date:20061214

On Thu, Dec 14, 2006 at 11:19:43AM -0500, Kyle Quillen wrote:
 no errors then I run spamassassin -D and it just hangs at the last line.
 Is this normal or is there some other issue.

It's waiting for input, so it's normal.   You should pass it a message though,
keep your SpamAssassin happy. :)

-- 
Randomly Selected Tagline:
 Professor: The tanker has six-thousand hulls, so, unlike me, 
it's entirely leak-proof.


pgpTyMo8sOPBJ.pgp
Description: PGP signature

Re: My bayes journal just keeps growing

On Thu, Dec 14, 2006 at 12:48:34PM +0530, Ramprasad wrote:
 The problem is my bayes_journal file grows immensely ( around 500Mb a
 day ) but the bayes_toks files hardly gets touched

It sounds like syncing is not working for you.

 When I do a bayes-expiry the process seems to hang (after even 3-4
 hours ) and I simply resort to deleting the journal file. Because I cant

Why do you delete the journal, which has nothing to do with expiry?  Have you
run in debug mode to see what is going on?

-- 
Randomly Selected Tagline:
You tell 'em Goldfish, You've been around the globe.


pgponvjmQucWL.pgp
Description: PGP signature

Re: Upgraded SA, nothing works

On Thu, Dec 14, 2006 at 11:10:32AM +0100, Gregorics Tamás wrote:
 Now, here is the funny stuff: SA is being called by amavisd-new. I'm not 
 too familiar with amavisd, and to tell you the truth i didn't find where 
 to specify the spamassassin binary location. I suppose it uses the path 

You'll want to talk to the Amavis people about issues with using their stuff.

 to=[EMAIL PROTECTED], relay=none, delay=463, status=deferred (connect to 
 localhost[127.0.0.1]: Connection refused)

I'd guess something isn't running.  If amavis connects to SA through
spamc/spamd, perhaps you're not running spamd?

-- 
Randomly Selected Tagline:
A horse is a horse. A corpse, a corpse. -Mr Ed's epitaph.


pgp9rp35mRo9U.pgp
Description: PGP signature

Re: Meta GENERATOR tag

On Thu, Dec 14, 2006 at 12:44:48PM +, Justin Mason wrote:
  What is this:
  META content=3DMSHTML 6.00.2900.2995 name=3DGENERATOR

It's a header put in by what creates the HTML.  In this case, some Microsoft
product, I'd guess FrontPage or something.  Searching around for a minute on
Google produces things like:

MSHTML 5.50 is the DLL for HTML editing that comes with Internet Explorer 5.5
(the version number changes with the version of IE installed). This means that
the author created that page with either FrontPage, Visual InterDev, or some
other product (most likely made by Microsoft) that uses IE as its design
view.

  I have been putting a score of 10 on this, because it seemed never to be

Ouch.  Not a good idea imo, but it really depends on what kind of mails you
receive.

  the radar. However, I've seen a few non-spams now that have this. It

Yep.  It's the generator, not necessarily a spam sign.

 interesting -- I have no FPs for that. nice ;)

I have a ton, a majority of hamtraps.

 I've put it in for testing -- if anyone spots an FP, I'd like a copy
 if possible...

I can send you a bunch of them if you really want, but IMO it's just a bad rule.

-- 
Randomly Selected Tagline:
I don't even have to get dressed up for Halloween.  I go as me. - Judge Judy


pgp3hE9fBKusY.pgp
Description: PGP signature

Tagging for spam mails

2006-12-14 Thread Brad Baker

We would like to add a spam report to the body of emails identified as
spam to make troubleshooting false positives easier. For instance:

To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: November 26, 2006 3:57PM
Subject: [spam] Buy ED Pills Now

The quick brown fox jumps over the lazy dog. The quick brown fox jumps
over the lazy dog. The quick brown fox jumps over the lazy dog. The
quick brown fox jumps over the lazy dog.

This email has been identified as spam for the following reasons:
Content analysis details: (6.77 points, 4.00 allowed)

pts rule name description
 -- --
0.1 HTML_MESSAGE HTML included in message
0.1 HTML_TAG_EXISTS_TBODY HTML has tbody tag
0.6 NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL
6.5 BAYES_995 Bayesian spam probability is 99.5 to 100%
-0.5 DK_VERIFIED Domain Keys: signature passes verification
0.0 SPF_PASS SPF: sender matches SPF record (pass)
0.0 NO_RDNS2 Sending MTA has no reverse DNS

From this page:

http://spamassassin.apache.org/full/3.0.x/dist/doc/spamassassin.html#tagging_for_spam_mails

It looks like this option is what we want:   spam mail body text

I tried just adding spam mail body text to local.cf with no result
though. I also added a 1 to the end - that didn't work either.  We
are running spam assassin 3.1 and the report_safe option in local.cf
is set to 0.

Could anyone point me to more information on how this feature works? I
tried searching Google but didn't have much luck and the Spam Assassin
documentation is somewhat ambitious.

Thanks,
Brad

Re: Meta GENERATOR tag

2006-12-14 Thread Justin Mason


Theo Van Dinter writes:
  interesting -- I have no FPs for that. nice ;)
 
 I have a ton, a majority of hamtraps.
 
  I've put it in for testing -- if anyone spots an FP, I'd like a copy
  if possible...
 
 I can send you a bunch of them if you really want, but IMO it's just a
 bad rule.

with the qp-encoded =3D?  without, it seems iffy, but in
my corpus it's a different matter with.

--j.

Way to skip scanning per-user?


Hey all,

I'm looking for an easy way to override ALL scanning (NOT scoring) for a 
specific user.


This is NOT the same as just setting required_score to 1000 -- basically 
what I want instead is some special way that SA will say nope, not even 
testing and short circuit.


