Re: Question concerning HTML_IMAGE_ONLY_32

2007-01-18 Thread Office of the Postmaster 



> A 3-5% ratio of our email is getting tagged with HTML_IMAGE_ONLY_32 which
> according to the DOC is HTML: images with 2800-3200 bytes of words.  The



Yes, it's the message size that's in question, not the "" tag. it's
expected that the rule may fire on ham -- that's why it only scores 1.6
points (max).  1.6 is far below the 5.0 threshold...



Thank you.  That explains it then.  I suppose there is no fix for the false 
positives then?  Since its the total message size.  I began thinking that 
maybe it was a \n versus a \r issue as most of the emails being tagged that 
way had \n for the line breaks instead of \r hard returns.


James

Re: box trapper filter and wildcard question

2007-01-18 Thread Matt Kettler 
dan li wrote:
> Hello. I am wondering if the Box Trapper is a part of spam assasain? 
Never heard of it until now, but it's essentially the same thing as
TMDA, which is a particularly abhorrent idea.

Any kind of challenge-response "spam control" system is simply foisting
your spam problems into the in boxes of other people and asking them to
do the filtering for you.

Based on that, my own behavior is to immediately approve anything that I
know for sure I did not send, and refuse to approve anything I know I
did if it would be at all beneficial to the recipient (ie: advice,
tuning tips, etc).

After all, what reason do they have to believe I'm willing to make
accurate judgments for them? They've gone so far as to generate an
unwanted message into my mailbox regarding their spam, so I might as
well make sure they get that spam message they went to all the trouble
to bother me over.

I encourage *ALL* users of the Internet to do the same.

Hopefully we'll eventually be rid of the jerks who think that they can
control their spam problems by spamming everyone else on the internet
and making everyone else be their human-operated spam filter.


> If so, I am hoping some of you can give me the correct lines for the
> addresses I want to whitelist by using wildcard expressions.
>
> 1)  all email ending in .edu to be whitelisted
> 2)  all email ending in .bellsouth.net
>
>
> So are these the correct entries?
>
> from [EMAIL PROTECTED]
> from [EMAIL PROTECTED]
Well whitelist_from, not from.

That said, this is an extraordinarily bad idea because from addresses
are easily forged, and commonly so. You *WILL* get a lot of spam
skipping past your filters if you do this.
>
> Assume I'm using the latest version of spam assassain, but with my
> question it shouldnt matter much.

Re: blacklisting

2007-01-18 Thread Matt Kettler 
D Ivago wrote:
> Hi,
>
> I'm trying to blacklist some domians who sent me spam, I added
> following lines in local.cf  like I do to whitelist a
> domain.
>
> whitelist_from_rcvd *@ vsko.be  vsko.be 
> whitelist_from_rcvd [EMAIL PROTECTED]  vlhorb.be
> 
> whitelist_from_rcvd [EMAIL PROTECTED]  omcdgent.be
> 
> blacklist_from_rcvd [EMAIL PROTECTED] 
>
>
> but I keep getting spam from those 2 blacklisted domains.
1) it's blacklist_from not blacklist_from_rcvd. There's no reason to use
the Received: header check to prevent forgery of blacklists.

2) *EVERY* time you edit your config files, run spamassassin --lint. It
should run quietly and just exit if all is well. If there's a problem
parsing your config, it will print a message to that effect.

Re: Spamassassin memory problem

2007-01-18 Thread Jan Doberstein 
just an idea, did you use awl ?

if so, try it and disable it ... that was probleme here some time before ...


