Re: Any anti-spam solution against outgoing mail?

2006-12-28 Thread Monty Ree

Thanks for your kind answer.
I have an additional question.

> b) once domains are identified correctly, you might replace the
> /usr/sbin/sendmail by a wrapper


this is a good idea..
Do you have any recommendable wrapper program about sendmail?


Thanks again for your time..



From: [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Subject: Re: Any anti-spam solution against outgoing mail? 
Date: 28 Dec 2006 21:57:37 -


>> Hello, list.
>>
>> I have used well SA with procmail well against incoming mail.
>> But there are lots of outgoing spam-mails using web programs or using
>> sendmail at my server.
>> (There are several domains are hosted at the server.)
>>
>> So is there any program like spamassassin which can filter against outgoing
>> spam mail?
>> or any program which can limit sending spam-mail?
>>
>> Please recommend any for me..
>>
>> my system is linux and sendmail.
>>
>>
>>

Hi,

a) it might be possible to enforce valid sender through webserver config
so it does not say
[EMAIL PROTECTED] but rather shows the actual domain
b) once domains are identified correctly, you might replace the
/usr/sbin/sendmail by a wrapper
that performs rate limiting and/or alerting
c) both you and your client domains should receive bounces
d) you should educate your clients about email form best practices

Wolfgang Hamann









any lots of CC related rule?

2006-12-28 Thread Monty Ree

Hello, all..

I have received some spam mails which have lots of mail-lists randomly at 
CC(carbon copy).
So I would like to filter spam-mail which has over 10 e-mail address at CC 
or BCC like below.


Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; ..

How can I make a rule against these?

Thanks for your time..




test

2006-12-28 Thread Jean-Paul Natola
disregard









Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]



Re: FuzzyOCR and 'valid' embedded Images

2006-12-28 Thread René Berber
Greg Skouby wrote:

> We have some users of our mail system that are using Lotus Notes for
> their MUA. In Lotus Notes they have the option of using, for lack of a
> better word, some 'stationery' that effectively embeds three images into
> the outgoing email.  If the original recipient replies to that original
> message with an HTML message of their own then the three images get
> embedded into the second email that is sent back to the original sender.
> Things get confusing here so follow me. If the original sender then
> replies to the reply from the original recipient then three MORE images
> get embedded into the message for a total of six embedded images. You
> see where I am going here? In a long enough conversation the embedded
> images start to stack up. 
[snip]
> In order to start to solve the problem I installed FuzzyOCR; I figured
> this was a good step to discern between 'hammy' and 'spammy' images. The
> FuzzyOCR installation seems to have worked correctly. My question is
> where do I go from here? My inclination is to decrease the scores for
> the above referenced rules, besides the RAZOR tests. Does this sound
> like the correct way to go?

No, FuzzyOcr does not score non-spam images, nor does it subtract in any case;
it does detect non-spam images but only to save the checksum in its database
(and not have to scan the same image again).  You would have to change the code
to make it do what you want.

The best solution would be not to use SA on those messages, and that is of
course done somewhere else.  One example are some of SnertSoft's milters for
sendmail (and postfix?), the interesting functionality is that they (supposedly)
can white-list the remote recipient, so that when they answer they don't have to
go through the usual tests (I've only read about this in the context of
gray-listing but a milter for spam checks could do the same).

MailScanner has the white-listing functionality, but it's not automatic, it's
manual.

Other possibility would be to extend AWL and/or other auto white-listing in a
similar fashion.  SA's AWL is probably decreasing the score in your case already
and you don't have much control, just add or delete manually, and the automatic
score averaging.

> I am running 3.1.7 with sa-update and some of the various SARE rulesets.
> I have AWL and Bayes turned on also.
> 
> Thanks for your thoughts!

HTH
-- 
René Berber



Re: SA not catching apostrophes in sender's addressess?

2006-12-28 Thread John Rudd

Chris wrote:
> On Thursday 28 December 2006 12:22 pm, Benny Pedersen wrote:
>> if clamav knows its a virus, why then test it as spam in spamassassin ?
> Why not? I'm using the clamav plug-in as part of the spamassassin install.



Because SpamAssassin is rather expensive, while ClamAV is rather cheap 
(in terms of system resources consumed in the scanning process).  If 
possible, I'd do the ClamAV check _before_ SpamAssassin, and not spam 
scan anything ClamAV flagged as a virus.


For example, in mimedefang, the logic I follow is like this:

1) if the message has an attachment with a bad attachment filename, 
reject it and don't do any further scanning.


2) if ClamAV says the message is a virus, reject it and don't do any 
further scanning.


3) only after those 2 checks, check it for spam.  If the score is >= 10, 
reject it.  If the score is >= 5, mark it as spam.  If the score is < 5, 
mark it as not-spam/ham.



That way, the cheapest check (attachment filenames) is first and keeps 
those messages from clogging my more expensive checks.  Then I do the 
next cheapest check (ClamAV) and that keeps viruses and phishing 
attempts from clogging up spamassassin.  Only after I've eliminated all 
of that traffic do I then let spamassassin look at the message.




Re: SA not catching apostrophes in sender's addressess?

2006-12-28 Thread Chris
On Thursday 28 December 2006 12:22 pm, Benny Pedersen wrote:
> On Wed, December 27, 2006 04:01, Chris wrote:
> >> what virus is found in clamav ?
> >
> > X-Spam-Virus: Yes (Email.Stk.Gen124.Sanesecurity.06122204), this comes
> > from one of Steve Basford's add-ons.
>
> if clamav knows its a virus, why then test it as spam in spamassassin ?
Why not? I'm using the clamav plug-in as part of the spamassassin install.

> it only makes sense when using clamav as a mail tester with own signatures
The signatures I'm using are not mine, I have the daily and main signatures 
that I use as well as the MSRBL and SaneSecurity signatures.

> is the database path different from spamassassin for clamav so clamav plugin
> test only own signatures and not virus ?
All of the clamav databases are stored in /var/lib/clamav

> mixed setups makes more questions and more problems :-)
I don't understand what you mean by 'mixed setups'?

-- 
Chris
http://learn.to/quote




Re: Any anti-spam solution against outgoing mail?

2006-12-28 Thread hamann . w
>> Hello, list.
>> 
>> I have used well SA with procmail well against incoming mail.
>> But there are lots of outgoing spam-mails using web programs or using 
>> sendmail at my server.
>> (There are several domains are hosted at the server.)
>>  
>> So is there any program like spamassassin which can filter against outgoing 
>> spam mail?
>> or any program which can limit sending spam-mail?
>> 
>> Please recommend any for me..
>> 
>> my system is linux and sendmail.
>> 
>> 
>> 

Hi,

a) it might be possible to enforce valid sender through webserver config  
so it does not say
[EMAIL PROTECTED] but rather shows the actual domain
b) once domains are identified correctly, you might replace the 
/usr/sbin/sendmail by a wrapper
that performs rate limiting and/or alerting
c) both you and your client domains should receive bounces
d) you should educate your clients about email form best practices

Wolfgang Hamann
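
A sketch of the wrapper suggested in (b), as an added example that is not part of the original post and not an existing program: it stands in for /usr/sbin/sendmail, keys a sliding-window limit on the envelope-sender domain from (a), and logs an alert and refuses with a temporary failure once the limit is hit. The renamed binary path, the state directory, the limit values and the use of `-f` by the web applications are assumptions.

```python
#!/usr/bin/env python3
"""Rate-limiting stand-in for /usr/sbin/sendmail (added example)."""
import fcntl
import json
import os
import re
import sys
import syslog
import time

REAL_SENDMAIL = "/usr/sbin/sendmail.real"  # assumption: original binary renamed
STATE_DIR = "/var/spool/sendmail-wrapper"  # assumption: writable by the web users
LIMIT = 50        # assumption: submissions allowed per sender key ...
WINDOW = 3600     # ... within this many seconds
EX_TEMPFAIL = 75  # sysexits.h value: temporary failure, try again later


def sender_key(argv, uid):
    """Key the limit on the domain of the -f envelope sender (point a of the
    post); fall back to the calling UID when no usable -f is present."""
    addr = None
    args = iter(argv[1:])
    for arg in args:
        if arg == "-f":
            addr = next(args, None)
        elif arg.startswith("-f") and len(arg) > 2:
            addr = arg[2:]
    addr = (addr or "").strip("<>")
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    # The key becomes a file name, so accept hostname characters only.
    if re.fullmatch(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?", domain):
        return domain
    return "uid%d" % uid


def decide(stamps, now, limit=LIMIT, window=WINDOW):
    """Return (allowed, new_stamps). Refused attempts are not recorded, so a
    sender that stops flooding is released as old entries age out."""
    recent = [t for t in stamps if now - t < window]
    if len(recent) >= limit:
        return False, recent
    return True, recent + [now]


def check_and_record(key, now, state_dir=STATE_DIR, limit=LIMIT, window=WINDOW):
    """Apply decide() to the per-key state file under an exclusive lock, so
    concurrent web processes cannot both slip under the limit."""
    path = os.path.join(state_dir, key + ".json")
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    with os.fdopen(fd, "r+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        raw = fh.read()
        try:
            stamps = json.loads(raw) if raw else []
        except ValueError:
            stamps = []  # corrupt state: start over rather than block mail
        allowed, stamps = decide(stamps, now, limit, window)
        fh.seek(0)
        fh.truncate()
        json.dump(stamps, fh)
    return allowed


def main(argv):
    syslog.openlog("sendmail-wrapper", syslog.LOG_PID, syslog.LOG_MAIL)
    key = sender_key(argv, os.getuid())
    try:
        allowed = check_and_record(key, time.time())
    except OSError as exc:
        allowed = True  # state unavailable: deliver, but tell the admin
        syslog.syslog(syslog.LOG_ERR, "state error for %s: %s" % (key, exc))
    if not allowed:
        # The alerting half: one log line per refused submission.
        syslog.syslog(syslog.LOG_WARNING,
                      "rate limit exceeded for %s (cwd=%s)" % (key, os.getcwd()))
        return EX_TEMPFAIL
    # Hand stdin and the original arguments to the real binary unchanged.
    os.execv(REAL_SENDMAIL, [REAL_SENDMAIL] + argv[1:])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The working directory in the alert line usually points at the web script that called the wrapper, which is what the administrator needs in order to find the abused form.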






Re: whitelisting "from" and not "return path" addresses

2006-12-28 Thread JamesDR

Paul Andrews wrote:
> HI,
> After whitelisting my own email address, it seems that spammers will
> frequently put my own email address in the "return path" but not in the
> "from". Is it possible for Spam Assassin to make a distinction between
> the two so that it will block such messages?  Below is an example of
> such headers.


You'd not want to just whitelist your name, you'd want to tie it to 
something, like if you auth'd (not sure how to do this), SPF 
(whitelist_from_spf), or ip (whitelist_from_rcvd).


It is very easy for spammers to use your email as the 'sender'. Another
option (just shots in the dark) is to override the whitelist (+100 or
so) when the mail is from you... to you. I'm not sure how one would do
this. But these are all ideas.



--
Thanks,
James



whitelisting "from" and not "return path" addresses

2006-12-28 Thread Paul Andrews
HI,
After whitelisting my own email address, it seems that spammers will frequently 
put my own email address in the "return path" but not in the "from". Is it 
possible for Spam Assassin to make a distinction between the two so that it 
will block such messages?  Below is an example of such headers.

--

Return-Path: <[EMAIL PROTECTED]>
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mail.prospeed.net
X-Spam-Level: 
X-Spam-Status: No, score=-75.6 required=4.7 tests=BAYES_80,EXTRA_MPART_TYPE,
 FORGED_RCVD_HELO,FUZZY_OCR,HTML_90_100,HTML_IMAGE_ONLY_08,
 HTML_MESSAGE,MIME_HTML_MOSTLY,RCVD_HELO_IP_MISMATCH,RCVD_IN_SORBS_WEB,
 RCVD_IN_XBL,RCVD_NUMERIC_HELO,UNPARSEABLE_RELAY,USER_IN_WHITELIST 
 autolearn=no version=3.1.7
Received: from 82.79.197.4 (86-122-136-2.rdsnet.ro [86.122.136.2] (may be 
forged))
 by mail.prospeed.net (8.13.6/8.13.6) with ESMTP id kBSKH6sn023009
 for <[EMAIL PROTECTED]>; Thu, 28 Dec 2006 15:17:07 -0500
Received: from fm-bank.com.s8b2.psmtp.com (port=6583 helo=upmydjbtqx)
 by 82.79.197.4 with smtp
 id 8fRjB-boT0U-56
 for [EMAIL PROTECTED]; Thu, 28 Dec 2006 22:17:10 +0200
Message-ID: <[EMAIL PROTECTED]>
From: "Leonard West" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: wicked shall not; that he his wages be in sending a
Date: Thu, 28 Dec 2006 22:17:10 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
 type="multipart/alternative";
 boundary="=_NextPart_000_000C_01C72ACD.E74AF4E0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2871
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2871


Thanks,
Paul

Re: Best / Easiest way to report spam?

2006-12-28 Thread Will Duff

If your users are using either Mozilla Thunderbird or Microsoft
Outlook, you should look into my plugin: SpamAssassin Coach.  This
plug-in/extension basically automates the task of sending a TELL
command to a local or remote spamd server via the spamd protocol to
report/revoke spam or ham messages.  All users have to do is select a
spam message in their inbox and hit Learn As Spam and the message will
be reported to a specified spamd server.

NOTE: This plugin is still under development and undergoing testing.
I will be releasing a new version for Mozilla Thunderbird soon that
should be working well.  The Microsoft Outlook version (which seems to
have some problems) will need to be completely rewritten in Visual
Basic, but stay tuned for that update as well.

SpamAssassin Coach -
https://sourceforge.net/projects/soc2006spamd/


Re: Best / Easiest way to report spam?

2006-12-28 Thread Micke Andersson

Andrzej Adam Filip wrote:
> Anders Norrbring <[EMAIL PROTECTED]> writes:
>> Micke Andersson wrote:
>>> Anders Norrbring wrote:
>>>> I have a setup with Postfix, Amavis-new and SpamAssassin on one
>
> 0) Micke suggested using *public IMAP folder*
>    (as I understand single public folder for *all* users).
> 1) IMHO it is not a good idea to use one bayes db for all users unless
>    you service small and homogeneous community.
>    It is not uncommon that one person spam is another person ham.

Yes,
I would very much agree with you there, but then, Anders is using
AmavisD-new, and it does not support personal Bayes DB's, AFAIK,
AmavisD-new only supports system wide Bayes.
So then he is kind of stuck with a global handling of SPAM and HAM.
And another thing, the Q was "The easiest way"!

However, as you said, the best way is to have personalized Bayes
training to have the best and most accurate hits on Bayes.

/Micke


remove spam reports from spam email body

2006-12-28 Thread vertito
I am seeing detailed spamassassin reports when a specific spam email was
tagged such as below:

Content analysis details:   (37.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 INVALID_TZ_GMT         Invalid date in header (wrong GMT/UTC timezone)
 1.8 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
 2.5 HELO_DYNAMIC_IPADDR2   Relay HELO'd using suspicious hostname (IP addr
                            2)
 1.2 HTML_IMAGE_ONLY_20     BODY: HTML: images with 1600-2000 bytes of words

My queries would be, is there any way I could remove them from the spam email
report, since these scores were already included from email headers?
TIA
 


Re: Problem with Update

2006-12-28 Thread Theo Van Dinter
On Thu, Dec 28, 2006 at 12:48:16PM +0100, sasa wrote:
> Hi, I have updated SA from spamassassin-3.0.4 to spamassassin-3.1.7 with 
> YUM method and all it's ok, but when I run sa-update I have this error:
> 
> [EMAIL PROTECTED] ~]# sa-update
> Can't locate IO/Zlib.pm in @INC (@INC contains: 
> 
> Where is the problem ??

You need to install the IO::Zlib module.  Please see the INSTALL doc.

-- 
Randomly Selected Tagline:
"To announce that there must be no criticism of the President, or that we
 are to stand by the President, right or wrong, is not only unpatriotic
 and servile, but is morally treasonable to the American public."
 - Theodore Roosevelt, 1918




Re: Botnet 0.7 Plugin is available

2006-12-28 Thread John Rudd

Thomas Bolioli wrote:
> It seems to have an issue with mail sent through forwarders like alumni
> accounts and one mail type systems. I am sending you a note off line
> with the details.



No... it doesn't look that way at all.

If you read the spam report headers, it clearly states what the problem 
is with _BOTH_ of the messages you sent me:


   *  0.1 BOTNET_BADDNS Relay doesn't have full circle DNS

BOTNET is triggering because the relay which is submitting the message 
to you doesn't have full circle DNS (the hostname returned by the PTR 
lookup doesn't resolve back to the IP address that is submitting the 
message).  It's not because BOTNET has a problem with mail forwarding 
services (not indicated at all by the first message you sent me), nor is 
it because it's a server initiated message (the second message; the 
presence of BOTNET_SERVERWORDS should have scored -0.1, and would have 
served to prevent BOTNET_CLIENT from triggering ... which it did: 
BOTNET_CLIENT doesn't show up in that message's spam report).


In that regard, neither of these is a false positive.  BOTNET is told to 
flag messages that have "Bad DNS" configurations, and these two mail 
relays have bad dns configurations, so BOTNET flagged them.


I can't tell you if the messages themselves were spam or not... the 2nd 
one definitely looks like spam to me, but the sender/recipient/subject 
of the first one doesn't look like spam.  If you say that they're ham, 
then I would give you a few courses of action:



1) add the domain name in a "botnet_pass_domains" entry in Botnet.cf:

For the first message:

 * [botnet_baddns,ip=198.212.10.108,rdns=permemail05.alumniconnections.com]

becomes:

botnet_pass_domains alumniconnections\.com

For the second message:

 * [botnet_baddns,ip=208.66.204.41,rdns=mail31.uptilt.com]

becomes:

botnet_pass_domains uptilt\.com


2) for the second message, either do something like the above, or add 
the IP address, in the botnet report, to Botnet.cf as a botnet_pass_ip:


For the first message:

 * [botnet_baddns,ip=198.212.10.108,rdns=permemail05.alumniconnections.com]

becomes:

botnet_pass_ip ^198\.212\.10\.108$

For the second message:

 * [botnet_baddns,ip=208.66.204.41,rdns=mail31.uptilt.com]

becomes:

botnet_pass_ip ^208\.66\.204\.41$


3) send email to abuse@ hostmaster@ and postmaster@ each of the domains, 
showing them the headers of the message they sent you, including the 
spam report headers, and informing them that their DNS misconfigurations 
make their mail servers appear to be potential spam sources, and that 
they should fix this by having the hostnames returned by any of their 
PTR records actually resolve back to the IP address that the PTR record 
is attached to.



IMO: the 3rd one is the thing that should happen (the mail servers 
should have their DNS configurations fixed).  I'll think about adding 
alumniconnections.com to the centrally distributed Botnet.cf.  But, 
given the content of the message from uptilt.com, I really don't think 
I'd add them to the centrally distributed Botnet.cf.
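
The full-circle DNS test described above, together with the effect of the two kinds of pass entry, as an added example (not the Botnet plugin's code and not part of the original post). How the pass patterns are matched is an assumption of this sketch, and the resolver tables are constructed so that it runs offline; the function and table names are hypothetical.

```python
import ipaddress
import re
import socket

# Constructed resolver tables standing in for live DNS. The first two IP/rDNS
# pairs are the ones in the report lines quoted in the post; the others use
# documentation addresses. No forward records are listed for the two quoted
# hostnames, which reproduces the "doesn't resolve back" case.
PTR = {
    "198.212.10.108": ["permemail05.alumniconnections.com"],
    "208.66.204.41": ["mail31.uptilt.com"],
    "192.0.2.25": ["mail.example.org."],
    "192.0.2.77": ["host.example.net"],
}
A = {
    "mail.example.org": ["192.0.2.25"],
    "host.example.net": ["192.0.2.78"],  # resolves, but to another address
}


def constructed_ptr(ip):
    """PTR lookup against the constructed table."""
    return PTR.get(ip, [])


def constructed_forward(hostname):
    """A lookup against the constructed table."""
    return A.get(hostname, [])


def system_ptr(ip):
    """PTR names for ip via the system resolver; empty list if none."""
    try:
        name, aliases, _addrs = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name] + aliases


def system_forward(hostname):
    """A/AAAA addresses for hostname via the system resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except OSError:
        return []
    return sorted({info[4][0].split("%")[0] for info in infos})


def confirms(ip, names, forward_lookup):
    """True if any PTR name resolves forward to the submitting address."""
    want = ipaddress.ip_address(ip)
    for name in names:
        for addr in forward_lookup(name):
            if ipaddress.ip_address(addr) == want:
                return True
    return False


def evaluate_relay(ip, pass_domains=(), pass_ips=(),
                   ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Classify one relay: pass-listed, full-circle ok, or bad DNS.

    Assumption: pass_ips are regexes searched against the dotted IP, and
    pass_domains are regexes that must match the end of the PTR name on a
    label boundary.
    """
    if any(re.search(pat, ip) for pat in pass_ips):
        return "pass_ip"
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    for pat in pass_domains:
        rx = re.compile(r"(?:^|\.)(?:%s)$" % pat)
        if any(rx.search(n) for n in names):
            return "pass_domain"
    if not names:
        return "baddns: no PTR"
    if confirms(ip, names, forward_lookup):
        return "ok"
    return "baddns: PTR %s does not resolve back to %s" % (",".join(names), ip)
```

In this model a domain pass entry is matched against a PTR name that, in the bad-DNS case, has not been confirmed by a forward lookup and is set by whoever controls the reverse zone for that address. An IP pass entry does not depend on that name.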




Re: SA not catching apostrophes in sender's addressess?

2006-12-28 Thread Benny Pedersen

On Wed, December 27, 2006 04:01, Chris wrote:

>> what virus is found in clamav ?
> X-Spam-Virus: Yes (Email.Stk.Gen124.Sanesecurity.06122204), this comes from
> one of Steve Basford's add-ons.

if clamav knows its a virus, why then test it as spam in spamassassin ?

it only makes sense when using clamav as a mail tester with own signatures

is the database path different from spamassassin for clamav so clamav plugin
test only own signatures and not virus ?

mixed setups makes more questions and more problems :-)

-- 
This message was sent using 100% recycled spam mails.



Re: Best / Easiest way to report spam?

2006-12-28 Thread John D. Hardin
On Thu, 28 Dec 2006, Anders Norrbring wrote:

> >> What's the best / easiest way(s) to enable users to report spam mails 
> >> for training the Bayes DB?
> >
> > I would say that the easiest way would be to set up a public IMAP folder 
> > where the users should drag-n-drop their SPAM mails into, and then 
> > should you set up a cron-job to read that particular IMAP folder, and do 
> > the learning.
> 
> Yep, but I was thinking more in the line of a central "deposit"
> thing..  Like the user feels it's a spam, click on "report" and
> the mail is sent to that place,

Forwarding messages for training is problematic, and what you're
suggesting implies scriptability of the users' mail client.

If they're already familiar with using mail folders to organize their
mail, then adding system-defined spam- and ham-training folders will
make sense to them. If they aren't, you're probably looking at
somebody who has 10,000 uncategorized messages in their inbox (or, as
I've seen before, in their Trash folder, which they're using as an
"I've already read that one and don't want it in my inbox but don't
want to lose it" filing mechanism), in which case they could probably
use some training in how to manage their email properly.

> I guess it would be easier for both me and the users to not have
> to scan every users spam folder.

Automating the processing of any number of user training folders is 
simple. And which do you feel the users would find more annoying: 
having marginal spams dropped in their inbox (i.e. in their face) or 
into a spam-inbox that they can review at their leisure?

Having a FP dropped into the spam-inbox makes it very obvious that
training is needed; dropping the same message into the inbox with just
a "[SPAM]" notation in the subject line does not indicate that as
clearly and would probably lead to under-training ham.

Plus, giving the users their own ham-training folders allows them to 
pick a cross-section of their normal traffic for ham training, rather 
than having you go trolling through their mail folders for ham. This 
may be more acceptable to them from a privacy standpoint.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The question of whether people should be allowed to harm themselves
  is simple. They *must*.   -- Charles Murray
---
 677 days until the Presidential Election



Re: Best / Easiest way to report spam?

2006-12-28 Thread Andrzej Adam Filip
Anders Norrbring <[EMAIL PROTECTED]> writes:

> Micke Andersson wrote:
>> Anders Norrbring wrote:
>>> I have a setup with Postfix, Amavis-new and SpamAssassin on one
>>> server, and the IMAP server on another.
>>>
>>> What's the best / easiest way(s) to enable users to report spam
>>> mails for training the Bayes DB?
>> I would say that the easiest way would be to set up a public IMAP
>> folder where the users should drag-n-drop their SPAM mails into, and
>> then should you set up a cron-job to read that particular IMAP
>> folder, and do the learning.
>> But then, you should/shall also setup a Public folder for HAM's as
>> well. Otherwise your Bayes will not be too much of use.
>>
>> There are a few ready to use scripts out there to read an IMAP
>> folder to teach your Bayes DB for you.
>
> Yep, but I was thinking more in the line of a central "deposit"
> thing.. Like the user feels it's a spam, click on "report" and the
> mail is sent to that place, and then read by SA.

0) Micke suggested using *public IMAP folder*
   (as I understand single public folder for *all* users).
1) IMHO it is not a good idea to use one bayes db for all users unless
   you service small and homogeneous community.
   It is not uncommon that one person spam is another person ham.

> I guess it would be easier for both me and the users to not have to
> scan every users spam folder.

-- 
[pl2en: Andrew] Andrzej Adam Filip : [EMAIL PROTECTED] : [EMAIL PROTECTED]
Home site: http://anfi.homeunix.net/


FuzzyOCR and 'valid' embedded Images

2006-12-28 Thread Greg Skouby
Hi All,


We have some users of our mail system that are using Lotus Notes for
their MUA. In Lotus Notes they have the option of using, for lack of a
better word, some 'stationery' that effectively embeds three images into
the outgoing email.  If the original recipient replies to that original
message with an HTML message of their own then the three images get
embedded into the second email that is sent back to the original sender.
Things get confusing here so follow me. If the original sender then
replies to the reply from the original recipient then three MORE images
get embedded into the message for a total of six embedded images. You
see where I am going here? In a long enough conversation the embedded
images start to stack up. 


If a conversation ensues of any length then we start to hit the
following tests which push the score WAY over the minimum:


SARE_GIF_ATTACH
TVD_FW_GRAPHIC_NAME_MID
MY_CID_AND_STYLE
MY_CID_AND_ARIAL2
PART_CID_STOCK
TVD_FW_GRAPHIC_ID1
PART_CID_STOCK_LESS

In some extreme cases the emails even start to hit RAZOR tests but I am
less concerned about that.

I know you could argue that Lotus Notes is not playing 'nicely' but I
can't really control that. I just want to solve the problem but if you
have any suggestions of how to make Lotus Notes behave better, apart
from just not sending HTML email, I would be happy to hear them. 

In order to start to solve the problem I installed FuzzyOCR; I figured
this was a good step to discern between 'hammy' and 'spammy' images. The
FuzzyOCR installation seems to have worked correctly. My question is
where do I go from here? My inclination is to decrease the scores for
the above referenced rules, besides the RAZOR tests. Does this sound
like the correct way to go?


I am running 3.1.7 with sa-update and some of the various SARE rulesets.
I have AWL and Bayes turned on also.

Thanks for your thoughts!




--Greg





VBounce with SA 3.0.4

2006-12-28 Thread Larry Nedry
Hello All,

I am administering a linux box that has the Plesk 8.1 control panel
installed.  SpamAssassin 3.0.4 comes with the Plesk package and it doesn't
look like it would be easy to upgrade to the latest version of SA.

I want to install VBounce which requires Mail::SpamAssassin::Logger.  It
appears that Logger first appeared in SA 3.1.0.

Is it possible to install the Logger module on SA 3.0.4?  Or is there
another way that I could install VBounce?

Nedry


Re: "Present" slipping through - same as "insider information"

2006-12-28 Thread maillist

Vernon Webb wrote:
> I have a ton of these emails getting through that have the sender's name and the word
> Present getting through and they are the same as the insider information from last
> week. I have MailScanner, SpamAssassin, SARE, Botnet, Razor2, Pyzor, ClamAv and f-prot
> all installed and as far as I know working properly. Anyone else having this issue?
>
> Thanks

  
I do not have that issue.  Are you using sa-learn to learn the messages 
as spam?


-=Aubrey=-


Re: Precleaning SA market spam from Mbox?

2006-12-28 Thread maillist

JamesDR wrote:
> David Flanigan wrote:
>> James,
>> Thanks for the reply. I was not planning on double scanning, the BCC
>> idea is basically the same, though I would be doing it via the
>> /etc/aliases mapping to make it transparent. I am running Sendmail as
>> the MTA.
>> The real question is how to do the spam check, either during or after
>> the messages hit the PDA mailbox. That is where the script or other
>> appropriate tool would come in. Advice on such a tool would be
>> appreciated.

Can you not use sendmail's milter for this?

-=Aubrey=-


Re: Best / Easiest way to report spam?

2006-12-28 Thread Anders Norrbring

Micke Andersson wrote:
> Anders Norrbring wrote:
>> I have a setup with Postfix, Amavis-new and SpamAssassin on one
>> server, and the IMAP server on another.
>>
>> What's the best / easiest way(s) to enable users to report spam mails
>> for training the Bayes DB?
> I would say that the easiest way would be to set up a public IMAP folder
> where the users should drag-n-drop their SPAM mails into, and then
> should you set up a cron-job to read that particular IMAP folder, and do
> the learning.
> But then, you should/shall also setup a Public folder for HAM's as well.
> Otherwise your Bayes will not be too much of use.
>
> There are a few ready to use scripts out there to read an IMAP folder to
> teach your Bayes DB for you.

Yep, but I was thinking more in the line of a central "deposit" thing..
Like the user feels it's a spam, click on "report" and the mail is sent
to that place, and then read by SA.

I guess it would be easier for both me and the users to not have to scan
every users spam folder.


--

Anders Norrbring
Norrbring Consulting




Re: Best / Easiest way to report spam?

2006-12-28 Thread Micke Andersson

Anders Norrbring wrote:
> I have a setup with Postfix, Amavis-new and SpamAssassin on one
> server, and the IMAP server on another.
>
> What's the best / easiest way(s) to enable users to report spam mails
> for training the Bayes DB?

I would say that the easiest way would be to set up a public IMAP folder
where the users should drag-n-drop their SPAM mails into, and then
should you set up a cron-job to read that particular IMAP folder, and do
the learning.
But then, you should/shall also setup a Public folder for HAM's as well.
Otherwise your Bayes will not be too much of use.

There are a few ready to use scripts out there to read an IMAP folder to
teach your Bayes DB for you.


/Micke


Re: Error in FuzzyOcr 3.5.x branch

2006-12-28 Thread Jim Knuth
Today (28.12.2006/13:27) decoder wrote:

>>
>> spamassassin --lint Subroutine FuzzyOcr::O_NONBLOCK redefined at
>> /usr/share/perl/5.8/Exporter.pm line 65. at
>> /usr/lib/perl/5.8/POSIX.pm line 19
>>
>> What is that still?
> This is no FuzzyOcr problem but a perl core problem. Two core perl
> modules export the same constant(s) (in this case O_NONBLOCK). You can
> safely ignore this. Upgrading perl might remove this warning.


> Chris


You mean, my perl (version 5.8.4) is broken. Or is this a known
bug?


-- 
Kind regards,
 Jim Knuth
 [EMAIL PROTECTED]
 ICQ #277289867
--
Random quote
--
No one ever says, "I can't read that ASCII Email you sent me."
--
The text has nothing to do with the recipient of the mail
--
Virus free. Checked by NOD32 Version 1942 Build 8653  28.12.2006



Best / Easiest way to report spam?

2006-12-28 Thread Anders Norrbring
I have a setup with Postfix, Amavis-new and SpamAssassin on one server, 
and the IMAP server on another.


What's the best / easiest way(s) to enable users to report spam mails 
for training the Bayes DB?

--

Anders Norrbring
Norrbring Consulting




-u spamd syntax

2006-12-28 Thread Jean-Paul Natola
Is this the correct syntax  for my rc.conf 



spamd_enable="YES"
spamd_flags="-c -u spamd -H /var/spool/spamd/spamassassin"


freebsd 5.4
sa 3.1.7








Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]



Re: "Present" slipping through - same as "insider information"

2006-12-28 Thread Duane Hill

Vernon Webb wrote:
> I have a ton of these emails getting through that have the sender's name and the word
> Present getting through and they are the same as the insider information from last
> week. I have MailScanner, SpamAssassin, SARE, Botnet, Razor2, Pyzor, ClamAv and f-prot
> all installed and as far as I know working properly. Anyone else having this issue?
>
> Thanks



I, like Chris who posted results, don't have hardly any slipping through 
here either. I don't have Pyzor, DCC or Razor running and have bayes 
trained up. I do keep rules that I keep updated on a daily basis using 
sa-update. Here is a header from one such message that was trapped:


X-Spam-Level: xx
X-Spam-Status: Hits:14.6 Learn:no Tests:BAYES_99,HELO_DYNAMIC_IPADDR,
RCVD_FORGED_WROTE,SARE_LWSHORTT,SARE_MLB_Stock1,SARE_MLB_Stock2



Re: "Present" slipping through - same as "insider information"

2006-12-28 Thread Chris
On Thursday 28 December 2006 8:12 am, Vernon Webb wrote:
> I have a ton of these emails getting through that have the sender's name
> and the word Present getting through and they are the same as the insider
> information from last week. I have MailScanner, SpamAssassin, SARE, Botnet,
> Razor2, Pyzor, ClamAv and f-prot all installed and as far as I know working
> properly. Anyone else having this issue?
>
> Thanks

They're not slipping through here:

Content analysis details:   (45.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.2 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr
                            1)
 2.8 RCVD_FORGED_WROTE      Forged 'Received' header found ('wrote:' spam)
 5.0 BOTNET                 Relay might be a spambot or virusbot
[botnet0.7,ip=70.62.66.95,hostname=rrcs-70-62-66-95.midsouth.biz.rr.com,maildomain=ace-ina.com,client,ipinhostname]
 1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
 1.7 SARE_MLB_Stock2        BODY: SARE_MLB_Stock2
 0.8 SARE_LWSHORTT          BODY: SARE_LWSHORTT
 1.5 IXHASH                 BODY: Classified as spam at iX Magazine, Germany
 1.5 LOGINHASH2             BODY: Classified as spam at unknown company, Germany
 1.5 LOGINHASH1             BODY: Spam at LogIn&Solutions AG, Germany
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.8 DIGEST_MULTIPLE        Message hits more than one network digest check
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Are you running any network tests? Any SARE rule sets installed? Steve Basford 
does a fantastic job with his add-on clamav signature files for phishing and 
scam messages. This one was tagged as X-Spam-Virus: Yes 
(Email.Stk.Gen124.Sanesecurity.06122204). But even without the clamav tag 
this would have still been picked up as spam.

HTH

-- 
Chris
http://learn.to/quote




Re: dns_available

2006-12-28 Thread Duane Hill

Not a problem. Two links I always have close by:

  The documentation for SA
  http://spamassassin.apache.org/full/3.1.x/doc/

  The Wiki page for SA
  http://wiki.apache.org/spamassassin/

Most general configurations in the local.cf are contained in:
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html

vertito wrote:
thanks 


-O

dns_available  1

or

dns_available  yes




 From the documentation:

dns_available { yes | test[: name1 name2...] | no }
(default: test)

By default, SpamAssassin will query some default hosts on the internet to attempt to check if DNS is working or not. The problem is that it can introduce some delay if your network connection is down, and in some cases it can wrongly guess that DNS is unavailable because the test connections failed. SpamAssassin includes a default set of 13 servers, among which 3 are picked randomly.

You can however specify your own list by specifying

   dns_available test: domain1.tld domain2.tld domain3.tld

Please note, the DNS test queries for NS records.

SpamAssassin's network rules are run in parallel. This can cause overhead in terms of the number of file descriptors required; it is recommended that the minimum limit on file descriptors be raised to at least 256 for safety.







"Present" slipping through - same as "insider information"

2006-12-28 Thread Vernon Webb
I have a ton of these emails getting through that have the sender's name and the word Present getting through and they are the same as the insider information from last week. I have MailScanner, SpamAssassin, SARE, Botnet, Razor2, Pyzor, ClamAv and f-prot all installed and as far as I know working properly. Anyone else having this issue?

Thanks


RE: dns_available

2006-12-28 Thread vertito
thanks 

-O
> 
> dns_available  1
> 
> or
> 
> dns_available  yes
> 
> 

 From the documentation:

dns_available { yes | test[: name1 name2...] | no }
(default: test)

By default, SpamAssassin will query some default hosts on the internet to attempt to check if DNS is working or not. The problem is that it can introduce some delay if your network connection is down, and in some cases it can wrongly guess that DNS is unavailable because the test connections failed. SpamAssassin includes a default set of 13 servers, among which 3 are picked randomly.

You can however specify your own list by specifying

   dns_available test: domain1.tld domain2.tld domain3.tld

Please note, the DNS test queries for NS records.

SpamAssassin's network rules are run in parallel. This can cause overhead in terms of the number of file descriptors required; it is recommended that the minimum limit on file descriptors be raised to at least 256 for safety.




Re: false "positive" with vbounce plugin

2006-12-28 Thread Justin Mason

noted and fixed in trunk - thx!

--j.

Alex Woick writes:
> Hello,
> 
> I am using the VBounce.pm plugin to catch backscatter bounces, and there 
> is a small problem with locally auto-created mail. The mail is 
> created by Cron on a Fedora Core 5 system and is attached below. It is 
> falsely declared as BOUNCE_MESSAGE because of the "Auto-Submitted: 
> auto-generated" header and MY_SERVERS_FOUND not triggered. 
> MY_SERVERS_FOUND is of course not triggered, since the message is no 
> bounce message at all, so whitelist_bounce_relay cannot catch anything.
> 
> I suggest a change in 20_vbounce.cf and add an exception for one of the 
> X-Cron-Env headers just like the __XM_VBULLETIN exception in 20_vbounce.cf.
> 
> Return-Path: <[EMAIL PROTECTED]>
> X-Original-To: [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> Received: from lxrouter.wombaz.localnet (localhost.localdomain [127.0.0.1])
>   by lxrouter.wombaz.localnet (Postfix) with ESMTP id 2AE5E46865
>   for <[EMAIL PROTECTED]>; Sun, 24 Dec 2006 00:00:11 +0100 (CET)
> X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
>   lxrouter.wombaz.localnet
> X-Spam-Level:
> X-Spam-Status: No, score=-2.8 required=5.0 tests=ANY_BOUNCE_MESSAGE,AWL,
>   BAYES_00,BOUNCE_MESSAGE,DK_POLICY_SIGNSOME,NO_RELAYS autolearn=no
>   version=3.1.7
> Received: by lxrouter.wombaz.localnet (Postfix, from userid 9)
>   id 0F6CF4691C; Sun, 24 Dec 2006 00:00:11 +0100 (CET)
> From: [EMAIL PROTECTED] (Cron Daemon)
> To: [EMAIL PROTECTED]
> Subject: Cron <[EMAIL PROTECTED]> /usr/local/bin/run-bbsmaint-midnight
> Content-Type: text/plain; charset=UTF-8
> Auto-Submitted: auto-generated
> X-Cron-Env: 
> X-Cron-Env: 
> X-Cron-Env: 
> X-Cron-Env: 
> X-Cron-Env: 
> Message-Id: <[EMAIL PROTECTED]>
> Date: Sun, 24 Dec 2006 00:00:11 +0100 (CET)
> 
> 1 00:00:02  Start
> 6 00:00:02  Checking tmp dir
> C 00:00:02  Start file...
> [...]
> 
> 
> Regards,
> Alex


Re: Precleaning SA market spam from Mbox?

2006-12-28 Thread JamesDR

David Flanigan wrote:
> James,
>
> Thanks for the reply. I was not planning on double scanning, the BCC idea is basically
> the same, though I would be doing it via the /etc/aliases mapping to make it
> transparent. I am running Sendmail as the MTA.
>
> The real question is how to do the spam check, either during or after the messages hit
> the PDA mailbox. That is where the script or other appropriate tool would come in.
> Advice on such a tool would be appreciated.


I've never personally used sendmail, so I can't be of much assistance. I 
would check with the guys on the sendmail list to see if this is doable. 
Another such idea is to go through the directory for the mail box and 
delete (rm) any mails which have X-Spam-Status: Yes (or however you do 
your headers). This can be done with a shell script. Tho, this has the 
problem of being fired at intervals as opposed to when the MTA delivers the 
mail.


--
Thanks,
James
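
The cleanup described in the post above, as an added example that is not part of the original message. It assumes one message per file (a Maildir-style `new` or `cur` directory) and a tag header beginning `X-Spam-Status: Yes`; the function names and sample messages are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes one message per file in DIR
# and that SpamAssassin tags spam with a header starting "X-Spam-Status: Yes".

# is_tagged_spam FILE: exit 0 if the header block carries the spam tag.
is_tagged_spam() {
    # Stop at the first empty line: only headers count, so a body that
    # merely quotes the header never gets a message deleted.
    awk '
        /^\r?$/ { exit }
        tolower($0) ~ /^x-spam-status:[ \t]*yes/ { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# purge_spam DIR [--delete]: print tagged files; remove them only with --delete.
# The body runs in a subshell so its variables do not leak into the caller.
purge_spam() (
    dir=$1
    mode=${2:-}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # skip subdirectories and empty globs
        if is_tagged_spam "$f"; then
            printf '%s\n' "$f"
            if [ "$mode" = "--delete" ]; then rm -f -- "$f"; fi
        fi
    done
)

# make_sample_dir: write three constructed messages, print the directory path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'From: a@example.com\nX-Spam-Status: Yes, score=14.6\n\nbuy now\n' > "$d/1"
    printf 'From: b@example.com\nX-Spam-Status: No, score=-2.8\n\nhello\n' > "$d/2"
    # Ham whose body quotes the tag; it must survive the purge.
    printf 'From: c@example.com\n\nX-Spam-Status: Yes\n' > "$d/3"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
purge_spam "$sample"            # dry run: lists only the tagged message
purge_spam "$sample" --delete   # removes it, leaving the two ham messages
rm -rf -- "$sample"
```

Running without `--delete` first shows what a scheduled run would remove before anything is deleted.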



Re: Error in FuzzyOcr 3.5.x branch

2006-12-28 Thread decoder


Jim Knuth wrote:
> Today (28.12.2006/05:10) Gary V wrote,
>
>>>> Jim, I have been working on a doc for Debian. It is unfinished but may help
>>>> you through some rough spots at this point. I have no idea when I'll have
>>>> time to finish it. I have 3.5.0-rc1 running for two days now (works great).
>>>>
>>>> http://www200.pair.com/mecham/spam/image_spam2.html Gary V
>>>
>>> mmh, sorry. But the same game.
>>>
>>> spamassassin --lint Subroutine FuzzyOcr::O_NONBLOCK redefined
>>> at /usr/share/perl/5.8/Exporter.pm line 65. at
>>> /usr/lib/perl/5.8/POSIX.pm line 19 Subroutine
>>> FuzzyOcr::debuglog redefined at /usr/share/perl/5.8/Exporter.pm
>>>  line 65. at /etc/mail/spamassassin/FuzzyOcr.pm line 24
>>> Subroutine FuzzyOcr::parse_config redefined at
>>> /usr/share/perl/5.8/Exporter.pm line 65. at
>>> /etc/mail/spamassassin/FuzzyOcr.pm line 25 Subroutine
>>> FuzzyOcr::check_image_hash_db redefined at
>>> /usr/share/perl/5.8/Exporter.pm line 65. at
>>> /etc/mail/spamassassin/FuzzyOcr.pm line 40 Subroutine
>>> FuzzyOcr::add_image_hash_db redefined at
>>> /usr/share/perl/5.8/Exporter.pm line 65. at
>>> /etc/mail/spamassassin/FuzzyOcr.pm line 40 Subroutine
>>> FuzzyOcr::calc_image_hash redefined at
>>> /usr/share/perl/5.8/Exporter.pm line 65. at
>>> /etc/mail/spamassassin/FuzzyOcr.pm line 40 Subroutine
>>> FuzzyOcr::wrong_ctype redefined at
>>> /usr/share/perl/5.8/Exporter.pm line 65. at
>>> /etc/mail/spamassassin/FuzzyOcr.pm line 42 Subroutine
>>> FuzzyOcr::corrupt_img redefined at
>>> /usr/share/perl/5.8/Exporter.pm line 65. at
>>> /etc/mail/spamassassin/FuzzyOcr.pm line 42 Subroutine
>>> FuzzyOcr::known_img_hash redefined at
>>> /usr/share/perl/5.8/Exporter.pm line 65. at
>>> /etc/mail/spamassassin/FuzzyOcr.pm line 42 Subroutine
>>> FuzzyOcr::max redefined at /usr/share/perl/5.8/Exporter.pm line
>>>  65. at /etc/mail/spamassassin/FuzzyOcr.pm line 43 [2769] warn:
>>> Subroutine new redefined at /etc/mail/spamassassin/FuzzyOcr.pm
>>>  line 48. [2769] warn: Subroutine dummy_check redefined at
>>> /etc/mail/spamassassin/FuzzyOcr.pm line 59. [2769] warn:
>>> Subroutine fuzzyocr_check redefined at
>>> /etc/mail/spamassassin/FuzzyOcr.pm line 63. [2769] warn:
>>> config: failed to parse line, skipping: focr_end_config [2769]
>>> warn: lint: 1 issues detected, please rerun with debug enabled
>>> for more information
>>>
>>>
>>> -- Viele Gruesse, Kind regards,
>
>> And what version of SpamAssassin are you running?
>
> SpamAssassin version 3.1.7 running on Perl version 5.8.4
>
>> Did you move all the old stuff out of the way and remove the
>> loadplugin entry in v310.pre?
>
> no. ;) That was it! And now gets only:
>
> spamassassin --lint Subroutine FuzzyOcr::O_NONBLOCK redefined at
> /usr/share/perl/5.8/Exporter.pm line 65. at
> /usr/lib/perl/5.8/POSIX.pm line 19
>
> What is that still?
This is no FuzzyOcr problem but a perl core problem. Two core perl
modules export the same constant(s) (in this case O_NONBLOCK). You can
safely ignore this. Upgrading perl might remove this warning.


Chris

>
>> In the 2.3 doc it had you comment out the loadplugin directive in
>> FuzzyOcr.cf and add one to v310.pre. This doc does not do that.
>
>> Gary V
>




Problem with Update

2006-12-28 Thread sasa
Hi, I have updated SA from spamassassin-3.0.4 to spamassassin-3.1.7 with the YUM 
method and all is ok, but when I run sa-update I have this error:


[EMAIL PROTECTED] ~]# sa-update
Can't locate IO/Zlib.pm in @INC (@INC contains: 
/usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.5 
/usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 
/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 
/usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 
/usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 
/usr/lib/perl5/site_perl 
/usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 
/usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 
/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl) at 
/usr/bin/sa-update line 95.

BEGIN failed--compilation aborted at /usr/bin/sa-update line 95.

Where is the problem ??
Thanks.

--
Salvatore.