Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-08 Thread Matthias Leisi
Fred T wrote:

 As someone else pointed out, the best bet might be the use of a new
 config item / plugin. Something like:
 
 ifplugin mxhelo
 mx_helo_name  mx.host.tld host.tld d.d.d.d
 header HELO_AS_ME  eval:check_for_my_mx()
 score  HELO_AS_ME  0.1
 endif

Remember to include some of the more obscure cases I've seen in the past
where spams were HELOing with the name or IP address of one of the other
MXes, ie

example.com mail is handled by 10 mx1.example.net
example.com mail is handled by 20 mx2.example.net

And then the spammer does:

| connect() to mx2.example.net
| HELO mx1.example.net

or

| connect() to mx2.example.net
| HELO i.p.a.d.r-of-mx1

or

| connect() to any of the MXes
| HELO example.net (or example.com)

I have cases where a machine legitimately HELOs as myself; in my
situation these cases are covered by trusted_networks or
internal_networks. Maybe eval:check_for_my_mx() should consider these
networks (or skip its tests altogether if the connection came from one
of these networks); it may also need an actual exception list
('allowed_helo_as_myself').

-- Matthias



RulesDuJour

2006-12-08 Thread Mike Kenny

The configuration that I inherited had only got TRUSTED_RULESETS=TRIPWIRE
SARE_EVILNUMBERS0 SARE_RANDOM; in /etc/rulesdujour/config. This obviously
allows a lot of spam to filter through (or at least would allow the rules
to become outdated). Looking at rulesdujour.sh I notice it references a lot
more rule sets than these. What problems might I encounter if I add all of
these (except for those noted as pre 3.0) to my config file?

mike


Score counting error

2006-12-08 Thread Andrew Hearn (AAISP)
Hi,

In my headers I see:

X-Spam-Status: No, score=4.3 required=4.4 tests=BAYES_99,NO_RELAYS
autolearn=disabled version=3.1.7
X-Spam-Report:
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
*  4.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]

Seems odd that score doesn't add up? (4.4 + 0.0 = 4.3!!)


-- 
Andrew Hearn


Re: Botnet 0.6 plugin for Spam Assassin availabile

2006-12-08 Thread decoder
John Rudd wrote:
 Michael Schaap wrote:
 John Rudd wrote:

 The next version of the Botnet plugin for Spam Assassin is
 ready. The install instructions are in the Botnet.txt file, and
 in the INSTALL file.


 Great work!


 To Do before 1.0:

 (...)


 There's another thing that would be really nice to have.  You
 know how the DNS rules' descriptions specify what actually
 matches?  e.g.:

 3.9 RCVD_IN_XBL  RBL: Received via a relay in Spamhaus XBL
     [12.34.56.789 listed in sbl-xbl.spamhaus.org]
 1.6 URIBL_SBL    Contains an URL listed in the SBL blocklist
     [URIs: example.com]

 It would be great if Botnet could do something similar, like:

 2.0 BOTNET The submitting mail server looks like
 part of a Botnet [ip=12.34.56.789 rdns=dhcp12.34.example.org]


 Any tips on how to do that? :-}
Have a look at the FuzzyOcr plugin, especially on Scoring.pm in the
SVN, found here:

http://fuzzyocr.own-hero.net/browser/trunk/devel/FuzzyOcr/Scoring.pm

In each of the functions, the mail is scored with a different rule, a
custom score and a custom description which is generated there.

That should be enough for you to reproduce that :)


Chris


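The following is an added example; it is not code from this page, from the Botnet plugin or from SpamAssassin itself. It does what Chris points at FuzzyOcr's Scoring.pm for: on a hit it calls $pms->test_log(), which is the call the DNS rules use to get their "[1.2.3.4 listed in ...]" line under the rule in the report. Rather than invent a botnet heuristic, it implements the check_for_my_mx() eval rule from the HELO-as-me thread earlier on this page: Fred T's mx_helo_name proposal, plus the allowed_helo_as_myself exception list and the skip-trusted-relays behaviour Matthias asked for. The plugin name Mail::SpamAssassin::Plugin::MxHelo and the hosts and addresses in the sample config are assumptions; the config keys and the HELO_AS_ME rule name are taken from that thread.

```perl
package Mail::SpamAssassin::Plugin::MxHelo;   # hypothetical plugin name (assumption)

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;   # exports dbg()

our @ISA = qw(Mail::SpamAssassin::Plugin);

# Assumed configuration, using the names from the proposal quoted earlier
# (hosts and addresses are placeholders, not real infrastructure):
#
#   loadplugin Mail::SpamAssassin::Plugin::MxHelo /etc/mail/spamassassin/MxHelo.pm
#   mx_helo_name            mx1.example.net mx2.example.net example.net example.com 192.0.2.10 192.0.2.11
#   allowed_helo_as_myself  198.51.100.7
#   header   HELO_AS_ME  eval:check_for_my_mx()
#   describe HELO_AS_ME  Untrusted relay greeted our MX with one of our own names or addresses
#   score    HELO_AS_ME  0.1

sub new {
  my ($class, $mailsa) = @_;
  my $self = $class->SUPER::new($mailsa);
  bless $self, $class;
  $self->register_eval_rule('check_for_my_mx');
  return $self;
}

# Both keys take a whitespace-separated list, may repeat, and are folded into
# lower-cased lookup hashes hung off the Conf object.
my %CONFIG_KEYS = (
  mx_helo_name           => 'mxhelo_names',
  allowed_helo_as_myself => 'mxhelo_allowed_ips',
);

sub parse_config {
  my ($self, $opts) = @_;
  my $slot  = $CONFIG_KEYS{ $opts->{key} } or return 0;   # not one of ours
  my $table = $opts->{conf}->{$slot} ||= {};
  $table->{lc $_} = 1 for split ' ', $opts->{value};
  $self->inhibit_further_callbacks();
  return 1;
}

# Eval rule: returns 1 if the first untrusted relay's HELO is one of our own
# MX hosts, domains or addresses (covering all three variants from the
# thread: a sibling MX name, a sibling MX's IP, or the bare domain), 0 otherwise.
sub check_for_my_mx {
  my ($self, $pms) = @_;
  my $conf    = $pms->{conf};
  my $names   = $conf->{mxhelo_names}       or return 0;
  my $allowed = $conf->{mxhelo_allowed_ips} || {};

  # relays_untrusted->[0] is the host that handed the mail to our trusted
  # boundary. Hosts inside trusted_networks/internal_networks never appear in
  # this list, so the legitimate HELO-as-me machines Matthias mentions are
  # skipped without any extra code.
  my $relay = $pms->{relays_untrusted}->[0] or return 0;
  my $ip    = $relay->{ip} || '';
  my $helo  = lc($relay->{helo} || '');
  $helo =~ s/^\[(.*)\]$/$1/;          # "HELO [192.0.2.10]" -> "192.0.2.10"

  return 0 if $helo eq '' || !$names->{$helo};
  if ($allowed->{$ip}) {
    dbg("mxhelo: $ip said HELO $helo but is listed in allowed_helo_as_myself");
    return 0;
  }

  # test_log() attaches this text to the rule's line in the report, the same
  # way the DNS rules show "[1.2.3.4 listed in ...]".
  $pms->test_log("ip=$ip helo=$helo rdns=" . ($relay->{rdns} || '(none)'));
  return 1;
}

1;
```

With the sample config loaded, a hit shows up in the report as the HELO_AS_ME line followed by an indented "[ip=... helo=... rdns=...]" line; running spamassassin -D over a test message prints the dbg() line when the exception list suppresses a hit.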



ALL_SPAM_TO not working correctly?

2006-12-08 Thread Sietse van Zanen
I have run across the following situation:

I have a user, which receives all spam unmodified (ALL_SPAM_TO).

When a spam message is sent to multiple users on my machine, including the one 
in ALL_SPAM_TO, all users addressed in the message get it unmodified, not only 
the ALL_SPAM_TO user. Is this correct behaviour?

-Sietse


RE: How do I know if DCC is running and working?

2006-12-08 Thread Sietse van Zanen
grep DCC /var/log/maillog

Or 

tcpdump port 6277

-Sietse



From: Vernon Webb
Sent: Thu 07-Dec-06 23:55
To: SpamAssassin
Subject: How do I know if DCC is running and working?


Subject says it all. How can I tell if DCC is running and working on my system?

Thanks


Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-08 Thread Justin Mason

Matthias Leisi writes:
 I have cases where a machine legitimately HELOs as myself; in my
 situation these cases are covered by trusted_networks or
 internal_networks. Maybe eval:check_for_my_mx() should consider these
 networks (or skip its tests altogether if the connection came from one
 of these networks);

Yeah, I think that would make the most sense.

--j.

 it may also need an actual exception list
 ('allowed_helo_as_myself').
 


SA Scoring

2006-12-08 Thread Mike Kenny

I have copied a mail to spam.mail and now I execute

$ cat spam.mail|spamassassin

which outputs along with the message:

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on
mx4.mydomain.co.za
X-Spam-Level: *
X-Spam-Status: Yes, score=5.7 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO,
   RCVD_IN_BL_SPAMCOP_NET,SARE_MLB_Stock1,SARE_MLB_Stock4,
   SARE_PROLOSTOCK_SYM1,STOCK_NAME_FVGT1 autolearn=no version=3.1.5

my /etc/amavisd.conf contains the lines

$sa_tag2_level_deflt = 4.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 5.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 9;  # spam level beyond which a DSN is not sent
$sa_quarantine_cutoff_level = 18;  # spam level beyond which quarantine is off

my /etc/mail/spamassassin/local.cf contains

required_hits   5.0

but the mail still gets through to my mailbox

What am I missing here?

mike


RE: How do I know if DCC is running and working?

2006-12-08 Thread Vernon Webb
I have nothing in either, so obviously something is not working. I thought
after I installed it all I had to do was uncomment the line that says
loadplugin Mail::SpamAssassin::Plugin::DCC in the
/etc/mail/spamassassin/v310.pre file. Am I missing something?

 grep DCC /var/log/maillog

 Or

 tcpdump port 6277


RE: SA Scoring

2006-12-08 Thread vertito
how are you moving it to spam path location? 
 


From: Mike Kenny [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 08, 2006 12:36 PM
To: users@spamassassin.apache.org; GLUG Tech
Subject: SA Scoring



Re: ALL_SPAM_TO not working correctly?

2006-12-08 Thread Matt Kettler
Sietse van Zanen wrote:
 I have run across the following situation:
  
 I have a user, which receives all spam unmodified (ALL_SPAM_TO).
  
 When a spam message is sent to multiple users on my machine, including
 the one in ALL_SPAM_TO, all users addressed in the message get it
 unmodified, not only the ALL_SPAM_TO user. Is this correct behaviour?
  
 -Sietse
SA doesn't know for sure who the current message is being delivered to.
It acts only on the contents of the message, nothing more.

To compound the problem, if you call at the MTA layer, there is only one
message fed to SA. At that point, SA absolutely must act on an all or
nothing basis.

If you're calling at the MDA layer in a way that allows per-user
user_prefs files, move the all_spam_to command into that user's own
user_prefs file. This way it will only be in effect when the message is
being delivered to that user.



Re: SA Scoring

2006-12-08 Thread Matt Kettler
Mike Kenny wrote:
 I have copied a mail to spam.mail and now I execute

 $ cat spam.mail|spamassassin

 which outputs along with the message:

 X-Spam-Flag: YES
 X-Spam-Checker-Version: SpamAssassin 3.1.5 (2006-08-29) on
 mx4.mydomain.co.za
 X-Spam-Level: *
 X-Spam-Status: Yes, score=5.7 required=5.0
 tests=BAYES_00,FORGED_RCVD_HELO,
 RCVD_IN_BL_SPAMCOP_NET,SARE_MLB_Stock1,SARE_MLB_Stock4,
 SARE_PROLOSTOCK_SYM1,STOCK_NAME_FVGT1 autolearn=no version= 3.1.5

 my /etc/amavisd.conf contains the lines

 $sa_tag2_level_deflt = 4.0; # add 'spam detected' headers at that level
 $sa_kill_level_deflt = 5.0; # triggers spam evasive actions
 $sa_dsn_cutoff_level = 9;# spam level beyond which a DSN is not sent
 $sa_quarantine_cutoff_level = 18;  # spam level beyond which
 quarantine is off

 my /etc/mail/spamassassin/local.cf contains

 required_hits   5.0

 but the mail still gets through to my mailbox

 What am I missing here?
What rules did the message match at the time of delivery? The sending IP
might not have been in spamcop at that time, which would cause the score
to be less than 4.0.



RE: ALL_SPAM_TO not working correctly?

2006-12-08 Thread Sietse van Zanen
I figured it would be something like that.

I have moved the spamsink to the milter config. The milter should replace all 
recipients with only the spamsink.

-Sietse



From: Matt Kettler
Sent: Fri 08-Dec-06 13:13
To: Sietse van Zanen
Cc: users@spamassassin.apache.org
Subject: Re: ALL_SPAM_TO not working correctly?




RE: blacklist messagID ?

2006-12-08 Thread Jean-Paul Natola


   Can I blacklist a message without blacklisting the sender?
 
  Sure. Write a rule for that message-ID header and give it a score of
  1000 or so (adding insult to injury).
 
  I'm not exactly well versed, scratch that , I DO NOT KNOW how to write
 rules
  :(
 
  Any help please?
 
 header TMP_MSGID_01 Message-ID =~ /[EMAIL PROTECTED]/
 score  TMP_MSGID_01 1000
 
 Put that in your /etc/mail/spamassassin/local.cf and restart the
 spamassassin daemon.
 
 Is there a way to discard the message? Since he is one of our employees, the
 bounce message generated by exim will go back to him (our server), so he
 (the sending user) will wind up with the bounce message every hour, wouldn't
 he?

That's outside the scope of SA, take a look at your MTA. It is
considered very bad practice to generate a bounce message for spam.
Are you talking about a reject during the SMTP conversation?

Yes, I believe that's what I'm referring to- the one that says

Congratulations your message has scored x.x points blah blah blah,-




FuzzyOcr helper apps

2006-12-08 Thread Robert Fitzpatrick
I have two gateways that filter using amavisd-new and SA 3.1.7 with the
FuzzyOcr recipes used. On one of these FreeBSD servers, all the helper
applications are present, but on the other, they're all missing. I just
now realized this after a while and do not remember where those helper
apps, like giffix, come from. All packages on both systems were
installed using FreeBSD ports system. Can someone give me a pointer? Can
I merely copy over the missing helper apps?

Thanks in advance!

-- 
Robert



Re: Botnet 0.6 plugin for Spam Assassin availabile

2006-12-08 Thread Chris Lear
* John Rudd wrote (07/12/06 18:33):
 (I had a bout of insomnia last night, and got more done than I had 
 pre-announced yesterday...)
 
 
 The next version of the Botnet plugin for Spam Assassin is ready.  The 
 install instructions are in the Botnet.txt file, and in the INSTALL file.
 
 For those who don't know what Botnet is, it's a plugin which tries to 
 identify whether or not the message has been submitted by a 
 botnet/spam-zombie type host by looking at its DNS characteristics (no 
 reverse DNS, reverse DNS that doesn't resolve, or doesn't resolve back 
 to the relay's IP, or reverse DNS that contains things that look like an 
 ISP's client address).  The places I've been using it, and the people I 
 hear about who are using it, have seen a high degree of success.
 
 It can be downloaded from:
 
   http://people.ucsc.edu/~jrudd/spamassassin/Botnet.tar
 
 
 As usual, feedback, statistics, bug reports, feature suggestions, are 
 all welcome.

I've been running the BOTNET rules for a little while now. It's the
most-hit rule on the machine (above BAYES_99 even). But I get a
significant number of false positives.

Here's some sa-stats output:

TOP SPAM RULES FIRED
----------------------------------------------------------------------
RANK  RULE NAME             COUNT  %OFMAIL  %OFSPAM  %OFHAM
----------------------------------------------------------------------
   1  BOTNET                 1381    66.37    90.86    6.44
   2  BAYES_99               1274    59.50    83.82    0.00
   3  HTML_MESSAGE           1184    75.06    77.89   68.12
   4  BOTNET_CLIENT          1048    50.21    68.95    4.35
   5  BOTNET_IPINHOSTNAME     962    45.45    63.29    1.77
   6  URIBL_BLACK             751    35.12    49.41    0.16
   7  RCVD_IN_SORBS_DUL       725    33.96    47.70    0.32
   8  URIBL_JP_SURBL          688    32.13    45.26    0.00
   9  BOTNET_CLIENTWORDS      608    29.61    40.00    4.19
  10  URIBL_SC_SURBL          524    24.47    34.47    0.00

I think the default score of 5 is far too high. I'm scoring it at 2 at
the moment, which seems OK.

I'd quite like to be able to give more score to BOTNET_IPINHOSTNAME than
BOTNET_CLIENTWORDS, because it seems to give fewer false positives [I
think this will probably improve in 0.6, though]. But this isn't a very
big deal. So that's a mild vote against the __ prefix.

I added p0f to my arsenal recently, hoping it would work to lower the
false-positive rate of BOTNET by checking for Windows machines, but it
seems that almost all the BOTNET false positives are Exchange servers,
so p0f aggravates rather than mitigates that.

Hope this feedback is useful. Thanks for the plugin. I take the view
that network tests and RBLs (especially URIBLs), rather than body
checks, are the best long-term spam-fighting tools.

Chris


Re: Google open relay?

2006-12-08 Thread laradji nacer

Steven Stern a écrit :
I've been getting lots of these get out of debt messages. It looks 
like the last stop before getting here is a gmail server.  Could they 
have an open relay?

No, but Gmail hosts personal domains, not only @gmail.com.


--
Laradji nacer n.laradji at ovea dot com
  ovea  http://www.ovea.com
Tél : +33 4 6767    Gsm : +33 6 1059 6883
1024D/DFCF1726 : 33A5 7162 4370 9C30 E22C 0721 DBA7 CBEE DFCF 1726



TMDA SA

2006-12-08 Thread Jean-Paul Natola
Is anyone on here using , or have any comments/feedback regarding the use of
TMDA  SA ?

http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29


Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]



Re: Spamassassin doesn't ding sender for saying HELO i-am-you

2006-12-08 Thread Fred T
Hello Kelly,

Wednesday, December 6, 2006, 11:13:24 PM, you wrote:
 Is there a ruleset that does this? I realize xyz.com couldn't be
 hardcoded (otherwise, it'd be a different ruleset for everyone), but
 is there a generic ruleset that uses a function call or something to
 figure out your MX server (or the name of the machine spamassassin is
 running on) and then ding someone HELO'ing as that?

For all those interested, I opened a ticket for enhancement based on
this idea.  See: http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5227

-- 
Best regards,
 Fred  mailto:[EMAIL PROTECTED]



RE: No Nework tests?!

2006-12-08 Thread leemansvg

Thanks


Bowie Bailey wrote:
 
 leemansvg wrote:
 I'm running spamassassin --lint and it comes up saying that it's only
 doing local tests. I've enabled dns and I am connected to the
 internet. I've also enabled razor, dcc, and pyzor in the
 spam.assassin.prefs files. Does anyone have an idea where I might
 have a mis-configuration? Here's a snap in from the --lint test
 
 As of the most recent versions, --lint does not do network tests.  If you
 want to debug network tests, you will need to feed in a test message that
 has some header information for the network tests to work with.
 
 spamassassin -D < test.msg
 
 -- 
 Bowie
 
 




Re: Synchronizing two Bayes database

2006-12-08 Thread Michel R Vaillancourt

Emmanuel Lesouef wrote:

Yes, I was thinking about this solution.

But isn't it network ressource hungry ?

And if I would like to keep a files based bayes db, what should be the
good manner to migrate one to another server ?

Thanks Sietse for the advice.

Sietse van Zanen a écrit :

Sure, use MySQL for bayes storage and have both servers use that DB.
Then you could be fairly sure, both use the same bayes.
 
I think it should even be possible to dump both databases and migrate

into one SQL db. But I don't use MySQL myself, so I would not know how.
 
-Sietse
 


On your most accurate machine, run a CRON job that once a week does:

sa-learn --siteconfigpath=/your/site/path --force-expire
sa-learn --siteconfigpath=/your/site/path --backup > /tmp/weeklyMerge.sal.bak
scp /tmp/weeklyMerge.sal.bak [EMAIL PROTECTED]://tmp/weeklyMerge.sal.bak
mv /tmp/weeklyMerge.sal.bak /tmp/weeklyMerge.sal.sent

... use ssh key-auth so no password interaction is required for your 
robot account.

On the other.machine.tld run a cron job that fires one hour later 
that:

sa-learn --siteconfigpath=/your/site/path --restore /tmp/weeklyMerge.sal.bak
mv /tmp/weeklyMerge.sal.bak /tmp/weeklyMerge.sal.restored
sa-learn --siteconfigpath=/your/site/path --force-expire

--
--Michel Vaillancourt
Wolfstar Systems
www.wolfstar.ca


Re: FuzzyOcr helper apps

2006-12-08 Thread decoder
Robert Fitzpatrick wrote:
 I have two gateways that filter using amavisd-new and SA 3.1.7 with
 the FuzzyOcr recipes used. On one of these FreeBSD servers, all the
 helper applications are present, but on the other, they're all
 missing. I just now realized this after a while and do not remember
 where those helper apps, like giffix, come from. All packages on
 both systems were installed using FreeBSD ports system. Can someone
 give me a pointer? Can I merely copy over the missing helper apps?
http://fuzzyocr.own-hero.net/wiki/OSSpecificNotes

At the bottom is a link to a FreeBSD tutorial, I'm sure it lists what
you need :)


Chris


 Thanks in advance!





Re: whitelist_from and whitelist_from_rcvd not working

2006-12-08 Thread Mark Adams
Hi Thanks for your mail,


On Mon, Dec 04, 2006 at 02:58:56PM -0500, Robert Swan wrote:
 
 I had a similar problem with SA not reading a specific .cf file. I
 basically created a new greylist.cf file and copied the test over and it
 worked, and of course make sure it is in the right folder... Might be
 worth a try
 

I have done this, but the issue is still occurring. Has anyone else seen
this or have any suggestions?

 
 
 Robert
  
  


Regards,
Mark

  
  
  
 Peace he would say instead of goodbyepeace my brother.
 
 -Original Message-
 From: Mark Adams [mailto:[EMAIL PROTECTED] 
 Sent: Monday, December 04, 2006 12:56 PM
 To: [EMAIL PROTECTED]
 Cc: users@spamassassin.apache.org
 Subject: Re: whitelist_from and whitelist_from_rcvd not working
 
 On Sun, Dec 03, 2006 at 05:55:24PM +0100, mouss wrote:
  Mark Adams wrote:
  Hi All,
  
  Spamassassin 3.1.4-1
  
  Currently have entries like the following in the local.cf file
  
  whitelist_from [EMAIL PROTECTED]
  and
  whitelist_from [EMAIL PROTECTED]
  
  But mail is still picked up as spam for the [EMAIL PROTECTED]
  
  Have also tried the following;
  
  whitelist_from_rcvd [EMAIL PROTECTED] domain.com
  and
  whitelist_from_rcvd [EMAIL PROTECTED] domain.com
  
  But nothing seems to work? has anyone got any advice on this?

  
  do you have
  
 always_trust_envelope_sender 1
  
  ?
 
 
 No I don't have this setting
  


Re: Google open relay?

2006-12-08 Thread Steven Stern

laradji nacer wrote:

Steven Stern a écrit :
I've been getting lots of these get out of debt messages. It looks 
like the last stop before getting here is a gmail server.  Could they 
have an open relay?

No, but Gmail hosts personal domains, not only @gmail.com.


Google Apps for Your Domain (GAYD) requires SMTP authentication over SSL
on port 465 to pass mail from a sending system.  That means that
whatever's sending this mail is smart enough to handle the GAYD SMTP
auth and SSL access.


Some ideas to test the To or the cc-lines ...

2006-12-08 Thread Wolfgang Uhr
Hello

In those lines you find comma-separated e-mail addresses, and normally
those lines contain my own e-mail address.

a) But sometimes this list contains not only my address but a known
spam-trap address too. For example, let the spam be addressed to
[EMAIL PROTECTED] and [EMAIL PROTECTED], and let the first address be
the normal address of someone, while the second one is the
newsgroup address or an old invalid address which has had a definite life
time. In both cases you can say: if both addresses are appearing, the
mail is spam.

b) Another interesting test may be the real names of those addresses, if
available. I'm not Sandra McKintosh for example, and if the real name
part contains a foreign name, it is spam.

All you need is a concept to store a set of parameters for each
e-mail address:

a) a list of spam-trap addresses and
b) a list of possible real name values in the To and the Cc line.

Best regards
Wolfgang Uhr


customized default user_prefs

2006-12-08 Thread vertito
the current default user_prefs file contains
 
###
 
# How many points before a mail is considered spam.
# required_score5
...
snip
..
# score SUBJ_ILLEGAL_CHARS  0

 
is there any way that this file be created with 0 contents and without those 
commented lines?


FP: RCVD_HELO_IP_MISMATCH?

2006-12-08 Thread Larry Rosenman
Greetings,
   I had the following headers:

Return-path: [EMAIL PROTECTED]
Envelope-to: ler@lerctr.org
Delivery-date: Thu, 07 Dec 2006 23:26:40 -0600
Received: from smtp-vbr15.xs4all.nl ([194.109.24.35]:2793)
by thebighonker.lerctr.org with esmtp (Exim 4.63 (FreeBSD))
(envelope-from [EMAIL PROTECTED])
id 1GsYFo-000OEi-SQ
for ler@lerctr.org; Thu, 07 Dec 2006 23:26:40 -0600
Received: from bag.python.org (bag.python.org [194.109.207.14])
by smtp-vbr15.xs4all.nl (8.13.8/8.13.8) with ESMTP id kB85QZZo098068
for ler@lerctr.org; Fri, 8 Dec 2006 06:26:35 +0100 (CET)
(envelope-from [EMAIL PROTECTED])
Received: from bag.python.org (bag [127.0.0.1])
by bag.python.org (Postfix) with ESMTP id 4397A1E4019
for ler@lerctr.org; Fri,  8 Dec 2006 06:26:35 +0100 (CET)
X-Original-To: mailman-users@python.org
Delivered-To: [EMAIL PROTECTED]
Received: from bag.python.org (bag [127.0.0.1])
by bag.python.org (Postfix) with ESMTP id 646CA1E401A
for mailman-users@python.org; Fri,  8 Dec 2006 06:26:07 +0100
(CET)
X-Spam-Status: OK 0.010
Received: from bag (HELO bag.python.org) (127.0.0.1)
by bag.python.org with SMTP; 08 Dec 2006 06:26:06 +0100
X-Greylist: delayed 665 seconds by postgrey-1.21 at bag.python.org;
Fri, 08 Dec 2006 06:26:06 CET
Received: from zoot.lafn.org (zoot.lafn.ORG [206.117.18.6])
by bag.python.org (Postfix) with ESMTP
for mailman-users@python.org; Fri,  8 Dec 2006 06:26:06 +0100
(CET)
Received: from 207.233.32.18 (zoot.lafn.org [206.117.18.6])
by zoot.lafn.org (8.13.6/8.13.4) with SMTP id kB85EuSN093511
for mailman-users@python.org; Thu, 7 Dec 2006 21:14:58 -0800 (PST)
(envelope-from [EMAIL PROTECTED])
Message-Id: [EMAIL PROTECTED]
To: mailman-users@python.org
From: [EMAIL PROTECTED]
Date: Thu, 7 Dec 2006 21:14:58 GMT
X-Mailer: Endymion MailMan Standard Edition v3.0.26
X-Virus-Scanned: by XS4ALL Virus Scanner
X-Virus-Status: Clean
Subject: [Mailman-Users] Mailman stop delivering ... problem with
Approval.py?
X-BeenThere: mailman-users@python.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mailman mailing list management users mailman-users.python.org
List-Unsubscribe: http://mail.python.org/mailman/listinfo/mailman-users,
mailto:[EMAIL PROTECTED]
List-Archive: http://mail.python.org/pipermail/mailman-users
List-Post: mailto:mailman-users@python.org
List-Help: mailto:[EMAIL PROTECTED]
List-Subscribe: http://mail.python.org/mailman/listinfo/mailman-users,
mailto:[EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [EMAIL PROTECTED]
Errors-To: [EMAIL PROTECTED]
X-Spam-Score: 6.4 (++)
X-LERCTR-Spam-Score: 6.4 (++)
X-Spam-Report: (6.4 points, 5.0 required)
BAYES_00=-2.599 DATE_IN_PAST_06_12=0.827 DK_POLICY_SIGNSOME=0.001
FORGED_RCVD_HELO=0.135 HOST_EQ_NL=1.545 NO_REAL_NAME=0.961
RCVD_HELO_IP_MISMATCH=4 RCVD_NUMERIC_HELO=1.5 TW_CF=0.077
X-LERCTR-Spam-Report: (6.4 points, 5.0 required)
BAYES_00=-2.599 DATE_IN_PAST_06_12=0.827 DK_POLICY_SIGNSOME=0.001
FORGED_RCVD_HELO=0.135 HOST_EQ_NL=1.545 NO_REAL_NAME=0.961
RCVD_HELO_IP_MISMATCH=4 RCVD_NUMERIC_HELO=1.5 TW_CF=0.077
X-Spam-Flag: YES
X-LERCTR-Spam-Flag: YES
DomainKey-Status: no signature

And the rule that marked this as SPAM is the RCVD_HELO_IP_MISMATCH.

Why is this rule so high?

What exactly is it checking?

This is from a legit mailing list. 

Thanks,
Larry Rosenman 


-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893



RE: blacklist messagID ?

2006-12-08 Thread John D. Hardin
On Fri, 8 Dec 2006, Jean-Paul Natola wrote:

  Is there a way to discard the message? Since he is one of our employees, the
  bounce message generated by exim will go back to him (our server), so he
  (the sending user) will wind up with the bounce message every hour, wouldn't
  he?
 
 That's outside the scope of SA, take a look at your MTA. It is
 considered very bad practice to generate a bounce message for spam.
 Are you talking about a reject during the SMTP conversation?
 
 Yes, I believe that's what I'm referring to- the one that says
 
 Congratulations your message has scored x.x points blah blah blah,-

That's still not enough to tell.

A reject occurs during the conversation between the MTAs, and will
usually result in the *sending* MTA generating a notice along the
lines of:

 We could not deliver your message to [EMAIL PROTECTED]
 Log of conversation:
   RCPT TO: [EMAIL PROTECTED]
   OK
   DATA
   5.0.0 Message looks like spam.

A bounce occurs after the receiving MTA has accepted the message for
delivery, and is a new email message from the *receiving* MTA that
looks like Your message was not delivered because ...

Generally, bouncing (the receiver generating a response email) is NOT
a good idea when processing spam. This leads to Joe Jobs.

Rejecting is acceptable, because the sending MTA shouldn't be an open
relay and thus should only notify legitimate senders about
non-delivery.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...to announce there must be no criticism of the President or to
  stand by the President right or wrong is not only unpatriotic and
  servile, but is morally treasonous to the American public.
  -- Theodore Roosevelt, 1918
---
 7 days until Bill of Rights day



Spamd and Spamassassin filtering differently

2006-12-08 Thread Neo23x0

Spamd and Spamassassin are filtering in a different way. Why?
As you can see, the results of the two tests are different, although it's
the same email. 
Where is the difference?

I tried spamassassin --lint and /etc/init.d/spamd restart, but nothing
worked.

spamc -c < mail.txt
3.6/5.0

spamassassin < mail.txt

Content analysis details:   (21.8 points, 5.0 required)

 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 0.6 NO_REAL_NAME   From: does not include a real name
 1.5 FROM_BLANK_NAMEFrom: contains empty name
 1.9 DATE_IN_FUTURE_96_XX   Date: is 96 hours or more after Received: date
  10 NASTY_STOCKS   BODY: Nasty stock mails
 0.1 BAD_CREDIT BODY: Eliminate Bad Credit
 0.0 HTML_MESSAGE   BODY: HTML included in message
 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 3.1 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL
[210.72.20.249 listed in sbl-xbl.spamhaus.org]
 1.1 URIBL_SBL  Contains an URL listed in the SBL blocklist
[URIs: ingreats.com]
 3.6 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: ingreats.com]




DomainKeys and DKIM for Windows?

2006-12-08 Thread Bret Miller
Has anyone managed to build DomainKeys or DKIM modules for Windows. I
managed to build the OpenSSL libraries OK, but can't get
Crypt::OpenSSL:RSA to install, so DomainKeys won't either... Any ideas?

Bret






Re: Botnet 0.6 plugin for Spam Assassin availabile

2006-12-08 Thread Billy Huddleston
Question, how can we avoid tagging messages that are sent to our server from
a remote connection if they use authenticated SMTP?


Example: I have a user who is on a different network, using my mail server,
so I let them in via authenticated SMTP; every message they send gets tagged
because of Botnet or Relay Checker.


Thanks, Billy

- Original Message - 
From: decoder [EMAIL PROTECTED]

To: John Rudd [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Friday, December 08, 2006 5:03 AM
Subject: Re: Botnet 0.6 plugin for Spam Assassin availabile








Spam assasin rules problem

2006-12-08 Thread kailash vyas

Hi,

I was having some problems with spamassassin rules in local.cf.
I am trying to write some custom rules but it doesn't seem to be taking these
values.

I ran spamassasin -lint local.cf and it is showing no errors

After that I ran spamc -R command to run a check for the rules but it is not
reporting in the analysis

===
spamc -R
Subject:Symbol
Symbol
2.6/5.0
Spam detection software, running on the system 
interlink.xcomplete-hosting.com, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  Symbol [...]

Content analysis details:   (2.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS  Informational: message was not relayed via SMTP
2.5 MISSING_HB_SEP Missing blank line between message header and
body
0.0 BAYES_50   BODY: Bayesian spam probability is 40 to 60%
   [score: 0.5197]
-0.0 NO_RECEIVEDInformational: message has no Received headers
0.1 TO_CC_NONE No To: or Cc: header



===local.cf=
# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_score 5
rewrite_header subject [SPAM]


use_bayes   1
bayes_auto_learn1
skip_rbl_checks 0
use_pyzor   1

body LOCAL_DEMONSTRATION_RULE  /symbol/
score LOCAL_DEMONSTRATION_RULE 6.0
describe LOCAL_DEMONSTRATION_RULE   This is a simple test rule
=end of local.cf=

Best Regards,
Kailash
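
A small evaluator for the rule lines in a local.cf like the one above, added here as an illustration; it is not code from the thread or from SpamAssassin. It handles only the `body`, `score`, `describe` and `required_score` keywords, maps Perl regex flags onto Python's `re`, and is worth running on the sample because it shows a second thing to check besides restarting spamd: a `body` regex is case-sensitive unless it carries the `i` flag, so `/symbol/` can never match the `Symbol` text this message contains. The configuration is the one quoted above (minus options the evaluator ignores anyway); the message texts and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the local.cf quoted above, reduced to the lines this
# evaluator models (the other options are parsed and ignored).
SAMPLE_CF = """
# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
required_score 5
rewrite_header subject [SPAM]
use_bayes   1
body LOCAL_DEMONSTRATION_RULE  /symbol/
score LOCAL_DEMONSTRATION_RULE 6.0
describe LOCAL_DEMONSTRATION_RULE   This is a simple test rule
"""


@dataclass
class RuleSet:
    required_score: float = 5.0
    body: Dict[str, "re.Pattern[str]"] = field(default_factory=dict)
    scores: Dict[str, float] = field(default_factory=dict)
    describe: Dict[str, str] = field(default_factory=dict)


_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def compile_rule(regex: str) -> "re.Pattern[str]":
    """Turn a Perl-style /pattern/flags into a compiled Python regex.
    Without the i flag the match is case-sensitive, as in SpamAssassin."""
    m = re.fullmatch(r"/(.*)/([imsx]*)", regex.strip())
    if not m:
        raise ValueError(f"unsupported rule regex: {regex!r}")
    flags = 0
    for f in m.group(2):
        flags |= _FLAGS[f]
    return re.compile(m.group(1), flags)


def parse_cf(text: str) -> RuleSet:
    """Read the subset of .cf syntax this evaluator understands.
    Comments are cut at the first '#' (escaped \\# is not handled here)."""
    rs = RuleSet()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        keyword = parts[0]
        if keyword == "required_score" and len(parts) >= 2:
            rs.required_score = float(parts[1])
        elif len(parts) < 3:
            continue
        elif keyword == "body":
            rs.body[parts[1]] = compile_rule(parts[2])
        elif keyword == "score":
            # A score line may carry four values (local/net x bayes/no-bayes);
            # the first one is used here.
            rs.scores[parts[1]] = float(parts[2].split()[0])
        elif keyword == "describe":
            rs.describe[parts[1]] = parts[2]
        # other keywords (use_bayes, rewrite_header, ...) are ignored
    return rs


def check_body(rs: RuleSet, body_text: str) -> Tuple[float, List[Tuple[str, float, str]]]:
    """Run every body rule over the text SpamAssassin's body tests see
    (rendered body with the Subject prepended; the caller supplies that).
    Returns (total, [(rule, score, description), ...])."""
    hits = []
    for name, pattern in rs.body.items():
        if pattern.search(body_text):
            score = rs.scores.get(name, 1.0)  # SA's default for a rule without a score line
            hits.append((name, score, rs.describe.get(name, "")))
    return round(sum(h[1] for h in hits), 1), hits


def is_spam(rs: RuleSet, body_text: str) -> bool:
    return check_body(rs, body_text)[0] >= rs.required_score


if __name__ == "__main__":
    rules = parse_cf(SAMPLE_CF)
    for text in ("Symbol", "a symbol in the body"):
        total, hits = check_body(rules, text)
        print(f"{text!r}: {total} points, hits={[h[0] for h in hits]}")
    # the same rule with the i flag also catches the capitalised form
    relaxed = parse_cf(SAMPLE_CF.replace("/symbol/", "/symbol/i"))
    print("with /i:", check_body(relaxed, "Symbol")[0])
```

Running it against the text `Symbol` gives 0.0 points with the rule as written and 6.0 points with `/symbol/i`, which is above the configured `required_score 5`.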


SPF not working with these headers, why?

2006-12-08 Thread Bret Miller
I should probably submit this to bz, but I thought I'd ask here first in
case it's obvious... Why is SFP_PASS not firing on this?

X-Spam-Tests:
tests=AWL=-1.710,BAYES_50=0.001,BOTNET=0.5,BOTNET_BADDNS=0.01,
BOTNET_NOSPF=3.5,DNS_FROM_RFC_ABUSE=0.2,DNS_FROM_RFC_POST=1.708,
FM_WHITEONWHITE=0.45,HTML_50_60=0.134,HTML_MESSAGE=0.001,
MIME_HEADER_CTYPE_ONLY=0,MIME_HTML_ONLY=0.001,MSGID_FROM_MTA_ID=1.393,
SARE_UNA=1.231;autolearn=no
X-Spam-Score: 7.4
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
mail.hq.wcg.org
X-Spam-Level: +++
X-TFF-CGPSA-Version: 1.6a5
X-WCG-CGPSA-Filter: Scanned
X-SPAM-FLAG: Yes
Return-Path: [EMAIL PROTECTED]
Received: from [65.17.198.50] (HELO 123greetings.info)
  by mail.wcg.org (CommuniGate Pro SMTP 5.1.3)
  with SMTP id 19467966 for [EMAIL PROTECTED]; Fri, 08 Dec 2006 08:40:46
-0800
Received-SPF: pass
 receiver=mail.wcg.org; client-ip=65.17.198.50;
[EMAIL PROTECTED]
Content-Type: text/html; charset=US-ASCII
Date: Fri, 8 Dec 2006 11:40:25 -0500
To: [EMAIL PROTECTED]
From: Editor Bob [EMAIL PROTECTED]
X-Mailer: Version 5.0
Subject: Celebrate the Holiday Season
Organization: 123Greetings.info
Message-ID: [EMAIL PROTECTED]





RE: How can I learn a mail which how many score it got from each my rules?

2006-12-08 Thread Bowie Bailey
Larry Rosenman wrote:
 Halid Faith wrote:
  I use spamassassin3.1.7
  
  I go through some mails.
  I see a mail in /var/log/spamd.log as below Wed Dec  6 13:33:49 2006
  [4484] info: spamd: result: Y 15 -
 
EXTRA_MPART_TYPE,FRONTPAGE,HTML_MESSAGE,INVALID_DATE,MIME_BOUND_NEXTPART,
  MIME_QP_LONG_LINE,MSGID_MULTIPLE_AT,SARE_GIF_ATTACH,SARE_OBFUGIRLS,
  SUBJ_ALL_CAPS,SUBJ_ILLEGAL_CHARS,TW_IY,UNPARSEABLE_RELAY,UPPERCASE_25_50
  
  Yet, I can't understand which my rule, how many score gave that
  mail. How can I learn a mail which how many score it got from each
  my rules? is there a command for it ?
 
 In your user_prefs, add the following:
 report _TESTSSCORES( )_
 
 That shows the tests *AND* the scores:
 
 X-LERCTR-Spam-Report: (-108.6 points, 5.0 required)
   BAYES_00=-2.599 DK_POLICY_SIGNSOME=0.001 SPF_PASS=-0.001
 UPPERCASE_25_50=0 USER_IN_WHITELIST=-100 USER_IN_WHITELIST_TO=-6

I haven't seen that one before.  I might start using that as my default
setting.

What I do on my personal account and one or two others is add the full spam
report.  This should already be in the headers for spam, but I add it for
both so I can see the details for rule hits on ham as well.  Just add the
following line to either local.cf or a user's user_prefs file.

add_header all Report _REPORT_

-- 
Bowie
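
An added example, not code from the thread or from SpamAssassin: a parser for the `tests=` list that pulls per-rule scores out of a header such as Bret Miller's X-Spam-Tests header earlier in this digest (the form a `_TESTSSCORES( )_`-style template produces) and reconciles their sum with the declared X-Spam-Score. With the default `_TESTS_` template the list carries bare rule names and no scores, which is exactly the situation Halid asked about, so the breakdown comes back empty in that case. The header block below is reproduced from that message with the list folded across continuation lines; `get_header`, `parse_tests`, `score_breakdown` and `reconcile` are names chosen here.

```python
import re
from typing import Dict, Optional, Tuple

# Sample reproduced from the X-Spam-Tests message above, with the tests= list
# folded across continuation lines the way the MTA wrote it.
SAMPLE_HEADERS = """X-Spam-Tests:
\ttests=AWL=-1.710,BAYES_50=0.001,BOTNET=0.5,BOTNET_BADDNS=0.01,
\tBOTNET_NOSPF=3.5,DNS_FROM_RFC_ABUSE=0.2,DNS_FROM_RFC_POST=1.708,
\tFM_WHITEONWHITE=0.45,HTML_50_60=0.134,HTML_MESSAGE=0.001,
\tMIME_HEADER_CTYPE_ONLY=0,MIME_HTML_ONLY=0.001,MSGID_FROM_MTA_ID=1.393,
\tSARE_UNA=1.231;autolearn=no
X-Spam-Score: 7.4
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
\tmail.hq.wcg.org
X-Spam-Level: +++
"""


def get_header(block: str, name: str) -> Optional[str]:
    """Return the unfolded value of the first header called `name`, or None."""
    pat = re.compile(r"^" + re.escape(name) + r":[ \t]*(.*(?:\r?\n[ \t]+.*)*)",
                     re.IGNORECASE | re.MULTILINE)
    m = pat.search(block)
    if not m:
        return None
    # RFC 5322 unfolding: a line break followed by whitespace is one space.
    return re.sub(r"\r?\n[ \t]+", " ", m.group(1)).strip()


def parse_tests(tests_value: str) -> Dict[str, Optional[float]]:
    """Split a tests= list into {rule: score}.

    The default X-Spam-Status lists bare rule names (_TESTS_); sites whose
    template uses _TESTSSCORES_ get NAME=score pairs. A bare name maps to
    None so the caller can tell the two apart.
    """
    value = re.sub(r",\s+", ",", tests_value)      # rejoin items split by folding
    m = re.search(r"tests=([^;\s]+)", value)
    if not m:
        return {}
    out: Dict[str, Optional[float]] = {}
    for item in m.group(1).split(","):
        if not item:
            continue
        name, has_score, score = item.partition("=")
        out[name] = float(score) if has_score else None
    return out


def score_breakdown(block: str) -> Dict[str, float]:
    """Per-rule scores from X-Spam-Tests (X-Spam-Status as a fallback),
    most expensive rule first. Empty if the header carries no scores."""
    value = get_header(block, "X-Spam-Tests") or get_header(block, "X-Spam-Status") or ""
    tests = parse_tests(value)
    if not tests or any(v is None for v in tests.values()):
        return {}
    return dict(sorted(tests.items(), key=lambda kv: kv[1], reverse=True))


def reconcile(block: str) -> Tuple[Optional[float], Optional[float]]:
    """(sum of per-rule scores, score the filter declared), so a mismatch,
    e.g. a stale X-Spam-Score left over from another pass, stands out."""
    breakdown = score_breakdown(block)
    computed = round(sum(breakdown.values()), 1) if breakdown else None
    declared_raw = get_header(block, "X-Spam-Score")
    declared = float(declared_raw) if declared_raw else None
    return computed, declared


if __name__ == "__main__":
    for rule, score in score_breakdown(SAMPLE_HEADERS).items():
        print(f"{score:7.3f}  {rule}")
    print("computed / declared:", reconcile(SAMPLE_HEADERS))
```

On the sample the fourteen per-rule scores add up to 7.4, matching the declared X-Spam-Score, and BOTNET_NOSPF at 3.5 is the single largest contributor.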


Re: TMDA SA

2006-12-08 Thread Bob Proulx
Jean-Paul Natola wrote:
 Is anyone on here using , or have any comments/feedback regarding the use of
 TMDA  SA ?
 
 http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29

Yes.  Don't use challenge response.  Here is a good write-up/rant
about the evils of it.

  http://linuxmafia.com/faq/Mail/challenge-response.html

Bob


unsubscribe

2006-12-08 Thread Cavillones, Henry


Re: unsubscribe

2006-12-08 Thread Evan Platt

At 10:09 AM 12/8/2006, you wrote:


As the headers of every message state:

list-unsubscribe: mailto:[EMAIL PROTECTED] 



Re: Spamd and Spamassassin filtering differently

2006-12-08 Thread Kris Deugau

Neo23x0 wrote:

Spamd and Spamassassin are filtering in a different way. Why?
As you can see, the results of the two tests are different, although it's
the same email. 
Where is the difference?


I tried spamassassin --lint and /etc/init.d/spamd restart, but nothing
worked.

spamc -c < mail.txt
3.6/5.0


Run spamc without the -c flag;  that should return the message *with* a 
complete report similar to what you got for spamassassin 


Comparing which rules actually hit will tell you a great deal about 
differences in how the two calls are processing mail.


Just offhand, I'd guess that your spamd instance isn't running RBL 
rules, and it looks like a custom rule isn't hitting either based on its 
score of 10 (!!).


-kgd


Re: SPF not working with these headers, why?

2006-12-08 Thread Daryl C. W. O'Shea

Bret Miller wrote:

I should probably submit this to bz, but I thought I'd ask here first in
case it's obvious... Why is SFP_PASS not firing on this?


Run the message through spamassassin -Dspf and find out.

Daryl


Re: Spamd and Spamassassin filtering differently

2006-12-08 Thread Neo23x0


Kris Deugau wrote:
 
 Run spamc without the -c flag;  that should return the message *with* a 
 complete report similar to what you got for spamassassin 
 

Right. I know, that a set of fewer rules match while using spamd. *pf*


Kris Deugau wrote:
 
 Comparing which rules actually hit will tell you a great deal about 
 differences in how the two calls are processing mail.
 
 Just offhand, I'd guess that your spamd instance isn't running RBL 
 rules, and it looks like a custom rule isn't hitting either based on its 
 score of 10 (!!).
 
 -kgd
 

Hey, I assumed that before. Cool. The problem is, that I can't figure out
how to change that.
I use qmail with spamd


/etc/init.d/spamd wrote:
 
 SPAMD_BIN=/usr/sbin/spamd
 SPAMD_CONFIG=/etc/sysconfig/spamd
 


/etc/sysconfig/spamd wrote:
 
 SPAMD_ARGS=-d -c -a -L
 

Spamassassin is up to date.
- SpamAssassin version 3.1.7;  running on Perl version 5.8.3
- SpamAssassin Client version 3.1.7

How do I configure spamd to use the Rule Set, that are used by invoking
spamassassin?




-- 
View this message in context: 
http://www.nabble.com/Spamd-and-Spamassassin-filtering-differently-tf2781676.html#a7763175
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Botnet 0.6 plugin for Spam Assassin availabile

2006-12-08 Thread John D. Hardin
On Fri, 8 Dec 2006, Billy Huddleston wrote:

 Question, how can we avoid tagging messages that are sent to our
 server from a remote connection if they use authenticated SMTP ??
 
 Example: I have a user who is on a different network, using my
 mail server, so I let them via authenticated SMTP, every message
 they send gets tagged because of Bot Net or Relay Checker..

Don't pass email from authenticated users to SA at all.

*how* you do that is MTA-specific.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...to announce there must be no criticism of the President or to
  stand by the President right or wrong is not only unpatriotic and
  servile, but is morally treasonous to the American public.
  -- Theodore Roosevelt, 1918
---
 7 days until Bill of Rights day



Re: Spamd and Spamassassin filtering differently

2006-12-08 Thread Theo Van Dinter
On Fri, Dec 08, 2006 at 10:49:20AM -0800, Neo23x0 wrote:
 /etc/sysconfig/spamd wrote:
  SPAMD_ARGS=-d -c -a -L
 
 How do I configure spamd to use the Rule Set, that are used by invoking
 spamassassin?

Run it the same way. ;)   The first thing is removing the -L which disables
network tests.

-- 
Randomly Selected Tagline:
A successful tool is one that was used to do something undreamt by its
 author. - Stephen C. Johnson




Re: Spam assasin rules problem

2006-12-08 Thread Theo Van Dinter
On Fri, Dec 08, 2006 at 05:11:14PM +, kailash vyas wrote:
 I ran spamassasin -lint local.cf and it is showing no errors

fwiw, it's just spamassassin --lint.  Adding -D is generally useful too.

 After that I ran spamc -R command to run a check for the rules but it is not
 reporting in the analysis

Have you restarted spamd?

-- 
Randomly Selected Tagline:
If your feet smell and your nose runs, you were built upside down.




RE: TMDA SA

2006-12-08 Thread Jean-Paul Natola

Jean-Paul Natola wrote:
 Is anyone on here using , or have any comments/feedback regarding the use
of
 TMDA  SA ?
 
 http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29

Yes.  Don't use challenge response.  Here is a good write-up/rant
about the evils of it.

http://linuxmafia.com/faq/Mail/challenge-response.html

Bob

I'm a bit confused here (what else is new) is there a difference between 
Challenge-Response  and Sender address Verification?

Some articles say they are two -different animals other say yes they are
the same

Either way I do not intend to use CR- just wondering what, if any, are the
diff




This seen on Dice

2006-12-08 Thread Philip Prindeville
Any takers?  ;-)

http://seeker.dice.com/seeker.epl?rel_code=1102op=5type=14dockey=xml/7/a/[EMAIL
 PROTECTED]bb=0source=15




RE: This seen on Dice

2006-12-08 Thread Giampaolo Tomassoni
From: Philip Prindeville [mailto:[EMAIL PROTECTED]
 
 Any takers?  ;-)
 
 http://seeker.dice.com/seeker.epl?rel_code=1102op=5type=14docke
y=xml/7/a/[EMAIL PROTECTED]bb=0source=15

Aaaah! I need a telecommuter and I don't even know what's it...

g



RE: SPF not working with these headers, why?

2006-12-08 Thread Bret Miller
 Bret Miller wrote:
  I should probably submit this to bz, but I thought I'd ask
 here first in
  case it's obvious... Why is SFP_PASS not firing on this?

 Run the message through spamassassin -Dspf and find out.

 Daryl


OK. It says:

[2840] dbg: spf: checking HELO (helo=, ip=65.17.198.50)
[2840] dbg: spf: cannot get HELO, cannot use SPF
[2840] dbg: spf: checking EnvelopeFrom (helo=, ip=65.17.198.50,
[EMAIL PROTECTED])
[2840] dbg: spf: cannot get HELO, cannot use SPF
[2840] dbg: spf: def_whitelist_from_spf: [EMAIL PROTECTED] is
not in DEF_WHITELIST_FROM_SPF
[2840] dbg: spf: whitelist_from_spf: [EMAIL PROTECTED] is not
in user's WHITELIST_FROM_SPF

Which would indicate it's not parsing the Received header correctly, so
I guess a bz ticket is in order.

Bret
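
An added example, not SpamAssassin code and not from the thread, of the parsing problem the debug output points at: the HELO name and client IP have to come out of the topmost Received: header before either SPF pass can run. CommuniGate writes `from [ip] (HELO name)`, whereas the common sendmail/Postfix layout is `from helo (rdns [ip])`; a parser that knows only the second form finds no HELO, which is what `cannot get HELO, cannot use SPF` reports. The samples below are constructed: the first reuses the IP and HELO quoted above with a placeholder recipient, the others are made up for contrast. No DNS or SPF evaluation happens here; `spf_check_inputs` only assembles the inputs an SPF check needs, and all function names are chosen for the example.

```python
import re
from typing import Dict, Optional, Tuple

_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# CommuniGate Pro layout, as in the header quoted above: from [ip] (HELO name)
_CGP_FORM = re.compile(
    r"^from\s+\[(?P<ip>" + _IPV4 + r")\]\s*\(HELO\s+(?P<helo>[^\s)]+)\)",
    re.IGNORECASE)
# sendmail/Postfix layout: from helo (rdns [ip]) or from helo ([ip])
_CLASSIC_FORM = re.compile(
    r"^from\s+(?P<helo>\S+)\s*\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>" + _IPV4 + r")\]",
    re.IGNORECASE)

# Constructed samples. RECEIVED_CGP reuses the IP and HELO from the thread
# with a placeholder recipient; the other two are invented for contrast.
RECEIVED_CGP = (
    "Received: from [65.17.198.50] (HELO 123greetings.info)\n"
    "  by mail.wcg.org (CommuniGate Pro SMTP 5.1.3)\n"
    "  with SMTP id 19467966 for user@example.org; Fri, 08 Dec 2006 08:40:46 -0800")
RECEIVED_CLASSIC = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby mx.example.net (Postfix) with ESMTP id PLACEHOLDER\n"
    "\tfor <user@example.net>; Fri, 8 Dec 2006 09:00:00 -0800")
RECEIVED_LOCAL = "Received: by mx.example.net (Postfix, from userid 1000) id PLACEHOLDER"


def unfold(header: str) -> str:
    """Join folded continuation lines (line break + whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def parse_received(header: str) -> Optional[Tuple[str, str]]:
    """Return (helo, client_ip) for the SMTP client named in a Received: header,
    or None when the header records a local hand-off with no client at all."""
    line = re.sub(r"^received:\s*", "", unfold(header), flags=re.IGNORECASE)
    for form in (_CGP_FORM, _CLASSIC_FORM):
        m = form.match(line)
        if m:
            return m.group("helo"), m.group("ip")
    return None


def spf_check_inputs(received: str, envelope_from: str) -> Dict[str, object]:
    """Assemble the inputs of the two SPF passes the debug log names (the HELO
    check and the envelope-from check). No DNS is queried here."""
    parsed = parse_received(received)
    if parsed is None:
        return {"usable": False, "reason": "cannot get HELO/IP from Received header"}
    helo, ip = parsed
    domain = envelope_from.strip("<>").rpartition("@")[2].lower()
    return {"usable": True, "ip": ip, "helo": helo, "envelope_domain": domain}


if __name__ == "__main__":
    for sample in (RECEIVED_CGP, RECEIVED_CLASSIC, RECEIVED_LOCAL):
        print(parse_received(sample))
    print(spf_check_inputs(RECEIVED_CGP, "editor@123greetings.info"))
```

The same two-layout approach is what a filter needs before it can decide whether an SPF result applies to the HELO identity, the envelope sender, or neither.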





Re: TMDA SA

2006-12-08 Thread Bob Proulx
Jean-Paul Natola wrote:
 I'm a bit confused here (what else is new) is there a difference between 
 Challenge-Response  and Sender address Verification?
 
 Some articles say they are two -different animals other say yes they are
 the same

They are completely different animals.

In terse summary Challenge Response sends a message to the probably
forged sender address on received mail.  An innocent victim of a
forged message will receive this CR spam.  My address is widely
dispersed and often appears on forged email.  I routinely get CR spam
from sites using TMDA.  I routinely respond to those challenges to
enable the delivery of the original spam and viruses.  CR is designed
to reduce spam to a particular mailbox at the cost of producing spam
to many, many other mailboxes.  That is very rude.

By contrast sender address verification never generates an email
message.  It cannot generate spam.  What sender address verification
does is to probe the address to verify that the sender will receive a
bounce if the original message were undeliverable.  If they will
receive a bounce, without actually generating one, then message
delivery continues.  If the sender will not receive a bounce then
message delivery fails at that point.  This is not designed to block
forgeries.  This is designed to block invalid sender mail addresses.

 Either way I do not intend to use CR- just wondering what, if any, are the
 diff

When you say TMDA everyone will immediately think challenge response
because TMDA's primary functionality is CR.  TMDA will also do other
things too and some people, a minority, use it for those other
features.  But the majority use case for TMDA is for challenge
response and that is the problem case.

Bob


RE: SPF not working with these headers, why?

2006-12-08 Thread Bret Miller
  Bret Miller wrote:
   I should probably submit this to bz, but I thought I'd ask
  here first in
   case it's obvious... Why is SFP_PASS not firing on this?
 
  Run the message through spamassassin -Dspf and find out.
 
  Daryl
 

 OK. It says:

 [2840] dbg: spf: checking HELO (helo=, ip=65.17.198.50)
 [2840] dbg: spf: cannot get HELO, cannot use SPF
 [2840] dbg: spf: checking EnvelopeFrom (helo=, ip=65.17.198.50,
 [EMAIL PROTECTED])
 [2840] dbg: spf: cannot get HELO, cannot use SPF
 [2840] dbg: spf: def_whitelist_from_spf:
 [EMAIL PROTECTED] is
 not in DEF_WHITELIST_FROM_SPF
 [2840] dbg: spf: whitelist_from_spf:
 [EMAIL PROTECTED] is not
 in user's WHITELIST_FROM_SPF

 Which would indicate it's not parsing the Received header
 correctly, so I guess a bz ticket is in order.

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5234





RE: TMDA SA

2006-12-08 Thread Jean-Paul Natola


Jean-Paul Natola wrote:
 I'm a bit confused here (what else is new) is there a difference between 
 Challenge-Response  and Sender address Verification?
 
 Some articles say they are two -different animals other say yes they are
 the same

They are completely different animals.

In terse summary Challenge Response sends a message to the probably
forged sender address on received mail.  An innocent victim of a
forged message will receive this CR spam.  My address is widely
dispersed and often appears on forged email.  I routinely get CR spam
from sites using TMDA.  I routinely respond to those challenges to
enable the delivery of the original spam and viruses.  CR is designed
to reduce spam to a particular mailbox at the cost of producing spam
to many, many other mailboxes.  That is very rude.

By contrast sender address verification never generates an email
message.  It cannot generate spam.  What sender address verification
does is to probe the address to verify that the sender will receive a
bounce if the original message were undeliverable.  If they will
receive a bounce, without actually generating one, then message
delivery continues.  If the sender will not receive a bounce then
message delivery fails at that point.  This is not designed to block
forgeries.  This is designed to block invalid sender mail addresses.

 Either way I do not intend to use CR- just wondering what, if any, are the
 diff

When you say TMDA everyone will immediately think challenge response
because TMDA's primary functionality is CR.  TMDA will also do other
things too and some people, a minority, use it for those other
features.  But the majority use case for TMDA is for challenge
response and that is the problem case.

Bob

is Sender Address Verification a feasible option? Let me rephrase , does
anyone here use it? If not why? 


Re: Spamd and Spamassassin filtering differently

2006-12-08 Thread Neo23x0


Theo Van Dinter-2 wrote:
 
 Run it the same way. ;)   The first thing is removing the -L which
 disables
 network tests.
 

Thanks. Just changed it. 
Ok, but my question is still unanswered. I have a lot of really nice *.cf
files in my /usr/share/spamassassin directory, but it seems that spamd
doesn't use them. Why? Which conf-Files uses spamd? Where is the hack. 
I can't find anything in a manual or online documentation.


dir listing wrote:
 
 ls /usr/share/spamassassin/
 .  23_bayes.cf  30_text_nl.cf
 .. 25_accessdb.cf   30_text_pl.cf
 10_misc.cf 25_antivirus.cf  30_text_pt_br.cf
 20_advance_fee.cf  25_body_tests_es.cf  50_scores.cf
 20_anti_ratware.cf 25_body_tests_pl.cf  60_awl.cf
 20_body_tests.cf   25_dcc.cf60_whitelist.cf
 20_compensate.cf   25_dkim.cf   60_whitelist_dk.cf
 20_dnsbl_tests.cf  25_domainkeys.cf 60_whitelist_dkim.cf
 20_drugs.cf25_hashcash.cf   60_whitelist_spf.cf
 20_fake_helo_tests.cf  25_pyzor.cf  60_whitelist_subject.cf
 20_head_tests.cf   25_razor2.cf 70_neos_whitelist_subject.cf
 20_html_tests.cf   25_replace.cf70_zmi_german.cf
 20_meta_tests.cf   25_spf.cflanguages
 20_net_tests.cf25_textcat.cfsa-update-pubkey.txt
 20_phrases.cf  25_uribl.cf  triplets.txt
 20_porn.cf 30_text_de.cfuser_prefs.template
 20_ratware.cf  30_text_fr.cf
 20_uri_tests.cf30_text_it.cf
 

-- 
View this message in context: 
http://www.nabble.com/Spamd-and-Spamassassin-filtering-differently-tf2781676.html#a7764285
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



RE: This seen on Dice

2006-12-08 Thread Jean-Paul Natola

From: Philip Prindeville [mailto:[EMAIL PROTECTED]
 
 Any takers?  ;-)
 
 http://seeker.dice.com/seeker.epl?rel_code=1102op=5type=14docke
y=xml/7/a/[EMAIL PROTECTED]bb=0source=15

Aaaah! I need a telecommuter and I don't even know what's it...

g

Maybe they are setting a trap for spammers?


RE: This seen on Dice

2006-12-08 Thread Giampaolo Tomassoni


 -Original Message-
 From: Jean-Paul Natola [mailto:[EMAIL PROTECTED]
 Sent: Friday, December 08, 2006 9:09 PM
 To: Giampaolo Tomassoni; users@spamassassin.apache.org
 Subject: RE: This seen on Dice
 
 
 
 From: Philip Prindeville [mailto:[EMAIL PROTECTED]
  
  Any takers?  ;-)
  
  http://seeker.dice.com/seeker.epl?rel_code=1102op=5type=14docke
 y=xml/7/a/[EMAIL PROTECTED]bb=0source=15
 
 Aaaah! I need a telecommuter and I don't even know what's it...
 
 g
 
 Maybe they are setting a trap for spammers?

Mmmm, nah! From Florida? You mean, a sound, hurting trap for lizards?

It seems a real hiring ad. In USA spam is legal, am I wrong? So, hiring 
somebody for that job is legal too.

g



RE: Spamd and Spamassassin filtering differently

2006-12-08 Thread Dan Barker
Fourth, the .cf's are off of /var if you use sa-update

Dan

-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
Sent: Friday, December 08, 2006 3:14 PM
To: users@spamassassin.apache.org
Subject: Re: Spamd and Spamassassin filtering differently


On Fri, Dec 08, 2006 at 12:03:17PM -0800, Neo23x0 wrote:
 Ok, but my question is still unanswered. I have a lot of really nice *.cf
 files in my /usr/share/spamassassin directory, but it seems that spamd
 doesn't use them. Why? Which conf-Files uses spamd? Where is the hack. 
 I can't find anything in a manual or online documentation.

First, don't do that.  Your own config files (and any cf files that aren't
part of the default distribution) should go into /etc/mail/spamassassin (or
wherever you keep your site-wide configs).

Second, as usual, run with -D and find out what's going on.

Third, man spamassassin has a large amount of information about what
files/dir are used for configs.

-- 
Randomly Selected Tagline:
Why are there certain flavors of pet food?  Chicken, beef...



Re: Spamd and Spamassassin filtering differently

2006-12-08 Thread Neo23x0


Theo Van Dinter-2 wrote:
 
 First, don't do that.  Your own config files (and any cf files that aren't
 part of the default distribution) should go into /etc/mail/spamassassin
 (or
 wherever you keep your site-wide configs).
 
 Second, as usual, run with -D and find out what's going on.
 
 Third, man spamassassin has a large amount of information about what
 files/dir are used for configs.
 

Ok, moved the files. 
Reloaded spamassassin with -D --lint and found my
/etc/mail/spamassassin/70_*.cf files. Well, well. 
Spamassassin itself works correctly, so I guess that I don't need the
params for spamassassin, but for spamd. 

Example 



 
 spamassassin < mail.txt
 
 Content analysis details:   (10.0 points, 6.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
   10 NEOS_BLACK             BODY: Blacklist Rule for testing purpose
  0.0 UPPERCASE_25_50        message body is 25-50% uppercase
  0.0 AWL                    AWL: From: address is in the auto white-list
 
 



 spamc -R < mail.txt
 
 Content analysis details:   (1.5 points, 6.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.5 EMPTY_MESSAGE          Message appears to have no textual parts and no
                             Subject: text
 
 

Where is the difference? Which config files does spamd use? 

Is it that param?


  -V, --virtual-config=dir   Enable Virtual configs (needs -x)
  --virtual-config-dir=dir   Enable pattern based Virtual
 configs (needs -x)
 

-- 
View this message in context: 
http://www.nabble.com/Spamd-and-Spamassassin-filtering-differently-tf2781676.html#a7764696
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
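
Kris's suggestion, comparing which rules actually fired in the two runs, as an added example that is not code from the thread or from SpamAssassin: a parser for the `Content analysis details` table and a diff of the rule hits between two reports. The two reports are constructed from the ones quoted above; `parse_report`, `diff_hits` and `compare_reports` are names chosen here. Read that way, the spamc run's only hit is itself a clue: EMPTY_MESSAGE means spamd saw no message text at all, so whatever NEOS_BLACK matched in the first run never reached it.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed samples modelled on the two reports above: the same message
# scored by `spamassassin < mail.txt` and by `spamc -R < mail.txt`.
REPORT_SPAMASSASSIN = """Content analysis details:   (10.0 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
  10 NEOS_BLACK             BODY: Blacklist Rule for testing purpose
 0.0 UPPERCASE_25_50        message body is 25-50% uppercase
 0.0 AWL                    AWL: From: address is in the auto white-list
"""

REPORT_SPAMC = """Content analysis details:   (1.5 points, 6.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 EMPTY_MESSAGE          Message appears to have no textual parts and no
                            Subject: text
"""

_SUMMARY = re.compile(r"\((-?[\d.]+) points, ([\d.]+) required\)")
_HIT = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)\s+(.*)$")

Hits = Dict[str, Tuple[float, str]]


def parse_report(text: str) -> Tuple[Optional[Tuple[float, float]], Hits]:
    """Return ((total, required), {rule: (score, description)}).

    Indented lines without a leading score continue the previous description,
    as the second line of the EMPTY_MESSAGE hit does.
    """
    summary = None
    hits: Hits = {}
    last: Optional[str] = None
    for line in text.splitlines():
        m = _SUMMARY.search(line)
        if m and summary is None:
            summary = (float(m.group(1)), float(m.group(2)))
            continue
        m = _HIT.match(line)
        if m:
            score, rule, desc = m.groups()
            hits[rule] = (float(score), desc.strip())
            last = rule
        elif last and line.startswith(" ") and line.strip():
            s, d = hits[last]
            hits[last] = (s, d + " " + line.strip())
    return summary, hits


def diff_hits(a: Hits, b: Hits) -> Dict[str, object]:
    """Rules that fired in only one run, plus rules that fired in both with a
    different score (which points at a score-set or config difference)."""
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = sorted(r for r in set(a) & set(b) if a[r][0] != b[r][0])
    return {"only_in_first": only_a, "only_in_second": only_b, "score_changed": changed}


def compare_reports(first: str, second: str) -> Dict[str, object]:
    s1, h1 = parse_report(first)
    s2, h2 = parse_report(second)
    result = diff_hits(h1, h2)
    result["totals"] = (s1[0] if s1 else None, s2[0] if s2 else None)
    return result


if __name__ == "__main__":
    for key, value in compare_reports(REPORT_SPAMASSASSIN, REPORT_SPAMC).items():
        print(f"{key}: {value}")
```

For the two sample reports the diff lists NEOS_BLACK, UPPERCASE_25_50 and AWL as hits only in the first run and EMPTY_MESSAGE only in the second, with totals of 10.0 and 1.5 points.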



Re: How do I know if DCC is running and working?

2006-12-08 Thread Robert S

Try

$ spamassassin --debug --lint

(or $ spamassassin --debug --lint 2>&1 | less )
and look in the output for DCC.  The DCC daemon doesn't have to be
running for DCC to work.

I've found that if the DCC daemon is running I get timeout errors at
times and nobody's been able to show me how to get rid of them.


bayes db site wide or per user

2006-12-08 Thread Alex Handle

Hi to all,

a month a go we implemented a mailcluster based on
postfix/mysql/nfs/amavisd-new/spamassassin and now we
would like to add bayesian filtering to the system.
Our Cluster is designed to scale for about 100 000 mailboxes.

The users should forward spam and ham to sa-learn by
sending the mails as attachment to a specific address:

[EMAIL PROTECTED]

or

[EMAIL PROTECTED]


Is it a bad idea to use a site wide bayes database or is it better
to use a per user database in this scenario?
How resistant is a site wide setup with a lot of mailboxes against
poisoning?

Thanks!

Alex


Re: This seen on Dice

2006-12-08 Thread George R . Kasica
On Fri, 08 Dec 2006 12:36:11 -0700, you wrote:

Any takers?  ;-)

http://seeker.dice.com/seeker.epl?rel_code=1102op=5type=14dockey=xml/7/a/[EMAIL
 PROTECTED]bb=0source=15

They have got to be joking..then again, I'd believe just about
anything these days


===[George R. Kasica]===+1 262 677 0766
President   +1 206 374 6482 FAX 
Netwrx Consulting Inc.  Jackson, WI USA 
http://www.netwrx1.com
[EMAIL PROTECTED]
ICQ #12862186


RE: This seen on Dice

2006-12-08 Thread Michael Scheidell
And all this from DICE that spams the hell out of me non stop?
 
I remember them from '94? Spamming the fl.jobs.* newsgroups till they
were useless?

This must be for themselves.




RE: This seen on Dice

2006-12-08 Thread Jean-Paul Natola

Any takers?  ;-)

http://seeker.dice.com/seeker.epl?rel_code=1102op=5type=14dockey=xml/7/a
/[EMAIL PROTECTED]bb=0source=15

I guess we know who is job hunting  :)


Re: TMDA SA

2006-12-08 Thread Matt Kettler
Jean-Paul Natola wrote:
 Is anyone on here using , or have any comments/feedback regarding the use of
 TMDA  SA ?

 http://wiki.tmda.net/SpamAssassin?highlight=%28spamassassin%29
   

TMDA is an acceptable criterion for being blacklisted by spamcop.

ie: don't use TMDA, it's evil. It's simply a way of trying to foist your
spam filtering problems into someone else's mailbox.


Re: blacklist-uri.cf

2006-12-08 Thread Matt Kettler
LuKreme wrote:

 Is there something about

   blacklist-uri.cf

 That I should know?  
It uses an *ABSURD* amount of memory, and is 100% redundant with the WS
list on surbl.org.

Don't use it unless BOTH of the following are true:
 1) the idea of increasing your mailserver memory load by a couple
of gigs doesn't worry you.

2) the idea of adding 100ms of latency for a DNS lookup has kept you
from enabling the URIBL plugin.

 If I install it I seem to get lint errors in seemingly random
 locations (usually when it reads $HOME/.spamassassin/user_pref but it
 can be several other places as well)

 As a note, it WAS running for a long time on my mailserver without
 issue, but recently RDJ has been giving me lint errors and after
 testing each .cf file I found that one was the culprit.



RE: TMDA SA

2006-12-08 Thread hamann . w

Hi,

If someone sends you lots of crap from a handful of forged addresses, and your
verification does not cache results, you might create a lot of connects to
innocent systems (and possibly get blacklisted for that).

What happens if the other side does the same, and starts an SMTP connection to
your server in response to your verification attempt? You might get two
machines locking up each other. A careful design (verifying at the DATA
command) would probably avoid that.

Both sender address validation and CR may lose valid email 

I am using address verification but in the context of a web form: if a visitor
is supplying an email that seems to be unreachable, he/she would be asked to
supply a different one.

Wolfgang Hamann

Jean-Paul Natola wrote:
is Sender Address Verification a feasible option? Let me rephrase , does
anyone here use it? If not why?






Rules du Jour (RDJ) and AntiDrug

2006-12-08 Thread Chris Thielen

To all RDJ users:

I have removed ANTIDRUG from the script because the author requested 
it.  The antidrug ruleset is included in SpamAssassin 3.0 and above, and 
is not being actively updated for use with SpamAssassin 2.64.


After updating your system with RDJ version 1.30 or higher you will 
receive occasional warnings until you remove ANTIDRUG from the 
TRUSTED_RULESETS in the RDJ config file.



Also, sorry for releasing so many updates to RDJ in such a short time 
period!


Chris Thielen


Re: Rule update over DNS?

2006-12-08 Thread Kenneth Porter
--On Friday, December 08, 2006 12:20 AM -0500 Duncan Findlay 
[EMAIL PROTECTED] wrote:



That's a good point. Those of us packaging SpamAssassin for
distributions should think about this. :-) Will it be okay if all
Debian users start running sa-update on the same minute of the hour?


Are those distributions joining the list of update mirrors? Can the 
mirroring be done by DNS round-robin, so that a random HTTP server will be 
chosen for the update? Is there a failover scheme so that a system finding 
a slow mirror without the update will switch to another mirror that has the 
update?


Re: Rules du Jour (RDJ) and AntiDrug

2006-12-08 Thread René Berber
Chris Thielen wrote:

 To all RDJ users:
 
 I have removed ANTIDRUG from the script because the author requested
 it.  The antidrug ruleset is included in SpamAssassin 3.0 and above, and
 is not being actively updated for use with SpamAssassin 2.64.
 
 After updating your system with RDJ version 1.30 or higher you will
 receive occasional warnings until you remove ANTIDRUG from the
 TRUSTED_RULESETS in the RDJ config file.

By version 1.30 you mean the script?

Where is the script available?
http://www.exit0.us/index.php?pagename=RulesDuJour is not working.

 Also, sorry for releasing so many updates to RDJ in such a short time
 period!

Thanks.
-- 
René Berber



Re: blacklist-uri.cf

2006-12-08 Thread LuKreme

On 8-Dec-2006, at 16:11, Matt Kettler wrote:
It uses an *ABSURD* amount of memory, and is 100% redundant with the WS
list on surbl.org.


The WS list? I don't think I'm setup for SURBL.  I'm running RDJ with

TRUSTED_RULESETS=TRIPWIRE EVILNUMBERS RANDOMVAL
BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_SPOOF
SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER_ABUSE
SARE_SPECIFIC SARE_CODING_HTML SARE_GENLSUBJ SARE_UNSUB SARE_URI0
SARE_REDIRECT_POST300 SARE_OBFU SARE_SPAMCOP_TOP200;

and with the following plugins/modules

# grep -e ^load /usr/local/etc/mail/spamassassin/*.pre | awk {'print $2'}

Mail::SpamAssassin::Plugin::URIDNSBL
Mail::SpamAssassin::Plugin::Hashcash
Mail::SpamAssassin::Plugin::SPF
Mail::SpamAssassin::Plugin::DCC
Mail::SpamAssassin::Plugin::Pyzor
Mail::SpamAssassin::Plugin::Razor2
Mail::SpamAssassin::Plugin::SpamCop
Mail::SpamAssassin::Plugin::AntiVirus
Mail::SpamAssassin::Plugin::AWL
Mail::SpamAssassin::Plugin::AutoLearnThreshold
Mail::SpamAssassin::Plugin::TextCat
Mail::SpamAssassin::Plugin::WhiteListSubject
Mail::SpamAssassin::Plugin::MIMEHeader
Mail::SpamAssassin::Plugin::ReplaceTags
Mail::SpamAssassin::Plugin::DKIM

so I guess SURBL is setup, but how do I feed it a specific list like  
WS?  And should I replace EvilNumbers and SARE_SPAMCOP with  
be.surbl.or and sc.surbl.org respectively?  Or just use  
multi.surbl.org and be?


2) the idea of adding 100ms of latency for a DNS lookup has kept you
from enabling the URIBL plugin.


well, it looks like the PLUGIN is enabled, but I certainly am not  
seeing where to tell it what lists to use.


It looks like I have to build my own rules/cf files in order to  
enable these checks?  Are there pre-rolled cf files for the various  
SURBLs?


--
Living is easy with eyes closed, misunderstanding all you see




Re: TMDA SA

2006-12-08 Thread LuKreme

On 8-Dec-2006, at 12:27, Jean-Paul Natola wrote:
I'm a bit confused here (what else is new) is there a difference between
Challenge-Response and Sender address Verification?

Some articles say they are two different animals, others say yes they are
the same


Some articles are written by morons then, as they are in no way the  
same.  The latter is an automated check that the address listed as  
the sender is a valid address, the former is a prove-you-love-me  
irritation that, at least when I receive it, goes straight in my  
trash.  Generating more email to try to protect YOUR mailbox at the  
expense of my time and resources is not cool.  Do it often enough and  
you get listed in my permanent blacklist (I still have hosts in there  
from 1995).


And that doesn't even deal with the issue of perfectly valid, but  
forged, sender addresses.  Prove-you-love-me means you send THEM  
bucketloads of extra spam.


--
Don't be nice.  It's Creepy.  Tendo Akane




Re: RulesDuJour

2006-12-08 Thread LuKreme

On 8-Dec-2006, at 01:46, Mike Kenny wrote:
The configuration that I inherited had only got TRUSTED_RULESETS=TRIPWIRE
SARE_EVILNUMBERS0 SARE_RANDOM; in /etc/rulesdujour/config. This obviously
allows a lot of spam to filter through (or at least would allow the rules
to become outdated). Looking at rulesdujour.sh I notice it references a lot
more rule sets than these. What problems might I encounter if I add all of
these (except for those noted as pre 3.0) to my config file?


Well, ALL of them would be a bit much.

The drawback is that some will add some overhead, both in time and in resources, to processing messages.  The more messages your mailserver gets, the more you care about that.


I would look at the SARE ones and enable those that sound good to you, and see how that goes.


--
You may be anti anti-spam-kook if: Despite having invented the FUSSP,  
you not only don't know the difference between the SMTP envelope and  
SMTP headers; you doubt there is such a thing as the SMTP envelope  
because email doesn't involve paper.





Re: How do I know if DCC is running and working?

2006-12-08 Thread LuKreme

On 8-Dec-2006, at 13:35, Robert S wrote:

spamassassin --debug --lint 2>&1 | less


I went with

# spamassassin -D --lint 2>&1 | grep -i dcc
[85448] dbg: config: read file /usr/local/share/spamassassin/25_dcc.cf
[85448] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8f63dcc)
[85448] dbg: plugin: loading Mail::SpamAssassin::Plugin::DCC from @INC
[85448] dbg: dcc: local tests only, disabling DCC
[85448] dbg: plugin: registered Mail::SpamAssassin::Plugin::DCC=HASH(0x90d3b38)
[85448] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8f63dcc) implements 'parsed_metadata'
[85448] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8f63dcc) implements 'check_tick'
[85448] dbg: plugin: Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8f63dcc) implements 'check_post_dnsbl'


no hits on DCC in maillog

--
It's better to burn out than it is to rust
  -- Neil Young as quoted by Kurt Cobain




Re: bayes db site wide or per user

2006-12-08 Thread Theo Van Dinter
On Fri, Dec 08, 2006 at 09:44:04PM +0100, Alex Handle wrote:
 postfix/mysql/nfs/amavisd-new/spamassassin and now we
 
 Is it a bad idea to use a site wide bayes database or is it better
 to use a per user database in this scenario?

Per user DBs will give you better results, but since you're running from
the MTA, your only choice is site-wide.

-- 
Randomly Selected Tagline:
Wheee! ...ow, I bit my tongue!
 
--Ralph Wiggum
  Bart's Inner Child (Episode 1F05)


pgpHXRSHFKtRT.pgp
Description: PGP signature


Re: false positives

2006-12-08 Thread Kamen TOMOV
On Thursday, December 07 2006, Sietse van Zanen wrote:

 off-topic) spamcop =?windows-1251?B?4vrv8O7x6A==?=

 Was that really your subject, did you type that? I think the
 =?windows-1251?B?4vrv8O7x6A==?= is the double encoded part.

No, my subject was: 
(off-topic) spamcop проблеми 


 Your problem might be the result of some incompatibility between
 Slavic - European character sets. But I'm not such an SMTP
 expert. Other people probably can elaborate more on this.

Anybody?

 SPF is Sender Policy Framework. More information can be found here:
 http://www.openspf.org/ It validates that the mail servers sending
 are really mail servers responsible for the domain they send mail
 for. So SPF matches are a good thing.

Yeah, I have an idea, but what's wrong with my mail servers?

 More info on the AWL can be found here:
 http://wiki.apache.org/spamassassin/AutoWhitelist

Thanks.


 From: Kamen TOMOV
 Sent: Thu 07-Dec-06 18:00
 To: users@spamassassin.apache.org
 Subject: Re: false positives


 On Thursday, December 07 2006, Sietse van Zanen wrote:

 They contain too little information.

 All right - here is more information. I sent a message to a group and
 I got it classified as spam. Here is the report:

 *  1.7 SUBJECT_ENCODED_TWICE Subject: MIME encoded twice

 Here is how the subject looks like when I sent it:

 (off-topic) spamcop =?windows-1251?B?4vrv8O7x6A==?=

 It looks to me that it is not encoded twice. However, here is the
 subject of the message that was received in the list:

  [SPAM] =?windows-1251?q?=5BSPAM=5D_=28off-topic=29_spamcop_=E2?=
   =?windows-1251?b?+u/w7vHo?=

 .., which might have been encoded twice. So is that a problem of the
 mail-list?

 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 *  0.1 FORGED_RCVD_HELO Received: contains a forged HELO

 Can anybody tell me what does HELO matches SPF record mean?

 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
 *  [score: 0.4115]
 *  0.2 MIME_BASE64_NO_NAME RAW: base64 attachment does not have a file
 *  name

 What attachments? I haven't attached anything to my message. It looks
 like spamassassin took the whole message as an attachment just because
 it is base64 - encoded.

 *  1.9 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding

 I don't understand why base64 encoded message is classified as
 disguised? My mail agent had just decided to encode the message in
 base64 encoding as it contains cp1251 characters so what's wrong with
 that?

 *  0.4 AWL AWL: From: address is in the auto white-list

 Can anybody tell me what does From: address is in the auto
 white-list mean? If it is in a white list why the coefficient is 0?

 -- 
 Камен
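A worked check for the SUBJECT_ENCODED_TWICE hit discussed above, added here as an illustration; it is neither code from the thread nor SpamAssassin's own rule or header-parsing code. A small RFC 2047 decoder is run once over a Subject line, and the header counts as encoded twice when the decoded text still contains an encoded-word. The first two inputs are the subjects quoted in the thread; DOUBLE_SUBJECT is a constructed sample showing what a genuinely double-encoded header looks like. The regex, function names and error handling are my choices, not SpamAssassin's.

```python
import base64
import quopri
import re

# One RFC 2047 encoded-word: =?charset?B|Q?text?=  (charset may carry an RFC 2231 "*lang" suffix)
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

# Subject lines quoted in the thread, as they appear in the archived message.
SENT_SUBJECT = "(off-topic) spamcop =?windows-1251?B?4vrv8O7x6A==?="
LIST_SUBJECT = ("=?windows-1251?q?=5BSPAM=5D_=28off-topic=29_spamcop_=E2?= "
                "=?windows-1251?b?+u/w7vHo?=")
# Constructed sample: the already-encoded word from SENT_SUBJECT wrapped in a second
# encoded-word, which is what a header that really was encoded twice looks like.
DOUBLE_SUBJECT = ("(off-topic) spamcop "
                  "=?us-ascii?Q?=3D=3Fwindows-1251=3FB=3F4vrv8O7x6A=3D=3D=3F=3D?=")


def decode_encoded_words(header):
    """Decode every encoded-word in a header in one pass, as an MUA does.

    Whitespace between two adjacent encoded-words is dropped (RFC 2047 section 6.2),
    which is how the list's split Q-word/B-word pair joins back into one string.
    Undecodable bytes are replaced rather than raised on; the goal is classification.
    """
    out = []
    pos = 0
    prev_was_encoded = False
    for m in ENCODED_WORD.finditer(header):
        gap = header[pos:m.start()]
        if not (prev_was_encoded and gap.strip() == ""):
            out.append(gap)
        charset = m.group(1).split("*")[0]          # drop any RFC 2231 language tag
        encoding, text = m.group(2).upper(), m.group(3)
        if encoding == "B":
            raw = base64.b64decode(text)
        else:
            raw = quopri.decodestring(text.encode("ascii"), header=True)  # header=True: '_' -> space
        try:
            out.append(raw.decode(charset, errors="replace"))
        except LookupError:
            out.append(raw.decode("latin-1"))        # unknown charset name: keep bytes 1:1
        pos = m.end()
        prev_was_encoded = True
    out.append(header[pos:])
    return "".join(out)


def encoded_twice(header):
    """True when one round of decoding still leaves an encoded-word in the text."""
    return ENCODED_WORD.search(decode_encoded_words(header)) is not None
```

Run over LIST_SUBJECT, the decoder shows what the list software actually did: it prepended "[SPAM] " and re-encoded the whole line, splitting the Cyrillic bytes across a Q-encoded word and a B-encoded word. That is ugly, but it is still a single layer of encoding, and neither of the quoted subjects trips encoded_twice; only the constructed DOUBLE_SUBJECT does.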


user_bayes_sql_custom_query ?

2006-12-08 Thread C. Bensend

Hey folks,

   So, I've been giving this some thought in the last week, as I'm
running into the old either site bayes or per-user bayes, nothing
in between issue.  I'm using simscan, which passes the first email
address to spamc, so for me it's a per-email-address limitation.

   For a majority of my users, that's fine - they only have _one_
email address.  For me, it's a problem, as I have dozens of email
addresses that are delivered to me, and sorted via maildrop.  Many
of these secondary addresses get tons of spam, but because they're
delivered to aliases, SA never applies bayes scoring, because the
user doesn't match the user my bayes database uses (using SQL,
of course).

   I would _love_ to have a bayes equivalent of
user_score_sql_custom_query, where spamd would query a table
consisting of something like so:

email_alias  CHAR(64)
email_user   CHAR(64)

or something similar.  That way, I could populate it with data like:

[EMAIL PROTECTED]   [EMAIL PROTECTED]
[EMAIL PROTECTED]  [EMAIL PROTECTED]
[EMAIL PROTECTED]  [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED][EMAIL PROTECTED]

etc...

   So, in this scenario, an email comes in destined to one of the
many secondary email addresses.  spamd makes a query (SELECT
email_user FROM aliases WHERE email_alias = '$user').  If spamd
gets a hit, great, try to initialize the bayes database for that
user.  If not, skip bayes and go on with life.

   Just a thought.  It would certainly help me in my situation,
but perhaps I'm just spending a little too much quality time with
the crackpipe.

Good idea?  Bad idea?  Dumb idea?

Benny


-- 
The faster you finish the fight, the less shot you will get.
-- Marine Corps Rules for
   Gunfighting
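A minimal version of the alias-to-user lookup Benny sketches, added here as an example; it is not code from SpamAssassin, spamd or simscan. It keeps the proposed two-column aliases table in an in-memory SQLite database (constructed rows with example.org addresses) and puts the query exactly as written in the post, with the recipient pasted into the SQL text, beside a bound-parameter version. The recipient string is whatever the remote SMTP client sent in RCPT TO, so it is attacker-controlled; unsafe_lookup exists only to show the difference and is the one not to copy.

```python
import sqlite3

# Constructed alias table in the shape the post proposes: one row per alias address.
ALIAS_ROWS = [
    ("sales@example.org", "benny@example.org"),
    ("lists@example.org", "benny@example.org"),
    ("postmaster@example.org", "benny@example.org"),
    ("alice@example.org", "alice@example.org"),
]

# Something a remote client can legally put after "RCPT TO:<...>".
INJECT = "x' OR email_alias LIKE '%"


def build_alias_db(rows=ALIAS_ROWS):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE aliases (email_alias TEXT PRIMARY KEY, email_user TEXT NOT NULL)")
    db.executemany("INSERT INTO aliases VALUES (?, ?)",
                   [(alias.lower(), user.lower()) for alias, user in rows])
    return db


def bayes_user_for(db, rcpt):
    """Return the user whose Bayes DB should score mail for this recipient, or None.

    None is the post's "skip bayes and go on with life" case.  The address is
    normalised and passed as a bound parameter, so its content never becomes SQL.
    """
    addr = rcpt.strip().lower()
    row = db.execute("SELECT email_user FROM aliases WHERE email_alias = ?", (addr,)).fetchone()
    return row[0] if row else None


def unsafe_lookup(db, rcpt):
    """The query as sketched in the post, with $user interpolated into the SQL text.

    Kept only to contrast with bayes_user_for(): an address containing a quote
    changes the query, and INJECT above makes it match every row.
    """
    sql = "SELECT email_user FROM aliases WHERE email_alias = '%s'" % rcpt
    row = db.execute(sql).fetchone()
    return row[0] if row else None
```

With the table above, bayes_user_for(db, "Sales@Example.org") resolves to benny@example.org, an unknown address yields None, and the INJECT string yields None from the parameterised query but a real user from unsafe_lookup, which is why whatever does this lookup (spamd or a patched simscan) must bind the recipient rather than splice it into the statement.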




Re: user_bayes_sql_custom_query ?

2006-12-08 Thread Theo Van Dinter
On Fri, Dec 08, 2006 at 07:39:42PM -0600, C. Bensend wrote:
 in between issue.  I'm using simscan, which passes the first email
 address to spamc, so for me it's a per-email-address limitation.
[...]
I would _love_ to have a bayes equivalent of
 user_score_sql_custom_query, where spamd would query a table
 consisting of something like so:
 
 email_alias  CHAR(64)
 email_user   CHAR(64)

Why not modify simscan to do this kind of lookup for you, and pass the
correct username to SA?

-- 
Randomly Selected Tagline:
Your computer hasn't been returning all the bits it gets from the
 Internet. - Today's BOFH Excuse


pgpktn2RvL33t.pgp
Description: PGP signature


Re: user_bayes_sql_custom_query ?

2006-12-08 Thread C. Bensend

 Why not modify simscan to do this kind of lookup for you, and pass the
 correct username to SA?

Yes, absolutely, that would be another solution to the issue.  :)

The reason I ask here is because SA already does almost exactly
this sort of lookup for userpref.  Maybe some of the code could be
reused, but maybe not...  I'm not a developer, and you'd weep
yourself to sleep for weeks on end if I tried to come up with a
patch.  ;)

If there's no interest/resources, no problem.  It would be nice to
have, though.  :)

Benny


-- 
The faster you finish the fight, the less shot you will get.
-- Marine Corps Rules for
   Gunfighting




Re: blacklist-uri.cf

2006-12-08 Thread Matt Kettler
LuKreme wrote:
 On 8-Dec-2006, at 16:11, Matt Kettler wrote:
 It uses an *ABSURD* amount of memory, and is 100% redundant with the WS
 list on surbl.org.

 The WS list? I don't think I'm setup for SURBL.  I'm running RDJ with
SURBL is part of the standard SA ruleset, nothing to do with RDJ..


 and with the following plugins/modules

 # grep -e ^load /usr/local/etc/mail/spamassassin/*.pre | awk {'print $2'}
 Mail::SpamAssassin::Plugin::URIDNSBL
You're set up for SURBL, including WS..


 so I guess SURBL is setup, but how do I feed it a specific list like WS?  
It's already in there as a part of the stock ruleset, URIBL_WS_SURBL is
the rule.
 And should I replace EvilNumbers and SARE_SPAMCOP with
 evilnumbers is completely unrelated. It detects phone numbers, not URI's.

SARE_SPAMCOP doesn't detect URIs either, it detects blacklisted.
However, you should get rid of it too as it's redundant with
RCVD_IN_BL_SPAMCOP_NET from the standard ruleset. This ruleset is only
useful for people who have DNS disabled entirely (ie: they use the
-L command line parameter to disable all network checks).

 be.surbl.or and sc.surbl.org respectively? 

be.surbl.org is *DEAD*. Its data was originally derived from bigevil.cf
(not evilnumbers), but it has been rolled into ws.surbl.org, along with
blacklist_uri.cf.


 Or just use multi.surbl.org and be?
Just use multi.surbl.org as the default SA ruleset has it; you don't
need to do anything else other than get rid of blacklist_uri, and I'd
recommend getting rid of the spamcop ruleset too.

 2) the idea of adding 100ms of latency for a DNS lookup has kept you
 form enabling the URIBL plugin.

 well, it looks like the PLUGIN is enabled, but I certainly am not
 seeing where to tell it what lists to use.
You don't need to tell it what lists to use because the rules are
already there; all you need to do is load the plugin and the rules
spring into action on their own.


 It looks like I have to build my own rules/cf files in order to enable
 these checks?
Nope.
 Are there pre-rolled cf files for the various SURBLs?
The 25_uribl.cf that comes with, and is automatically installed with,
SpamAssassin 3.0.0 and higher has all the SURBL lists in it.

If you're using sa-update you've probably also picked up rules for
uribl.com's URIBL's too. Otherwise, if you feel the need to add on, you
can get rules for their URIBL at the website on www.uribl.com.
uribl.com's URIBL_BLACK tends to have a higher hitrate than the surbl
lists, but is also slightly more prone to false positives in my experience.
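How the stock SURBL rules turn a URI into a DNS query and a DNS answer into rule hits, as an added example rather than SpamAssassin's own URIDNSBL plugin code: the registrable domain (or the reversed octets of an IP-literal host) is prefixed to multi.surbl.org, and the last octet of the 127.0.0.x answer is a bitmask with one bit per sub-list, which is why a single lookup covers WS, SC and the rest. The bit values are the ones SA 3.1's 25_uribl.cf wired up (assumption: SC=2, WS=4, PH=8, OB=16, AB=32, JP=64; SURBL has reassigned bits since), THREE_LEVEL is a tiny constructed subset of the public-suffix data SA uses, and FAKE_ZONE is a constructed stand-in for real DNS answers so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Bit values returned by multi.surbl.org per sub-list, as in SA 3.1's 25_uribl.cf
# ("urirhssub URIBL_WS_SURBL multi.surbl.org. A 4" and friends).  Assumption: these
# are the 2006-era assignments; current SURBL documentation differs.
SURBL_BITS = {2: "URIBL_SC_SURBL", 4: "URIBL_WS_SURBL", 8: "URIBL_PH_SURBL",
              16: "URIBL_OB_SURBL", 32: "URIBL_AB_SURBL", 64: "URIBL_JP_SURBL"}

# Two-level public suffixes under which the registrable name is three labels deep.
# Constructed subset; the real list SA carries is far longer.
THREE_LEVEL = {"co.uk", "org.uk", "com.au", "co.jp"}

# Constructed DNS answers standing in for real multi.surbl.org lookups.
FAKE_ZONE = {
    "spammer.example.multi.surbl.org": "127.0.0.6",   # 2 + 4: listed on SC and WS
    "phish.co.uk.multi.surbl.org": "127.0.0.8",       # PH only
}


def registrable_domain(host):
    """Strip a hostname down to the part a blacklist would list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THREE_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def surbl_query_name(url):
    """Build the DNS name to look up for one URI found in a message body."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    try:
        octets = str(ipaddress.IPv4Address(host)).split(".")
        key = ".".join(reversed(octets))            # IP-literal hosts are listed reversed
    except ipaddress.AddressValueError:
        key = registrable_domain(host)
    return key + ".multi.surbl.org"


def decode_surbl_answer(answer):
    """Turn a 127.0.0.x answer into the list of rule names whose bits are set."""
    last_octet = int(answer.rsplit(".", 1)[1])
    return sorted(name for bit, name in SURBL_BITS.items() if last_octet & bit)


def surbl_rules_hit(url, resolve=FAKE_ZONE.get):
    """Rules that would fire for this URI; `resolve` maps a query name to an A record."""
    answer = resolve(surbl_query_name(url))
    return decode_surbl_answer(answer) if answer else []
```

To use this against the real zone, pass a resolve callable that performs an A lookup and returns the address string or None; the rest is unchanged. The point for the thread: nothing per-list needs configuring, because one query name yields every list's bit at once and the shipped rules already decode them.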



RE: FP: RCVD_HELO_IP_MISMATCH?

2006-12-08 Thread Larry Rosenman
aubreyl wrote:
 Larry Rosenman wrote:
 Greetings,
I had the following headers:
[snip]
 This checks what the server initiating the SMTP connection to your
 server says it is, and what it's domain name resolves to. 
 
 Let's say that fakedomain.com resolves to 45.45.45.45
 
 then
 
 ~# telnet yourdomain.com 25
 Trying 123.123.123.123...
 Connected to yourdomain.com.
 Escape character is '^]'.
 220 mail.yourdomain.com ESMTP Sendmail 8.13.8/8.13.8; Fri, 8 Dec 2006
 19:30:05 -0600
 *helo fakedomain.com*
 250 mail.yourdomain.com *Hello 12-34-56-78.client.isp.com
 [12.34.56.78]*, pleased to meet you 
 
 
 during this interaction, it is obvious that the connection was made
 from 12-34-56-78.client.isp.com that has an IP of 12.34.56.78.  But
 since in the helo given, the server says that it is fakedomain.com.
 
 This is common for some small mail servers, like mine, who used to be
 able to stand behind a router with a different outgoing IP.  Now it
 has become common practice to void messages from such servers.  
 
 I'm not up to speed with all of the RFC's, but perhaps there's one in
 there for this?  Anyone know? 
 
 -=Aubrey=-

I'm very familiar with the HELO/Etc.  My concern is the high score 
And the fact that this message was legit, to a well-known mailing-list.



-- 
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 512-248-2683 E-Mail: ler@lerctr.org
US Mail: 430 Valona Loop, Round Rock, TX 78681-3893
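The HELO comparison aubreyl walks through, as an added illustration; this is not SpamAssassin's rule logic (which is more lenient, and which drives FORGED_RCVD_HELO and RCVD_HELO_IP_MISMATCH differently than this single function). It parses the "from HELO (rDNS [IP])" clause that Sendmail writes into Received:, then asks whether the connection backs up the HELO: an address-literal HELO must equal the peer address, and a name HELO must either resolve to the peer or equal its reverse DNS. DNS_A is a constructed forward-DNS table built from the values in the quoted telnet session, and the regex only knows the Sendmail layout shown there.

```python
import ipaddress
import re

# "from HELO (RDNS [IP])" as Sendmail writes it; RDNS is absent when the reverse lookup failed.
RECEIVED_RE = re.compile(
    r"^(?:Received:\s*)?from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE)

# Constructed forward-DNS table standing in for real A lookups (aubreyl's example values).
DNS_A = {
    "fakedomain.com": {"45.45.45.45"},
    "12-34-56-78.client.isp.com": {"12.34.56.78"},
}


def parse_received(header):
    """Return (helo, rdns_or_None, ip) from the first clause of a Received: header."""
    m = RECEIVED_RE.match(header.strip())
    if not m:
        raise ValueError("unrecognised Received: header layout")
    return m.group("helo"), m.group("rdns"), m.group("ip")


def helo_as_ip(helo):
    """The address if the HELO argument is a literal such as [1.2.3.4], else None."""
    try:
        return ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        return None


def check_helo(header, dns=DNS_A):
    """Compare what the client claimed in HELO with what the connection shows.

    Returns a list of findings: ["helo_ip_mismatch"] for an address literal that is
    not the peer, ["forged_helo"] for a name that neither resolves to the peer nor
    matches its reverse DNS, and [] when the claim checks out.
    """
    helo, rdns, ip = parse_received(header)
    peer = ipaddress.ip_address(ip)
    literal = helo_as_ip(helo)
    if literal is not None:
        return ["helo_ip_mismatch"] if literal != peer else []
    name = helo.lower().rstrip(".")
    resolves_to_peer = str(peer) in dns.get(name, set())
    equals_rdns = rdns is not None and name == rdns.lower().rstrip(".")
    return [] if (resolves_to_peer or equals_rdns) else ["forged_helo"]
```

Fed the session from the quoted post, "from fakedomain.com (12-34-56-78.client.isp.com [12.34.56.78])" comes back as forged_helo because fakedomain.com resolves to 45.45.45.45, not the peer. That is exactly the NAT case aubreyl describes: the HELO is honest about the host's identity but the connecting address belongs to the router, so a strict check like this one penalises it, which is why a production rule keeps the score low and why Larry's complaint is about weight rather than the hit itself.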



Re: user_bayes_sql_custom_query ?

2006-12-08 Thread Quinn Comendant
And as far as I understand it user aliases are only half the problem. On my 
simscan installation (simscan 1.2 from qmailtoaster.com) if an incoming 
message has multiple recipients, simscan doesn't know which one to use and the 
username that is passed to spamc is just the user simscan is running as 
(clamav). I think it was *designed* to run like this because simscan at SMTP 
transaction time keeps the connection open until scanning is complete. 
Theoretically, you could change simscan to execute spamc once for each 
recipient (resolving aliases too) but that would hold up the SMTP connection a 
long time if there are lots of recipients.

This design is a compromise between performance and configuration granularity. 

The only workable solutions I can think of are:

- Run spamassassin at the mail delivery level (maildrop).
- Run two instances of spamassassin: once via simscan (which blocks the bulk of 
spam) then again at the user level).

And a dirty idea that really goes against the whole idea of simscan:

- run two instances of qmail: one on port 25 receives mail, breaks messages 
apart into individual recipients and delivers each message one by one (the 
default qmail behavior, I think); then another qmail on port 2500 running 
simscan that receives mail from the first one. Actually, this doesn't solve the 
user aliases problem.

Anybody else have any other ideas?

Quinn


-
Strangecode :: Internet Consultancy
http://www.strangecode.com/



On Fri, 8 Dec 2006 19:39:42 -0600 (CST), C. Bensend wrote:
 
 Hey folks,
 
So, I've been giving this some thought in the last week, as I'm
 running into the old either site bayes or per-user bayes, nothing
 in between issue.  I'm using simscan, which passes the first email
 address to spamc, so for me it's a per-email-address limitation.
 
For a majority of my users, that's fine - they only have _one_
 email address.  For me, it's a problem, as I have dozens of email
 addresses that are delivered to me, and sorted via maildrop.  Many
 of these secondary addresses get tons of spam, but because they're
 delivered to aliases, SA never applies bayes scoring, because the
 user doesn't match the user my bayes database uses (using SQL,
 of course).
 
I would _love_ to have a bayes equivalent of
 user_score_sql_custom_query, where spamd would query a table
 consisting of something like so:
 
 email_alias  CHAR(64)
 email_user   CHAR(64)
 
 or something similar.  That way, I could populate it with data like:
 
 [EMAIL PROTECTED]   [EMAIL PROTECTED]
 [EMAIL PROTECTED]  [EMAIL PROTECTED]
 [EMAIL PROTECTED]  [EMAIL PROTECTED]
 [EMAIL PROTECTED] [EMAIL PROTECTED]
 [EMAIL PROTECTED][EMAIL PROTECTED]
 
 etc...
 
So, in this scenario, an email comes in destined to one of the
 many secondary email addresses.  spamd makes a query (SELECT
 email_user FROM aliases WHERE email_alias = '$user').  If spamd
 gets a hit, great, try to initialize the bayes database for that
 user.  If not, skip bayes and go on with life.
 
Just a thought.  It would certainly help me in my situation,
 but perhaps I'm just spending a little too much quality time with
 the crackpipe.
 
 Good idea?  Bad idea?  Dumb idea?
 
 Benny
 
 
 -- 
 The faster you finish the fight, the less shot you will get.
 -- Marine Corps Rules for
Gunfighting
 
 


efax spam being marked as -212 ???

2006-12-08 Thread David Morton

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I've been getting an occasional efax spam that registers -212...
I'm using SA 3.1.7 and SARE rules from openprotect:


/var/lib/spamassassin/3.001007/saupdates_openprotect_com/70_sare_whitelist.cf

/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist.cf
/usr/local/share/spamassassin/60_whitelist.cf

   3.500  BAYES_99               Bayesian spam probability is 99 to 100%
   0.135  FORGED_RCVD_HELO       Received: contains a forged HELO
   0.001  HTML_MESSAGE           HTML included in message
  -0.001  SPF_PASS               SPF: sender matches SPF record
  -1.204  AWL                    From: address is in the auto white-list
 -15.000  USER_IN_DEF_WHITELIST  From: address is in the default white-list
-100.000  USER_IN_WHITELIST      From: address is in the user's white-list
-100.000  USER_IN_SPF_WHITELIST  From: address is in the user's SPF whitelist

FROM:   eFax [EMAIL PROTECTED]
TO: [EMAIL PROTECTED]
SUBJECT:eFax from unknown - 1 page(s)


Doesn't this seem just a little bit extreme?  Or flat out WRONG?   :)


David Morton
Maia Mailguard http://www.maiamailguard.com
[EMAIL PROTECTED]



-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFFelmxUy30ODPkzl0RAmfrAJ9NqOr+L06Jyp/SE/oOdOrOiftlfgCfXIf9
B0A34cE/K9emDm4J1ZTIXAE=
=lL5N
-END PGP SIGNATURE-