\jd



signature.asc
Description: OpenPGP digital signature

Re: procmailrc question

2007-01-18 Thread jp 
Systemwide I use this so everything get scanned:
[EMAIL PROTECTED]:~> cat /etc/procmailrc 
VERBOSE=on
ORGMAIL=Mailbox
MAILDIR=$HOME
#LOGFILE=procmail-log

DROPPRIVS=yes
:0fw
* < 128000
| spamc

:f:lock-file
*
| /usr/bin/formail -a "Status: O"

INCLUDERC=.procmailrc

:0:lockfile
* ^TO*
Mailbox

Each user that wants their spam deleted before it comes in has this.
(We use PJM-> instead of [SPAM] in the subject)

[EMAIL PROTECTED]:~> more .procmailrc 
VERBOSE=off
ORGMAIL=$HOME/Mailbox
:0:
* ^Subject:.*PJM-\>
/dev/null


On Wed, Jan 10, 2007 at 05:21:06PM +0100, D Ivago wrote:
> Hi all,
> 
> i''ve been using spamassassin for over a year now and I'm really happy with
> this solution.
> 
> At he moment my maximum SA score is 3.0 and this seems to stop 99% of spam
> without marking wanted mail as spam.
> 
> Now I get like +200 mails in my spam folder marked as [SPAM] but would like
> to delete these mails instead of filtering them in a folder, so I poked
> around with my .procmailrc but it doesn't seem to work OK.
> 
> This is spam delete option would be only for me and not for other people
> using the mailserver so I have this in my /home/ivago/.procmailrc file:
> 
> MAILDIR=$HOME/Mail
> LOGFILE=$HOME/Mail/log
> 
> :0:
> * ^X-Spam-Status: Yes
> Spam
> :0:
> * ^Subject:.*\<[SPAM]\>
> /dev/null
> 
> I just added the 3 last lines as seen on a webpage but it doesn't work, any
> suggestions what I exactely need to put in there?
> 
> kind regards,
> 
> ivago

-- 
/*
Jason Philbrook   |   Midcoast Internet Solutions - Internet Access,
KB1IOJ|  Hosting, and TCP-IP Networks for Midcoast Maine
 http://f64.nu/   | http://www.midcoast.com/
*/

Spamassassin memory problem

2007-01-18 Thread Klaas Schaafsma 

Hi group,

After a couple of days experimenting and searching the internet + 
reading the FAQ I decided to try my luck here :)


Since last week one of my mailservers is running out of memory on a 
regular basis because of the memory usage of spamd. At those times one 
spamd process is using ~ 75% of the total system memory (according to 
top / ps aux). The kernel is complaining that there is not enough memory 
and the OOM-killer comes in action to randomly shoot processes.


The strange thing is: there are no changes made to the server. No 
software updates and no configuration changes.


The system is a AMD Athlong 1Ghz box with 320MB of RAM and 512MB swap 
space running Debian GNU/Linux 3.0 (Sarge) with kernel 2.6.8-3-686 
(Debian stock kernel).


Spamassassin (3.0.3 with perl 5.8.4) is used as a daemon in combination 
with Exim4-daemon-heavy (4.50).


Spamd is started with the following options:
--no-create-prefs --max-children 3 --helper-home-dir -d 
--pidfile=/var/run/spamd.pid and I'm not using bayes.


I'm using the following extra rulesets:

70_sare_adult.cf
70_sare_header0.cf
70_sare_html0.cf
70_sare_oem.cf
70_sare_random.cf
70_sare_specific.cf
70_sare_stocks.cf
70_sare_uri0.cf
72_sare_bml_post25x.cf
72_sare_redirect_post3.0.0.cf
99_sare_fraud_post25x.cf

Updated with rulesdujour.

When I reboot the server the 3 children all use ~ 10% of the memory 
according to ps. and after an hour or so the memory usage is going wild.


I've searched the logfiles and the strange thing is: at first when spamd 
uses ~75% of the memory, there is nothing to be done; The exim4 logfiles 
say there is no mail coming in or going out and there is nothing not yet 
delivered. But because spamassassin seems to be busy with something, 
exim does give this in paniclog upon new e-mail coming in:


2007-01-18 10:28:33 1H7TTB-0005kD-VT spam acl condition: cannot parse 
spamd output


/var/log/mail.info at that time says:

Jan 18 10:28:37 localhost spamd[21074]: server hit by SIGCHLD
Jan 18 10:28:39 localhost spamd[21074]: handled cleanup of child pid 21076
Jan 18 10:28:39 localhost spamd[21074]: server successfully spawned 
child process, pid 22177
Jan 18 10:28:40 localhost spamd[21077]: connection from localhost 
[127.0.0.1] at port 47584

