RE: sa-update problem after upgrading from Plesk Spamassassin 3.0.4 to SA 3.1.7....
Thanks a lot, it now works.

Florent

-----Original Message-----
From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 23 January 2007 01:27
To: users@spamassassin.apache.org
Subject: Re: sa-update problem after upgrading from Plesk Spamassassin 3.0.4 to SA 3.1.7

On Tue, Jan 23, 2007 at 01:16:33AM +0100, Florent Gilain wrote:
> SpamAssassin seems to work; but few tools not (sa-update for example).
> [EMAIL PROTECTED] spamassassin]# sa-update
> Can't locate Archive/Tar.pm in @INC (@INC contains:

You need to install the modules listed in the INSTALL doc as required for sa-update.

--
Randomly Selected Tagline:
Ever notice when a house burns down, the only thing left is the fireplace and the chimney? - Bob Lazarus
MMS False Positives
Hi,

I've just been writing a negative scoring meta-rule to offset the points added by FROM_ALL_NUMS to many MMS messages sent via email. E.g. if it matches FROM_ALL_NUMS and is from @mms.vodafone.co.uk then subtract the 2.5 points added by FROM_ALL_NUMS. The FROM_ALL_NUMS rule itself hits too much spam at my site for me to want to score it any lower.

This seems to work well so far, and has avoided a few FPs, but I've only got examples from Vodafone UK and O2 to test with. Does anyone else have examples of messages from UK providers such as Orange and Three? I only need the message headers, I'm not asking anyone to post their photos here! ;-)

Thanks,
Iain
RE: USER_IN_WHITELIST problem
René Berber wrote:
> Sherman Lilly wrote:
> [snip]
>> I get why they are getting through. They are spoofing the Return-Path. Is there any way to remedy this problem?
>
> Depends on your server. For sendmail there is:
> http://ultra.ap.krakow.pl/~raj/sendmail/english.html
> the FEATURE(`local_sender_check') gets rid of all forged addresses pretending to be from your domain.
> --

Unfortunately, at least in my case, the addresses aren't forged - they are actual addresses on my server (Some of my clients APPEAR to send themselves quite a bit of this garbage), so the local_sender_check wouldn't help, because the return path appears to be themselves.

--Will
Re: USER_IN_WHITELIST problem
As of last Wednesday I am having this problem. In fact it's more than just USER_IN_WHITELIST, I am getting many reports of incorrect USER_IN_BLACKLIST.

No I don't whitelist my domain.
Yes I checked the To/From/ReplyTo/EnvelopeFrom/etc.
No the users don't have whitelist/blacklist entries anywhere close to reported match in debug mode.

Green = Blacklist
Blue = Whitelist

The most recent change, on or around Wednesday, was I ran sa-update. I now use the rules located in /var/lib/spamassassin. I checked my configs and noticed v310.pre now shows AWL enabled. I disabled this, thought I saw all my graphs drop but sadly it was a momentary drop. I reverted back to using /usr/local/share/spamassassin base rules. No change. So therefore I have rolled back any change made in the last week.

Here are two examples of a test I just ran. I took two messages and ran them through a loop. One gets scanned normally and occasionally hits the blacklist. The other does the inverse. Both are from my inbox, dated today.
== Example 1

=== Scanned, normal score
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd3.oct
X-Spam-Level: ***
X-Spam-PrefsFile: nac.net/paradox
X-Spam-Status: Yes, score=19.5 required=5.0 tests=RAZOR2_CF_RANGE_51_100=0.5,
    RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,
    RCVD_IN_SORBS_DUL=1.988,RCVD_IN_XBL=3.114,SORTED_RECIPS=1.53,
    SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,URIBL_AB_SURBL=3.306,
    URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SBL=1.094

=== Scanned a moment later in a loop, Hit blacklist
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on spamd3.oct
X-Spam-Level: **
X-Spam-PrefsFile: nac.net/paradox
X-Spam-Status: Yes, score=119.5 required=5.0 tests=RAZOR2_CF_RANGE_51_100=0.5,
    RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,
    RCVD_IN_SORBS_DUL=1.988,RCVD_IN_XBL=3.114,SORTED_RECIPS=1.53,
    SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,URIBL_AB_SURBL=3.306,
    URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SBL=1.094,
    USER_IN_BLACKLIST=100 autolearn=disabled version=3.1.7

== Original Message
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 95612 invoked by uid 0); 23 Jan 2007 08:34:19 -
Received: from 127.0.0.1 by mx2.oct.nac.net (envelope-from [EMAIL PROTECTED], uid 0) with qmail-scanner-1.25
    (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.
    Clear:RC:1(127.0.0.1):. Processed in 1.629328 secs); 23 Jan 2007 08:34:19 -
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx2.oct.nac.net
X-Qmail-Scanner-Rcpt-To: [EMAIL PROTECTED]
X-Qmail-Scanner: 1.25 (Clear:RC:1(127.0.0.1):. Processed in 1.629328 secs)
X-Qmail-Scanner-NAC-Block-Zips: 1
X-Qmail-Scanner-NAC-Redirect-This: 0
X-Qmail-Scanner-NAC-Redirect-To:
X-Qmail-Scanner-NAC-Scanners-Run: clamdscan_scanner fprot_scanner
Received: from unknown (HELO mx2.oct.nac.net) (127.0.0.1) by localhost with SMTP; 23 Jan 2007 08:34:17 -
Received: (qmail 95433 invoked by alias); 23 Jan 2007 08:34:15 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 95336 invoked by uid 0); 23 Jan 2007 08:34:12 -
Received: from 81.14.191.12 by mx2.oct.nac.net (envelope-from [EMAIL PROTECTED], uid 0) with qmail-scanner-1.25
    (clamdscan: 0.88.3/2095. f-prot: 4.6.6/3.16.14. spamassassin: 3.1.0.
    Clear:RC:0(81.14.191.12):. Processed in 4.496398 secs); 23 Jan 2007 08:34:12 -
X-Qmail-Scanner-Mail-From: [EMAIL PROTECTED] via mx2.oct.nac.net
X-Qmail-Scanner-Rcpt-To: [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]
X-Qmail-Scanner: 1.25 (Clear:RC:0(81.14.191.12):. Processed in 4.496398 secs)
X-Qmail-Scanner-NAC-Block-Zips: 1
X-Qmail-Scanner-NAC-Redirect-This: 0
X-Qmail-Scanner-NAC-Redirect-To: REDIRECT_NONE
X-Qmail-Scanner-NAC-Scanners-Run:
Received: from unknown (HELO ovjkuxqmpy) (81.14.191.12) by rbl-mx.nac.net with SMTP; 23 Jan 2007 08:34:07 -
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Tue, 23 Jan 2007 09:35:01 +0100
From: Man Aida [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=learned.dirty; d=dialupnet.com; b=BkqGXQzAyMlUagemGOpLIxezlerUABJhtHFfMORxbSauBfGAoroqGlvDCVRpRfuXvGXXtGXmaabRNJwo;
User-Agent: Mozilla Thunderbird 1.5 (Windows/20060111)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Subject: Be Rich, Get Yourself Rolex/AP/Bvlgari/PatekPhilippe .. At $ 199 Each least street
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

100% Similar Quality, from $ 199 Each
Show Off to your colleague that you can afford a ROLEX as well
More random text

== Message 2

=== Scanned ok
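Added example, not part of the original post: one way to confirm exactly which rules differ between two scans of the same message, run over the two X-Spam-Status headers quoted above. The function names are illustrative, and the parser goes slightly beyond the post by also accepting the bracketed amavisd form and plain rule-name lists.

```python
import re

# The two X-Spam-Status headers, copied from the post above.
FIRST_SCAN = """X-Spam-Status: Yes, score=19.5 required=5.0 tests=RAZOR2_CF_RANGE_51_100=0.5,
    RAZOR2_CF_RANGE_E8_51_100=1.5,RAZOR2_CHECK=0.5,
    RCVD_IN_SORBS_DUL=1.988,RCVD_IN_XBL=3.114,SORTED_RECIPS=1.53,
    SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,URIBL_AB_SURBL=3.306,
    URIBL_JP_SURBL=3.36,URIBL_OB_SURBL=2.617,URIBL_SBL=1.094"""

SECOND_SCAN = FIRST_SCAN.replace("score=19.5", "score=119.5") + """,
    USER_IN_BLACKLIST=100 autolearn=disabled version=3.1.7"""


def parse_status(header):
    """Parse one X-Spam-Status value into score, threshold and per-rule scores."""
    text = " ".join(header.split())  # unfold continuation lines
    score = re.search(r"\bscore=(-?\d+(?:\.\d+)?)", text)
    required = re.search(r"\brequired=(-?\d+(?:\.\d+)?)", text)
    if not score or not required:
        raise ValueError("not an X-Spam-Status header: %r" % text[:40])
    _, _, tests_part = text.partition("tests=")
    if tests_part.startswith("["):
        # amavisd-style: tests=[NAME=score, NAME=score]
        tests_part = tests_part[1:].split("]", 1)[0]
    else:
        # stock style: the rule list ends where autolearn=/version= begins
        tests_part = re.split(r"\s+(?:autolearn|version)=", tests_part, maxsplit=1)[0]
    tests = {}
    for item in tests_part.split(","):
        name, _, value = item.strip().partition("=")
        if name and name != "none":
            tests[name] = float(value) if value else None  # None: no score shown
    return {
        "score": float(score.group(1)),
        "required": float(required.group(1)),
        "tests": tests,
    }


def diff_scans(first, second, tolerance=0.05):
    """Compare two parsed scans of the same message.

    'explained' is True when the change in total score equals the sum of the
    rule-level changes (within rounding of the header's score), False when it
    does not, and None when per-rule scores are missing.
    """
    a, b = first["tests"], second["tests"]
    only_first = sorted(set(a) - set(b))
    only_second = sorted(set(b) - set(a))
    rescored = sorted(n for n in set(a) & set(b) if a[n] != b[n])
    delta = round(second["score"] - first["score"], 3)
    involved = ([a[n] for n in only_first] + [b[n] for n in only_second]
                + [v for n in rescored for v in (a[n], b[n])])
    if any(v is None for v in involved):
        explained = None
    else:
        rule_delta = (sum(b[n] for n in only_second)
                      - sum(a[n] for n in only_first)
                      + sum(b[n] - a[n] for n in rescored))
        explained = abs(rule_delta - delta) <= tolerance
    return {
        "only_first": only_first,
        "only_second": only_second,
        "rescored": rescored,
        "score_delta": delta,
        "explained": explained,
    }


if __name__ == "__main__":
    result = diff_scans(parse_status(FIRST_SCAN), parse_status(SECOND_SCAN))
    for key, value in result.items():
        print(f"{key:12} {value}")
```

On the two headers from the post, every network and header rule scores identically in both scans, and the whole difference is the single USER_IN_BLACKLIST hit.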
RE: netpbm 2.10
-----Original Message-----
From: David Baron [mailto:[EMAIL PROTECTED]
Sent: Monday, January 22, 2007 4:38 PM
To: users@spamassassin.apache.org
Subject: netpbm 2.10

> This version is now on Debian Sid. Do I go over to the newer function calls for FuzzyOcr or are they still not available (or does this matter)?

I've installed from source 10.35.21 ver. on my SLES9 and it's working nicely so far. If you'd like my step-by-step for suse, I can send it to you.

Regards,
Leon Kolchinsky
relay
i have at my qmail server :allow,relayclient= But i receive a lot of connections anyone knows how i limit those connections thanks.
FuzzyOcr Hash Error
With FuzzyOcr 3.5.1 and SA 3.1.7, I noticed this in the log while debugging my setup:

2007-01-23 01:39:23 [16842] Processing Message with ID [EMAIL PROTECTED] (Lacy Silva [EMAIL PROTECTED] - ed [EMAIL PROTECTED])
2007-01-23 01:39:23 [16842] GIF: [248x442] submersible.gif (5458)
2007-01-23 01:39:23 [16842] Found: 1 images
2007-01-23 01:39:23 [16842] Found GIF header name=submersible.gif
2007-01-23 01:39:23 [16842] Image is single non-interlaced...
2007-01-23 01:39:24 [16842] Calculating image hash for: /tmp/.spamassassin168423O9h2Ttmp/submersible.gif.pnm
2007-01-23 01:39:24 [16842] Timed out
2007-01-23 01:39:24 [16842] Error calculating the image hash, skipping hash check...
2007-01-23 01:39:24 [16842] Empty Hash, skipping...

Timeout is set to default of 10 seconds and the hash.db is writeable by spamd.

-rw-rw-r-- 1 spamd spamd 90112 Jan 23 06:19 /etc/mail/spamassassin/FuzzyOcr.db

From the cf:

focr_enable_image_hashing 2
focr_db_hash /etc/mail/spamassassin/FuzzyOcr.db
focr_db_safe /etc/mail/spamassassin/FuzzyOcr.safe.db

The rest of the hash settings are left as default. As a result, I have had no hits since installing the new version.

Any suggestions as to where to look next are gratefully accepted and appreciated...

Ed

. . . . . . . . . . . . . . . . . .
Randomly Generated Quote (290 of 1164):
A journey of a thousand miles must begin with a single step. -- Lao Tsu
Re: spamassassin with qmail
night duke wrote: Hi i'm trying to use spamassassin with qmail but i was unable to use them together. Anyone can help me?. See the qmail section of: http://wiki.apache.org/spamassassin/IntegratedInMta
RE: Spam graphing
-----Original Message-----
From: Gary V [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 23, 2007 6:20 AM
To: users@spamassassin.apache.org
Subject: Re: Spam graphing

>> I then spend the better part of the day looking for a nice graphing utility that works. I'd like it to show total messages, spam/blocked messages, and virus emails in a clean graph. Does anyone know of any or have recommendations?
>
> Possibly mailgraph
> http://people.ee.ethz.ch/~dws/software/mailgraph/
> I have never investigated the accuracy however. It may need a minor edit if you are using a recent version of amavisd-new:
> http://www200.pair.com/mecham/spam/mailgraph.pl-amavis-patch.txt
>
> Gary V

I agree on that. From my tests: Amavis-stats 0.1.22 and mailgraph results are very similar. Note that Rejected count in mailgraph is wrong (comparing to pflogsumm and logwatch results), but you can get Rejected count from pflogsumm.

Regards,
Leon Kolchinsky
RE: spamassassin with qmail
From: night duke

> Hi i'm trying to use spamassassin with qmail but i was unable to use them together. Anyone can help me?. Thanks.

Until you get to know it well this can and will help

http://www.qmailrocks.org/
http://qmail.jms1.net/

pay special attention to the combined patch and implementing validrcptto and turning on catchall bounced the pay special attention to integration with qmail-scanner ver 1.25st or the latest 2.0x-st and the qmail-scanner.pl file and settings

this is not a two second solution. Always do it on a test box first IMPO if you can

some qmail solutions are super scripted and although I know you can do that I am leery of them until you can break it and fix it in less than a minute etc etc

- rh

--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
sa-learn and qmail Maildir
I guess the bottom line is what are qmail folks doing for training?

I had never thought about it before yet I haven't had the need to sa-learn anything until recently

When processing using sa-learn in a qmail Maildir should one use an option below

--mbox Input sources are in mbox format
--mbx Input sources are in mbx format

Or should you just go to the Maildir directory and appropriate subdirectory and

sa-learn --showdots --ham *
sa-learn --showdots --spam *

somehow my brain isn't registering Maildir vs other formats right now and I'm trying to think in terms of how IMAP allows me to move mail data around... if that makes sense :-)

- rh

--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
Re: sa-learn and qmail Maildir
On Tue, Jan 23, 2007 at 07:34:17AM -0800, R Lists06 wrote:
> --mbox Input sources are in mbox format
> --mbx Input sources are in mbx format

(note: I don't use qmail)

maildir is typically one file per message in a directory. In that situation, just pointing at the directory would be appropriate, sa-learn will use all messages in the directory.

--
Randomly Selected Tagline:
How is holding a cell phone any different from holding a McDonald's hamburger? I don't know. I haven't tasted a BigMac in a while. I think it's the ketchup. - From the toyota-prius list
Re: relay
You might want to try asking that question in a mailing list specific for qmail. Check www.qmail.org for access to support and forums. Also check the Life with qmail book, available for download at http://www.lifewithqmail.org, which addresses this question.

Terry

Terry Soucy, Systems Analyst
Integrated Technology Services
University of New Brunswick, Fredericton Campus
http://www.unbf.ca/its
Voice: 506.447.3018 Fax: 506.453.3590
E-mail: [EMAIL PROTECTED]

night duke wrote:
> i have at my qmail server :allow,relayclient= But i receive a lot of connections anyone knows how i limit those connections thanks.
RE: sa-learn and qmail Maildir
From: Theo
> (note: I don't use qmail)
>
> maildir is typically one file per message in a directory. In that situation, just pointing at the directory would be appropriate, sa-learn will use all messages in the directory.

Yup. That's why I figure that going to the appropriate directory(ies) and doing the below is correct

sa-learn --showdots --ham *
sa-learn --showdots --spam *

thanks!

- rh

--
Robert - Abba Communications
Computer Internet Services
(509) 624-7159 - www.abbacomm.net
Whitelist file to large?
My whitelist file currently has 13,500 lines and is 503K. spamd is about 58-59M. Is there a point when the whitelist file becomes too large? Is there a better performance method to handle whitelist entries than the .cf file?

Thanks
--Bryan
spamassassin -D --lint gives me warnings...but what does that mean ?
If i have good understood all the manual/wiki i actually read, the spamassassin -D --lint command is used to test SA configuration before reloading it ? My problem is that it seems to give me errors...but i'm unable to resolve it. Yesterday, i upgraded my SA 3.0.4 to 3.1.7 and had to update CPAN modules too in order to have a working sa-update script. During CPAN upgrade/install, i got few errors with modules like IO::Socket::INET or SSL... What should i do ? Running RHEL3 ES Here is the ouptut of the command : [EMAIL PROTECTED] root]# spamassassin -D --lint [25386] dbg: logger: adding facilities: all [25386] dbg: logger: logging level is DBG [25386] dbg: generic: SpamAssassin version 3.1.7 [25386] dbg: config: score set 0 chosen. [25386] dbg: util: running in taint mode? yes [25386] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH [25386] dbg: util: PATH included '/usr/kerberos/sbin', keeping [25386] dbg: util: PATH included '/usr/kerberos/bin', keeping [25386] dbg: util: PATH included '/sbin', keeping [25386] dbg: util: PATH included '/bin', keeping [25386] dbg: util: PATH included '/usr/local/sbin', keeping [25386] dbg: util: PATH included '/usr/local/bin', keeping [25386] dbg: util: PATH included '/sbin', keeping [25386] dbg: util: PATH included '/bin', keeping [25386] dbg: util: PATH included '/usr/sbin', keeping [25386] dbg: util: PATH included '/usr/bin', keeping [25386] dbg: util: PATH included '/usr/X11R6/bin', keeping [25386] dbg: util: PATH included '/root/bin', which doesn't exist, dropping [25386] dbg: util: PATH included '/var/qmail/bin', keeping [25386] dbg: util: final PATH set to: /usr/kerberos/sbin:/usr/kerberos/bin:/sbin:/bin:/usr/local/sbin:/usr/local/b in:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/var/qmail/bin [25386] dbg: message: MIME PARSER START [25386] dbg: message: main message type: text/plain [25386] dbg: message: parsing normal part [25386] dbg: message: added part, type: text/plain [25386] dbg: message: 
MIME PARSER END [25386] dbg: dns: is Net::DNS::Resolver available? yes [25386] dbg: dns: Net::DNS version: 0.59 [25386] dbg: diag: perl platform: 5.008 linux [25386] dbg: diag: module installed: Digest::SHA1, version 2.01 [25386] dbg: diag: module installed: Net::Ident, version 1.20 [25386] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed) [25386] dbg: diag: module not installed: IO::Socket::SSL ('require' failed) [25386] dbg: diag: module installed: Time::HiRes, version 1.38 [25386] dbg: diag: module installed: DBI, version 1.32 [25386] dbg: diag: module installed: Getopt::Long, version 2.32 [25386] dbg: diag: module installed: LWP::UserAgent, version 2.001 [25386] dbg: diag: module installed: HTTP::Date, version 1.44 [25386] dbg: diag: module installed: Archive::Tar, version 1.30 [25386] dbg: diag: module installed: IO::Zlib, version 1.04 [25386] dbg: diag: module installed: DB_File, version 1.814 [25386] dbg: diag: module installed: HTML::Parser, version 3.26 [25386] dbg: diag: module installed: MIME::Base64, version 3.07 [25386] dbg: diag: module installed: Net::DNS, version 0.59 [25386] dbg: diag: module installed: Net::SMTP, version 2.29 [25386] dbg: diag: module not installed: Mail::SPF::Query ('require' failed) [25386] dbg: diag: module installed: IP::Country::Fast, version 604.001 [25386] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed) [25386] dbg: ignore: using a test message to lint rules [25386] dbg: config: using /etc/mail/spamassassin for site rules pre files [25386] dbg: config: read file /etc/mail/spamassassin/init.pre [25386] dbg: config: read file /etc/mail/spamassassin/v310.pre [25386] dbg: config: read file /etc/mail/spamassassin/v312.pre [25386] dbg: config: using /var/lib/spamassassin/3.001007 for sys rules pre files [25386] dbg: config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.pre [25386] dbg: config: using /var/lib/spamassassin/3.001007 for default rules dir [25386] dbg: 
config: read file /var/lib/spamassassin/3.001007/updates_spamassassin_org.cf [25386] dbg: config: using /etc/mail/spamassassin for site rules dir [25386] dbg: config: read file /etc/mail/spamassassin/30_text_fr.cf [25386] dbg: config: read file /etc/mail/spamassassin/directenergie.cf [25386] dbg: config: read file /etc/mail/spamassassin/local.cf [25386] dbg: plugin: loading Mail::SpamAssassin::Plugin::RelayCountry from @INC [25386] dbg: plugin: registered Mail::SpamAssassin::Plugin::RelayCountry=HASH(0xaf35980) [25386] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC [25386] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0xaf5cc48) [25386] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC [25386] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0xafd86c0) [25386] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC [25386] dbg: plugin: registered
Re: relay
Terry Soucy wrote:
> You might want to try asking that question in a mailing list specific for qmail. Check www.qmail.org for access to support and forums. Also check the Life with qmail book, available for download at http://www.lifewithqmail.org, which addresses this question.
>
> Terry
>
> Terry Soucy, Systems Analyst
> Integrated Technology Services
> University of New Brunswick, Fredericton Campus
> http://www.unbf.ca/its
> Voice: 506.447.3018 Fax: 506.453.3590
> E-mail: [EMAIL PROTECTED]
>
> night duke wrote:
>> i have at my qmail server :allow,relayclient= But i receive a lot of connections anyone knows how i limit those connections

And also, having :allow,relayclient= makes you an open relay to all email clients.
train forwarded messages on local SA server
Is it ok to sa-learn train forwarded messages that end up in my local account mailboxes from accounts on remote servers (out of my admin control) that are spam? - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
Re: spamassassin -D --lint gives me warnings...but what does that mean ?
On Tue, Jan 23, 2007 at 05:00:35PM +0100, Florent Gilain wrote:
> If i have good understood all the manual/wiki i actually read, the spamassassin -D --lint command is used to test SA configuration before reloading it ?

--lint is, yes. People often run with -D so they can see the debug output.

> Yesterday, i upgraded my SA 3.0.4 to 3.1.7 and had to update CPAN modules too in order to have a working sa-update script. During CPAN upgrade/install, i got few errors with modules like IO::Socket::INET or SSL...

Those aren't errors.

> [25386] dbg: diag: perl platform: 5.008 linux
> [25386] dbg: diag: module installed: Digest::SHA1, version 2.01
> [25386] dbg: diag: module installed: Net::Ident, version 1.20
> [25386] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
> [25386] dbg: diag: module not installed: IO::Socket::SSL ('require' failed)
> [25386] dbg: diag: module installed: Time::HiRes, version 1.38
> [25386] dbg: diag: module installed: DBI, version 1.32
> [25386] dbg: diag: module installed: Getopt::Long, version 2.32
> [25386] dbg: diag: module installed: LWP::UserAgent, version 2.001
> [25386] dbg: diag: module installed: HTTP::Date, version 1.44
> [25386] dbg: diag: module installed: Archive::Tar, version 1.30
> [25386] dbg: diag: module installed: IO::Zlib, version 1.04
> [25386] dbg: diag: module installed: DB_File, version 1.814
> [25386] dbg: diag: module installed: HTML::Parser, version 3.26
> [25386] dbg: diag: module installed: MIME::Base64, version 3.07
> [25386] dbg: diag: module installed: Net::DNS, version 0.59
> [25386] dbg: diag: module installed: Net::SMTP, version 2.29
> [25386] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
> [25386] dbg: diag: module installed: IP::Country::Fast, version 604.001
> [25386] dbg: diag: module not installed: Razor2::Client::Agent ('require' failed)

This is the diag area of the debug output -- it's there so it's easy to know what version of modules you're using. They're not all required, so not having them is ok.

> [25386] warn: config: failed to parse, now a plugin, skipping: ok_languages en fr de it la es

this is an error. you need to load the TextCat plugin if you want this functionality.

> [25386] warn: config: warning: description exists for non-existent rule DIRECTENERGIE
> [25386] warn: config: warning: description exists for non-existent rule MIME_BOUND_NEXTPART
> [25386] warn: config: warning: description exists for non-existent rule BIZ_TLD

just warnings, but I'd go figure out why those are there somewhere.

--
Randomly Selected Tagline:
Bender: Oh, Lord, I'm on the verge of a nervous melt-down.
market buy with image
I've got a particular type of spam that is driving me nuts here. It's the same type of message coming from many different servers (I'm not sure how many yet, but the first 8 messages of this type I've looked at are all different). Basically, each message has a random subject followed by a small jumbled paragraph then there is an image with the message investor alert, stock symbol, etc... (Are people really that stupid to invest into something like this? =O) and finally another jumbled paragraph. When I looked up the IP addresses in the RBLs, they all are free and clear. I was thinking about adding in a optical recognition but there's noise in the image that may make it hard for the program to read. I'm sure we're not the only ones receiving this type of spam... What are people doing to stop it?
RE: market buy with image
Hi

The sare and fred rules from www.rulesemporium.com are useful here. Also DCC pyzor and razor2 can help.

Also make sure you've sa-updated the latest 3.1.7 core rules as these have some tuning to help..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

-----Original Message-----
From: Johnson, S [mailto:[EMAIL PROTECTED]
Sent: 23 January 2007 16:46
To: users@spamassassin.apache.org
Subject: market buy with image

I've got a particular type of spam that is driving me nuts here. It's the same type of message coming from many different servers (I'm not sure how many yet, but the first 8 messages of this type I've looked at are all different). Basically, each message has a random subject followed by a small jumbled paragraph then there is an image with the message investor alert, stock symbol, etc... (Are people really that stupid to invest into something like this? =O) and finally another jumbled paragraph. When I looked up the IP addresses in the RBLs, they all are free and clear. I was thinking about adding in a optical recognition but there's noise in the image that may make it hard for the program to read. I'm sure we're not the only ones receiving this type of spam... What are people doing to stop it?
RE: market buy with image
By fred rules, do you mean by Fred Tarasevicius Which specific fred rules are the best by experience? Thanks! - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
Re: market buy with image
R Lists06 wrote:
> By fred rules, do you mean by Fred Tarasevicius
>
> Which specific fred rules are the best by experience?
>
> Thanks!

I'd use 00_FVGT_File001.cf which is a new file Fred. This combines a lot of his older 88_FVGT* cf files into one.

--
-Doc
SA/SARE/URIBL/SURBL -- Ninja
11:08am up 9 days, 20:06, 15 users, load average: 0.37, 0.84, 0.79
SARE HQ http://www.rulesemporium.com/
Re: USER_IN_WHITELIST problem
Sherman Lilly wrote:
> I was looking on the net and I came across a plugin on spamassassin I don't think i have loaded. Will the SPF plugin help with this problem?

Yes... *if* you replace whitelist_from with whitelist_from_spf

Alternatively you can try something like this:

whitelist_from_rcvd [EMAIL PROTECTED] yourmailserver.com

whitelist_from should always be a last resort because it's so easy for spammers to forge the From: and Return-Path: headers. If at all possible, you should use one of the more specific whitelist functions that will double-check against the received headers, SPF, DKIM, etc.

--
Kelson Vibber
SpeedGate Communications www.speed.net
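Added example, not from the original post: a small audit of SpamAssassin config text that lists every plain whitelist_from entry, the kind the reply above calls a last resort, and proposes the checked forms it names. The sample config, the domains and the function names are constructed for illustration, and `<relay-rdns-domain>` is a placeholder to fill in per sender.

```python
import re

WEAK = "whitelist_from"                                   # trusts forgeable headers
CHECKED = ("whitelist_from_rcvd", "whitelist_from_spf")   # verified variants

# Constructed sample config; example.org plays the role of the site's own domain.
SAMPLE_CF = """\
# constructed sample local.cf
required_score 5.0
whitelist_from *@example.org boss@partner.example   # our own domain and one partner
whitelist_from *@lists.vendor.example
whitelist_from_rcvd alerts@monitor.example monitor.example
whitelist_from_spf news@partner.example
"""


def glob_to_regex(glob):
    """Whitelist patterns use file-glob wildcards: only * and ? are special."""
    escaped = re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE)


def parse_whitelist_lines(cf_text):
    """Yield (line_no, directive, args) for each whitelist_from* line."""
    for line_no, raw in enumerate(cf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if fields and fields[0] in (WEAK,) + CHECKED:
            yield line_no, fields[0], fields[1:]


def audit(cf_text, local_domains):
    """Return one finding per address pattern on a plain whitelist_from line.

    risk is 'local-domain' when the pattern covers one of the site's own
    domains (mail forged as a local user would be whitelisted), 'wildcard'
    when it covers many senders, and 'single-address' otherwise.
    """
    findings = []
    for line_no, directive, args in parse_whitelist_lines(cf_text):
        if directive != WEAK:
            continue
        for pattern in args:
            domain_glob = pattern.rsplit("@", 1)[-1]   # whole pattern if no '@'
            domain_re = glob_to_regex(domain_glob)
            if any(domain_re.fullmatch(d) for d in local_domains):
                risk = "local-domain"
            elif "*" in pattern or "?" in pattern:
                risk = "wildcard"
            else:
                risk = "single-address"
            findings.append({
                "line": line_no,
                "pattern": pattern,
                "risk": risk,
                "suggest": [
                    f"whitelist_from_spf {pattern}",
                    f"whitelist_from_rcvd {pattern} <relay-rdns-domain>",
                ],
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CF, ["example.org"]):
        print(f"line {f['line']}: {f['pattern']} [{f['risk']}]")
        for s in f["suggest"]:
            print(f"    consider: {s}")
```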
Rules_du_jour question...
Hi all, I followed the 2 docs here : http://www.rulesemporium.com/rules.htm and http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt But i'm not sure all is ok because link for more info is broken..and i'm really a newbie ;-(( My /etc/mail/spamassassin/sare-sa-update-channels.txt : updates.spamassassin.org 72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net 70_sare_evilnum0.cf.sare.sa-update.dostech.net 70_sare_evilnum1.cf.sare.sa-update.dostech.net 70_sare_evilnum2.cf.sare.sa-update.dostech.net 70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net 70_sare_html.cf.sare.sa-update.dostech.net 70_sare_header0.cf.sare.sa-update.dostech.net 70_sare_specific.cf.sare.sa-update.dostech.net 70_sare_adult.cf.sare.sa-update.dostech.net 72_sare_bml_post25x.cf.sare.sa-update.dostech.net 99_sare_fraud_post25x.cf.sare.sa-update.dostech.net 70_sare_spoof.cf.sare.sa-update.dostech.net 70_sare_random.cf.sare.sa-update.dostech.net 70_sare_oem.cf.sare.sa-update.dostech.net 70_sare_genlsubj0.cf.sare.sa-update.dostech.net 70_sare_highrisk.cf.sare.sa-update.dostech.net 70_sare_unsub.cf.sare.sa-update.dostech.net 70_sare_uri0.cf.sare.sa-update.dostech.net 70_sare_whitelist.cf.sare.sa-update.dostech.net 70_sare_obfu.cf.sare.sa-update.dostech.net 70_sare_stocks.cf.sare.sa-update.dostech.net My /etc/rulesdujour/config file : TRUSTED_RULESETS=TRIPWIRE SARE_REDIRECT_POST300 SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_BAYES_POISON_NXM SARE_HTML SARE_HEADER0 SARE_SPECIFIC SARE_ADULT SARE_BML SARE_FRAUD SARE_SPOOF SARE_RANDOM SARE_OEM SARE_GENLSUBJ0 SARE_HIGHRISK SARE_UNSUB SARE_URI0 SARE_WHITELIST SARE_OBFU SARE_STOCKS; 1) I was already using sa-update in crontab to update SA standard rules. 2) I think i have mixed 2 things that should do the same thing using different method, didn't I ? (sa-update + rules_du_jour script...) Should i now just have to run the sa-update command line from crontab to update everything ? 
Or should i add parameters like : sa-update --channelfile /etc/mail/spamassassin/sare-sa-update-channels.txt --gpgkey 856AA88A I suppose i can delete the reules_du_jour script and config file now ? But there is something strange in /var/lib/spamassassin, it seems to have duplicate things : [EMAIL PROTECTED] root]# ls -rtla /var/lib/spamassassin/3.001007/ total 188 -rw-r--r--1 root root 43 jan 23 01:45 updates_spamassassin_org.pre -rw-r--r--1 root root 2200 jan 23 01:45 updates_spamassassin_org.cf drwxr-xr-x2 root root 4096 jan 23 01:45 updates_spamassassin_org drwxr-xr-x3 root root 4096 jan 23 01:45 .. -rw-r--r--1 root root 98 jan 23 17:09 70_sare_adult_cf_sare_sa-update_dostech_net.cf drwxr-xr-x2 root root 4096 jan 23 17:09 70_sare_adult_cf_sare_sa-update_dostech_net -rw-r--r--1 root root 111 jan 23 17:57 72_sare_redirect_post3_0_0_cf_sare_sa-update_dostech_net.cf drwxr-xr-x2 root root 4096 jan 23 17:57 72_sare_redirect_post3_0_0_cf_sare_sa-update_dostech_net -rw-r--r--1 root root 101 jan 23 17:57 70_sare_evilnum0_cf_sare_sa-update_dostech_net.cf drwxr-xr-x2 root root 4096 jan 23 17:57 70_sare_evilnum0_cf_sare_sa-update_dostech_net -rw-r--r--1 root root 101 jan 23 17:57 70_sare_evilnum1_cf_sare_sa-update_dostech_net.cf drwxr-xr-x2 root root 4096 jan 23 17:57 70_sare_evilnum1_cf_sare_sa-update_dostech_net -rw-r--r--1 root root 101 jan 23 17:57 70_sare_evilnum2_cf_sare_sa-update_dostech_net.cf drwxr-xr-x2 root root 4096 jan 23 17:57 70_sare_evilnum2_cf_sare_sa-update_dostech_net -rw-r--r--1 root root 109 jan 23 17:57 70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf drwxr-xr-x2 root root 4096 jan 23 17:57 70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net -rw-r--r--1 root root 97 jan 23 17:57 70_sare_html_cf_sare_sa-update_dostech_net.cf drwxr-xr-x2 root root 4096 jan 23 17:57 70_sare_html_cf_sare_sa-update_dostech_net -rw-r--r--1 root root 100 jan 23 17:57 70_sare_header0_cf_sare_sa-update_dostech_net.cf drwxr-xr-x2 root root 4096 jan 23 17:57 
70_sare_header0_cf_sare_sa-update_dostech_net -rw-r--r--1 root root 101 jan 23 17:57 70_sare_specific_cf_sare_sa-update_dostech_net.cf drwxr-xr-x2 root root 4096 jan 23 17:57 70_sare_specific_cf_sare_sa-update_dostech_net -rw-r--r--1 root root 104 jan 23 17:57 72_sare_bml_post25x_cf_sare_sa-update_dostech_net.cf drwxr-xr-x2 root root 4096 jan 23 17:57 72_sare_bml_post25x_cf_sare_sa-update_dostech_net -rw-r--r--1 root root 106 jan 23 17:57 99_sare_fraud_post25x_cf_sare_sa-update_dostech_net.cf drwxr-xr-x2 root root 4096 jan 23 17:57 99_sare_fraud_post25x_cf_sare_sa-update_dostech_net -rw-r--r--1 root
RE: Minor FPs on Wii emails
(Bringing this back to the list...) Dan Barker wrote: The largest score was FROM_ENDS_IN_NUMS and FROM_LOCAL_HEX, both of which you made up. Do real wii addresses end in 16 Hex digits? This is my webhost's SA installation, not my own (which is unfortunate, since it means I can't tweak it). That said, they are not made up. FROM_ENDS_IN_NUMS and FROM_LOCAL_HEX are both listed on the SpamAssassin website as part of the standard 3.1.x tests. http://spamassassin.apache.org/tests_3_1_x.html And yes, as explained in my email, real Wii addresses do end in 16 hex digits. (Technically it's 16 decimal digits, but the set of decimal digits overlaps the set of Hex digits.) (Each Wii is assigned a unique 16-digit code. For you to communicate with other Wii users, you both need to enter each other's codes in your Wii address book. To communicate via email from a Wii, you put an email address into your Wii address book, and they get an email like the one I posted. The email recipient must reply to the message before real emails can be sent back and forth.)
RE: Minor FPs on Wii emails (apologies to Dan)
Coffey, Neal wrote: Dan Barker wrote: Do real wii addresses end in 16 Hex digits? And yes, as explained in my email, real Wii addresses do end in 16 hex digits. Just realized that I did *not* actually explain that...I had a first draft where I did, but I must've cut that out. Sorry!
Re: Header processing not working.
Hmm - presently I feel rather stupid... I found a tip about starting SA in debug-mode from amavis: amavisd debug-sa which revealed a few syntax errors in my local.cf, and these caused header checks to break off prematurely. So now all my header checks work fine, and the MISSING_SUBJECT hit vanished. The only problem remaining now is, that if the same pattern is specified for a header/subject test and for a body test, I get hits for both tests, even though the pattern tested for only appears in the subject line and not in the body. Strange, eh? Regards Joern. Theo Van Dinter wrote: On Mon, Jan 22, 2007 at 01:29:22PM +0100, J. W. Andersen wrote: which did not hit the spam score. In either case the header is somewhat modified by amavis, but they still look OK to me, as far as I understand RFC2822. As long as it's still in the proper rfc-related format it's fine. Is there a way to capture or freeze the message file at the moment it is passed to SA ? You could write a plugin to do this for you, but there's no standard feature that would do it, especially since you're using a third party daemon. X-Spam-Status: No, score=5.751 tagged_above=3 required=6.3 tests=[AWL=1.774, HEALTH_BDY=2.5, MISSING_SUBJECT=1.345, NO_RECEIVED=-0.001, SPF_PASS=-0.001, TO_CC_NONE=0.134] [...] Subject: health Hrm. Yeah, something is definitely messed up. It clearly has a Subject header and it works fine if I run it through spamassassin: [21577] dbg: check: tests=BAYES_95,TVD_RCVD_SPACE_BRACKET,UNPARSEABLE_RELAY [21577] dbg: check: subtests=__CT,__CTE,__CT_TEXT_PLAIN,__ENV_AND_HDR_FROM_MATCH,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__MIME_VERSION,__MOZILLA_MSGID,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__TOCC_EXISTS,__USER_AGENT
SA --lint help 3.1.7
I have installed Spamassassin 3.1.7 on a Fedora Core 6 box. When I run spamassassin --lint I get the following warnings:
[11180] warn: config: failed to parse line, skipping: rewrite_subject 1
[11180] warn: config: failed to parse line, skipping: report_header 1
[11180] warn: config: failed to parse line, skipping: use_terse_report 1
[11180] warn: config: failed to parse line, skipping: defang_mime 0
[11180] warn: config: failed to parse line, skipping: auto_learn 1
[11180] warn: lint: 5 issues detected, please rerun with debug enabled for more information
I can't seem to find information on the site http://spamassassin.apache.org/ on how to resolve this issue. I hope to run Spamassassin as a Daemon. Here is my local.cf file:
local.cf--
add_header all Score _SCORE_
required_score 5
rewrite_header subject [SPAM] (_SCORE_)
use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 0.3
bayes_auto_learn_threshold_spam 12
bayes_min_ham_num 200
bayes_min_spam_num 200
report_safe 0
use_razor2 1
Re: train forwarded messages on local SA server
R Lists06 wrote: Is it ok to sa-learn train forwarded messages that end up in my local account mailboxes from accounts on remote servers (out of my admin control) that are spam? - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net I would think so, as long as you are able to train both HAM and SPAM from that forwarded domain. I have this same situation myself, and it's for the owner of the company. -=Aubrey=-
RE: market buy with image
I'd use 00_FVGT_File001.cf which is a new file Fred. This combines a lot of his older 88_FVGT* cf files into one. -- -Doc Thanks, if anyone out there running some or a lot of the FRED rules with a lot of success or should we only run certain ones in general Bottom line is, I don't know how aggressive or not the rulesets are etc Please advise and thanks! - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
Re: market buy with image
R Lists06 wrote: I'd use 00_FVGT_File001.cf which is a new file Fred. This combines a lot of his older 88_FVGT* cf files into one. -- -Doc Thanks, if anyone out there running some or a lot of the FRED rules with a lot of success or should we only run certain ones in general Bottom line is, I don't know how aggressive or not the rulesets are etc Please advise and thanks! I personally run all Fred's rules and never have seen a FP. Of course as with anything YMMV. -- -Doc SA/SARE -- Ninja 11:52am up 9 days, 20:50, 15 users, load average: 0.78, 0.89, 1.20 SARE HQ http://www.rulesemporium.com/
Re: a few string of header in message body
On Mon, Jan 22, 2007 at 12:47:29PM +0300, S R wrote: Hello, please help to understand why sometimes message body consist of body+few string from header like: Do you by chance run spamass-milter? This problem usually comes up when third party code doesn't correctly handle line endings. -- Randomly Selected Tagline: Today I set a motherboard on fire. Now the bizarre thing is that after the smoke cleared it still worked. - Alan Cox
INVALID_TZ_EST flagged in all emails
All, I've searched but can not find the answer to this. I'm running RedHat Enterprise Linux v4 with all latest updates and am using the amavisd-milter to call amavisd-new (v2.4.4) which in turn is using spamd (spamassassin v3.1.7). It appears that every single email that's getting filtered is getting the INVALID_TZ_EST attached. Even something as simple as just piping the text test through sendmail to root gives this result: From [EMAIL PROTECTED] Mon Jan 22 16:20:37 2007 X-Virus-Scanned: amavisd-new at graze.net X-Spam-Score: 4.29 X-Spam-Level: X-Spam-Status: No, score=4.29 tagged_above=- required=5 tests=[ALL_TRUSTED=-1.8, AWL=-0.568, BAYES_60=1, DATE_IN_FUTURE_03_06=1.961, INVALID_TZ_EST=1.883, MISSING_SUBJECT=1.816, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] Date: Mon, 22 Jan 2007 16:20:26 -0500 From: root [EMAIL PROTECTED] To: [EMAIL PROTECTED] test What can I do to determine what is causing that test to fail? Thanks, Brian
Some tests not being run during relay
hello, I am looking for some help with an issue I am having. Some spam has been getting through and it looks like when it comes through a bunch of rules are not getting hit, but when I run it manually as the same user that my mimedefang runs as it scores well above the threshold. I am running on RedHat Linux 4 with sendmail-mimedefang-spamassassin(3.1.7). I am running it manually as the same user mimedefang uses so I don't think that is the issue. Could it be timing out or something? Any help would be appreciated. Thanks, David Here is an example. Here is the MSG.0 file that gets quarantined by Mimedefang. -bash-3.00$ more MSG.0 Spam detection software, running on the system , has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Good day Davidr!!! A Genuine Univers1ty Degree 1n 4-6 weeks! Haev you ever thought that the only thing stopping you from a great job and better pay was a few letters behind you name? Well now you can get them! [...] Content analysis details: (4.4 points, 5.0 required) pts rule name description -- -- 0.5 PLING_QUERYSubject has exclamation mark and question mark 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60% [score: 0.4473] 3.9 RCVD_IN_XBLRBL: Received via a relay in Spamhaus XBL [89.137.135.243 listed in sbl-xbl.spamhaus.org] 4.412 5 BAYES_50,PLING_QUERY,RCVD_IN_XBL Here is the output when I run it manually. -bash-3.00$ spamassassin ENTIRE_MESSAGE Received: from localhost by mx2.narus.com with SpamAssassin (version 3.1.7); Tue, 23 Jan 2007 10:01:46 -0800 From: (270) 818-7244 Reuben [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: *SPAM* Need a Diploma? {}You Need a Better Degere, and we can Help! 
Date: Tue, 23 Jan 2007 19:46:19 +0300 Message-Id: [EMAIL PROTECTED] X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on mx2.narus.com X-Spam-Level: X-Spam-Status: Yes, score=16.4 required=5.0 tests=BAYES_50, DRUGS_STOCK_MIMEOLE,FM_SCHOOLING,FM_SCHOOL_DIPLOMA,FM_SCHOOL_TYPES, J_CHICKENPOX_31,J_CHICKENPOX_72,MID_14DIGITS_HEX,NO_RECEIVED, NO_RELAYS,PLING_QUERY,SARE_SPEC_DIPLOMA autolearn=no version=3.1.7 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=--=_45B64D8A.F257228F This is a multi-part message in MIME format. =_45B64D8A.F257228F Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 8bit Spam detection software, running on the system , has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Good day Davidr!!! A Genuine Univers1ty Degree 1n 4-6 weeks! Haev you ever thought that the only thing stopping you from a great job and better pay was a few letters behind you name? Well now you can get them! [...] Content analysis details: (16.4 points, 5.0 required) pts rule name description -- -- 0.5 PLING_QUERYSubject has exclamation mark and question mark 2.8 MID_14DIGITS_HEX MID_14DIGITS_HEX 1.1 SARE_SPEC_DIPLOMA educational spam subject -0.0 NO_RELAYS Informational: message was not relayed via SMTP 0.6 J_CHICKENPOX_72BODY: 7alpha-pock-2alpha 0.6 J_CHICKENPOX_31BODY: 3alpha-pock-1alpha 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60% [score: 0.4275] 5.6 FM_SCHOOL_TYPESMeta Combo Phrase for Schooling 1.2 FM_SCHOOLING Meta Combo Phrase for Schooling (2) 2.0 DRUGS_STOCK_MIMEOLEStock-spam forged headers found (5510) -0.0 NO_RECEIVEDInformational: message has no Received headers 2.0 FM_SCHOOL_DIPLOMA Meta for Schooling + Diploma. 
=_45B64D8A.F257228F Content-Type: message/rfc822; x-spam-type=original Content-Description: original message before SpamAssassin Content-Disposition: inline Content-Transfer-Encoding: 8bit Message-ID: [EMAIL PROTECTED] From: (270) 818-7244 Reuben [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Need a Diploma? {}You Need a Better Degere, and we can Help! Date: Tue, 23 Jan 2007 19:46:19 +0300 MIME-Version: 1.0 X-Mailer: Microsoft Office Outlook, Build 11.0.5510 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 Thread-Index: A4ZDuhTMWDpnC33nubM21tj5viVqfrdeJ83i Content-Type: text/plain;
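A quick way to see exactly which rules differ between the relayed scan and the manual one is to diff the two rule lists. The following is an added example, not part of the original post: the two inputs are copied from the message above, and the function names are made up for this sketch. It also accepts the bracketed `tests=[RULE=score, ...]` form that amavisd writes.

```python
import re

# Copied from the post above: the rule list MIMEDefang recorded for the relayed
# copy, and the folded X-Spam-Status header produced by the manual run.
RELAY_RUN = "BAYES_50,PLING_QUERY,RCVD_IN_XBL"
MANUAL_RUN = """Yes, score=16.4 required=5.0 tests=BAYES_50,
\tDRUGS_STOCK_MIMEOLE,FM_SCHOOLING,FM_SCHOOL_DIPLOMA,FM_SCHOOL_TYPES,
\tJ_CHICKENPOX_31,J_CHICKENPOX_72,MID_14DIGITS_HEX,NO_RECEIVED,
\tNO_RELAYS,PLING_QUERY,SARE_SPEC_DIPLOMA autolearn=no version=3.1.7"""

# Rules that only describe the absence of Received headers in the scanned copy.
NO_RECEIVED_MARKERS = {"NO_RECEIVED", "NO_RELAYS"}


def parse_tests(value):
    """Return {rule: score or None} from an X-Spam-Status value or a bare rule list."""
    flat = " ".join(value.split())                 # unfold continuation lines
    body = flat.split("tests=", 1)[1] if "tests=" in flat else flat
    if body.startswith("["):                       # amavisd: tests=[RULE=1.2, ...]
        end = body.find("]")
        body = body[1:end if end != -1 else None]
    else:                                          # spamassassin: list ends at autolearn=
        body = re.split(r"\s+[a-z_]+=", body, maxsplit=1)[0]
    tests = {}
    for item in body.split(","):
        item = item.strip()
        if not item or item == "none":
            continue
        name, _, score = item.partition("=")
        tests[name] = float(score) if score else None
    return tests


def compare_runs(relay, manual):
    """Diff two scans of what should be the same message."""
    a, b = set(parse_tests(relay)), set(parse_tests(manual))
    one_sided = a ^ b
    return {
        "both": sorted(a & b),
        "relay_only": sorted(a - b),
        "manual_only": sorted(b - a),
        # If a no-Received marker fired on one side only, the two scans did not
        # see the same headers, so Received-based rules cannot be compared.
        "input_differs": bool(NO_RECEIVED_MARKERS & one_sided),
        # What is left after setting those markers aside still needs explaining
        # (for example a ruleset or config the relay path does not load).
        "unexplained_manual_only": sorted((b - a) - NO_RECEIVED_MARKERS),
    }


if __name__ == "__main__":
    for key, val in compare_runs(RELAY_RUN, MANUAL_RUN).items():
        print(f"{key}: {val}")
```

On the values from the post, NO_RECEIVED and NO_RELAYS appear only in the manual run, so that copy had no Received headers and RCVD_IN_XBL could not fire on it; the remaining manual-only rules are the ones to chase in the relay path's configuration.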
Re: SA --lint help 3.1.7
On Tue, Jan 23, 2007 at 09:51:56AM -0800, Tom wrote: [11180] warn: config: failed to parse line, skipping: rewrite_subject 1 [11180] warn: config: failed to parse line, skipping: report_header 1 [11180] warn: config: failed to parse line, skipping: use_terse_report 1 [11180] warn: config: failed to parse line, skipping: defang_mime 0 [11180] warn: config: failed to parse line, skipping: auto_learn 1 [11180] warn: lint: 5 issues detected, please rerun with debug enabled for more information All of these config options were deprecated years ago. You can look at old release announcements or Google around for it. In short: Most of those got replaced by report_safe. auto_learn is really bayes_auto_learn and is 1 by default. In short, I would drop those lines and see how the defaults do for you. -- Randomly Selected Tagline: I develop for Linux for a living, I used to develop for DOS. Going from DOS to Linux is like trading a glider for an F117. - F. Sweetser
auto_learn
I have set bayes_autolearn 1 in my spampd configuration. But I keep getting headers that autolearn=no. Is there something else I need to do? bayes_tok and bayes_seen are working and getting updated.
Re: USER_IN_WHITELIST problem
Ok I have an update. I picked a message that was getting marked USER_IN_WHITELIST once every 5 or so messages. I took the from address and added this code to Perl..Mail\SpamAssassin\EvalTests.pm
    if ($addr =~ qr/$regexp/i) {
      dbg("rules: address $addr matches whitelist or blacklist regexp: $regexp");
      if ($addr eq [EMAIL PROTECTED]) {
        info("PARADOX: rules: address $addr matches whitelist or blacklist regexp: $regexp");
        foreach my $reg (values %{$list}) {
          info("PARADOX: $reg");
        }
      }
I then ran my loop and watched the log. After a few tries it hit. Guess the cool part. It printed out hundreds and hundreds of lines of blacklist/whitelist settings. I use a domain/username file based pref system, no sql, nothing broken there. The hundreds of lines were not 'all' my wl/bl's. After some more debugging I am pretty confident that I am seeing the list of all wl/bl's loaded in memory for any message being scanned at that moment. On this particular box probably around 25 or so. Pretty cool huh? How is this possible? How did it just start happening out of nowhere? Ryan Pavely Director Research And Development Net Access Corporation http://www.nac.net/ http://www.15minuteservers.com/
Re: USER_IN_WHITELIST problem
Will Nordmeyer wrote: René Berber wrote: Sherman Lilly wrote: [snip] I get why they are getting through. They are spoofing the Return-Path. Is there any way to remedy this problem? Depends on your server. For sendmail there is: http://ultra.ap.krakow.pl/~raj/sendmail/english.html the FEATURE(`local_sender_check') gets rid of all forged addresses pretending to be from your domain. -- Unfortunately, at least in my case, the addresses aren't forged - they are actual addresses on my server (Some of my clients APPEAR to send themselves quite a bit of this garbage), so the local_sender_check wouldn't help, because the return path appears to be themselves. That could be solved with smtp auth, of course that means that your clients/users need to change their configuration or implementing pop-before-send. As for SA, the plugin Botnet will catch most spammers, over 90% in my experience (even if it is redundant with some of the dynamic-ip-blacklist tests). -- René Berber
Re: auto_learn
On Tue, Jan 23, 2007 at 01:06:43PM -0500, [EMAIL PROTECTED] wrote: I have set bayes_autolearn 1 in my spampd configuration. That enables autolearning, but doesn't guarantee that it'll happen. Enabled (1) is also the default, so there's no real point in specifying it in the config fwiw. But I keep getting headers that autolearn=no. Is there something else I need to do? http://wiki.apache.org/spamassassin/AutolearningNotWorking -- Randomly Selected Tagline: It's a chicken finger device.- Theo, looking at entree
Re: INVALID_TZ_EST flagged in all emails
On Tue, Jan 23, 2007 at 01:04:24PM -0500, Brian C. Huffman wrote: I'm running RedHat Enterprise Linux v4 with all latest updates and am using the amavisd-milter to call amavisd-new (v2.4.4) which in turn is using spamd (spamassassin v3.1.7). It appears that every single email that's getting filtered is getting the INVALID_TZ_EST attached. Even something as simple as just piping the text test through sendmail to root gives this result: From [EMAIL PROTECTED] Mon Jan 22 16:20:37 2007 X-Virus-Scanned: amavisd-new at graze.net Date: Mon, 22 Jan 2007 16:20:26 -0500 To: [EMAIL PROTECTED] What can I do to determine what is causing that test to fail? I can't reproduce your problem. There is indeed a rule that looks for questionable EST-related timezone statements, but there aren't any in your sample mail. Specifically, the rule needs EST to show up in a header, which doesn't for you. Try running the mail through spamassassin manually. If it works fine, you need to debug the other stuff and figure out where the problem is. -- Randomly Selected Tagline: So Lone Star ... Now you see that evil will always triumph because good is dumb. - Space Balls
Re: Header processing not working.
On Tue, Jan 23, 2007 at 06:37:46PM +0100, J. W. Andersen wrote: The only problem remaining now is, that if the same pattern is specified for a header/subject test and for a body test, I get hits for both tests, even though the pattern tested for only appears in the subject line and not in the body. The Subject is included as the first line in the body for rules fyi. -- Randomly Selected Tagline: Fluorescent lights are generating negative ions. - Today's BOFH Excuse
Re: FuzzyOcr Hash Error
Ed Kasky wrote: With FuzzyOcr 3.5.1 and SA 3.1.7, I noticed this in the log while debugging my setup: 2007-01-23 01:39:23 [16842] Processing Message with ID [EMAIL PROTECTED] (Lacy Silva [EMAIL PROTECTED] - ed [EMAIL PROTECTED]) 2007-01-23 01:39:23 [16842] GIF: [248x442] submersible.gif (5458) 2007-01-23 01:39:23 [16842] Found: 1 images 2007-01-23 01:39:23 [16842] Found GIF header name=submersible.gif 2007-01-23 01:39:23 [16842] Image is single non-interlaced... 2007-01-23 01:39:24 [16842] Calculating image hash for: /tmp/.spamassassin168423O9h2Ttmp/submersible.gif.pnm 2007-01-23 01:39:24 [16842] Timed out Look at the timestamp, there was no 10 sec timeout, it was immediate. 2007-01-23 01:39:24 [16842] Error calculating the image hash, skipping hash check... 2007-01-23 01:39:24 [16842] Empty Hash, skipping... Timeout is set to default of 10 seconds and the hash.db is writeable by spamd. -rw-rw-r--1 spamdspamd 90112 Jan 23 06:19 /etc/mail/spamassassin/FuzzyOcr.db The date and size indicates that it has been used very recently. From the cf: focr_enable_image_hashing 2 focr_db_hash /etc/mail/spamassassin/FuzzyOcr.db focr_db_safe /etc/mail/spamassassin/FuzzyOcr.safe.db The rest of the hash settings are left as default. As a result, I have had no hits since installing the new version. When did you install the new version? For what period of time there are no hits? Do you know how many times the plugin was called? Any suggestions as to where to look next are gratefully accepted and appreciated... There is a global timeout, usually disabled but looks like you uncommented the 1 sec sample value. -- René Berber
Re: Rules_du_jour question...
For the SARE rules you only need to use ONE of sa-update or rules_du_jour. Either works fine. sa-update has the potential to get you newer rules faster without any significant additional load on the servers serving the channels. Assuming you want to use sa-update for everything... - remove all the SARE rules from /etc/mail/spamassassin - disable your rules_du_jour cron - continue using sa-update how you are (you'll find all your updated rules in /var/lib/spamassassin which is where they are supposed to be) Daryl
Re[2]: market buy with image
Hello R, Tuesday, January 23, 2007, 12:53:00 PM, you wrote: Thanks, if anyone out there running some or a lot of the FRED rules with a lot of success or should we only run certain ones in general Bottom line is, I don't know how aggressive or not the rulesets are etc Please advise and thanks! My rules are very aggressive, but they can and possibly will cause FP's!! As soon as 3.2 is released, those rules of mine that survive the rescoring and mass-check runs will be included in the stock rules! Frederic Tarasevicius
Re: FuzzyOcr Hash Error
At 10:23 AM Tuesday, 1/23/2007, René Berber wrote -= Ed Kasky wrote: With FuzzyOcr 3.5.1 and SA 3.1.7, I noticed this in the log while debugging my setup: 2007-01-23 01:39:23 [16842] Processing Message with ID [EMAIL PROTECTED] (Lacy Silva [EMAIL PROTECTED] - ed [EMAIL PROTECTED]) 2007-01-23 01:39:23 [16842] GIF: [248x442] submersible.gif (5458) 2007-01-23 01:39:23 [16842] Found: 1 images 2007-01-23 01:39:23 [16842] Found GIF header name=submersible.gif 2007-01-23 01:39:23 [16842] Image is single non-interlaced... 2007-01-23 01:39:24 [16842] Calculating image hash for: /tmp/.spamassassin168423O9h2Ttmp/submersible.gif.pnm 2007-01-23 01:39:24 [16842] Timed out Look at the timestamp, there was no 10 sec timeout, it was immediate. I know - that caught my attention right away. 2007-01-23 01:39:24 [16842] Error calculating the image hash, skipping hash check... 2007-01-23 01:39:24 [16842] Empty Hash, skipping... Timeout is set to default of 10 seconds and the hash.db is writeable by spamd. -rw-rw-r--1 spamdspamd 90112 Jan 23 06:19 /etc/mail/spamassassin/FuzzyOcr.db The date and size indicates that it has been used very recently. The date and size changed I think because I restarted spamd at that time this morning after checking the cf. 4 1/2 hours later it's still the same. From the cf: focr_enable_image_hashing 2 focr_db_hash /etc/mail/spamassassin/FuzzyOcr.db focr_db_safe /etc/mail/spamassassin/FuzzyOcr.safe.db The rest of the hash settings are left as default. As a result, I have had no hits since installing the new version. When did you install the new version? About 2 weeks ago. For what period of time there are no hits? Do you know how many times the plugin was called? I haven't had any hits since installing. Since Sunday when the log was rotated, there are 1241 instances in the FuzzyOcr log, 404 scans and 837 cancels due to score being above/below thresholds. Any suggestions as to where to look next are gratefully accepted and appreciated... 
There is a global timeout, usually disabled but looks like you uncommented the 1 sec sample value. # Timeout for the plugin, in seconds. (Maximum runtime of the plugin) # Default value: 10 focr_timeout 20 # Use a global timeout value instead of per helper application. # Default value: 0 #focr_global_timeout 1 Still scratching my head on the timeouts and hash db errors... Ed Kasky ~ Randomly Generated Quote (431 of 526): Scriptures, n. The sacred books of our holy religion, as distinguished from the false and profane writings on which all other faiths are based. -Ambrose Bierce, writer (1842-1914) [The Devil's Dictionary]
Looking to get a rule checked against the SVN corpus
Can someone point me to a sa developer? We've been doing some hacking on SA at work (guardiandigital.com) and have a rule that we'd like to get run against the corpus. It's not worth getting all set up as real submitters, so maybe someone could just toss it in with their next run..? The suspicion is that this might help against the current flood of image spam. Eric noticed that most of it seems to be sent as multipart related instead of the common way, but we're a little concerned about false positives. Thanks! Mike- header LOCAL_MULTIPART_RELATED Content-Type =~ /multipart\/related;/ score LOCAL_MULTIPART_RELATED 0.753 describe LOCAL_MULTIPART_RELATED Stock messages with images attachments
Re: Looking to get a rule checked against the SVN corpus
On Tue, Jan 23, 2007 at 01:54:27PM -0500, Michael Cocke wrote: Can someone point me to a sa developer? We've been doing some hacking For things like rule suggestions, we generally like people to go to http://issues.apache.org/SpamAssassin/ and open a ticket about it. That way there's tracking and such. on SA at work (guardiandigital.com) and have a rule that we'd like to get run against the corpus. It's not worth getting all set up as real FWIW, there isn't the corpus, it's a bunch of personal corpora. multipart related instead of the common way, but we're a little concerned about false positives. I'm not sure what you mean by the common way. If you want to send a text part with an image, it's multipart/related. header LOCAL_MULTIPART_RELATED Content-Type =~ /multipart\/related;/ Yeah, I did some work related to this when trying to clean up the EXTRA_MPART_TYPE rule. See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5110 for that discussion. Someone else also suggested it in https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5224 There's also a number of tickets for FPs on image spams, since they're essentially being sent with Outlook, so genuine Outlook mails get flagged a lot, ie: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5226 All that said, the rule may work well for you, it really depends on the type of mails that you receive. For example, if it wasn't for my hamtraps, I wouldn't receive any legit mails that include pictures and could easily ignore the whole image spam thing with a simple MTA rule. -- Randomly Selected Tagline: Senator Helms went on to say that President Clinton would need a bodyguard if he ever went to North Carolina. Helms later claimed that reporters misunderstood him through his hood. - Dennis Miller, Dennis Miller Live (1994, Jerry Seinfeld)
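Since the rule's value depends on the mail a site actually receives, it can be measured on a local ham and spam set before it is given a score. The following is an added sketch, not code from this thread or from SpamAssassin: it applies the same pattern as LOCAL_MULTIPART_RELATED to the top-level Content-Type header only, and the five messages, `make` and `evaluate` are constructed for illustration.

```python
import re
from email import message_from_string

# Same pattern as the LOCAL_MULTIPART_RELATED rule above (case-sensitive, no /i).
RULE = re.compile(r"multipart/related;")


def make(subject, content_type, body="placeholder body"):
    """Build a minimal raw message; all sample messages here are constructed."""
    return (f"From: sender@example.test\nSubject: {subject}\nMIME-Version: 1.0\n"
            f"Content-Type: {content_type}\n\n{body}\n")


def rule_hits(raw):
    """Apply the pattern to the unfolded top-level Content-Type header only."""
    msg = message_from_string(raw)
    value = " ".join(str(msg.get("Content-Type", "")).split())
    return bool(RULE.search(value))


def evaluate(corpus):
    """corpus: list of (label, raw message), label being 'ham' or 'spam'."""
    out = {"spam_hits": 0, "spam_total": 0, "ham_hits": 0, "ham_total": 0,
           "false_positives": [], "missed_spam": []}
    for label, raw in corpus:
        hit = rule_hits(raw)
        subject = message_from_string(raw)["Subject"]
        out[f"{label}_total"] += 1
        out[f"{label}_hits"] += hit
        if label == "ham" and hit:
            out["false_positives"].append(subject)
        if label == "spam" and not hit:
            out["missed_spam"].append(subject)
    return out


# Image spam whose related part is nested inside multipart/alternative: the
# string is present in the raw text but not in the top-level header.
NESTED = make("stock alert 2", 'multipart/alternative; boundary="o"',
              body='--o\nContent-Type: multipart/related; boundary="i"\n\n--i--\n--o--')

CORPUS = [
    ("spam", make("stock alert", 'multipart/related;\n\tboundary="b1"')),  # folded header
    ("spam", NESTED),
    ("ham", make("lunch?", "text/plain; charset=us-ascii")),
    ("ham", make("newsletter with logo", 'multipart/related; type="text/html"; boundary="b2"')),
    ("ham", make("invoice attached", 'multipart/mixed; boundary="b3"')),
]

if __name__ == "__main__":
    for key, val in evaluate(CORPUS).items():
        print(f"{key}: {val}")
```

On the constructed set the rule hits one of two spams and one of three hams: the legitimate HTML mail with an inline image is the false positive the thread is worried about, and the nested spam is missed because only the outer header is tested.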
amavistat-new
Is anyone using amavistat-new http://wwwhomes.uni-bielefeld.de/schoppa/amavistat-new/ (not amavis-stats) to graph spam/virus statistics? I'm looking for a graphing utility that counts RBL rejected messages as part of the spam rejected messages. Does this package do that?
Re: FuzzyOcr Hash Error
Ed Kasky wrote: At 10:23 AM Tuesday, 1/23/2007, René Berber wrote -= Ed Kasky wrote: With FuzzyOcr 3.5.1 and SA 3.1.7, I noticed this in the log while debugging my setup: 2007-01-23 01:39:23 [16842] Processing Message with ID [EMAIL PROTECTED] (Lacy Silva [EMAIL PROTECTED] - ed [EMAIL PROTECTED]) 2007-01-23 01:39:23 [16842] GIF: [248x442] submersible.gif (5458) 2007-01-23 01:39:23 [16842] Found: 1 images 2007-01-23 01:39:23 [16842] Found GIF header name=submersible.gif 2007-01-23 01:39:23 [16842] Image is single non-interlaced... 2007-01-23 01:39:24 [16842] Calculating image hash for: /tmp/.spamassassin168423O9h2Ttmp/submersible.gif.pnm 2007-01-23 01:39:24 [16842] Timed out Look at the timestamp, there was no 10 sec timeout, it was immediate. I know - that caught my attention right away. What version of module Time::HiRes do you have? -- René Berber
RE: Re[2]: market buy with image
My rules are very aggressive, but they can and possibly will cause FP's!! As soon as 3.2 is released, those rules of mine that survive the rescoring and mass-check runs will be included in the stock rules! Frederic Tarasevicius Good lookin' out Frederic Will you please keep us posted as that happens so that those of us that are old enough and have the sometimers disease will remember to deal with the resultant issues? Sometimes I remember, sometimes I dont :-) - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
Re: INVALID_TZ_EST flagged in all emails
Brian C. Huffman wrote: All, I've searched but can not find the answer to this. I'm running RedHat Enterprise Linux v4 with all latest updates and am using the amavisd-milter to call amavisd-new (v2.4.4) which in turn is using spamd (spamassassin v3.1.7). It appears that every single email that's getting filtered is getting the INVALID_TZ_EST attached. Even something as simple as just piping the text test through sendmail to root gives this result: It sounds like it may be an issue with the received header that amavisd is faking (as required) when it passes the message to SA. Daryl
RE: INVALID_TZ_EST flagged in all emails
- Original Message - From: Daryl C. W. O'Shea [EMAIL PROTECTED] Sent: Tue, 1/23/2007 4:11pm To: Brian C. Huffman [EMAIL PROTECTED] Cc: users@spamassassin.apache.org Subject: Re: INVALID_TZ_EST flagged in all emails It sounds like it may be an issue with the received header that amavisd is faking (as required) when it passes the message to SA. Daryl Looking through /usr/sbin/amavisd, it appears that it *does not* add the Received header if it is called via a milter (which it is). So, this wouldn't seem to be the issue. Thanks - I'm still looking. I'll try to run this through spamassassin w/o amavis when I get home this evening. -b
Re: Some tests not being run during relay
On Tue, 23 Jan 2007, David Reta wrote: Hi, I am looking for some help with an issue I am having. Some spam has been getting through and it looks like when it comes through a bunch of rules are not getting hit, but when I run it manually as the same user that my mimedefang runs as it scores well above the threshold. I am running on RedHat Linux 4 with sendmail-mimedefang-spamassassin(3.1.7). I am running it manually as the same user mimedefang uses so I don't think that is the issue. Could it be timing out or something? Any help would be appreciated. Did you run it manually, using the same user as used by mimedefang/spamassassin? Maybe it's some sort of permission mismatch. Got no help/hint using spamassassin --lint -D? regards, Matthias
Re: INVALID_TZ_EST flagged in all emails
Brian C. Huffman wrote: Looking through /usr/sbin/amavisd, it appears that it *does not* add the Received header if it is called via a milter (which it is). So, this wouldn't seem to be the issue. New versions do. The old versions that don't are broken and have greater issues (most DNSBL tests and other stuff is broken) than INVALID_TZ_EST firing. Daryl
Pipe errors attempting to run SA
Hi there, followed the steps laid out Postfix http://www.postfix.org First Step - Basic Integrating - at http://onetforum.com/fourm/viewtopic.php?p=27 from the http://wiki.apache.org/spamassassin/IntegratingSA Now when I check my email the new messages are now in the postfix mail queue. When I check the /var/log/maillog I find the error listed below: Eserver pipe[3691]: fatal: pipe_command: execvp /usr/local/bin/spamfilter: Permission denied
Re: FuzzyOcr Hash Error - Fixed
At 12:54 PM Tuesday, 1/23/2007, René Berber wrote -= Ed Kasky wrote: At 10:23 AM Tuesday, 1/23/2007, René Berber wrote -= Ed Kasky wrote: With FuzzyOcr 3.5.1 and SA 3.1.7, I noticed this in the log while debugging my setup: 2007-01-23 01:39:23 [16842] Processing Message with ID [EMAIL PROTECTED] (Lacy Silva [EMAIL PROTECTED] - ed [EMAIL PROTECTED]) 2007-01-23 01:39:23 [16842] GIF: [248x442] submersible.gif (5458) 2007-01-23 01:39:23 [16842] Found: 1 images 2007-01-23 01:39:23 [16842] Found GIF header name=submersible.gif 2007-01-23 01:39:23 [16842] Image is single non-interlaced... 2007-01-23 01:39:24 [16842] Calculating image hash for: /tmp/.spamassassin168423O9h2Ttmp/submersible.gif.pnm 2007-01-23 01:39:24 [16842] Timed out Look at the timestamp, there was no 10 sec timeout, it was immediate. I know - that caught my attention right away. What version of module Time::HiRes do you have? Time::HiRes is up to date (1.9704) However, I suppose running a debug would have helped ;-) [456] info: FuzzyOcr: Calculating image hash for: /tmp/.spamassassin456xeuqXRtmp/CIMG0980.gif.pnm [456] dbg: FuzzyOcr: Saved pid: 490 [490] dbg: FuzzyOcr: Exec : /usr/local/netpbm/bin/ppmhist -noheader /tmp/.spamassassin456xeuqXRtmp/CIMG0980.gif.pnm [490] dbg: FuzzyOcr: Stdout: /tmp/.spamassassin456xeuqXRtmp/ppmhist.info [490] dbg: FuzzyOcr: Stderr: /dev/null [456] dbg: FuzzyOcr: Elapsed [490]: 0.162664 sec. (/usr/local/netpbm/bin/ppmhist: exit 127) [456] error: FuzzyOcr: Timed out [456] info: FuzzyOcr: Error calculating the image hash, skipping hash check... [456] info: FuzzyOcr: Empty Hash, skipping... [456] dbg: FuzzyOcr: Remove DIR: /tmp/.spamassassin456xeuqXRtmp [456] dbg: FuzzyOcr: FuzzyOcr ending successfully... [456] dbg: FuzzyOcr: Processed in 1.138189 sec. ppmhist couldn't find libnetpbm.so.10 so I added the path and it's working now. 
Results from parsing one of the sample emails:
1.5 FUZZY_OCR_WRONG_CTYPE BODY: Mail contains an image with wrong content-type set
    Image has format GIF but content-type is image/jpeg
1.5 FUZZY_OCR_WRONG_EXTENSION BODY: Mail contains an image with wrong file extension
    Image has format GIF but file extension is jpeg
2.5 FUZZY_OCR_CORRUPT_IMG BODY: Mail contains a corrupted image
    Corrupt image: GIF-LIB error: Image is defective, decoding aborted.
15 FUZZY_OCR_KNOWN_HASH BODY: Mail contains an image with known hash
    Words found:
    company in 1 lines
    recommendation in 1 lines
    target in 1 lines
    price in 2 lines
    service in 1 lines
    stock in 2 lines
    (12 word occurrences found)
And I got a hit on an email a few minutes ago as well.
Ed Kasky
~ Randomly Generated Quote (56 of 526): Every people has a right to choose the sovereignty under which they shall live. --Woodrow Wilson
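In the debug output above, the helper ends with exit 127 a fraction of a second before the plugin logs "Timed out"; 127 is the status a shell or the dynamic loader returns when a program or one of its shared libraries cannot be found. The following is an added example, not part of the original messages or of FuzzyOcr, that pulls such failed helpers out of a debug log. The function names are hypothetical and the sample lines (including the `giftopnm` exit 0 line) are constructed.

```shell
#!/bin/sh
# Added example: triage FuzzyOcr debug output for helper programs that failed
# to start, which the plugin log reports only as "Timed out".

# Reads `spamassassin -D` style output on stdin and prints
# "<helper> <exit-status> <meaning>" for every helper that exited non-zero.
fuzzyocr_helper_failures() {
    sed -n 's/^.*FuzzyOcr: Elapsed \[[0-9]*]: [0-9.]* sec\. (\(.*\): exit \([0-9][0-9]*\)).*$/\1 \2/p' |
    while read -r helper status; do
        case "$status" in
            0)   continue ;;
            126) meaning="found-but-not-executable" ;;
            127) meaning="not-found-or-missing-shared-library" ;;
            *)   meaning="helper-error" ;;
        esac
        printf '%s %s %s\n' "$helper" "$status" "$meaning"
    done
}

# List the shared libraries a helper binary cannot resolve (the cause that
# was fixed in the thread). Only run ldd on binaries you trust.
missing_libs() {
    ldd "$1" 2>/dev/null | awk '/not found/ { print $1 }'
}

# Constructed sample, modelled on the debug lines quoted in the message.
sample_log() {
    cat <<'EOF'
[456] info: FuzzyOcr: Calculating image hash for: /tmp/example/CIMG0980.gif.pnm
[456] dbg: FuzzyOcr: Elapsed [490]: 0.162664 sec. (/usr/local/netpbm/bin/ppmhist: exit 127)
[456] error: FuzzyOcr: Timed out
[456] dbg: FuzzyOcr: Elapsed [491]: 0.301200 sec. (/usr/local/netpbm/bin/giftopnm: exit 0)
EOF
}

sample_log | fuzzyocr_helper_failures
```

For each helper reported with status 127, `missing_libs /path/to/helper` names the libraries whose directory still has to be added to the loader path.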
Re: Pipe errors attempting to run SA
On Tue, Jan 23, 2007 at 02:10:22PM -0800, Tom wrote:
Now when I check my email the new messages are now in the postfix mail queue. When I check the /var/log/maillog I find the error listed below:
Eserver pipe[3691]: fatal: pipe_command: execvp /usr/local/bin/spamfilter: Permission denied
Since it's a postfix error, I'd ask the postfix people. My random guess is that spamfilter isn't executable.
-- Randomly Selected Tagline: 1960 + (RND * 40) = THE Year of UNIX
Spamassassin Integrating first step problems
Hi there, followed the steps laid out on the wiki.apache.org/spamassassin/IntegratingSA First Step page, followed the link http://onetforum.com/fourm/viewtopic.php?p=27
Now when I check my email the new messages are now in the postfix mail queue. When I check the /var/log/maillog I find the error listed below:
Eserver pipe[3691]: fatal: pipe_command: execvp /usr/local/bin/spamfilter: Permission denied
/usr/local/bin/spamfilter is a script that calls spamc This
spamdoptions ???
Apologies for not finding it in my searching yet... I think it is my sometimers kickin' in... ;- I am looking for info on the granularity knob control for number of extra spamd daemons on startup. ...AND if one has enough processors and ram memory, how to know how many extra to have available to speed up scanning and such under load. On Redhat or CentOS machines would that be under SPAMDOPTIONS ? - rh -- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
Re: whitelist_from_rcvd
Robert Fitzpatrick wrote:
I have the following in my local.cf file, but some messages get blocked still, see my log entries below. I use amavisd-new and it seems those in the log that show localhost as the client pass through and those directly from the blackberry get blocked. Not sure why all would not be coming from the amavisd localhost, can someone tell me what is going on? Perhaps my whitelist_from_rcvd line is wrong? I want anything coming from a user at culin.com using their blackberry to bypass filtering.
whitelist_from_rcvd [EMAIL PROTECTED] blackberry.com
Passed message: snip useless mail logs
My guess is one of the following two has occurred, in order of likelihood:
1) that SA doesn't have the right trusted_networks. (if your MX server has a private IP (ie: static NAT) you *MUST* declare trusted_networks manually. The auto-guesser won't handle this scenario properly)
2) SA can't parse your received headers. You can test this by running one of the messages through spamassassin -D. If you need help, post the debug info here.
Re: Spamassassin Integrating first step problems
Tom wrote:
Hi there, followed the steps laid out on the wiki.apache.org/spamassassin/IntegratingSA First Step page, followed the link http://onetforum.com/fourm/viewtopic.php?p=27
Now when I check my email the new messages are now in the postfix mail queue. When I check the /var/log/maillog I find the error listed below:
Eserver pipe[3691]: fatal: pipe_command: execvp /usr/local/bin/spamfilter: Permission denied
/usr/local/bin/spamfilter is a script that calls spamc
Well, my first guess would be that you need to change the ownership and/or permissions on /usr/local/bin/spamfilter to allow the calling program to run it.
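One way to narrow down the "Permission denied" from execvp discussed in this thread, as an added example that is not part of the original messages: the function walks the path and reports the first thing that stops the calling account from running the filter. It assumes the target is a script, as described in the thread, and must be run as the account the pipe transport uses; `exec_blocker` and `demo` are hypothetical names and the stand-in script is constructed.

```shell
#!/bin/sh
# Added example: find what makes execvp() of a filter script fail with
# "Permission denied". Run as the account that executes the filter.

exec_blocker() {
    target=$1
    # Every directory above the file needs search (x) permission.
    probe=$(dirname "$target")
    while :; do
        [ -x "$probe" ] || { echo "cannot-traverse:$probe"; return 1; }
        case "$probe" in /|.) break ;; esac
        probe=$(dirname "$probe")
    done
    [ -f "$target" ] || { echo "not-a-regular-file:$target"; return 1; }
    [ -x "$target" ] || { echo "no-execute-bit:$target"; return 1; }
    # A "#!" script is opened by its interpreter, so it needs read permission
    # as well, and the interpreter itself must be executable.
    [ -r "$target" ] || { echo "not-readable:$target"; return 1; }
    if [ "$(dd if="$target" bs=2 count=1 2>/dev/null)" = '#!' ]; then
        interp=$(sed -n '1s/^#![[:space:]]*\([^[:space:]]*\).*$/\1/p' "$target")
        [ -x "$interp" ] || { echo "interpreter-unusable:$interp"; return 1; }
    fi
    echo "ok:$target"
}

# Constructed stand-in for /usr/local/bin/spamfilter: first installed without
# the execute bit (mode 644), then corrected to 755.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\nexit 0\n' > "$tmp/spamfilter"
    chmod 644 "$tmp/spamfilter"
    before=$(exec_blocker "$tmp/spamfilter") || true
    chmod 755 "$tmp/spamfilter"
    after=$(exec_blocker "$tmp/spamfilter") || true
    rm -rf "$tmp"
    echo "${before%%:*} ${after%%:*}"
}

demo
```

Mode 755 keeps the script writable only by its owner; a filter that every message passes through should not be group- or world-writable.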
sa-learn --sync importance ???
Can anyone comment on the true importance of this command and option below?
sa-learn --sync
My simple research is telling me that if you don't do this at some regular interval, your training isn't fully put into action when journaling starts. I haven't found much mention of it on the www yet; I am still checking.
I was tipped off by reading this doc - url and by doing a frequent ls -axl in the /home/spamd/.spamassassin directory on one of our servers
http://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html
and by noticing that traffic on my server was generating what to my noviceness at this is journaling??? Am I correct?
Those in the know, please do enlighten us all :-)
- rh
-- Robert - Abba Communications Computer Internet Services (509) 624-7159 - www.abbacomm.net
Re: sa-learn --sync importance ???
On Tue, Jan 23, 2007 at 05:16:00PM -0800, R Lists06 wrote:
sa-learn --sync
Puts the journal information into the DB.
my simple research is telling me that if you don't do this at some regular interval, that your training isn't fully put into action when journaling starts.
I didn't quite parse that. But man sa-learn, it has many an informational statement about how it all works. In short, by default, it stores token timestamp updates. Whenever the journal goes over a certain size, SA will automatically sync it for you.
-- Randomly Selected Tagline: I'm looking for a Linux equivalent to PC Magazine. - Brian Dudek Unfortunately, this isn't available. Linux-centric magazines tend to actually contain useful information. - Chris Saunderson
Re: sa-learn --sync importance ???
R Lists06 wrote:
Can anyone comment on the true importance of this command and option below?
sa-learn --sync
Only when upgrading is this option *truly* important.
my simple research is telling me that if you don't do this at some regular interval, that your training isn't fully put into action when journaling starts.
SA, when it performs an opportunistic expiry check, will sync the journal first. Also, unless you've enabled the bayes_learn_to_journal option (off by default), the journal only contains atime updates, so this won't really matter much.
Re: whitelist_from_rcvd
Matt Kettler wrote:
Robert Fitzpatrick wrote:
I have the following in my local.cf file, but some messages get blocked still, see my log entries below. I use amavisd-new and it seems those in the log that show localhost as the client pass through and those directly from the blackberry get blocked. Not sure why all would not be coming from the amavisd localhost, can someone tell me what is going on? Perhaps my whitelist_from_rcvd line is wrong? I want anything coming from a user at culin.com using their blackberry to bypass filtering.
whitelist_from_rcvd [EMAIL PROTECTED] blackberry.com
Passed message: snip useless mail logs
My guess is one of the following two has occurred, in order of likelihood:
1) that SA doesn't have the right trusted_networks. (if your MX server has a private IP (ie: static NAT) you *MUST* declare trusted_networks manually. The auto-guesser won't handle this scenario properly)
2) SA can't parse your received headers. You can test this by running one of the messages through spamassassin -D. If you need help, post the debug info here
Thanks, I am running static NAT, but with public IP addresses. The MX server does not have a private IP, it has a public IP address using NAT policies for outbound traffic in the firewall for proper rDNS. The configuration of the SonicWall firewall allows us to use multiple public subnets behind one WAN port. The only message I have to run through SA is a blocked one, sorry, but how do I capture the debug output to file for posting here?
I tried the following and got a copy of the file:
I did see some things referencing headers in the debug:
[38446] dbg: rules: running header regexp tests; score so far=0
[38446] dbg: rules: ran header rule __HAS_MSGID == got hit:
[38446] dbg: rules: ran header rule __SANE_MSGID == got hit: [EMAIL PROTECTED]
[38446] dbg: rules:
[38446] dbg: rules: ran header rule __CT == got hit: m
[38446] dbg: rules: ran header rule __TOCC_EXISTS == got hit:
[38446] dbg: rules: ran header rule __HAS_SUBJECT == got hit: F
[38446] dbg: rules: ran header rule __MSGID_OK_HEX == got hit: 96205411
[38446] dbg: rules: ran header rule __BOUNCE_RP1 == got hit:
[38446] dbg: rules: ran header rule __SARE_WHITELIST_FLAG == got hit:
[38446] dbg: rules: ran header rule __HAS_RCVD == got hit: f
[38446] dbg: rules: ran header rule __FROM_ENCODED_B64 == got hit: =?UTF-8?B?
[38446] dbg: rules: ran header rule __CTYPE_HAS_BOUNDARY == got hit: boundary
[38446] dbg: rules: ran header rule __MIME_VERSION == got hit: 1
[38446] dbg: rules: ran header rule __RATWARE_0_TZ_DATE == got hit: +
[38446] dbg: rules: ran header rule __MSGID_OK_DIGITS == got hit: 2049971341
Thanks, Robert
Perl Help With FuzzyOCR Needed
I'm trying to set up FuzzyOCR as a plug-in to SpamAssassin. Wrote to the author several days ago but have not received a response. The errors I'm seeing appear to be perl issues or OS issues, not specifically related to the application. Here is the error message I see:
plugin: failed to parse plugin /etc/mail/spamassassin/FuzzyOcr.pm: Can't locate FuzzyOcr/Logging.pm in @INC (@INC contains: /etc/mail/spamassassin /usr/lib/perl5/site_perl/5.8.8/i486-linux /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/5.8.8/i486-linux /usr/lib/perl5/5.8.8 /usr/lib/perl5/site_perl) at /etc/mail/spamassassin/FuzzyOcr.pm line 24.
BEGIN failed--compilation aborted at /etc/mail/spamassassin/FuzzyOcr.pm line 24.
plugin: failed to create instance of plugin FuzzyOcr: Can't locate object method new via package FuzzyOcr at (eval 30) line 1.
I changed the perms on FuzzyOcr.pm and Logging.pm to 755. I don't understand why perl failed to parse the plugin /etc/mail/spamassassin/FuzzyOcr.pm since a copy of that module is in that directory. Further, FuzzyOcr/Logging.pm is also in /etc/mail/spamassassin. The error at line 24 is:
use FuzzyOcr::Logging qw(debuglog errorlog warnlog infolog);
Since I don't know perl, I'm lost here.
Rich
-- Richard B. Shepard, Ph.D. | The Environmental Permitting
Applied Ecosystem Services, Inc. | Accelerator(TM)
http://www.appl-ecosys.com Voice: 503-667-4517 Fax: 503-667-8863
RE: Perl Help With FuzzyOCR Needed
I'm trying to set up FuzzyOCR as a plug-in to SpamAssassin. Wrote to the author several days ago but have not received a response. The errors I'm seeing appear to be perl issues or OS issues, not specifically related to the application. Here is the error message I see:
plugin: failed to parse plugin /etc/mail/spamassassin/FuzzyOcr.pm: Can't locate FuzzyOcr/Logging.pm in @INC (@INC contains: /etc/mail/spamassassin /usr/lib/perl5/site_perl/5.8.8/i486-linux /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/5.8.8/i486-linux /usr/lib/perl5/5.8.8 /usr/lib/perl5/site_perl) at /etc/mail/spamassassin/FuzzyOcr.pm line 24.
BEGIN failed--compilation aborted at /etc/mail/spamassassin/FuzzyOcr.pm line 24.
plugin: failed to create instance of plugin FuzzyOcr: Can't locate object method new via package FuzzyOcr at (eval 30) line 1.
I changed the perms on FuzzyOcr.pm and Logging.pm to 755. I don't understand why perl failed to parse the plugin /etc/mail/spamassassin/FuzzyOcr.pm since a copy of that module is in that directory. Further, FuzzyOcr/Logging.pm is also in /etc/mail/spamassassin. The error at line 24 is:
use FuzzyOcr::Logging qw(debuglog errorlog warnlog infolog);
Since I don't know perl, I'm lost here.
Rich
Are you using SpamAssassin version 3.1.4 or newer? If not, you need to. What version of FuzzyOcr? Are you trying to load the plugin from more than one place - in other words if you are trying to load it via an entry in v310.pre, comment that out and instead use the supplied loadplugin entry in FuzzyOcr.cf.
Gary V
Re: Perl Help With FuzzyOCR Needed
Rich Shepard wrote:
I'm trying to set up FuzzyOCR as a plug-in to SpamAssassin. Wrote to the author several days ago but have not received a response.
There's a user list, subscribers only: http://lists.own-hero.net/mailman/listinfo/devel-spam
The errors I'm seeing appear to be perl issues or OS issues, not specifically related to the application. Here is the error message I see:
plugin: failed to parse plugin /etc/mail/spamassassin/FuzzyOcr.pm: Can't locate FuzzyOcr/Logging.pm in @INC (@INC contains: /etc/mail/spamassassin [snip]
This is obviously with FuzzyOcr-3.5.1, did you install it correctly? Seems that you did not copy directory scuzzy which has 8 perl modules, Logging.pm is one of them.
-- René Berber
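The "Can't locate FuzzyOcr/Logging.pm in @INC" message in this thread follows from how Perl resolves `use FuzzyOcr::Logging`: each `::` becomes a directory separator, `.pm` is appended, and that relative path is tried under every @INC entry. The following added example (not from the original messages or from FuzzyOcr) emulates the lookup in shell and compares two constructed layouts; the function names and directory names are hypothetical, and the "flat" layout is only an assumption about one way the install could go wrong.

```shell
#!/bin/sh
# Added example: emulate how Perl turns `use FuzzyOcr::Logging` into a file
# lookup under each @INC directory.

# Usage: locate_perl_module Module::Name dir1 [dir2 ...]
# Prints the first matching file and returns 0; otherwise prints every path
# that was tried and returns 1.
locate_perl_module() {
    rel=$(printf '%s' "$1" | sed 's|::|/|g').pm
    shift
    for inc in "$@"; do
        if [ -f "$inc/$rel" ]; then
            echo "$inc/$rel"
            return 0
        fi
    done
    for inc in "$@"; do
        echo "tried:$inc/$rel"
    done
    return 1
}

# Constructed layouts: "flat" has Logging.pm beside the plugin, "nested" has
# it inside a FuzzyOcr/ subdirectory of the include directory.
demo_layouts() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/flat" "$root/nested/FuzzyOcr"
    : > "$root/flat/FuzzyOcr.pm"
    : > "$root/flat/Logging.pm"
    : > "$root/nested/FuzzyOcr.pm"
    : > "$root/nested/FuzzyOcr/Logging.pm"
    flat=missing
    nested=missing
    locate_perl_module FuzzyOcr::Logging "$root/flat" >/dev/null && flat=found
    locate_perl_module FuzzyOcr::Logging "$root/nested" >/dev/null && nested=found
    rm -rf "$root"
    echo "flat=$flat nested=$nested"
}

demo_layouts
```

Only the nested layout satisfies the lookup, so a `Logging.pm` sitting directly in the include directory does not help, whatever its permissions.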
what are the rules directories
I have been using SA for more than 3 years now and I have a dumb question. I am using SA 3.1.5 on CentOS. AFAIK, by default SpamAssassin reads from /usr/share/spamassassin and /etc/mail/spamassassin. But if I have /var/lib/spamassassin with some files in it, SA is apparently ignoring /usr/share/spamassassin/*.cf. Is this so by design or have I misconfigured something?
Thanks, Ram