This shouldn't be a difficult feature to implement at all -- I'd imagine 
about three lines of code :)


There are several uses for this, either when a user is using some 
alternate engine (so why eat CPU on the scanning system?), or under the 
situation that you have a user who has SUCH a volume of spam that it's 
under constant attack and you just want to opt them out of the system 
for diagnostic purposes.


Any ideas on how to do this?

-Dan

--

Long live little fat girls!

-Recent Taco Bell Ad Slogan, Literally Translated.  (Viva Gorditas)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

Re: Meta GENERATOR tag

On Thu, Dec 14, 2006 at 04:56:09PM +, Justin Mason wrote:
 with the qp-encoded =3D?  without, it seems iffy, but in
 my corpus it's a different matter with.

I have both, from a quick glance it looks like the majority use qp,
but either way I think it's a bad rule.

-- 
Randomly Selected Tagline:
A goal, is a dream with a deadline!


pgptgSOiEFHTo.pgp
Description: PGP signature

Re: Tagging for spam mails

2006-12-14 Thread Jim Maul

Brad Baker wrote:

We would like to add a spam report to the body of emails identified as
spam to make troubleshooting false positives easier. For instance:

To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: November 26, 2006 3:57PM
Subject: [spam] Buy ED Pills Now

The quick brown fox jumps over the lazy dog. The quick brown fox jumps
over the lazy dog. The quick brown fox jumps over the lazy dog. The
quick brown fox jumps over the lazy dog.

This email has been identified as spam for the following reasons:
Content analysis details: (6.77 points, 4.00 allowed)

pts rule name description
 -- 
--

0.1 HTML_MESSAGE HTML included in message
0.1 HTML_TAG_EXISTS_TBODY HTML has tbody tag
0.6 NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL
6.5 BAYES_995 Bayesian spam probability is 99.5 to 100%
-0.5 DK_VERIFIED Domain Keys: signature passes verification
0.0 SPF_PASS SPF: sender matches SPF record (pass)
0.0 NO_RDNS2 Sending MTA has no reverse DNS

From this page:
http://spamassassin.apache.org/full/3.0.x/dist/doc/spamassassin.html#tagging_for_spam_mails 

It looks like this option is what we want:   spam mail body text

I tried just adding spam mail body text to local.cf with no result
though. I also added a 1 to the end - that didn't work either.  We
are running spam assassin 3.1 and the report_safe option in local.cf
is set to 0.

Dont you want report_safe 1?  I dont know what this spam mail body 
text thing is your talking about.

Could anyone point me to more information on how this feature works? I
tried searching Google but didn't have much luck and the Spam Assassin
documentation is somewhat ambitious.

ambitious?

Thanks,
Brad

Re: Way to skip scanning per-user?

On Thu, Dec 14, 2006 at 11:59:26AM -0500, Dan Mahoney, System Admin wrote:
 I'm looking for an easy way to override ALL scanning (NOT scoring) for a 
 specific user.

Don't send mails for that user to SA.

 what I want instead is some special way that SA will say nope, not even 
 testing and short circuit.

At the moment, you can't do that.

 This shouldn't be a difficult feature to implement at all -- I'd imagine 
 about three lines of code :)

There's code in 3.2 to do it, but it's still the most efficient to just not
call SA for mails you don't want scanned (SA will still need to do all the
processing to start looking at the mail, until it realizes that the mail is
whitelisted or whatever, and then stop processing).

-- 
Randomly Selected Tagline:
Does killing time damage eternity?


pgpXbMW99yFlN.pgp
Description: PGP signature

RE: Way to skip scanning per-user?

2006-12-14 Thread Coffey, Neal

Dan Mahoney, System Admin wrote:
 I'm looking for an easy way to override ALL scanning (NOT scoring)
 for a specific user.

This needs to be done in whatever you're using to call SpamAssassin
(postfix, exim, sendmail, etc).

 This shouldn't be a difficult feature to implement at all -- I'd
 imagine about three lines of code :)

How do you handle messages with multiple recipients?  Not to mention
that the envelope to address(s) (who the mail is *actually* delivered
to) don't have to match the headers that SA sees.

Since SA needs to be called by another program, and that program will be
aware of all of this, that's really the place to do the exemption.

 Any ideas on how to do this?

amavisd-new is the only solution I've seen that sanely handles
multiple-recipient emails where one recipient is excluded, without
requiring a large amount of work or awkward mail path configurations.

Re: [sa-list] Re: Way to skip scanning per-user?


On Thu, 14 Dec 2006, Theo Van Dinter wrote:


On Thu, Dec 14, 2006 at 11:59:26AM -0500, Dan Mahoney, System Admin wrote:

I'm looking for an easy way to override ALL scanning (NOT scoring) for a
specific user.


Don't send mails for that user to SA.


At the moment, that's a hack in the system-wide procmailrc that I don't 
know how to do, since the only thing procmail knows about userspace is 
dropprivs=yes, and there's no translation for an easy way to equate 
that to email address (i.e. it allows me to do it per *domain* not per 
user, i.e. [EMAIL PROTECTED], but if a user has two domains, then I'd have to 
do them each separately).



what I want instead is some special way that SA will say nope, not even
testing and short circuit.


At the moment, you can't do that.



This shouldn't be a difficult feature to implement at all -- I'd imagine
about three lines of code :)


There's code in 3.2 to do it, but it's still the most efficient to just not
call SA for mails you don't want scanned (SA will still need to do all the
processing to start looking at the mail, until it realizes that the mail is
whitelisted or whatever, and then stop processing).


Presuming we're looking for the value of the user based on the email 
address, yes, I understand, but can't you check the value of -u before you 
even do that? (i.e. at the earliest point)


-Dan

--

A mother can be an inspiration to her little son, change his thoughts,
his mind, his life, just with her gentle hum.