Jan 18 10:28:40 localhost spamd[21077]: info: setuid to nobody succeeded
Jan 18 10:28:45 localhost spamd[21077]: checking message 
<[EMAIL PROTECTED]> for nobody:65534.


and the exim mainlog:

2007-01-18 10:28:33 1H7TTB-0005kD-VT spam acl condition: cannot parse 
spamd output
2007-01-18 10:28:33 1H7TTB-0005kD-VT H=marge.gardenrs.net 
[81.23.247.163] U=postfix Warning: ACL "warn" statement skipped: 
condition test deferred:


Anyone any idea what could cause this behavior and what I can do about it?

Greeting,

Klaas Schaafsma

Re: box trapper filter and wildcard question

2007-01-18 Thread Jim Maul 

dan li wrote:
Hello. I am wondering if the Box Trapper is a part of spam assasain? If 
so, I am hoping some of you can give me the correct lines for the 
addresses I want to whitelist by using wildcard expressions.




Boxtrapper appears to be part of (or an add on to) cpanel.  It is not 
related in any way to spamassassin.


-Jim

box trapper filter and wildcard question

2007-01-18 Thread dan li 
Hello. I am wondering if the Box Trapper is a part of spam assasain? If so, 
I am hoping some of you can give me the correct lines for the addresses I 
want to whitelist by using wildcard expressions.


1)  all email ending in .edu to be whitelisted
2)  all email ending in .bellsouth.net


So are these the correct entries?

from [EMAIL PROTECTED]
from [EMAIL PROTECTED]

Assume I'm using the latest version of spam assassain, but with my question 
it shouldnt matter much.


Thank you for any help.

_
FREE online classifieds from Windows Live Expo – buy and sell with people 
you know 
http://clk.atdmt.com/MSN/go/msnnkwex001001msn/direct/01/?href=http://expo.live.com?s_cid=Hotmail_tagline_12/06

Re: Problem with mass-check on cygwin

2007-01-18 Thread Michael Parker 
Fred T wrote:
> Hello users,
> 
>   I'm getting ready for the mass-check run for rescoring 3.2 and I'm
>   seeing an awful lot of messages like:
> 
> bayes: cannot open bayes databases 
> /cygdrive/E/Temp/spamassassin-trunk/masses/spam
> assassin/bayes_* R/W: lock failed: File exists
> 
> Being on cygwin, what are my options to deal with this problem?
> 
> This message is also cluttering the output from mass-check making it
> difficult to keep an eye on the progress.
> Thank you,
> 

What is your -j value?  If its > 1 then its most likely just lock
contention.  Not sure about cygwin, can you use lock_method flock?  That
might help.  You could also see if you can install and use SDBM for your
bayes DB, that will be a bit quicker and possibly avoid the contention.

If your -j value is > 1 you can try running it at just 1 to see how it
does, but might be too slow depending on how many msgs you are checking.

If your -j value is already 1, then it might be something more serious.

Michael

Problem with mass-check on cygwin

2007-01-18 Thread Fred T 
Hello users,

  I'm getting ready for the mass-check run for rescoring 3.2 and I'm
  seeing an awful lot of messages like:

bayes: cannot open bayes databases 
/cygdrive/E/Temp/spamassassin-trunk/masses/spam
assassin/bayes_* R/W: lock failed: File exists

Being on cygwin, what are my options to deal with this problem?

