Re: Spamassassin doesn't ding sender for saying HELO i-am-you
Fred T wrote:
> As someone else pointed out, the best bet might be the use of a new config item / plugin. Something like:
>
> ifplugin mxhelo
> mx_helo_name mx.host.tld host.tld d.d.d.d
> header HELO_AS_ME eval:check_for_my_mx()
> score HELO_AS_ME 0.1
> endif

Remember to include some of the more obscure cases I've seen in the past where spams were HELOing with the name or IP address of one of the other MXes, i.e.

example.com mail is handled by 10 mx1.example.net
example.com mail is handled by 20 mx2.example.net

And then the spammer does:

| connect() to mx2.example.net
| HELO mx1.example.net

or

| connect() to mx2.example.net
| HELO i.p.a.d.r-of-mx1

or

| connect() to any of the MXes
| HELO example.net (or example.com)

I have cases where a machine legitimately HELOs as myself; in my situation these cases are covered by trusted_networks or internal_networks. Maybe eval:check_for_my_mx() should consider these networks (or skip its tests altogether if the connection came from one of these networks); it may also need an actual exception list ('allowed_helo_as_myself').

-- Matthias
RulesDuJour
The configuration that I inherited had only got

TRUSTED_RULESETS=TRIPWIRE SARE_EVILNUMBERS0 SARE_RANDOM;

in /etc/rulesdujour/config. This obviously allows a lot of spam to filter through (or at least would allow the rules to become outdated). Looking at rulesdujour.sh I notice it references a lot more rule sets than these. What problems might I encounter if I add all of these (except for those noted as pre 3.0) to my config file?

mike
Score counting error
Hi,

In my headers I see:

X-Spam-Status: No, score=4.3 required=4.4 tests=BAYES_99,NO_RELAYS autolearn=disabled version=3.1.7
X-Spam-Report:
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
*  4.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*      [score: 1.]

Seems odd that the score doesn't add up? (4.4 + 0.0 = 4.3!!)

-- Andrew Hearn
Re: Botnet 0.6 plugin for Spam Assassin available
John Rudd wrote:
> Michael Schaap wrote:
>> John Rudd wrote:
>>> The next version of the Botnet plugin for Spam Assassin is ready. The install instructions are in the Botnet.txt file, and in the INSTALL file.
>> Great work!
>>> To Do before 1.0: (...)
>> There's another thing that would be really nice to have. You know how the DNS rules' descriptions specify what actually matches? e.g.:
>>
>> 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL [12.34.56.789 listed in sbl-xbl.spamhaus.org]
>> 1.6 URIBL_SBL Contains an URL listed in the SBL blocklist [URIs: example.com]
>>
>> It would be great if Botnet could do something similar, like:
>>
>> 2.0 BOTNET The submitting mail server looks like part of a Botnet [ip=12.34.56.789 rdns=dhcp12.34.example.org]
>
> Any tips on how to do that? :-}

Have a look at the FuzzyOcr plugin, especially on Scoring.pm in the SVN, found here: http://fuzzyocr.own-hero.net/browser/trunk/devel/FuzzyOcr/Scoring.pm

In each of the functions, the mail is scored with a different rule, a custom score and a custom description which is generated there. That should be enough for you to reproduce that :)

Chris
ALL_SPAM_TO not working correctly?
I have run across the following situation: I have a user, which receives all spam unmodified (ALL_SPAM_TO). When a spam message is sent to multiple users on my machine, including the one in ALL_SPAM_TO, all users addressed in the message get it unmodified, not only the ALL_SPAM_TO user. Is this correct behaviour? -Sietse
RE: How do I know if DCC is running and working?
grep DCC /var/log/maillog

Or

tcpdump port 6277

-Sietse

From: Vernon Webb
Sent: Thu 07-Dec-06 23:55
To: SpamAssassin
Subject: How do I know if DCC is running and working?

> Subject says it all. How can I tell if DCC is running and working on my system? Thanks
Re: Spamassassin doesn't ding sender for saying HELO i-am-you
Matthias Leisi writes:
> I have cases where a machine legitimately HELOs as myself; in my situation these cases are covered by trusted_networks or internal_networks. Maybe eval:check_for_my_mx() should consider these networks (or skip its tests altogether if the connection came from one of these networks);

Yeah, I think that would make the most sense.

--j.

> it may also need an actual exception list ('allowed_helo_as_myself').
>
> -- Matthias
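As an added, stand-alone illustration of the HELO_AS_ME idea in this thread (this is not code from the thread, from the proposed plugin, or from SpamAssassin): a check that flags a client which introduces itself with one of our own identities, be it any MX name, any MX address, or the bare domain, unless it connects from a trusted or internal network. The MX names, addresses, networks and Received: lines are all assumptions constructed for the demo; the Received: parsing covers the sendmail/Postfix/Exim "from HELO (rdns [ip])" shape and the CommuniGate "from [ip] (HELO name)" shape, nothing else.

```python
"""Added example (not from the thread, the proposed plugin, or SpamAssassin):
a stand-alone check for the HELO_AS_ME idea above. It flags a client that
introduces itself with one of our own identities (any MX name, any MX
address, or the bare domain) unless it connects from a trusted or internal
network. MX names, addresses, networks and the Received: lines are all
assumptions constructed for the demo."""
import ipaddress
import re

# Stand-in for the proposed mx_helo_name items: every name and address a
# legitimate remote peer should never present in HELO when talking to us.
MY_MX_NAMES = {'mx1.example.net', 'mx2.example.net', 'example.net', 'example.com'}
MY_MX_IPS = {ipaddress.ip_address('192.0.2.10'), ipaddress.ip_address('192.0.2.20')}
# Stand-in for trusted_networks / internal_networks: hosts in here may HELO as us.
TRUSTED_NETS = [ipaddress.ip_network('192.0.2.0/24'), ipaddress.ip_network('10.0.0.0/8')]

# Two common Received: shapes. Exim's "from rdns ([ip] helo=name)" is not handled.
RECEIVED_FORMS = [
    # sendmail/Postfix/Exim: from HELO (rdns [ip])  or  from HELO ([ip]:port)
    re.compile(r'from\s+(?P<helo>\S+)\s+\((?:[^\s\[\]()]+\s+)?'
               r'\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?\)', re.I),
    # CommuniGate: from [ip] (HELO name)
    re.compile(r'from\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\s+\(HELO\s+(?P<helo>[^\s)]+)\)', re.I),
]


def parse_received(line):
    """Return (helo, client_ip) from the first Received: shape that matches, else None."""
    for form in RECEIVED_FORMS:
        m = form.search(line)
        if m:
            return m['helo'], ipaddress.ip_address(m['ip'])
    return None


def normalize_helo(helo):
    """Fold '[192.0.2.10]' or '192.0.2.10' to an address; anything else to a lowercase name."""
    h = helo.strip('[]').lower().rstrip('.')
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        return h


def helo_as_me(helo, client_ip, names=MY_MX_NAMES, ips=MY_MX_IPS, trusted=TRUSTED_NETS):
    """True when an untrusted client HELOs with one of our own identities."""
    if any(client_ip in net for net in trusted):
        return False            # our own relays may legitimately say they are us
    claim = normalize_helo(helo)
    if isinstance(claim, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        return claim in ips     # HELO with the address of one of our MXes
    return claim in names       # HELO with an MX name or the bare domain


def check_received(line, **policy):
    """Apply helo_as_me to one Received: line; None if the line cannot be parsed."""
    parsed = parse_received(line)
    if parsed is None:
        return None
    helo, ip = parsed
    return helo_as_me(helo, ip, **policy)


# Constructed Received: lines mirroring the cases in the thread.
SAMPLES = {
    'other_mx_name': 'from mx1.example.net (unknown [203.0.113.7]) by mx2.example.net (Postfix)',
    'other_mx_ip':   'from [192.0.2.10] (unknown [203.0.113.7]) by mx2.example.net (Postfix)',
    'bare_domain':   'from example.net ([203.0.113.9]:4431) by mx1.example.net with esmtp (Exim)',
    'communigate':   'from [203.0.113.9] (HELO mx2.example.net) by mx1.example.net (CommuniGate Pro SMTP)',
    'trusted_relay': 'from mx1.example.net (mx1.example.net [192.0.2.10]) by mx2.example.net (Postfix)',
    'honest_peer':   'from mail.partner.example (mail.partner.example [198.51.100.5]) by mx1.example.net',
}

if __name__ == '__main__':
    for label, line in SAMPLES.items():
        print(f'{label:14} HELO_AS_ME={check_received(line)}')
```

The trusted-network test comes first on purpose: a relay inside trusted_networks/internal_networks is allowed to HELO as us without ever being compared against the name and address lists, which is the exception Matthias asked for; a separate 'allowed_helo_as_myself' list would simply be a second set consulted at the same point.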
SA Scoring
I have copied a mail to spam.mail and now I execute

$ cat spam.mail | spamassassin

which outputs along with the message:

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on mx4.mydomain.co.za
X-Spam-Level: *
X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO, RCVD_IN_BL_SPAMCOP_NET,SARE_MLB_Stock1,SARE_MLB_Stock4, SARE_PROLOSTOCK_SYM1,STOCK_NAME_FVGT1 autolearn=no version=3.1.5

my /etc/amavisd.conf contains the lines

$sa_tag2_level_deflt = 4.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent
$sa_quarantine_cutoff_level = 18; # spam level beyond which quarantine is off

my /etc/mail/spamassassin/local.cf contains

required_hits 5.0

but the mail still gets through to my mailbox. What am I missing here?

mike
RE: How do I know if DCC is running and working?
I have nothing in either, so obviously something is not working. I thought after I installed it all I had to do was uncomment the line that says

loadplugin Mail::SpamAssassin::Plugin::DCC

in the /etc/mail/spamassassin/v310.pre file. Am I missing something?

> grep DCC /var/log/maillog
>
> Or
>
> tcpdump port 6277
RE: SA Scoring
how are you moving it to spam path location?

From: Mike Kenny [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 08, 2006 12:36 PM
To: users@spamassassin.apache.org; GLUG Tech
Subject: SA Scoring
Re: ALL_SPAM_TO not working correctly?
Sietse van Zanen wrote:
> I have run across the following situation: I have a user, which receives all spam unmodified (ALL_SPAM_TO). When a spam message is sent to multiple users on my machine, including the one in ALL_SPAM_TO, all users addressed in the message get it unmodified, not only the ALL_SPAM_TO user. Is this correct behaviour?
>
> -Sietse

SA doesn't know for sure who the current message is being delivered to. It acts only on the contents of the message, nothing more.

To compound the problem, if you call at the MTA layer, there is only one message fed to SA. At that point, SA absolutely must act on an all-or-nothing basis.

If you're calling at the MDA layer in a way that allows per-user user_prefs files, move the all_spam_to command into that user's own user_prefs file. This way it will only be in effect when the message is being delivered to that user.
Re: SA Scoring
Mike Kenny wrote:
> I have copied a mail to spam.mail and now I execute
>
> $ cat spam.mail | spamassassin
>
> which outputs along with the message:
>
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on mx4.mydomain.co.za
> X-Spam-Level: *
> X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO, RCVD_IN_BL_SPAMCOP_NET,SARE_MLB_Stock1,SARE_MLB_Stock4, SARE_PROLOSTOCK_SYM1,STOCK_NAME_FVGT1 autolearn=no version=3.1.5
>
> my /etc/amavisd.conf contains the lines
>
> $sa_tag2_level_deflt = 4.0; # add 'spam detected' headers at that level
> $sa_kill_level_deflt = 5.0; # triggers spam evasive actions
> $sa_dsn_cutoff_level = 9; # spam level beyond which a DSN is not sent
> $sa_quarantine_cutoff_level = 18; # spam level beyond which quarantine is off
>
> my /etc/mail/spamassassin/local.cf contains
>
> required_hits 5.0
>
> but the mail still gets through to my mailbox. What am I missing here?

What rules did the message match at the time of delivery? The sending IP might not have been in spamcop at that time, which would cause the score to be less than 4.0.
RE: ALL_SPAM_TO not working correctly?
I figured it would be something like that. I have moved the spamsink to the milter config. The milter should replace all recipients with only the spamsink.

-Sietse

From: Matt Kettler
Sent: Fri 08-Dec-06 13:13
To: Sietse van Zanen
Cc: users@spamassassin.apache.org
Subject: Re: ALL_SPAM_TO not working correctly?
RE: blacklist message ID?
Can I blacklist a message without blacklisting the sender?

> Sure. Write a rule for that message-ID header and give it a score of 1000 or so (adding insult to injury).

I'm not exactly well versed, scratch that, I DO NOT KNOW how to write rules :( Any help please?

> header TMP_MSGID_01 Message-ID =~ /[EMAIL PROTECTED]/
> score TMP_MSGID_01 1000
>
> Put that in your /etc/mail/spamassassin/local.cf and restart the spamassassin daemon.

Is there a way to discard the message? Since he is one of our employees, the bounce message generated by exim will go back to him (our server), so he (the sending user) will wind up with the bounce message every hour, wouldn't he?

> That's outside the scope of SA, take a look at your MTA. It is considered very bad practice to generate a bounce message for spam. Are you talking about a reject during the SMTP conversation?

Yes, I believe that's what I'm referring to, the one that says "Congratulations your message has scored x.x points blah blah blah".
FuzzyOcr helper apps
I have two gateways that filter using amavisd-new and SA 3.1.7 with the FuzzyOcr recipes used. On one of these FreeBSD servers, all the helper applications are present, but on the other, they're all missing. I just now realized this after a while and do not remember where those helper apps, like giffix, come from. All packages on both systems were installed using FreeBSD ports system. Can someone give me a pointer? Can I merely copy over the missing helper apps? Thanks in advance! -- Robert
Re: Botnet 0.6 plugin for Spam Assassin available
* John Rudd wrote (07/12/06 18:33):
> (I had a bout of insomnia last night, and got more done than I had pre-announced yesterday...)
>
> The next version of the Botnet plugin for Spam Assassin is ready. The install instructions are in the Botnet.txt file, and in the INSTALL file.
>
> For those who don't know what Botnet is, it's a plugin which tries to identify whether or not the message has been submitted by a botnet/spam-zombie type host by looking at its DNS characteristics (no reverse DNS, reverse DNS that doesn't resolve, or doesn't resolve back to the relay's IP, or reverse DNS that contains things that look like an ISP's client address). The places I've been using it, and the people I hear about who are using it, have seen a high degree of success.
>
> It can be downloaded from: http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
>
> As usual, feedback, statistics, bug reports, feature suggestions, are all welcome.

I've been running the BOTNET rules for a little while now. It's the most-hit rule on the machine (above BAYES_99 even). But I get a significant number of false positives. Here's some sa-stats output:

TOP SPAM RULES FIRED
RANK RULE NAME             COUNT  %OFMAIL  %OFSPAM  %OFHAM
   1 BOTNET                 1381    66.37    90.86    6.44
   2 BAYES_99               1274    59.50    83.82    0.00
   3 HTML_MESSAGE           1184    75.06    77.89   68.12
   4 BOTNET_CLIENT          1048    50.21    68.95    4.35
   5 BOTNET_IPINHOSTNAME     962    45.45    63.29    1.77
   6 URIBL_BLACK             751    35.12    49.41    0.16
   7 RCVD_IN_SORBS_DUL       725    33.96    47.70    0.32
   8 URIBL_JP_SURBL          688    32.13    45.26    0.00
   9 BOTNET_CLIENTWORDS      608    29.61    40.00    4.19
  10 URIBL_SC_SURBL          524    24.47    34.47    0.00

I think the default score of 5 is far too high. I'm scoring it at 2 at the moment, which seems OK. I'd quite like to be able to give more score to BOTNET_IPINHOSTNAME than BOTNET_CLIENTWORDS, because it seems to give fewer false positives [I think this will probably improve in 0.6, though]. But this isn't a very big deal. So that's a mild vote against the __ prefix.

I added p0f to my arsenal recently, hoping it would work to lower the false-positive rate of BOTNET by checking for Windows machines, but it seems that almost all the BOTNET false positives are Exchange servers, so p0f aggravates rather than mitigates that.

Hope this feedback is useful. Thanks for the plugin. I take the view that network tests and RBLs (especially URIBLs), rather than body checks, are the best long-term spam-fighting tools.

Chris
Re: Google open relay?
Steven Stern a écrit :
> I've been getting lots of these "get out of debt" messages. It looks like the last stop before getting here is a gmail server. Could they have an open relay?

No, but Gmail hosts personal domains, not only @gmail.com.

-- Laradji nacer n.laradji at ovea dot com ovea http://www.ovea.com Tél : +33 4 6767 Gsm : +33 6 1059 6883 1024D/DFCF1726 : 33A5 7162 4370 9C30 E22C 0721 DBA7 CBEE DFCF 1726
TMDA SA
Is anyone on here using , or have any comments/feedback regarding the use of TMDA SA ? http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29 Jean-Paul Natola Network Administrator Information Technology Family Care International 588 Broadway Suite 503 New York, NY 10012 Phone:212-941-5300 xt 36 Fax: 212-941-5563 Mailto: [EMAIL PROTECTED]
Re: Spamassassin doesn't ding sender for saying HELO i-am-you
Hello Kelly,

Wednesday, December 6, 2006, 11:13:24 PM, you wrote:
> Is there a ruleset that does this? I realize xyz.com couldn't be hardcoded (otherwise, it'd be a different ruleset for everyone), but is there a generic ruleset that uses a function call or something to figure out your MX server (or the name of the machine spamassassin is running on) and then ding someone HELO'ing as that?

For all those interested, I opened a ticket for enhancement based on this idea. See: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5227

-- Best regards, Fred mailto:[EMAIL PROTECTED]
RE: No Network tests?!
Thanks

Bowie Bailey wrote:
> leemansvg wrote:
>> I'm running spamassassin --lint and it comes up saying that it's only doing local tests. I've enabled dns and I am connected to the internet. I've also enabled razor, dcc, and pyzor in the spam.assassin.prefs files. Does anyone have an idea where I might have a mis-configuration? Here's a snip from the --lint test
>
> As of the most recent versions, --lint does not do network tests. If you want to debug network tests, you will need to feed in a test message that has some header information for the network tests to work with.
>
> spamassassin -D test.msg
>
> -- Bowie
Re: Synchronizing two Bayes database
Emmanuel Lesouef wrote:
> Yes, I was thinking about this solution. But isn't it network resource hungry? And if I would like to keep a file-based bayes db, what should be the good manner to migrate one to another server? Thanks Sietse for the advice.
>
> Sietse van Zanen a écrit :
>> Sure, use MySQL for bayes storage and have both servers use that DB. Then you could be fairly sure both use the same bayes. I think it should even be possible to dump both databases and migrate into one SQL db. But I don't use MySQL myself, so I would not know how.
>>
>> -Sietse

On your most accurate machine, run a CRON job that once a week does:

sa-learn --siteconfigpath=/your/site/path --force-expire
sa-learn --siteconfigpath=/your/site/path --backup > /tmp/weeklyMerge.sal.bak
scp /tmp/weeklyMerge.sal.bak [EMAIL PROTECTED]://tmp/weeklyMerge.sal.bak
mv /tmp/weeklyMerge.sal.bak /tmp/weeklyMerge.sal.sent

(sa-learn --backup writes the dump to standard output, hence the redirect.) Use ssh key-auth so no password interaction is required for your robot account.

On the other.machine.tld run a cron job that fires one hour later that does:

sa-learn --siteconfigpath=/your/site/path --restore /tmp/weeklyMerge.sal.bak
mv /tmp/weeklyMerge.sal.bak /tmp/weeklyMerge.sal.restored
sa-learn --siteconfigpath=/your/site/path --force-expire

-- Michel Vaillancourt, Wolfstar Systems, www.wolfstar.ca
Re: FuzzyOcr helper apps
Robert Fitzpatrick wrote:
> I have two gateways that filter using amavisd-new and SA 3.1.7 with the FuzzyOcr recipes used. On one of these FreeBSD servers, all the helper applications are present, but on the other, they're all missing. I just now realized this after a while and do not remember where those helper apps, like giffix, come from. All packages on both systems were installed using the FreeBSD ports system. Can someone give me a pointer? Can I merely copy over the missing helper apps?

http://fuzzyocr.own-hero.net/wiki/OSSpecificNotes

At the bottom is a link to a FreeBSD tutorial, I'm sure it lists what you need :)

Chris

> Thanks in advance!
Re: whitelist_from and whitelist_from_rcvd not working
Hi

Thanks for your mail.

On Mon, Dec 04, 2006 at 02:58:56PM -0500, Robert Swan wrote:
> I had a similar problem with SA not reading a specific .cf file. I basically created a new greylist.cf file and copied the test over and it worked, and of course make sure it is in the right folder... Might be worth a try

I have done this, but the issue is still occurring. Has anyone else seen this or have any suggestions?

Regards, Mark

> Robert
>
> Peace he would say instead of goodbye... peace my brother.
>
> -----Original Message-----
> From: Mark Adams [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 04, 2006 12:56 PM
> To: [EMAIL PROTECTED]
> Cc: users@spamassassin.apache.org
> Subject: Re: whitelist_from and whitelist_from_rcvd not working
>
> On Sun, Dec 03, 2006 at 05:55:24PM +0100, mouss wrote:
>> Mark Adams wrote:
>>> Hi All,
>>>
>>> Spamassassin 3.1.4-1. Currently have entries like the following in the local.cf file:
>>>
>>> whitelist_from [EMAIL PROTECTED]
>>> whitelist_from [EMAIL PROTECTED]
>>>
>>> But mail is still picked up as spam for the [EMAIL PROTECTED]. Have also tried the following:
>>>
>>> whitelist_from_rcvd [EMAIL PROTECTED] domain.com
>>> whitelist_from_rcvd [EMAIL PROTECTED] domain.com
>>>
>>> But nothing seems to work? Has anyone got any advice on this?
>>
>> do you have always_trust_envelope_sender 1 ?
>
> No I don't have this setting
Re: Google open relay?
laradji nacer wrote:
> Steven Stern a écrit :
>> I've been getting lots of these "get out of debt" messages. It looks like the last stop before getting here is a gmail server. Could they have an open relay?
>
> No, but Gmail hosts personal domains, not only @gmail.com.

Google Apps for Your Domain (GAYD) requires SMTP authentication over SSL on port 465 to pass mail from a sending system. That means that whatever's sending this mail is smart enough to handle the GAYD SMTP auth and SSL access.
Some ideas to test the To or the cc-lines ...
Hello

In those lines you find comma-separated e-mails, and normally those lines contain my own e-mail address.

a) But sometimes this list contains not only my address but a known spam-trap address too. For example, let the spam be addressed to [EMAIL PROTECTED] and [EMAIL PROTECTED], and let the first address be the normal address of someone, while the second one is the newsgroup address or an old invalid address which has had a definite lifetime. In both cases you can say: if both addresses are appearing, the mail is spam.

b) Another interesting test may be the real names of those addresses, if available. I'm not Sandra McKintosh, for example, and if the real-name part contains a foreign name, it is spam.

All you need is a concept to store a set of parameters for each e-mail address: a) a list of spam-trap addresses and b) a list of possible real-name values in the To and the Cc line.

Best regards
Wolfgang Uhr
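The two tests Wolfgang describes, as an added stand-alone check (this is not code from the post or from SpamAssassin): for each local address it keeps (a) the spam-trap addresses that should never be co-addressed with it and (b) the display names legitimately used with it, then scans To: and Cc:. The addresses, names and sample messages are all constructed for the demo.

```python
"""Added example, not from the post or from SpamAssassin: the two To:/Cc:
tests described above as a stand-alone check. For each local address it keeps
(a) spam-trap addresses that should never be co-addressed with it and (b) the
display names legitimately used with it. Addresses, names and messages are
all made up for the demo."""
from email import message_from_string
from email.utils import getaddresses

# Constructed per-address parameters, the "set of parameters for each e-mail address".
POLICY = {
    'alice@example.org': {
        'traps': {'usenet-old@example.org', 'webmaster-1999@example.org'},
        'real_names': {'Alice Example', 'A. Example', ''},   # '' = no display name
    },
}


def recipients(msg):
    """(display name, lowercased address) for every To: and Cc: entry."""
    fields = msg.get_all('to', []) + msg.get_all('cc', [])
    return [(name.strip(), addr.lower()) for name, addr in getaddresses(fields) if addr]


def check_to_cc(raw_message, policy=POLICY):
    """Reasons the recipient lines look like spam; an empty list means no finding."""
    rcpts = recipients(message_from_string(raw_message))
    all_addrs = {addr for _, addr in rcpts}
    reasons = []
    for name, addr in rcpts:
        params = policy.get(addr)
        if params is None:
            continue                                  # not one of ours, nothing to compare
        traps_hit = sorted(all_addrs & params['traps'])
        if traps_hit:
            reasons.append(f'{addr} co-addressed with spam trap {", ".join(traps_hit)}')
        if name not in params['real_names']:
            reasons.append(f'{addr} addressed with unknown real name "{name}"')
    return reasons


# Constructed sample messages: one clean, one per failure mode.
HAM = """From: bob@example.net
To: Alice Example <alice@example.org>, bob@example.net
Subject: lunch

Friday?
"""
TRAP_IN_TO = """From: promo@example.com
To: alice@example.org, usenet-old@example.org
Subject: offer

buy now
"""
WRONG_NAME = """From: promo@example.com
To: "Sandra McKintosh" <alice@example.org>
Subject: offer

buy now
"""
TRAP_IN_CC = """From: promo@example.com
To: bob@example.net
Cc: Alice Example <alice@example.org>, Webmaster-1999@example.org
Subject: offer

buy now
"""

if __name__ == '__main__':
    for label, msg in (('ham', HAM), ('trap', TRAP_IN_TO), ('name', WRONG_NAME), ('cc', TRAP_IN_CC)):
        print(label, check_to_cc(msg) or 'clean')
```

Addresses are lowercased before comparison so a trap written with different capitalisation still matches, and the trap list itself should be treated as sensitive: once a spammer learns which addresses are traps they simply stop co-addressing them.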
customized default user_prefs
the current default user_prefs file contains

###
# How many points before a mail is considered spam.
# required_score 5
... snip ...
# score SUBJ_ILLEGAL_CHARS 0

is there any way that this file can be created with 0 contents and without those commented lines?
FP: RCVD_HELO_IP_MISMATCH?
Greetings,

I had the following headers:

Return-path: [EMAIL PROTECTED]
Envelope-to: ler@lerctr.org
Delivery-date: Thu, 07 Dec 2006 23:26:40 -0600
Received: from smtp-vbr15.xs4all.nl ([194.109.24.35]:2793) by thebighonker.lerctr.org with esmtp (Exim 4.63 (FreeBSD)) (envelope-from [EMAIL PROTECTED]) id 1GsYFo-000OEi-SQ for ler@lerctr.org; Thu, 07 Dec 2006 23:26:40 -0600
Received: from bag.python.org (bag.python.org [194.109.207.14]) by smtp-vbr15.xs4all.nl (8.13.8/8.13.8) with ESMTP id kB85QZZo098068 for ler@lerctr.org; Fri, 8 Dec 2006 06:26:35 +0100 (CET) (envelope-from [EMAIL PROTECTED])
Received: from bag.python.org (bag [127.0.0.1]) by bag.python.org (Postfix) with ESMTP id 4397A1E4019 for ler@lerctr.org; Fri, 8 Dec 2006 06:26:35 +0100 (CET)
X-Original-To: mailman-users@python.org
Delivered-To: [EMAIL PROTECTED]
Received: from bag.python.org (bag [127.0.0.1]) by bag.python.org (Postfix) with ESMTP id 646CA1E401A for mailman-users@python.org; Fri, 8 Dec 2006 06:26:07 +0100 (CET)
X-Spam-Status: OK 0.010
Received: from bag (HELO bag.python.org) (127.0.0.1) by bag.python.org with SMTP; 08 Dec 2006 06:26:06 +0100
X-Greylist: delayed 665 seconds by postgrey-1.21 at bag.python.org; Fri, 08 Dec 2006 06:26:06 CET
Received: from zoot.lafn.org (zoot.lafn.ORG [206.117.18.6]) by bag.python.org (Postfix) with ESMTP for mailman-users@python.org; Fri, 8 Dec 2006 06:26:06 +0100 (CET)
Received: from 207.233.32.18 (zoot.lafn.org [206.117.18.6]) by zoot.lafn.org (8.13.6/8.13.4) with SMTP id kB85EuSN093511 for mailman-users@python.org; Thu, 7 Dec 2006 21:14:58 -0800 (PST) (envelope-from [EMAIL PROTECTED])
Message-Id: [EMAIL PROTECTED]
To: mailman-users@python.org
From: [EMAIL PROTECTED]
Date: Thu, 7 Dec 2006 21:14:58 GMT
X-Mailer: Endymion MailMan Standard Edition v3.0.26
X-Virus-Scanned: by XS4ALL Virus Scanner
X-Virus-Status: Clean
Subject: [Mailman-Users] Mailman stop delivering ... problem with Approval.py?
X-BeenThere: mailman-users@python.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailman mailing list management users mailman-users.python.org
List-Unsubscribe: http://mail.python.org/mailman/listinfo/mailman-users, mailto:[EMAIL PROTECTED]
List-Archive: http://mail.python.org/pipermail/mailman-users
List-Post: mailto:mailman-users@python.org
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://mail.python.org/mailman/listinfo/mailman-users, mailto:[EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-Spam-Score: 6.4 (++)
X-LERCTR-Spam-Score: 6.4 (++)
X-Spam-Report: (6.4 points, 5.0 required) BAYES_00=-2.599 DATE_IN_PAST_06_12=0.827 DK_POLICY_SIGNSOME=0.001 FORGED_RCVD_HELO=0.135 HOST_EQ_NL=1.545 NO_REAL_NAME=0.961 RCVD_HELO_IP_MISMATCH=4 RCVD_NUMERIC_HELO=1.5 TW_CF=0.077
X-LERCTR-Spam-Report: (6.4 points, 5.0 required) BAYES_00=-2.599 DATE_IN_PAST_06_12=0.827 DK_POLICY_SIGNSOME=0.001 FORGED_RCVD_HELO=0.135 HOST_EQ_NL=1.545 NO_REAL_NAME=0.961 RCVD_HELO_IP_MISMATCH=4 RCVD_NUMERIC_HELO=1.5 TW_CF=0.077
X-Spam-Flag: YES
X-LERCTR-Spam-Flag: YES
DomainKey-Status: no signature

And the rule that marked this as SPAM is the RCVD_HELO_IP_MISMATCH. Why is this rule so high? What exactly is it checking? This is from a legit mailing list.

Thanks,
Larry Rosenman

-- Larry Rosenman http://www.lerctr.org/~ler Phone: +1 512-248-2683 E-Mail: ler@lerctr.org US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
RE: blacklist message ID?
On Fri, 8 Dec 2006, Jean-Paul Natola wrote:
> Is there a way to discard the message? Since he is one of our employees, the bounce message generated by exim will go back to him (our server), so he (the sending user) will wind up with the bounce message every hour, wouldn't he?
>
>> That's outside the scope of SA, take a look at your MTA. It is considered very bad practice to generate a bounce message for spam. Are you talking about a reject during the SMTP conversation?
>
> Yes, I believe that's what I'm referring to, the one that says "Congratulations your message has scored x.x points blah blah blah".

That's still not enough to tell.

A reject occurs during the conversation between the MTAs, and will usually result in the *sending* MTA generating a notice along the lines of:

  We could not deliver your message to [EMAIL PROTECTED]
  Log of conversation:
  RCPT TO: [EMAIL PROTECTED]
  OK
  DATA
  5.0.0 Message looks like spam.

A bounce occurs after the receiving MTA has accepted the message for delivery, and is a new email message from the *receiving* MTA that looks like "Your message was not delivered because ..."

Generally, bouncing (the receiver generating a response email) is NOT a good idea when processing spam. This leads to Joe Jobs. Rejecting is acceptable, because the sending MTA shouldn't be an open relay and thus should only notify legitimate senders about non-delivery.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
...to announce there must be no criticism of the President or to stand by the President right or wrong is not only unpatriotic and servile, but is morally treasonous to the American public. -- Theodore Roosevelt, 1918
7 days until Bill of Rights day
Spamd and Spamassassin filtering differently
Spamd and Spamassassin are filtering in a different way. Why? As you can see, the results of the two tests are different, although it's the same email. Where is the difference? I tried spamassassin --lint and /etc/init.d/spamd restart, but nothing worked.

spamc -c mail.txt
3.6/5.0

spamassassin mail.txt
Content analysis details: (21.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.6 NO_REAL_NAME           From: does not include a real name
 1.5 FROM_BLANK_NAME        From: contains empty name
 1.9 DATE_IN_FUTURE_96_XX   Date: is 96 hours or more after Received: date
  10 NASTY_STOCKS           BODY: Nasty stock mails
 0.1 BAD_CREDIT             BODY: Eliminate Bad Credit
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [210.72.20.249 listed in sbl-xbl.spamhaus.org]
 1.1 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: ingreats.com]
 3.6 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: ingreats.com]
DomainKeys and DKIM for Windows?
Has anyone managed to build DomainKeys or DKIM modules for Windows? I managed to build the OpenSSL libraries OK, but can't get Crypt::OpenSSL::RSA to install, so DomainKeys won't either... Any ideas?

Bret
Re: Botnet 0.6 plugin for Spam Assassin available
Question, how can we avoid tagging messages that are sent to our server from a remote connection if they use authenticated SMTP?

Example: I have a user who is on a different network, using my mail server, so I let them in via authenticated SMTP; every message they send gets tagged because of Botnet or Relay Checker.

Thanks,
Billy

----- Original Message -----
From: decoder [EMAIL PROTECTED]
To: John Rudd [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Friday, December 08, 2006 5:03 AM
Subject: Re: Botnet 0.6 plugin for Spam Assassin available
SpamAssassin rules problem
Hi,

I was having some problems with SpamAssassin rules in local.cf. I am trying to write some custom rules but it doesn't seem to be taking these values. I ran spamassassin --lint local.cf and it is showing no errors. After that I ran the spamc -R command to run a check for the rules, but it is not reporting in the analysis.

=== spamc -R ===
Subject:Symbol Symbol
2.6/5.0
Spam detection software, running on the system interlink.xcomplete-hosting.com, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details.

Content preview: Symbol [...]

Content analysis details: (2.6 points, 5.0 required)

 pts rule name      description
---- -------------- --------------------------------------------------
-0.0 NO_RELAYS      Informational: message was not relayed via SMTP
 2.5 MISSING_HB_SEP Missing blank line between message header and body
 0.0 BAYES_50       BODY: Bayesian spam probability is 40 to 60%
                    [score: 0.5197]
-0.0 NO_RECEIVED    Informational: message has no Received headers
 0.1 TO_CC_NONE     No To: or Cc: header

=== local.cf ===
# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_score 5
rewrite_header subject [SPAM]
use_bayes 1
bayes_auto_learn 1
skip_rbl_checks 0
use_pyzor 1

body LOCAL_DEMONSTRATION_RULE /symbol/
score LOCAL_DEMONSTRATION_RULE 6.0
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule
=== end of local.cf ===

Best Regards,
Kailash
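Both the one-off Message-ID rule in the "blacklist message ID" thread above and the body rule in this post come down to how SpamAssassin's header/body rule syntax and regex flags behave. Here is an added, stand-alone evaluator for just the subset of .cf syntax used in those posts (header and body rules, score, describe), so a custom rule can be tried against a saved message offline before it goes into local.cf. It is not SpamAssassin's own matcher and simplifies it: SA runs body rules over rendered, whitespace-collapsed text and understands many more directives, while this only handles the shapes shown above. The rules file and the two messages, including the Message-ID, are constructed for the demo and are not the ones from the threads.

```python
"""Added example: a small evaluator for the subset of SpamAssassin .cf rule
syntax used in the posts above (header/body rules, score, describe), so a
custom rule can be tried against a saved message offline before it goes into
local.cf. This is not SpamAssassin's own matcher and simplifies it: SA runs
body rules over rendered, whitespace-collapsed text and supports many more
directives; here only the shapes shown in the posts are understood. The
rules file and the two messages are constructed for the demo, including the
Message-ID, which is not the one from the thread."""
import re
from email import message_from_string

RULE_RE = re.compile(
    r'^(?P<type>header|body)\s+(?P<name>\S+)\s+'
    r'(?:(?P<hdr>[\w-]+)\s*=~\s*)?/(?P<re>.*)/(?P<flags>[imsx]*)$')
FLAG_BITS = {'i': re.I, 'm': re.M, 's': re.S, 'x': re.X}


def parse_rules(cf_text):
    """Return {name: {type, hdr, regex, score, describe}} for every rule with a regex."""
    rules = {}
    new = lambda: {'score': 1.0, 'describe': ''}   # SA's default score is 1.0
    for raw in cf_text.splitlines():
        line = raw.split('#', 1)[0].strip()         # '#' starts a comment, as in SA
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            if m['type'] == 'header' and not m['hdr']:
                raise ValueError(f'header rule needs "Header =~": {line}')
            flags = 0
            for ch in m['flags']:
                flags |= FLAG_BITS[ch]
            rules.setdefault(m['name'], new()).update(
                type=m['type'], hdr=m['hdr'], regex=re.compile(m['re'], flags))
            continue
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == 'score':
            # SA allows up to four scores (by bayes/net availability); use the first
            rules.setdefault(parts[1], new())['score'] = float(parts[2].split()[0])
        elif len(parts) == 3 and parts[0] == 'describe':
            rules.setdefault(parts[1], new())['describe'] = parts[2]
    return {n: r for n, r in rules.items() if 'regex' in r}


def body_text(msg):
    """Decoded text parts joined and whitespace-collapsed, roughly SA's rendered body."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == 'text':
            raw = part.get_payload(decode=True) or b''
            chunks.append(raw.decode(part.get_content_charset() or 'us-ascii', 'replace'))
    return ' '.join(' '.join(chunks).split())


def evaluate(rules, raw_message):
    """Return ({rule: score} for the rules that hit, total score rounded to 0.1)."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    hits = {}
    for name, r in rules.items():
        if r['type'] == 'header':
            targets = [str(v) for v in msg.get_all(r['hdr'], [])]
        else:
            targets = [body]
        if any(r['regex'].search(t) for t in targets):
            hits[name] = r['score']
    return hits, round(sum(hits.values()), 1)


LOCAL_CF = r"""
# one-off kill rule for a looping message (constructed Message-ID)
header TMP_MSGID_01 Message-ID =~ /<20061208\.1234\.loop@mail\.example\.com>/
score  TMP_MSGID_01 1000

# the demo body rule as posted: case-sensitive, so it misses "Symbol"
body  LOCAL_DEMONSTRATION_RULE /symbol/
score LOCAL_DEMONSTRATION_RULE 6.0
describe LOCAL_DEMONSTRATION_RULE This is a simple test rule

# the same rule with the /i flag, which is what a capitalised "Symbol" needs
body  LOCAL_DEMONSTRATION_RULE_I /symbol/i
score LOCAL_DEMONSTRATION_RULE_I 6.0
"""

LOOPING_MSG = """Message-ID: <20061208.1234.loop@mail.example.com>
From: employee@example.com
To: list@example.com
Subject: hourly auto-forward

this message comes back every hour
"""

STOCK_MSG = """From: tips@example.net
To: victim@example.com
Subject: Symbol

Symbol ABCD is about to move, buy now
"""

if __name__ == '__main__':
    rules = parse_rules(LOCAL_CF)
    for label, msg in (('looping', LOOPING_MSG), ('stock', STOCK_MSG)):
        print(label, evaluate(rules, msg))
```

Run against the two constructed messages, the Message-ID rule scores the looping message at 1000, and the body rule as posted does not fire on "Symbol" while the /i variant does; the same evaluator also shows that a header-only test file with no blank line has an empty body, which is what MISSING_HB_SEP is reporting above.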
SPF not working with these headers, why?
I should probably submit this to bz, but I thought I'd ask here first in case it's obvious... Why is SPF_PASS not firing on this?

X-Spam-Tests: tests=AWL=-1.710,BAYES_50=0.001,BOTNET=0.5,BOTNET_BADDNS=0.01,
 BOTNET_NOSPF=3.5,DNS_FROM_RFC_ABUSE=0.2,DNS_FROM_RFC_POST=1.708,
 FM_WHITEONWHITE=0.45,HTML_50_60=0.134,HTML_MESSAGE=0.001,
 MIME_HEADER_CTYPE_ONLY=0,MIME_HTML_ONLY=0.001,MSGID_FROM_MTA_ID=1.393,
 SARE_UNA=1.231;autolearn=no
X-Spam-Score: 7.4
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mail.hq.wcg.org
X-Spam-Level: +++
X-TFF-CGPSA-Version: 1.6a5
X-WCG-CGPSA-Filter: Scanned
X-SPAM-FLAG: Yes
Return-Path: [EMAIL PROTECTED]
Received: from [65.17.198.50] (HELO 123greetings.info) by mail.wcg.org (CommuniGate Pro SMTP 5.1.3) with SMTP id 19467966 for [EMAIL PROTECTED]; Fri, 08 Dec 2006 08:40:46 -0800
Received-SPF: pass receiver=mail.wcg.org; client-ip=65.17.198.50; [EMAIL PROTECTED]
Content-Type: text/html; charset=US-ASCII
Date: Fri, 8 Dec 2006 11:40:25 -0500
To: [EMAIL PROTECTED]
From: Editor Bob [EMAIL PROTECTED]
X-Mailer: Version 5.0
Subject: Celebrate the Holiday Season
Organization: 123Greetings.info
Message-ID: [EMAIL PROTECTED]
RE: How can I learn a mail which how many score it got from each my rules?
Larry Rosenman wrote:
Halid Faith wrote:
I use spamassassin 3.1.7. I go through some mails. I see a mail in /var/log/spamd.log as below:

Wed Dec 6 13:33:49 2006 [4484] info: spamd: result: Y 15 - EXTRA_MPART_TYPE,FRONTPAGE,HTML_MESSAGE,INVALID_DATE,MIME_BOUND_NEXTPART,MIME_QP_LONG_LINE,MSGID_MULTIPLE_AT,SARE_GIF_ATTACH,SARE_OBFUGIRLS,SUBJ_ALL_CAPS,SUBJ_ILLEGAL_CHARS,TW_IY,UNPARSEABLE_RELAY,UPPERCASE_25_50

Yet, I can't understand which of my rules gave that mail how much score. How can I learn how much score a mail got from each of my rules? Is there a command for it?

In your user_prefs, add the following:

report _TESTSSCORES( )_

That shows the tests *AND* the scores:

X-LERCTR-Spam-Report: (-108.6 points, 5.0 required) BAYES_00=-2.599 DK_POLICY_SIGNSOME=0.001 SPF_PASS=-0.001 UPPERCASE_25_50=0 USER_IN_WHITELIST=-100 USER_IN_WHITELIST_TO=-6

I haven't seen that one before. I might start using that as my default setting. What I do on my personal account and one or two others is add the full spam report. This should already be in the headers for spam, but I add it for both so I can see the details for rule hits on ham as well. Just add the following line to either local.cf or a user's user_prefs file.

add_header all Report _REPORT_

-- Bowie
Re: TMDA SA
Jean-Paul Natola wrote: Is anyone on here using , or have any comments/feedback regarding the use of TMDA SA ? http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29 Yes. Don't use challenge response. Here is a good write-up/rant about the evils of it. http://linuxmafia.com/faq/Mail/challenge-response.html Bob
unsubscribe
Re: unsubscribe
At 10:09 AM 12/8/2006, you wrote: As the headers of every message state: list-unsubscribe: mailto:[EMAIL PROTECTED]
Re: Spamd and Spamassassin filtering differently
Neo23x0 wrote: Spamd and Spamassassin are filtering in a different way. Why? As you can see, the results of the two tests are different, although it's the same email. Where is the difference? I tried spamassassin --lint and /etc/init.d/spamd restart, but nothing worked. spamc -c mail.txt 3.6/5.0 Run spamc without the -c flag; that should return the message *with* a complete report similar to what you got for spamassassin Comparing which rules actually hit will tell you a great deal about differences in how the two calls are processing mail. Just offhand, I'd guess that your spamd instance isn't running RBL rules, and it looks like a custom rule isn't hitting either based on its score of 10 (!!). -kgd
Re: SPF not working with these headers, why?
Bret Miller wrote: I should probably submit this to bz, but I thought I'd ask here first in case it's obvious... Why is SPF_PASS not firing on this? Run the message through spamassassin -Dspf and find out. Daryl
Re: Spamd and Spamassassin filtering differently
Kris Deugau wrote:
Run spamc without the -c flag; that should return the message *with* a complete report similar to what you got for spamassassin

Right. I know that a set of fewer rules match while using spamd. *pf*

Kris Deugau wrote:
Comparing which rules actually hit will tell you a great deal about differences in how the two calls are processing mail. Just offhand, I'd guess that your spamd instance isn't running RBL rules, and it looks like a custom rule isn't hitting either based on its score of 10 (!!).
-kgd

Hey, I assumed that before. Cool. The problem is that I can't figure out how to change that. I use qmail with spamd.

/etc/init.d/spamd wrote:
SPAMD_BIN=/usr/sbin/spamd
SPAMD_CONFIG=/etc/sysconfig/spamd

/etc/sysconfig/spamd wrote:
SPAMD_ARGS=-d -c -a -L

Spamassassin is up to date.
- SpamAssassin version 3.1.7; running on Perl version 5.8.3
- SpamAssassin Client version 3.1.7

How do I configure spamd to use the rule set that is used by invoking spamassassin?

-- View this message in context: http://www.nabble.com/Spamd-and-Spamassassin-filtering-differently-tf2781676.html#a7763175
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Botnet 0.6 plugin for Spam Assassin availabile
On Fri, 8 Dec 2006, Billy Huddleston wrote: Question, how can we avoid tagging messages that are sent to our server from a remote connection if they use authenticated SMTP ?? Example: I have a user who is on a different network, using my mail server, so I let them via authenticated SMTP, every message they send gets tagged because of Bot Net or Relay Checker.. Don't pass email from authenticated users to SA at all. *how* you do that is MTA-specific. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- ...to announce there must be no criticism of the President or to stand by the President right or wrong is not only unpatriotic and servile, but is morally treasonous to the American public. -- Theodore Roosevelt, 1918 --- 7 days until Bill of Rights day
Re: Spamd and Spamassassin filtering differently
On Fri, Dec 08, 2006 at 10:49:20AM -0800, Neo23x0 wrote:
/etc/sysconfig/spamd wrote:
SPAMD_ARGS=-d -c -a -L
How do I configure spamd to use the rule set that is used by invoking spamassassin?

Run it the same way. ;) The first thing is removing the -L which disables network tests.

-- Randomly Selected Tagline: A successful tool is one that was used to do something undreamt by its author. - Stephen C. Johnson
Re: Spam assasin rules problem
On Fri, Dec 08, 2006 at 05:11:14PM +, kailash vyas wrote:
I ran spamassasin -lint local.cf and it is showing no errors

fwiw, it's just spamassassin --lint. Adding -D is generally useful too.

After that I ran spamc -R command to run a check for the rules but it is not reporting in the analysis

Have you restarted spamd?

-- Randomly Selected Tagline: If your feet smell and your nose runs, you were built upside down.
RE: TMDA SA
Jean-Paul Natola wrote: Is anyone on here using , or have any comments/feedback regarding the use of TMDA SA ? http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29 Yes. Don't use challenge response. Here is a good write-up/rant about the evils of it. http://linuxmafia.com/faq/Mail/challenge-response.html Bob I'm a bit confused here (what else is new) is there a difference between Challenge-Response and Sender address Verification? Some articles say they are two -different animals other say yes they are the same Either way I do not intend to use CR- just wondering what, if any, are the diff
This seen on Dice
Any takers? ;-) http://seeker.dice.com/seeker.epl?rel_code=1102op=5type=14dockey=xml/7/a/[EMAIL PROTECTED]bb=0source=15
RE: This seen on Dice
From: Philip Prindeville [mailto:[EMAIL PROTECTED] Any takers? ;-) http://seeker.dice.com/seeker.epl?rel_code=1102op=5type=14docke y=xml/7/a/[EMAIL PROTECTED]bb=0source=15 Aaaah! I need a telecommuter and I don't even know what's it... g
RE: SPF not working with these headers, why?
Bret Miller wrote:
I should probably submit this to bz, but I thought I'd ask here first in case it's obvious... Why is SPF_PASS not firing on this?

Run the message through spamassassin -Dspf and find out.
Daryl

OK. It says:

[2840] dbg: spf: checking HELO (helo=, ip=65.17.198.50)
[2840] dbg: spf: cannot get HELO, cannot use SPF
[2840] dbg: spf: checking EnvelopeFrom (helo=, ip=65.17.198.50, [EMAIL PROTECTED])
[2840] dbg: spf: cannot get HELO, cannot use SPF
[2840] dbg: spf: def_whitelist_from_spf: [EMAIL PROTECTED] is not in DEF_WHITELIST_FROM_SPF
[2840] dbg: spf: whitelist_from_spf: [EMAIL PROTECTED] is not in user's WHITELIST_FROM_SPF

Which would indicate it's not parsing the Received header correctly, so I guess a bz ticket is in order.

Bret
Re: TMDA SA
Jean-Paul Natola wrote: I'm a bit confused here (what else is new) is there a difference between Challenge-Response and Sender address Verification? Some articles say they are two -different animals other say yes they are the same They are completely different animals. In terse summary Challenge Response sends a message to the probably forged sender address on received mail. An innocent victim of a forged message will receive this CR spam. My address is widely dispersed and often appears on forged email. I routinely get CR spam from sites using TMDA. I routinely respond to those challenges to enable the delivery of the original spam and viruses. CR is designed to reduce spam to a particular mailbox at the cost of producing spam to many, many other mailboxes. That is very rude. By contrast sender address verification never generates an email message. It cannot generate spam. What sender address verification does is to probe the address to verify that the sender will receive a bounce if the original message were undeliverable. If they will receive a bounce, without actually generating one, then message delivery continues. If the sender will not receive a bounce then message delivery fails at that point. This is not designed to block forgeries. This is designed to block invalid sender mail addresses. Either way I do not intend to use CR- just wondering what, if any, are the diff When you say TMDA everyone will immediately think challenge response because TMDA's primary functionality is CR. TMDA will also do other things too and some people, a minority, use it for those other features. But the majority use case for TMDA is for challenge response and that is the problem case. Bob
RE: SPF not working with these headers, why?
Bret Miller wrote:
I should probably submit this to bz, but I thought I'd ask here first in case it's obvious... Why is SPF_PASS not firing on this?

Run the message through spamassassin -Dspf and find out.
Daryl

OK. It says:

[2840] dbg: spf: checking HELO (helo=, ip=65.17.198.50)
[2840] dbg: spf: cannot get HELO, cannot use SPF
[2840] dbg: spf: checking EnvelopeFrom (helo=, ip=65.17.198.50, [EMAIL PROTECTED])
[2840] dbg: spf: cannot get HELO, cannot use SPF
[2840] dbg: spf: def_whitelist_from_spf: [EMAIL PROTECTED] is not in DEF_WHITELIST_FROM_SPF
[2840] dbg: spf: whitelist_from_spf: [EMAIL PROTECTED] is not in user's WHITELIST_FROM_SPF

Which would indicate it's not parsing the Received header correctly, so I guess a bz ticket is in order.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5234
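The debug output above shows the SPF plugin giving up with helo= empty even though it has the client IP: the CommuniGate Pro Received: line puts the IP in brackets first and the HELO name in parentheses after it, the reverse of the Sendmail/Postfix layout most parsers expect. The following Python is an added illustration, not SpamAssassin's own Received-header parser (which handles many more formats); it shows the two layouts side by side and why a parser that only knows the common one yields exactly the "ip present, helo empty" pair seen in the debug lines. The Postfix-style line and its addresses are constructed with documentation values, and the recipient in the CommuniGate line is a placeholder for the redacted address.

```python
import re

# Sample Received: header bodies. The first is the CommuniGate Pro line from the
# thread (recipient replaced by a placeholder); the second is a constructed
# Postfix-style line using documentation addresses.
COMMUNIGATE_LINE = (
    "from [65.17.198.50] (HELO 123greetings.info) by mail.wcg.org "
    "(CommuniGate Pro SMTP 5.1.3) with SMTP id 19467966 "
    "for <redacted@example.org>; Fri, 08 Dec 2006 08:40:46 -0800"
)
POSTFIX_LINE = (
    "from mail.example.net (mail.example.net [192.0.2.10]) "
    "by mx.example.org (Postfix) with ESMTP id 4F2A3C1 "
    "for <user@example.org>; Fri, 08 Dec 2006 08:41:00 -0800"
)

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Layout 1 (Sendmail/Postfix/Exim style): "from <helo> (<rdns> [<ip>])" or
# "from <helo> ([<ip>])". The HELO name comes first; the IP sits in brackets.
COMMON_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>" + IPV4 + r")\]\)"
)

# Layout 2 (CommuniGate Pro style): "from [<ip>] (HELO <helo>)". The IP comes
# first and the HELO name is labelled explicitly inside the parentheses.
COMMUNIGATE_RE = re.compile(
    r"^from\s+\[(?P<ip>" + IPV4 + r")\]\s+\(HELO\s+(?P<helo>\S+)\)", re.IGNORECASE
)

# The client IP is easy to find in either layout: it is the first bracketed address.
BRACKET_IP_RE = re.compile(r"\[(" + IPV4 + r")\]")


def extract_helo_and_ip(line, layouts=(COMMON_RE, COMMUNIGATE_RE)):
    """Return {'helo': ..., 'ip': ...}; a field is '' when no known layout supplies it."""
    text = line.strip()
    if text.lower().startswith("received:"):
        text = text[len("received:"):].strip()
    ip_match = BRACKET_IP_RE.search(text)
    ip = ip_match.group(1) if ip_match else ""
    helo = ""
    for pattern in layouts:
        match = pattern.match(text)
        if match:
            helo = match.group("helo")
            break
    return {"helo": helo, "ip": ip}


def can_use_spf(fields):
    """SPF needs both the connecting IP and the HELO (or envelope) identity."""
    return bool(fields["helo"]) and bool(fields["ip"])


if __name__ == "__main__":
    for label, line in (("communigate", COMMUNIGATE_LINE), ("postfix", POSTFIX_LINE)):
        print(label, "common layout only:", extract_helo_and_ip(line, (COMMON_RE,)))
        print(label, "both layouts:      ", extract_helo_and_ip(line))
```

With only the common layout known, the CommuniGate line yields helo="" and ip=65.17.198.50, which is exactly what the debug output prints before it says "cannot get HELO, cannot use SPF"; teaching the parser the second layout restores both fields. When you hit a header format a filter does not parse, the useful bug report is the raw Received: line plus the fields you expected out of it, as done in the ticket above.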
RE: TMDA SA
Jean-Paul Natola wrote: I'm a bit confused here (what else is new) is there a difference between Challenge-Response and Sender address Verification? Some articles say they are two -different animals other say yes they are the same They are completely different animals. In terse summary Challenge Response sends a message to the probably forged sender address on received mail. An innocent victim of a forged message will receive this CR spam. My address is widely dispersed and often appears on forged email. I routinely get CR spam from sites using TMDA. I routinely respond to those challenges to enable the delivery of the original spam and viruses. CR is designed to reduce spam to a particular mailbox at the cost of producing spam to many, many other mailboxes. That is very rude. By contrast sender address verification never generates an email message. It cannot generate spam. What sender address verification does is to probe the address to verify that the sender will receive a bounce if the original message were undeliverable. If they will receive a bounce, without actually generating one, then message delivery continues. If the sender will not receive a bounce then message delivery fails at that point. This is not designed to block forgeries. This is designed to block invalid sender mail addresses. Either way I do not intend to use CR- just wondering what, if any, are the diff When you say TMDA everyone will immediately think challenge response because TMDA's primary functionality is CR. TMDA will also do other things too and some people, a minority, use it for those other features. But the majority use case for TMDA is for challenge response and that is the problem case. Bob is Sender Address Verification a feasible option? Let me rephrase , does anyone here use it? If not why?
Re: Spamd and Spamassassin filtering differently
Theo Van Dinter-2 wrote:
Run it the same way. ;) The first thing is removing the -L which disables network tests.

Thanks. Just changed it.

Ok, but my question is still unanswered. I have a lot of really nice *.cf files in my /usr/share/spamassassin directory, but it seems that spamd doesn't use them. Why? Which conf files does spamd use? Where is the hack? I can't find anything in a manual or online documentation.

dir listing wrote:
ls /usr/share/spamassassin/
.  ..  10_misc.cf  20_advance_fee.cf  20_anti_ratware.cf  20_body_tests.cf
20_compensate.cf  20_dnsbl_tests.cf  20_drugs.cf  20_fake_helo_tests.cf
20_head_tests.cf  20_html_tests.cf  20_meta_tests.cf  20_net_tests.cf
20_phrases.cf  20_porn.cf  20_ratware.cf  20_uri_tests.cf  23_bayes.cf
25_accessdb.cf  25_antivirus.cf  25_body_tests_es.cf  25_body_tests_pl.cf
25_dcc.cf  25_dkim.cf  25_domainkeys.cf  25_hashcash.cf  25_pyzor.cf
25_razor2.cf  25_replace.cf  25_spf.cf  25_textcat.cf  25_uribl.cf
30_text_de.cf  30_text_fr.cf  30_text_it.cf  30_text_nl.cf  30_text_pl.cf
30_text_pt_br.cf  50_scores.cf  60_awl.cf  60_whitelist.cf  60_whitelist_dk.cf
60_whitelist_dkim.cf  60_whitelist_spf.cf  60_whitelist_subject.cf
70_neos_whitelist_subject.cf  70_zmi_german.cf  languages
sa-update-pubkey.txt  triplets.txt  user_prefs.template

-- View this message in context: http://www.nabble.com/Spamd-and-Spamassassin-filtering-differently-tf2781676.html#a7764285
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
RE: This seen on Dice
From: Philip Prindeville [mailto:[EMAIL PROTECTED] Any takers? ;-) http://seeker.dice.com/seeker.epl?rel_code=1102op=5type=14docke y=xml/7/a/[EMAIL PROTECTED]bb=0source=15 Aaaah! I need a telecommuter and I don't even know what's it... g Maybe they are setting a trap for spammers?
RE: This seen on Dice
-Original Message- From: Jean-Paul Natola [mailto:[EMAIL PROTECTED] Sent: Friday, December 08, 2006 9:09 PM To: Giampaolo Tomassoni; users@spamassassin.apache.org Subject: RE: This seen on Dice From: Philip Prindeville [mailto:[EMAIL PROTECTED] Any takers? ;-) http://seeker.dice.com/seeker.epl?rel_code=1102op=5type=14docke y=xml/7/a/[EMAIL PROTECTED]bb=0source=15 Aaaah! I need a telecommuter and I don't even know what's it... g Maybe they are setting a trap for spammers? Mmmm, nah! From Florida? You mean, a sound, hurting trap for lizards? It seems a real hiring ad. In USA spam is legal, am I wrong? So, hiring somebody for that job is legal too. g
RE: Spamd and Spamassassin filtering differently
Forth, the .cf's are off of /var if you use sa-update Dan -Original Message- From: Theo Van Dinter [mailto:[EMAIL PROTECTED] Sent: Friday, December 08, 2006 3:14 PM To: users@spamassassin.apache.org Subject: Re: Spamd and Spamassassin filtering differently On Fri, Dec 08, 2006 at 12:03:17PM -0800, Neo23x0 wrote: Ok, but my question is still unanswered. I have a lot of really nice *.cf files in my /usr/share/spamassassin directory, but it seems that spamd doesn't use them. Why? Which conf-Files uses spamd? Where is the hack. I can't find anything in a manual or online documentation. First, don't do that. Your own config files (and any cf files that aren't part of the default distribution) should go into /etc/mail/spamassassin (or wherever you keep your site-wide configs). Second, as usual, run with -D and find out what's going on. Third, man spamassassin has a large amount of information about what files/dir are used for configs. -- Randomly Selected Tagline: Why are there certain flavors of pet food? Chicken, beef...
Re: Spamd and Spamassassin filtering differently
Theo Van Dinter-2 wrote:
First, don't do that. Your own config files (and any cf files that aren't part of the default distribution) should go into /etc/mail/spamassassin (or wherever you keep your site-wide configs). Second, as usual, run with -D and find out what's going on. Third, man spamassassin has a large amount of information about what files/dir are used for configs.

Ok, moved the files. Reloaded spamassassin with -D --lint and found my /etc/mail/spamassassin/70_*.cf files. Well, well. Spamassassin itself works correctly, so I guess that I don't need the params for spamassassin, but for spamd.

Example:

spamassassin mail.txt

Content analysis details: (10.0 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
  10 NEOS_BLACK             BODY: Blacklist Rule for testing purpose
 0.0 UPPERCASE_25_50        message body is 25-50% uppercase
 0.0 AWL                    AWL: From: address is in the auto white-list

spamc -R mail.txt

Content analysis details: (1.5 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 EMPTY_MESSAGE          Message appears to have no textual parts and no Subject: text

Where is the difference? What config files does spamd use? Is it that param?

-V, --virtual-config=dir    Enable Virtual configs (needs -x)
--virtual-config-dir=dir    Enable pattern based Virtual configs (needs -x)

-- View this message in context: http://www.nabble.com/Spamd-and-Spamassassin-filtering-differently-tf2781676.html#a7764696
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: How do I know if DCC is running and working?
Try

$ spamassassin --debug --lint

(or

$ spamassassin --debug --lint 2>&1 | less

) and look in the output for DCC. The DCC daemon doesn't have to be running for DCC to work. I've found that if the DCC daemon is running I get timeout errors at times and nobody's been able to show me how to get rid of them.
bayes db site wide or per user
Hi to all, a month a go we implemented a mailcluster based on postfix/mysql/nfs/amavisd-new/spamassassin and now we would like to add bayesian filtering to the system. Our Cluster is designed to scale for about 100 000 mailboxes. The users should forward spam and ham to sa-learn by sending the mails as attachment to a specific address: [EMAIL PROTECTED] or [EMAIL PROTECTED] Is it a bad idea to use a site wide bayes database or is it better to use a per user database in this scenario? How resistent is a site wide setup with a lot of mailboxes against poisoning? Thanks! Alex
Re: This seen on Dice
On Fri, 08 Dec 2006 12:36:11 -0700, you wrote: Any takers? ;-) http://seeker.dice.com/seeker.epl?rel_code=1102op=5type=14dockey=xml/7/a/[EMAIL PROTECTED]bb=0source=15 They have got to be joking..then again, I'd believe just about anything these days ===[George R. Kasica]===+1 262 677 0766 President +1 206 374 6482 FAX Netwrx Consulting Inc. Jackson, WI USA http://www.netwrx1.com [EMAIL PROTECTED] ICQ #12862186
RE: This seen on Dice
And all this from DICE that spams the hell out of me non stop? I remember them from '94? Spamming the fl.jobs.* newsgroups till they were useless? This must be for themselves.
RE: This seen on Dice
Any takers? ;-) http://seeker.dice.com/seeker.epl?rel_code=1102op=5type=14dockey=xml/7/a /[EMAIL PROTECTED]bb=0source=15 I guess we know who is job hunting :)
Re: TMDA SA
Jean-Paul Natola wrote: Is anyone on here using , or have any comments/feedback regarding the use of TMDA SA ? http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29 TMDA is an acceptable criteria for being blacklisted by spamcop. ie: don't use TMDA, it's evil. It's simply a way of trying to foist your spam filtering problems into someone else's mailbox.
Re: blacklist-uri.cf
LuKreme wrote: Is there something about blacklist-uri.cf That I should know? It uses an *ABSURD* amount of memory, and is 100% redundant with the WS list on surbl.org. Don't use it unless BOTH of the following are true: 1) the idea of increasing your mailserver memory load by a couple of gigs doesn't worry you. 2) the idea of adding 100ms of latency for a DNS lookup has kept you form enabling the URIBL plugin. If I install it I seem to get lint errors in seemingly random locations (usually when it reads $HOME/.spamassassin/user_pref but it can be several other places as well) As a note, it WAS running for a long time on my mailserver without issue, but recently RDJ has been giving me lint errors and after testing each .cf file I found that one was the culprit.
RE: TMDA SA
Hi,

if someone sends you lots of crap from a handful of forged addresses, and your verification does not cache results, you might create a lot of connects to innocent systems (and possibly get blacklisted for that).

What happens if the other side does the same, and starts an smtp connection to your server in response to your verification attempt? You might get two machines locking up each other. A careful design (verifying at DATA command) would probably avoid that.

Both sender address validation and CR may lose valid email.

I am using address verification but in the context of a web form: if a visitor is supplying an email that seems to be unreachable, he/she would be asked to supply a different one.

Wolfgang Hamann

Jean-Paul Natola wrote:
is Sender Address Verification a feasible option? Let me rephrase, does anyone here use it? If not why?
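Bob's description earlier in the thread (a probe that checks whether the sender would receive a bounce, without ever generating one) and Wolfgang's two cautions above (cache the verdicts so a burst of forgeries does not turn into a burst of callouts, and never let a temporary failure count as a rejection) can be shown in one short simulation. The following Python is an added example, not TMDA's code nor the callout implementation of any MTA (Exim's sender callout verification and Postfix's reject_unverified_sender are the production versions of this idea, with more states than shown here). The remote MX is a constructed in-memory stand-in, and the connect callback that maps a domain to it is hypothetical; both sides' SMTP lines are recorded so you can see that the exchange stops before DATA.

```python
import time


class FakeRemoteMta:
    """Constructed stand-in for the sender domain's MX; it knows which mailboxes exist."""

    def __init__(self, mailboxes, hostname="mx.example.net"):
        self.mailboxes = {m.lower() for m in mailboxes}
        self.hostname = hostname
        self.transcript = []  # (who, line): 'C' for the verifying side, 'S' for this MX

    def dialogue(self, client_lines):
        """Answer each client command as a plain SMTP server would; return the replies."""
        self.transcript.append(("S", "220 %s ESMTP" % self.hostname))
        replies = []
        for line in client_lines:
            self.transcript.append(("C", line))
            verb = line.split(":")[0].split(" ")[0].upper()
            if verb in ("HELO", "EHLO"):
                reply = "250 %s" % self.hostname
            elif verb == "MAIL":
                reply = "250 2.1.0 Ok"
            elif verb == "RCPT":
                addr = line[line.index("<") + 1:line.index(">")].lower()
                reply = "250 2.1.5 Ok" if addr in self.mailboxes else "550 5.1.1 User unknown"
            elif verb == "QUIT":
                reply = "221 2.0.0 Bye"
            else:
                reply = "500 5.5.2 Command not recognized"
            self.transcript.append(("S", reply))
            replies.append(reply)
        return replies


class SenderVerifier:
    """Sender address verification by callout: probe with RCPT TO, never DATA, cache verdicts."""

    def __init__(self, connect, ttl_seconds=3600, clock=time.time):
        self.connect = connect  # hypothetical resolver: domain -> FakeRemoteMta, or None
        self.ttl = ttl_seconds
        self.clock = clock
        self.cache = {}         # sender -> (verdict, expiry): repeated forgeries cost one callout

    def verify(self, sender):
        """Return (verdict, from_cache); verdict is 'ok', 'reject' or 'unknown'."""
        sender = sender.lower()
        now = self.clock()
        hit = self.cache.get(sender)
        if hit and hit[1] > now:
            return hit[0], True
        mta = self.connect(sender.rsplit("@", 1)[-1])
        if mta is None:
            return "unknown", False      # MX unreachable: never treat that as a rejection
        replies = mta.dialogue([
            "HELO verifier.example.org",
            "MAIL FROM:<>",              # the null sender a real bounce would use
            "RCPT TO:<%s>" % sender,
            "QUIT",                      # stop here: no DATA, so nothing is ever delivered
        ])
        rcpt = replies[2]
        if rcpt.startswith("250"):
            verdict = "ok"
        elif rcpt.startswith("5"):
            verdict = "reject"
        else:
            return "unknown", False      # 4xx is temporary: do not cache it as a verdict
        self.cache[sender] = (verdict, now + self.ttl)
        return verdict, False
```

Only "reject" is a safe basis for refusing mail; "unknown" (no MX, a 4xx reply) should defer or accept, and even a 550 has false positives on domains that reject the null sender or run catch-all mailboxes, which is the "may lose valid email" point above.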
Rules du Jour (RDJ) and AntiDrug
To all RDJ users: I have removed ANTIDRUG from the script because the author requested it. The antidrug ruleset is included in SpamAssassin 3.0 and above, and is not being actively updated for use with SpamAssassin 2.64. After updating your system with RDJ version 1.30 or higher you will receive occasional warnings until you remove ANTIDRUG from the TRUSTED_RULESETS in the RDJ config file. Also, sorry for releasing so many updates to RDJ in such a short time period! Chris Thielen
Re: Rule update over DNS?
--On Friday, December 08, 2006 12:20 AM -0500 Duncan Findlay [EMAIL PROTECTED] wrote: That's a good point. Those of us packaging SpamAssassin for distributions should think about this. :-) Will it be okay if all Debian users start running sa-update on the same minute of the hour? Are those distributions joining the list of update mirrors? Can the mirroring be done by DNS round-robin, so that a random HTTP server will be chosen for the update? Is there a failover scheme so that a system finding a slow mirror without the update will switch to another mirror that has the update?
Re: Rules du Jour (RDJ) and AntiDrug
Chris Thielen wrote: To all RDJ users: I have removed ANTIDRUG from the script because the author requested it. The antidrug ruleset is included in SpamAssassin 3.0 and above, and is not being actively updated for use with SpamAssassin 2.64. After updating your system with RDJ version 1.30 or higher you will receive occasional warnings until you remove ANTIDRUG from the TRUSTED_RULESETS in the RDJ config file. By version 1.30 you mean the script? Where is the script available? http://www.exit0.us/index.php?pagename=RulesDuJour is not working. Also, sorry for releasing so many updates to RDJ in such a short time period! Thanks. -- René Berber
Re: blacklist-uri.cf
On 8-Dec-2006, at 16:11, Matt Kettler wrote:
It uses an *ABSURD* amount of memory, and is 100% redundant with the WS list on surbl.org.

The WS list? I don't think I'm set up for SURBL. I'm running RDJ with

TRUSTED_RULESETS="TRIPWIRE EVILNUMBERS RANDOMVAL BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_SPOOF SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER_ABUSE SARE_SPECIFIC SARE_CODING_HTML SARE_GENLSUBJ SARE_UNSUB SARE_URI0 SARE_REDIRECT_POST300 SARE_OBFU SARE_SPAMCOP_TOP200";

and with the following plugins/modules:

# grep -e ^load /usr/local/etc/mail/spamassassin/*.pre | awk {'print $2'}
Mail::SpamAssassin::Plugin::URIDNSBL
Mail::SpamAssassin::Plugin::Hashcash
Mail::SpamAssassin::Plugin::SPF
Mail::SpamAssassin::Plugin::DCC
Mail::SpamAssassin::Plugin::Pyzor
Mail::SpamAssassin::Plugin::Razor2
Mail::SpamAssassin::Plugin::SpamCop
Mail::SpamAssassin::Plugin::AntiVirus
Mail::SpamAssassin::Plugin::AWL
Mail::SpamAssassin::Plugin::AutoLearnThreshold
Mail::SpamAssassin::Plugin::TextCat
Mail::SpamAssassin::Plugin::WhiteListSubject
Mail::SpamAssassin::Plugin::MIMEHeader
Mail::SpamAssassin::Plugin::ReplaceTags
Mail::SpamAssassin::Plugin::DKIM

so I guess SURBL is set up, but how do I feed it a specific list like WS? And should I replace EvilNumbers and SARE_SPAMCOP with be.surbl.org and sc.surbl.org respectively? Or just use multi.surbl.org and be?

2) the idea of adding 100ms of latency for a DNS lookup has kept you from enabling the URIBL plugin.

Well, it looks like the PLUGIN is enabled, but I certainly am not seeing where to tell it what lists to use. It looks like I have to build my own rules/cf files in order to enable these checks? Are there pre-rolled cf files for the various SURBLs?

-- Living is easy with eyes closed, misunderstanding all you see
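On the question of how the URIDNSBL plugin is told which SURBL list to use: the stock 25_uribl.cf shipped with SpamAssassin 3.1 (it appears in the directory listing earlier in this thread) already queries the combined multi.surbl.org zone once per domain and selects individual lists by bitmask, so no extra .cf file is needed beyond loading the plugin. The following Python is an added illustration of that mechanism, not code from SpamAssassin or SURBL: it decodes the 127.0.0.N answer into list names, prints the rule triplet 25_uribl.cf uses for one list, and simulates the lookup against a constructed zone. The bit values are the ones SURBL documented for its multi list at the time (an assumption here; check surbl.org for the current table), and the SAMPLE_ZONE answers and domains are constructed.

```python
# Bit values SURBL assigned to the sub-lists combined in multi.surbl.org when this
# thread was written (assumed here; verify against surbl.org before relying on them).
SURBL_MULTI_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}

# Rule names the stock SpamAssassin 3.1 25_uribl.cf uses for those sub-lists.
RULE_FOR_LIST = {
    "sc": "URIBL_SC_SURBL", "ws": "URIBL_WS_SURBL", "ph": "URIBL_PH_SURBL",
    "ob": "URIBL_OB_SURBL", "ab": "URIBL_AB_SURBL", "jp": "URIBL_JP_SURBL",
}


def decode_multi_answer(answer):
    """Map a multi.surbl.org A-record answer (127.0.0.N) to the sub-list names set in N."""
    octets = answer.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        raise ValueError("not a multi.surbl.org answer: %r" % answer)
    mask = int(octets[3])
    return [name for bit, name in sorted(SURBL_MULTI_BITS.items()) if mask & bit]


def rule_snippet(list_name):
    """Return the 25_uribl.cf-style rule lines that select one sub-list by its bit."""
    bit = next(b for b, n in SURBL_MULTI_BITS.items() if n == list_name)
    rule = RULE_FOR_LIST[list_name]
    return "\n".join([
        "urirhssub %s multi.surbl.org. A %d" % (rule, bit),
        "body      %s eval:check_uridnsbl('%s')" % (rule, rule),
        "describe  %s Contains an URL listed in the %s SURBL blocklist" % (rule, list_name.upper()),
        "tflags    %s net" % rule,
    ])


def firing_rules(domains, zone):
    """Simulate the plugin: one lookup per domain under multi.surbl.org, then bitmask tests."""
    hits = set()
    for domain in domains:
        answer = zone.get(domain.lower() + ".multi.surbl.org")
        if answer:
            for list_name in decode_multi_answer(answer):
                hits.add(RULE_FOR_LIST[list_name])
    return sorted(hits)


# Constructed zone data standing in for real DNS answers (no network access).
SAMPLE_ZONE = {
    "spammy.example.multi.surbl.org": "127.0.0.6",   # sc (2) + ws (4)
    "phishy.example.multi.surbl.org": "127.0.0.8",   # ph (8)
}


if __name__ == "__main__":
    print(rule_snippet("ws"))
    print(firing_rules(["spammy.example", "phishy.example", "clean.example"], SAMPLE_ZONE))
```

One DNS query therefore answers for every sub-list at once, which is why a single multi.surbl.org lookup is cheaper than querying sc.surbl.org, ws.surbl.org and so on separately, and why the URIBL_*_SURBL rules can be scored independently even though they share a query.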
Re: TMDA SA
On 8-Dec-2006, at 12:27, Jean-Paul Natola wrote: I'm a bit confused here (what else is new) is there a difference between Challenge-Response and Sender address Verification? Some articles say they are two -different animals other say yes they are the same Some articles are written by morons then, as they are in no way the same. The latter is an automated check that the address listed as the sender is a valid address, the former is a prove-you-love-me irritation that, at least when I receive it, goes straight in my trash. Generating more email to try to protect YOUR mailbox at the expense of my time and resources is not cool. Do it often enough and you get listed in my permanent blacklist (I still have hosts in there from 1995). And that doesn't even deal with the issue of perfectly valid, but forged, sender addresses. Prove-you-love-me means you send THEM bucketloads of extra spam. -- Don't be nice. It's Creepy. Tendo Akane
Re: RulesDuJour
On 8-Dec-2006, at 01:46, Mike Kenny wrote: The configuration that I inherited had only got TRUSTED_RULESETS=TRIPWIRE SARE_EVILNUMBERS0 SARE_RANDOM; in /etc/rulesdujour/config. This obviously allows a lot of spam to filter through (or at elaast would allow the rules to become outdated). Looking at rulesdujour.sh I notice it references a lot mor rule sets than these. What problems might I encounter if I add all of these (except for those noted as pre 3.0) to my config file? Well, ALL of them would be a bit much. The drawback is that some will add some overheard, both in time and in resources, to processing messages. The more messages your mailserver gets, the more you care about that. I would look at the SARE ones and enable those that sound good to you, and see how that goes. -- You may be anti anti-spam-kook if: Despite having invented the FUSSP, you not only don't know the difference between the SMTP envelope and SMTP headers; you doubt there is such a thing as the SMTP envelope because email doesn't involve paper.
Re: How do I know if DCC is running and working?
On 8-Dec-2006, at 13:35, Robert S wrote:
spamassassin --debug --lint 2>&1 | less

I went with

# spamassassin -D --lint 2>&1 | grep -i dcc
[85448] dbg: config: read file /usr/local/share/spamassassin/25_dcc.cf
[85448] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8f63dcc)
[85448] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
[85448] dbg: dcc: local tests only, disabling DCC
[85448] dbg: plugin: registered Mail::SpamAssassin::Plugin::DCC=HASH(0x90d3b38)
[85448] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8f63dcc) implements 'parsed_metadata'
[85448] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8f63dcc) implements 'check_tick'
[85448] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8f63dcc) implements 'check_post_dnsbl'

no hits on DCC in maillog

-- It's better to burn out than it is to rust -- Neil Young as quoted by Kurt Cobain
Re: bayes db site wide or per user
On Fri, Dec 08, 2006 at 09:44:04PM +0100, Alex Handle wrote:
postfix/mysql/nfs/amavisd-new/spamassassin and now we
Is it a bad idea to use a site wide bayes database or is it better to use a per user database in this scenario?

Per user DBs will give you better results, but since you're running from the MTA, your only choice is site-wide.

-- Randomly Selected Tagline: Wheee! ...ow, I bit my tongue! --Ralph Wiggum Bart's Inner Child (Episode 1F05)
Re: false positives
On Thursday, December 07 2006, Sietse van Zanen wrote:
(off-topic) spamcop =?windows-1251?B?4vrv8O7x6A==?=
Was that really your subject, did you type that? I think the =?windows-1251?B?4vrv8O7x6A==?= is the double encoded part.

No, my subject was: (off-topic) spamcop проблеми

Your problem might be the result of some incompatibility between slavic - european character sets. But I'm not such an smtp expert. Other people probably can elaborate more on this.

Anybody?

SPF is Sender Policy Framework. More information can be found here: http://www.openspf.org/ It validates that the mail servers sending are really mail servers responsible for the domain they send mail for. So SPF matches are a good thing.

Yeah, I have an idea, but what's wrong with my mail servers?

More info on the AWL can be found here: http://wiki.apache.org/spamassassin/AutoWhitelist

Thanks.

From: Kamen TOMOV
Sent: Thu 07-Dec-06 18:00
To: users@spamassassin.apache.org
Subject: Re: false positives

On Thursday, December 07 2006, Sietse van Zanen wrote:
They contain too little information.

All right - here is more information. I sent a message to a group and I got it classified as spam. Here is the report:

* 1.7 SUBJECT_ENCODED_TWICE Subject: MIME encoded twice

Here is how the subject looked when I sent it:
(off-topic) spamcop =?windows-1251?B?4vrv8O7x6A==?=
It looks to me that it is not encoded twice. However, here is the subject of the message that was received in the list:
[SPAM] =?windows-1251?q?=5BSPAM=5D_=28off-topic=29_spamcop_=E2?= =?windows-1251?b?+u/w7vHo?=
..., which might have been encoded twice. So is that a problem of the mail-list?

* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* 0.1 FORGED_RCVD_HELO Received: contains a forged HELO

Can anybody tell me what "HELO matches SPF record" means?

* -0.0 SPF_PASS SPF: sender matches SPF record
* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.4115]
* 0.2 MIME_BASE64_NO_NAME RAW: base64 attachment does not have a file name

What attachments? I haven't attached anything to my message. It looks like spamassassin took the whole message as an attachment just because it is base64-encoded.

* 1.9 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding

I don't understand why a base64-encoded message is classified as disguised. My mail agent had just decided to encode the message in base64 encoding as it contains cp1251 characters, so what's wrong with that?

* 0.4 AWL AWL: From: address is in the auto white-list

Can anybody tell me what "From: address is in the auto white-list" means? If it is in a white list, why is the coefficient 0?

--
Камен
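The two Subject: values quoted in the report above can be checked directly. RFC 2047 allows several encoded-words next to each other (whitespace between them is dropped on decoding), so the relayed subject, where the list's [SPAM] prefix was folded into a new Q-encoded word followed by the rest of the original text as a B-encoded word, decodes cleanly in one pass; genuine double encoding means an encoded-word whose decoded text is itself another encoded-word. The following Python is an added example, not SpamAssassin's SUBJECT_ENCODED_TWICE rule (whose exact pattern is not quoted here); it decodes a header once with the standard library and reports whether an encoded-word survives the first decode. The two real subjects are from the report; DOUBLE_SUBJECT is constructed by Q-encoding the sent encoded-word again, character for character.

```python
import re
from email.header import decode_header

# RFC 2047 encoded-word: =?charset?B|Q?text?=
ENCODED_WORD_RE = re.compile(r"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")

# Subject lines from the report above: as sent, and as relayed by the list.
SENT_SUBJECT = "(off-topic) spamcop =?windows-1251?B?4vrv8O7x6A==?="
RELAYED_SUBJECT = ("[SPAM] =?windows-1251?q?=5BSPAM=5D_=28off-topic=29_spamcop_=E2?= "
                   "=?windows-1251?b?+u/w7vHo?=")
# Constructed example of genuine double encoding: the sent encoded-word was
# Q-encoded a second time as if it were plain text ('=' -> =3D, '?' -> =3F).
DOUBLE_SUBJECT = "=?utf-8?q?=3D=3Fwindows-1251=3FB=3F4vrv8O7x6A=3D=3D=3F=3D?="


def decode_once(raw):
    """Decode every encoded-word in a header value exactly one time."""
    pieces = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):            # str is returned only when nothing was encoded
            chunk = chunk.decode(charset or "ascii", errors="replace")
        pieces.append(chunk)
    return "".join(pieces)


def analyze_subject(raw):
    """Count encoded-words, decode once, and flag text that is still encoded afterwards."""
    once = decode_once(raw)
    double = ENCODED_WORD_RE.search(once) is not None
    return {
        "encoded_words": len(ENCODED_WORD_RE.findall(raw)),
        "decoded": once,
        "double_encoded": double,
        "fully_decoded": decode_once(once) if double else once,
    }


if __name__ == "__main__":
    for label, subject in (("sent", SENT_SUBJECT), ("relayed", RELAYED_SUBJECT),
                           ("constructed double", DOUBLE_SUBJECT)):
        print(label, analyze_subject(subject))
```

The relayed header contains two encoded-words but decodes in one pass to "[SPAM] [SPAM] (off-topic) spamcop ..." with the same Cyrillic tail as the sent header, so it is adjacent encoding, not nested encoding; only the constructed DOUBLE_SUBJECT needs a second decode. A rule that counts encoded-words rather than testing for nesting will fire on the relayed form, which is consistent with the list software, not the sender, being the trigger here.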
user_bayes_sql_custom_query ?
Hey folks,

So, I've been giving this some thought in the last week, as I'm running into the old "either site bayes or per-user bayes, nothing in between" issue. I'm using simscan, which passes the first email address to spamc, so for me it's a per-email-address limitation.

For a majority of my users, that's fine - they only have _one_ email address. For me, it's a problem, as I have dozens of email addresses that are delivered to me, and sorted via maildrop. Many of these secondary addresses get tons of spam, but because they're delivered to aliases, SA never applies bayes scoring, because the user doesn't match the user my bayes database uses (using SQL, of course).

I would _love_ to have a bayes equivalent of user_score_sql_custom_query, where spamd would query a table consisting of something like so:

  email_alias CHAR(64)
  email_user CHAR(64)

or something similar. That way, I could populate it with data like:

  [EMAIL PROTECTED]  [EMAIL PROTECTED]
  [EMAIL PROTECTED]  [EMAIL PROTECTED]
  [EMAIL PROTECTED]  [EMAIL PROTECTED]
  [EMAIL PROTECTED]  [EMAIL PROTECTED]
  [EMAIL PROTECTED]  [EMAIL PROTECTED]
  etc...

So, in this scenario, an email comes in destined to one of the many secondary email addresses. spamd makes a query (SELECT email_user FROM aliases WHERE email_alias = '$user'). If spamd gets a hit, great, try to initialize the bayes database for that user. If not, skip bayes and go on with life.

Just a thought. It would certainly help me in my situation, but perhaps I'm just spending a little too much quality time with the crackpipe. Good idea? Bad idea? Dumb idea?

Benny

-- 
The faster you finish the fight, the less shot you will get.
-- Marine Corps Rules for Gunfighting
Re: user_bayes_sql_custom_query ?
On Fri, Dec 08, 2006 at 07:39:42PM -0600, C. Bensend wrote:
> in between issue. I'm using simscan, which passes the first email address to spamc, so for me it's a per-email-address limitation.
[...]
> I would _love_ to have a bayes equivalent of user_score_sql_custom_query, where spamd would query a table consisting of something like so:
>
>   email_alias CHAR(64)
>   email_user CHAR(64)

Why not modify simscan to do this kind of lookup for you, and pass the correct username to SA?

-- 
Randomly Selected Tagline:
Your computer hasn't been returning all the bits it gets from the Internet. - Today's BOFH Excuse
Re: user_bayes_sql_custom_query ?
> Why not modify simscan to do this kind of lookup for you, and pass the correct username to SA?

Yes, absolutely, that would be another solution to the issue. :)

The reason I ask here is because SA already does almost exactly this sort of lookup for userpref. Maybe some of the code could be reused, but maybe not... I'm not a developer, and you'd weep yourself to sleep for weeks on end if I tried to come up with a patch. ;)

If there's no interest/resources, no problem. It would be nice to have, though. :)

Benny

-- 
The faster you finish the fight, the less shot you will get.
-- Marine Corps Rules for Gunfighting
Re: blacklist-uri.cf
LuKreme wrote:
> On 8-Dec-2006, at 16:11, Matt Kettler wrote:
>> It uses an *ABSURD* amount of memory, and is 100% redundant with the WS list on surbl.org.
>
> The WS list? I don't think I'm set up for SURBL. I'm running RDJ with

SURBL is part of the standard SA ruleset, nothing to do with RDJ..

> and with the following plugins/modules
>
>   # grep -e ^load /usr/local/etc/mail/spamassassin/*.pre | awk {'print $2'}
>   Mail::SpamAssassin::Plugin::URIDNSBL

You're set up for SURBL, including WS..

> so I guess SURBL is set up, but how do I feed it a specific list like WS?

It's already in there as a part of the stock ruleset, URIBL_WS_SURBL is the rule.

> And should I replace EvilNumbers and SARE_SPAMCOP with

evilnumbers is completely unrelated. It detects phone numbers, not URIs.

SARE_SPAMCOP doesn't detect URIs either, it detects blacklisted. However, you should get rid of it too as it's redundant with RCVD_IN_BL_SPAMCOP_NET from the standard ruleset. This ruleset is only useful for people who have DNS disabled entirely (ie: they use the -L command line parameter to disable all network checks).

> be.surbl.org and sc.surbl.org respectively?

be.surbl.org is *DEAD*. Its data was originally derived from bigevil.cf (not evilnumbers), but it has been rolled into ws.surbl.org, along with blacklist_uri.cf.

> Or just use multi.surbl.org and be?

Just use multi.surbl.org as the default SA ruleset has it, you don't need to do anything else other than get rid of blacklist_uri, and I'd recommend getting rid of the spamcop ruleset too.

>> 2) the idea of adding 100ms of latency for a DNS lookup has kept you from enabling the URIBL plugin.
>
> well, it looks like the PLUGIN is enabled, but I certainly am not seeing where to tell it what lists to use.

You don't need to tell it what lists to use because the rules are already there, all you need to do is load the plugin and the rules spring into action on their own.

> It looks like I have to build my own rules/cf files in order to enable these checks?

Nope.

> Are there pre-rolled cf files for the various SURBLs?

The 25_uribl.cf that comes with, and is automatically installed with, SpamAssassin 3.0.0 and higher has all the SURBL lists in it.

If you're using sa-update you've probably also picked up rules for uribl.com's URIBLs too. Otherwise, if you feel the need to add on, you can get rules for their URIBL at the website on www.uribl.com. uribl.com's URIBL_BLACK tends to have a higher hitrate than the surbl lists, but is also slightly more prone to false positives in my experience.
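Matt's point that one query against multi.surbl.org already covers WS, SC and the other sub-lists comes from how the answer is encoded: the last octet of the 127.0.0.x reply is a bitmask, one bit per list. The following added illustration (not the URIDNSBL plugin, not 25_uribl.cf, and not code from anyone in the thread) extracts URI hostnames from a message body, reduces them to a domain, "looks them up" against a constructed resolver table, and decodes the bitmask. The bit values are the ones SURBL published for multi.surbl.org at the time (check SURBL's current documentation before relying on them); the domains, addresses and body text are constructed, and the two-label domain reduction stands in for a proper public-suffix lookup.

```python
# Added example: decode a multi.surbl.org answer into the individual SURBL
# sub-lists. All DNS answers below are constructed; nothing is resolved live.
import re
from urllib.parse import urlparse

# Bit values of the last octet in a 127.0.0.x answer from multi.surbl.org,
# as published by SURBL when this thread was written (verify against current docs).
SURBL_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}

# Constructed stand-in for the DNS resolver: query name -> A record.
FAKE_DNS = {
    "spammy.example.multi.surbl.org": "127.0.0.6",   # 2 + 4 -> sc and ws
    "phish.example.multi.surbl.org": "127.0.0.8",    # 8     -> ph only
}

# Constructed message body with one clean and two listed domains.
SAMPLE_BODY = """Click http://www.spammy.example/buy-now to order,
verify at https://login.phish.example/account, or read http://clean.example/."""

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Reduce a hostname to its last two labels. Real URIBL clients use a
    public-suffix list; two labels is enough for this illustration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def decode_surbl_answer(addr):
    """Turn a 127.0.0.x answer into the sorted names of the lists that hit."""
    last_octet = int(addr.split(".")[-1])
    return sorted(name for bit, name in SURBL_BITS.items() if last_octet & bit)


def lookup(domain, resolver=FAKE_DNS):
    """One query per domain; an empty list means 'not listed anywhere'."""
    answer = resolver.get(f"{domain}.multi.surbl.org")
    return decode_surbl_answer(answer) if answer else []


def scan_body(body, resolver=FAKE_DNS):
    """Map each listed URI domain in the body to the sub-lists it is on."""
    hits = {}
    for uri in URI_RE.findall(body):
        host = urlparse(uri).hostname
        if not host:
            continue
        domain = registrable_domain(host)
        lists = lookup(domain, resolver)
        if lists:
            hits[domain] = lists
    return hits


if __name__ == "__main__":
    for domain, lists in scan_body(SAMPLE_BODY).items():
        print(f"{domain}: listed on {', '.join(lists)}")
```

Because every sub-list is a bit in the same answer, a rule set only needs the one multi zone; separate be/sc/ws zones would cost extra lookups for the same information.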
RE: FP: RCVD_HELO_IP_MISMATCH?
aubreyl wrote:
> Larry Rosenman wrote:
>> Greetings,
>> I had the following headers:
>> [snip]
>
> This checks what the server initiating the SMTP connection to your server says it is, and what its domain name resolves to. Let's say that fakedomain.com resolves to 45.45.45.45, then
>
>   ~# telnet yourdomain.com 25
>   Trying 123.123.123.123...
>   Connected to yourdomain.com.
>   Escape character is '^]'.
>   220 mail.yourdomain.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 8 Dec 2006 19:30:05 -0600
>   *helo fakedomain.com*
>   250 mail.yourdomain.com *Hello 12-34-56-78.client.isp.com [12.34.56.78]*, pleased to meet you
>
> During this interaction, it is obvious that the connection was made from 12-34-56-78.client.isp.com, which has an IP of 12.34.56.78. But in the HELO given, the server says that it is fakedomain.com. This is common for some small mail servers, like mine, which used to be able to stand behind a router with a different outgoing IP. Now it has become common practice to void messages from such servers. I'm not up to speed with all of the RFCs, but perhaps there's one in there for this? Anyone know?
>
> -=Aubrey=-

I'm very familiar with the HELO/etc. My concern is the high score and the fact that this message was legit, to a well-known mailing list.

-- 
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 512-248-2683                 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
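The comparison Aubrey describes (what the client claimed in HELO versus the address the connection really came from and its reverse name) can be reproduced from a Sendmail-style Received header. Below is an added example for this thread, not SpamAssassin's RCVD_HELO_IP_MISMATCH or FORGED_RCVD_HELO implementation: it parses the `from <helo> (<rdns> [<ip>])` clause and checks the HELO name against a constructed forward-DNS table. The header strings, host names and addresses are constructed from the telnet session above.

```python
# Added example: check a HELO name against the connecting IP and its reverse
# name, using a Sendmail-style Received header. DNS data is constructed.
import re

# Sendmail records: from <helo-name> (<reverse-dns> [<ip>]) by ...
# The reverse-dns part is absent when the PTR lookup failed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
)

# Constructed forward-DNS table (name -> A records) for the example.
FORWARD_DNS = {
    "fakedomain.com": ["45.45.45.45"],
    "12-34-56-78.client.isp.com": ["12.34.56.78"],
    "mx1.goodmail.example": ["203.0.113.7"],
}

IP_LITERAL_RE = re.compile(r"\[?[0-9]{1,3}(\.[0-9]{1,3}){3}\]?")


def parse_received(header):
    """Extract HELO name, reverse-DNS name and connecting IP, or None if the
    header is not in the expected Sendmail form."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    return {"helo": m["helo"].lower(),
            "rdns": (m["rdns"] or "").lower(),
            "ip": m["ip"]}


def check_helo(rcvd, forward_dns=FORWARD_DNS):
    """Compare the HELO claim with the connection. 'mismatch' is set when the
    HELO name resolves, but not to the address the connection came from;
    a name that does not resolve at all is reported separately."""
    helo, ip, rdns = rcvd["helo"], rcvd["ip"], rcvd["rdns"]
    if IP_LITERAL_RE.fullmatch(helo):
        helo_addrs = [helo.strip("[]")]      # address literal: compare directly
    else:
        helo_addrs = forward_dns.get(helo, [])
    return {
        "helo_resolves": bool(helo_addrs),
        "helo_matches_ip": ip in helo_addrs,
        "helo_matches_rdns": helo == rdns,
        "mismatch": bool(helo_addrs) and ip not in helo_addrs,
    }


if __name__ == "__main__":
    # Constructed header matching the telnet session in the thread.
    hdr = ("from fakedomain.com (12-34-56-78.client.isp.com [12.34.56.78]) "
           "by mail.yourdomain.com (8.13.8/8.13.8) with ESMTP")
    print(check_helo(parse_received(hdr)))
```

For the session in the thread this reports a mismatch: fakedomain.com resolves to 45.45.45.45 while the connection came from 12.34.56.78. The same code shows why the small-server case Aubrey mentions trips the check: a host behind a NAT router sends HELO with a name whose A record is not the router's public address, which is indistinguishable here from a forged name. That is an argument for keeping such a rule's score small and pairing it with other evidence, which is exactly what the low default scores in the reports above do.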
Re: user_bayes_sql_custom_query ?
And as far as I understand it, user aliases are only half the problem. On my simscan installation (simscan 1.2 from qmailtoaster.com), if an incoming message has multiple recipients, simscan doesn't know which one to use and the username that is passed to spamc is just the user simscan is running as (clamav). I think it was *designed* to run like this because simscan at SMTP transaction time keeps the connection open until scanning is complete. Theoretically, you could change simscan to execute spamc once for each recipient (resolving aliases too) but that would hold up the SMTP connection a long time if there are lots of recipients. This design is a compromise between performance and configuration granularity.

The only workable solutions I can think of are:

- Run spamassassin at the mail delivery level (maildrop).
- Run two instances of spamassassin: once via simscan (which blocks the bulk of spam), then again at the user level.

And a dirty idea that is really against the whole idea of simscan:

- Run two instances of qmail: one on port 25 receives mail, breaks messages apart into individual recipients and delivers each message one by one (the default qmail behavior, I think); then another qmail on port 2500 running simscan that receives mail from the first one. Actually, this doesn't solve the user aliases problem.

Anybody else have any other ideas?

Quinn
- Strangecode :: Internet Consultancy
http://www.strangecode.com/

On Fri, 8 Dec 2006 19:39:42 -0600 (CST), C. Bensend wrote:
> Hey folks,
>
> So, I've been giving this some thought in the last week, as I'm running into the old "either site bayes or per-user bayes, nothing in between" issue. I'm using simscan, which passes the first email address to spamc, so for me it's a per-email-address limitation.
>
> For a majority of my users, that's fine - they only have _one_ email address. For me, it's a problem, as I have dozens of email addresses that are delivered to me, and sorted via maildrop. Many of these secondary addresses get tons of spam, but because they're delivered to aliases, SA never applies bayes scoring, because the user doesn't match the user my bayes database uses (using SQL, of course).
>
> I would _love_ to have a bayes equivalent of user_score_sql_custom_query, where spamd would query a table consisting of something like so:
>
>   email_alias CHAR(64)
>   email_user CHAR(64)
>
> or something similar. That way, I could populate it with data like:
>
>   [EMAIL PROTECTED]  [EMAIL PROTECTED]
>   [EMAIL PROTECTED]  [EMAIL PROTECTED]
>   [EMAIL PROTECTED]  [EMAIL PROTECTED]
>   [EMAIL PROTECTED]  [EMAIL PROTECTED]
>   [EMAIL PROTECTED]  [EMAIL PROTECTED]
>   etc...
>
> So, in this scenario, an email comes in destined to one of the many secondary email addresses. spamd makes a query (SELECT email_user FROM aliases WHERE email_alias = '$user'). If spamd gets a hit, great, try to initialize the bayes database for that user. If not, skip bayes and go on with life.
>
> Just a thought. It would certainly help me in my situation, but perhaps I'm just spending a little too much quality time with the crackpipe. Good idea? Bad idea? Dumb idea?
>
> Benny
>
> -- 
> The faster you finish the fight, the less shot you will get.
> -- Marine Corps Rules for Gunfighting
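The alias table Benny proposes and the multiple-recipient case Quinn raises can be tried out together in a few lines. The following is an added example, not a SpamAssassin feature and not simscan code: it builds Benny's two-column table in an in-memory SQLite database, resolves an address to its bayes user, and decides whether a multi-recipient message maps to a single user's database or must fall back to the site-wide one. The addresses and user names are constructed. Two details differ from the query as written in the thread and are deliberate: the address is lowercased before lookup (an assumption about how aliases are stored), and the query is parameterized rather than interpolating `$user` into the SQL string, since the recipient address is attacker-controlled input.

```python
# Added example: resolve recipient aliases to a bayes user, including the
# multi-recipient case. Constructed data; not SpamAssassin or simscan code.
import sqlite3

# Constructed rows for the email_alias -> email_user table from the thread.
ALIASES = [
    ("benny@example.net", "benny"),
    ("benny-lists@example.net", "benny"),
    ("benny-shop@example.net", "benny"),
    ("sales@example.net", "sales"),
]


def build_alias_db(rows=ALIASES):
    """Create the two-column alias table proposed in the thread (in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE aliases ("
        "  email_alias CHAR(64) PRIMARY KEY,"
        "  email_user  CHAR(64) NOT NULL)"
    )
    conn.executemany("INSERT INTO aliases VALUES (?, ?)", rows)
    conn.commit()
    return conn


def resolve_bayes_user(conn, address):
    """Return the bayes user owning `address`, or None when there is no row
    (the thread's 'skip bayes and go on with life' case). The address is a
    bound parameter, never spliced into the SQL text."""
    row = conn.execute(
        "SELECT email_user FROM aliases WHERE email_alias = ?",
        (address.strip().lower(),),        # lowercasing is an assumption
    ).fetchone()
    return row[0] if row else None


def choose_bayes_user(conn, recipients):
    """For a message with several RCPT TO addresses, use per-user bayes only
    when every resolvable recipient maps to the same user; otherwise return
    None so the caller falls back to the site-wide database."""
    users = {resolve_bayes_user(conn, r) for r in recipients}
    users.discard(None)
    return users.pop() if len(users) == 1 else None


if __name__ == "__main__":
    db = build_alias_db()
    print(resolve_bayes_user(db, "Benny-Lists@example.net"))
    print(choose_bayes_user(db, ["benny-lists@example.net", "benny-shop@example.net"]))
    print(choose_bayes_user(db, ["benny@example.net", "sales@example.net"]))
```

Whether the lookup lives in spamd or in the scanner that calls spamc, the decision logic is the same; the scanner-side placement Theo suggests has the advantage that one process already knows all recipients of the transaction.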
efax spam being marked as -212 ???
I've been getting an occasional efax spam that registers -212... I'm using SA 3.1.7 and SARE rules from openprotect:

  /var/lib/spamassassin/3.001007/saupdates_openprotect_com/70_sare_whitelist.cf
  /var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist.cf
  /usr/local/share/spamassassin/60_whitelist.cf

     3.500 BAYES_99               Bayesian spam probability is 99 to 100%
     0.135 FORGED_RCVD_HELO       Received: contains a forged HELO
     0.001 HTML_MESSAGE           HTML included in message
    -0.001 SPF_PASS               SPF: sender matches SPF record
    -1.204 AWL                    From: address is in the auto white-list
   -15.000 USER_IN_DEF_WHITELIST  From: address is in the default white-list
  -100.000 USER_IN_WHITELIST      From: address is in the user's white-list
  -100.000 USER_IN_SPF_WHITELIST  From: address is in the user's SPF whitelist

  FROM: eFax [EMAIL PROTECTED]
  TO: [EMAIL PROTECTED]
  SUBJECT: eFax from unknown - 1 page(s)

Doesn't this seem just a little bit extreme? Or flat out WRONG? :)

David Morton
Maia Mailguard http://www.maiamailguard.com
[EMAIL PROTECTED]