-No Doubt, Different People, from Tragic Kingdom


Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

Re: [sa-list] Re: Way to skip scanning per-user?

On Thu, Dec 14, 2006 at 12:11:11PM -0500, Dan Mahoney, System Admin wrote:
 At the moment, that's a hack in the system-wide procmailrc that I don't 
 know how to do, since the only thing procmail knows about userspace is 
 dropprivs=yes, and there's no translation for an easy way to equate 
 that to email address (i.e. it allows me to do it per *domain* not per 
 user, i.e. [EMAIL PROTECTED], but if a user has two domains, then I'd have to 
 do them each separately).

If you're using procmail, you could look at the X-Original-To (or similar)
header to figure out who the mail is going to.  Otherwise, you could modify
your setup to pass information in to procmail from the MTA.

 Presuming we're looking for the value of the user based on the email 
 address, yes, I understand, but can't you check the value of -u before you 
 even do that? (i.e. at the earliest point)

Ah, there you're talking about spamc/spamd which is a different beasty all
together.  If you want to skip checks based on how you're calling spamc, then
check the value you're going to use for the username and don't call spamc if
you don't want the mail scanned.

-- 
Randomly Selected Tagline:
Every man has the freedom to jump as high as his own penis.


pgpxNQnmGTItc.pgp
Description: PGP signature

RE: Tagging for spam mails

2006-12-14 Thread Bowie Bailey

Brad Baker wrote:
 We would like to add a spam report to the body of emails identified as
 spam to make troubleshooting false positives easier. For instance:

 To: [EMAIL PROTECTED]
 From: [EMAIL PROTECTED]
 Date: November 26, 2006 3:57PM
 Subject: [spam] Buy ED Pills Now

 The quick brown fox jumps over the lazy dog. The quick brown fox jumps
 over the lazy dog. The quick brown fox jumps over the lazy dog. The
 quick brown fox jumps over the lazy dog.

 This email has been identified as spam for the following reasons:
 Content analysis details: (6.77 points, 4.00 allowed)

 pts rule name description
  --
 -- 
 0.1 HTML_MESSAGE HTML included in message
 0.1 HTML_TAG_EXISTS_TBODY HTML has tbody tag
 0.6 NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL
 6.5 BAYES_995 Bayesian spam probability is 99.5 to 100%
 -0.5 DK_VERIFIED Domain Keys: signature passes verification
 0.0 SPF_PASS SPF: sender matches SPF record (pass)
 0.0 NO_RDNS2 Sending MTA has no reverse DNS

 From this page:

http://spamassassin.apache.org/full/3.0.x/dist/doc/spamassassin.html#tagging
_for_spam_mails

 It looks like this option is what we want:   spam mail body text

 I tried just adding spam mail body text to local.cf with no result
 though. I also added a 1 to the end - that didn't work either.  We
 are running spam assassin 3.1 and the report_safe option in local.cf
 is set to 0.

That's not an option.  It's just a header in the document.

 Could anyone point me to more information on how this feature works? I
 tried searching Google but didn't have much luck and the Spam Assassin
 documentation is somewhat ambitious.

For documentation of the configuration options, try this page instead:

http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.ht
ml

-- 
Bowie

Re: [sa-list] RE: Way to skip scanning per-user?


On Thu, 14 Dec 2006, Coffey, Neal wrote:


Dan Mahoney, System Admin wrote:

I'm looking for an easy way to override ALL scanning (NOT scoring)
for a specific user.


This needs to be done in whatever you're using to call SpamAssassin
(postfix, exim, sendmail, etc).


This shouldn't be a difficult feature to implement at all -- I'd
imagine about three lines of code :)


How do you handle messages with multiple recipients?  Not to mention
that the envelope to address(s) (who the mail is *actually* delivered
to) don't have to match the headers that SA sees.


I said per-user, not per email address.  Spamd knows which local user is 
doing the calling before it ever reads the first line of the message. 
With spamassassin proper (assuming SQL prefs are in play), check $ or $ 
-- with spamc/spamd, it's being communicated.



Since SA needs to be called by another program, and that program will be
aware of all of this, that's really the place to do the exemption.


See my previous message.  I don't see an easy macro in procmail for the 
current effective UID, nor do I know an easy way to say:


if (**my uid is any of these) {

}
else {
call spamassassin
}

Where as a bonus ** is generated dynamically.


If you can supply a snippet of code that does it, I'd love it.  If I was 
only doing scanning FOR a few select users this might make a bit more 
sense, but it makes sense to me that this be a user_prefable item, as 
opposed to my users asking me to edit /etc/procmailrc


-Dan


--

SOY BOMB!

-The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan
Performance.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

RE: Tagging for spam mails

2006-12-14 Thread Bowie Bailey

Bowie Bailey wrote:
 
 For documentation of the configuration options, try this page instead:
 

http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.ht
 ml

The URL wrapped...  Try this one:

http://tinyurl.com/3r4xa

-- 
Bowie

Re: Tagging for spam mails

On Thu, Dec 14, 2006 at 12:19:54PM -0500, Bowie Bailey wrote:
  For documentation of the configuration options, try this page instead:
 The URL wrapped...  Try this one:
 http://tinyurl.com/3r4xa

Also acceptable:

perldoc Mail::SpamAssassin::Conf

-- 
Randomly Selected Tagline:
The Pre-1985 Video Game Character Test was created by RavenBlack. It is
 entirely in fun. Don't think you have special powers just because the test
 tells you so. It is not serious, and not to be taken internally. So don't.
 - http://blog.ravenblack.net/quiz/videogame.pl


pgpJJ4G85ANpZ.pgp
Description: PGP signature

Re: [sa-list] Re: [sa-list] Re: Way to skip scanning per-user?