This message is also cluttering the output from mass-check making it
difficult to keep an eye on the progress.
Thank you,

-- 
Best regards,
 Fred  mailto:[EMAIL PROTECTED]

Re: NOTICE: 3.2.0 mass-checks heads-up

2007-01-18 Thread Justin Mason 

Fred T writes:
> Hello Justin,
> 
> Thursday, January 18, 2007, 9:22:14 AM, you wrote:
> 
> > Hi all --
> 
> > we're going to be starting the mass-checks for 3.2.0 RSN.   These will be
> > used to generate an up-to-date score set for that release.
> 
> 
> Should we run sa-update before we begin the mass-check?  I'm just
> curious if or how this might have any impact on what rules get tested?
>  What if someone has an old copy of rules from neglecting to run
>  sa-update before they test?  Or does the latest release contain all
>  the rules and it won't be a problem?  Thanks!

the prerelease tarball will contain all the rules, and the
mass-check will use those rules directly... that's the plan anyway ;)

--j.

Re: NOTICE: 3.2.0 mass-checks heads-up

2007-01-18 Thread Fred T 
Hello Justin,

Thursday, January 18, 2007, 9:22:14 AM, you wrote:

> Hi all --

> we're going to be starting the mass-checks for 3.2.0 RSN.   These will be
> used to generate an up-to-date score set for that release.


Should we run sa-update before we begin the mass-check?  I'm just
curious if or how this might have any impact on what rules get tested?
 What if someone has an old copy of rules from neglecting to run
 sa-update before they test?  Or does the latest release contain all
 the rules and it won't be a problem?  Thanks!

Re: [SPAM:***] blacklisting

2007-01-18 Thread Chris St. Pierre 

On Thu, 18 Jan 2007, D Ivago wrote:


Hi,

I'm trying to blacklist some domians who sent me spam, I added following
lines in local.cf like I do to whitelist a domain.

whitelist_from_rcvd [EMAIL PROTECTED] vsko.be
whitelist_from_rcvd [EMAIL PROTECTED] vlhorb.be
whitelist_from_rcvd [EMAIL PROTECTED] omcdgent.be
blacklist_from_rcvd [EMAIL PROTECTED]


but I keep getting spam from those 2 blacklisted domains.

Any suggestions for the syntax?

kind regards,

ivago


Blacklisting is a job better done by your MTA, not your spam filter.
Drop their messages before you have to process them, scan them, etc.,
and you'll save yourself some cycles and some headaches.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

Never send mail to [EMAIL PROTECTED]

NOTICE: 3.2.0 mass-checks heads-up

2007-01-18 Thread Justin Mason 
Hi all --

we're going to be starting the mass-checks for 3.2.0 RSN.   These will be
used to generate an up-to-date score set for that release.

If you have a hand-classified, clean set of mail corpora [1] [2], and are
able and willing to run mass-check over them [3] and submit the results
via rsync, that would be very helpful!

  [1]: http://wiki.apache.org/spamassassin/HandClassifiedCorpora
  [2]: http://wiki.apache.org/spamassassin/CorpusCleaning
  [3]: http://wiki.apache.org/spamassassin/MassCheck

It is essential that the corpora be hand-classified by users you trust to
tell ham from spam; volume is not important here, accuracy is.  It's
also important that you have *both* ham and spam to mass-check.

The current plan is to start the mass-checks next Thursday (or
thereabouts).  See http://wiki.apache.org/spamassassin/Release320Schedule .

It might be worthwhile getting your corpora in shape, running a test
mass-check, and taking a look at the high and low-scoring messages to spot
any FPs or FNs you may have missed.Also, request an rsync account if
you haven't already got one [3].

  [3]: http://wiki.apache.org/spamassassin/RsyncAccounts

cheers,

--j.

blacklisting

2007-01-18 Thread D Ivago 

Hi,

I'm trying to blacklist some domians who sent me spam, I added following
lines in local.cf like I do to whitelist a domain.

whitelist_from_rcvd [EMAIL PROTECTED] vsko.be
whitelist_from_rcvd [EMAIL PROTECTED] vlhorb.be
whitelist_from_rcvd [EMAIL PROTECTED] omcdgent.be
blacklist_from_rcvd [EMAIL PROTECTED]


but I keep getting spam from those 2 blacklisted domains.

