Re: Image spam and Bayes problem
On Wed, Dec 13, 2006 at 08:55:26PM -0800, Gary W. Smith wrote: We were running RBL's at the postfix level but recently we have started seeing FP's on a couple of them so we disabled them for now (thus increasing flow from about 200k messages per server per day to about 300k+). Use policyd-weight instead.
Re: Filtering THIS list [OT]
Dhawal Doshy wrote: Make that 2 of us. I for one would like to filter out all mails/threads originated by perkel (yeah which would include this mail as well).. i *really* would like to filter this list for obvious reasons based on sender / thread originated by sender while continuing to receive other mails.. does ezmlm provide such a feature? A mail to [EMAIL PROTECTED] doesn't help at all. I use mailscanner with postfix, so any pointers in that direction would help as well. Of course this is OT and i really ought to send this request to the postfix list OR the mailscanner list, but who cares?? TIA, - dhawal
Problem with Botnet
I installed Botnet 0.6 with SA 3.1.7. It seems that it sees botnets where there aren't. Here it is an example: X-Spam-Status: No, score=5 required=8 tests=BAYES_00,BOTNET,BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,RCVD_IN_NJABL_DUL,RCVD_IN _SORBS_DUL Received: from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9]) by arwen.neomedia.it (8.13.7/8.13.7) with ESMTP id kBE8jqVf015060 for [EMAIL PROTECTED]; Thu, 14 Dec 2006 09:45:55 +0100 (CET) Received: from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it [80.104.198.189]) by galadriel.neomedia.it (8.13.7/8.13.7) with SMTP id kBE8jp10017336 for [EMAIL PROTECTED]; Thu, 14 Dec 2006 09:45:51 +0100 (CET) Message-ID: [EMAIL PROTECTED] From: X To: References: [EMAIL PROTECTED] Subject: XXX Date: Thu, 14 Dec 2006 09:53:31 +0100 MIME-Version: 1.0 Content-Type: multipart/report; report-type=disposition-notification; boundary==_NextPart_000_0021_01C71F65.B65AA420 X-Mailer: Microsoft Outlook Express 6.00.2800.1478 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1478 Maybe it looked at the second Received? Bye. -- ___ __ |- [EMAIL PROTECTED] |ederico Giannici http://www.neomedia.it ___
Re: Breaking up the Bot army - we need a plan
In article [EMAIL PROTECTED], John Rudd [EMAIL PROTECTED] writes I'm _highly_ skeptical that emailebay.com has anything to do with ebay.com. Registrant: eBay Inc. 2145 Hamilton Avenue San Jose, CA 95125 US Domain name: EMAILEBAY.COM Registrar of Record: TUCOWS, INC. Record last updated on 11-Sep-2006. Record expires on 04-May-2007. Record created on 04-May-2001. Domain servers in listed order: SJC-DNS2.EBAYDNS.COM 66.135.207.138 SMF-DNS1.EBAYDNS.COM 66.135.223.137 SJC-DNS1.EBAYDNS.COM 66.135.207.137 Now I've no idea what the chances of mail from eBay coming through there, but at first glance it looks plausible that it's an eBay owned/run domain. Kevin
Re: Problem with Botnet
Federico Giannici wrote: I installed Botnet 0.6 with SA 3.1.7. It seems that it sees botnets where there aren't. Here it is an example: X-Spam-Status: No, score=5 required=8 tests=BAYES_00,BOTNET,BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,RCVD_IN_NJABL_DUL,RCVD_IN _SORBS_DUL Received: from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9]) by arwen.neomedia.it (8.13.7/8.13.7) with ESMTP id kBE8jqVf015060 for [EMAIL PROTECTED]; Thu, 14 Dec 2006 09:45:55 +0100 (CET) Received: from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it [80.104.198.189]) by galadriel.neomedia.it (8.13.7/8.13.7) with SMTP id kBE8jp10017336 for [EMAIL PROTECTED]; Thu, 14 Dec 2006 09:45:51 +0100 (CET) Maybe it looked at the second Received? Is the first received a trusted IP addr?
Re: Problem with Botnet
John Rudd wrote: Federico Giannici wrote: I installed Botnet 0.6 with SA 3.1.7. It seems that it sees botnets where there aren't. Here it is an example: X-Spam-Status: No, score=5 required=8 tests=BAYES_00,BOTNET,BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,RCVD_IN_NJABL_DUL,RCVD_IN _SORBS_DUL Received: from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9]) by arwen.neomedia.it (8.13.7/8.13.7) with ESMTP id kBE8jqVf015060 for [EMAIL PROTECTED]; Thu, 14 Dec 2006 09:45:55 +0100 (CET) Received: from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it [80.104.198.189]) by galadriel.neomedia.it (8.13.7/8.13.7) with SMTP id kBE8jp10017336 for [EMAIL PROTECTED]; Thu, 14 Dec 2006 09:45:51 +0100 (CET) Maybe it looked at the second Received? Is the first received a trusted IP addr? Yes, it is. Thanks. -- ___ __ |- [EMAIL PROTECTED] |ederico Giannici http://www.neomedia.it ___
RE: Breaking up the Bot army - we need a plan
You didn't read what I actually said. I didn't say the domain didn't look right. I said the IP address registration didn't look right. nslookup ebay.com Name: ebay.com Address: 66.135.192.87 whois 66.135.192.87 OrgName:eBay, Inc OrgID: EBAY Address:2145 Hamilton Ave City: San Jose StateProv: CA PostalCode: 95008 Country:US NetRange: 66.135.192.0 - 66.135.223.255 CIDR: 66.135.192.0/19 NetName:EBAY-1 NetHandle: NET-66-135-192-0-1 Parent: NET-66-0-0-0-0 NetType:Direct Assignment NameServer: SJC-DNS1.EBAYDNS.COM NameServer: SJC-DNS2.EBAYDNS.COM NameServer: SMF-DNS1.EBAYDNS.COM Comment: RegDate:2001-07-13 Updated:2003-02-20 OrgTechHandle: EBAYN-ARIN OrgTechName: eBay Network OrgTechPhone: +1-408-376-7400 OrgTechEmail: [EMAIL PROTECTED] # ARIN WHOIS database, last updated 2006-12-13 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database. That part looks fine. Now, for emailebay.com: nslookup emailebay.com Name: emailebay.com Address: 216.33.156.118 whois 216.33.156.118 OrgName:Savvis OrgID: SAVVI-2 Address:3300 Regency Parkway City: Cary StateProv: NC PostalCode: 27511 Country:US ReferralServer: rwhois://rwhois.savvis.net:4321/ NetRange: 216.32.0.0 - 216.35.255.255 CIDR: 216.32.0.0/14 NetName:SAVVIS NetHandle: NET-216-32-0-0-1 Parent: NET-216-0-0-0-0 NetType:Direct Allocation NameServer: DNS01.SAVVIS.NET NameServer: DNS02.SAVVIS.NET NameServer: DNS03.SAVVIS.NET NameServer: DNS04.SAVVIS.NET Comment: RegDate:1998-07-30 Updated:2004-10-07 OrgAbuseHandle: ABUSE11-ARIN OrgAbuseName: Abuse OrgAbusePhone: +1-877-393-7878 OrgAbuseEmail: [EMAIL PROTECTED] OrgNOCHandle: NOC99-ARIN OrgNOCName: SAVVIS Support Center OrgNOCPhone: + 1-888-638-6771 OrgNOCEmail: [EMAIL PROTECTED] OrgTechHandle: UIAA-ARIN OrgTechName: US IP Address Administration OrgTechPhone: + 1-888-638-6771 OrgTechEmail: [EMAIL PROTECTED] # ARIN WHOIS database, last updated 2006-12-13 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database. Looks quite a bit different to me. 
Not really Do a dig -x 216.33.156.118 then do a dig -x 216.33.157.1 notice my simple change and see that it appears that it just hasn't been swip'd yet - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
Re: Problem with Botnet
Federico Giannici wrote: John Rudd wrote: Federico Giannici wrote: I installed Botnet 0.6 with SA 3.1.7. It seems that it sees botnets where there aren't. Here it is an example: X-Spam-Status: No, score=5 required=8 tests=BAYES_00,BOTNET,BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,RCVD_IN_NJABL_DUL,RCVD_IN _SORBS_DUL Received: from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9]) by arwen.neomedia.it (8.13.7/8.13.7) with ESMTP id kBE8jqVf015060 for [EMAIL PROTECTED]; Thu, 14 Dec 2006 09:45:55 +0100 (CET) Received: from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it [80.104.198.189]) by galadriel.neomedia.it (8.13.7/8.13.7) with SMTP id kBE8jp10017336 for [EMAIL PROTECTED]; Thu, 14 Dec 2006 09:45:51 +0100 (CET) Maybe it looked at the second Received? Is the first received a trusted IP addr? Yes, it is. Right now, Botnet doesn't look at the Trusted relays at all. It only looks at the untrusted relays. That's why it looked at the 2nd Received line instead of the 1st one. I'm considering a feature for the next Botnet version that is as follows: botnet_pass_trusted (any|public|private|none) with the following meanings: any) if there are _any_ Trusted relays, pass the message public) if any of the Trusted relays are public IPs, pass it private) if any of the Trusted relays are private IPs, pass it none) as now, don't even look at the Trusted relays, pass it Private IPs means the following IP address blocks: 127. 10. 172.(16-31). or 192.168. Public IPs means: any IP addresses that aren't private. And pass the message means don't trigger any of botnet's tests. The configuration value will default to public. (note: I don't know what SA does if the 5th or 6th relay down is a private/localhost relay ... because that's probably not local, but a private relay that someone else used ... but, does SA list them in the trusted relays if you had just happened to list 127. in your trusted networks? 
That's why I'm differentiating between any and public ... I included private just for completeness, I don't expect anyone is actually going to want to use it) (why would you want to set it to none? in case your scanning host isn't your front line host, such as if you have MX hosts you don't control, but do trust, you want Botnet to look past them when figuring out if this message came from a spambot. That's partially why I coded Botnet the way I did, but I've been considering that in most cases, you really want to know if the _immediate_ relay was a spambot, and if it came through a trusted relay, with a public IP address, anywhere along the line, then the immediate relay probably wasn't a spambot)
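The gating rule proposed in the message above, sketched in Python as an added example; it is not Botnet's own code (Botnet is a Perl plugin) and not code from any poster. Assumptions: the leading run of relays inside `trusted_networks` counts as trusted, `none` is read as "never skip", and the `195.103.207.9/32` entry and the localhost headers are constructed for illustration.

```python
"""Sketch of the proposed botnet_pass_trusted gate (added example, not Botnet's code)."""
import ipaddress
import re

# Private blocks exactly as listed in the post: 127. 10. 172.(16-31). 192.168.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MODES = ("any", "public", "private", "none")
DEFAULT_MODE = "public"  # the post says the option will default to public

# The two Received headers quoted in the thread, newest first (trimmed).
SAMPLE_HEADERS = [
    "from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9]) "
    "by arwen.neomedia.it (8.13.7/8.13.7) with ESMTP",
    "from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it "
    "[80.104.198.189]) by galadriel.neomedia.it (8.13.7/8.13.7) with SMTP",
]

# Constructed sample: a localhost hop in front of an untrusted sender.
LOCALHOST_HEADERS = [
    "from localhost (localhost [127.0.0.1]) by mx.example.org with ESMTP",
    "from pc (dsl-44.example.net [192.0.2.44]) by mx.example.org with SMTP",
]

# Matches the sendmail-style "from HELO (rdns [ip])" form seen in the thread.
RELAY_RE = re.compile(r"from\s+\S+\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)")


def parse_relays(received_headers):
    """Extract rDNS name and IP of each relay, keeping header order."""
    relays = []
    for header in received_headers:
        m = RELAY_RE.search(header)
        if m:
            relays.append({"rdns": m.group("rdns"),
                           "ip": ipaddress.ip_address(m.group("ip"))})
    return relays


def is_private(ip):
    """Private per the post's list; everything else counts as public."""
    return any(ip in block for block in PRIVATE_BLOCKS)


def split_trusted(relays, trusted_networks):
    """Assumption: trust is the leading run of relays inside trusted_networks;
    once one relay is untrusted, every older relay is untrusted too."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    for relay in relays:
        if not untrusted and any(relay["ip"] in n for n in nets):
            trusted.append(relay)
        else:
            untrusted.append(relay)
    return trusted, untrusted


def botnet_gate(received_headers, trusted_networks, mode=DEFAULT_MODE):
    """Return (skip, relay). skip=True: no Botnet test fires.
    Otherwise relay is the first untrusted relay, the one Botnet would test."""
    if mode not in MODES:
        raise ValueError("unknown botnet_pass_trusted value: %r" % mode)
    trusted, untrusted = split_trusted(parse_relays(received_headers),
                                       trusted_networks)
    if mode == "any":
        skip = bool(trusted)
    elif mode == "public":
        skip = any(not is_private(r["ip"]) for r in trusted)
    elif mode == "private":
        skip = any(is_private(r["ip"]) for r in trusted)
    else:  # "none": current behaviour, trusted relays are ignored
        skip = False
    if skip or not untrusted:
        return skip, None
    return False, untrusted[0]


if __name__ == "__main__":
    for mode in MODES:
        skip, relay = botnet_gate(SAMPLE_HEADERS, ["195.103.207.9/32"], mode)
        target = "-" if relay is None else "%s [%s]" % (relay["rdns"], relay["ip"])
        print("%-8s skip=%-5s tested relay: %s" % (mode, skip, target))
```

With the thread's headers, `none` reproduces the reported behaviour (the Telecom Italia client is the relay tested), while `public` skips the tests because the trusted relay has a public address.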
Re: Breaking up the Bot army - we need a plan
R Lists06 wrote: Looks quite a bit different to me. Not really Do a dig -x 216.33.156.118 then do a dig -x 216.33.157.1 notice my simple change and see that it appears that it just hasn't been swip'd yet I'm not sure what your point is. Yes, the latter tells you that the PTR record points to an ebay.com hostname. Which is somewhat better, but doesn't really mean anything about ownership, especially since that ebay.com hostname doesn't resolve. But the whois for 216.33.156.118, 216.33.156.1, 216.33.157.1 is all savvis.net. The ownership is still completely different than the ownership of the address blocks for ebay.com. That doesn't necessarily mean it's bad... it just isn't ... the same. Which leaves me rather skeptical.
Re: Problem with Botnet
John Rudd wrote: Federico Giannici wrote: John Rudd wrote: Federico Giannici wrote: I installed Botnet 0.6 with SA 3.1.7. It seems that it sees botnets where there aren't. Here it is an example: X-Spam-Status: No, score=5 required=8 tests=BAYES_00,BOTNET,BOTNET_CLIENT,BOTNET_CLIENTWORDS,BOTNET_IPINHOSTNAME,RCVD_IN_NJABL_DUL,RCVD_IN _SORBS_DUL Received: from galadriel.neomedia.it (galadriel.neomedia.it [195.103.207.9]) by arwen.neomedia.it (8.13.7/8.13.7) with ESMTP id kBE8jqVf015060 for [EMAIL PROTECTED]; Thu, 14 Dec 2006 09:45:55 +0100 (CET) Received: from Giuseppe (host189-198-static.104-80-b.business.telecomitalia.it [80.104.198.189]) by galadriel.neomedia.it (8.13.7/8.13.7) with SMTP id kBE8jp10017336 for [EMAIL PROTECTED]; Thu, 14 Dec 2006 09:45:51 +0100 (CET) Maybe it looked at the second Received? Is the first received a trusted IP addr? Yes, it is. Right now, Botnet doesn't look at the Trusted relays at all. It only looks at the untrusted relays. That's why it looked at the 2nd Received line instead of the 1st one. I'm considering a feature for the next Botnet version that is as follows: botnet_pass_trusted (any|public|private|none) with the following meanings: any) if there are _any_ Trusted relays, pass the message public) if any of the Trusted relays are public IPs, pass it private) if any of the Trusted relays are private IPs, pass it none) as now, don't even look at the Trusted relays, pass it Private IPs means the following IP address blocks: 127. 10. 172.(16-31). or 192.168. Public IPs means: any IP addresses that aren't private. And pass the message means don't trigger any of botnet's tests. The configuration value will default to public. (note: I don't know what SA does if the 5th or 6th relay down is a private/localhost relay ... because that's probably not local, but a private relay that someone else used ... but, does SA list them in the trusted relays if you had just happened to list 127. in your trusted networks? 
That's why I'm differentiating between any and public ... I included private just for completeness, I don't expect anyone is actually going to want to use it) (why would you want to set it to none? in case your scanning host isn't your front line host, such as if you have MX hosts you don't control, but do trust, you want Botnet to look past them when figuring out if this message came from a spambot. That's partially why I coded Botnet the way I did, but I've been considering that in most cases, you really want to know if the _immediate_ relay was a spambot, and if it came through a trusted relay, with a public IP address, anywhere along the line, then the immediate relay probably wasn't a spambot) I agree with this last sentence. Currently the Botnet is completely USELESS for me, I really need to actually TRUST the trusted relays! Eagerly waiting for the next release... ;-) Thanks. -- ___ __ |- [EMAIL PROTECTED] |ederico Giannici http://www.neomedia.it ___
Re: Breaking up the Bot army - we need a plan
Someone, quite probably John Rudd, once wrote: Kevin Golding wrote: In article [EMAIL PROTECTED], John Rudd [EMAIL PROTECTED] writes I'm _highly_ skeptical that emailebay.com has anything to do with ebay.com. Registrant: eBay Inc. 2145 Hamilton Avenue San Jose, CA 95125 US Domain name: EMAILEBAY.COM Registrar of Record: TUCOWS, INC. Record last updated on 11-Sep-2006. Record expires on 04-May-2007. Record created on 04-May-2001. Domain servers in listed order: SJC-DNS2.EBAYDNS.COM 66.135.207.138 SMF-DNS1.EBAYDNS.COM 66.135.223.137 SJC-DNS1.EBAYDNS.COM 66.135.207.137 Now I've no idea what the chances of mail from eBay coming through there, but at first glance it looks plausible that it's an eBay owned/run domain. You didn't read what I actually said. Well I'll admit I'm only skimming the rehashed arguments of SPF going on elsewhere but I think I'm missing your objection to the domain or something. I didn't say the domain didn't look right. I said the IP address registration didn't look right. Check. nslookup ebay.com Name: ebay.com Address: 66.135.192.87 whois 66.135.192.87 OrgName:eBay, Inc OrgID: EBAY Address:2145 Hamilton Ave Check. And I note: NameServer: SJC-DNS1.EBAYDNS.COM NameServer: SJC-DNS2.EBAYDNS.COM NameServer: SMF-DNS1.EBAYDNS.COM nslookup emailebay.com Name: emailebay.com Address: 216.33.156.118 whois 216.33.156.118 OrgName:Savvis OrgID: SAVVI-2 Check. Looks quite a bit different to me. Agreed, but if we go back to the whois for emailebay.com: SJC-DNS2.EBAYDNS.COM 66.135.207.138 SMF-DNS1.EBAYDNS.COM 66.135.223.137 SJC-DNS1.EBAYDNS.COM 66.135.207.137 Now I kind of figure that if eBay's nameservers are pointing the domain to that IP it doesn't really matter who the registered owner of the IP is. Now given Savvis turned up within the past week or so as a screwed up mail server for EasyJet I'm happy to believe that they're a completely legitimate delegated server for sending mail for eBay. 
In other words, yes - the IP is registered to Savvis not eBay and that doesn't seem ideal/completely standard for eBay, but given the companies involved and the rest of the DNS entries I don't really understand why you say you're _highly_ skeptical that emailebay.com has anything to do with ebay.com. I can understand being highly sceptical that they send mail of any value for eBay, but they appear to have some kind of legit relationship from my quick checks. Kevin
Upgraded SA, nothing works
Hi, First, let me explain my situation in a bit more detail. I got the task to manage a server, which is in chaotic state. It had several owners in the past, none of them took care of it too well. Now, they had trouble with the spam amount lately, and after i checked the SA version, it turned out to be an ancient one. I did install the new one via the perl MCPAN method (had to install digest:sha1 too). checking with spamassassin --version shows the correct, new version number. I'm not sure this was the proper way of upgrading from the previous version, although after doing an sa-learn -sync, it says everything is working (with -D option). Now, here is the funny stuff: SA is being called by amavisd-new. I'm not too familiar with amavisd, and to tell you the truth i didn't find where to specify the spamassassin binary location. I suppose it uses the path variable. Anyway, after i restarted amavisd and postfix, the mail delivery stopped working. To be more precise the logs said that postfix DID receive in fact the mails, and it put in queue, but it wasn't able to deliver them to the mboxes. This is what i found in the log, for a test message i sent: Dec 14 10:22:12 zeusz postfix/smtpd[18654]: 268B5888661: client=removed[x.x.x.x] Dec 14 10:22:12 zeusz postfix/cleanup[18634]: 268B5888661: message-id=[EMAIL PROTECTED] Dec 14 10:22:12 zeusz postfix/qmgr[18602]: 268B5888661: from=[EMAIL PROTECTED], size=1309, nrcpt=1 (queue active) Dec 14 10:29:55 zeusz postfix/qmgr[18602]: 268B5888661: to=[EMAIL PROTECTED], relay=none, delay=463, status=deferred (connect to localhost[127.0.0.1]: Connection refused) I don't know what could be the problem, but after uncommenting the following line in amavis: @bypass_spam_checks_acl = qw( . ); # uncomment to DISABLE anti-spam code and restarting it the message(s) got delivered without a problem (of course, spam filtering did not occur ...) Any ideas what could be the problem? Or at least where to look..? Thanks, Thomas.
RE: FuzzyOCR Plugin question
-Original Message- From: news [mailto:[EMAIL PROTECTED] On Behalf Of René Berber Sent: Thursday, December 14, 2006 1:06 AM To: users@spamassassin.apache.org Subject: Re: FuzzyOCR Plugin question Evan Platt wrote: I hope someone here can help, I've looked at the FuzzyOCR wiki and can't seem to find an answer.. Is there a way to feed a GIF to FuzzyOCR and 'see' the output ? Not quite - but you can go through some of the process manually - have a read here (especially step 10): https://secure.renaissoft.com/maia/wiki/FuzzyOCR23
Meta GENERATOR tag
Hi there. What is this: META content=3DMSHTML 6.00.2900.2995 name=3DGENERATOR I have been putting a score of 10 on this, because it seemed never to be in non-spam. It catches a LOT of spam that otherwise would slip under the radar. However, I've seen a few non-spams now that have this. It seems to happen when people send a message with both plain text and HTML from Outlook. Is that particularly common? I don't have many correspondents that do that. Regards, K. -- ~~~ Karl Auer ([EMAIL PROTECTED]) +61-2-64957160 (h) http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
Re: SpamdForkScaling messages?
snowcrash+spamassassin writes: i have spamassassin --version SpamAssassin version 3.1.8-r454679 running on Perl version 5.8.8 in my debug-level spamd log i see frequently repeating instances of, Wed Dec 13 18:36:13 2006 [923] dbg: prefork: periodic ping from spamd parent Wed Dec 13 18:36:13 2006 [923] dbg: prefork: sysread(9) not ready, wait max 300 secs Wed Dec 13 18:36:13 2006 [923] dbg: prefork: periodic ping from spamd parent Wed Dec 13 18:36:13 2006 [923] dbg: prefork: sysread(9) not ready, wait max 300 secs ... grep'ing in src, i note that these errors originate in, SpamdForkScaling.pm afaict, there's no, manpage available for Mail::SpamAssassin::SpamdForkScaling searching on the website, i find links to the .pm src. both TITLE FULLTEXT searches on the wiki come up empty. what is SpamdForkScaling? are there docs? are these not ready messages a problem? if so, what do i do about them? They're debug messages -- not a problem at all. --j.
RE: backup for bayesian DB
-Original Message- From: Leon Kolchinsky [mailto:[EMAIL PROTECTED] Sent: Thursday, December 14, 2006 3:05 AM To: Michael Scheidell; users@spamassassin.apache.org Subject: RE: backup for Bayesian DB No takers for the above questions? Make a fish walk for a mile in the woods and feed him forever. Translation: basic computer 101. you need to figure this out from the FAQ's and make your own decisions as to what you want to accomplish or you will need to ask basic questions forever.
Re: Problems installing 3.1.7 - no update for the binaries
Steve Sanders wrote: On 14/12/06 1:51 PM, Albert E. Whale [EMAIL PROTECTED] wrote: The Target system is Mandriva 2007. Running Perl 5.8.8. I have been using SpamAssassin for quite a while. Today I encountered issues installing version 3.1.7. As strange as it is, it starts with the installation of the following CPAN Module: perl -MCPAN -e 'install ExtUtils::MakeMaker' Can't locate object method install via package ExtUtils::MakeMaker at -e line 1. Running the CPAN Shell ( perl -MCPAN -e shell) and then issuing the install command resolves this issue. The second problem is the make install command inside the source directory. /Mail-SpamAssassin-3.1.7] make install Writing /usr/lib/perl5/site_perl/5.8.8/i386-linux/auto/Mail/SpamAssassin/.packlist Appending installation info to /usr/lib/perl5/5.8.8/i386-linux/perllocal.pod /usr/bin/perl5.8.8 -MExtUtils::Command -e mkpath /etc/mail/spamassassin /usr/bin/perl5.8.8 -MFile::Copy -e copy(q{rules/local.cf}, q{/etc/mail/spamassassin/local.cf}) unless -f q{/etc/mail/spamassassin/local.cf} /usr/bin/perl5.8.8 -MFile::Copy -e copy(q{rules/init.pre}, q{/etc/mail/spamassassin/init.pre}) unless -f q{/etc/mail/spamassassin/init.pre} /usr/bin/perl5.8.8 -MFile::Copy -e copy(q{rules/v310.pre}, q{/etc/mail/spamassassin/v310.pre}) unless -f q{/etc/mail/spamassassin/v310.pre} /usr/bin/perl5.8.8 -MFile::Copy -e copy(q{rules/v312.pre}, q{/etc/mail/spamassassin/v312.pre}) unless -f q{/etc/mail/spamassassin/v312.pre} /usr/bin/perl5.8.8 -MExtUtils::Command -e mkpath /usr/share/spamassassin /usr/bin/perl5.8.8 -e map unlink, /usr/share/spamassassin/* /usr/bin/perl5.8.8 build/preprocessor -Mvars -DVERSION=3.001007 -DPREFIX=/usr -DDEF_RULES_DIR=/usr/share/spamassassin -DLOCAL_RULES_DIR=/etc/mail/spamassassin -DLOCAL_STATE_DIR=/var/lib/spamassassin -DINSTALLSITELIB=/usr/lib/perl5/site_perl/5.8.8 -DCONTACT_ADDRESS=the administrator of that system -m644 -Irules -O/usr/share/spamassassin 10_misc.cf 20_advance_fee.cf 20_anti_ratware.cf 20_body_tests.cf 
20_compensate.cf 20_dnsbl_tests.cf 20_drugs.cf 20_fake_helo_tests.cf 20_head_tests.cf 20_html_tests.cf 20_meta_tests.cf 20_net_tests.cf 20_phrases.cf 20_porn.cf 20_ratware.cf 20_uri_tests.cf 23_bayes.cf 25_accessdb.cf 25_antivirus.cf 25_body_tests_es.cf 25_body_tests_pl.cf 25_dcc.cf 25_dkim.cf 25_domainkeys.cf 25_hashcash.cf 25_pyzor.cf 25_razor2.cf 25_replace.cf 25_spf.cf 25_textcat.cf 25_uribl.cf 30_text_de.cf 30_text_fr.cf 30_text_it.cf 30_text_nl.cf 30_text_pl.cf 30_text_pt_br.cf 50_scores.cf 60_awl.cf 60_whitelist.cf 60_whitelist_dk.cf 60_whitelist_dkim.cf 60_whitelist_spf.cf 60_whitelist_subject.cf user_prefs.template triplets.txt languages sa-update-pubkey.txt chmod 755 /usr/share/spamassassin However, the binaries do not get updated. Any suggestions? Are you running make install as the super user? Steve Yes, is this a problem now? I read nothing in the INSTALL Guide. -- Albert E. Whale, CHS CISA CISSP Sr. Security, Network, Risk Assessment and Systems Consultant --- ABS Computer Technology, Inc. - www.ABS-CompTech.com
Re: Meta GENERATOR tag
Karl Auer writes: Hi there. What is this: META content=3DMSHTML 6.00.2900.2995 name=3DGENERATOR I have been putting a score of 10 on this, because it seemed never to be in non-spam. It catches a LOT of spam that otherwise would slip under the radar. However, I've seen a few non-spams now that have this. It seems to happen when people send a message with both plain text and HTML from Outlook. Is that particularly common? I don't have many correspondents that do that. interesting -- I have no FPs for that. nice ;) I've put it in for testing -- if anyone spots an FP, I'd like a copy if possible... --j.
trusted_networks why /16 network
My organization is allocated a /19 network by apnic. My trusted mail servers (mx, smtp and delivery) all fall under a single /24 that i could set manually using the trusted_network setting but i'd prefer it to be automated out-of-the-box. From Mail::SpamAssassin::Conf if the 'from' IP address is on the same /16 network as the top Received line's 'by' host, it's trusted Why does SA default to a /16 network and why not a /24 to be safer? OR am i missing something? - dhawal
RE: SPF is hopelessly broken and must die!
Why was this topic not started on the SPF list? Was the original poster of this topic looking to get MORE attention on the SpamAssassin list? I was wondering the same thing. This list was once useful for people maintaining SA installations but now at least half the traffic is useless. Jeff Moss
Re: Problems installing 3.1.7 - no update for the binaries
Albert E. Whale wrote: Yes, is this a problem now? I read nothing in the INSTALL Guide. OK, I found the Binaries in a different directory than I originally expected. Can I configure the perl Makefile.PL to change the installation directory from /usr/local/bin to another directory? -- Albert E. Whale, CHS CISA CISSP Sr. Security, Network, Risk Assessment and Systems Consultant --- ABS Computer Technology, Inc. - www.ABS-CompTech.com SPAM Zapper - No-JunkMail.com - Spam-Zapper.com - SPAM Stops Here.
repost: moving/adding bayes info to global DB
Hi there. Just reposting a question to which I have as yet received no answer, in the hope that someone can assist... Regards, K. ~~~ Forwarded Message ~~~ From: Karl Auer [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: users@spamassassin.apache.org Subject: moving/adding bayes info to global DB Date: Sun, 10 Dec 2006 09:12:17 +1100 Hi there. For some time now, I have been busily accumulating bayes data by running sa-learn on various collections of emails. As myself, so I now have a nice big chunk o'data in ~/.spamassassin. Since I am a newbie to SA, I didn't realise what was happening for some time. I actually wanted that data to be used globally, for all mails that spamassassin checks. Is there some simple way to do this? I no longer have the email that I used to train spamassassin, just ~/.spamassassin/bayes_seen and ~/.spamassassin/bayes_toks. Regards, K. -- ~~~ Karl Auer ([EMAIL PROTECTED]) +61-2-64957160 (h) http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
Re: repost: moving/adding bayes info to global DB
On 15 Dec 2006 at 1:21, Karl Auer wrote: Hi there. Just reposting a question to which I have as yet received no answer, in the hope that someone can assist... Regards, K. Hi, I think the best way to do this would be to export the data from your existing bayes and then import it into the one you want.
sa-learn --dbpath path_to_old_bayes --backup > sa_bayes_backup.txt
sa-learn --dbpath path_to_new_bayes --restore sa_bayes_backup.txt
watch out for the path to each command, I've got the feeling that if your bayes are like this: /root/bayes_seen /root/bayes_tokens ... then the path will be /root/bayes , but I'm not completely sure. Maybe someone else can jump in at this point... Anyway, for more info on the sa-learn command use 'man sa-learn' Regards Ian
installing URIDNSBL
Hey all I am trying to get URIDNSBL. But I think that I have some more problems than just that. When I run spamassassin -D --lint I get the following output with 8 errors. This is all Greek to me can someone shed some light on this for me. Thanks in advance, Q
RE: repost: moving/adding bayes info to global DB
From: Karl Auer [mailto:[EMAIL PROTECTED]

For some time now, I have been busily accumulating bayes data by running sa-learn on various collections of emails. As myself, so I now have a nice big chunk o'data in ~/.spamassassin. Since I am a newbie to SA, I didn't realise what was happening for some time. I actually wanted that data to be used globally, for all mails that spamassassin checks.

Since you are using per-user databases, there is no easy way to make that corpus available to every other SA user in your system. You may use sa-learn --backup and --restore facilities to copy all that knowledge to someone else's account, but this would wipe the previous contents of the destination bayes db, which may be less than optimal.

Due to how the bayes db is designed, you can't even stack up the information it contains in a multi-layered way, like, for example, by having a server-wide db and a per-user db which are inspected and updated in parallel: there is actually no way to merge data coming from multiple dbs as well as there is no way to update it.

If you believe that each user gets more or less the same kind of e-mails (like, for example, when running a small-business MX), then you may think to switch to a per-system bayes db and preload that single db with the content of your own bayes.

giampaolo

Is there some simple way to do this? I no longer have the email that I used to train spamassassin, just ~/.spamassassin/bayes_seen and ~/.spamassassin/bayes_toks.

Regards, K.

--
~~~ Karl Auer ([EMAIL PROTECTED]) +61-2-64957160 (h) http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
RE: Good source for IP addresses by country
I was not looking to block any mail from any Country, I just want to increase the score when it is not from the US

Giampaolo Tomassoni wrote:

From: Ken A [mailto:[EMAIL PROTECTED]

Just add 10 to a test that matches everything, then subtract 10 for being in the U.S.

Yeah. And keep 10 for canada, mexico and south america... You're beginning to speak alone, isn't it?

Well, the way I look at it, if you are going to do one really dumb thing (block all mail from outside the US IP space) then you might as well do another one, and set up your rules so that you'll block everything if your DNS fails. :-)

Right. Even spamming back the last received spam to, say, 10 foreign mailboxes randomly taken from the ones uselessly attempting to connect could be fine. ;-)

g

Ken A
Pacific.Net

giampaolo

Ken A.
Pacific.Net

Robert Swan wrote:

Let's say I wanted to score everything but the US. Do I have to write a rule for every country or is there an easier way?

Robert

header RCVD_IN_NERDS eval:check_rbl('nerds','zz.countries.nerd.dk.')
describe RCVD_IN_NERDS Received from a spam country
tflags RCVD_IN_NERDS net

header RCVD_IN_NERDS_CN eval:check_rbl_sub('nerds','127.0.0.156')
describe RCVD_IN_NERDS_CN Received from China
tflags RCVD_IN_NERDS_CN net
score RCVD_IN_NERDS_CN 1.0

header RCVD_IN_NERDS_KR eval:check_rbl_sub('nerds','127.0.0.154')
describe RCVD_IN_NERDS_KR Received from Rep. of Korea
tflags RCVD_IN_NERDS_KR net
score RCVD_IN_NERDS_KR 1.0
Re: SPF is hopelessly broken and must die!
Matt Kettler wrote:

Marc Perkel wrote:

From openspf.org http://old.openspf.org/aspen.html

Marc, this link is not describing SPF as an anti-spam technology. It's describing how SPF can be coupled with an accreditation service to create an anti-spam technology.

It was marketed as anti-spam. Now they are hiding from that because it's useless in fighting spam.

Nobody's saying SPF has no use in anti-spam, it has some uses when combined with the right tools. However, fundamentally, SPF by itself is not an anti-spam technology. Any spam control resulting from using SPF by itself is purely due to careless and/or clueless spammers who could easily avoid being blocked by SPF.

I'm saying it has no use in anti-spam because you have to give up email forwarding to make it work.

SPF is useful for:

1) Forgery control - most notably in social engineering attacks, phishing and viruses.

Not really - because it treats forwarded emails that come from servers that don't use SRS (normal forwards) as forgeries.

2) Whitelisting - Using SPF to verify the proper servers for an otherwise domain-based whitelist is a potent tool for domains you trust. Compared with simple from-domain based whitelisting it resists forgery. Compared to from-domain + IP or RDNS domain SPF whitelisting allows your whitelist to automatically adapt to changes in their networks, while still offering equal forgery resistance.

Since spammers can just as easily use SPF on their domains they can whitelist themselves if you use SPF for whitelisting.

3) Squashing purely stupid spammers. They can easily avoid it, but some spammers can't help themselves. (Just like the ones who keep using your own servername as a HELO. This is trivial to filter on, trivial to modify a spam tool to avoid the filter, yet so many spammers still do it.)

That has nothing to do with SPF. I'm doing that now with a simple Exim rule.

SPF may be useful in spam control, but it's not a particularly powerful anti-spam tool, nor is spam control SPF's best feature/application.

I'm still waiting for anyone to describe any use for SPF that doesn't create false positives on normal email forwarding or allow spammers to whitelist themselves by using correct SPF to send spams.

Unfortunately, many proponents of SPF like to hawk #3 like it's the primary point of SPF. Personally I view this as over-hyping the technology in an attempt to gain press and improve adoption. (And before you jump on them for such things, at least be self-aware enough to realize you're one of the strongest over-sensationalists on the entire Internet that is not employed by Microsoft, SCO, or a spammer. Over-sensationalizing isn't always a bad thing, sometimes it is a means to an end. Sometimes your bold over-hype is a catalyst for discussion that results in useful ideas. Their over-hype might get folks to adopt a useful technology, even if they end up later discovering it's more useful for other things.)

But SPF is not a means to an end. It was a worthy attempt but it failed. The basic concept is flawed because it relies on the whole world adopting SRS to be at least not broken and even then it doesn't really do anything significant. And the reality is that the world is not going to implement SRS for the marginal benefits of SPF.

What we need is a new technology that is compatible with existing systems that actually works. SPF is sucking up attention when what they should do is admit failure. Put the idea to death, and move on to something that actually works. I've had a lot of ideas in the past that have gone nowhere and when I figure out that I'm on the wrong track I give it up and try something else.

SPF was a good attempt. I spent a lot of time fooling with it to come up with anything that would be at least marginally useful and it's just an idea that's not going anywhere. It's being kept alive artificially. They themselves know that it's broken because they are now running away from the spam solution label the way Bush is running away from mission accomplished. I say it's time to pull the feeding tube and let SPF die. It was a noble cause but it just plain doesn't work and it's time to move on to something that does.
Undefined dependancy's using Openprotect
Hi All,

Spamassassin 3.1.4-1

I currently have openprotect set up to update my rules with sa-update (http://saupdates.openprotect.com/). After a recent update, I am now receiving undefined dependency issues when I restart spamassassin, as follows:

Dec 14 15:04:37 hopnet spamd[18571]: logger: removing stderr method
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test __SARE_HEAD_FALSE has undefined dependency '__FROM_AOL_COM'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test __SARE_HEAD_FALSE has undefined dependency '__FROM_AOL_COM'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test SARE_BOUNDARY_D12 has undefined dependency 'MIME_BOUND_DIGITS_15'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test SARE_CIT_BLOCKER has undefined dependency 'USER_IN_WHITELIST'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test SARE_SUN_BLOCKER has undefined dependency 'USER_IN_WHITELIST'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test SARE_SUB_INET_PHARM has undefined dependency 'ONLINE_PHARMACY'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test SARE_HTML_MANY_BR05 has undefined dependency 'HTML_MESSAGE'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_04'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_08'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_12'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_16'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_20'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_24'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test __IMG_ONLY has undefined dependency 'HTML_IMAGE_ONLY_28'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_XMAIL_SUSP2'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'SARE_HEAD_XAUTH_WARN'
Dec 14 15:04:40 hopnet spamd[18573]: rules: meta test SARE_HEAD_SUBJ_RAND has undefined dependency 'X_AUTH_WARN_FAKED'
Dec 14 15:04:41 hopnet spamd[18573]: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_MKSHRT'
Dec 14 15:04:41 hopnet spamd[18573]: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_GT'
Dec 14 15:04:41 hopnet spamd[18573]: rules: meta test SARE_RD_SAFE has undefined dependency 'SARE_RD_SAFE_TINY'
Dec 14 15:04:41 hopnet spamd[18573]: rules: meta test SARE_FPP_BLOCKER has undefined dependency 'USER_IN_WHITELIST'
Dec 14 15:04:41 hopnet spamd[18573]: rules: meta test __SARE_SUB_FALSE has undefined dependency '__FROM_AOL_COM'
Dec 14 15:04:41 hopnet spamd[18573]: rules: meta test __SARE_SUB_FALSE has undefined dependency '__FROM_AOL_COM'
Dec 14 15:04:41 hopnet spamd[18573]: rules: meta test SARE_FEB_BLOCKER has undefined dependency 'USER_IN_WHITELIST'
Dec 14 15:04:41 hopnet spamd[18573]: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
Dec 14 15:04:41 hopnet spamd[18573]: rules: meta test LW_STOCK_SPAM4 has undefined dependency 'MIME_BASE64_TEXT'
Dec 14 15:04:41 hopnet spamd[18573]: spamd: server started on port 783/tcp (running version 3.1.4)

I would be thankful if someone could tell me why I am getting this, and if possible how to fix them? Also, could this be why my whitelist_from and whitelist_from_rcvd entries are not working?

Thanks in advance for your help,
Mark
Re: SPF is hopelessly broken and must die!
Marc Perkel [EMAIL PROTECTED] 12/14/06 09:06AM

It's being kept alive artificially. They themselves know that it's broken because they are now running away from the spam solution label the way Bush is running away from mission accomplished. I say it's time to pull the feeding tube and let SPF die. It was a noble cause but it just plain doesn't work and it's time to move on to something that does.

===

Kinda like this thread. Let it die, please. Use a blog Marc, or update your websites.

Met you, Marc, once, many moons ago. I don't agree with you, but at least you don't hold stuff back.

R
RE: repost: moving/adding bayes info to global DB
On Thu, 2006-12-14 at 15:47 +0100, Giampaolo Tomassoni wrote:

If you believe that each user gets more or less the same kind of e-mails (like, for example, when running a small-business MX), then you may think to switch to a per-system bayes db and preload that single db with the content of your own bayes.

Ok - how do I tell sa-learn to update the system database rather than the DB under my home directory? I've read the sa-learn man page, and there doesn't seem to be any appropriate switch.

One way (reading the man page for Mail::SpamAssassin::Conf) would be to simply point the global SA bayes_path to my own ~/.spamassassin directory... Or I could create a special user, always run sa-learn as that user, and point bayes_path to that user's .spamassassin directory (after pre-loading the DB as you suggest). Is there a Right Way?

The bayes stuff still seems to be used even when allow_user_rules is false. On the other hand, bayes_path is one of the items that (according to man Mail::SpamAssassin::Conf) cannot be set within a user_prefs file. Which seems to mean that the bayes DB location ~/.spamassassin is effectively hardcoded and immutable :-(

Regards, K.

--
~~~ Karl Auer ([EMAIL PROTECTED]) +61-2-64957160 (h) http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
BODY rule fails with double-spaced text
The doc for BODY rules says All HTML tags and line breaks will be removed before matching. I was also told on this list that multiple whitespace was compressed to single space characters. So if I have text like this:

xyzzy abcde

and the following rules:

body T_LMRTESTB1 /xyzzy abcde/
body T_LMRTESTB2 /xyzzy\s{1,4}abcde/

then both rules will match. However, if the text is double-spaced like this:

xyzzy abcde

then *neither* rule will match, even though I would have expected them both to still match. Is this a designed feature or a bug?
Re: installing URIDNSBL
Kyle Quillen wrote:

Hey all I am trying to get URIDNSBL. But I think that I have some more problems than just that. When I run spamassassin -D --lint I get the following output with 8 errors. This is all Greek to me; can someone shed some light on this for me? Thanks in advance, Q

snip

[5031] warn: config: SpamAssassin failed to parse line, groups.yahoo.com is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd groups.yahoo.com
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] com is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd [EMAIL PROTECTED] urns.groups.yahoo.com
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] et is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd vintag [EMAIL PROTECTED]
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] m is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd jpgraha [EMAIL PROTECTED]
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd [EMAIL PROTECTED] fi7.com
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd DeloresRabe [EMAIL PROTECTED]
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd dlrcsrvc @berninausa.com
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd dlrtechq @berninausa.com

Looks like your whitelist_from_rcvd statements are invalid. whitelist_from_rcvd requires TWO parameters. Not one. You need a from address, which you have, and a partial (or complete) server name from a Received: header, which you are missing.

ie:

whitelist_from_rcvd [EMAIL PROTECTED] xan.evi-inc.com

where xan is the outbound mailserver for evi-inc.com. Usually you can just make it simpler and just do things like:

whitelist_from_rcvd [EMAIL PROTECTED] evi-inc.com

Which is less specific, but will at least make sure the server delivering the mail has a hostname in evi-inc.com.

Also, in the future, try spamassassin --lint first, before trying spamassassin --lint -D. Unless you're dealing with a really odd problem, the -D will just add a lot of clutter that you don't usually need. Usually I use -D to see what files SA is reading, what features are enabled, etc.. but none of this is needed for simple syntax problems.
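Added example, not part of the original post and not SpamAssassin's own code: a small pre-flight check for the two-parameter rule described in the reply above, plus a simplified model of what each entry then trusts. The sample config, the example.org/example.com addresses and the function names are constructed; the matching model (`*` and `?` globs in the address, relay name matched as a whole-label suffix of the relay's reverse-DNS name) is an assumption made for illustration.

```python
import re

# Constructed local.cf fragment. Lines 3 and 5 repeat the mistake from the
# lint output above: whitelist_from_rcvd with a single parameter.
SAMPLE_CF = """\
# trusted senders
whitelist_from_rcvd  newsletter@example.org  mail.example.org
whitelist_from_rcvd  groups.yahoo.com
whitelist_from_rcvd  *@example.com  example.com
whitelist_from_rcvd  billing@example.net
whitelist_from       anyone@example.net
"""


def parse_entries(cf_text):
    """Return (entries, problems) for the whitelist_from_rcvd lines.

    entries:  list of (address_glob, relay_domain) for well-formed lines
    problems: list of (line_number, message) for lines that would be skipped
    """
    entries, problems = [], []
    for lineno, raw in enumerate(cf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        key, *params = line.split()
        if key != "whitelist_from_rcvd":
            continue
        if len(params) != 2:
            problems.append((lineno, "expected 2 parameters (from address, "
                             f"relay name), got {len(params)}"))
            continue
        address, relay = params
        if "@" not in address:
            # Heuristic of this example: the first parameter should be an address.
            problems.append((lineno, f"{address!r} does not look like an address"))
            continue
        entries.append((address.lower(), relay.lower().rstrip(".")))
    return entries, problems


def glob_to_regex(glob):
    """Treat only * and ? as wildcards; every other character is literal."""
    pattern = re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(pattern, re.IGNORECASE)


def relay_in_domain(relay_rdns, domain):
    """True if the relay name is the domain itself or a host inside it."""
    rdns = relay_rdns.lower().rstrip(".")
    return rdns == domain or rdns.endswith("." + domain)


def is_whitelisted(from_addr, relay_rdns, entries):
    """Both halves must match: the From address and the delivering relay."""
    return any(
        bool(glob_to_regex(addr).fullmatch(from_addr))
        and relay_in_domain(relay_rdns, domain)
        for addr, domain in entries
    )


if __name__ == "__main__":
    entries, problems = parse_entries(SAMPLE_CF)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    print(is_whitelisted("alice@example.com", "xan.example.com", entries))
    print(is_whitelisted("alice@example.com", "xan.notexample.com", entries))
```

The less specific form (a bare domain as the second parameter) accepts any relay whose name sits inside that domain, which is the trade-off the reply describes.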
RE: Image spam and Bayes problem
Updating the sa rules seemed to make an immediate noticeable difference. Thanks.

-Original Message-
From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 13, 2006 9:03 PM
To: users@spamassassin.apache.org
Subject: Re: Image spam and Bayes problem

On Wed, Dec 13, 2006 at 08:55:26PM -0800, Gary W. Smith wrote:

The image contained the OB stock ticker and the text was random, but coherent sentences. What's the best course of action to block these now. I'm running a couple rules from SARE. Are there some specific ones that will help on this?

Use sa-update.

--
Randomly Selected Tagline: If I were truly original, I'd think of something cute.
Re: installing URIDNSBL
On Thu, 2006-12-14 at 10:38 -0500, Matt Kettler wrote:

Kyle Quillen wrote:

Hey all I am trying to get URIDNSBL. But I think that I have some more problems than just that. When I run spamassassin -D --lint I get the following output with 8 errors. This is all Greek to me; can someone shed some light on this for me? Thanks in advance, Q

snip

[5031] warn: config: SpamAssassin failed to parse line, groups.yahoo.com is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd groups.yahoo.com
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] com is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd [EMAIL PROTECTED] urns.groups.yahoo.com
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] et is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd vintag [EMAIL PROTECTED]
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] m is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd jpgraha [EMAIL PROTECTED]
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd [EMAIL PROTECTED] fi7.com
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd DeloresRabe [EMAIL PROTECTED]
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd dlrcsrvc @berninausa.com
[5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd dlrtechq @berninausa.com

Looks like your whitelist_from_rcvd statements are invalid. whitelist_from_rcvd requires TWO parameters. Not one. You need a from address, which you have, and a partial (or complete) server name from a Received: header, which you are missing.

ie:

whitelist_from_rcvd [EMAIL PROTECTED] xan.evi-inc.com

where xan is the outbound mailserver for evi-inc.com. Usually you can just make it simpler and just do things like:

whitelist_from_rcvd [EMAIL PROTECTED] evi-inc.com

Which is less specific, but will at least make sure the server delivering the mail has a hostname in evi-inc.com.

Also, in the future, try spamassassin --lint first, before trying spamassassin --lint -D. Unless you're dealing with a really odd problem, the -D will just add a lot of clutter that you don't usually need. Usually I use -D to see what files SA is reading, what features are enabled, etc.. but none of this is needed for simple syntax problems.

Ok I fixed those issues with the white list and now when I run spamassassin --lint I get nothing back so I am assuming that it's right. How can I be sure that uridnsbl is working?

Thanks
Q
RE: SPF is hopelessly broken and must die!
Marc Perkel wrote:

I'm still waiting for anyone to describe any use for SPF that doesn't create false positives on normal email forwarding or allow spammers to whitelist themselves by using correct SPF to send spams.

Marc, this is very, very simple, and all these points have been raised in this thread, but not all at once together. This is my attempt to bring the whole picture into four concise points.

1) SPF is all but useless at positively identifying Spam. We all know this.
Corollary: Do not use SPF-Fail as a spam indicator.

2) SPF is also useless at detecting ham. An SPF-Pass means that a given email really is coming from the domain it claims to come from, but that is not an indication that it is good or wanted.
Corollary: Do not use SPF-Pass as a ham indicator.

3) Let's say you bank with Bank of MyBank BankCorp. MyBank.com specifies an SPF record. You receive a message claiming to be from mybank.com, and it passes SPF. You can be reasonably certain it is legitimate.
Corollary: Do use SPF in combination with a whitelist to make the whitelist more powerful.

4) You receive another message from mybank.com, and it fails SPF. This could be a spam/scam/phish email. It could also have been forwarded to you, either by your own forwarder, or by a friend who's forwarding you news about them.
Corollary: Do not use SPF to blacklist messages. Messages failing SPF are merely not whitelisted, and thus subject to normal anti-spam efforts. A legitimate, forwarded mail is likely to pass the spam tests. A spam/scam/phishing email is not.

THAT'S IT! That's all she wrote. End of discussion. It meets the requirements you specified, and here's the benefit it offers in the context of SpamAssassin (so as to keep at least a modicum of on-topic-ness):

* whitelist_from: Dangerous, because anyone can forge From headers.
* whitelist_from_rcvd: Better, but requires you to make configuration changes every time the sender adds or changes outgoing mail servers.
* whitelist_from_spf: Ding! We have a winner. It's a whitelist_from_rcvd where the sender can automatically provide you with updates to their list of outgoing mail servers.

What would be even better is to use SPF-Pass in combination with a whitelist at the MTA level, so that whitelisted From addresses passing SPF can skip SpamAssassin and other anti-spam checks entirely. This reduces load on the mail server, and minimizes the chance of false positives.
How to get SA ...
Hello all,

Included (in plain text) at the end of this message is the source of an e-mail that I received yesterday. Clearly SPAM and it looks like they did some kind of header injection kind of stuff from their end to get the e-mail on its way. SA didn't recognize this as SPAM. What can be done to trap a message like this from going to the e-mail inbox?

Thanks a lot.. and thanks in advance.

Tyler Nally
[EMAIL PROTECTED]

--obvious spam follows--

Return-Path: [EMAIL PROTECTED]
Received: from localhost (yadler.com [127.0.0.1]) by mail.yadler.com (Postfix) with ESMTP id AF709106 for [EMAIL PROTECTED]; Wed, 13 Dec 2006 02:52:09 -0500 (EST)
X-Virus-Scanned: amavisd-new at yadler.com
Received: from mail.yadler.com ([127.0.0.1]) by localhost (superneo.yadler.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id WwvayNWlduiX for [EMAIL PROTECTED]; Wed, 13 Dec 2006 02:52:09 -0500 (EST)
Received: by mail.yadler.com (Postfix, from userid 99) id 1AA03107; Wed, 13 Dec 2006 02:52:09 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on superneo.yadler.com
X-Spam-Level: **
X-Spam-Status: No, score=2.6 required=4.0 tests=BAYES_50,FORGED_RCVD_HELO, HEAD_LONG autolearn=no version=3.1.7
Received: from mail.radiosuomipop.fi (metromedia1-hki.far-m.com [80.64.11.164]) by mail.yadler.com (Postfix) with ESMTP id 9E69C106 for [EMAIL PROTECTED]; Wed, 13 Dec 2006 02:52:06 -0500 (EST)
Received: by mail.radiosuomipop.fi (Postfix, from userid 33) id 16BE47B6; Wed, 13 Dec 2006 09:52:02 +0200 (EET)
To: [EMAIL PROTECTED], Content-Transfer-Encoding:quoted-printable@metromedia1-hki.far-m.com, Content-Type:text/plain@metromedia1-hki.far-m.com, Subject:Never@metromedia1-hki.far-m.com, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], bcc:bitchesleftnut@yahoo.com,
Re: SPF is hopelessly broken and must die!
Marc Perkel wrote:

Since spammers can just as easily use SPF on their domains they can whitelist themselves if you use SPF for whitelisting.

No, they don't!

Here's an example. The following is from a whitelist file used by our mail gateway:

---8---
Verified_Sender [EMAIL PROTECTED]
Verified_Sender [EMAIL PROTECTED]@]+\.apache\.org
Verified_Sender [EMAIL PROTECTED]
Verified_Sender [EMAIL PROTECTED]
Verified_Sender [EMAIL PROTECTED]
Verified_Sender [EMAIL PROTECTED]
---8---

Mail from (envelope) senders matching those regular expressions that come from relays authorized by SPF are never checked with SpamAssassin.

For example a mail from [EMAIL PROTECTED] will bypass SpamAssassin if the relay connecting to our gateway is authorized (by SPF) to send mail from the domain regeringen.se. A mail from [EMAIL PROTECTED] will *not* bypass SpamAssassin even if the relay is authorized by SPF.

Is such a simple whitelist method really so hard to understand?

(Now, I'm doing this whitelist outside of SpamAssassin (in a MIMEDefang filter, that also verifies DKIM/DomainKeys), but the SPF plugin for SpamAssassin can be used in a similar way.)

I'm still waiting for anyone to describe any use for SPF that doesn't create false positives on normal email forwarding or allow spammers to whitelist themselves by using correct SPF to send spams.

You've been given several such examples, and I've added one above.

A whitelist such as the above will *not* allow spammers to whitelist themselves. *I* decide which addresses/domains will be in our whitelist.

A whitelist such as the above will *not* create false positives on normal email forwarding since it never ever creates any positives at all. It is only a whitelist and nothing else.

The basic concept is flawed because it relies on the whole world adopting SRS to be at least not broken

Only if people use SPF to block mails.

(The above comment should make it obvious that I don't agree with all SPF proponents any more than I agree with all SPF opponents.)

Regards
/Jonas

--
Jonas Eckerman, FSDB Fruktträdet
http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
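Added example, not code from either poster, MIMEDefang or SpamAssassin: the whitelist-only use of SPF described in the four-point reply and in the Verified_Sender message above, set beside the "SPF result as verdict" usage both replies argue against. The whitelist entries, the .example addresses and the function names are constructed, and anchoring each regex with `fullmatch` is this example's choice.

```python
import re

# Constructed whitelist in the style of the Verified_Sender file quoted above:
# one regular expression per line, matched against the envelope sender.
# The domains are placeholders, not the redacted originals.
VERIFIED_SENDER_FILE = r"""
Verified_Sender [^@]+@([^@]+\.)?partner\.example
Verified_Sender statements@mybank\.example
"""

SKIP_SCAN = "skip SpamAssassin"
SCAN = "scan normally"
REJECT = "reject"


def load_verified_senders(text):
    """Compile the Verified_Sender regexes from a whitelist file."""
    compiled = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "Verified_Sender":
            compiled.append(re.compile(parts[1].strip(), re.IGNORECASE))
    return compiled


def whitelist_policy(envelope_sender, spf_result, verified):
    """SPF only qualifies a whitelist the operator wrote.

    A listed sender arriving from an SPF-authorised relay skips scanning.
    Everything else, including every SPF failure, is scanned as usual.
    """
    # fullmatch: the whole sender must match, so an address that merely
    # starts with a listed one is not accepted.
    listed = any(rx.fullmatch(envelope_sender) for rx in verified)
    if listed and spf_result.lower() == "pass":
        return SKIP_SCAN
    return SCAN


def naive_policy(envelope_sender, spf_result, verified):
    """SPF result used directly as the verdict (pass = ham, fail = spam)."""
    result = spf_result.lower()
    if result == "pass":
        return SKIP_SCAN
    if result == "fail":
        return REJECT
    return SCAN


# Constructed cases: (description, envelope sender, SPF result)
CASES = [
    ("listed sender, authorised relay", "statements@mybank.example", "pass"),
    ("listed sender, forwarded without SRS", "statements@mybank.example", "fail"),
    ("bulk sender with correct SPF on own domain", "offers@bulk-sender.example", "pass"),
    ("look-alike of a listed address",
     "statements@mybank.example.bulk-sender.example", "pass"),
    ("domain that publishes no SPF record", "someone@no-spf.example", "none"),
]


def compare():
    """Return (description, whitelist verdict, naive verdict) per case."""
    verified = load_verified_senders(VERIFIED_SENDER_FILE)
    return [
        (desc,
         whitelist_policy(sender, spf, verified),
         naive_policy(sender, spf, verified))
        for desc, sender, spf in CASES
    ]


if __name__ == "__main__":
    for desc, wl, naive in compare():
        print(f"{desc:45} whitelist: {wl:18} naive: {naive}")
```

Under the whitelist policy the forwarded message is never rejected and the bulk sender's valid SPF record earns it nothing; only the naive policy shows the false positive and the self-whitelisting discussed in the thread.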
Re: installing URIDNSBL
On Thu, 2006-12-14 at 10:38 -0500, Matt Kettler wrote: Kyle Quillen wrote: Hey all I am trying to get URIDNSBL. But I think that I have some more problems than just that. When I run spamassassin -D --lint I get the following out put with 8 errors. This is all Greek to me can someone shed some light on this for me. Thanks in advance, Q snip [5031] warn: config: SpamAssassin failed to parse line, groups.yahoo.com is no t valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd groups.yahoo.co m [5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] com is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd [EMAIL PROTECTED] urns.groups.yahoo.com [5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] et is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd vintag [EMAIL PROTECTED] [5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] m is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd jpgraha [EMAIL PROTECTED] [5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd [EMAIL PROTECTED] fi7.com [5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] i s not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd DeloresRabe [EMAIL PROTECTED] [5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd dlrcsrvc @berninausa.com [5031] warn: config: SpamAssassin failed to parse line, [EMAIL PROTECTED] is not valid for whitelist_from_rcvd, skipping: whitelist_from_rcvd dlrtechq @berninausa.com Looks like your whitelist_from_rcvd statements are invalid. whitelist_from_rcvd requires TWO parameters. Not one. You need a from address, which you have, and a partial (or complete) server name from a Received: header, which you are missing. 
ie:

whitelist_from_rcvd [EMAIL PROTECTED] xan.evi-inc.com

where xan is the outbound mailserver for evi-inc.com. Usually you can just make it simpler and just do things like:

whitelist_from_rcvd [EMAIL PROTECTED] evi-inc.com

Which is less specific, but will at least make sure the server delivering the mail has a hostname in evi-inc.com.

Also, in the future, try spamassassin --lint first, before trying spamassassin --lint -D. Unless you're dealing with a really odd problem, the -D will just add a lot of clutter that you don't usually need. Usually I use -D to see what files SA is reading, what features are enabled, etc.. but none of this is needed for simple syntax problems.

Ok, now I think I am getting somewhere, just want to make sure that this should be happening. I run spamassassin --lint and it comes back with no errors, then I run spamassassin -D and it just hangs at the last line. Is this normal or is there some other issue?

Thanks Much, Q

[EMAIL PROTECTED] control]# spamassassin --lint
[EMAIL PROTECTED] control]# spamassassin -D
[18614] dbg: logger: adding facilities: all
[18614] dbg: logger: logging level is DBG
[18614] dbg: generic: SpamAssassin version 3.1.7
[18614] dbg: config: score set 0 chosen.
[18614] dbg: util: running in taint mode? yes
[18614] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
[18614] dbg: util: PATH included '/usr/kerberos/sbin', keeping
[18614] dbg: util: PATH included '/usr/kerberos/bin', keeping
[18614] dbg: util: PATH included '/usr/local/sbin', keeping
[18614] dbg: util: PATH included '/usr/local/bin', keeping
[18614] dbg: util: PATH included '/sbin', keeping
[18614] dbg: util: PATH included '/bin', keeping
[18614] dbg: util: PATH included '/usr/sbin', keeping
[18614] dbg: util: PATH included '/usr/bin', keeping
[18614] dbg: util: PATH included '/usr/X11R6/bin', keeping
[18614] dbg: util: PATH included '/root/bin', which doesn't exist,dropping
[18614] dbg: util: final PATH set to: /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
[18614] dbg: message: MIME PARSER START
[18614] dbg: message: main message type: text/plain
[18614] dbg: message: parsing normal part
[18614] dbg: message: added part, type: text/plain
[18614] dbg: message: MIME PARSER END
[18614] dbg: dns: is Net::DNS::Resolver available? yes
[18614] dbg: dns: Net::DNS version: 0.48
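The two-parameter requirement explained in the quoted reply above, as an added example that is not part of the original thread and not SpamAssassin's own code: a simplified shell model of how a whitelist_from_rcvd entry is matched, showing that a sender address only counts when the delivering relay's reverse DNS name also matches. The addresses, hostnames and function names are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of whitelist_from_rcvd matching (illustration only,
# not SpamAssassin's implementation). All names below are constructed.

# Constructed local.cf fragment. The first entry repeats the mistake from
# the lint output above (one parameter); the other two have both.
SAMPLE_CF='# constructed local.cf fragment
whitelist_from_rcvd newsletter@example.com
whitelist_from_rcvd newsletter@example.com mail.example.com
whitelist_from_rcvd *@lists.example.org example.org'

# Lower-case a string; matching is case-insensitive.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# count_invalid CONFIG_TEXT
# Prints how many whitelist_from_rcvd lines lack exactly two parameters.
count_invalid() {
    printf '%s\n' "$1" |
        awk '$1 == "whitelist_from_rcvd" && NF != 3 { n++ } END { print n + 0 }'
}

# addr_matches ADDRESS GLOB
# The first parameter is a file-glob style pattern. This model leans on the
# shell matcher, which also accepts [...] classes.
addr_matches() {
    a=$(lc "$1"); g=$(lc "$2")
    case "$a" in
        $g) return 0 ;;
    esac
    return 1
}

# rdns_matches RELAY_RDNS DOMAIN
# The second parameter matches the relay name itself or any host below it.
# The match is anchored on a label boundary, so "notexample.org" does not
# match "example.org".
rdns_matches() {
    r=$(lc "$1"); d=$(lc "$2")
    case "$r" in
        "$d"|*".$d") return 0 ;;
    esac
    return 1
}

# is_whitelisted FROM RELAY_RDNS CONFIG_TEXT
# Returns 0 only if some valid entry matches BOTH the sender and the relay.
is_whitelisted() {
    from=$1; relay=$2
    # The here-document keeps the loop in the current shell, so return works.
    while read -r key addr dom extra; do
        [ "$key" = "whitelist_from_rcvd" ] || continue
        # Like the lint warnings: entries without two parameters are skipped.
        [ -n "$dom" ] && [ -z "$extra" ] || continue
        if addr_matches "$from" "$addr" && rdns_matches "$relay" "$dom"; then
            return 0
        fi
    done <<EOF
$3
EOF
    return 1
}

# Demo: the same From address arriving through two different relays.
for h in mail.example.com host.example.net; do
    if is_whitelisted newsletter@example.com "$h" "$SAMPLE_CF"; then
        echo "$h: whitelisted"
    else
        echo "$h: not whitelisted"
    fi
done
```

The second relay is refused even though the From address is identical, which is the protection a bare sender-only whitelist entry does not give.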
Re: installing URIDNSBL
On Thu, Dec 14, 2006 at 11:19:43AM -0500, Kyle Quillen wrote: no errors then I run spamassassin -D and it just hangs at the last line. Is this normal or is there some other issue. It's waiting for input, so it's normal. You should pass it a message though, keep your SpamAssassin happy. :) -- Randomly Selected Tagline: Professor: The tanker has six-thousand hulls, so, unlike me, it's entirely leak-proof.
Re: My bayes journal just keeps growing
On Thu, Dec 14, 2006 at 12:48:34PM +0530, Ramprasad wrote: The problem is my bayes_journal file grows immensely ( around 500Mb a day ) but the bayes_toks files hardly gets touched It sounds like syncing is not working for you. When I do a bayes-expiry the process seems to hang (after even 3-4 hours ) and I simply resort to deleting the journal file. Because I cant Why do you delete the journal, which has nothing to do with expiry? Have you run in debug mode to see what is going on? -- Randomly Selected Tagline: You tell 'em Goldfish, You've been around the globe.
Re: Upgraded SA, nothing works
On Thu, Dec 14, 2006 at 11:10:32AM +0100, Gregorics Tamás wrote: Now, here is the funny stuff: SA is being called by amavisd-new. I'm not too familiar with amavisd, and to tell you the truth i didn't find where to specify the spamassassin binary location. I suppose it uses the path You'll want to talk to the Amavis people about issues with using their stuff. to=[EMAIL PROTECTED], relay=none, delay=463, status=deferred (connect to localhost[127.0.0.1]: Connection refused) I'd guess something isn't running. If amavis connects to SA through spamc/spamd, perhaps you're not running spamd? -- Randomly Selected Tagline: A horse is a horse. A corpse, a corpse. -Mr Ed's epitaph.
Re: Meta GENERATOR tag
On Thu, Dec 14, 2006 at 12:44:48PM +, Justin Mason wrote: What is this: META content=3DMSHTML 6.00.2900.2995 name=3DGENERATOR It's a header put in by what creates the HTML. In this case, some Microsoft product, I'd guess FrontPage or something. Searching around for a minute on Google produces things like: MSHTML 5.50 is the DLL for HTML editing that comes with Internet Explorer 5.5 (the version number changes with the version of IE installed). This means that the author created that page with either FrontPage, Visual InterDev, or some other product (most likely made by Microsoft) that uses IE as its design view. I have been putting a score of 10 on this, because it seemed never to be Ouch. Not a good idea imo, but it really depends on what kind of mails you receive. the radar. However, I've seen a few non-spams now that have this. It Yep. It's the generator, not necessarily a spam sign. interesting -- I have no FPs for that. nice ;) I have a ton, a majority of hamtraps. I've put it in for testing -- if anyone spots an FP, I'd like a copy if possible... I can send you a bunch of them if you really want, but IMO it's just a bad rule. -- Randomly Selected Tagline: I don't even have to get dressed up for Halloween. I go as me. - Judge Judy pgp3hE9fBKusY.pgp Description: PGP signature
Tagging for spam mails
We would like to add a spam report to the body of emails identified as spam to make troubleshooting false positives easier. For instance: To: [EMAIL PROTECTED] From: [EMAIL PROTECTED] Date: November 26, 2006 3:57PM Subject: [spam] Buy ED Pills Now The quick brown fox jumps over the lazy dog. The quick brown fox jumps over the lazy dog. The quick brown fox jumps over the lazy dog. The quick brown fox jumps over the lazy dog. This email has been identified as spam for the following reasons: Content analysis details: (6.77 points, 4.00 allowed) pts rule name description -- -- 0.1 HTML_MESSAGE HTML included in message 0.1 HTML_TAG_EXISTS_TBODY HTML has tbody tag 0.6 NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL 6.5 BAYES_995 Bayesian spam probability is 99.5 to 100% -0.5 DK_VERIFIED Domain Keys: signature passes verification 0.0 SPF_PASS SPF: sender matches SPF record (pass) 0.0 NO_RDNS2 Sending MTA has no reverse DNS From this page: http://spamassassin.apache.org/full/3.0.x/dist/doc/spamassassin.html#tagging_for_spam_mails It looks like this option is what we want: spam mail body text I tried just adding spam mail body text to local.cf with no result though. I also added a 1 to the end - that didn't work either. We are running spam assassin 3.1 and the report_safe option in local.cf is set to 0. Could anyone point me to more information on how this feature works? I tried searching Google but didn't have much luck and the Spam Assassin documentation is somewhat ambitious. Thanks, Brad
Re: Meta GENERATOR tag
Theo Van Dinter writes: interesting -- I have no FPs for that. nice ;) I have a ton, a majority of hamtraps. I've put it in for testing -- if anyone spots an FP, I'd like a copy if possible... I can send you a bunch of them if you really want, but IMO it's just a bad rule. with the qp-encoded =3D? without, it seems iffy, but in my corpus it's a different matter with. --j.
Way to skip scanning per-user?
Hey all, I'm looking for an easy way to override ALL scanning (NOT scoring) for a specific user. This is NOT the same as just setting required_score to 1000 -- basically what I want instead is some special way that SA will say nope, not even testing and short circuit. This shouldn't be a difficult feature to implement at all -- I'd imagine about three lines of code :) There are several uses for this, either when a user is using some alternate engine (so why eat CPU on the scanning system?), or under the situation that you have a user who has SUCH a volume of spam that it's under constant attack and you just want to opt them out of the system for diagnostic purposes. Any ideas on how to do this? -Dan -- Long live little fat girls! -Recent Taco Bell Ad Slogan, Literally Translated. (Viva Gorditas) Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: Meta GENERATOR tag
On Thu, Dec 14, 2006 at 04:56:09PM +, Justin Mason wrote: with the qp-encoded =3D? without, it seems iffy, but in my corpus it's a different matter with. I have both, from a quick glance it looks like the majority use qp, but either way I think it's a bad rule. -- Randomly Selected Tagline: A goal, is a dream with a deadline!
Re: Tagging for spam mails
Brad Baker wrote: We would like to add a spam report to the body of emails identified as spam to make troubleshooting false positives easier. For instance: To: [EMAIL PROTECTED] From: [EMAIL PROTECTED] Date: November 26, 2006 3:57PM Subject: [spam] Buy ED Pills Now The quick brown fox jumps over the lazy dog. The quick brown fox jumps over the lazy dog. The quick brown fox jumps over the lazy dog. The quick brown fox jumps over the lazy dog. This email has been identified as spam for the following reasons: Content analysis details: (6.77 points, 4.00 allowed) pts rule name description -- -- 0.1 HTML_MESSAGE HTML included in message 0.1 HTML_TAG_EXISTS_TBODY HTML has tbody tag 0.6 NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL 6.5 BAYES_995 Bayesian spam probability is 99.5 to 100% -0.5 DK_VERIFIED Domain Keys: signature passes verification 0.0 SPF_PASS SPF: sender matches SPF record (pass) 0.0 NO_RDNS2 Sending MTA has no reverse DNS From this page: http://spamassassin.apache.org/full/3.0.x/dist/doc/spamassassin.html#tagging_for_spam_mails It looks like this option is what we want: spam mail body text I tried just adding spam mail body text to local.cf with no result though. I also added a 1 to the end - that didn't work either. We are running spam assassin 3.1 and the report_safe option in local.cf is set to 0. Dont you want report_safe 1? I dont know what this spam mail body text thing is your talking about. Could anyone point me to more information on how this feature works? I tried searching Google but didn't have much luck and the Spam Assassin documentation is somewhat ambitious. ambitious? Thanks, Brad
Re: Way to skip scanning per-user?
On Thu, Dec 14, 2006 at 11:59:26AM -0500, Dan Mahoney, System Admin wrote: I'm looking for an easy way to override ALL scanning (NOT scoring) for a specific user. Don't send mails for that user to SA. what I want instead is some special way that SA will say nope, not even testing and short circuit. At the moment, you can't do that. This shouldn't be a difficult feature to implement at all -- I'd imagine about three lines of code :) There's code in 3.2 to do it, but it's still the most efficient to just not call SA for mails you don't want scanned (SA will still need to do all the processing to start looking at the mail, until it realizes that the mail is whitelisted or whatever, and then stop processing). -- Randomly Selected Tagline: Does killing time damage eternity? pgpXbMW99yFlN.pgp Description: PGP signature
RE: Way to skip scanning per-user?
Dan Mahoney, System Admin wrote: I'm looking for an easy way to override ALL scanning (NOT scoring) for a specific user. This needs to be done in whatever you're using to call SpamAssassin (postfix, exim, sendmail, etc). This shouldn't be a difficult feature to implement at all -- I'd imagine about three lines of code :) How do you handle messages with multiple recipients? Not to mention that the envelope to address(s) (who the mail is *actually* delivered to) don't have to match the headers that SA sees. Since SA needs to be called by another program, and that program will be aware of all of this, that's really the place to do the exemption. Any ideas on how to do this? amavisd-new is the only solution I've seen that sanely handles multiple-recipient emails where one recipient is excluded, without requiring a large amount of work or awkward mail path configurations.
Re: [sa-list] Re: Way to skip scanning per-user?
On Thu, 14 Dec 2006, Theo Van Dinter wrote: On Thu, Dec 14, 2006 at 11:59:26AM -0500, Dan Mahoney, System Admin wrote: I'm looking for an easy way to override ALL scanning (NOT scoring) for a specific user. Don't send mails for that user to SA. At the moment, that's a hack in the system-wide procmailrc that I don't know how to do, since the only thing procmail knows about userspace is dropprivs=yes, and there's no translation for an easy way to equate that to email address (i.e. it allows me to do it per *domain* not per user, i.e. [EMAIL PROTECTED], but if a user has two domains, then I'd have to do them each separately). what I want instead is some special way that SA will say nope, not even testing and short circuit. At the moment, you can't do that. This shouldn't be a difficult feature to implement at all -- I'd imagine about three lines of code :) There's code in 3.2 to do it, but it's still the most efficient to just not call SA for mails you don't want scanned (SA will still need to do all the processing to start looking at the mail, until it realizes that the mail is whitelisted or whatever, and then stop processing). Presuming we're looking for the value of the user based on the email address, yes, I understand, but can't you check the value of -u before you even do that? (i.e. at the earliest point) -Dan -- A mother can be an inspiration to her little son, change his thoughts, his mind, his life, just with her gentle hum. -No Doubt, Different People, from Tragic Kingdom Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: [sa-list] Re: Way to skip scanning per-user?
On Thu, Dec 14, 2006 at 12:11:11PM -0500, Dan Mahoney, System Admin wrote: At the moment, that's a hack in the system-wide procmailrc that I don't know how to do, since the only thing procmail knows about userspace is dropprivs=yes, and there's no translation for an easy way to equate that to email address (i.e. it allows me to do it per *domain* not per user, i.e. [EMAIL PROTECTED], but if a user has two domains, then I'd have to do them each separately). If you're using procmail, you could look at the X-Original-To (or similar) header to figure out who the mail is going to. Otherwise, you could modify your setup to pass information in to procmail from the MTA. Presuming we're looking for the value of the user based on the email address, yes, I understand, but can't you check the value of -u before you even do that? (i.e. at the earliest point) Ah, there you're talking about spamc/spamd which is a different beasty all together. If you want to skip checks based on how you're calling spamc, then check the value you're going to use for the username and don't call spamc if you don't want the mail scanned. -- Randomly Selected Tagline: Every man has the freedom to jump as high as his own penis. pgpxNQnmGTItc.pgp Description: PGP signature
RE: Tagging for spam mails
Brad Baker wrote: We would like to add a spam report to the body of emails identified as spam to make troubleshooting false positives easier. For instance: To: [EMAIL PROTECTED] From: [EMAIL PROTECTED] Date: November 26, 2006 3:57PM Subject: [spam] Buy ED Pills Now The quick brown fox jumps over the lazy dog. The quick brown fox jumps over the lazy dog. The quick brown fox jumps over the lazy dog. The quick brown fox jumps over the lazy dog. This email has been identified as spam for the following reasons: Content analysis details: (6.77 points, 4.00 allowed) pts rule name description -- -- 0.1 HTML_MESSAGE HTML included in message 0.1 HTML_TAG_EXISTS_TBODY HTML has tbody tag 0.6 NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL 6.5 BAYES_995 Bayesian spam probability is 99.5 to 100% -0.5 DK_VERIFIED Domain Keys: signature passes verification 0.0 SPF_PASS SPF: sender matches SPF record (pass) 0.0 NO_RDNS2 Sending MTA has no reverse DNS From this page: http://spamassassin.apache.org/full/3.0.x/dist/doc/spamassassin.html#tagging _for_spam_mails It looks like this option is what we want: spam mail body text I tried just adding spam mail body text to local.cf with no result though. I also added a 1 to the end - that didn't work either. We are running spam assassin 3.1 and the report_safe option in local.cf is set to 0. That's not an option. It's just a header in the document. Could anyone point me to more information on how this feature works? I tried searching Google but didn't have much luck and the Spam Assassin documentation is somewhat ambitious. For documentation of the configuration options, try this page instead: http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.ht ml -- Bowie
Re: [sa-list] RE: Way to skip scanning per-user?
On Thu, 14 Dec 2006, Coffey, Neal wrote: Dan Mahoney, System Admin wrote: I'm looking for an easy way to override ALL scanning (NOT scoring) for a specific user. This needs to be done in whatever you're using to call SpamAssassin (postfix, exim, sendmail, etc). This shouldn't be a difficult feature to implement at all -- I'd imagine about three lines of code :) How do you handle messages with multiple recipients? Not to mention that the envelope to address(s) (who the mail is *actually* delivered to) don't have to match the headers that SA sees. I said per-user, not per email address. Spamd knows which local user is doing the calling before it ever reads the first line of the message. With spamassassin proper (assuming SQL prefs are in play), check $ or $ -- with spamc/spamd, it's being communicated. Since SA needs to be called by another program, and that program will be aware of all of this, that's really the place to do the exemption. See my previous message. I don't see an easy macro in procmail for the current effective UID, nor do I know an easy way to say: if (**my uid is any of these) { } else { call spamassassin } Where as a bonus ** is generated dynamically. If you can supply a snippet of code that does it, I'd love it. If I was only doing scanning FOR a few select users this might make a bit more sense, but it makes sense to me that this be a user_prefable item, as opposed to my users asking me to edit /etc/procmailrc -Dan -- SOY BOMB! -The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan Performance. Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
RE: Tagging for spam mails
Bowie Bailey wrote: For documentation of the configuration options, try this page instead: http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.ht ml The URL wrapped... Try this one: http://tinyurl.com/3r4xa -- Bowie
Re: Tagging for spam mails
On Thu, Dec 14, 2006 at 12:19:54PM -0500, Bowie Bailey wrote: For documentation of the configuration options, try this page instead: The URL wrapped... Try this one: http://tinyurl.com/3r4xa Also acceptable: perldoc Mail::SpamAssassin::Conf -- Randomly Selected Tagline: The Pre-1985 Video Game Character Test was created by RavenBlack. It is entirely in fun. Don't think you have special powers just because the test tells you so. It is not serious, and not to be taken internally. So don't. - http://blog.ravenblack.net/quiz/videogame.pl pgpJJ4G85ANpZ.pgp Description: PGP signature
Re: [sa-list] Re: [sa-list] Re: Way to skip scanning per-user?
On Thu, 14 Dec 2006, Theo Van Dinter wrote: On Thu, Dec 14, 2006 at 12:11:11PM -0500, Dan Mahoney, System Admin wrote: At the moment, that's a hack in the system-wide procmailrc that I don't know how to do, since the only thing procmail knows about userspace is dropprivs=yes, and there's no translation for an easy way to equate that to email address (i.e. it allows me to do it per *domain* not per user, i.e. [EMAIL PROTECTED], but if a user has two domains, then I'd have to do them each separately). If you're using procmail, you could look at the X-Original-To (or similar) header to figure out who the mail is going to. Otherwise, you could modify your setup to pass information in to procmail from the MTA. Presuming we're looking for the value of the user based on the email address, yes, I understand, but can't you check the value of -u before you even do that? (i.e. at the earliest point) Ah, there you're talking about spamc/spamd which is a different beasty all together. If you want to skip checks based on how you're calling spamc, then check the value you're going to use for the username and don't call spamc if you don't want the mail scanned. I'm running procmail with dropprivs=yes. There's no easy procmail thing for (getpwnam($)) and I do NOT feel like firing up perl on every message to evaluate that just to figure out if I should fire up the C program that I use so I don't have to fire up perl. I see procmail macros for the email address, and for the _TO thing, but NOTHING that just gives you the goddamned login. I don't need -u on spamc, spamc just picks up that username and runs with it. If I'm running spamc as danm, spamd grabs danm's prefs. When I said -u, I was asking how spamd would recognize the implied value of -u, not the actual command line flag. If that makes sense? -Dan -- It would be bad. -Egon Spengler, Ghostbusters Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: BODY rule fails with double-spaced text
body unfortunately doesn't come out as a single string for the whole body. It is broken into sections at seemingly random and indeterminate places. This makes an attempt to match across multiple lines fairly improbable.

Loren

- Original Message -
From: Rosenbaum, Larry M.
To: users@spamassassin.apache.org
Sent: Thursday, December 14, 2006 7:30 AM
Subject: BODY rule fails with double-spaced text

The doc for BODY rules says "All HTML tags and line breaks will be removed before matching." I was also told on this list that multiple whitespace was compressed to single space characters. So if I have text like this:

xyzzy abcde

and the following rules:

body T_LMRTESTB1 /xyzzy abcde/
body T_LMRTESTB2 /xyzzy\s{1,4}abcde/

then both rules will match. However, if the text is double-spaced like this:

xyzzy abcde

then *neither* rule will match, even though I would have expected them both to still match. Is this a designed feature or a bug?
RE: Tagging for spam mails
Theo Van Dinter wrote: On Thu, Dec 14, 2006 at 12:19:54PM -0500, Bowie Bailey wrote: For documentation of the configuration options, try this page instead: The URL wrapped... Try this one: http://tinyurl.com/3r4xa Also acceptable: perldoc Mail::SpamAssassin::Conf That works too, but I usually find it easier to navigate the html documentation. -- Bowie
Re: Way to skip scanning per-user?
On Thu, 14 Dec 2006, Theo Van Dinter wrote: As an aside, part of this is why I had asked for (a while back) a way to specify the domain portion of the -u argument, i.e. so it could be done per-calling server (i.e. it is assumed that if shell server A and shell server B, each with a distinct user-base are sharing a spamd machine, then their user bases will have prefnames derived from the hostnames of A and B.) -- regardless of the email address used. i.e. localusername @ suffix (where the suffix is supplied to spamc in some global config file, and the localusername is automatic). Knowing how to do this (get the current username) in procmail (without firing up perl or even SED -- I could call a binary like whoami but that's a bit less universal) would also make THIS mostly unnecessary. Again, this is not at all based on email address (except in the case of emails like mine, where my address accurately reflects the FQDN of the calling server -- but then I've always been the exception rather than the rule), but on UID and HOSTNAME. The servers in question have 400 uids each, two hostnames, and potentially MILLIONS of email addresses, especially in a dictionary attack, where the user has a catch-all account. Which does it make sense to modify stats by? -- I am a professional drinker, and I know that that was NOT Jose Cuervo! Well, what was it then? I think it was some mixture of Rubbing Alcohol, and Desenex(TM) Foot Powder, because my feet feel okay, and my back doesn't hurt, but my stomach is killing me! -Dan Mahoney, Costa Rica, August 12th, 1994 Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: [sa-list] Re: [sa-list] Re: Way to skip scanning per-user?
On Thu, Dec 14, 2006 at 12:26:54PM -0500, Dan Mahoney, System Admin wrote: I'm running procmail with dropprivs=yes. There's no easy procmail thing for (getpwnam($)) and I do NOT feel like firing up perl on every message to evaluate that just to figure out if I should fire up the C program that I use so I don't have to fire up perl. There are environment variables with this kind of info. Look at LOGNAME, for instance. Worst case, you could run id -un and get the information that way. -- Randomly Selected Tagline: To the engineer, the world is a toy box full of sub-optimized and feature-poor toys.- Scott Adams
Fwd: Tagging for spam mails
Dont you want report_safe 1? I want report_safe 1 but I don't want the original message as an attachment - I want it included below the spam report (inline). A lot of our users have problems with opening and managing attachments. I dont know what this spam mail body text thing is your talking about. It appears to be a spam tagging option per the spam assassin documentation. I'm hoping it will add the spam report to the body of the message w/o using attachments but I can't seem to figure out exactly how it works. ambitious? I meant to say ambiguous instead of ambitious. ;-) Thanks Brad On 12/14/06, Jim Maul [EMAIL PROTECTED] wrote: Brad Baker wrote: We would like to add a spam report to the body of emails identified as spam to make troubleshooting false positives easier. For instance: To: [EMAIL PROTECTED] From: [EMAIL PROTECTED] Date: November 26, 2006 3:57PM Subject: [spam] Buy ED Pills Now The quick brown fox jumps over the lazy dog. The quick brown fox jumps over the lazy dog. The quick brown fox jumps over the lazy dog. The quick brown fox jumps over the lazy dog. This email has been identified as spam for the following reasons: Content analysis details: (6.77 points, 4.00 allowed) pts rule name description -- -- 0.1 HTML_MESSAGE HTML included in message 0.1 HTML_TAG_EXISTS_TBODY HTML has tbody tag 0.6 NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL 6.5 BAYES_995 Bayesian spam probability is 99.5 to 100% -0.5 DK_VERIFIED Domain Keys: signature passes verification 0.0 SPF_PASS SPF: sender matches SPF record (pass) 0.0 NO_RDNS2 Sending MTA has no reverse DNS From this page: http://spamassassin.apache.org/full/3.0.x/dist/doc/spamassassin.html#tagging_for_spam_mails It looks like this option is what we want: spam mail body text I tried just adding spam mail body text to local.cf with no result though. I also added a 1 to the end - that didn't work either. We are running spam assassin 3.1 and the report_safe option in local.cf is set to 0. 
Dont you want report_safe 1? I dont know what this spam mail body text thing is your talking about. Could anyone point me to more information on how this feature works? I tried searching Google but didn't have much luck and the Spam Assassin documentation is somewhat ambitious. ambitious? Thanks, Brad
Re: [sa-list] Re: Way to skip scanning per-user?
On Thu, 14 Dec 2006, Theo Van Dinter wrote: On Thu, Dec 14, 2006 at 12:11:11PM -0500, Dan Mahoney, System Admin wrote: At the moment, that's a hack in the system-wide procmailrc that I don't know how to do, since the only thing procmail knows about userspace is dropprivs=yes, and there's no translation for an easy way to equate that to email address (i.e. it allows me to do it per *domain* not per user, i.e. [EMAIL PROTECTED], but if a user has two domains, then I'd have to do them each separately). If you're using procmail, you could look at the X-Original-To (or similar) header to figure out who the mail is going to. Otherwise, you could modify your setup to pass information in to procmail from the MTA. Try looking at $LOGNAME. Procmail knows who it's delivering the message to - it's a *delivery agent* after all. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- It is not the business of government to make men virtuous or religious, or to preserve the fool from the consequences of his own folly. -- Henry George --- Tomorrow: Bill of Rights day
Re: [sa-list] RE: Way to skip scanning per-user?
On Thu, 14 Dec 2006, Dan Mahoney, System Admin wrote: Dan Mahoney, System Admin wrote: I'm looking for an easy way to override ALL scanning (NOT scoring) for a specific user. See my previous message. I don't see an easy macro in procmail for the current effective UID, nor do I know an easy way to say: If you can supply a snippet of code that does it, I'd love it. http://www.impsec.org/~jhardin/antispam/spamassassin.procmail Drop it in your /etc/procmail/ directory and INCLUDERC it from your /etc/procmailrc file. Hack to fit. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- It is not the business of government to make men virtuous or religious, or to preserve the fool from the consequences of his own folly. -- Henry George --- Tomorrow: Bill of Rights day
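The approach the replies in this thread converge on (decide from the local login name, via LOGNAME or `id -un`, and simply do not call spamc for exempt users), written out as an added shell example. It is not part of the original thread and is not the spamassassin.procmail file linked above; the exempt-list path, the `--filter` switch, the `SCANNER` override and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Gate in front of spamc: exempt local logins bypass scanning entirely.
# Hypothetical use from a procmail filter recipe (script path is made up):
#   :0 fw
#   | /usr/local/bin/sa-gate.sh --filter

# current_login
# LOGNAME first, as suggested in the thread; id -un as the fallback.
current_login() {
    if [ -n "${LOGNAME:-}" ]; then
        printf '%s\n' "$LOGNAME"
    else
        id -un
    fi
}

# is_exempt LOGIN FILE
# FILE holds one login per line; '#' starts a comment. The comparison is an
# exact string match, so listing "dan" does not also exempt "danm".
# A missing or unreadable file exempts nobody, so mail is still scanned.
is_exempt() {
    [ -r "$2" ] || return 1
    awk -v u="$1" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == u { found = 1 }
        END { exit !found }
    ' "$2"
}

# filter_message LOGIN FILE
# Reads the message on stdin and writes it to stdout. Exempt users get the
# message back untouched and the scanner process is never started.
# SCANNER is a hypothetical override so the gate can be exercised without
# a running spamd; it defaults to spamc.
filter_message() {
    if is_exempt "$1" "$2"; then
        cat
    else
        ${SCANNER:-spamc}
    fi
}

# Act as a filter only when asked to, so the file can also be sourced.
# /etc/mail/sa-exempt-users is a hypothetical default location.
if [ "${1:-}" = "--filter" ]; then
    filter_message "$(current_login)" "${EXEMPT_FILE:-/etc/mail/sa-exempt-users}"
fi
```

Because the list is a plain file read on every delivery, it can be regenerated by whatever manages the accounts without touching /etc/procmailrc.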
RE: Tarpits are fun!
On Tue, 12 Dec 2006, John D. Hardin wrote:

http://www.impsec.org/~jhardin/antispam/spammer-firewall plus labrea with patches I worked up this weekend:

http://sourceforge.net/projects/labrea
http://sourceforge.net/tracker/index.php?func=detail&aid=1612818&group_id=70896&atid=529395

I still need to figure out why labrea is only accepting a 1000-character-ish BPF filter when the buffer is 65K in size.

Okay, that's fixed too.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- It is not the business of government to make men virtuous or religious, or to preserve the fool from the consequences of his own folly. -- Henry George --- Tomorrow: Bill of Rights day
Re: Fwd: Tagging for spam mails
On Thu, Dec 14, 2006 at 12:46:55PM -0500, Brad Baker wrote: I want report_safe 1 but I don't want the original message as an attachment - I want it included below the spam report (inline). A lot of our users have problems with opening and managing attachments. You'd have to write your own code to do that. In SpamAssassin the two options are: report_safe (put the original in an attachment), or only modify the headers. It appears to be a spam tagging option per the spam assassin documentation. I'm hoping it will add the spam report to the body of the message w/o using attachments but I can't seem to figure out exactly how it works. Reading the documentation link you sent, it's telling you what report_safe does... -- Randomly Selected Tagline: You might say 'So what?' - Prof. Farr So what? - Students Good, I like that. - Prof. Farr pgpXlG2myrbVL.pgp Description: PGP signature
Re: BODY rule fails with double-spaced text
On Thu, Dec 14, 2006 at 09:31:23AM -0800, Loren Wilton wrote: body unfortunately doesn't come out as a single string for the whole body. It is broken into sections at seemingly random and indeterminate places. This makes an attempt to match across multiple lines fairly improbable. ... if by seemingly random and indeterminate places you mean that the body is split into paragraphs. -- Randomly Selected Tagline: I've installed mufflers, but the work was too exhausting.
Re: SPF is hopelessly broken and must die!
On Thursday 14 December 2006 01:51, Giampaolo Tomassoni wrote: From: Marc Perkel [mailto:[EMAIL PROTECTED] OK Daryl, How do you deal with people forwarding email from another domain when using SPF? Right. That's the big reason for using +all (or not using SPF at all). Using +all means to me: Look, I - the postmaster - I'm aware of SPF, but unfortunately my customers have the need to send their mail through many ISPs. No, you say ?all. That means that users may send mail from anywhere, but then we don't guarantee that it's genuine. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgpaPkLxMZqZh.pgp Description: PGP signature
Re: SPF is hopelessly broken and must die!
On Thursday 14 December 2006 01:37, Marc Perkel wrote: How do you deal with people forwarding email from another domain when using SPF? *If* you intend to reject mail based on hard SPF failures, then you *must* allow for exceptions for forwarded mail. Mail can only be forwarded from specific hosts, so while it might be tricky it's definitely possible to define such exception in a meaningful way. Demanding that forwarding between arbitrary hosts must simply work (without SRS, DKIM or some other mechanism) is to say that everyone must always trust the envelope sender and mail header like 20 years ago. That is what is really broken. -- Magnus Holmgren[EMAIL PROTECTED] (No Cc of list mail needed, thanks) Exim is better at being younger, whereas sendmail is better for Scrabble (50 point bonus for clearing your rack) -- Dave Evans pgpVkJTLMWo1f.pgp Description: PGP signature
Re: FuzzyOCR Plugin question
Group Owner: Please unsubscribe CTI Corporativo [EMAIL PROTECTED] per the bounce below. Thanks.

At 11:05 AM 12/14/2006, you wrote:
> HELLO: I DID NOT RECEIVE YOUR MAIL BECAUSE THIS MAILBOX IS DEACTIVATED (THIS IS AN AUTOMATIC REPLY). PLEASE RESEND IT TO [EMAIL PROTECTED] with a copy to [EMAIL PROTECTED] AND RECORD THESE TWO ADDRESSES AS MY NEW E-MAIL ADDRESS. THANK YOU VERY MUCH
>
> Luciano Mari Brusco
> Account Executive
> Centro Comercial Buenos Aires. SME Department
> ( 011) 15 5883-2464
>
> ***
> This message and any attachments are for exclusive usage of an addressee and may contain confidential or privileged information whose disclosure is subject to penalty by law. If you are not the addressee, please notify the sender by return e-mail, delete the original message and destroy any existing copy no matter if printed or recorded. Any opinions contained in this e-mail are those of the author of the message and do not necessarily coincide with those of CTI Móvil or its shareholders. No part of this message or attachments may be used or reproduced in any manner whatsoever.
Re: SpamdForkScaling messages?
> They're debug messages -- not a problem at all.

great. i can ignore them. :-)

does it matter at all that those messages have DISappeared after switching from sa-via-TCP-sock to sa-via-UNIX-sock?
Re: FuzzyOCR Plugin question
On Thu, Dec 14, 2006 at 11:16:01AM -0800, Evan Platt wrote:
> Group Owner: Please unsubscribe CTI Corporativo [EMAIL PROTECTED] per the bounce below.

Someone already reported this to the owners alias (which is a better place than the list to report it to btw...)

None of the email addresses, usernames, or domains are subscribed to the list (and fwiw, I haven't gotten any of these bounces for posts made today). Are they in any way including the original mail, or message-id, or something which could identify the real recipient?

--
Randomly Selected Tagline: Solve the rush hour problem; get vehicular weaponry...
Re: FuzzyOCR Plugin question
At 11:33 AM 12/14/2006, you wrote:
> Someone already reported this to the owners alias (which is a better place than the list to report it to btw...)

I didn't see a header for owner - did I miss it?

> None of the email addresses, usernames, or domains are subscribed to the list (and fwiw, I haven't gotten any of these bounces for posts made today). Are they in any way including the original mail, or message-id, or something which could identify the real recipient?

Here's the complete headers:

Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on espphotography.com
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.1.7
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from avas-mr13.fibertel.com.ar (avas-mr13.fibertel.com.ar [24.232.0.197])
    by espphotography.com (Postfix) with ESMTP id 3C7F7AF7B38
    for [EMAIL PROTECTED]; Thu, 14 Dec 2006 11:06:15 -0800 (PST)
Received: from host-200-81-160-81.sion.net ([200.81.160.81]:30473 EHLO luciano smtp-auth: cticorporativo)
    by avas-mr13.fibertel.com.ar with ESMTPA id S490247AbWLNTGD
    convert rfc822-to-8bit; Thu, 14 Dec 2006 16:06:03 -0300
Message-ID: [EMAIL PROTECTED]
From: CTI Corporativo [EMAIL PROTECTED]
To: Evan Platt [EMAIL PROTECTED]
Subject: Re: FuzzyOCR Plugin question
Date: Thu, 14 Dec 2006 16:05:53 -0300
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8BIT
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Fib-Al-Info: Al
X-Fib-Al-MRId: 859c1d021b215ba0cdd3e8af189cdfd6
X-Fib-Al-SA: analyzed
X-Fib-Al-From: [EMAIL PROTECTED]
X-UID: 12216
Re: SPF is hopelessly broken and must die!
On 14-Dec-06, at 10:30 AM, Marc Perkel wrote:
> I'm not the one who brought it up.
>
> Gino Cerullo wrote:
> > Marc, I get the impression that you run a business that markets itself as an anti-spam solution and it's based on forwarding email and that business model is threatened by the growing adoption of SPF. Now, maybe I'm completely wrong but your incessant rants over this lead me to think otherwise.
> >
> > Regardless, if you have concerns about SPF and its perceived relations to anti-spam or its problems with email forwarding why are you continuing to bring it up on this list? The venue for it is the SPF Discuss and the SRS Discuss mailing lists. To subscribe to those lists use the following addresses.
> >
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> >
> > For a complete list of SPF related discussion lists please visit the following page.
> >
> > http://www.openspf.org/Forums

I presume the answer you gave is an admission that you are, in fact, using email forwarding as the method behind your spam filtering system.

To me that sounds like an abuse of the email forwarding feature to accomplish something that it was not designed or meant to be used for.

So you see, many people, including yourself, are using the email system in ways that it was not meant or at least, envisioned to be used for.

--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
416-247-7740

This email address protect by SPF! Want to protect your domain's email from forgery? Visit openspf.org
Re: Upgraded SA, nothing works
> On Thu, Dec 14, 2006 at 11:10:32AM +0100, Gregorics Tamás wrote:
> > Now, here is the funny stuff: SA is being called by amavisd-new. I'm not too familiar with amavisd, and to tell you the truth i didn't find where to specify the spamassassin binary location. I suppose it uses the path
>
> You'll want to talk to the Amavis people about issues with using their stuff.
>
> > to=[EMAIL PROTECTED], relay=none, delay=463, status=deferred (connect to localhost[127.0.0.1]: Connection refused)
>
> I'd guess something isn't running. If amavis connects to SA through spamc/spamd, perhaps you're not running spamd?

Right, looks like amavisd-new was stopped and not restarted. Amavisd-new does not need spamd as it uses the Mail::SpamAssassin Perl module.

Gary V
Re: FuzzyOCR Plugin question
On Thu, Dec 14, 2006 at 11:40:23AM -0800, Evan Platt wrote:
> I didn't see a header for owner - did I miss it?

It's just [EMAIL PROTECTED] listname-owner is a standard address for the folks who run the list.

> > today). Are they in any way including the original mail, or message-id, or something which could identify the real recipient?
>
> Here's the complete headers:
> [...]

I didn't see anything obvious in there. Searching for variations on username and domain return no matches to the subscriber list.

--
Randomly Selected Tagline: Hey, you're shaped like buddah, millions of people follow him! - The Drew Carey Show
Re: Topics for SA presentation?
Theo,

I was also thinking about doing a rules/sa-update/plugin talk, though doing 3 may be a bit much.

How about Care and feeding of SpamAssassin?

- Keeping SA updated
- sa-update and rule maintenance
- When do you write your own rules
- Adding plugins
- How well is SA working?
- Creating and maintaining your own spam/ham corpus for testing
- Compare vanilla SA scores to sa-updat-ed ones (especially on recent %$^$%#$ image spams)

That would cover a lot of FAQs.

- H
Re: Bayes doesn't seem to be working for me
Markus,

the key was: sa-learn was run by the user rd, and the bayes database went into the directory ~rd/.spamassassin

spamd was called from exim, i.e. it was running under the userid Debian-exim and thus *not* checking ~rd/.spamassassin

I am right now the only user on that system, so I added

bayes_path /home/rd/.spamassassin/bayes

to /etc/spamassassin/local.cf

which makes spamd look at the right place for the bayes database (note this is not ONLY the directory, but also the prefix of the files:

[EMAIL PROTECTED]:~$ cd ~rd/.spamassassin/
[EMAIL PROTECTED]:~/.spamassassin$ ls -1
auto-whitelist
bayes_seen
bayes_toks
bayes_toks.expire20200
user_prefs
user_prefs~
[EMAIL PROTECTED]:~/.spamassassin$
)

Hope that helps,
Rainer

On Thursday, 14 December 2006 03:36 you wrote:
> hello,
>
> can you share with me how you solve your problem posted at spamassassin mailing list below?
>
> thank you
>
> Best Regards,
> Markus
>
> - Original Message
> From: Rainer Dorsch [EMAIL PROTECTED]
> To: users@spamassassin.apache.org
> Sent: Thursday, 14 December, 2006 6:32:39 AM
> Subject: Re: Bayes doesn't seem to be working for me
>
> On Wednesday, 13 December 2006 23:40, Theo Van Dinter wrote:
> > On Wed, Dec 13, 2006 at 10:39:08PM +0100, Rainer Dorsch wrote:
> > > [EMAIL PROTECTED]:~$ spamassassin -D --lint 2>&1 | grep bayes
> > > debug: config: read file /usr/share/spamassassin/23_bayes.cf
> > > debug: bayes: 18897 tie-ing to DB file R/O /home/rd/.spamassassin/bayes_toks
> > > debug: bayes: 18897 tie-ing to DB file R/O /home/rd/.spamassassin/bayes_seen
> >
> > Ok. So you're running as user rd, and that's the DB you're using.
> >
> > > [EMAIL PROTECTED]:~$ sa-learn --dump magic
> > > 0.000 0 7812 0 non-token data: nspam
> > > 0.000 0 8204 0 non-token data: nham
> >
> > ditto.
> >
> > > X-SA-Exim-Connect-IP: 217.72.192.221
> > > X-SA-Exim-Mail-From: [EMAIL PROTECTED]
> >
> > So you're running from exim. Is exim using user rb? My guess is not. I know nothing about Exim, but my guess is that scanning happens at the MTA point, and not the MDA point.
> >
> > In that case, you're running site-wide, so no per-user configs or dbs, and you'll want to configure SA to be site-wide (use bayes_path, etc.)
>
> Thanks, that solved my problem.
>
> Rainer

--
Rainer Dorsch
Alzentalstr. 28
D-71083 Herrenberg
07032-919495
jabber: [EMAIL PROTECTED]
GPG Fingerprint: 5966 C54C 2B3C 42CC 1F4F 8F59 E3A8 C538 7519 141E
Full GPG key: http://pgp.mit.edu/
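The mismatch diagnosed in the message above (training as one user, scanning as another) and the point that `bayes_path` is a file prefix rather than a directory, as an added example that is not SpamAssassin's or any poster's code. The home directories are constructed in a temporary directory, and the function names are hypothetical.

```python
import os
import tempfile

def configured_bayes_path(config_text):
    """Return the last bayes_path value found in SpamAssassin config text, or None."""
    value = None
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)   # drop comments, split key/value
        if len(parts) == 2 and parts[0] == "bayes_path":
            value = parts[1].strip()
    return value

def effective_prefix(config_text, home):
    """Bayes file prefix for a process whose home directory is `home`."""
    return configured_bayes_path(config_text) or os.path.join(home, ".spamassassin", "bayes")

def same_database(config_text, learner_home, scanner_home):
    """True when the training user and the scanning user resolve to the same prefix."""
    return (effective_prefix(config_text, learner_home)
            == effective_prefix(config_text, scanner_home))

def check_prefix(prefix):
    """bayes_path names a file prefix: the files are <prefix>_toks and <prefix>_seen."""
    if os.path.isdir(prefix):
        return "directory given, expected a prefix such as " + os.path.join(prefix, "bayes")
    missing = [prefix + s for s in ("_toks", "_seen") if not os.path.exists(prefix + s)]
    return "missing " + ", ".join(missing) if missing else "ok"

def demo():
    """Run the checks against constructed home directories in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        rd_home = os.path.join(root, "home", "rd")                # user who ran sa-learn
        exim_home = os.path.join(root, "var", "spool", "exim4")   # assumed MTA user home
        sa_dir = os.path.join(rd_home, ".spamassassin")
        os.makedirs(sa_dir)
        for name in ("bayes_toks", "bayes_seen"):
            open(os.path.join(sa_dir, name), "w").close()
        site_cf = "bayes_path %s\n" % os.path.join(sa_dir, "bayes")
        return {
            "per_user": same_database("", rd_home, exim_home),
            "site_wide": same_database(site_cf, rd_home, exim_home),
            "prefix": check_prefix(configured_bayes_path(site_cf)),
            "directory": check_prefix(sa_dir),
        }

if __name__ == "__main__":
    print(demo())
```

Path resolution is only half of it on a real system: the scanning user also needs file permissions on the database files, which this sketch does not check.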
Re: SPF is hopelessly broken and must die!
On 14 dec 2006, at 20.40, Gino Cerullo wrote:
> I presume the answer you gave is an admission that you are, in fact, using email forwarding as the method behind your spam filtering system.

The link from perkel.com - junkemailfilter.com is pretty self explanatory. It all makes sense now...

Marc: Since you already require that your customers modify their MX records to have their email sent to your servers, why not update / add the appropriate SPF records at the same time? That would prevent any problems caused by SPF checks.

j o a r
Re: SPF is hopelessly broken and must die!
On Thu, 14 Dec 2006, j o a r wrote:
> Marc: Since you already require that your customers modify their MX records to have their email sent to your servers, why not update / add the appropriate SPF records at the same time? That would prevent any problems caused by SPF checks.

Not quite. Anyone using Marc's service or one like it (e.g. Postini) should DISABLE any SPF checks on their MTAs that reject mail, since their MTA is no longer the public MX for their domain.

Marc can still perform SPF checks at *his* inbound MTA, as *he* is now their public MX. How he uses that information is up to him.

Marc? I assume you tell your customers to disable any SPF checks on their inbound MTA once they start using your service?

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Men by their constitutions are naturally divided in to two parties: 1. Those who fear and distrust the people and wish to draw all powers from them into the hands of the higher classes. 2. Those who identify themselves with the people, have confidence in them, cherish and consider them as the most honest and safe, although not the most wise, depository of the public interests. -- Thomas Jefferson
---
Tomorrow: Bill of Rights day
Re: SPF is hopelessly broken and must die!
On 14-Dec-06, at 4:35 PM, j o a r wrote:
> On 14 dec 2006, at 20.40, Gino Cerullo wrote:
> > I presume the answer you gave is an admission that you are, in fact, using email forwarding as the method behind your spam filtering system.
>
> The link from perkel.com - junkemailfilter.com is pretty self explanatory. It all makes sense now...

I already knew the answer, I just wanted him to admit it in front of everyone but he didn't. He opted to send the email directly to me, off list but I put it back in for everyone to see.

Marc's rants have nothing to do with the perceived shortcomings of SPF but everything to do with the threat to his flawed business model. There are work-arounds to Marc's problems if he thinks about it a little but he's so fixated on what he's read about SPF breaking forwarding he can't see the forest through the trees so to speak.

> Marc: Since you already require that your customers modify their MX records to have their email sent to your servers, why not update / add the appropriate SPF records at the same time? That would prevent any problems caused by SPF checks.

No, that's not the solution and I'm not going to share it with him either. He'll have to work it out himself.

--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
416-247-7740

This email address protect by SPF! Want to protect your domain's email from forgery? Visit openspf.org
Re: SPF is hopelessly broken and must die!
On Thu, 14 Dec 2006, Gino Cerullo wrote:
> > Marc: Since you already require that your customers modify their MX records to have their email sent to your servers, why not update / add the appropriate SPF records at the same time? That would prevent any problems caused by SPF checks.
>
> No, that's not the solution and I'm not going to share it with him either. He'll have to work it out himself.

Oops. Sorry. :)

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Men by their constitutions are naturally divided in to two parties: 1. Those who fear and distrust the people and wish to draw all powers from them into the hands of the higher classes. 2. Those who identify themselves with the people, have confidence in them, cherish and consider them as the most honest and safe, although not the most wise, depository of the public interests. -- Thomas Jefferson
---
Tomorrow: Bill of Rights day
SURBL scored stronger than normal on the apache servers?
[EMAIL PROTECTED] wrote:
> This report relates to a message you sent with the following header fields:
>
> Message-id: [EMAIL PROTECTED]
> Date: Thu, 14 Dec 2006 11:37:35 -0500
> From: Matt Kettler [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: installing URIDNSBL
>
> Your message cannot be delivered to the following recipients:
>
> Recipient address: users@spamassassin.apache.org
> Reason: SMTP transmission failure has occurred
> Diagnostic code: smtp;552 spam score (21.0) exceeded threshold
> Remote system: dns;herse.apache.org (TCP|206.46.252.46|57572|140.211.11.133|25) (apache.org ESMTP qpsmtpd 0.29 ready; send us your mail, but not your spam.)

snip email containing the surbl permanent test point, and no spam quotes.

The test-point URL used to only be listed in SC, although tests at uribl.com and rulesemporium.com both just report it as listed as a test point and don't list out any SURBL sub-lists it belongs to.

... So has apache.org jumped up their score, or is there some change in the listing here that's causing SA deployments to go nuts on this test point?

21 points seems absolutely *absurd* for just SC, or any test point. (Actually 21 seems a little bit out-of-whack for any combination of rules all looking at the same small attribute of the email, no matter how strong a spam sign it is, except perhaps an end-user configured explicit blacklist.)