On Thu, 14 Dec 2006, Theo Van Dinter wrote:


On Thu, Dec 14, 2006 at 12:11:11PM -0500, Dan Mahoney, System Admin wrote:

At the moment, that's a hack in the system-wide procmailrc that I don't
know how to do, since the only thing procmail knows about userspace is
dropprivs=yes, and there's no translation for an easy way to equate
that to email address (i.e. it allows me to do it per *domain* not per
user, i.e. [EMAIL PROTECTED], but if a user has two domains, then I'd have to
do them each separately).


If you're using procmail, you could look at the X-Original-To (or similar)
header to figure out who the mail is going to.  Otherwise, you could modify
your setup to pass information in to procmail from the MTA.


Presuming we're looking for the value of the user based on the email
address, yes, I understand, but can't you check the value of -u before you
even do that? (i.e. at the earliest point)


Ah, there you're talking about spamc/spamd which is a different beasty all
together.  If you want to skip checks based on how you're calling spamc, then
check the value you're going to use for the username and don't call spamc if
you don't want the mail scanned.


I'm running procmail with dropprivs=yes.  There's no easy procmail thing 
for (getpwnam($)) and I do NOT feel like firing up perl on every message 
to evaluate that just to figure out if I should fire up the C program that 
I use so I don't have to fire up perl.


I see procmail macros for the email address, and for the _TO thing, but 
NOTHING that just gives you the goddamned login.


I don't need -u on spamc, spamc just picks up that username and runs with 
it.  If I'm running spamc as danm, spamd grabs danm's prefs.


When I said -u, I was asking how spamd would recognize the implied value 
of -u, not the actual command line flag.


If that makes sense?

-Dan

--

It would be bad.

-Egon Spengler, Ghostbusters

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

Re: BODY rule fails with double-spaced text

2006-12-14 Thread Loren Wilton

body unfortunately doesn't come out as a single string for the whole body.  
It is broken into sections at seemingly random and indeterminate places.  This 
makes an attempt to match across multiple lines fairly improbable.

Loren
  - Original Message - 
  From: Rosenbaum, Larry M. 
  To: users@spamassassin.apache.org 
  Sent: Thursday, December 14, 2006 7:30 AM
  Subject: BODY rule fails with double-spaced text

  The doc for BODY rules says All HTML tags and line breaks will be removed 
before matching.  I was also told on this list that multiple whitespace was 
compressed to single space characters.  So if I have text like this:

  xyzzy

  abcde

  and the following rules:

  bodyT_LMRTESTB1 /xyzzy abcde/

  bodyT_LMRTESTB2 /xyzzy\s{1,4}abcde/

  then both rules will match.  However, if the text is double-spaced like this:

  xyzzy

  abcde

  then *neither* rule will match, even though I would have expected them both 
to still match.  Is this a designed feature or a bug?

RE: Tagging for spam mails

2006-12-14 Thread Bowie Bailey

Theo Van Dinter wrote:
 On Thu, Dec 14, 2006 at 12:19:54PM -0500, Bowie Bailey wrote:
   For documentation of the configuration options, try this page
   instead: 
  The URL wrapped...  Try this one:
  http://tinyurl.com/3r4xa
 
 Also acceptable:
 
 perldoc Mail::SpamAssassin::Conf

That works too, but I usually find it easier to navigate the html
documentation.

-- 
Bowie

Re: Way to skip scanning per-user?


On Thu, 14 Dec 2006, Theo Van Dinter wrote:

As an aside, part of this is why I had asked for (a while back) a way to 
specify the domain portion of the -u argument, i.e. so it could be done 
per-calling server (i.e. it is assumed that if shell server A and shell 
server B, each with a distinct user-base are sharing a spamd machine, then 
their user bases will have prefnames derived from the hostnames of A and 
B.) -- regardless of the email address used.


i.e. localusername @ suffix (where the suffix is supplied to spamc in some 
global config file, and the localusername is automatic).  Knowing how to 
do this (get the current username) in procmail (without firing up perl or 
even SED -- I could call a binary like whoami but that's a bit less 
universal) would also make THIS mostly unnecessary.


Again, this is not at all based on email address (except in the case of 
emails like mine, where my address accurately reflects the FQDN of the 
calling server -- but then I've always been the exception rather than the 
rule), but on UID and HOSTNAME.


The servers in question have 400 uids each, two hostnames, and potentially 
MILLIONS of email addresses, especially in a dictionary attack, where the 
user has a catch-all account.  Which does it make sense to modify stats 
by?


--

I am a professional drinker, and I know that that was NOT Jose Cuervo!

Well, what was it then?

I think it was some mixture of Rubbing Alcohol, and Desenex(TM) Foot
Powder, because my feet feel okay, and my back doesn't hurt, but my
stomach is killing me!

-Dan Mahoney, Costa Rica, August 12th, 1994

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

Re: [sa-list] Re: [sa-list] Re: Way to skip scanning per-user?

On Thu, Dec 14, 2006 at 12:26:54PM -0500, Dan Mahoney, System Admin wrote:
 I'm running procmail with dropprivs=yes.  There's no easy procmail thing 
 for (getpwnam($)) and I do NOT feel like firing up perl on every message 
 to evaluate that just to figure out if I should fire up the C program that 
 I use so I don't have to fire up perl.

There are environment variables with this kind of info.  Look at LOGNAME, for
instance.  Worst case, you could run id -un and get the information that
way.

-- 
Randomly Selected Tagline:
To the engineer, the world is a toy box full of sub-optimized and
 feature-poor toys.- Scott Adams


pgp6WEjGGjW5r.pgp
Description: PGP signature

Fwd: Tagging for spam mails

2006-12-14 Thread Brad Baker

Dont you want report_safe 1?