Any suggestions for the syntax?

kind regards,

ivago

Re: ClamAV plugin with 3.1.17

2007-01-18 Thread Justin Mason 

Michel Vaillancourt writes:
> Brent Kennedy wrote:
> > Woops I meant .cf file not pm file.
> > 
> > I just wanted to make sure this is still accurate:
> > http://wiki.apache.org/spamassassin/ClamAVPlugin
> 
> As a suggestion, the way I am doing it is running ClamAV as my
> SMTP proxy... so it gets virus scanned and dropped as required
> before it ever sees anything important in my infrastructure.

To respond to the original q -- yes, that page is still
accurate.

--j.

Re: ClamAV plugin with 3.1.17

2007-01-18 Thread Michel Vaillancourt 
Brent Kennedy wrote:
> Woops I meant .cf file not pm file.
> 
> I just wanted to make sure this is still accurate:
> http://wiki.apache.org/spamassassin/ClamAVPlugin
> 

As a suggestion, the way I am doing it is running ClamAV as my SMTP 
proxy... so it gets virus scanned and dropped as required before it ever sees 
anything important in my infrastructure.

-- 
-- Michel Vaillancourt
Wolfstar Systems

RE: Lint failed - Rules Du Jour

2007-01-18 Thread [EMAIL PROTECTED] 
John

The blacklist.cf has been superseded long ago by the URI-RBLs..

Also what version of Spamassassin are you using???

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -Original Message-
> From: John Fleming [mailto:[EMAIL PROTECTED]
> Sent: 18 January 2007 12:30
> To: [EMAIL PROTECTED]
> Subject: Lint failed - Rules Du Jour
>
> Newbie - The last several days I get emails that 3 rulesets have
changed,
> and finally another that says lint failed.  Any idea what's up with
the
> RDJ
> rulesets recently.  A couple of weeks ago I didn't have the problem.
>
> ***WARNING***: spamassassin --lint failed.
> Rolling configuration files back, not restarting SpamAssassin.
> Rollback command is:  mv -f /etc/spamassassin/blacklist.cf
> /etc/spamassassin/RulesDuJour/sa-blacklist.current.2; mv -f
> /etc/spamassassin/RulesDuJour/blacklist.cf.20070118-0443
> /etc/spamassassin/blacklist.cf; mv -f
/etc/spamassassin/blacklist-uri.cf
> /etc/spamassassin/RulesDuJour/sa-blacklist.current.uri.cf.2; mv -f
> /etc/spamassassin/RulesDuJour/blacklist-uri.cf.20070118-0504
> /etc/spamassassin/blacklist-uri.cf; mv -f
> /etc/spamassassin/70_sare_spoof.cf
> /etc/spamassassin/RulesDuJour/70_sare_spoof.cf.2; mv -f
> /etc/spamassassin/RulesDuJour/70_sare_spoof.cf.20070118-0510
> /etc/spamassassin/70_sare_spoof.cf; mv -f
> /etc/spamassassin/70_sc_top200.cf
> /etc/spamassassin/RulesDuJour/70_sc_top200.cf.2; mv -f
> /etc/spamassassin/RulesDuJour/70_sc_top200.cf.20070118-0510
> /etc/spamassassin/70_sc_top200.cf;
>
> Lint output:
>
> (no output listed)
>
>
> Thanks - John





**
Confidentiality : This e-mail and any attachments are intended for the 
addressee only and may be confidential. If they come to you in error 
you must take no action based on them, nor must you copy or show them 
to anyone. Please advise the sender by replying to this e-mail 
immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of 
the author and unless specifically stated to the contrary, are not 
necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure 
communications medium and can be subject to data corruption. We advise 
that you consider this fact when e-mailing us. 

Viruses : We have taken steps to ensure that this e-mail and any 
attachments are free from known viruses but in keeping with good 
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales 
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, 
United Kingdom
**

Lint failed - Rules Du Jour

2007-01-18 Thread John Fleming 
Newbie - The last several days I get emails that 3 rulesets have changed, 
and finally another that says lint failed.  Any idea what's up with the RDJ 
rulesets recently.  A couple of weeks ago I didn't have the problem.


