Re: complete false hits for BASE64 and LW_STOCK_SPAM4
Jo Rhett wrote:
> As for LW_STOCK_SPAM4, it's being triggered by the fact that the message
> In the standard config? No.. It's not a FP in the standard config, so there's no reason to modify it.
> Can you explain how this isn't an FP in the standard config? There's absolutely nothing custom about my config, so what standard are you applying here?
> Again, I have a 100% stock SA configuration. Why do I need a custom rule to work around an FP in the ruleset?

No you don't. I wrote that rule. That's why it starts with my initials. I didn't submit it to SA, and while I think it exists in SARE rules, it almost undoubtedly has a SARE_ prefix in that rule set. So no, you DO NOT have a standard config, no matter what you may think.

Now, that said, the forwarded Blackberry message you posted would not have hit the rule in the first place, unless someone took my original rule and modified it. So you not only don't have a standard config, you have apparently locally-modified versions of rules you have picked up elsewhere. And it is that locally-modified rule that is hitting on your Blackberry messages.

Loren
Re: Re: Drug Spam
On Thursday 08 February 2007 15:21, Ben Wylie wrote:
> As I understand it, these undefined dependencies are errors where a meta rule has been written to depend on another rule, which does not exist. These don't have catastrophic consequences, it just means that rule may not be effective.

Google suggests these rules were once in the FVGT ruleset; this is what the FM_ ones looked like:

meta FM_NO_TO (!__MY_TO)
describe FM_NO_TO Message is missing To
score FM_NO_TO 0.001

meta FM_NO_FROM_OR_TO (!__MY_FROM && !__MY_TO)
describe FM_NO_FROM_OR_TO Message is missing From and To
score FM_NO_FROM_OR_TO 0.001

I don't have a copy of __URIBL_ANY anywhere but I don't think it's necessary, since KAM's rules that use it also name each individual URIBL as well.

Nick
Re: complete false hits for BASE64 and LW_STOCK_SPAM4
On Friday 09 February 2007 09:00, Loren Wilton wrote:
> Jo Rhett wrote:
> > As for LW_STOCK_SPAM4, it's being triggered by the fact that the message
> No you don't. I wrote that rule. That's why it starts with my initials. I didn't submit it to SA, and while I think it exists in SARE rules, it almost undoubtedly has a SARE_ prefix in that rule set.

It's in 70_sare_stocks under the plain LW_ name.

Nick
Re: complete false hits for BASE64 and LW_STOCK_SPAM4
Jo Rhett wrote:
> Again, I have a 100% stock SA configuration.

No you don't have a 100% stock config. There are at least two differences relevant to the message you posted:

1) you have the SARE STOCKS ruleset. LW_STOCK_SPAM4 is NOT a stock spamassassin rule. It's part of an add-on ruleset, not a stock SA feature.

2) you have a lower threshold. In a stock configuration, this message would have scored 2.574, and been substantially less than 5.0.

This is NOT a FP in the stock SA configuration.

> Why do I need a custom rule to work around an FP in the ruleset?

See above.
Re: complete false hits for BASE64 and LW_STOCK_SPAM4
Loren Wilton wrote:
> Now, that said, the forwarded Blackberry message you posted would not have hit the rule in the first place, unless someone took my original rule and modified it. So you not only don't have a standard config, you have apparently locally-modified versions of rules you have picked up elsewhere. And it is that locally-modified rule that is hitting on your Blackberry messages.

Wow.. you're right Loren, LW_STOCK_SPAM4 should not have hit. I just assumed the __RATWARE_0_TZ_DATE half was picking up on the lack of a valid timezone. It's looking for the timezone to literally be +, which it is not. I overlooked that entirely.

Jo, can you check your copy of this rule? The relevant bits should be:

header __RATWARE_0_TZ_DATE Date =~ /\s\+$/
meta LW_STOCK_SPAM4 (__RATWARE_0_TZ_DATE && MIME_BASE64_TEXT)
score LW_STOCK_SPAM4 1.66
describe LW_STOCK_SPAM4 Yup, its a spam!
Re: complete false hits for BASE64 and LW_STOCK_SPAM4
* Loren Wilton wrote (08/02/07 19:46):
> > As for LW_STOCK_SPAM4, it's being triggered by the fact that the message is base-64 encoded text AND has a Date: header that's missing a proper timezone. Apparently a batch of stock spam went out at some point with both of these abnormal features. I have to admit, it's a pretty rare combination.
> > Date: February 6, 2007 9:52:29 AM PST
> > That should, properly, read something like this:
> > Date: Wed, 06 Feb 2007 09:52:29 -0800
>
> Actually LW_STOCK_SPAM4 was written on 02/19/2006, and is looking for a Base64 encoded message that has a valid timezone that is specifically \s\+, not an invalid time zone. Internally I have it scored at 5 points and haven't had a problem with it, but people don't send me messages from Blackberrys.
>
> I suppose a blackberry might not have a clock so send all messages as though they came from London regardless of where they are. That would somewhat surprise me, since cell phones certainly know where they are and what time it is. But if Verizon is involved then it is certainly possible that the software has been deliberately crippled in a number of ways, and creating a proper date header might be one of those deliberate malfunctions.

Just to confirm that this unmodified rule does hit some legit blackberry e-mail, here's an example (apologies for the obfuscation, but I've only messed with addresses. It's not my e-mail):

Return-path: someone's address
Envelope-to: my wife
Delivery-date: Wed, 07 Feb 2007 17:21:42 +
Received: from smtp02.bis.eu.blackberry.com ([216.9.253.49]) by mail.barcombe.net with esmtp (Exim 4.63) (envelope-from the sender) id 1HEqUG-0008Ku-IV for my wife's address; Wed, 07 Feb 2007 17:21:41 +
Message-ID: [EMAIL PROTECTED]
Content-Transfer-Encoding: base64
Reply-To: the sender
References: [EMAIL PROTECTED]
In-Reply-To: [EMAIL PROTECTED]
Sensitivity: Normal
Importance: Normal
To: My Wife Her address
Subject: Re: 25th august
From: the sender
Date: Wed, 7 Feb 2007 17:22:58 +
Content-Type: text/plain; charset=Windows-1252
MIME-Version: 1.0
X-AntiVirus: Clean
X-Spam-Score: 2.1
X-Spam-Level: ++
X-Spam-Report: Barcombe.net spam report: Score = 2.1. Tests=BAYES_00=-2.599,LW_STOCK_SPAM4=1.66,MIME_BASE64_NO_NAME=0.224,MIME_BASE64_TEXT=1.885,NO_REAL_NAME=0.961

A bit of grepping suggests that LW_STOCK_SPAM4 has hit 5 ham and 3 spam (all scoring 20+) on that server since about November. So its usefulness is perhaps questionable. Normal disclaimer applies: this is only one low-traffic server. I live in the UK which might make the + timezone more likely.

[Also see the thread Blackberry email]

Chris (whose mail from blackberries has all been received OK)
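To make the rule as quoted in this thread concrete, here is an added Python re-implementation (not code from the thread or from SpamAssassin) of the __RATWARE_0_TZ_DATE header rule and the LW_STOCK_SPAM4 meta, run against constructed headers modelled on the Blackberry mail above and on Jo Rhett's forwarded message; it also evaluates the FM_ metas from the Drug Spam reply and shows how a meta with an undefined dependency merely degrades. The __MY_TO/__MY_FROM subrules and the MIME_BASE64_TEXT check are simplified stand-ins, DEMO_UNDEFINED_DEP and NO_SUCH_RULE are constructed names, and Python's `re` handles these particular Perl patterns identically.

```python
import re

# Added example, not code from the thread or from SpamAssassin.  Re-implements
# just enough rule evaluation to show why the quoted Blackberry mail hits
# LW_STOCK_SPAM4, why Jo Rhett's forwarded mail does not, and how a meta rule
# with an undefined dependency merely degrades.

# Header rules quoted in the thread.  __MY_TO / __MY_FROM are hypothetical
# stand-ins for the FVGT subrules (not on the page): they hit if the header exists.
HEADER_RULES = {
    "__RATWARE_0_TZ_DATE": ("Date", r"\s\+$"),  # a literal "+" as the timezone
    "__MY_TO": ("To", r"."),
    "__MY_FROM": ("From", r"."),
}
# Meta rules quoted in the thread, plus one constructed meta whose dependency
# is defined nowhere, mirroring the "undefined dependency" warnings.
META_RULES = {
    "LW_STOCK_SPAM4": "(__RATWARE_0_TZ_DATE && MIME_BASE64_TEXT)",
    "FM_NO_TO": "(!__MY_TO)",
    "FM_NO_FROM_OR_TO": "(!__MY_FROM && !__MY_TO)",
    "DEMO_UNDEFINED_DEP": "(__RATWARE_0_TZ_DATE && NO_SUCH_RULE)",
}
DEFINED = set(HEADER_RULES) | set(META_RULES) | {"MIME_BASE64_TEXT"}
_TOKEN = re.compile(r"\s*(&&|\|\||!|\(|\)|[A-Za-z_][A-Za-z0-9_]*)")


def meta_tokens(expr):
    """Split a meta expression into operators, parentheses and rule names."""
    tokens, pos, expr = [], 0, expr.rstrip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad meta expression at offset {pos}: {expr!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def undefined_deps(expr, defined=DEFINED):
    """Rule names a meta uses that no rule defines (what SA warns about)."""
    names = {t for t in meta_tokens(expr) if t[0].isalpha() or t[0] == "_"}
    return sorted(names - defined)


def eval_meta(expr, hits):
    """Evaluate a meta: a rule that hit is 1; one that did not hit, or that is
    not defined at all, is 0.  An undefined dependency therefore weakens the
    meta instead of breaking rule evaluation."""
    py = []
    for tok in meta_tokens(expr):
        if tok == "&&":
            py.append(" and ")
        elif tok == "||":
            py.append(" or ")
        elif tok == "!":
            py.append(" not ")
        elif tok in "()":
            py.append(tok)
        else:
            py.append("1" if tok in hits else "0")
    # Only 0, 1, parentheses and boolean keywords can reach eval() here.
    return bool(eval("".join(py), {"__builtins__": {}}, {}))


def base64_text_part(headers):
    """Simplified stand-in for SA's MIME_BASE64_TEXT eval rule (single-part
    message whose text/* body is transferred as base64)."""
    return (headers.get("Content-Type", "").lower().startswith("text/")
            and headers.get("Content-Transfer-Encoding", "").lower() == "base64")


def evaluate(headers):
    """Return the set of rule names that hit for a {header: value} dict."""
    hits = set()
    for name, (hdr, pattern) in HEADER_RULES.items():
        if re.search(pattern, headers.get(hdr, "")):
            hits.add(name)
    if base64_text_part(headers):
        hits.add("MIME_BASE64_TEXT")
    for name, expr in META_RULES.items():  # metas last; none depends on a meta
        if eval_meta(expr, hits):
            hits.add(name)
    return hits


def report_total(tests):
    """Sum the Tests=... list of an X-Spam-Report header."""
    return sum(float(t.split("=")[1]) for t in tests.split(","))


# Constructed headers modelled on the thread's messages (placeholder addresses).
BLACKBERRY = {  # the Blackberry mail above: its Date: really ends in " +"
    "From": "sender@example.net", "To": "recipient@example.org",
    "Date": "Wed, 7 Feb 2007 17:22:58 +",
    "Content-Type": "text/plain; charset=Windows-1252",
    "Content-Transfer-Encoding": "base64",
}
JO_RHETT = dict(BLACKBERRY, Date="February 6, 2007 9:52:29 AM PST")  # no "+"
PROPER = dict(BLACKBERRY, Date="Wed, 06 Feb 2007 09:52:29 -0800")
NO_TO_HEADER = {k: v for k, v in PROPER.items() if k != "To"}
# Tests= list from the quoted X-Spam-Report: 2.131 in total, below the 5.0 threshold.
REPORT_TESTS = ("BAYES_00=-2.599,LW_STOCK_SPAM4=1.66,MIME_BASE64_NO_NAME=0.224,"
                "MIME_BASE64_TEXT=1.885,NO_REAL_NAME=0.961")
```

Running `evaluate(BLACKBERRY)` yields LW_STOCK_SPAM4 while `evaluate(JO_RHETT)` yields only MIME_BASE64_TEXT, and `report_total(REPORT_TESTS)` stays well under 5.0, which is sm's point below about the rule being harmless at its default score.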
RE: Spam filtering on SA list?
John D. Hardin wrote:
> WTF, over?
>
> On Thu, 8 Feb 2007, Mail Delivery Subsystem wrote:
> > Date: Thu, 8 Feb 2007 12:55:22 -0800
> > From: Mail Delivery Subsystem [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Returned mail: see transcript for details
> >
> > The original message was received at Thu, 8 Feb 2007 12:54:58 -0800 from localhost [127.0.0.1]
> >
> > ----- The following addresses had permanent fatal errors -----
> > users@spamassassin.apache.org
> > (reason: 552 spam score (10.0) exceeded threshold)
> >
> > ----- Transcript of session follows -----
> > ... while talking to herse.apache.org.:
> > DATA
> > 552 spam score (10.0) exceeded threshold
> > 554 5.0.0 Service unavailable
>
> The message was in reply to Ramprasad's Nuisance stock spams email.

This has been discussed a few times. The short version is that this list is hosted by apache.org. They spam scan posts to their mailing lists and they aren't interested in making changes to accommodate a single list.

The net result is that if you want to include a spam sample, you need to put it on a web server and link to it. If you want to refer to a spammy url, alter it so the url blacklists don't catch it.

--
Bowie
More stock spam + strange cf files
These guys are just rolling in scot free except for bayes. See http://2chronicles36.org/stock.txt

I'm using 3.1.7 with latest sa-update + FuzzyOCR.cf KAM.cf

Oops, I just found the following in my /etc/mail/spamassassin directory, and I don't know where they came from:

tripwire.cf
random.cf
bogus-virus-warnings.cf
antidrug.cf

I'm running Gentoo, and I did emerge and unmerge SARE as a test around the time that these are dated. Are these leftovers? They don't seem to be doing any harm that I can tell, but should I delete or keep them?

Andy Figueroa
Re: More stock spam + strange cf files
Andy Figueroa wrote:
> These guys are just rolling in scot free except for bayes. See http://2chronicles36.org/stock.txt
> I'm using 3.1.7 with latest sa-update + FuzzyOCR.cf KAM.cf
>
> Oops, I just found the following in my /etc/mail/spamassassin directory, and I don't know where they came from:
> tripwire.cf
> random.cf
> bogus-virus-warnings.cf
> antidrug.cf

Probably an old version of RDJ. That said, don't use Antidrug with versions of SA newer than 2.64. (I'm the author of this ruleset, and I contributed it as a part of the standard rules for 3.0.0 and higher.)

> I'm running Gentoo, and I did emerge and unmerge SARE as a test around the time that these are dated. Are these leftovers? They don't seem to be doing any harm that I can tell, but should I delete or keep them?

For antidrug, delete it. It's got the potential to do harm by over-writing part of the standard ruleset with older versions.
RE: More stock spam + strange cf files
-----Original Message-----
From: Andy Figueroa [mailto:[EMAIL PROTECTED]
Sent: Friday, February 09, 2007 9:31 AM
To: SpamAssassin Users List
Subject: More stock spam + strange cf files

> These guys are just rolling in scot free except for bayes. See http://2chronicles36.org/stock.txt
> I'm using 3.1.7 with latest sa-update + FuzzyOCR.cf KAM.cf

I must say, that's a pretty well done spam. Whoever wrote it put some thought into the phrasing. This one might take a bit. The wording is gonna be hard to tag.

--Chris
Re[2]: More stock spam + strange cf files
On 9/02/2007 at 10:06 AM Chris Santerre wrote:
> -----Original Message-----
> From: Andy Figueroa [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 09, 2007 9:31 AM
> To: SpamAssassin Users List
> Subject: More stock spam + strange cf files
>
> > These guys are just rolling in scot free except for bayes. See http://2chronicles36.org/stock.txt
> > I'm using 3.1.7 with latest sa-update + FuzzyOCR.cf KAM.cf
>
> I must say, that's a pretty well done spam. Whoever wrote it put some thought into the phrasing. This one might take a bit. The wording is gonna be hard to tag.
>
> --Chris

Pardon my ignorance here, but it is full of mis-spellings and phrases that you wouldn't normally see, so why not just hit those?

aid you to know
C O S T
brroker
ama zing

Peter
RE: Spamassassin does block some email
> Speaking of ninjas one slipped in here and whispered in my ear that the original problem rocsca had might benefit from the anti drug rules on the SARE web site. He should read the various rule set descriptions and pick those which fit his situation best.

Fine! I agree with you!! But I can't figure out what SARE rules I have to use to block that email that SA does not block.. Moreover, could I update it with rules_du_jour?

PS: I have the following conf for rules_du_jour..
TRUSTED_RULESETS="TRIPWIRE RANDOMVAL BOGUSVIRUS";

BR,
rocsca
Re: complete false hits for BASE64 and LW_STOCK_SPAM4
At 01:00 09-02-2007, Loren Wilton wrote:
> Now, that said, the forwarded Blackberry message you posted would not have hit the rule in the first place, unless someone took my original rule and modified it. So you not only don't have a standard config, you have apparently locally-modified versions of rules you have picked up elsewhere. And it is that locally-modified rule that is hitting on your Blackberry messages.

Blackberry messages will hit the LW_STOCK_SPAM4 rule. There is nothing wrong with the LW_STOCK_SPAM4 rule as such. The overall score in a standard configuration with that rule added averages around two points. It shouldn't cause any false positives as the score is low.

Regards,
-sm
RE: Spamassassin does block some email
> Speaking of ninjas one slipped in here and whispered in my ear that the original problem rocsca had might benefit from the anti drug rules on the SARE web site. He should read the various rule set descriptions and pick those which fit his situation best.

Fine! I agree with you!! But I can't figure out what SARE rules I have to use to block that email that SA does not block.. Moreover, could I update it with rules_du_jour?

PS: I have the following conf for rules_du_jour..
TRUSTED_RULESETS="TRIPWIRE RANDOMVAL BOGUSVIRUS";

Maybe I have to use the 70_sare_obfu*.cf ruleset files? It seems to me that my SA configuration doesn't load them.. In fact, the only .cf files I have, other than those in the SA dir (/etc/mail/spamassassin), are:

path_to_SA/10_misc.cf
path_to_SA/20_advance_fee.cf
path_to_SA/20_anti_ratware.cf
path_to_SA/20_body_tests.cf
path_to_SA/20_compensate.cf
path_to_SA/20_dnsbl_tests.cf
path_to_SA/20_drugs.cf
path_to_SA/20_fake_helo_tests.cf
path_to_SA/20_head_tests.cf
path_to_SA/20_html_tests.cf
path_to_SA/20_meta_tests.cf
path_to_SA/20_net_tests.cf
path_to_SA/20_phrases.cf
path_to_SA/20_porn.cf
path_to_SA/20_ratware.cf
path_to_SA/20_uri_tests.cf
path_to_SA/23_bayes.cf
path_to_SA/25_accessdb.cf
path_to_SA/25_antivirus.cf
path_to_SA/25_body_tests_es.cf
path_to_SA/25_body_tests_pl.cf
path_to_SA/25_dcc.cf
path_to_SA/25_dkim.cf
path_to_SA/25_domainkeys.cf
path_to_SA/25_hashcash.cf
path_to_SA/25_pyzor.cf
path_to_SA/25_razor2.cf
path_to_SA/25_replace.cf
path_to_SA/25_spf.cf
path_to_SA/25_textcat.cf
path_to_SA/25_uribl.cf

PS: What other cf files are worth using without overloading the server?

BR,
rocsca
RE: Spam filtering on SA list?
On Fri, 9 Feb 2007, Bowie Bailey wrote:
> This has been discussed a few times. The short version is that this list is hosted by apache.org. They spam scan posts to their mailing lists and they aren't interested in making changes to accommodate a single list.

Fair enough.

> The net result is that if you want to include a spam sample, you need to put it on a web server and link to it. If you want to refer to a spammy url, alter it so the url blacklists don't catch it.

That's what puzzles me - there was no spam sample, just regular discussion.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The difference is that Unix has had thirty years of technical types demanding basic functionality of it. And the Macintosh has had fifteen years of interface fascist users shaping its progress. Windows has the hairpin turns of the Microsoft marketing machine and that's all. -- Red Drag Diva
---
3 days until Abraham Lincoln's and Charles Darwin's 198th Birthdays
RE: Spam filtering on SA list?
John D. Hardin wrote:
> On Fri, 9 Feb 2007, Bowie Bailey wrote:
> > This has been discussed a few times. The short version is that this list is hosted by apache.org. They spam scan posts to their mailing lists and they aren't interested in making changes to accommodate a single list.
>
> Fair enough.
>
> > The net result is that if you want to include a spam sample, you need to put it on a web server and link to it. If you want to refer to a spammy url, alter it so the url blacklists don't catch it.
>
> That's what puzzles me - there was no spam sample, just regular discussion.

If their rejection didn't specify hits, you can always take your message, run it through SA and see what it hits. Alternately, send it directly to me and I'll let you know what it hits on my system.

--
Bowie
RE: Re[2]: More stock spam + strange cf files
> > > These guys are just rolling in scot free except for bayes. See http://2chronicles36.org/stock.txt
> > > I'm using 3.1.7 with latest sa-update + FuzzyOCR.cf KAM.cf
> >
> > I must say, that's a pretty well done spam. Whoever wrote it put some thought into the phrasing. This one might take a bit. The wording is gonna be hard to tag.
> >
> > --Chris
>
> Pardon my ignorance here, but it is full of mis-spellings and phrases that you wouldn't normally see, so why not just hit those?
>
> aid you to know
> C O S T
> brroker
> ama zing
>
> Peter

Because if people learn anything from my posts, it's that there are always new ways to horribly misspell words! ;)

Search for C O S T today, and tomorrow it's C,O,S,T. Search for /c.?o.?s.?t.?/i and you FP on CLOSET.

Tagging spam is more of an art than an exact science. Well... more of an artistic science without the pretty colors and swimsuit models... when the hell are we gonna see some antispam swimsuit models... oh that's a bit sexist... well not really... I suppose we could have male models as well... Justin is pretty sexy... did I say that out loud... maybe no one will notice.. swimsuit models.

--Chris
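Chris's trade-off between catching today's spelling and false-positiving on real words is easy to measure. The following is an added Python example (not code from the thread) that scores three candidate patterns for the obfuscated "cost" against a few constructed spam and ham lines; the two spam spellings are the ones named in the thread, the ham lines and the "separated" pattern are assumptions for illustration.

```python
import re

# Added example, not code from the thread: measures candidate obfuscation
# patterns against constructed lines to make the catch-rate / false-positive
# trade-off Chris describes concrete.

# Constructed sample lines.  The two spellings of "cost" are those named in
# the thread; the ham lines hold the ordinary words a loose pattern also hits.
SPAM_LINES = [
    "aid you to know the C O S T is low",
    "aid you to know the C,O,S,T is low",
]
HAM_LINES = [
    "Please clear out the CLOSET before Friday.",
    "The cost of shipping is included in the invoice.",
    "Costa Rica trip photos attached.",
]

CANDIDATES = {
    # Today's spelling only: no false positives, misses tomorrow's variant.
    "literal": r"C O S T",
    # The pattern Chris warns about: any character may sit between the
    # letters, so CLOSET, cost and Costa all match too.
    "loose": r"(?i)c.?o.?s.?t.?",
    # Require exactly one non-word separator between every letter plus word
    # boundaries on both sides: catches both spam spellings, spares the ham.
    "separated": r"(?i)\bc[\W_]o[\W_]s[\W_]t\b",
}


def measure(pattern, spam, ham):
    """Return (spam lines caught, ham lines falsely matched) for a pattern."""
    rx = re.compile(pattern)
    return ([s for s in spam if rx.search(s)], [h for h in ham if rx.search(h)])


def summarize(candidates=CANDIDATES, spam=SPAM_LINES, ham=HAM_LINES):
    """Map each candidate name to (#spam caught, #ham false positives)."""
    out = {}
    for name, pattern in candidates.items():
        caught, fps = measure(pattern, spam, ham)
        out[name] = (len(caught), len(fps))
    return out


if __name__ == "__main__":
    for name, (tp, fp) in summarize().items():
        print(f"{name:10} caught {tp}/{len(SPAM_LINES)} spam, {fp} false positive(s)")
```

Before shipping a pattern like this into a ruleset, run it over a real ham corpus the same way; the three constructed ham lines only show the kind of collateral hits to look for.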
Re: complete false hits for BASE64 and LW_STOCK_SPAM4
On Feb 9, 2007, at 2:41 AM, Matt Kettler wrote:
> Jo Rhett wrote:
> > Again, I have a 100% stock SA configuration.
>
> No you don't have a 100% stock config. There are at least two differences relevant to the message you posted:
> 1) you have the SARE STOCKS ruleset. LW_STOCK_SPAM4 is NOT a stock spamassassin rule. It's part of an add-on ruleset, not a stock SA feature.
>
> > Why do I need a custom rule to work around an FP in the ruleset?
>
> See above.

It's really hard not to be really annoyed with this answer. What kind of nonsense did you think my question was? If LW_STOCK_SPAM is a SARE RULE, then I am requesting a revision to the SARE rule. Why on god's green earth would you assume that I wanted a fix in the base distribution for a SARE rule?

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: complete false hits for BASE64 and LW_STOCK_SPAM4
On Fri, 2007-02-09 at 09:01 -0800, Jo Rhett wrote:
> On Feb 9, 2007, at 2:41 AM, Matt Kettler wrote:
> > Jo Rhett wrote:
> > > Again, I have a 100% stock SA configuration.
> >
> > No you don't have a 100% stock config. There are at least two differences relevant to the message you posted:
> > 1) you have the SARE STOCKS ruleset. LW_STOCK_SPAM4 is NOT a stock spamassassin rule. It's part of an add-on ruleset, not a stock SA feature.
> >
> > > Why do I need a custom rule to work around an FP in the ruleset?
> >
> > See above.
>
> It's really hard not to be really annoyed with this answer. What kind of nonsense did you think my question was? If LW_STOCK_SPAM is a SARE RULE, then I am requesting a revision to the SARE rule. Why on god's green earth would you assume that I wanted a fix in the base distribution for a SARE rule?

Not to start a flame war or anything (yeah, right) but: It's really hard not to be annoyed with your response. If you want a change to a SARE rule, go talk to the SARE people. If you want help from the SA list, please provide accurate information in your requests; it will go a long way towards getting accurate (and helpful) responses.
question about image spam
Hi List,

First time posting here. We are running SA version 3.0.6 on centos 4.4, we have a lot of image spam and I would like to know if somebody can give me an idea about how to deal with it? Any comment will be appreciated.

Regards,
--Ivan.
Re: question about image spam
At 10:09 AM 2/9/2007, Ivan Arteaga wrote:
> Hi List,
> First time posting here, we are running SA version 3.0.6 on centos 4.4, we have a lot of image spam and I would like to know if somebody can give me an idea about how to deal with it? Any comment will be appreciated.

Upgrading to 3.1.7 wouldn't be a bad idea. FuzzyOCR would be another good idea.
http://wiki.apache.org/spamassassin/FuzzyOcrPlugin

Evan
Re: question about image spam
On 02/09/07 Ivan wrote:
> Hi
> First time posting here, we are running SA version 3.0.6 on centos 4.4, we have a lot of image spam and I would like to know if somebody can give me an idea about how to deal with it?

http://www200.pair.com/mecham/spam/image_spam2.html

Here is the best help to install FuzzyOCR. FuzzyOCR recognizes animated graphics.

maciek
--
|_|0|_| Maciej Friedel [EMAIL PROTECTED]
|_|_|0| http://wwv.pl - hosting services
|0|0|0| http://eprogram.pl - website design
spamc 3.1.1 and procmail
Hi,

In our system wide .procmail I have been using /usr/bin/spamassassin. Recently the CPU usage has soared when spamassassin ran so I decided to use /usr/bin/spamc with spamd running as a daemon. Well, it didn't quite work. Here is a sample problem:

| /usr/bin/spamc -u $LOGNAME

sendmail[21908]: l19HQGne021908: from=bounce-422420-[EMAIL PROTECTED], size=18119, class=0, nrcpts=1, msgid=LYRIS-1377318-[EMAIL PROTECTED], proto=SMTP, daemon=Daemon0, relay=lists.now.org [198.65.157.134]
spamd[17291]: spamd: connection from localhost [127.0.0.1] at port 56232
spamd[17291]: spamd: setuid to xyzsom succeeded
spamd[17291]: spamd: creating default_prefs: /home/xyzsom/.spamassassin/user_prefs
spamd[17291]: mkdir /root/.spamassassin: Permission denied at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin.pm line 1469
spamd[17291]: config: cannot write to /home/xyzsom/.spamassassin/user_prefs: Permission denied

I also tried spamc with no parameters but that did not help. So what changes do I need to make? Will this adversely affect running /usr/bin/spamassassin?
Spamc not filtering all mail.
Hello,

I have this rule in my .procmailrc:

:0f
* ^[F|f]rom:.*ourdomain\.com
* ^[m|M]essage-[i|I][D|d]:.*ourdomain\.com|^Received:.*(authenticated).*\.ourdomain\.com
| formail -A "X-Spam: none"

:0fw
* < 256000
* !^X-Spam: none
* !^FROM_DAEMON
| /usr/bin/spamc

We don't want SPAMASSASSIN to check any mails coming from our own domain. So every email must be tagged with either X-Spam: none OR X-Spam-Level: / X-Spam-Status: No, ...

This seems to have been pretty good, but every once in a while we get a few emails that don't get checked for spam and don't get the tag X-Spam: none either. For example this one:

Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from node.ourdomain.com (node.ourdomain.com [OUR.PUBLIC.IP.ADDr]) by localmail.lan.aleks.com (Postfix) with ESMTP id 2CB3D60E26 for [EMAIL PROTECTED]; Fri, 9 Feb 2007 04:05:19 -0800 (PST)
Received: from sys1.hobarotua.com (66.63.190.191.oc3networks.com [66.63.190.191] (may be forged)) by node.ourdomain.aleks.com (8.11.6/8.11.6) with ESMTP id l19C5Ji11370 for [EMAIL PROTECTED]; Fri, 9 Feb 2007 04:05:19 -0800
Message-Id: [EMAIL PROTECTED]    // This message ID was forged to look like it came from our domain.
Received: by sys1.hobarotua.com id hphhnu0cq2g5 for [EMAIL PROTECTED]; Fri, 9 Feb 2007 04:05:17 -0800 (envelope-from [EMAIL PROTECTED])
from: Message in a Bottle [EMAIL PROTECTED]
to: [EMAIL PROTECTED]
subject: Personalized Message in a Bottle
date: 2/9/2007 4:05:28 AM
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=Multipart-Boundary-xxcekeBKXHe7w---

This is a multi-part message in MIME format.

Can anyone help me out with what I might be doing wrong? How can I make sure that every email not from our domain gets checked for spam? I am using postfix+spamassassin, version spamassassin-3.0.6-1.fc4.

Thank you,
-Jai
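The security-relevant property of the first recipe above is that every header it tests is written by the sender. As an added illustration (not code from the thread or a diagnosis of Jai's actual setup), the Python below applies the recipe's two conditions to constructed header blocks, including one whose From: and Message-Id: both carry the local domain as the thread describes, and compares them with a variant that keeps only the authenticated Received: alternative. Domains, addresses, IPs and queue ids are placeholders; procmail's case-insensitive, line-oriented matching is emulated with re flags.

```python
import re

# Added example, not code from the thread: applies the header conditions of
# Jai's whitelist recipe to constructed header blocks to show which messages
# it exempts from the spamc scan.  procmail matches case-insensitively and
# lets ^ and $ match at line boundaries, hence the flags below.
FLAGS = re.MULTILINE | re.IGNORECASE

# The two "* " conditions of the first recipe, exactly as posted (procmail
# ANDs them).  Note that "(authenticated)" is a regex group, not a literal.
WHITELIST_CONDITIONS = [
    r"^[F|f]rom:.*ourdomain\.com",
    r"^[m|M]essage-[i|I][D|d]:.*ourdomain\.com|^Received:.*(authenticated).*\.ourdomain\.com",
]
# Assumed variant: drop the Message-Id alternative, so only a Received: line
# that records an authenticated submission to a local MTA exempts a message.
AUTH_ONLY_CONDITIONS = [
    r"^[F|f]rom:.*ourdomain\.com",
    r"^Received:.*\(authenticated.*\.ourdomain\.com",
]


def exempt_from_scan(headers, conditions=WHITELIST_CONDITIONS):
    """True when every condition matches, i.e. the recipe adds X-Spam: none
    and the later spamc recipe (guarded by !^X-Spam: none) does not run."""
    return all(re.search(c, headers, FLAGS) for c in conditions)


# Constructed header blocks (placeholder domains, addresses and ids).
FORGED = """\
Return-Path: <bottle@bulk.example.net>
Received: from sys1.example.net (sys1.example.net [203.0.113.7] (may be forged)) by node.ourdomain.com (8.11.6/8.11.6) with ESMTP id QUEUEID1
Message-Id: <hphhnu0cq2g5@node.ourdomain.com>
from: Message in a Bottle <bottle@ourdomain.com>
to: user@ourdomain.com
subject: Personalized Message in a Bottle
"""
INTERNAL = """\
Return-Path: <alice@ourdomain.com>
Received: from alice-laptop (authenticated bits=0) by node.ourdomain.com (8.11.6/8.11.6) with ESMTP id QUEUEID2
Message-Id: <200702091300.QUEUEID2@node.ourdomain.com>
From: Alice <alice@ourdomain.com>
To: bob@ourdomain.com
Subject: lunch?
"""
EXTERNAL = """\
Return-Path: <carol@example.org>
Received: from mx.example.org (mx.example.org [198.51.100.9]) by node.ourdomain.com (8.11.6/8.11.6) with ESMTP id QUEUEID3
Message-Id: <4a5b6c@mx.example.org>
From: Carol <carol@example.org>
To: bob@ourdomain.com
Subject: hello
"""
SAMPLES = {"forged": FORGED, "internal": INTERNAL, "external": EXTERNAL}


def decisions(samples=SAMPLES):
    """Map sample name -> (exempt under posted recipe, exempt under auth-only)."""
    return {name: (exempt_from_scan(h), exempt_from_scan(h, AUTH_ONLY_CONDITIONS))
            for name, h in samples.items()}


if __name__ == "__main__":
    for name, (posted, auth_only) in decisions().items():
        print(f"{name:9} posted recipe skips scan: {posted!s:5}  auth-only: {auth_only}")
```

Any header a remote sender writes, including Received: lines added before the message reached the local MTA, can carry the local domain, so even the auth-only variant is only as trustworthy as the recipe's ability to single out the Received: line the local MTA itself added.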
updating 3.1.1 to 3.1.7
Using the DAG site and rpm -U, I updated spamassassin and spamassassin-tools to 3.1.7-1. Things don't look so good. Here is what happened when I restarted spamd:

spamd[26917]: spamd: server killed by SIGTERM, shutting down
spamd[27082]: persistent_udp: no such method at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/DnsResolver.pm line 99
spamd[27082]: logger: removing stderr method
spamd[27084]: config: failed to parse line, skipping: rewrite_subject 1
spamd[27084]: config: failed to parse line, skipping: subject_tag [:]
spamd[27084]: config: failed to parse line, skipping: check_mx_delay 3
spamd[27084]: config: failed to parse line, skipping: report_header 1
spamd[27084]: config: failed to parse line, skipping: use_terse_report 1
spamd[27084]: config: failed to parse line, skipping: detailed_phrase_score 0
spamd[27084]: config: failed to parse line, skipping: spam_level_stars 0
spamd[27084]: config: failed to parse line, skipping: defang_mime 0
spamd[27084]: config: score: the non-numeric score (-.3) is not valid, a numeric score is required
spamd[27084]: config: SpamAssassin failed to parse line, FROM_POSTOFFICE -.3 is not valid for score, skipping: score FROM_POSTOFFICE -.3
spamd[27084]: config: failed to parse line, skipping: razor_timeout 1
spamd[27084]: config: failed to parse line, skipping: dcc_timeout 1
spamd[27084]: config: failed to parse line, skipping: pyzor_add_header 0
spamd[27084]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'RAZOR2_CHECK'
spamd[27084]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
spamd[27084]: rules: meta test DRUGS_ERECTILE has undefined dependency '__DRUGS_ERECTILE7'
spamd[27084]: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4'
spamd[27084]: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
spamd[27084]: spamd: server started on port 783/tcp (running version 3.1.7)
spamd[27084]: spamd: server pid: 27084
spamd[27084]: spamd: server successfully spawned child process, pid 27091
spamd[27084]: spamd: server successfully spawned child process, pid 27092
spamd[27084]: prefork: child states: IS
spamd[27084]: prefork: child states: II

I don't see anything mentioned about this in /usr/share/doc/spamassassin-3.1.7/UPGRADE

Thanks.
RE: updating 3.1.1 to 3.1.7
> Using the DAG site and rpm -U, I updated spamassassin and spamassassin-tools to 3.1.7-1. Things don't look so good. Here is what happened when I restarted spamd:
>
> spamd[26917]: spamd: server killed by SIGTERM, shutting down
> spamd[27082]: persistent_udp: no such method at /usr/lib/perl5/vendor_perl/5.8.0/Mail/SpamAssassin/DnsResolver.pm line 99
> spamd[27082]: logger: removing stderr method
> spamd[27084]: config: failed to parse line, skipping: rewrite_subject 1
> spamd[27084]: config: failed to parse line, skipping: subject_tag [:]
> spamd[27084]: config: failed to parse line, skipping: check_mx_delay 3
> spamd[27084]: config: failed to parse line, skipping: report_header 1
> spamd[27084]: config: failed to parse line, skipping: use_terse_report 1
> spamd[27084]: config: failed to parse line, skipping: detailed_phrase_score 0
> spamd[27084]: config: failed to parse line, skipping: spam_level_stars 0
> spamd[27084]: config: failed to parse line, skipping: defang_mime 0
> spamd[27084]: config: score: the non-numeric score (-.3) is not valid, a numeric score is required
> spamd[27084]: config: SpamAssassin failed to parse line, FROM_POSTOFFICE -.3 is not valid for score, skipping: score FROM_POSTOFFICE -.3
> spamd[27084]: config: failed to parse line, skipping: razor_timeout 1
> spamd[27084]: config: failed to parse line, skipping: dcc_timeout 1
> spamd[27084]: config: failed to parse line, skipping: pyzor_add_header 0
> spamd[27084]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'RAZOR2_CHECK'
> spamd[27084]: rules: meta test DIGEST_MULTIPLE has undefined dependency 'DCC_CHECK'
> spamd[27084]: rules: meta test DRUGS_ERECTILE has undefined dependency '__DRUGS_ERECTILE7'
> spamd[27084]: rules: meta test VIRUS_WARNING_DOOM_BNC has undefined dependency 'VIRUS_WARNING_MYDOOM4'
> spamd[27084]: rules: meta test SARE_OBFU_CIALIS has undefined dependency 'SARE_OBFU_CIALIS2'
> spamd[27084]: spamd: server started on port 783/tcp (running version 3.1.7)
> spamd[27084]: spamd: server pid: 27084
> spamd[27084]: spamd: server successfully spawned child process, pid 27091
> spamd[27084]: spamd: server successfully spawned child process, pid 27092
> spamd[27084]: prefork: child states: IS
> spamd[27084]: prefork: child states: II
>
> I don't see anything mentioned about this in /usr/share/doc/spamassassin-3.1.7/UPGRADE

The failed to parse line warnings are all deprecated settings IIRC. Check the documentation for current equivalents. I would be surprised if 3.1.1 didn't note those as well.

The score from FROM_POSTOFFICE should be -0.3 instead of -.3. Is that in your local.cf?

The undefined dependency info messages are new in a recent version (sorry-- don't remember which). However, the end result is the same as before as far as processing goes. It's just the undefined dependencies are actually noted somewhere now where they weren't before. If you develop your own meta rules, having this is very helpful. For standard or other 3rd-party rules, it's just annoying.

Is your Net::DNS up-to-date per the release notes?

HTH,
Bret
TVD_ENVFROM_APOST
Two questions about TVD_ENVFROM_APOST:

1. Is its execution conditional in any way? Because I have many posts that have an apostrophe in the From: yet don't trigger this flag. I can't figure out when it's applied or not.

2. Wouldn't it be better to check for apostrophe s? It seems like what that test catches is mostly addresses made up from random dictionary words, from dictionaries that consider each genitive case to be a word in itself. E.g. open /usr/share/dict/words and search for apostrophes.

 _ _ __ ___ _ _ _ ...
| Mathieu Bouchard - tél:+1.514.383.3801 - http://artengine.ca/matju
| Freelance Digital Arts Engineer, Montréal QC Canada
Spam Scam - childsafenetwork.org
As a violent crime victims advocate, I might be overreacting to this issue. OTOH, I can write, with absolute certainty, that anyone using any of the services from childsafenetwork.org is opting in for a considerable volume of commercial spam (from hoodia to credit reports).

In point of fact, the domain is registered to Paradigm Direct which seems to be an affiliate of JBR Media Ventures. They, and their affiliates, have done a remarkable job of seeding Google search results. The real deal seems to be CSN.org. The home pages are remarkably similar in context.

If you agree with my point of view, feel free to make some noise. I have written to Starbucks without reply. More information is available at http://tqmcube.com/childsafe.php .

--
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
Re: TVD_ENVFROM_APOST
On Fri, 9 Feb 2007, Mathieu Bouchard wrote:
> Two questions about TVD_ENVFROM_APOST:
> 1. Is its execution conditional in any way? Because I have many posts that have an apostrophe in the From: yet don't trigger this flag. I can't figure out when it's applied or not.

I just checked it again, and it may have to do with EnvelopeFrom vs From:addr. However, my mail program hides the EnvelopeFrom (the very first line of the message, if I'm not mistaken) even when in full headers mode. Fortunately, I can export any message to a file in which the first line will be the EnvelopeFrom. So, I found an email that had 's in the From: but not tagged TVD_ENVFROM_APOST, and I exported it, and looked at the first line. It contained an 's too. So, that possibility is eliminated, and I have no other idea what it could be.

(I don't have any experience writing rules in SpamAssassin. I know Regexps, Perl, etc., but I don't know much SA-specific information)

 _ _ __ ___ _ _ _ ...
| Mathieu Bouchard - tél:+1.514.383.3801 - http://artengine.ca/matju
| Freelance Digital Arts Engineer, Montréal QC Canada
Re: TVD_ENVFROM_APOST
It checks the Envelope from, NOT the Header From:.

On Friday 09 February 2007 14:57, Mathieu Bouchard wrote:
> Two questions about TVD_ENVFROM_APOST:
> 1. Is its execution conditional in any way? Because I have many posts that have an apostrophe in the From: yet don't trigger this flag. I can't figure out when it's applied or not.
> 2. Wouldn't it be better to check for apostrophe s? It seems like what that test catches is mostly addresses made up from random dictionary words, from dictionaries that consider each genitive case to be a word in itself. E.g. open /usr/share/dict/words and search for apostrophes.
>
>  _ _ __ ___ _ _ _ ...
> | Mathieu Bouchard - tél:+1.514.383.3801 - http://artengine.ca/matju
> | Freelance Digital Arts Engineer, Montréal QC Canada

--
Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347 FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor racing, all the rest are merely games! - Ernest Hemingway
20_porn.cf/SUBJECT_SEXUAL not picking up new subjects
I've been getting many sexy subject emails lately that are not getting properly categorized by the SUBJECT_SEXUAL rule in 20_porn.cf. These new-to-me subjects are:

SEUAL-EXPLCIT:
SEEUAL-EXPLlClT:

I've modified my rule locally but figured I'd pass along my changes should the rule actually be updated:

Subject =~ /[EMAIL PROTECTED]|1](?:[l!|1]y)?.{0,3}[e3\xE8-\xEB]xp[l!|1][i1!|l\xEC-\xEF]?c[i1!|l\xEC-\xEF]t/i

Thanks,
Bubba
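The technique behind Bubba's rule (character classes of look-alike glyphs, optional letters for dropped characters, a short junk gap between the words), as an added example that is my code and not the posted rule or anything from 20_porn.cf: a small builder turns a plain word into such a pattern, and a candidate rule built from it is run over the two subjects from the post plus some constructed non-matching subjects, since a rule that fires on the spam is only half the check. The look-alike table is my own choice; only the accented ranges (\xE8-\xEB, \xEC-\xEF) are taken from the posted rule.

```python
"""Obfuscation-tolerant subject matching (added example)."""
import re

# Constructed look-alike table (my choices, not SpamAssassin's): letter ->
# character class of common substitutions. \xE8-\xEB (è é ê ë) and
# \xEC-\xEF (ì í î ï) are the accented ranges used in the posted rule.
LOOKALIKE = {
    "a": "[a4@\xE0-\xE5]",
    "c": "[c\xE7(]",
    "e": "[e3\xE8-\xEB]",
    "i": "[i1!|l\xEC-\xEF]",
    "l": "[l!|1]",
    "o": "[o0\xF2-\xF6]",
    "s": "[s5$]",
    "u": "[u\xB5v]",
}


def obfuscation_pattern(word, droppable=""):
    """Regex source for `word` that tolerates look-alike substitution and a
    doubled letter (SEEUAL); letters named in `droppable` may also be
    omitted entirely (SEUAL, EXPLCIT). Letters without a table entry match
    only themselves."""
    parts = []
    for ch in word.lower():
        cls = LOOKALIKE.get(ch, re.escape(ch))
        parts.append(cls + ("?" if ch in droppable else "{1,2}"))
    return "".join(parts)


# "sexual", optionally "ly", then up to three junk characters (space,
# hyphen, dot), then "explicit". x and the i's are droppable so the two
# posted subjects match.
SUBJECT_RE = re.compile(
    obfuscation_pattern("sexual", droppable="x")
    + "(?:" + obfuscation_pattern("ly") + ")?"
    + ".{0,3}"
    + obfuscation_pattern("explicit", droppable="i"),
    re.IGNORECASE,
)


def hits(subjects):
    """Subjects the candidate rule fires on. Run it over a ham sample as
    well before shipping; that is what a mass-check does at scale."""
    return [s for s in subjects if SUBJECT_RE.search(s)]


# Constructed test set: the two subjects from the post, a plainly spelled
# variant, and three subjects the rule must leave alone.
SAMPLE_SUBJECTS = [
    "SEUAL-EXPLCIT:",
    "SEEUAL-EXPLlClT:",
    "Sexually explicit material",
    "Q1 budget review",
    "Exploit mitigation update",
    "Sex and the City tonight",
]

if __name__ == "__main__":
    print(SUBJECT_RE.pattern)
    for s in SAMPLE_SUBJECTS:
        print(f"{'HIT ' if SUBJECT_RE.search(s) else 'miss'} {s}")
```

Because `{1,2}` and `?` widen every position, the pattern's safety rests on the `.{0,3}` gap staying short and on both words being required; loosening either is where false positives on ham usually creep in.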
RE: Spam Scam - childsafenetwork.org
David Cary Hart wrote:
> As a violent crime victims advocate, I might be overreacting to this issue. OTOH, I can write, with absolute certainty, that anyone using any of the services from childsafenetwork.org is opting in for a considerable volume of commercial spam (from hoodia to credit reports). In point of fact, the domain is registered to Paradigm Direct which seems to be an affiliate of JBR Media Ventures. They, and their affiliates, have done a remarkable job of seeding Google search results. The real deal seems to be CSN.org. The home pages are remarkably similar in context.
>
> If you agree with my point of view, feel free to make some noise. I have written to Starbucks without reply. More information is available at http://tqmcube.com/childsafe.php .

Interesting. What happens if you try to opt out of these mailings?

-- 
Bowie
Does exist a public database of spam content?
I would like to know if there is a public database of spam content that I could use to update my SpamAssassin Bayes database. There is still a lot of spam that is not caught by SpamAssassin, so I was thinking that it could be an alternative for improving its effectiveness.

It could also be a business opportunity. Think of it as an antivirus signature update service or the way Sourcefire makes profit with Snort rules.

Regards
Alejandro Lengua
Re: Does exist a public database of spam content?
How much spam do you want?

/me stares at the millions of emails in his quarantines

-- 
Mr Michele Neylon
Blacknight Solutions
Hosting Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
UK: 0870 163 0607
Fax. +353 (0) 59 9164239
Re: Does exist a public database of spam content?
At 01:35 PM 2/9/2007, Alejandro Lengua wrote:
> I would like to know if there is a public database of spam content that I could use to update my SpamAssassin Bayes database. There is still a lot of spam that is not caught by SpamAssassin, so I was thinking that it could be an alternative for improving its effectiveness.
>
> It could also be a business opportunity. Think of it as an antivirus signature update service or the way Sourcefire makes profit with Snort rules.

Post to a usenet group, using a real e-mail address. Have that e-mail address go to a mailbox you can run sa-learn on.
dns query failed for 1.1.3.saupdates.openprotect.com
Hi guys,

I'm running SA 3.1.1 and have imported openprotect's gpg sig, but when I try to run sa-update on this channel with the debug switch turned on I get the error:

dbg: dns: query failed: 1.1.3.saupdates.openprotect.com = NXDOMAIN

Is SA 3.1.1 still supported with this channel? I know I need to update SA to 3.1.7 but can't do it just at the moment.

Thanks!

Stephen Carter
Retrac Networking Limited
www: http://www.retnet.co.uk
Ph: +44 (0)7870 218 693
Fax: +44 (0)870 7060 056
CNA, CNE 6, CNS, CCNA, MCSE 2003
Re: dns query failed for 1.1.3.saupdates.openprotect.com
Stephen Carter wrote:
> Hi guys,
>
> I'm running SA 3.1.1 and have imported openprotect's gpg sig, but when I try to run sa-update on this channel with the debug switch turned on I get the error:
>
> dbg: dns: query failed: 1.1.3.saupdates.openprotect.com = NXDOMAIN
>
> Is SA 3.1.1 still supported with this channel?

It appears that they're only publishing updates for 3.1.3 to 3.1.7.

> I know I need to update SA to 3.1.7 but can't do it just at the moment.

Either update SA or use a different SARE ruleset channel provider. The one I know of will work for 3.1.1. ;)

Daryl
Re: RE: More stock spam + strange cf files
Chris Santerre wrote:
> These guys are just rolling in scot free except for bayes. See http://2chronicles36.org/stock.txt
>
> I'm using 3.1.7 with latest sa-update + FuzzyOCR.cf KAM.cf
>
> I must say, that's a pretty well done spam. Whoever wrote it put some thought into the phrasing. This one might take a bit. The wording is gonna be hard to tag.

I get a decent score on this. These are the rules it hit.

X-Spam-Status: Yes, score=10.4 version=3.1.7
X-Spam-Report:
 * 2.0 BOTNET Relay might be a spambot or virusbot
 *     [botnet0.7,ip=218.157.62.185,maildomain=gcpower.net,nordns]
 * 2.7 SARE_PROLOSTOCK_SYM4 BODY: Last week's hot stock scam
 * 1.7 SARE_LWSYMFMT BODY: SARE_LWSYMFMT
 * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
 *     [score: 1.]
 * 0.6 HELO_MISMATCH_COM HELO_MISMATCH_COM

I don't know if these SARE rules have been written since you posted this email though...

Ben
Re: Spam Scam - childsafenetwork.org
On Fri, 9 Feb 2007 16:32:27 -0500, Bowie Bailey [EMAIL PROTECTED] opined:

> David Cary Hart wrote:
>> As a violent crime victims advocate, I might be overreacting to this issue. OTOH, I can write, with absolute certainty, that anyone using any of the services from childsafenetwork.org is opting in for a considerable volume of commercial spam (from hoodia to credit reports). In point of fact, the domain is registered to Paradigm Direct which seems to be an affiliate of JBR Media Ventures. They, and their affiliates, have done a remarkable job of seeding Google search results. The real deal seems to be CSN.org. The home pages are remarkably similar in context.
>>
>> If you agree with my point of view, feel free to make some noise. I have written to Starbucks without reply. More information is available at http://tqmcube.com/childsafe.php .
>
> Interesting. What happens if you try to opt out of these mailings?

Since putting up the page, I have received three (unverified) complaints that opt-outs are not honored. JBR Media used to spam SwitchMyCellPhone.com.

BTW, all of our escalated ranges are now available in real time on our site.

-- 
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
Re: dns query failed for 1.1.3.saupdates.openprotect.com
On Fri, 2007-02-09 at 17:49 -0500, Daryl C. W. O'Shea wrote:
> Stephen Carter wrote:
>> Hi guys,
>>
>> I'm running SA 3.1.1 and have imported openprotect's gpg sig, but when I try to run sa-update on this channel with the debug switch turned on I get the error:
>>
>> dbg: dns: query failed: 1.1.3.saupdates.openprotect.com = NXDOMAIN
>>
>> Is SA 3.1.1 still supported with this channel?
>
> It appears that they're only publishing updates for 3.1.3 to 3.1.7.
>
>> I know I need to update SA to 3.1.7 but can't do it just at the moment.
>
> Either update SA or use a different SARE ruleset channel provider. The one I know of will work for 3.1.1. ;)
>
> Daryl

Thanks for the reply Daryl. Looks like I'll have to push through that SA upgrade then.

How do you know what versions are supported? Is it simply performing DNS queries on each version of SA?

-- 
Stephen Carter
Retrac Networking Limited
www: http://www.retnet.co.uk
Ph: +44 (0)7870 218 693
Fax: +44 (0)870 7060 056
CNA, CNE 6, CNS, CCNA, MCSE 2003
spamassassin learning method
Hi all,

I am Rizal, I am a newbie. I have an SMTP proxy server; before any email enters my company, it must pass via my SMTP proxy server. My SMTP server consists of 2 machines, one works with postfix and the other works with spamassassin + clamav. It serves about 2000 clients.

I want to create a spamassassin learning method: if my clients find any spam in their email they can forward it to one address I create for receiving spam, example: [EMAIL PROTECTED]. After that I can do sa-learn on the [EMAIL PROTECTED] mailbox or maildir.

But when I read the spamassassin documentation, it also learns the email headers. Because my [EMAIL PROTECTED] mailbox consists of emails forwarded from my clients, it has headers (from, to, cc, msg-id, etc) from my clients. I am afraid that if I use this method, my clients will be treated as spammers.

What do you think, any idea? Is there any configuration for SA, so it can remove the forwarded headers from its learning method?

-- 
Best Regards,
-Rizal Ferdiyan
Re: complete false hits for BASE64 and LW_STOCK_SPAM4
Jo Rhett wrote:
>>> Why do I need a custom rule to work around an FP in the ruleset?
>> See above.
> It's really hard not to be really annoyed with this answer.

If you don't like my answers, you're free to not accept my help. But please keep in mind two things:

1) I often come across as more rude than I'm intending to be because I, like you might be, am a busy person. I'm often pressed for time, and my answers tend to be terse, and a bit blunt.

2) I don't also have enough spare time to both offer free help, and spend time considering my choices of wording. As such, you'll often see my current moods, knee-jerk reactions, and opinions regarding technical matters biasing my overall verbiage.

Those are character flaws on my part, and being busy isn't much of an excuse, but at least I'm working for free. I also assure you that had I meant to insult you, it would be rather obvious.

Also consider:

1) I've already spent the time to write a rule for you in an effort to try to help out.

2) Your own choice of wording isn't exactly devoid of annoyances either.

So, if my response was annoying, it's because I slept poorly last night, had a morning meeting to go to, found it obnoxious that you insisted an obviously non-stock configuration was, and my attempt to help was met with indignation. So my minor annoyance showed through.

> What kind of nonsense did you think my question was? If LW_STOCK_SPAM is a SARE RULE, then I am requesting a revision to the SARE rule. Why on God's green earth would you assume that I wanted a fix in the base distribution for a SARE rule?

Fair enough.. However, the custom rule I came up with doesn't deal with this LW_STOCK_SPAM. It deals with MIME_BASE64_TEXT, which IS a base distribution rule, but isn't generally a problem for most folks. I would not want to suggest the devs should commit a modification to the base ruleset to fix how this rule interacts with crackberry, because the base ruleset isn't much of a problem.

As for making a change to the SARE ruleset to fix LW_STOCK_SPAM. Sure.. That said, as noted elsewhere, this rule shouldn't have fired for this message, which makes me wonder why it fired.
Re: dns query failed for 1.1.3.saupdates.openprotect.com
Stephen Carter wrote:
> On Fri, 2007-02-09 at 17:49 -0500, Daryl C. W. O'Shea wrote:
>> Stephen Carter wrote:
>>> Hi guys,
>>>
>>> I'm running SA 3.1.1 and have imported openprotect's gpg sig, but when I try to run sa-update on this channel with the debug switch turned on I get the error:
>>>
>>> dbg: dns: query failed: 1.1.3.saupdates.openprotect.com = NXDOMAIN
>>>
>>> Is SA 3.1.1 still supported with this channel?
>>
>> It appears that they're only publishing updates for 3.1.3 to 3.1.7.
>>
>>> I know I need to update SA to 3.1.7 but can't do it just at the moment.
>>
>> Either update SA or use a different SARE ruleset channel provider. The one I know of will work for 3.1.1. ;)
>>
>> Daryl
>
> Thanks for the reply Daryl. Looks like I'll have to push through that SA upgrade then.

...or use the channels I provide (see SARE website or SA wiki) that will work with 3.1.1. Of course, an upgrade wouldn't hurt.

> How do you know what versions are supported? Is it simply performing DNS queries on each version of SA?

Yeah.

Daryl
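The per-version DNS probe Stephen asks about and Daryl confirms, as an added example (my code, not sa-update's): the name sa-update looks up is the version's components reversed in front of the channel name, which is how 3.1.1 becomes the 1.1.3.saupdates.openprotect.com in Stephen's debug output, and sa-update fetches a TXT record there. The live probe shells out to `dig` and assumes it is installed; the set of "published" versions used for the offline run is constructed to mirror Daryl's observation about 3.1.3 to 3.1.7, not data fetched from the channel.

```python
"""Which SpamAssassin versions does an sa-update channel publish for? (added example)"""
import subprocess

CHANNEL = "saupdates.openprotect.com"  # the channel in Stephen's debug output


def update_channel_query_name(version, channel=CHANNEL):
    """Name sa-update queries for `version` on `channel`: the dotted version
    reversed, then the channel. 3.1.1 -> 1.1.3.saupdates.openprotect.com."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a dotted three-part version, got {version!r}")
    return ".".join(reversed(parts)) + "." + channel


def supported_versions(versions, channel, lookup):
    """Versions for which lookup(name) reports a record at the channel's
    version-specific name: one DNS query per version, as Daryl describes."""
    return [v for v in versions if lookup(update_channel_query_name(v, channel))]


def dig_txt(name):
    """Live probe via the dig CLI (assumed installed): True if any TXT answer
    came back for `name`. Needs network; not used by the offline run below."""
    result = subprocess.run(["dig", "+short", "TXT", name],
                            capture_output=True, text=True, timeout=10)
    return bool(result.stdout.strip())


# Constructed offline stand-in for the channel's DNS, mirroring Daryl's
# observation that only 3.1.3 through 3.1.7 are published.
CONSTRUCTED_PUBLISHED = {
    update_channel_query_name(v) for v in ["3.1.3", "3.1.4", "3.1.5", "3.1.6", "3.1.7"]
}


def offline_lookup(name):
    """Stand-in for dig_txt that answers from the constructed set."""
    return name in CONSTRUCTED_PUBLISHED


CANDIDATES = ["3.1.0", "3.1.1", "3.1.2", "3.1.3", "3.1.7", "3.2.0"]

if __name__ == "__main__":
    print("offline:", supported_versions(CANDIDATES, CHANNEL, offline_lookup))
    # Live check against the real channel (uncomment when online):
    # print("live:", supported_versions(CANDIDATES, CHANNEL, dig_txt))
```

With the live lookup swapped in, a version that returns NXDOMAIN drops out of the list, which is the condition Stephen's `dbg: dns: query failed` line was reporting for 3.1.1.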
Re: spamassassin learning method
On Sat, 10 Feb 2007, Rizal Ferdiyan wrote:
> I want to create spamassassin learning method, if my client find any spam for their email they can forward it

The act of forwarding completely changes the message. The best way is for them to move the message to a folder that you have access to.

What is the mail server that the messages eventually end up on? Sendmail with standard mbox/maildir? Exchange?

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The difference is that Unix has had thirty years of technical types demanding basic functionality of it. And the Macintosh has had fifteen years of interface fascist users shaping its progress. Windows has the hairpin turns of the Microsoft marketing machine and that's all. -- Red Drag Diva
---
3 days until Abraham Lincoln's and Charles Darwin's 198th Birthdays
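John's point that forwarding rewrites the message is the crux of Rizal's worry: an inline forward arrives with the client's own From:, To: and Message-Id, so sa-learn would train on the client's headers. When moving messages into a shared folder is not an option, the workable middle ground is to have clients forward as an attachment and to unpack the attached original before learning. The following is an added example of that unpacking (my code, not something from the thread or from SpamAssassin); the spam, the client address and the report-mailbox address are all constructed.

```python
"""Recover originals from forward-as-attachment reports for sa-learn (added example)."""
import email
from email import policy
from email.message import EmailMessage


def extract_forwarded(raw):
    """Original messages embedded as message/rfc822 parts in a report.

    Only a forward-as-attachment preserves the spam's own headers. An
    inline forward carries the client's headers and the spam as quoted
    text, so it yields nothing here and must not be learned as-is.
    """
    outer = email.message_from_string(raw, policy=policy.default)
    return [part.get_payload(0) for part in outer.walk()
            if part.get_content_type() == "message/rfc822"]


def originals_for_learning(raw):
    """Serialized originals, one per attached message, each suitable to be
    written to its own file and passed to `sa-learn --spam`."""
    return [m.as_string() for m in extract_forwarded(raw)]


def build_forward_as_attachment(client_from, report_addr, spam_raw):
    """Constructed helper: what a client's forward-as-attachment looks like
    when it lands in the report mailbox."""
    outer = EmailMessage()
    outer["From"] = client_from
    outer["To"] = report_addr
    outer["Subject"] = "Fwd: spam"
    outer.set_content("Please learn this one.")
    # Attaching a Message object produces a message/rfc822 part.
    outer.add_attachment(email.message_from_string(spam_raw, policy=policy.default))
    return outer.as_string()


# Constructed spam as it reached the client, and the constructed report address.
SPAM_RAW = """From: stock-tips@example.net
To: victim@example.com
Subject: Hot pick for Monday

Buy before the open.
"""
REPORT_ADDR = "spam-report@example.com"

# Constructed inline forward: the client's headers on top, the spam only as text.
INLINE_FORWARD = """From: client@example.com
To: spam-report@example.com
Subject: Fwd: Hot pick for Monday

---------- Forwarded message ----------
From: stock-tips@example.net
Subject: Hot pick for Monday

Buy before the open.
"""

if __name__ == "__main__":
    report = build_forward_as_attachment("client@example.com", REPORT_ADDR, SPAM_RAW)
    for original in originals_for_learning(report):
        print("--- would sa-learn --spam this:")
        print(original)
    print("inline forward yields:", extract_forwarded(INLINE_FORWARD))
```

Inline forwards that reach the mailbox are best bounced back to the client with instructions rather than learned; the headers that remain are theirs, and the spam's own Received: chain and Message-Id, which Bayes tokenizes, are gone.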
Re: Re[2]: More stock spam + strange cf files
> Pardon my ignorance here, but it is full of mis-spellings and phrases that you wouldn't normally see, so why not just hit those?
>
> aid you to know
> C O S T
> brroker
> ama zing
>
> Peter

1) Most people can't spell these days. These phrases might hit all over the place on ham.

2) These hadn't been used before in spam (except maybe the cost spelling) so there was no need for rules for them.

Summary: It would need a mass-check on new rules to see if they were good. That said, I expect that new rules will show up soon if this isn't a one-off spam.

Loren
Re: RE: More stock spam + strange cf files
> * 2.7 SARE_PROLOSTOCK_SYM4 BODY: Last week's hot stock scam
> * 1.7 SARE_LWSYMFMT BODY: SARE_LWSYMFMT
>
> I don't know if these SARE rules have been written since you posted this email though...

Nope. They are rather old. About the same age as LW_STOCK_SPAM4 that is annoying the Blackberry crowd, in fact. ;-)

Loren
IADB, 70_iadb.cf and multiple A records returned
Looking at the IADB page: http://www.isipp.com/iadbcodes.php , it says:

... When queried, the IADB will return one or more A records for any site which is listed in the IADB ...

Now looking at the 70_iadb.cf file from sa-update, most rules are like this:

eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.1$')

Doesn't this prevent the test if more than one A record is returned (^ and $)?? Or is each check_rbl_sub called for each A record returned??

If the last one is true, is the ^ $ really necessary? If this is set because it is an RE, doesn't it need the / / too?

If it really is a RE, what prevents '127.0.0.1' from matching 127.0.0.10? Or 127.1.0.1 from matching 127.120.1.1 ? Shouldn't the dots be escaped too?

That's enough for now :)

- Raul Dias
Re: IADB, 70_iadb.cf and multiple A records returned
On Sat, Feb 10, 2007 at 12:42:53AM -0300, Raul Dias wrote:
> eval:check_rbl_sub('iadb-firsttrusted', '^127.2.255.1$')
>
> Doesn't this prevent the test if more than one A record is returned (^ and $)??

No. They're not all in a string, the match happens against each response individually.

> Or is each check_rbl_sub called for each A record returned??

No, just one call.

> If this is set because it is an RE, doesn't it need the / / too?

Nope. The code does that for us.

> If the last one is true, is the ^ $ really necessary? [...] If it really is a RE, what prevents '127.0.0.1' from matching 127.0.0.10? Or 127.1.0.1 from matching 127.120.1.1 ?

You answered your own question. :)

> Shouldn't the dots be escaped too?

Arguably, yes. It works out that things like /^127.0.0.1$/ won't match any other valid IP though, so in the end it's ok, but technically the dots should be escaped. Note: I don't recall if the code escapes the dots for us, but I don't think so.

-- 
Randomly Selected Tagline:
Integrity is doing the right thing when nobody is watching you. - Infonaut on Slashdot
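Theo's answers in one runnable picture, as an added example (my code mirroring the behaviour he describes, not SpamAssassin's check_rbl_sub implementation): the sub-test pattern is applied to each returned A record on its own, the anchors are what keep '127.2.255.1' from matching 127.2.255.10, and an unescaped dot only matters for strings that are not dotted quads, which a DNS A answer never is. The patterns are the ones from the thread; the list of returned records is constructed.

```python
"""Return-code matching against a multi-record RBL answer (added example)."""
import re


def rbl_sub_hits(pattern, a_records):
    """Apply a check_rbl_sub-style pattern to each A record separately, the
    way Theo describes (one call, one match per record, delimiters supplied
    by the code). Returns the records that matched."""
    rx = re.compile(pattern)
    return [addr for addr in a_records if rx.search(addr)]


def escape_dots(pattern):
    """Make the dots in a return-code pattern literal, leaving dots that are
    already escaped alone: ^127.2.255.1$ -> ^127\\.2\\.255\\.1$"""
    return re.sub(r"(?<!\\)\.", r"\\.", pattern)


LOOSE_QUAD = re.compile(r"^\^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\$$")


def loose_pattern_is_harmless(pattern):
    """Theo's argument made mechanical: an anchored ^a.b.c.d$ pattern with
    unescaped dots has exactly four digit runs and three wildcards. Any
    string it matches other than a.b.c.d would need a non-dot in a wildcard
    slot, leaving fewer than three dots, so it cannot be a valid IPv4
    address. Unanchored or otherwise shaped patterns get no such guarantee."""
    return LOOSE_QUAD.match(pattern) is not None


# Constructed multi-record answer of the kind the IADB page describes.
RECORDS = ["127.2.255.1", "127.2.255.10", "127.12.255.1", "127.0.0.2"]

if __name__ == "__main__":
    for pat in ["^127.2.255.1$", "127.2.255.1", escape_dots("^127.2.255.1$")]:
        print(f"{pat:22} -> {rbl_sub_hits(pat, RECORDS)}  "
              f"harmless-unescaped={loose_pattern_is_harmless(pat)}")
    # Only a non-IP string tells the loose and escaped anchored patterns apart.
    junk = ["127a2b255c1"]
    print(rbl_sub_hits("^127.2.255.1$", junk), rbl_sub_hits(escape_dots("^127.2.255.1$"), junk))
```

Escaping the dots costs nothing and removes the need for the argument, so new rules should use `^127\.2\.255\.1$`; the example just shows why the existing unescaped rules have not misfired.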