I want report_safe 1 but I don't want the original message as an
attachment - I want it included below the spam report (inline). A lot
of our users have problems with opening and managing attachments.

I dont know what this spam mail body text thing is your talking about.

It appears to be a spam tagging option per the spam assassin
documentation. I'm hoping it will add the spam report to the body of
the message w/o using attachments but I can't seem to figure out
exactly how it works.

ambitious?

I meant to say ambiguous instead of ambitious. ;-)

Thanks
Brad

On 12/14/06, Jim Maul [EMAIL PROTECTED] wrote:

Brad Baker wrote:
We would like to add a spam report to the body of emails identified as
spam to make troubleshooting false positives easier. For instance:

To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Date: November 26, 2006 3:57PM
Subject: [spam] Buy ED Pills Now

The quick brown fox jumps over the lazy dog. The quick brown fox jumps
over the lazy dog. The quick brown fox jumps over the lazy dog. The
quick brown fox jumps over the lazy dog.

This email has been identified as spam for the following reasons:
Content analysis details: (6.77 points, 4.00 allowed)

pts rule name description
--
--
0.1 HTML_MESSAGE HTML included in message
0.1 HTML_TAG_EXISTS_TBODY HTML has tbody tag
0.6 NORMAL_HTTP_TO_IP Uses a dotted-decimal IP address in URL
6.5 BAYES_995 Bayesian spam probability is 99.5 to 100%
-0.5 DK_VERIFIED Domain Keys: signature passes verification
0.0 SPF_PASS SPF: sender matches SPF record (pass)
0.0 NO_RDNS2 Sending MTA has no reverse DNS

From this page:

http://spamassassin.apache.org/full/3.0.x/dist/doc/spamassassin.html#tagging_for_spam_mails

It looks like this option is what we want: spam mail body text

I tried just adding spam mail body text to local.cf with no result
though. I also added a 1 to the end - that didn't work either. We
are running spam assassin 3.1 and the report_safe option in local.cf
is set to 0.

Dont you want report_safe 1? I dont know what this spam mail body
text thing is your talking about.

Could anyone point me to more information on how this feature works? I
tried searching Google but didn't have much luck and the Spam Assassin
documentation is somewhat ambitious.

ambitious?

Thanks,
Brad

Re: [sa-list] Re: Way to skip scanning per-user?

On Thu, 14 Dec 2006, Theo Van Dinter wrote:

 On Thu, Dec 14, 2006 at 12:11:11PM -0500, Dan Mahoney, System Admin wrote:
  At the moment, that's a hack in the system-wide procmailrc that I don't 
  know how to do, since the only thing procmail knows about userspace is 
  dropprivs=yes, and there's no translation for an easy way to equate 
  that to email address (i.e. it allows me to do it per *domain* not per 
  user, i.e. [EMAIL PROTECTED], but if a user has two domains, then I'd have 
  to 
  do them each separately).
 
 If you're using procmail, you could look at the X-Original-To (or
 similar) header to figure out who the mail is going to.  
 Otherwise, you could modify your setup to pass information in to
 procmail from the MTA.

Try looking at $LOGNAME. Procmail knows who it's delivering the
message to - it's a *delivery agent* after all.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.  -- Henry George
---
 Tomorrow: Bill of Rights day

Re: [sa-list] RE: Way to skip scanning per-user?

On Thu, 14 Dec 2006, Dan Mahoney, System Admin wrote:

  Dan Mahoney, System Admin wrote:
  I'm looking for an easy way to override ALL scanning (NOT scoring)
  for a specific user.
 
 See my previous message.  I don't see an easy macro in procmail for the 
 current effective UID, nor do I know an easy way to say:

 If you can supply a snippet of code that does it, I'd love it. 

  http://www.impsec.org/~jhardin/antispam/spamassassin.procmail

Drop it in your /etc/procmail/ directory and INCLUDERC it from your
/etc/procmailrc file. Hack to fit.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.  -- Henry George
---
 Tomorrow: Bill of Rights day

RE: Tarpits are fun!

On Tue, 12 Dec 2006, John D. Hardin wrote:

 http://www.impsec.org/~jhardin/antispam/spammer-firewall
 
 plus labrea with patches I worked up this weekend:
 
 http://sourceforge.net/projects/labrea
 
 http://sourceforge.net/tracker/index.php?func=detailaid=1612818group_id=70896atid=529395
 
 I still need to figure out why labrea is only accepting a
 1000-character-ish BPF filter when the buffer is 65K in size.

Okay, that's fixed too.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.  -- Henry George
---
 Tomorrow: Bill of Rights day

Re: Fwd: Tagging for spam mails

On Thu, Dec 14, 2006 at 12:46:55PM -0500, Brad Baker wrote:
 I want report_safe 1 but I don't want the original message as an
 attachment - I want it included below the spam report (inline).  A lot
 of our users have problems with opening and managing attachments.

You'd have to write your own code to do that.  In SpamAssassin the two
options are: report_safe (put the original in an attachment), or only
modify the headers.

 It appears to be a spam tagging option per the spam assassin
 documentation. I'm hoping it will add the spam report to the body of
 the message w/o using attachments but I can't seem to figure out
 exactly how it works.

Reading the documentation link you sent, it's telling you what report_safe
does...

-- 
Randomly Selected Tagline:
You might say 'So what?' - Prof. Farr
 So what? - Students
 Good, I like that.   - Prof. Farr


pgpXlG2myrbVL.pgp
Description: PGP signature

Re: BODY rule fails with double-spaced text

On Thu, Dec 14, 2006 at 09:31:23AM -0800, Loren Wilton wrote:
 body unfortunately doesn't come out as a single string for the whole body.  
 It is broken into sections at seemingly random and indeterminate places.  
 This makes an attempt to match across multiple lines fairly improbable.