***WARNING***: spamassassin --lint failed.
Rolling configuration files back, not restarting SpamAssassin.
Rollback command is:  mv -f /etc/spamassassin/blacklist.cf 
/etc/spamassassin/RulesDuJour/sa-blacklist.current.2; mv -f 
/etc/spamassassin/RulesDuJour/blacklist.cf.20070118-0443 
/etc/spamassassin/blacklist.cf; mv -f /etc/spamassassin/blacklist-uri.cf 
/etc/spamassassin/RulesDuJour/sa-blacklist.current.uri.cf.2; mv -f 
/etc/spamassassin/RulesDuJour/blacklist-uri.cf.20070118-0504 
/etc/spamassassin/blacklist-uri.cf; mv -f /etc/spamassassin/70_sare_spoof.cf 
/etc/spamassassin/RulesDuJour/70_sare_spoof.cf.2; mv -f 
/etc/spamassassin/RulesDuJour/70_sare_spoof.cf.20070118-0510 
/etc/spamassassin/70_sare_spoof.cf; mv -f /etc/spamassassin/70_sc_top200.cf 
/etc/spamassassin/RulesDuJour/70_sc_top200.cf.2; mv -f 
/etc/spamassassin/RulesDuJour/70_sc_top200.cf.20070118-0510 
/etc/spamassassin/70_sc_top200.cf;


Lint output:

(no output listed)


Thanks - John

Re: PLease help

2007-01-18 Thread dirk 
Yes, the answer definitely lies in upgrading.

Dirk

> Hi,
>
> I am newbie to this list and quite new to the difficulties in fight spam.
> Please accept my apologies if sending a copy spam message to the list is
> not acceptable etiquette
>
> We have started to receive quite a lot of spam in this type of form with
> an embedded stock or meds image., None of my rules are hitting it. Can
> anyone please offer me some help so that I can get to the bottom of what
> is becoming a very time consuming process. I use Spam Assassin 2.64.
> Perhaps the answer is that it is time to upgrade.
>
> Thanks
>
> Bob
>
> Example...
>
> which is headed, than as that of an animal, for the animal does speak of
> an action or a process as lengthy, because the time covered qualities. It
> is evident that these are qualities, for those things A line, on the other
> hand, is a continuous quantity, for it is
>
> genteel and insinuating: he waved his hands plausibly as he went, and of
> which it is a half. Similarly the existence of a master to withstand
> disintegration; softness, again, is predicated of a thing to be
> correlative with another, and the terminology used is correct,
> particular attitudes, but attitude is itself a relative term. To colour;
> justice and injustice, to contrary genera, virtue and vice; Thus habit
> differs from disposition in this, that while the latter that may be, it is
> an incontrovertible fact that the things which in
> more of the same

Re: getting Bayes token data from spamassassin

2007-01-18 Thread Jonas Eckerman 
Jonas Eckerman wrote:

> I do not consider my plugin "nice" since it uses DBI in such an unoptimized 
> way.

I did optimize it slightly yesterday, so maybe I do consider it almost nice 
now. :-)

> It really should use a prepared statement

Now it does this.

It probably should use the DELAYED keyword When used with MySQL and MyISAM 
tables.

And optionally this as well.

> It should be made faster using INSERT with fallback to UPDATE

But not this.

It's good enough for me now (except for some cleanup), so I'm not going to 
spend any more time on optimizing it myself, but suggestions from others are 
not unwelcome.

Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/

RE: Increase in unmarked spam

2007-01-18 Thread Matthias Fuhrmann 
On Thu, 18 Jan 2007, [EMAIL PROTECTED] wrote:

> Hi
>
> Test SARE rules (sare_stock, sare_spoof especially) and fred's rules
> from www.rulesemporium.com are very useful..
>
> Also make sure you're running SA 3.1.7 with the latest "sa-update"-ed
> core rules..
[...]
> > Recently (for the last two weeks), we are seeing lot of unmarked spam.
> > Lot of them with image and text.  Are there any rules in spamassassin
> > that would tackle this?  I am using botnet - but still unable to stop
> > these kind of spam effectively.

