Re: Using SA code to extract URLs ?

2007-01-13 Thread Jeff Chan
On Friday, January 12, 2007, 6:10:32 PM, Michael Cocke wrote:
> I was told a while back that the best way to extract urls from emails 
> was to use code from SpamAssassin.  Ok - Now, I need to do just that. 
> Any pointers?  I've looked thru the code in SpamCopURI, but unless there 
> are some docs hidden somewhere I can't even figure out the entry point. 
>   Are there some docs hidden somewhere (I hope!)?

Yes, SpamAssassin is a very good way to extract URLs from mails.

Listen to Theo.  SpamCopURI is a patch for an older version of
SpamAssassin so that it could use SURBLs.  The code built into
the latest SpamAssassin for getting URIs is likely more complete
and effective.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/



that's how they got my email address?

2007-01-13 Thread hamann . w
Hi,

I recently received this ad (1 million "opt-in" addresses of German companies).
I believe them that they collect information from a lot of sources (phone books, public
registers, etc) but I doubt the victims on their list were given a chance to opt in.

Maybe someone is interested to download the sample and see whether - and how -
their own company got into the list

Wolfgang Hamann



NEW! e-Market Deutschland 2007

1,000,000 opt-in e-mail addresses of German small and medium-sized businesses with complete
contact details. Unlimited export!

Precise details for every company! (line of business, address, telephone,
fax, name or names of the management, and e-mail)

Export an unlimited amount of selected data to a text file or Excel
so that you can carry out your direct marketing!

More than 150 different information sources were compiled for this company directory
and are regularly updated!

Did you know that responsibly operated e-mail is the direct-marketing
method that brings the most response at the lowest cost?

Advantages of the new application MailingTonic e-Market Deutschland 2007:
Many improvements in the new 2007 version
Significantly more information on the individual companies
700,000 new e-mail addresses
New search criteria
Greatly improved ease of use
Updated on 5 January 2007

Only 349 EUR instead of 698 EUR, only until 12 January 2007!

To download a free sample or for more information about e-Market
Deutschland 2007, click here to visit our website:

http://mm.wizzms.com/r/134144/t/2257714/
http://mm.wizzms.com/r/134145/t/2257714/






Re: that's how they got my email address?

2007-01-13 Thread vertito
I was thinking that they are making use of what google has been successful for,
crawling bots that _crawl_ web sites for targeted data for retrieval like email
address as for their case, but this time on a much different objective compared
to google.

Secondly, right after using zen.spamhaus, receiving and processing spam emails
from my box went really down. I just hope they won't send that million emails
coming from blacklisted IPs though.

And lastly, perhaps they get paid and were working from an anti-spam company
that sells costly spam filtering boxes that offers web-based configuration and
so so, curious.

My half cents.


[EMAIL PROTECTED] wrote:

Hi,

I recently received this ad (1 million "opt-in" addresses of german companies)
I believe them that they collect information from a lot of sources (phone books, public
registers, etc) but I doubt the victims on their list were given a chance to opt in.

Maybe someone is interested to download the sample and see whether - and how -
their own company got into the list

Wolfgang Hamann









  


RE: Rules always triggering.

2007-01-13 Thread Dave Koontz
Just a wild stab here, run a lint check on all your rules.  I once fat
fingered a rule in my local.cf file and got similar hit results as you are
describing here. 

-Original Message-
From: Daniel Staal [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 12, 2007 9:05 PM
To: Users-Spamassassin
Subject: Re: Rules always triggering.

--As of January 12, 2007 7:08:18 PM -0600, Shane Williams is alleged to have
said:

>> System is Darwin, running Postfix.  The sign-up message for this list 
>> got those rules triggered.  (_Everything_ triggers them.)
>
> This is just a guess, but is it possible that OS X's use of carriage 
> returns is making the message look to spamassassin as if it's a single 
> line of text?

--As for the rest, it is mine.

I said Darwin, not OS X, though I recognize it is a small distinction.  ;)

The mail files are all saved to my Maildir folders with unix line endings. 
In general Darwin handles files in the format it receives them, and
unix-tools create unix-files.

...But it does raise the question of what _Perl_ thinks the line endings
is...  Hmm.

Daniel T. Staal




Re: Huge File Size

2007-01-13 Thread Benny Pedersen

On Fri, January 12, 2007 02:14, Matt Kettler wrote:

> form of expiry is one reason why I say the AWL isn't really ready for
> production use on any servers that have decent mail volume)

if one entry is just deleted when will there be records with 2 ?

awl is tricky but good, we have to live with it or make some changes to how
it's updated, eg if an email address is seen just long time  ago and never
later delete it from awl, just delete the one 1 entries makes it not work

-- 
This message was sent using 100% recycled spam mails.



Re: Huge File Size

2007-01-13 Thread Benny Pedersen

On Fri, January 12, 2007 03:35, Christopher Jett wrote:

> OK - thanks.  So, for example, it's safe to delete the bayes_seen
> file after it gets over a certain size?  Is there a particular size
> after which performance degrades significantly?

i remember that file based bayes is huge, where sql based is working with
better expire in all aspects, so you might try to use sql for the bayes/awl

it sounds silly but it works

-- 
This message was sent using 100% recycled spam mails.



Re: Huge File Size

2007-01-13 Thread Matt Kettler
Benny Pedersen wrote:
> On Fri, January 12, 2007 02:14, Matt Kettler wrote:
>
>   
>> form of expiry is one reason why I say the AWL isn't really ready for
>> production use on any servers that have decent mail volume)
>> 
>
> if one entry is just deleted when will there be records with 2 ?
>   
I don't understand what you're saying here, at all. I'll take a wild
guess at what you might mean..

IMHO, the AWL should use atime based expiry, just like bayes. As it
stands now, the "number of hits" based purge algorithm is an absurdly
cheap hack at best and is a significant downside to the practical
usability of the AWL for anyone with a decent-sized mailserver.

This of course means the format of the AWL database needs to change,
because right now it doesn't store atime.
> awl is tricky but good, we have to live with it or make some changes to how
> its updated, eg if and email adresse is seen just long time  ago and newer
> later delete it from avl, just delete the one 1 entrys makes it not work
>
>   
I *think* you're in agreement with what I just said. Using last-accessed
time instead of hit-count makes substantially more sense.




RE: Rules always triggering.

2007-01-13 Thread Daniel Staal
--As of January 13, 2007 7:17:46 AM -0500, Dave Koontz is alleged to have 
said:



Just a wild stab here, run a lint check on all your rules.  I once fat
fingered a rule in my local.cf file and got similar hit results as you are
describing here.


--As for the rest, it is mine.

I fixed a couple of things, but the issue is still there.  Current lint 
output:


[24241] warn: config: failed to parse line, skipping: auto_learn 1
[24241] warn: config: failed to parse line, skipping: safe_reporting 0
[24241] warn: config: failed to parse line, skipping: use_terse_report 0
[24241] warn: config: failed to parse line, skipping: subject_tag *** Warning: Junk Mail ***
[24241] warn: config: failed to parse line, skipping: rewrite_subject 0
[24241] warn: config: warning: score set for non-existent rule FAKE_HELO_YAHOO
[24241] warn: config: warning: score set for non-existent rule HABEAS_SWE
[24241] warn: config: warning: score set for non-existent rule FAKE_HELO_USA_NET
[24241] warn: lint: 8 issues detected, please rerun with debug enabled for more information


(Yes, I've built this config over a long period of time...)

I'm liking the idea that this is an issue with Perl on Darwin expecting a 
different line ending.  I just need to figure out how to _verify_ that.


Daniel T. Staal

---
This email copyright the author.  Unless otherwise noted, you
are expressly allowed to retransmit, quote, or otherwise use
the contents for non-commercial purposes.  This copyright will
expire 5 years after the author's death, or in 30 years,
whichever is longer, unless such a period is in excess of
local copyright law.
---


Re: Rules always triggering.

2007-01-13 Thread Matt Kettler
Daniel Staal wrote:
> --As of January 13, 2007 7:17:46 AM -0500, Dave Koontz is alleged to
> have said:
>
>> Just a wild stab here, run a lint check on all your rules.  I once fat
>> fingered a rule in my local.cf file and got similar hit results as
>> you are
>> describing here.
>
> --As for the rest, it is mine.
>
> I fixed a couple of things, but the issue is still there.  Current
> lint output:
>
> [24241] warn: config: failed to parse line, skipping: auto_learn 1
Changed to bayes_auto_learn in sa 2.60
> [24241] warn: config: failed to parse line, skipping: safe_reporting 0
Erm, it's report_safe.. not safe_reporting. That's never been valid.
> [24241] warn: config: failed to parse line, skipping: use_terse_report 0
use_terse_report became irrelevant in 2.60 with the template commands.
delete it.

> [24241] warn: config: failed to parse line, skipping: subject_tag ***
> Warning: Junk Mail ***
> [24241] warn: config: failed to parse line, skipping: rewrite_subject 0
subject_tag and rewrite_subject were replaced with rewrite_header in SA
3.0.0

> [24241] warn: config: warning: score set for non-existent rule
> FAKE_HELO_YAHOO
> [24241] warn: config: warning: score set for non-existent rule HABEAS_SWE
> [24241] warn: config: warning: score set for non-existent rule
> FAKE_HELO_USA_NET
Those are all old dead rules you probably set score over-rides for.




Re: Using SA code to extract URLs ?

2007-01-13 Thread Dallas Engelken

Michael W. Cocke wrote:
I was told a while back that the best way to extract urls from emails was to
use code from SpamAssassin.  Ok - Now, I need to do just that. Any
pointers?  I've looked thru the code in SpamCopURI, but unless there
are some docs hidden somewhere I can't even figure out the entry
point.  Are there some docs hidden somewhere (I hope!)?


Thanks!

Mike-



here is a little something i use to extract urls from messages.   it
takes a message on STDIN, runs it through an empty instance of SA (no
rules, no configs loaded), and prints to STDOUT.


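#!/usr/bin/perl
# Read one message on STDIN and print each unique URI SpamAssassin finds in it.

use strict;
use warnings;

use Mail::SpamAssassin;
use Mail::SpamAssassin::PerMsgStatus;

main();

# Slurp the whole message from STDIN and print the extracted URIs.
sub main {
  my $msg = '';
  while (<>) { $msg .= $_; }
  my $data = geturi(\$msg);
  print $data;
  exit;
}

# Parse the message with a bare SpamAssassin object and return its URIs,
# one per line, with duplicates removed.
sub geturi {
  my ($message) = @_;
  my $sa = create_saobj();
  $sa->init(0);                       # 0 = do not read user preferences
  my $mail = $sa->parse($$message);
  my $msg = Mail::SpamAssassin::PerMsgStatus->new($sa, $mail);
  my @uris = $msg->get_uri_list();
  my %uri_list;
  foreach my $uri (@uris) {
    # Skip schemes that do not point at a remote web resource.
    next if ($uri =~ m/^(cid|mailto|javascript):/i);
    $uri_list{$uri} = 1;
  }
  my $uris = join("\n", keys %uri_list, "");
  return $uris;
}

# Build the SpamAssassin object with no rule, site or user files named
# and network tests disabled.
sub create_saobj {
  my %setup_args = (
    rules_filename      => undef,
    site_rules_filename => undef,
    userprefs_filename  => undef,
    userstate_dir       => undef,
    local_tests_only    => 1,
    dont_copy_prefs     => 1,
  );
  my $sa = Mail::SpamAssassin->new(\%setup_args);
  return $sa;
}

# EOF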



# cat corpus/spam/canselon.com.html | perl parse_uri.pl
http://images.loveouroffers.com/general/8675_usub/USUB_101_b_02.gif
./unsubscribeOffers.html
http://images.loveouroffers.com/general/8675_usub/USUB_101_b_01.gif
http://images.loveouroffers.com/general/8675_usub/spacer.gif
list.html?clientid=12&em=&offerid=1&mailerid=1&emailid=0
http://list.html/?clientid=12&em=&offerid=1&mailerid=1&emailid=0
http://images.loveouroffers.com/general/8675_usub/USUB_101_b_03.jpg
http:///unsubscribeOffers.html
http://./unsubscribeOffers.html


Enjoy.  Also, I only get digest copies from this list and don't check
them all, so please cc me if you want me to see it. :)


--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com



Re: Huge File Size

2007-01-13 Thread Gary V

Benny Pedersen wrote:
> On Fri, January 12, 2007 02:14, Matt Kettler wrote:
>
>
>> form of expiry is one reason why I say the AWL isn't really ready for
>> production use on any servers that have decent mail volume)
>>
>
> if one entry is just deleted when will there be records with 2 ?
>
I don't understand what you're saying here, at all. I'll take a wild
guess at what you might mean..

IMHO, the AWL should use atime based expiry, just like bayes. As it
stands now, the "number of hits" based purge algorithm is an absurdly
cheap hack at best and is a significant downside to the practical
usability of the AWL for anyone with a decent-sized mailserver.

This of course means the format of the AWL database needs to change,
because right now it doesn't store atime.
> awl is tricky but good, we have to live with it or make some changes to how
> its updated, eg if and email adresse is seen just long time  ago and newer
> later delete it from avl, just delete the one 1 entrys makes it not work
>
>
I *think* you're in agreement with what I just said. Using last-accessed
time instead of hit-count makes substantially more sense.



By moving AWL to SQL this can be accomplished. Here is a sample for MySQL:
Add a new field:
ALTER TABLE awl ADD lastupdate timestamp(14) NOT NULL;

If you have a small data set, optionally initialize existing records:
UPDATE awl SET lastupdate = NOW( ) WHERE lastupdate < 1;

NOTE: to prevent compounding the problem by adding all this extra lastupdate
data if you have a large record set it would probably be better to NOT
initialize existing records, letting only new records get time stamped.
Then be patient enough to wait a couple weeks or so before deleting any
records (because the first command below should delete any records that
are not time stamped).

then start daily or weekly maintenance:
DELETE FROM awl WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 4 MONTH);
DELETE FROM awl WHERE count = 1 AND lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 15 DAY);


I don't see why this method could not also be used for bayes_seen.
I was not aware bayes_seen would grow forever so I am going to implement this
on my own system next week.

ALTER TABLE bayes_seen ADD lastupdate timestamp(14) NOT NULL;

Then wait a few weeks before implementing:

DELETE FROM bayes_seen WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 2 MONTH);


I am not that familiar with MySQL and Bayes however so I would appreciate it
if someone would point out potential problems with this.

Gary V





Re: Huge File Size

2007-01-13 Thread Gary V

I *think* you're in agreement with what I just said. Using last-accessed
time instead of hit-count makes substantially more sense.



By moving AWL to SQL this can be accomplished. Here is a sample for MySQL:
Add a new field:
ALTER TABLE awl ADD lastupdate timestamp(14) NOT NULL;

If you have a small data set, optionally initialize existing records:
UPDATE awl SET lastupdate = NOW( ) WHERE lastupdate < 1;

NOTE: to prevent compounding the problem by adding all this extra lastupdate
data if you have a large record set it would probably be better to NOT
initialize existing records, letting only new records get time stamped.
Then be patient enough to wait a couple weeks or so before deleting any
records (because the first command below should delete any records that
are not time stamped).

then start daily or weekly maintenance:
DELETE FROM awl WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 4 MONTH);
DELETE FROM awl WHERE count = 1 AND lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 15 DAY);


I don't see why this method could not also be used for bayes_seen.
I was not aware bayes_seen would grow forever so I am going to implement this
on my own system next week.

ALTER TABLE bayes_seen ADD lastupdate timestamp(14) NOT NULL;

Then wait a few weeks before implementing:

DELETE FROM bayes_seen WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 2 MONTH);


I am not that familiar with MySQL and Bayes however so I would appreciate it
if someone would point out potential problems with this.

Gary V



Ok, I do see one issue with bayes_seen. When a bayes_seen record is created,
the lastupdate field is updated but of course the time stamp does not change
when the record is simply read. So if you have the same message getting
learned every day (for example) cleaning bayes_seen on a regular basis would
not be a good idea. You could clean it up something like every four months
or so however by using the lastupdate field but you would have to put up
with all the added lastupdate data.


Gary V





comprehensive perl module site like cpan or other for SA needs ???

2007-01-13 Thread R Lists06
Greetings

Seeking some list wisdom please?

We have some well functioning boxes running SA out there

Most run RHEL 4 or CentOS 4

I am wondering where to go to find out specifically for each perl module if
we have the latest greatest and most stable version(s) etc

Please note the sa-update output at bottom.

Do we need to search them out individually or has someone put together a
place where they all are

I am aware of CPAN and sourceforge and other places yet looking for
comprehensive site people use in terms of SA and the needs of SA boxen

Also, please note the modules that are not active or found in the install
below during the SA update

Would installing them just be plug and play and they start working or do I
search them out individually too and their activation configs etc?

Thanks and kind regards

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net

[EMAIL PROTECTED] log]# sa-update -D
[12921] dbg: logger: adding facilities: all
[12921] dbg: logger: logging level is DBG
[12921] dbg: generic: SpamAssassin version 3.1.7
[12921] dbg: config: score set 0 chosen.
[12921] dbg: message:  MIME PARSER START 
[12921] dbg: message: main message type: text/plain
[12921] dbg: message: parsing normal part
[12921] dbg: message: added part, type: text/plain
[12921] dbg: message:  MIME PARSER END 
[12921] dbg: dns: is Net::DNS::Resolver available? yes
[12921] dbg: dns: Net::DNS version: 0.48
[12921] dbg: generic: sa-update version svn454083
[12921] dbg: generic: using update directory: /var/lib/spamassassin/3.001007
[12921] dbg: diag: perl platform: 5.008005 linux
[12921] dbg: diag: module installed: Digest::SHA1, version 2.07
[12921] dbg: diag: module installed: Getopt::Long, version 2.34
[12921] dbg: diag: module installed: LWP::UserAgent, version 2.031
[12921] dbg: diag: module installed: HTTP::Date, version 1.46
[12921] dbg: diag: module installed: Archive::Tar, version 1.30
[12921] dbg: diag: module installed: IO::Zlib, version 1.04
[12921] dbg: diag: module installed: DB_File, version 1.809
[12921] dbg: diag: module installed: HTML::Parser, version 3.35
[12921] dbg: diag: module installed: MIME::Base64, version 3.01
[12921] dbg: diag: module installed: Net::DNS, version 0.48
[12921] dbg: diag: module installed: Net::SMTP, version 2.29
[12921] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
[12921] dbg: diag: module not installed: IP::Country::Fast ('require' failed)
[12921] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)
[12921] dbg: diag: module not installed: Net::Ident ('require' failed)
[12921] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[12921] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)
[12921] dbg: diag: module installed: Time::HiRes, version 1.55
[12921] dbg: diag: module installed: DBI, version 1.40



Re: Huge File Size

2007-01-13 Thread Gary V

I don't see why this method could not also be used for bayes_seen.
I was not aware bayes_seen would grow forever so I am going to implement this
on my own system next week.

ALTER TABLE bayes_seen ADD lastupdate timestamp(14) NOT NULL;

Then wait a few weeks before implementing:

DELETE FROM bayes_seen WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 2 MONTH);


I am not that familiar with MySQL and Bayes however so I would appreciate it
if someone would point out potential problems with this.



Ok, I do see one issue with bayes_seen. When a bayes_seen record is 
created, the lastupde field is updated but of course the time stamp does 
not change when the record is simply read. So if you have the same message 
getting learned every day (for example) cleaning bayes_seen on a regular 
basis would not be a good idea. You could clean it up something like every 
four months or so however by using the lastupdate field but you would have 
to put up with all the added lastupdate data.




I have to correct my correction. How often the command to delete the data is 
performed is not the issue but rather how long the data is allowed to stay 
in the database. Maybe something like:
DELETE FROM bayes_seen WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 6 MONTH);


This way all new bayes_seen records would stay in the database for 6 months, 
then get deleted.


Gary V





Install or enable net::ident

2007-01-13 Thread Andy Figueroa
I'm running 3.1.7 under Gentoo.  It seems like I might want to install 
or enable Net::Ident, but I can't find anything about it in the 
configuration files, though it shows up in debugging output as

"dbg: diag: module not installed: Net::Ident ('require' failed)"

Then I installed Net-Ident and the debugging output changes to:
"dbg: diag: module installed: Net::Ident, version 1.20"

What else do I need to do?  I don't seem to be able to find a clue on my 
own.


Andy Figueroa


Re: Install or enable net::ident

2007-01-13 Thread Theo Van Dinter
On Sat, Jan 13, 2007 at 02:40:54PM -0500, Andy Figueroa wrote:
> What else do I need to do?  I don't seem to be able to find a clue on my 
> own.

It's only used in spamd, so "man spamd" for more information.

-- 
Randomly Selected Tagline:
"There's nothing wrong with [Microsoft] systems until Back Orifice
 is installed. ..."
 - Jason Garms, product manager for NT security at Microsoft
 "A security hole isn't a security hole until someone exploits it?"
 - Jeff Moyer




Re: Install or enable net::ident

2007-01-13 Thread Andy Figueroa
Thank you for the reply.  I certainly agree that Net::Ident is mentioned 
in the man for spamd.  But, it doesn't help me enough.  It did raise 
these questions:


Is the spamd option --auth-ident the only thing Net::Ident is used for? 
 What is identd (I haven't found one on my system)?
Will Net::Ident, properly implemented help spamassassin (spamd) identify 
spam email?


I'm not usually helpless.  I usually help others.  Sigh!

Andy figueroa

Theo Van Dinter wrote:

On Sat, Jan 13, 2007 at 02:40:54PM -0500, Andy Figueroa wrote:
What else do I need to do?  I don't seem to be able to find a clue on my 
own.


It's only used in spamd, so "man spamd" for more information.



Re: Install or enable net::ident

2007-01-13 Thread Theo Van Dinter
On Sat, Jan 13, 2007 at 03:28:07PM -0500, Andy Figueroa wrote:
> Is the spamd option --auth-ident the only thing Net::Ident is used for? 

Yes.

> What is identd (I haven't found one on my system)?

The idea is that a remote machine can ask who (user) is connecting to it.
In this case, spamd can verify that the user calling it is the user that
spamc says it is.  Googling for "identd" brings up a bunch of results,
http://en.wikipedia.org/wiki/Ident has some good info.

> Will Net::Ident, properly implemented help spamassassin (spamd) identify 
> spam email?

No.  It has nothing to do with the rules.

-- 
Randomly Selected Tagline:
"There are more ways to reduce friction in metals then there were
 release dates for Windows 95."- Quantum on TLC
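
The ident exchange described in the reply above, written out as an added example (not part of the original thread and not spamd's own code). It follows the RFC 1413 message format; the port numbers, user names and the `caller_is` helper are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class IdentReply:
    remote_port: int        # port on the host that runs identd (the calling side)
    local_port: int         # port on the host that asked (the service side)
    kind: str               # "USERID" or "ERROR"
    opsys: Optional[str]    # operating-system field, USERID replies only
    value: str              # user-id, or the error token such as NO-USER


def build_ident_query(remote_port: int, local_port: int) -> bytes:
    """Query the service sends to TCP port 113 on the caller's host."""
    for port in (remote_port, local_port):
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %r" % port)
    return f"{remote_port} , {local_port}\r\n".encode("ascii")


def parse_ident_reply(line: bytes) -> IdentReply:
    """Parse one reply line; raise ValueError if it is malformed."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    # At most three splits: a user-id may itself contain ':'.
    fields = text.split(":", 3)
    if len(fields) < 3:
        raise ValueError("malformed ident reply")
    ports = fields[0].split(",")
    if len(ports) != 2:
        raise ValueError("malformed port pair")
    remote_port, local_port = (int(p.strip()) for p in ports)
    kind = fields[1].strip().upper()
    if kind == "ERROR":
        error = ":".join(fields[2:]).strip()
        return IdentReply(remote_port, local_port, "ERROR", None, error)
    if kind == "USERID" and len(fields) == 4:
        # Simplification: surrounding whitespace is stripped from the user-id,
        # although RFC 1413 counts everything after the colon as part of it.
        return IdentReply(remote_port, local_port, "USERID",
                          fields[2].strip(), fields[3].strip())
    raise ValueError("unknown reply type")


def caller_is(reply: IdentReply, remote_port: int, local_port: int,
              claimed_user: str) -> bool:
    """True only if the reply names this exact connection and this user."""
    return (reply.kind == "USERID"
            and (reply.remote_port, reply.local_port) == (remote_port, local_port)
            and reply.value == claimed_user)


if __name__ == "__main__":
    # Constructed exchange: a client on port 40321 connected to a service on 783.
    print(build_ident_query(40321, 783))
    for raw in (b"40321 , 783 : USERID : UNIX : alice\r\n",
                b"40321 , 783 : ERROR : NO-USER\r\n"):
        reply = parse_ident_reply(raw)
        print(reply, caller_is(reply, 40321, 783, "alice"))
```

The answer comes from a daemon on the calling machine, so it is only as trustworthy as that machine's administrator; an ERROR reply or a port mismatch is treated as "not verified".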




Any rules to catch EXE's?

2007-01-13 Thread Robert Nicholson
At this time I'm forwarding mail that SA considers spam to my gmail  
account. The following bounces with


SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com [64.233.185.27]:
552 5.7.0 Illegal Attachment g5si5192165wra

error

None of the rules indicate that it had any exe or zip attachment

X-Spam-Status: Yes, score=20.3 required=0.6
 tests=BAYES_99,DNS_FROM_RFC_ABUSE,
 DNS_FROM_RFC_POST,HTML_IMAGE_ONLY_08,HTML_MESSAGE,MISSING_MIMEOLE,
 NO_REAL_NAME,PRIORITY_NO_NAME,RCVD_IN_DSBL,RCVD_IN_XBL autolearn=spam
 version=3.1.7
X-Spam-Report:
*  1.0 NO_REAL_NAME From: does not include a real name
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  3.1 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
*  3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
*  [score: 1.]
*  0.2 DNS_FROM_RFC_ABUSE RBL: Envelope sender in abuse.rfc-ignorant.org
*  2.6 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
*  []
*  3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*  [196.28.242.118 listed in sbl-xbl.spamhaus.org]
*  1.7 DNS_FROM_RFC_POST RBL: Envelope sender in
*  postmaster.rfc-ignorant.org
*  1.6 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
*  2.7 PRIORITY_NO_NAME Message has priority, but no user agent name


--=_NextPart_000_0016_7CAC.73A6
Content-Type: application/octet-stream;
name="information_robert.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="information_robert.exe"




Checking for PTR record

2007-01-13 Thread Peter Smith
Hi,

I'm interested in filtering mail relayed from hosts which have no reverse
dns (PTR) record. A lot of MTAs support rejection of mail from such hosts,
but I feel this will reject too much genuine mail, so I'm looking to
approach the problem via Spam Assassin - perhaps score 1 or 2 for such mail.

I was surprised that Spam Assassin doesn't already have a rule for this, or
that a plugin has not been written; or perhaps I'm looking in the wrong
place? I'm aware of the tests Spam Assassin performs for PTR records for
hotmail, excite, mail.com etc, but there don't seem to be any general rules.

Thanks,
Pete


Re: Checking for PTR record

2007-01-13 Thread René Berber
Peter Smith wrote:

> I'm interested in filtering mail relayed from hosts which have no reverse
> dns (PTR) record. A lot of MTAs support rejection of mail from such hosts,
> but I feel this will reject too much genuine mail, so I'm looking to
> approach the problem via Spam Assassin - perhaps score 1 or 2 for such mail.
> 
> I was suprised that Spam Assassin doesn't already have a rule for this, or
> that a plugin has not been written; or perhaps I'm looking in the wrong
> place? I'm aware of the tests Spam Assassin performs for PRT records for
> hotmail, excite, mail.com etc, but there don't seem to be any general rules.

Take a look at Botnet plugin:

http://permalink.gmane.org/gmane.mail.spam.spamassassin.general/93141

with minor changes I think it can do exactly what you describe, which is a
subset of what it already does.
-- 
René Berber



Re: comprehensive perl module site like cpan or other for SA needs ???

2007-01-13 Thread John Andersen
On Saturday 13 January 2007 09:01, R Lists06 wrote:
> Also, please note the modules that are not active or found in the install
> below during the SA update
>
> Would installing them just be plug and play and they start working or do I
> search them out individually too and their activation configs etc?

So how did you install in the first place?

Yes, installing these would cause them to start working.

I recommend installing using CPAN, as it is portable, reliable, 
picks up its prerequisites very well and you are not dependent
on some Distro specific packager.

If you have the latest distro specific package installed, running
CPAN will overlay it with the latest standard version and your
package management software will be none the wiser.

There are only a very few subtle things you must look out for
when overlaying your distro packages with CPAN, namely where
spamd is stored.  (Suse has its own idea of where things get stored).

I always install SA from Cpan, but sometimes I will install the distro
package first to get all the pre-requisite  perl modules installed.

-- 
_
John Andersen




Re: Any rules to catch EXE's?

2007-01-13 Thread Matt Kettler
Robert Nicholson wrote:
> At this time I'm forwarding mail that SA considers spam to my gmail
> account. The following bounces with
>
> SMTP error from remote mail server after end of data:
> host gmail-smtp-in.l.google.com [64.233.185.27]:
> 552 5.7.0 Illegal Attachment g5si5192165wra
>
> error
>
> None of the rules indicate that it had any exe or zip attachment
Why would they?

SA is a spam filter, not a virus filter.

That said, perhaps the AntiVirus plugin and its MICROSOFT_EXECUTABLE
rule can help you.

http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Plugin_AntiVirus.html

AFAIK, It won't pick off zipfiles, but will pick off exe's.
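
Added example, not part of the original thread and not the AntiVirus plugin's code: a pre-forwarding check that walks a message's MIME parts and flags attachments like the `information_robert.exe` part shown in the question. It goes beyond the thread by also checking the `MZ` file magic and looking inside zip archives; the extension list, sample messages and function names are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: a short illustrative list, not SpamAssassin's or Gmail's.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")

# Constructed sample bytes: the two-byte DOS header magic plus padding,
# not a runnable program.
MZ_STUB = b"MZ" + bytes(62)


def _looks_executable(name: str) -> bool:
    return name.lower().endswith(EXECUTABLE_EXTENSIONS)


def find_executable_parts(raw: bytes):
    """Return [(filename, content_type, reasons)] for suspicious leaf parts."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Falls back to the Content-Type "name" parameter when there is no
        # Content-Disposition filename.
        filename = part.get_filename() or ""
        # Unnamed text/* parts are the message body, not attachments.
        if part.get_content_maintype() == "text" and not filename:
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        reasons = []
        if _looks_executable(filename):
            reasons.append("extension")
        if payload[:2] == b"MZ":
            # Catches an executable sent under an innocent-looking name.
            reasons.append("mz-header")
        if payload[:4] == b"PK\x03\x04":
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    for member in archive.namelist():
                        if _looks_executable(member):
                            reasons.append("zip-member:" + member)
            except zipfile.BadZipFile:
                reasons.append("zip-unreadable")
        if reasons:
            findings.append((filename, part.get_content_type(), reasons))
    return findings


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message: an HTML body plus one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("<html><body>see attachment</body></html>", subtype="html")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def build_zip(member_name: str, data: bytes) -> bytes:
    """Constructed zip archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "plain exe": build_sample("information_robert.exe", MZ_STUB),
        "renamed exe": build_sample("invoice.pdf", MZ_STUB),
        "exe in zip": build_sample("docs.zip",
                                   build_zip("information_robert.exe", MZ_STUB)),
        "harmless": build_sample("notes.pdf", b"%PDF-1.4 constructed"),
    }
    for label, raw in samples.items():
        print(label, find_executable_parts(raw))
```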



Re: Any rules to catch EXE's?

2007-01-13 Thread Michele Neylon :: Blacknight

Matt Kettler wrote:

Robert Nicholson wrote:

At this time I'm forwarding mail that SA considers spam to my gmail
account. The following bounces with

SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com [64.233.185.27]:
552 5.7.0 Illegal Attachment g5si5192165wra

error

None of the rules indicate that it had any exe or zip attachment

Why would they?

SA is a spam filter, not a virus filter.

You could try MailScanner (http://www.mailscanner.info)

--
Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Fax. +353 (0) 59  9164239


RE: comprehensive perl module site like cpan or other for SA needs ???

2007-01-13 Thread R Lists06
> 
> So how did you install in the first place?
> 
> Yes, installing these would cause them to start working.
> 
> I recommend installing using CPAN, as it is portable, reliable,
> picks up its prerequisites very well and you are not dependent
> on some Distro specific packager.
> 
> If you have the latest distro specific package installed, running
> CPAN will overlay it with the latest standard version and your
> package management software will be none the wiser.
> 
> There are only a very few subtle things you must look out for
> when overlaying your distro packages with CPAN, namely where
> spamd is stored.  (Suse has its own idea of where things get stored).
> 
> I always install SA from CPAN, but sometimes I will install the distro
> package first to get all the prerequisite perl modules installed.
> John Andersen

It is my experience that CPAN installs can or will tend to do things I do
not want it to do (or cannot control) in a RPM environment among other
things...

I am looking more for documentation and information plus URLs to download
so we can make decisions as to what they do, how it affects our design and
engineering as well as implementation before I would consider installing.

Apologies for not mentioning that or making it more clear at the beginning.

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



Re: Any rules to catch EXE's?

2007-01-13 Thread Matt Kettler
Michele Neylon :: Blacknight wrote:
> Matt Kettler wrote:
>> Robert Nicholson wrote:
>>> At this time I'm forwarding mail that SA considers spam to my gmail
>>> account. The following bounces with
>>>
>>> SMTP error from remote mail server after end of data:
>>> host gmail-smtp-in.l.google.com [64.233.185.27]:
>>> 552 5.7.0 Illegal Attachment g5si5192165wra
>>>
>>> error
>>>
>>> None of the rules indicate that it had any exe or zip attachment
>> Why would they?
>>
>> SA is a spam filter, not a virus filter.
> You could try MailScanner (http://www.mailscanner.info)
>
True that.. I use it myself :)


Re: comprehensive perl module site like cpan or other for SA needs ???

2007-01-13 Thread David Morton

On Jan 13, 2007, at 8:01 PM, R Lists06 wrote:

> It is my experience that CPAN installs can or will tend to do
> things I do not want it to do (or cannot control) in a RPM environment
> among other things...

Heh, my experience is just opposite,  RPM environment often
misrepresents what's installed, or has a nonstandard install.

David Morton
Maia Mailguard http://www.maiamailguard.com
[EMAIL PROTECTED]





Re: comprehensive perl module site like cpan or other for SA needs ???

2007-01-13 Thread Theo Van Dinter
On Sat, Jan 13, 2007 at 08:58:55PM -0600, David Morton wrote:
> >It is my experience that CPAN installs can or will tend to do  
> >things I do not want it to do (or cannot control) in a RPM environment
> >among other things...
> 
> Heh, my experience is just opposite,  RPM environment often  
> misrepresents what's installed, or has a nonstandard install.

The thing about package management is that either you need to use it, or you
need to avoid it.  Trying to manage a bunch of inter-related files, all in the
same area of the file system, like perl modules, using different management
methods, is like asking to be kicked in the head repeatedly with a pointy rock.

Personally, I only use RPM to do perl modules and cpan2rpm to deal with making
packages for those modules.

-- 
Randomly Selected Tagline:
"Any two consenting adults can rub two primes together to create a public
 keypair" - R. Thayer




Re: Any rules to catch EXE's?

2007-01-13 Thread John D. Hardin

> >> None of the rules indicate that it had any exe or zip attachment
> > Why would they?
> > 
> > SA is a spam filter, not a virus filter.
>
> You could try MailScanner (http://www.mailscanner.info)

Or this if you already have a procmail infrastructure:

http://www.impsec.org/email-tools/procmail-security.html

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...every time I sit down in front of a Windows machine I feel as
  if the computer is just a place for the manufacturers to put their
  advertising.  -- fwadling on Y! SCOX
--
 4 days until Benjamin Franklin's 301st Birthday