regards
/Jonas
  
omg  .how embarrassing.  I'll go through my spamdrop now, and must 
be left alone for hours.  Thanks Jonas.


-=Aubrey=-


Re: Trying to catch spoofed ToCc

2006-12-07 Thread Loren Wilton
Nasty to do without using a plugin or eval rule, 
but it can be done.
The following is off the top of my head, and I almost guarantee it won't work 
correctly without testing and some minor tweak somewhere.  But you can try it 
and/or fool with it if you like.

header __SENT_TO_ME ALL =~ /\n(?i:Delivered-To):\s+([^\n]+)\n.{0,300}\n(?i:To|Cc):[^\n]+\b\1\b/s
meta NOT_SENT_TO_ME !__SENT_TO_ME

You can give that a try, but I warn you you may have to fiddle with it for half 
an hour to get it to work right.  Or maybe it will work now.

Loren

  - Original Message - 
  From: Jason Oriente 
  To: users@spamassassin.apache.org 
  Sent: Thursday, December 07, 2006 3:04 PM
  Subject: Trying to catch spoofed ToCc




  In my mail setup, it is gospel that (ignoring BCC and mailing lists) the full 
email address in the Delivered-To will match an email address in the ToCc.  

  Example below. 

  Return-Path: [EMAIL PROTECTED] 
  Delivered-To: [EMAIL PROTECTED] 
  Received: from mx01.domain.ext (unknown [172.16.0.149]) 
  by localdelivery01 (Postfix) with ESMTP id EB9CA921E8C57 
  for [EMAIL PROTECTED]; Mon, 27 Nov 2006 19:36:46 -0500 (EST) 
  From: [EMAIL PROTECTED] 
  To: Jason [EMAIL PROTECTED] 
  Cc: Jason [EMAIL PROTECTED] 
  Subject: Testing 

  I have created a matching rule to statically qualify the validity of a domain 
(below). 
  
  #---------------------------------------------------------------------
  header  __HEAD_01_01   Delivered-To =~  /[EMAIL PROTECTED]/i 
  header  __HEAD_01_02   ToCc !~  /[EMAIL PROTECTED]/i 
  #---------------------------------------------------------------------
  meta    HEAD_01        (__HEAD_01_01 && __HEAD_01_02) 
  score   HEAD_01        5.0 
  #---------------------------------------------------------------------

  I host hundreds of domains, so I cannot create static rules for each.  My 
goal is to have a rule, much like the one above, but will qualify the entire 
email address from the Delivered-To to the ToCc.  No match equals a score.

  Any insight would be much appreciated. 



  Thank you, 
  Jason 
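An added example, not Loren's or Jason's code and not SA's: the same Delivered-To versus To/Cc comparison done with a real address parser instead of a backreference regex, so display names, angle brackets, folding and case differences cannot defeat it, and with the two cases Jason said to ignore handled explicitly (Bcc cannot be detected, so it simply isn't; mailing-list traffic is recognised by List-Id and skipped). The messages are constructed samples with example domains; in SA this logic would live in a plugin eval rule rather than a regex.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not from the thread).
HAM = (
    "Return-Path: <alice@example.net>\n"
    "Delivered-To: jason@example.org\n"
    "From: alice@example.net\n"
    "To: Jason <Jason@Example.org>\n"       # different case, with a display name
    "Subject: Testing\n\nhello\n"
)
SPAM = (
    "Return-Path: <promo@example.com>\n"
    "Delivered-To: jason@example.org\n"
    "From: promo@example.com\n"
    "To: Lawanna <lawanna@example.com>\n"   # neither To: nor Cc: names the recipient
    "Cc: Laci <laci@example.com>\n"
    "Subject: Get out of debt overnight\n\n...\n"
)
LIST_MAIL = (
    "Delivered-To: jason@example.org\n"
    "From: someone@example.net\n"
    "To: users@lists.example.net\n"
    "List-Id: users discussion <users.lists.example.net>\n"
    "Subject: Re: rules\n\n...\n"
)


def _addresses(msg, *fields):
    """Lower-cased bare addresses from every instance of the named header fields."""
    raw = []
    for field in fields:
        raw.extend(msg.get_all(field, []))
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def delivered_to_missing_from_to_cc(raw_message):
    """True when no Delivered-To address appears in To: or Cc:.

    Returns False when there is nothing to compare, or when the message
    arrived via a mailing list (List-Id present), where the mismatch is
    normal. Bcc recipients are indistinguishable from spoofed ones by this
    test, which is the limitation Jason accepted.
    """
    msg = message_from_string(raw_message)
    if msg.get("List-Id"):
        return False
    delivered = _addresses(msg, "Delivered-To")
    if not delivered:
        return False
    visible = _addresses(msg, "To", "Cc")
    return delivered.isdisjoint(visible)


if __name__ == "__main__":
    for label, sample in [("ham", HAM), ("spam", SPAM), ("list", LIST_MAIL)]:
        print(label, "recipient not in To/Cc:", delivered_to_missing_from_to_cc(sample))
```

A positive result is a hint to score, as in Jason's HEAD_01 rule, not a reason to reject on its own: forwarding, aliases and Bcc all produce the same mismatch on legitimate mail.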


Re: Botnet 0.6 plugin for Spam Assassin availabile

2006-12-07 Thread Michael Schaap

John Rudd wrote:


The next version of the Botnet plugin for Spam Assassin is ready.  The 
install instructions are in the Botnet.txt file, and in the INSTALL file.




Great work!



To Do before 1.0:

(...)



There's another thing that would be really nice to have.  You know how 
the DNS rules' descriptions specify what actually matches?  e.g.:


 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
            [12.34.56.789 listed in sbl-xbl.spamhaus.org]
 1.6 URIBL_SBL  Contains an URL listed in the SBL blocklist
            [URIs: example.com]

It would be great if Botnet could do something similar, like:

 2.0 BOTNET The submitting mail server looks like part 
            of a Botnet
            [ip=12.34.56.789 rdns=dhcp12.34.example.org]


Regards,

 - Michael


Re: Trying to catch spoofed ToCc

2006-12-07 Thread Mike Pepe

Loren Wilton wrote:

Nasty to do without using a plugin or eval rule, but it can be done.
The following is off the top of my head, and I almost guarantee it won't 
work correctly without testing and some minor tweak somewhere.  But you 
can try it and/or fool with it if you like.
 
header __SENT_TO_ME ALL =~ /\n(?i:Delivered-To):\s+([^\n]+)\n.{0,300}\n(?i:To|Cc):[^\n]+\b\1\b/s

meta NOT_SENT_TO_ME !__SENT_TO_ME
 
You can give that a try, but I warn you you may have to fiddle with it 
for half an hour to get it to work right.  Or maybe it will work now.
 
Loren


That looks pretty good, but I think that sort of user-specific action 
might be best done in the user's procmail file-


(Well, assuming of course that that the user is using procmail!)

but something like

# if it's not to or cc me at this point, it's probably spam

:0
* !^(To|Cc).*{my email address}
possibly-spam

Towards the very end of the procmail script does the trick.

-Mike


Re: Score=x+5

2006-12-07 Thread Mark Martinec
On Thursday December 7 2006 18:21, Fred T wrote:
  -0.0 P0F_UNIX   OS fingerprint BSD/Solaris/HP-UX/Tru64
 I'm curious about P0F_UNIX could you share this rule with me?  And any
 similar fingerprint rules?  Thanks!

The rules are quite straightforward (see below) - just matching
on inserted header field, which can be inserted by amavisd-new
(or some other sw component like milter or policy daemon or SA plugin),
based of results from p0f ( http://lcamtuf.coredump.cx/p0f.shtml ).

See release notes, p0f support was introduced with version 2.4.0:
  http://www.ijs.si/software/amavisd/release-notes.txt


Here is my current set:

header L_P0F_WXP   X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
score  L_P0F_WXP   3.0
header L_P0F_W     X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
score  L_P0F_W     1.7
header L_P0F_UNKN  X-Amavis-OS-Fingerprint =~ /^UNKNOWN/
score  L_P0F_UNKN  0.8
header L_P0F_Unix  X-Amavis-OS-Fingerprint =~ /^((Free|Open|Net)BSD|Solaris|HP-UX|Tru64)/
score  L_P0F_Unix  -1.0
header L_P0F_Linux X-Amavis-OS-Fingerprint =~ /^Linux/
score  L_P0F_Linux -0.1

plus a couple to slightly favour network proximity,
which works well in my environment, but may not work
so well elsewhere:

header L_P0F_D1234 X-Amavis-OS-Fingerprint =~ /\bdistance [1-4](?![0-9])/
header L_P0F_D5    X-Amavis-OS-Fingerprint =~ /\bdistance 5(?![0-9])/
header L_P0F_D6    X-Amavis-OS-Fingerprint =~ /\bdistance 6(?![0-9])/
header L_P0F_D7    X-Amavis-OS-Fingerprint =~ /\bdistance 7(?![0-9])/
header L_P0F_D8    X-Amavis-OS-Fingerprint =~ /\bdistance 8(?![0-9])/
header L_P0F_D9    X-Amavis-OS-Fingerprint =~ /\bdistance 9(?![0-9])/
header L_P0F_D10   X-Amavis-OS-Fingerprint =~ /\bdistance 10(?![0-9])/
header L_P0F_D11   X-Amavis-OS-Fingerprint =~ /\bdistance 11(?![0-9])/
score  L_P0F_D1234 -0.5
score  L_P0F_D5    -0.5
score  L_P0F_D6    -0.5
score  L_P0F_D7    -0.5
score  L_P0F_D8    -0.5
score  L_P0F_D9    -0.5
score  L_P0F_D10   -0.3
score  L_P0F_D11   -0.3

  Mark
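To see what rules like these actually do to a given fingerprint line (for instance why "distance 12" does not trip the [1-4] rule, thanks to the (?![0-9]) lookahead), here is an added example with a tiny evaluator for SA-style header/score lines. It is my code, not amavisd-new's or SpamAssassin's, and deliberately small: header and score lines only, no meta rules, no eval tests, no [if-unset: ...] handling, first header instance only. It also covers the Message-ID blacklist rule from the "blacklist messagID" thread earlier on this page, with a placeholder Message-ID, and one "!~" rule without a score line to show the default score. The rule text and sample headers are constructed for the example.

```python
import re

# Constructed rule set (not the list's or SA's own file): a few p0f header
# rules in the style above, a Message-ID blacklist rule of the kind suggested
# earlier (placeholder Message-ID), and a "!~" rule with no score line.
RULES_CF = r"""
header L_P0F_WXP   X-Amavis-OS-Fingerprint =~ /^Windows XP(?![^(]*\b2000 SP)/
score  L_P0F_WXP   3.0
header L_P0F_W     X-Amavis-OS-Fingerprint =~ /^Windows(?! XP)/
score  L_P0F_W     1.7
header L_P0F_Linux X-Amavis-OS-Fingerprint =~ /^Linux/
score  L_P0F_Linux -0.1
header L_P0F_D1234 X-Amavis-OS-Fingerprint =~ /\bdistance [1-4](?![0-9])/
score  L_P0F_D1234 -0.5
header L_P0F_D10   X-Amavis-OS-Fingerprint =~ /\bdistance 10(?![0-9])/
score  L_P0F_D10   -0.3
header TMP_MSGID_01 Message-ID =~ /<loop-12345@relay\.example\.net>/i
score  TMP_MSGID_01 1000
# constructed rule with no score line: SA gives such rules 1.0 by default
header L_FROM_BARE From !~ /</
"""

HEADER_LINE = re.compile(r"^header\s+(\S+)\s+(\S+)\s+(=~|!~)\s+/(.*)/([a-z]*)\s*$")
SCORE_LINE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")
PERL_FLAGS = {"i": re.I, "s": re.S, "m": re.M, "x": re.X}


def load_rules(text):
    """Parse header/score lines into (name, field, positive, regex, score) tuples."""
    rules, scores = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_LINE.match(line)
        if m:
            name, field, op, pattern, flags = m.groups()
            compiled = re.compile(pattern, sum((PERL_FLAGS[f] for f in flags), 0))
            rules.append((name, field.lower(), op == "=~", compiled))
            continue
        m = SCORE_LINE.match(line)
        if m:
            scores[m.group(1)] = float(m.group(2))
    # Rules with no score line get 1.0, as SA does.
    return [(n, f, pos, rx, scores.get(n, 1.0)) for n, f, pos, rx in rules]


def evaluate(rules, headers):
    """([(rule, score), ...] in rule order, total) for one message's headers.

    Header names are matched case-insensitively; an absent header never
    fires a rule here (real SA has [if-unset: ...] to control that).
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    hits = []
    for name, field, positive, rx, score in rules:
        value = lookup.get(field)
        if value is None:
            continue
        if (rx.search(value) is not None) == positive:
            hits.append((name, score))
    return hits, round(sum(s for _, s in hits), 3)


# Constructed sample header sets.
XP_FAR = {"X-Amavis-OS-Fingerprint": "Windows XP, link: ethernet/modem, distance 12",
          "From": "promo@example.com", "Message-ID": "<abc@example.com>"}
LINUX_NEAR = {"X-Amavis-OS-Fingerprint": "Linux 2.6, link: ethernet/modem, distance 4",
              "From": "Alice <alice@example.net>", "Message-ID": "<def@example.net>"}
LOOP = {"From": "Bob <bob@example.net>", "Message-ID": "<LOOP-12345@relay.example.net>"}

if __name__ == "__main__":
    rules = load_rules(RULES_CF)
    for label, hdrs in [("xp_far", XP_FAR), ("linux_near", LINUX_NEAR), ("loop", LOOP)]:
        print(label, evaluate(rules, hdrs))
```

Running it shows the lookahead doing its job: "distance 12" hits neither L_P0F_D1234 nor L_P0F_D10, while "distance 4" collects the -0.5. It is also a quick way to check a new local.cf rule against a saved header before restarting the daemon.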


Re: Google open relay?

2006-12-07 Thread Steven Stern
David B Funk wrote:
 On Thu, 7 Dec 2006, Steven Stern wrote:
 
 John D. Hardin wrote:
 On Thu, 7 Dec 2006, Steven Stern wrote:

 I've been getting lots of these get out of debt messages. It
 looks like the last stop before getting here is a gmail server.
 Could they have an open relay?
 Have you notified [EMAIL PROTECTED]?

 You betcha!  And also reported through spamcop.
 
 Ony problem with reporting it thru spamcop is that they will very
 industriously drill down thru the Received: chain, breeze right
 thru all the Google entries, latch onto that shawcable.net IP
 and only send a report to them (IE not bother Google at all).
 
 This is a good thing in that they try very hard to not cause collateral
 damage and only send reports to the real culprits, but the down-side
 is that potential 'enablers' don't get notified too.
 
 If you buy into the spamcop premium service one of the things that
 you gain is the ability to modify their report and add such notices.
 Best to send it directly to Google's abuse address.
 
 Dave
 

Spamcop sent a report to both shawcable and [EMAIL PROTECTED]  I paid
spamcop $25 several years ago for 25MB of reports (however that's
measured) and I still have 8.3MB left in my pool.

-- 

  Steve


Re: Botnet 0.6 plugin for Spam Assassin available

2006-12-07 Thread John Rudd

Michael Schaap wrote:

John Rudd wrote:


The next version of the Botnet plugin for Spam Assassin is ready.  The 
install instructions are in the Botnet.txt file, and in the INSTALL file.




Great work!



To Do before 1.0:

(...)



There's another thing that would be really nice to have.  You know how 
the DNS rules' descriptions specify what actually matches?  e.g.:


 3.9 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL
[12.34.56.789 listed in sbl-xbl.spamhaus.org]
 1.6 URIBL_SBL  Contains an URL listed in the SBL blocklist
[URIs: example.com]

It would be great if Botnet could do something similar, like:

 2.0 BOTNET The submitting mail server looks like part 
of a Botnet

[ip=12.34.56.789 rdns=dhcp12.34.example.org]



Any tips on how to do that? :-}


RE: blacklist messagID ?

2006-12-07 Thread Jean-Paul Natola




On Thu, 7 Dec 2006, Jean-Paul Natola wrote:

  Apparently a remote server is having issues-
  It keeps sending this message here-
 
  [EMAIL PROTECTED]
 
  Can I blacklist a message without blacklisting the sender?

 Sure. Write a rule for that message-ID header and give it a score of
 1000 or so (adding insult to injury).

 I'm not exactly well versed, scratch that , I DO NOT KNOW how to write
rules
 :(

 Any help please?

header TMP_MSGID_01 Message-ID =~
 /[EMAIL PROTECTED]/
score  TMP_MSGID_01 1000

Put that in your /etc/mail/spamassassin/local.cf and restart the
spamassassin daemon.



Is there a way to discard the message? Since he is one of our employees, the
bounce message generated by exim will go back to him (our server), so he
(the sending user) will wind up with the bounce message every hour, wouldn't
he?



Re: Botnet 0.6 plugin for Spam Assassin available

2006-12-07 Thread Michael Schaap

John Rudd wrote:


It would be great if Botnet could do something similar, like:

 2.0 BOTNET The submitting mail server looks like part 
of a Botnet

[ip=12.34.56.789 rdns=dhcp12.34.example.org]



Any tips on how to do that? :-}



Well, I had a look, and the good news: it's rather simple to add such a 
line: just use something like:


$pms->test_log("ip=$ip, rdns=$rdns");

The bad news, of course, is that BOTNET is a meta rule, so you can't do 
this for that rule.  You can still do so for the individual rules, but 
as those are going away, that won't help much...


 - Michael


Re: spam

2006-12-07 Thread Chris
On Tuesday 05 December 2006 3:31 pm, Rosenbaum, Larry M. wrote:
 Has anybody come up with a rule for these yet?  I tried the following:

 body ORNL_B0RKEN1 /^\d{3,5}\n{1,3}$/s
 describe ORNL_B0RKEN1 B0rken spamware, message just contains a short
 number
 scoreORNL_B0RKEN1 1

I believe I've posted before that these type spams are picked up quite well on 
my home box with these rules:

Content analysis details:   (13.6 points, 5.0 required)

 pts rule name              description
 -- --
 2.6 HELO_DYNAMIC_DIALIN    Relay HELO'd using suspicious hostname
                            (T-Dialin)
 0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.0 BOTNET_CLIENT          Hostname looks like a client hostname
 5.0 BOTNET                 Any Botnet rule hit
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Content analysis details:   (15.2 points, 5.0 required)

 pts rule name              description
 -- --
 4.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr
                            1)
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9955]
 0.0 BOTNET_CLIENT          Hostname looks like a client hostname
 5.0 BOTNET                 Any Botnet rule hit
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Content analysis details:   (12.8 points, 5.0 required)

 pts rule name              description
 -- --
 2.6 HELO_DYNAMIC_DIALIN    Relay HELO'd using suspicious hostname
                            (T-Dialin)
 0.0 BOTNET_CLIENTWORDS     Hostname contains client-like substrings
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
 4.2 BAYES_95               BODY: Bayesian spam probability is 95 to 99%
                            [score: 0.9865]
 0.0 BOTNET_CLIENT          Hostname looks like a client hostname
 5.0 BOTNET                 Any Botnet rule hit
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

These are from earlier this month, looks like the Botnet plug-in and a good 
bayes database are your best bet.

-- 
Chris




Re: Botnet 0.6 plugin for Spam Assassin available

2006-12-07 Thread John Rudd

Michael Schaap wrote:

John Rudd wrote:


It would be great if Botnet could do something similar, like:

 2.0 BOTNET The submitting mail server looks like 
part of a Botnet

[ip=12.34.56.789 rdns=dhcp12.34.example.org]



Any tips on how to do that? :-}



Well, I had a look, and the good news: it's rather simple to add such a 
line: just use something like:


$pms->test_log("ip=$ip, rdns=$rdns");

The bad news, of course, is that BOTNET is a meta rule, so you can't do 
this for that rule.  You can still do so for the individual rules, but 
as those are going away, that won't help much...





Hm.  They're not going away, as much as they're not going to show up in 
the test list anymore.  But that might be, for this purpose, the same 
thing.  I'll see how I might be able to handle that.


(ideally, a Meta rule would take the test logs for its non-visible 
sub-rules, and display them with itself)



If I can't make anything reasonable happen there, then maybe I'll have 
to choose one of:


1) keep the rules around as visible rules
2) go back to the original style I had of one rule that has config 
options for turning the different tests on/off.  Then it would state in 
its log what the IP address was, what RDNS it found, and which rules 
were triggered.
3) some hybrid: BOTNET becomes a rule like #2, but the individual rules 
stick around ... just with a score of 0.  Then you can pick between 
calling one big rule, or disabling the big rule and only calling the 
piece-meal rules.