DCC and razor2 catching alot here too. if not yet installed, worth a try.

regards,
Matthias

RE: Increase in unmarked spam

2007-01-18 Thread [EMAIL PROTECTED] 
Hi

Test SARE rules (sare_stock, sare_spoof especially) and fred's rules
from www.rulesemporium.com are very useful..

Also make sure you're running SA 3.1.7 with the latest "sa-update"-ed
core rules..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -Original Message-
> From: Sujit Choudhury [mailto:[EMAIL PROTECTED]
> Sent: 18 January 2007 10:38
> To: users@spamassassin.apache.org
> Subject: Increase in unmarked spam
>
> Recently (for the last two weeks), we are seeing lot of unmarked spam.
> Lot of them with image and text.  Are there any rules in spamassassin
> that would tackle this?  I am using botnet - but still unable to stop
> these kind of spam effectively.
>
> Regards,
>
> Sujit




**
Confidentiality : This e-mail and any attachments are intended for the 
addressee only and may be confidential. If they come to you in error 
you must take no action based on them, nor must you copy or show them 
to anyone. Please advise the sender by replying to this e-mail 
immediately and then delete the original from your computer.

Opinion : Any opinions expressed in this e-mail are entirely those of 
the author and unless specifically stated to the contrary, are not 
necessarily those of the author's employer.

Security Warning : Internet e-mail is not necessarily a secure 
communications medium and can be subject to data corruption. We advise 
that you consider this fact when e-mailing us. 

Viruses : We have taken steps to ensure that this e-mail and any 
attachments are free from known viruses but in keeping with good 
computing practice, you should ensure that they are virus free.

Red Lion 49 Ltd T/A Solid State Logic
Registered as a limited company in England and Wales 
(Company No:5362730)
Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU, 
United Kingdom
**

Increase in unmarked spam

2007-01-18 Thread Sujit Choudhury 
Recently (for the last two weeks), we are seeing lot of unmarked spam.
Lot of them with image and text.  Are there any rules in spamassassin
that would tackle this?  I am using botnet - but still unable to stop
these kind of spam effectively.

Regards,

Sujit

Re: Question concerning HTML_IMAGE_ONLY_32

2007-01-18 Thread Justin Mason 

Office of the Postmaster writes:
> I sent the below about 10 days ago and I didnt see anything from anyone.
> 
> A 3-5% ratio of our email is getting tagged with HTML_IMAGE_ONLY_32 which 
> according to the DOC is HTML: images with 2800-3200 bytes of words.  The 
> only problem is the emails in question had only 1 image in them and it was 
> a spacer.gif file.  And I manually checked the size of the IMG SRC line and 
> counting everything in it include domain names, directories, directives, 
> etc was 184 bytes.
> 
> Is this a red herring event?  Because I have checked 10 different messages 
> and none of them had anything that could match that.
> 
> The only thing that might of was if you cut and pasted the entire body of 
> the email from  that was 3020 bytes but thats the message 
> itself not an IMG.

Yes, it's the message size that's in question, not the "" tag. it's
expected that the rule may fire on ham -- that's why it only scores 1.6
points (max).  1.6 is far below the 5.0 threshold...

--j.

Question concerning HTML_IMAGE_ONLY_32

2007-01-18 Thread Office of the Postmaster 

I sent the below about 10 days ago and I didnt see anything from anyone.

A 3-5% ratio of our email is getting tagged with HTML_IMAGE_ONLY_32 which 
according to the DOC is HTML: images with 2800-3200 bytes of words.  The 
only problem is the emails in question had only 1 image in them and it was 
a spacer.gif file.  And I manually checked the size of the IMG SRC line and 
counting everything in it include domain names, directories, directives, 
etc was 184 bytes.


Is this a red herring event?  Because I have checked 10 different messages 
and none of them had anything that could match that.


The only thing that might of was if you cut and pasted the entire body of 
the email from  that was 3020 bytes but thats the message 
itself not an IMG.


James

ps thanks ahead for any help on this.