... if by seemingly random and indeterminate places you mean that the
body is split into paragraphs.

-- 
Randomly Selected Tagline:
I've installed mufflers, but the work was too exhausting.


pgpleVWfSBTEh.pgp
Description: PGP signature

Re: SPF is hopelessly broken and must die!

2006-12-14 Thread Magnus Holmgren

On Thursday 14 December 2006 01:51, Giampaolo Tomassoni wrote:
 From: Marc Perkel [mailto:[EMAIL PROTECTED]

  OK Daryl,
 
  How do you deal with people forwarding email from another domain when
  using SPF?

 Right. That's the big reason for using +all (or not using SPF at all).

 Using +all means to me: Look, I - the postmaster - I'm aware of SPF, but
 unfortunately my customers have the need to send their mail through many
 ISPs.

No, you say ?all. That means that users may send mail from anywhere, but 
then we don't guarantee that it's genuine.

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)

  Exim is better at being younger, whereas sendmail is better for 
   Scrabble (50 point bonus for clearing your rack) -- Dave Evans


pgpaPkLxMZqZh.pgp
Description: PGP signature

Re: SPF is hopelessly broken and must die!

2006-12-14 Thread Magnus Holmgren

On Thursday 14 December 2006 01:37, Marc Perkel wrote:
 How do you deal with people forwarding email from another domain when
 using SPF?

*If* you intend to reject mail based on hard SPF failures, then you *must* 
allow for exceptions for forwarded mail. Mail can only be forwarded from 
specific hosts, so while it might be tricky it's definitely possible to 
define such exception in a meaningful way.

Demanding that forwarding between arbitrary hosts must simply work (without 
SRS, DKIM or some other mechanism) is to say that everyone must always trust 
the envelope sender and mail header like 20 years ago. That is what is really 
broken.

-- 
Magnus Holmgren[EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)

  Exim is better at being younger, whereas sendmail is better for 
   Scrabble (50 point bonus for clearing your rack) -- Dave Evans


pgpVkJTLMWo1f.pgp
Description: PGP signature

Re: FuzzyOCR Plugin question

2006-12-14 Thread Evan Platt

Group Owner: Please unsubscribe CTI Corporativo 
[EMAIL PROTECTED] per the bounce below.


Thanks.



At 11:05 AM 12/14/2006, you wrote:

HOLA:
NO RECIBI TU MAIL YA QUE ESTA CASILLA ESTA 
DESACTIVADA (ESTO ES UNA RESPUESTA AUTOMATICA)


POR FAVOR REENVIARLO A

[EMAIL PROTECTED]

 con copia a

[EMAIL PROTECTED]

Y AGENDAR ESTAS DOS DIRECCIONES COMO MI NUEVA DIRECCION DE CORREO

MUCHAS GRACIAS


Luciano Mari Brusco
Ejecutivo de Cuenta
Centro Comercial Buenos Aires.
Departamento PYMES
( 011) 15 5883-2464

*** 



Este mensaje y todos los archivos adjuntos a él son para uso exclusivo
del destinatario y pueden contener información confidencial o propietaria,
cuya divulgación es sancionada por ley.

Si usted recibió este mensaje erróneamente, por 
favor notifíquenos respondiendo al

remitente, borre el mensaje original y destruya las copias (impresas o
grabadas
en cualquier medio magnético) que pueda haber realizado del mismo.

Todas las opiniones contenidas en este mail son propias del autor del mensaje
y no necesariamente coinciden con las de CTI Móvil o alguna de las empresas
accionistas. La publicación, uso, copia e impresión total o parcial de
este mensaje o documentos adjuntos queda prohibida.

Muchas gracias

CTI Móvil

*** 



This message and any attachments are for exclusive usage of an addressee
and may contain confidential or privileged information whose disclosure
is subject to penalty by law.

If you are not the addressee, please notify the 
sender by return e-mail, delete

the original message and destroy any existing copy no matter if printed
or recorded.

Any opinions contained in this e-mail are those 
of the author of the message and

do not necessarily coincide with those of CTI Móvil or its shareholders.
No part of this message or attachments may be used or reproduced in any
manner whatsoever.

Re: SpamdForkScaling messages?

2006-12-14 Thread snowcrash+spamassassin


They're debug messages -- not a problem at all.


great. i can ignore them. :-)

does it matter at all that those message have DISappeared after
switching from sa-via-TCP-sock to sa-via-UNIX-sock?

Re: FuzzyOCR Plugin question

On Thu, Dec 14, 2006 at 11:16:01AM -0800, Evan Platt wrote:
 Group Owner: Please unsubscribe CTI Corporativo 
 [EMAIL PROTECTED] per the bounce below.

Someone already reported this to the owners alias (which is a better place
than the list to report it to btw...)

None of the email addresses, usernames, or domains are subscribed to
the list (and fwiw, I haven't gotten any of these bounces for posts made
today).  Are they in anyway including the original mail, or message-id,
or something which could identify the real recipient?

-- 
Randomly Selected Tagline:
Solve the rush hour problem; get vehicular weaponry...


pgp8cXNK0Tf7I.pgp
Description: PGP signature

Re: FuzzyOCR Plugin question

2006-12-14 Thread Evan Platt


At 11:33 AM 12/14/2006, you wrote:


Someone already reported this to the owners alias (which is a better place
than the list to report it to btw...)


I didn't see a header for owner - did I miss it?


None of the email addresses, usernames, or domains are subscribed to
the list (and fwiw, I haven't gotten any of these bounces for posts made
today).  Are they in anyway including the original mail, or message-id,
or something which could identify the real recipient?


Here's the complete headers:

Return-Path: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on espphotography.com
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham
version=3.1.7
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from avas-mr13.fibertel.com.ar (avas-mr13.fibertel.com.ar 
[24.232.0.197])

by espphotography.com (Postfix) with ESMTP id 3C7F7AF7B38
for [EMAIL PROTECTED]; Thu, 14 Dec 2006 11:06:15 -0800 (PST)
Received: from host-200-81-160-81.sion.net ([200.81.160.81]:30473 EHLO
luciano smtp-auth: cticorporativo) by avas-mr13.fibertel.com.ar
with ESMTPA id S490247AbWLNTGD convert rfc822-to-8bit; Thu, 
14 Dec 2006 16:06:03 -0300

Message-ID: [EMAIL PROTECTED]
From: CTI Corporativo [EMAIL PROTECTED]
To: Evan Platt [EMAIL PROTECTED]
Subject: Re: FuzzyOCR Plugin question
Date:   Thu, 14 Dec 2006 16:05:53 -0300
MIME-Version: 1.0
Content-Type: text/plain;
charset=iso-8859-1
Content-Transfer-Encoding: 8BIT
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Fib-Al-Info: Al
X-Fib-Al-MRId: 859c1d021b215ba0cdd3e8af189cdfd6
X-Fib-Al-SA: analyzed
X-Fib-Al-From: [EMAIL PROTECTED]
X-UID: 12216

Re: SPF is hopelessly broken and must die!

2006-12-14 Thread Gino Cerullo


On 14-Dec-06, at 10:30 AM, Marc Perkel wrote:


I'm not the one who brought it up.

Gino Cerullo wrote:

Marc,

I get the impression that you run a business that markets itself  
as an anti-spam solution and it's based on forwarding email and  
that business model is threatened by the growing adoption of SPF.


Now, I maybe I'm completely wrong but your incessant rants over  
this leads me to think otherwise. Regardless, if you have concerns  
about SPF and it's perceived relations to anti-spam or it's  
problems with email forwarding why are you continuing to bring it  
up on this list. The venue for it is the SPF Discuss and the SRS  
Discuss mailing lists.


To subscribe to those lists use the following addresses.

[EMAIL PROTECTED]
[EMAIL PROTECTED]

For a complete list of SPF related discussion list please visit  
the following page.


http://www.openspf.org/Forums


I presume the answer you gave is an admission that you are, in fact,  
using email forwarding as the method behind your spam filtering system.


To me that sounds like an abuse of the email forwarding feature to  
accomplish something that it was not designed or meant to be used  
for. So you see, many people, including yourself, are using the email  
system in ways that it was not meant or at least, envisioned to be  
used for.



--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740

This email address protect by SPF! Want to protect your domain's  
email from forgery? Visit openspf.org

Re: Upgraded SA, nothing works

2006-12-14 Thread Gary V


On Thu, Dec 14, 2006 at 11:10:32AM +0100, Gregorics Tamás wrote:
 Now, here is the funny stuff: SA is being called by amavisd-new. I'm not
 too familiar with amavisd, and to tell you the truth i didn't find where
 to specify the spamassassin binary location. I suppose it uses the path

You'll want to talk to the Amavis people about issues with using their 
stuff.


 to=[EMAIL PROTECTED], relay=none, delay=463, status=deferred (connect to
 localhost[127.0.0.1]: Connection refused)

I'd guess something isn't running.  If amavis connects to SA through
spamc/spamd, perhaps you're not running spamd?



Right, looks like amavisd-new was stopped and not restarted. Amavisd-new 
does not need spamd as it uses the Mail::SpamAssassin Perl module.


Gary V

_
Talk now to your Hotmail contacts with Windows Live Messenger. 
http://clk.atdmt.com/MSN/go/msnnkwme002001msn/direct/01/?href=http://get.live.com/messenger/overview

Re: FuzzyOCR Plugin question

On Thu, Dec 14, 2006 at 11:40:23AM -0800, Evan Platt wrote:
 I didn't see a header for owner - did I miss it?

It's just [EMAIL PROTECTED]  listname-owner is a standard address for the 
folks
who run the list.

 today).  Are they in anyway including the original mail, or message-id,
 or something which could identify the real recipient?
 
 Here's the complete headers:
[...]

I didn't see anything obvious in there.  Searching for variations on username
and domain return no matches to the subscriber list.

-- 
Randomly Selected Tagline:
Hey, you're shaped like buddah, millions of people follow him!
  - The Drew Carey Show


pgpx7lAp5W4KX.pgp
Description: PGP signature

Re: Topics for SA presentation?

2006-12-14 Thread Harold Paulson


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Theo,

I was also thinking about doing a rules/sa-update/plugin talk,  
though doing 3

may be a bit much.


How about Care and feeding of SpamAssassin?

 - Keeping SA updated
 - sa-update and rule maintenance
 - When do you write your own rules
 - Adding plugins
 - How well is SA working?
 - Creating and maintaining your own spam/ham corpus for testing
 - Compare vanilla SA scores to sa-updat-ed ones (especially on  
recent %$^$%#$ image spams)


That would cover a lot of FAQs.

- H



-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFFga2/Oy/dHTCUq6oRAp/iAKDnspjtUK4OMEAeA6UBbKxszWqhBwCgm/yJ
WwHjv5rgAGfVYAlSIEFclKI=
=a1Td
-END PGP SIGNATURE-

Re: Bayes doesn't seem to be working for me

2006-12-14 Thread Rainer Dorsch

Markus,

the key was:

sa-learn was run by the user rd, and the bayes database went into the 
directory

~rd/.spamassassin

spamd was called from exim, i.e. it was running under the userid Debian-exim 
and thus *not* checking ~rd/.spamassassin

I am right now the only user on that system, so I added

bayes_path /home/rd/.spamassassin/bayes

to /etc/spamassassin/local.cf

which makes spamd looking at the right place for the bayes database (not this 
is not ONLY the directory, but also the prefix of the files:

[EMAIL PROTECTED]:~$ cd ~rd/.spamassassin/
[EMAIL PROTECTED]:~/.spamassassin$ ls -1
auto-whitelist
bayes_seen
bayes_toks
bayes_toks.expire20200
user_prefs
user_prefs~
[EMAIL PROTECTED]:~/.spamassassin$

)

Hope that helps,
Rainer

Am Donnerstag, 14. Dezember 2006 03:36 schrieben Sie:
 hello,

 can you share with me how you solve your problem posted at spamassassin
 mailing list below?

 thank you

 Best Regards,
 Markus

 - Original Message 
 From: Rainer Dorsch [EMAIL PROTECTED]
 To: users@spamassassin.apache.org
 Sent: Thursday, 14 December, 2006 6:32:39 AM
 Subject: Re: Bayes doesn't seem to be working for me

 Am Mittwoch, 13. Dezember 2006 23:40 schrieb Theo Van Dinter:
  On Wed, Dec 13, 2006 at 10:39:08PM +0100, Rainer Dorsch wrote:
   [EMAIL PROTECTED]:~$ spamassassin -D --lint 21 |grep bayes
   debug: config: read file /usr/share/spamassassin/23_bayes.cf
   debug: bayes: 18897 tie-ing to DB file R/O
   /home/rd/.spamassassin/bayes_toks debug: bayes: 18897 tie-ing to DB
   file R/O /home/rd/.spamassassin/bayes_seen
 
  Ok.  So you're running as user rd, and that's the DB you're using.
 
   [EMAIL PROTECTED]:~$ sa-learn --dump magic
   0.000  0   7812  0  non-token data: nspam
   0.000  0   8204  0  non-token data: nham
 
  ditto.
 
X-SA-Exim-Connect-IP: 217.72.192.221
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
 
  So you're running from exim.  Is exim using user rb?  My guess is not.
 
  I know nothing about Exim, but my guess is that scanning happens at the
  MTA point, and not the MDA point.  In that case, you're running
  site-wide, so no per-user configs or dbs, and you'll want to configure SA
  to be site-wide (use bayes_path, etc.)

 Thanks, that solved my problem.

 Rainer

-- 
Rainer Dorsch
Alzentalstr. 28
D-71083 Herrenberg
07032-919495
jabber: [EMAIL PROTECTED]
GPG Fingerprint: 5966 C54C 2B3C 42CC 1F4F  8F59 E3A8 C538 7519 141E
Full GPG key: http://pgp.mit.edu/

Re: SPF is hopelessly broken and must die!

2006-12-14 Thread j o a r



On 14 dec 2006, at 20.40, Gino Cerullo wrote:

I presume the answer you gave is an admission that you are, in  
fact, using email forwarding as the method behind your spam  
filtering system.


The link from perkel.com - junkemailfilter.com is pretty self  
explanatory. It all makes sense now...


Marc: Since you already require that your customers modify their MX  
records to have their email sent to your servers, why not update /  
add the appropriate SPF records at the same time? That would prevent  
any problems caused by SPF checks.


j o a r

Re: SPF is hopelessly broken and must die!

On Thu, 14 Dec 2006, j o a r wrote:

 Marc: Since you already require that your customers modify their
 MX records to have their email sent to your servers, why not
 update / add the appropriate SPF records at the same time? That
 would prevent any problems caused by SPF checks.

Not quite.

Anyone using Marc's service or one like it (e.g. Postini) should
DISABLE any SPF checks on their MTAs that reject mail, since their MTA
is no longer the public MX for their domain.

Marc can still perform SPF checks at *his* inbound MTA, as *he* is now
their public MX. How he uses that information is up to him.

Marc? I assume you tell your customers to disable any SPF checks on
their inbound MTA once they start using your service?

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Men by their constitutions are naturally divided in to two parties:
  1. Those who fear and distrust the people and wish to draw all
  powers from them into the hands of the higher classes. 2. Those who
  identify themselves with the people, have confidence in them,
  cherish and consider them as the most honest and safe, although not
  the most wise, depository of the public interests.
  -- Thomas Jefferson
---
 Tomorrow: Bill of Rights day

Re: SPF is hopelessly broken and must die!

2006-12-14 Thread Gino Cerullo


On 14-Dec-06, at 4:35 PM, j o a r wrote:



On 14 dec 2006, at 20.40, Gino Cerullo wrote:

I presume the answer you gave is an admission that you are, in  
fact, using email forwarding as the method behind your spam  
filtering system.


The link from perkel.com - junkemailfilter.com is pretty self  
explanatory. It all makes sense now...


I already knew the answer, I just wanted him to admit it in front of  
everyone but he didn't. He opted to send the email directly to me,  
off list but I put it back in for everyone to see.


Marc's, rants have nothing to do with the perceived short comings of  
SPF but everything to do with the threat to his flawed business model.


There are work-arounds to Marc's problems if he thinks about it a  
little but he's so fixated on what he's read about SPF breaking  
forwarding he can't see the forest through the trees so to speak.


Marc: Since you already require that your customers modify their MX  
records to have their email sent to your servers, why not update /  
add the appropriate SPF records at the same time? That would  
prevent any problems caused by SPF checks.


No, that's not the solution and I'm not going to share it with him  
either. He'll have to work it out himself.



--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6

416-247-7740

This email address protect by SPF! Want to protect your domain's  
email from forgery? Visit openspf.org

Re: SPF is hopelessly broken and must die!